Merge branch 'master' into disk-full-alert-docsrs

rust-lang · Dec 16, 2024 · 8cea334 · 8cea334
2 parents 982dd8c + 29d453c
commit 8cea334
Show file tree

Hide file tree

Showing 2 changed files with 106 additions and 0 deletions.
diff --git a/terragrunt/modules/ci-runners/codebuild.tf b/terragrunt/modules/ci-runners/codebuild.tf
@@ -101,3 +101,52 @@ resource "aws_codebuild_project" "ubuntu_22_4c" {
     }
   }
 }
+
+resource "aws_codebuild_project" "ubuntu_22_8c" {
+  name         = "ubuntu-22-8c"
+  service_role = aws_iam_role.codebuild_role.arn
+
+  artifacts {
+    type = "NO_ARTIFACTS"
+  }
+
+  cache {
+    type = "NO_CACHE"
+    // TODO: evaluate if it's worth adding cache
+    // modes = ["LOCAL_DOCKER_LAYER_CACHE", "LOCAL_SOURCE_CACHE"]
+  }
+
+  build_timeout = 60 * 6 // 6 hours
+
+  environment {
+    compute_type = "BUILD_GENERAL1_LARGE"
+    // ubuntu 22
+    image                       = "aws/codebuild/standard:7.0-24.10.29"
+    type                        = "LINUX_CONTAINER"
+    image_pull_credentials_type = "CODEBUILD"
+
+    // Whether to enable running the Docker daemon.
+    // The Rust CI uses Docker to build linux artifacts,
+    // so we need this if the target is linux.
+    privileged_mode = true
+  }
+
+  // Disable cloudwatch logs for cost saving.
+  // Logs are available in GitHub Actions.
+  logs_config {
+    cloudwatch_logs {
+      status = "DISABLED"
+    }
+  }
+
+  source {
+    type = "GITHUB"
+    // test repository
+    location        = "https://github.com/rust-lang-ci/rust"
+    git_clone_depth = 1
+
+    git_submodules_config {
+      fetch_submodules = false
+    }
+  }
+}
diff --git a/terragrunt/modules/ci-runners/gh_oidc.tf b/terragrunt/modules/ci-runners/gh_oidc.tf
@@ -0,0 +1,57 @@
+// Docs: https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/
+resource "aws_iam_openid_connect_provider" "github_actions_provider" {
+  url = "https://token.actions.githubusercontent.com"
+
+  client_id_list = ["sts.amazonaws.com"]
+
+  // unused
+  thumbprint_list = ["1c58a3a8518e8759bf075b76b750d4f2df264fcd"]
+}
+
+resource "aws_iam_role" "github_actions_ci_role" {
+  name = "ci--rust-lang--aws-runners-test"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "sts:AssumeRoleWithWebIdentity",
+        ]
+        Principal = {
+          Federated = aws_iam_openid_connect_provider.github_actions_provider.arn
+        }
+        Condition = {
+          // StringLike is used with a wildcard operator (*) to allow any branch, pull request merge branch
+          // of the repository to assume a role in AWS
+          StringLike : {
+            "token.actions.githubusercontent.com:sub" : "repo:rust-lang/aws-runners-test:ref:*"
+          },
+          StringEquals : {
+            "token.actions.githubusercontent.com:aud" : "sts.amazonaws.com"
+          }
+        }
+      }
+    ]
+  })
+}
+
+# Allow GitHub Actions to authenticate to AWS ECR Public Gallery
+resource "aws_iam_role_policy" "github_actions_ecr_policy" {
+  name = "ecr-auth-policy"
+  role = aws_iam_role.github_actions_ci_role.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "ecr-public:GetAuthorizationToken",
+          "sts:GetServiceBearerToken"
+        ]
+        Resource = "*"
+      }
+    ]
+  })
+}