From b6df408c2edac88499d64dfc72e8a363971c9691 Mon Sep 17 00:00:00 2001
From: MarcoIeni <11428655+MarcoIeni@users.noreply.github.com>
Date: Wed, 11 Dec 2024 12:09:29 +0100
Subject: [PATCH 1/4] feat: add codebuild project for ubuntu 8 cores

---
 terragrunt/modules/ci-runners/codebuild.tf | 49 ++++++++++++++++++++++
 1 file changed, 49 insertions(+)

diff --git a/terragrunt/modules/ci-runners/codebuild.tf b/terragrunt/modules/ci-runners/codebuild.tf
index 4e09fdcd..e8aa8a9c 100644
--- a/terragrunt/modules/ci-runners/codebuild.tf
+++ b/terragrunt/modules/ci-runners/codebuild.tf
@@ -101,3 +101,52 @@ resource "aws_codebuild_project" "ubuntu_22_4c" {
 }
 }
 }
+
+resource "aws_codebuild_project" "ubuntu_22_8c" {
+ name = "ubuntu-22-8c"
+ service_role = aws_iam_role.codebuild_role.arn
+
+ artifacts {
+ type = "NO_ARTIFACTS"
+ }
+
+ cache {
+ type = "NO_CACHE"
+ // TODO: evaluate if it's worth adding cache
+ // modes = ["LOCAL_DOCKER_LAYER_CACHE", "LOCAL_SOURCE_CACHE"]
+ }
+
+ build_timeout = 60 * 6 // 6 hours
+
+ environment {
+ compute_type = "BUILD_GENERAL1_LARGE"
+ // ubuntu 22
+ image = "aws/codebuild/standard:7.0-24.10.29"
+ type = "LINUX_CONTAINER"
+ image_pull_credentials_type = "CODEBUILD"
+
+ // Whether to enable running the Docker daemon.
+ // The Rust CI uses Docker to build linux artifacts,
+ // so we need this if the target is linux.
+ privileged_mode = true
+ }
+
+ // Disable cloudwatch logs for cost saving.
+ // Logs are available in GitHub Actions.
+ logs_config {
+ cloudwatch_logs {
+ status = "DISABLED"
+ }
+ }
+
+ source {
+ type = "GITHUB"
+ // test repository
+ location = "https://github.com/rust-lang-ci/rust"
+ git_clone_depth = 1
+
+ git_submodules_config {
+ fetch_submodules = false
+ }
+ }
+}
From ef9b79c9c86e81f55aa3aa28e42dbb5e04615dc3 Mon Sep 17 00:00:00 2001
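Review bot: The new `ubuntu_22_8c` resource appears to be a copy of `ubuntu_22_4c` (named in the hunk header) differing only in `name` and `compute_type`, so the two definitions will drift the next time the image tag, timeout or `privileged_mode` rationale changes. A `for_each` over a map of project name to compute type, with the shared body written once, would keep them aligned; if the duplication is deliberate so each project can be tuned independently, a one-line comment on the resource saying so would stop the next reviewer from asking the same question. The `// test repository` comment above `location` would also be clearer as `// test repository: a fork of rust-lang/rust used for staging the runners`, since the URL on its own does not say why a fork is pinned here. Only the end of `ubuntu_22_4c` is visible in this hunk, so the comparison is inferred from the header.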
From: MarcoIeni <11428655+MarcoIeni@users.noreply.github.com>
Date: Fri, 13 Dec 2024 11:38:01 +0100
Subject: [PATCH 2/4] chore(ci-staging): add openid connect provider for gh actions

---
 terragrunt/modules/ci-runners/gh_oidc.tf | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 terragrunt/modules/ci-runners/gh_oidc.tf

diff --git a/terragrunt/modules/ci-runners/gh_oidc.tf b/terragrunt/modules/ci-runners/gh_oidc.tf
new file mode 100644
index 00000000..3d1ec3ec
--- /dev/null
+++ b/terragrunt/modules/ci-runners/gh_oidc.tf
@@ -0,0 +1,9 @@
+// Docs: https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/
+resource "aws_iam_openid_connect_provider" "github_actions_provider" {
+ url = "https://token.actions.githubusercontent.com"
+
+ client_id_list = ["sts.amazonaws.com"]
+
+ // unused
+ thumbprint_list = ["1c58a3a8518e8759bf075b76b750d4f2df264fcd"]
+}
From cc18242b39ee758fb70b8dfc6ec01a6c515795d0 Mon Sep 17 00:00:00 2001
From: MarcoIeni <11428655+MarcoIeni@users.noreply.github.com>
Date: Fri, 13 Dec 2024 15:01:26 +0100
Subject: [PATCH 3/4] chore(ci-staging): add github actions ci role

---
 terragrunt/modules/ci-runners/gh_oidc.tf | 28 ++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/terragrunt/modules/ci-runners/gh_oidc.tf b/terragrunt/modules/ci-runners/gh_oidc.tf
index 3d1ec3ec..f33083c9 100644
--- a/terragrunt/modules/ci-runners/gh_oidc.tf
+++ b/terragrunt/modules/ci-runners/gh_oidc.tf
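Review bot: The `// unused` comment on `thumbprint_list` does not say why the value is unused or where it came from, which matters because this is the line most likely to be copied into other modules. AWS no longer uses the thumbprint to validate providers whose TLS certificate chains to a trusted root CA (GitHub's does), but the Terraform argument is still mandatory, so I would write `// Not used by AWS for this provider (its certificate chains to a trusted root CA), but the argument is required; this is the historical GitHub thumbprint.` A second comment on `client_id_list` noting that `sts.amazonaws.com` is the audience any role trusting this provider must check in its `aud` condition would tie the provider to the trust policies that depend on it. Both suggestions are documentation only.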
@@ -7,3 +7,31 @@ resource "aws_iam_openid_connect_provider" "github_actions_provider" {
 // unused
 thumbprint_list = ["1c58a3a8518e8759bf075b76b750d4f2df264fcd"]
 }
+
+resource "aws_iam_role" "github_actions_ci_role" {
+ name = "ci--rust-lang--aws-runners-test"
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Action = [
+ "sts:AssumeRoleWithWebIdentity",
+ ]
+ Principal = {
+ Federated = aws_iam_openid_connect_provider.github_actions_provider.arn
+ }
+ Condition = {
+ // StringLike is used with a wildcard operator (*) to allow any branch, pull request merge branch
+ // of the repository to assume a role in AWS
+ StringLike : {
+ "token.actions.githubusercontent.com:sub" : "repo:rust-lang/aws-runners-test:ref:*"
+ },
+ StringEquals : {
+ "token.actions.githubusercontent.com:aud" : "sts.amazonaws.com"
+ }
+ }
+ }
+ ]
+ })
+}
From d01c787a7a28ae846e79760ae3fa9cb0386bfd74 Mon Sep 17 00:00:00 2001
From: MarcoIeni <11428655+MarcoIeni@users.noreply.github.com>
Date: Fri, 13 Dec 2024 15:12:55 +0100
Subject: [PATCH 4/4] chore(ci-staging): allow authenticating to ecr public gallery

---
 terragrunt/modules/ci-runners/gh_oidc.tf | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/terragrunt/modules/ci-runners/gh_oidc.tf b/terragrunt/modules/ci-runners/gh_oidc.tf
index f33083c9..a6ff2905 100644
--- a/terragrunt/modules/ci-runners/gh_oidc.tf
+++ b/terragrunt/modules/ci-runners/gh_oidc.tf
@@ -35,3 +35,23 @@ resource "aws_iam_role" "github_actions_ci_role" {
 ]
 })
 }
+
+# Allow GitHub Actions to authenticate to AWS ECR Public Gallery
+resource "aws_iam_role_policy" "github_actions_ecr_policy" {
+ name = "ecr-auth-policy"
+ role = aws_iam_role.github_actions_ci_role.id
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Action = [
+ "ecr-public:GetAuthorizationToken",
+ "sts:GetServiceBearerToken"
+ ]
+ Resource = "*"
+ }
+ ]
+ })
+}
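Review bot: The comment above `StringLike` says the pattern admits "any branch, pull request merge branch", but `repo:rust-lang/aws-runners-test:ref:*` only matches `sub` claims of the form `ref:refs/heads/...` and `ref:refs/tags/...`; a workflow triggered by `pull_request` presents `repo:rust-lang/aws-runners-test:pull_request` as its subject, which this condition rejects. If that is intended, the comment should read `// StringLike with a wildcard (*) lets any branch or tag of the repository assume the role; pull_request-triggered runs are not matched`; if PR runs are meant to assume the role, the value needs to become a list such as `["repo:rust-lang/aws-runners-test:ref:*", "repo:rust-lang/aws-runners-test:pull_request"]`. Since this targets a test repository the broad `ref:*` match is probably acceptable, but a role reused for production should be narrowed to specific branches or an `environment:` subject, and a comment saying which of these the role is for would make that review easier later. Minor style point: the `Condition` block mixes `StringLike : {` with the `Effect =` / `Action =` form used in the rest of the policy; `=` throughout would match the existing object syntax.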
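Review bot: The header comment `# Allow GitHub Actions to authenticate to AWS ECR Public Gallery` uses `#` while every other comment in this file (`// unused`, `// StringLike ...`) uses `//`; for consistency it should be `// Allow GitHub Actions to authenticate to AWS ECR Public Gallery`. `Resource = "*"` is correct here because neither `ecr-public:GetAuthorizationToken` nor `sts:GetServiceBearerToken` supports resource-level permissions, and a short comment to that effect on the `Resource` line would pre-empt the usual wildcard-resource objection in review. As written, `sts:GetServiceBearerToken` is not tied to ECR Public in particular; it may be possible to restrict it with a `Condition` on the `sts:AWSServiceName` key, as AWS documents for CodeArtifact, but whether ECR Public honours that key should be verified before adopting it.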