-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
wip! Roles for our pathogen-repo-build GitHub Actions workflow
TKTK Resolves: <#4> Related-to: <nextstrain/.github#81>
- Loading branch information
Showing
6 changed files
with
204 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,75 @@ | ||
# Per-pathogen policy, granting access to a single pathogen's data | ||
resource "aws_iam_policy" "NextstrainPathogen" { | ||
for_each = local.pathogen_repos | ||
|
||
name = "NextstrainPathogen@${each.key}" | ||
description = "Provides permissions to upload datasets, workflow files, etc. for a Nextstrain pathogen" | ||
|
||
policy = jsonencode({ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
# Technically we don't need to include the public buckets | ||
# nextstrain-data and nextstrain-staging in this statement since they | ||
# already allow a superset of this with their bucket policies, but it's | ||
# good to be explicit about what permissions we require. | ||
# -trs, 16 Feb 2024 | ||
{ | ||
"Sid": "List", | ||
"Effect": "Allow", | ||
"Action": [ | ||
"s3:ListBucket", | ||
"s3:ListBucketVersions", | ||
"s3:GetBucketLocation", | ||
"s3:GetBucketVersioning", | ||
], | ||
"Resource": [ | ||
"arn:aws:s3:::nextstrain-data", | ||
"arn:aws:s3:::nextstrain-data-private", | ||
"arn:aws:s3:::nextstrain-staging", | ||
], | ||
"Condition": { | ||
"StringLike": { | ||
"s3:prefix": [ | ||
"${each.key}.json", | ||
"${each.key}_*.json", | ||
"files/workflows/${each.key}/*", | ||
"files/datasets/${each.key}/*", | ||
] | ||
} | ||
} | ||
}, | ||
{ | ||
"Sid": "ReadWrite", | ||
"Effect": "Allow", | ||
"Action": [ | ||
"s3:GetObject", | ||
"s3:GetObjectTagging", | ||
"s3:GetObjectVersion", | ||
"s3:GetObjectVersionTagging", | ||
"s3:PutObject", | ||
"s3:PutObjectTagging", | ||
"s3:DeleteObject", | ||
# but NOT s3:DeleteObjectVersion so objects can't be completely wiped | ||
], | ||
"Resource": [ | ||
# Auspice dataset JSONs | ||
"arn:aws:s3:::nextstrain-data/${each.key}.json", | ||
"arn:aws:s3:::nextstrain-data/${each.key}_*.json", | ||
"arn:aws:s3:::nextstrain-staging/${each.key}.json", | ||
"arn:aws:s3:::nextstrain-staging/${each.key}_*.json", | ||
"arn:aws:s3:::nextstrain-staging/trial_*_${each.key}.json", | ||
"arn:aws:s3:::nextstrain-staging/trial_*_${each.key}_*.json", | ||
|
||
# Associated data files | ||
# <https://docs.nextstrain.org/en/latest/reference/data-files.html> | ||
"arn:aws:s3:::nextstrain-data/files/workflows/${each.key}/*", | ||
"arn:aws:s3:::nextstrain-data/files/datasets/${each.key}/*", | ||
"arn:aws:s3:::nextstrain-data-private/files/workflows/${each.key}/*", | ||
"arn:aws:s3:::nextstrain-data-private/files/datasets/${each.key}/*", | ||
"arn:aws:s3:::nextstrain-staging/files/workflows/${each.key}/*", | ||
"arn:aws:s3:::nextstrain-staging/files/datasets/${each.key}/*", | ||
], | ||
}, | ||
] | ||
}) | ||
} |
43 changes: 43 additions & 0 deletions
43
env/production/aws-iam-policy-NextstrainPathogenNcovPrivate.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
# Single-pathogen policy, special-case for the historical reason that | ||
# nextstrain-ncov-private predates the more general nextstrain-data-private. | ||
resource "aws_iam_policy" "NextstrainPathogenNcovPrivate" { | ||
name = "NextstrainPathogen@ncov+private" | ||
description = "Provides permissions to upload datasets, workflow files, etc. to the ncov-private bucket for the Nextstrain ncov pathogen" | ||
|
||
policy = jsonencode({ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Sid": "NcovPrivateList", | ||
"Effect": "Allow", | ||
"Action": [ | ||
"s3:ListBucket", | ||
"s3:ListBucketVersions", | ||
"s3:GetBucketLocation", | ||
"s3:GetBucketVersioning", | ||
], | ||
"Resource": [ | ||
"arn:aws:s3:::nextstrain-ncov-private", | ||
], | ||
}, | ||
{ | ||
"Sid": "NcovPrivateReadWrite", | ||
"Effect": "Allow", | ||
"Action": [ | ||
"s3:GetObject", | ||
"s3:GetObjectTagging", | ||
"s3:GetObjectVersion", | ||
"s3:GetObjectVersionTagging", | ||
"s3:PutObject", | ||
"s3:PutObjectTagging", | ||
"s3:DeleteObject", | ||
# but NOT s3:DeleteObjectVersion so objects can't be completely wiped | ||
], | ||
"Resource": [ | ||
# This bucket is akin to nextstrain-data-private/files/{workflows,datasets}/ncov/. | ||
"arn:aws:s3:::nextstrain-ncov-private/*", | ||
], | ||
}, | ||
] | ||
}) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
# Per-repo role, granting access to pathogens | ||
resource "aws_iam_role" "GitHubActionsRoleNextstrainRepo" { | ||
for_each = local.repo_pathogens | ||
|
||
name = "GitHubActionsRoleNextstrainRepo@${each.key}" | ||
description = "Provides permissions to upload datasets, workflow files, etc. for a Nextstrain pathogen to select repos and select GitHub Actions OIDC workflows." | ||
|
||
max_session_duration = 43200 # seconds (12 hours) | ||
|
||
assume_role_policy = jsonencode({ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Effect": "Allow", | ||
"Principal": { | ||
"Federated": aws_iam_openid_connect_provider.github-actions.arn | ||
}, | ||
"Action": "sts:AssumeRoleWithWebIdentity", | ||
"Condition": { | ||
"StringLike": { | ||
"token.actions.githubusercontent.com:aud": "sts.amazonaws.com", | ||
"token.actions.githubusercontent.com:sub": "repo:nextstrain/${each.key}:*:job_workflow_ref:nextstrain/.github/.github/workflows/pathogen-repo-build.yaml@*" | ||
} | ||
}, | ||
} | ||
] | ||
}) | ||
|
||
managed_policy_arns = flatten([ | ||
# Pathogen-specific permissions to standard public/private buckets | ||
[for p in each.value: aws_iam_policy.NextstrainPathogen[p].arn], | ||
|
||
# Special-case permissions to nextstrain-ncov-private bucket | ||
contains(each.value, "ncov") | ||
? [aws_iam_policy.NextstrainPathogenNcovPrivate.arn] | ||
: [], | ||
|
||
# Builds inside the AWS Batch runtime need access to the jobs bucket. | ||
aws_iam_policy.NextstrainJobsAccessToBucket.arn, | ||
]) | ||
|
||
inline_policy {} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
resource "github_actions_repository_oidc_subject_claim_customization_template" "nextstrain" { | ||
for_each = toset(concat(keys(local.repo_pathogens), [".github"])) | ||
repository = each.key | ||
|
||
# <https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect> | ||
use_default = false | ||
include_claim_keys = [ | ||
# The GitHub default… | ||
"repo", | ||
"context", | ||
|
||
# …plus the <org>/<repo>/<path>@<ref> of the workflow obtaining the token, if any. | ||
"job_workflow_ref", | ||
] | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
locals { | ||
# Some resources (roles, policies, etc) make sense oriented per-pathogen | ||
# (logical), some per-repo (physical). Use two maps to support this more | ||
# easily. By design our repo names are usually equal to the pathogen names, | ||
# but they're two separate things/namespaces. | ||
# -trs, 20 May 2024 | ||
|
||
pathogen_repos = tomap({ | ||
# pathogen name = [repo name, …] | ||
"dengue" = ["dengue"], | ||
"forecasts-ncov" = ["forecasts-ncov"], | ||
"measles" = ["measles"], | ||
"mpox" = ["mpox"], | ||
"ncov" = ["ncov", "ncov-ingest"], | ||
"rsv" = ["rsv"], | ||
"seasonal-flu" = ["seasonal-flu"], | ||
"zika" = ["zika"], | ||
}) | ||
|
||
# repo name = [pathogen name, …] | ||
repo_pathogens = transpose(local.pathogen_repos) | ||
} |