Roles for our pathogen-repo-build GitHub Actions workflow #6
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,100 @@ | ||
| resource "aws_iam_role" "GitHubActionsRoleNextstrainBuilds" { | ||
| name = "GitHubActionsRoleNextstrainBuilds" | ||
| description = "Provides permissions for a Nextstrain build (i.e. in a pathogen repo) to upload datasets, workflow files, etc. for select GitHub Actions OIDC workflows." | ||
|
|
||
| max_session_duration = 43200 # seconds (12 hours) | ||
|
|
||
| assume_role_policy = jsonencode({ | ||
| "Version": "2012-10-17", | ||
| "Statement": [ | ||
| { | ||
| "Effect": "Allow", | ||
| "Principal": { | ||
| "Federated": aws_iam_openid_connect_provider.github-actions.arn | ||
| }, | ||
| "Action": "sts:AssumeRoleWithWebIdentity", | ||
| "Condition": { | ||
| "StringLike": { | ||
| "token.actions.githubusercontent.com:aud": "sts.amazonaws.com", | ||
| "token.actions.githubusercontent.com:sub": "repo:nextstrain/*:*:job_workflow_ref:nextstrain/.github/.github/workflows/pathogen-repo-build.yaml@refs/heads/*", | ||
| } | ||
| }, | ||
| } | ||
| ] | ||
| }) | ||
|
|
||
| # This role provides a superset of the permissions expected to actually be | ||
| # required by any individual Nextstrain pathogen build. In practice, we | ||
| # further scope down permissions per-repo using an inline session policy | ||
| # declared in our centralized and trusted pathogen-repo-build workflow. The | ||
| # inline session policy is obviously less of a hard boundary, but it still | ||
| # provides guardrails against accidental operations. See also the discussion | ||
| # in <https://github.com/nextstrain/private/issues/96>. | ||
| # -trs, 15 May 2024 | ||
| managed_policy_arns = [ | ||
| # Builds inside the AWS Batch runtime need access to the jobs bucket. | ||
| aws_iam_policy.NextstrainJobsAccessToBucket.arn, | ||
|
Comment on lines
+35
to
+36
There was a problem hiding this comment. I'm confused by this. Why does the build require access to the jobs bucket? I thought that was handled by the Nextstrain CLI? Edit: OH duh, it's the workdir for the Batch job so the build needs to be able to write to bucket. There was a problem hiding this comment. Yup. That permission is provided by default by our Batch job role, but that role doesn't apply if you pass in your own credentials. In my ideal world we'd be able to take the union of the default job role + any additional creds passed in, but that's non-trivial in my understanding. |
||
| ] | ||
|
|
||
| # All builds need a subset of this access for downloading starting data and | ||
| # publishing results. | ||
| inline_policy { | ||
| name = "S3Access" | ||
| policy = jsonencode({ | ||
| "Version": "2012-10-17", | ||
| "Statement": [ | ||
| # Technically we don't need to include the public buckets | ||
| # nextstrain-data and nextstrain-staging in this statement since they | ||
| # already allow a superset of this with their bucket policies, but it's | ||
| # good to be explicit about what permissions we require. | ||
| # -trs, 16 Feb 2024 | ||
| { | ||
| "Sid": "List", | ||
| "Effect": "Allow", | ||
| "Action": [ | ||
| "s3:ListBucket", | ||
| "s3:ListBucketVersions", | ||
| "s3:GetBucketLocation", | ||
| "s3:GetBucketVersioning", | ||
| ], | ||
| "Resource": [ | ||
| "arn:aws:s3:::nextstrain-data", | ||
| "arn:aws:s3:::nextstrain-data-private", | ||
| "arn:aws:s3:::nextstrain-ncov-private", | ||
| "arn:aws:s3:::nextstrain-staging", | ||
| ], | ||
| }, | ||
| { | ||
| "Sid": "ReadWrite", | ||
| "Effect": "Allow", | ||
| "Action": [ | ||
| "s3:GetObject", | ||
| "s3:GetObjectTagging", | ||
| "s3:GetObjectVersion", | ||
| "s3:GetObjectVersionTagging", | ||
| "s3:PutObject", | ||
| "s3:PutObjectTagging", | ||
| "s3:DeleteObject", | ||
| # but NOT s3:DeleteObjectVersion so objects can't be completely wiped | ||
| ], | ||
| "Resource": [ | ||
| "arn:aws:s3:::nextstrain-data/*.json", | ||
| "arn:aws:s3:::nextstrain-data/files/workflows/*", | ||
| "arn:aws:s3:::nextstrain-data/files/datasets/*", | ||
|
|
||
| "arn:aws:s3:::nextstrain-data-private/*.json", | ||
| "arn:aws:s3:::nextstrain-data-private/files/workflows/*", | ||
| "arn:aws:s3:::nextstrain-data-private/files/datasets/*", | ||
|
|
||
| # This bucket is akin to nextstrain-data-private/files/{workflows,datasets}/ncov/. | ||
| "arn:aws:s3:::nextstrain-ncov-private/*", | ||
|
|
||
| "arn:aws:s3:::nextstrain-staging/*.json", | ||
| "arn:aws:s3:::nextstrain-staging/files/workflows/*", | ||
| "arn:aws:s3:::nextstrain-staging/files/datasets/*", | ||
| ], | ||
| }, | ||
| ] | ||
| }) | ||
| } | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| data "github_repositories" "nextstrain" { | ||
| query = "org:nextstrain" | ||
| } | ||
|
|
||
| resource "github_actions_repository_oidc_subject_claim_customization_template" "nextstrain" { | ||
| for_each = toset(data.github_repositories.nextstrain.names) | ||
|
There was a problem hiding this comment. Am I understanding this correctly that this is for existing Nextstrain repos? For any new repos, we'd have to re-deploy the Terraform plan? There was a problem hiding this comment. Correct. No code changes required, but a new |
||
| repository = each.key | ||
|
|
||
| # <https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect> | ||
| use_default = false | ||
| include_claim_keys = [ | ||
| # The GitHub default… | ||
| "repo", | ||
| "context", | ||
|
|
||
| # …plus the <org>/<repo>/<path>@<ref> of the workflow obtaining the token, if any. | ||
| "job_workflow_ref", | ||
| ] | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would
@refs/heads/*prevent the use of specific commit hashes, e.g.pathogen-repo-build.yaml@e48956bb5eb0b1db1ba3d614ede9d1a6275b72ec?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, it would… and that was kinda intentional. I was worried that forks could get a specific commit id accessible in workflow calls. Reason is that GitHub (roughly speaking) stores all forks in the same Git storage backend, which means you can do things like view commits in forks via the forked repo, e.g. nextstrain/test-github-actions@0d1fee0 which really comes from https://github.com/tsibley/test-github-actions.
However, GitHub's protected against such attacks:
(In hindsight, of course they have, but they've also had other oversights in Actions before, so I don't think I was wrong to be wary.)