wip! Roles for our pathogen-repo-build GitHub Actions workflow
Static role permissions policies which are expected to be
narrowed/scoped-down by an inline session policy set by the
pathogen-repo-build workflow.

Problems with this approach noted in review commentary:

  - <nextstrain/.github#81 (comment)>
  - <nextstrain/.github#81 (comment)>

Resolves: <#4>
Related-to: <nextstrain/.github#81>
tsibley committed May 17, 2024
1 parent 64f98c5 commit 3225f90
Showing 3 changed files with 121 additions and 2 deletions.
Expand Up @@ -5,7 +5,7 @@ import {

resource "aws_iam_role" "GitHubActionsRoleNextstrainBatchJobs" {
name = "GitHubActionsRoleNextstrainBatchJobs"
description = "Provides permissions to run jobs on AWS Batch via the Nextstrain CLI to select GitHub Actions OIDC workflows."
description = "Provides permissions to launch and monitor jobs on AWS Batch via the Nextstrain CLI to select GitHub Actions OIDC workflows."

max_session_duration = 43200 # seconds (12 hours)

Expand All @@ -21,7 +21,7 @@ resource "aws_iam_role" "GitHubActionsRoleNextstrainBatchJobs" {
"Condition": {
"StringLike": {
"token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
"token.actions.githubusercontent.com:sub": "repo:nextstrain/.github:*"
"token.actions.githubusercontent.com:sub": "repo:nextstrain/*:*:job_workflow_ref:nextstrain/.github/.github/workflows/pathogen-repo-build.yaml@refs/heads/*",
}
},
}
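--- /dev/null
+++ b/env/production/aws-iam-role-GitHubActionsRoleNextstrainBuilds.tf
@@ -0,0 +1,100 @@
+resource "aws_iam_role" "GitHubActionsRoleNextstrainBuilds" {
+name = "GitHubActionsRoleNextstrainBuilds"
+description = "Provides permissions for a Nextstrain build (i.e. in a pathogen repo) to upload datasets, workflow files, etc. for select GitHub Actions OIDC workflows."
+
+max_session_duration = 43200 # seconds (12 hours)
+
+assume_role_policy = jsonencode({
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"Federated": aws_iam_openid_connect_provider.github-actions.arn
+},
+"Action": "sts:AssumeRoleWithWebIdentity",
+"Condition": {
+"StringLike": {
+"token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
+"token.actions.githubusercontent.com:sub": "repo:nextstrain/*:*:job_workflow_ref:nextstrain/.github/.github/workflows/pathogen-repo-build.yaml@refs/heads/*",
+}
+},
+}
+]
+})
+
+# This role provides a superset of the permissions expected to actually be
+# required by any individual Nextstrain pathogen build. In practice, we
+# further scope down permissions per-repo using an inline session policy
+# declared in our centralized and trusted pathogen-repo-build workflow. The
+# inline session policy is obviously less of a hard boundary, but it still
+# provides guardrails against accidental operations. See also the discussion
+# in <https://github.com/nextstrain/private/issues/96>.
+# -trs, 15 May 2024
+managed_policy_arns = [
+# Builds inside the AWS Batch runtime need access to the jobs bucket.
+aws_iam_policy.NextstrainJobsAccessToBucket.arn,
+]
+
+# All builds need a subset of this access for downloading starting data and
+# publishing results.
+inline_policy {
+name = "S3Access"
+policy = jsonencode({
+"Version": "2012-10-17",
+"Statement": [
+# Technically we don't need to include the public buckets
+# nextstrain-data and nextstrain-staging in this statement since they
+# already allow a superset of this with their bucket policies, but it's
+# good to be explicit about what permissions we require.
+# -trs, 16 Feb 2024
+{
+"Sid": "List",
+"Effect": "Allow",
+"Action": [
+"s3:ListBucket",
+"s3:ListBucketVersions",
+"s3:GetBucketLocation",
+"s3:GetBucketVersioning",
+],
+"Resource": [
+"arn:aws:s3:::nextstrain-data",
+"arn:aws:s3:::nextstrain-data-private",
+"arn:aws:s3:::nextstrain-ncov-private",
+"arn:aws:s3:::nextstrain-staging",
+],
+},
+{
+"Sid": "ReadWrite",
+"Effect": "Allow",
+"Action": [
+"s3:GetObject",
+"s3:GetObjectTagging",
+"s3:GetObjectVersion",
+"s3:GetObjectVersionTagging",
+"s3:PutObject",
+"s3:PutObjectTagging",
+"s3:DeleteObject",
+# but NOT s3:DeleteObjectVersion so objects can't be completely wiped
+],
+"Resource": [
+"arn:aws:s3:::nextstrain-data/*.json",
+"arn:aws:s3:::nextstrain-data/files/workflows/*",
+"arn:aws:s3:::nextstrain-data/files/datasets/*",
+
+"arn:aws:s3:::nextstrain-data-private/*.json",
+"arn:aws:s3:::nextstrain-data-private/files/workflows/*",
+"arn:aws:s3:::nextstrain-data-private/files/datasets/*",
+
+# This bucket is akin to nextstrain-data-private/files/{workflows,datasets}/ncov/.
+"arn:aws:s3:::nextstrain-ncov-private/*",
+
+"arn:aws:s3:::nextstrain-staging/*.json",
+"arn:aws:s3:::nextstrain-staging/files/workflows/*",
+"arn:aws:s3:::nextstrain-staging/files/datasets/*",
+],
+},
+]
+})
+}
+}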
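Review bot: The trust policy's `sub` condition ends in `pathogen-repo-build.yaml@refs/heads/*`, so a token obtained via any branch of nextstrain/.github — not only the reviewed default branch — satisfies it, which undercuts the "centralized and trusted" workflow that the comment above `managed_policy_arns` relies on to apply the scoped-down inline session policy: anyone able to push a branch to nextstrain/.github, or a caller repo that pins a feature branch of the reusable workflow, runs with this role's full permission set. Consider pinning the ref to the default branch or a tag, e.g. `...pathogen-repo-build.yaml@refs/heads/master",` (substitute the actual default branch), and moving the `aud` key to a `StringEquals` block since it carries no wildcard. Separately, the `# but NOT s3:DeleteObjectVersion` remark only prevents a full wipe if versioning is enabled on all four buckets, which this file does not show; I would extend it to `# ... (assumes versioning is enabled on every bucket listed here — confirm)`.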
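--- /dev/null
+++ b/env/production/github-oidc.tf
@@ -0,0 +1,19 @@
+data "github_repositories" "nextstrain" {
+query = "org:nextstrain"
+}
+
+resource "github_actions_repository_oidc_subject_claim_customization_template" "nextstrain" {
+for_each = toset(data.github_repositories.nextstrain.names)
+repository = each.key
+
+# <https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect>
+use_default = false
+include_claim_keys = [
+# The GitHub default…
+"repo",
+"context",
+
+# …plus the <org>/<repo>/<path>@<ref> of the workflow obtaining the token, if any.
+"job_workflow_ref",
+]
+}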
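Review bot: The template is applied only to the repos the `org:nextstrain` search returns at apply time, so a repo created afterwards issues tokens whose `sub` lacks the `job_workflow_ref` segment and will be rejected by the roles' trust conditions until the next `terraform apply`; that fails closed, but the file should say so, e.g. `# NOTE: repos created after the last apply are not covered until the next one.`. The search also returns archived repos and, as I understand it, is bounded by the GitHub search API's result cap, so the covered set may differ from "all org repos" — worth confirming against the org. If the provider version in use supports an organization-level template resource, setting that once and letting repos inherit it via `use_default = true` would cover new repos automatically. Finally, the trust policies elsewhere depend on this exact claim order (`repo`, `context`, `job_workflow_ref`); a one-line comment such as `# Order matters: IAM trust policies match on the resulting sub layout.` would guard against a reordering that silently breaks role assumption.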
