Roles for our pathogen-repo-build GitHub Actions workflow, take 3 #8
Merged
@@ -0,0 +1,75 @@ | ||
# Per-pathogen policy, granting access to a single pathogen's data | ||
resource "aws_iam_policy" "NextstrainPathogen" { | ||
for_each = local.pathogen_repos | ||
|
||
name = "NextstrainPathogen@${each.key}" | ||
description = "Provides permissions to upload datasets, workflow files, etc. for a Nextstrain pathogen" | ||
|
||
policy = jsonencode({ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
# Technically we don't need to include the public buckets | ||
# nextstrain-data and nextstrain-staging in this statement since they | ||
# already allow a superset of this with their bucket policies, but it's | ||
# good to be explicit about what permissions we require. | ||
# -trs, 16 Feb 2024 | ||
{ | ||
"Sid": "List", | ||
"Effect": "Allow", | ||
"Action": [ | ||
"s3:ListBucket", | ||
"s3:ListBucketVersions", | ||
"s3:GetBucketLocation", | ||
"s3:GetBucketVersioning", | ||
], | ||
"Resource": [ | ||
"arn:aws:s3:::nextstrain-data", | ||
"arn:aws:s3:::nextstrain-data-private", | ||
"arn:aws:s3:::nextstrain-staging", | ||
], | ||
"Condition": { | ||
"StringLike": { | ||
"s3:prefix": [ | ||
"${each.key}.json", | ||
"${each.key}_*.json", | ||
"files/workflows/${each.key}/*", | ||
"files/datasets/${each.key}/*", | ||
] | ||
} | ||
} | ||
}, | ||
{ | ||
"Sid": "ReadWrite", | ||
"Effect": "Allow", | ||
"Action": [ | ||
"s3:GetObject", | ||
"s3:GetObjectTagging", | ||
"s3:GetObjectVersion", | ||
"s3:GetObjectVersionTagging", | ||
"s3:PutObject", | ||
"s3:PutObjectTagging", | ||
"s3:DeleteObject", | ||
# but NOT s3:DeleteObjectVersion so objects can't be completely wiped | ||
], | ||
"Resource": [ | ||
# Auspice dataset JSONs | ||
"arn:aws:s3:::nextstrain-data/${each.key}.json", | ||
"arn:aws:s3:::nextstrain-data/${each.key}_*.json", | ||
"arn:aws:s3:::nextstrain-staging/${each.key}.json", | ||
"arn:aws:s3:::nextstrain-staging/${each.key}_*.json", | ||
"arn:aws:s3:::nextstrain-staging/trial_*_${each.key}.json", | ||
"arn:aws:s3:::nextstrain-staging/trial_*_${each.key}_*.json", | ||
|
||
# Associated data files | ||
# <https://docs.nextstrain.org/en/latest/reference/data-files.html> | ||
"arn:aws:s3:::nextstrain-data/files/workflows/${each.key}/*", | ||
"arn:aws:s3:::nextstrain-data/files/datasets/${each.key}/*", | ||
"arn:aws:s3:::nextstrain-data-private/files/workflows/${each.key}/*", | ||
"arn:aws:s3:::nextstrain-data-private/files/datasets/${each.key}/*", | ||
"arn:aws:s3:::nextstrain-staging/files/workflows/${each.key}/*", | ||
"arn:aws:s3:::nextstrain-staging/files/datasets/${each.key}/*", | ||
], | ||
}, | ||
] | ||
}) | ||
} |
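Review bot: the `List` statement's `StringLike` condition on `s3:prefix` also gates `s3:GetBucketLocation` and `s3:GetBucketVersioning`, yet those requests carry no `s3:prefix` key, and a condition whose key is absent from the request context evaluates to false, so those two calls may be denied by this policy even though the intent is plainly to allow them. Consider moving them into a separate statement without the condition (e.g. `"Sid": "BucketMetadata"` with the same three bucket ARNs as `Resource` and no `Condition`) and verifying after apply with `aws s3api get-bucket-location` under the role. A smaller consistency point: the `ReadWrite` statement permits `nextstrain-staging/trial_*_${each.key}.json` objects, but the `List` condition has no matching `trial_*` prefix, so trial datasets can be read and written but not enumerated through this policy alone (the staging bucket policy may still allow it, as the comment notes).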
env/production/aws-iam-policy-NextstrainPathogenNcovPrivate.tf
@@ -0,0 +1,43 @@ | ||
# Single-pathogen policy, special-case for the historical reason that | ||
# nextstrain-ncov-private predates the more general nextstrain-data-private. | ||
resource "aws_iam_policy" "NextstrainPathogenNcovPrivate" { | ||
name = "NextstrainPathogen@ncov+private" | ||
description = "Provides permissions to upload datasets, workflow files, etc. to the ncov-private bucket for the Nextstrain ncov pathogen" | ||
|
||
policy = jsonencode({ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Sid": "NcovPrivateList", | ||
"Effect": "Allow", | ||
"Action": [ | ||
"s3:ListBucket", | ||
"s3:ListBucketVersions", | ||
"s3:GetBucketLocation", | ||
"s3:GetBucketVersioning", | ||
], | ||
"Resource": [ | ||
"arn:aws:s3:::nextstrain-ncov-private", | ||
], | ||
}, | ||
{ | ||
"Sid": "NcovPrivateReadWrite", | ||
"Effect": "Allow", | ||
"Action": [ | ||
"s3:GetObject", | ||
"s3:GetObjectTagging", | ||
"s3:GetObjectVersion", | ||
"s3:GetObjectVersionTagging", | ||
"s3:PutObject", | ||
"s3:PutObjectTagging", | ||
"s3:DeleteObject", | ||
# but NOT s3:DeleteObjectVersion so objects can't be completely wiped | ||
], | ||
"Resource": [ | ||
# This bucket is akin to nextstrain-data-private/files/{workflows,datasets}/ncov/. | ||
"arn:aws:s3:::nextstrain-ncov-private/*", | ||
], | ||
}, | ||
] | ||
}) | ||
} |
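Review bot: the comment `# but NOT s3:DeleteObjectVersion so objects can't be completely wiped` holds only if versioning is enabled on `nextstrain-ncov-private`; on an unversioned bucket `s3:DeleteObject` removes the object outright, and even on a versioned bucket `s3:PutObject` can bury the current version under overwrites. Since this policy grants `nextstrain-ncov-private/*` for the whole bucket rather than per-prefix as in the general policy, it is worth pinning that assumption down: either manage the bucket's versioning state in this Terraform config so the protection is enforced rather than assumed, or state in the comment that versioning is a precondition and where it is configured.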
@@ -0,0 +1,43 @@ | ||
# Per-repo role, granting access to pathogens | ||
resource "aws_iam_role" "GitHubActionsRoleNextstrainRepo" { | ||
for_each = local.repo_pathogens | ||
|
||
name = "GitHubActionsRoleNextstrainRepo@${each.key}" | ||
description = "Provides permissions to upload datasets, workflow files, etc. for a Nextstrain pathogen to select repos and select GitHub Actions OIDC workflows." | ||
|
||
max_session_duration = 43200 # seconds (12 hours) | ||
|
||
assume_role_policy = jsonencode({ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Effect": "Allow", | ||
"Principal": { | ||
"Federated": aws_iam_openid_connect_provider.github-actions.arn | ||
}, | ||
"Action": "sts:AssumeRoleWithWebIdentity", | ||
"Condition": { | ||
"StringLike": { | ||
"token.actions.githubusercontent.com:aud": "sts.amazonaws.com", | ||
"token.actions.githubusercontent.com:sub": "repo:nextstrain/${each.key}:*:job_workflow_ref:nextstrain/.github/.github/workflows/pathogen-repo-build.yaml@*" | ||
} | ||
}, | ||
} | ||
] | ||
}) | ||
|
||
managed_policy_arns = flatten([ | ||
# Pathogen-specific permissions to standard public/private buckets | ||
[for p in each.value: aws_iam_policy.NextstrainPathogen[p].arn], | ||
|
||
# Special-case permissions to nextstrain-ncov-private bucket | ||
contains(each.value, "ncov") | ||
? [aws_iam_policy.NextstrainPathogenNcovPrivate.arn] | ||
: [], | ||
|
||
# Builds inside the AWS Batch runtime need access to the jobs bucket. | ||
aws_iam_policy.NextstrainJobsAccessToBucket.arn, | ||
]) | ||
|
||
inline_policy {} | ||
} |
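Review bot: the `sub` condition ends in `pathogen-repo-build.yaml@*`, so any ref of `nextstrain/.github` is trusted, including feature branches and tags; anyone who can push a branch to that repo can change the reusable workflow there and, by calling it from a `nextstrain/${each.key}` repo at that ref, run arbitrary steps with this role. If only the published workflow should be trusted, pin the ref (e.g. `...pathogen-repo-build.yaml@refs/heads/<default-branch>`) or enumerate the allowed refs, accepting that testing workflow changes then needs a separate path. Two smaller points: the middle `*` also matches every `context` value (any branch, pull request or environment of the caller repo), which the description should state if intentional; and `inline_policy {}` deserves a comment saying it is deliberate, since an empty block makes Terraform remove any inline policy attached out of band rather than being a leftover.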
@@ -0,0 +1,15 @@ | ||
resource "github_actions_repository_oidc_subject_claim_customization_template" "nextstrain" { | ||
for_each = toset(keys(local.repo_pathogens)) | ||
repository = each.key | ||
|
||
# <https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect> | ||
use_default = false | ||
include_claim_keys = [ | ||
# The GitHub default… | ||
"repo", | ||
"context", | ||
|
||
# …plus the <org>/<repo>/<path>@<ref> of the workflow obtaining the token, if any. | ||
"job_workflow_ref", | ||
] | ||
} |
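Review bot: the order of `include_claim_keys` is what produces the positional `repo:…:<context>:job_workflow_ref:…` layout that the role's trust policy matches with `StringLike`, and nothing in either file ties the two together; a comment here pointing at the trust-policy pattern (and one there pointing back) would save the next editor from reordering or extending this list and then wondering why every `AssumeRoleWithWebIdentity` call fails. Also worth stating: this template is a per-repository GitHub setting that a repo admin can reset through the GitHub API outside Terraform. With `use_default = false` here and the `job_workflow_ref` segment required by the trust policy, such a reset fails closed (tokens simply stop matching) rather than open, so it is an availability concern, not an access one.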
@@ -0,0 +1,32 @@ | ||
locals { | ||
# By design our repo names are usually equal to the pathogen names, but | ||
# they're two separate things/namespaces and linkages don't always line up | ||
# 1:1. Some resources (roles, policies, etc) are more naturally oriented | ||
# per-pathogen (logical), some per-repo (physical). Use two maps to support | ||
# this more easily. This will likely evolve in the future to better support | ||
# our needs. | ||
# -trs, 20 May 2024 | ||
|
||
pathogen_repos = tomap({ | ||
# pathogen name = [repo name, …] | ||
"dengue" = ["dengue"], | ||
"forecasts-ncov" = ["forecasts-ncov"], | ||
"measles" = ["measles"], | ||
"mpox" = ["mpox"], | ||
"ncov" = ["ncov", "ncov-ingest"], | ||
"rsv" = ["rsv"], | ||
"seasonal-flu" = ["seasonal-flu"], | ||
"zika" = ["zika"], | ||
}) | ||
|
||
repo_pathogens = merge( | ||
# repo name = [pathogen name, …] | ||
transpose(local.pathogen_repos), | ||
|
||
tomap({ | ||
# For testing. Ensures a role exists but without any pathogen-specific | ||
# permissions. | ||
".github" = [], | ||
}), | ||
) | ||
} |
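Review bot: the comment on `".github" = []` says the test role carries no pathogen-specific permissions, but the role resource attaches `aws_iam_policy.NextstrainJobsAccessToBucket.arn` unconditionally, so that role can still read and write the jobs bucket; the comment should say so, otherwise the role is easy to mistake for a permissionless one. Separately, because `repo_pathogens` is the transpose of `pathogen_repos`, the `ncov-ingest` repo's role receives exactly the same grants as the `ncov` repo's (the `NextstrainPathogen@ncov` policy plus the ncov-private policy); a one-line note that a repo's grants are the union over every pathogen it is linked to would make that trust model explicit for future entries.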
So for any future pathogens, we would add them to this map then deploy the terraform changes with `terraform apply`. Should we auto-deploy the changes on merge into the main branch?
Yep, add to that map then `terraform apply`. We could definitely auto-deploy… but that does require having very broad admin-level access to AWS available in GitHub Actions, which makes me a little nervous. I'd say stick with manual deploys for now.
When we do want to auto-deploy, the best way to gain that admin-level access would be via OIDC again, scoped down tightly to this repo (and ditto for auto-deploying nextstrain.org's Terraform config).