
Commit 10c525e

Revert "Limit write access to specific prefix"
See the write-up here: #355 (comment). We decided not to pursue this for the time being and to revisit it at a later point. This reverts commit 2f7aefc.
1 parent bbb7578 commit 10c525e


2 files changed

+8
-51
lines changed


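--- a/terraform/rustc-ci/impl/artifacts.tf
+++ b/terraform/rustc-ci/impl/artifacts.tf
@@ -150,12 +150,8 @@ resource "aws_s3_bucket_inventory" "artifacts" {
 }
 }
 
-data "aws_iam_openid_connect_provider" "gha" {
-url = "https://token.actions.githubusercontent.com"
-}
-
-resource "aws_iam_role" "oidc" {
-name = "${var.iam_prefix}--role"
+resource "aws_iam_role" "try_builds" {
+name = "${var.iam_prefix}--try-role"
 
 assume_role_policy = jsonencode({
 Version = "2012-10-17"
@@ -164,29 +160,11 @@ resource "aws_iam_role" "oidc" {
 Effect = "Allow"
 Action = "sts:AssumeRoleWithWebIdentity"
 Principal = {
-Federated = "cognito-identity.amazonaws.com"
-}
-Condition = {
-StringEquals = {
-"cognito-identity.amazonaws.com:aud" = "${aws_cognito_identity_pool.main.id}"
-// This forces the caller to set the session name according to the caller's run & sha
-"sts:RoleSessionName" = "$${aws:RequestTag/run_id}@$${aws:RequestTag/sha}"
-"aws:RequestTag/repository" = "${var.source_repo}"
-// For now only allow new bors & try builds
-"aws:RequestTag/ref" = "refs/heads/automation/bors/try"
-"aws:RequestTag/event_name" = "push"
-}
-}
-},
-{
-Effect = "Allow"
-Action = "sts:TagSession"
-Principal = {
-Federated = "cognito-identity.amazonaws.com"
+Federated = "arn:aws:iam::890664054962:oidc-provider/token.actions.githubusercontent.com"
 }
 Condition = {
 StringEquals = {
-"cognito-identity.amazonaws.com:aud" = "${aws_cognito_identity_pool.main.id}"
+"token.actions.githubusercontent.com:sub" = "repo:${var.repo}:ref:refs/heads/automation/bors/try"
 }
 }
 }
@@ -202,8 +180,10 @@ resource "aws_iam_role" "oidc" {
 Sid = "ArtifactsBucketWrite"
 Effect = "Allow"
 Resource = [
-"${aws_s3_bucket.artifacts.arn}/rustc-builds/$${aws:PrincipalTag/sha}/*",
-"${aws_s3_bucket.artifacts.arn}/rustc-builds-alt/$${aws:PrincipalTag/sha}/*",
+"${aws_s3_bucket.artifacts.arn}/rustc-builds-try",
+"${aws_s3_bucket.artifacts.arn}/rustc-builds-try/*",
+"${aws_s3_bucket.artifacts.arn}/rustc-builds-try-alt",
+"${aws_s3_bucket.artifacts.arn}/rustc-builds-try-alt/*",
 ]
 Action = [
 "s3:GetObject",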
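Review bot: The trust policy that the revert restores in the second hunk constrains only the `sub` claim of the GitHub OIDC token; the `StringEquals` block has no audience condition, so any token the provider accepts for that repository ref satisfies it regardless of which audience it was minted for. The usual companion line is `"token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"` next to the `sub` entry, unless the OIDC provider referenced by the hard-coded ARN already pins its client ID list outside this file, which is not visible here. As a point of style, the `Federated` principal embeds a literal account ID; deriving the provider ARN from a data source or caller identity would keep this file portable across accounts. The `try_builds` role definition continues past the last hunk, so the remainder of its inline policy was not reviewed.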

terraform/rustc-ci/impl/cognito.tf

-23
This file was deleted.
