Add access for new bors to PUT into artifacts bucket

This grants access under a new directory prefix (rustc-builds-try) as a
temporary measure to avoid mistakes overwriting any actual artifacts. It
might be a good idea in any case to scope try builds into a different
bucket or place than real builds.

Author: Mark-Simulacrum

terraform/rustc-ci/environments.tf

@@ -5,8 +5,9 @@ module "public" {
     aws.east1 = aws.east1
   }
 
-  iam_prefix = "ci--rust-lang--rust"
-  repo       = "rust-lang-ci/rust"
+  iam_prefix  = "ci--rust-lang--rust"
+  repo        = "rust-lang-ci/rust"
+  source_repo = "rust-lang/rust"
 
   caches_bucket    = "rust-lang-ci-sccache2"
   caches_domain    = "ci-caches.rust-lang.org"
@@ -17,7 +18,7 @@ module "public" {
 
   delete_caches_after_days    = 90
   delete_artifacts_after_days = 168
-  response_policy_id = data.terraform_remote_state.shared.outputs.mdbook_response_policy
+  response_policy_id          = data.terraform_remote_state.shared.outputs.mdbook_response_policy
 }
 
 module "security" {
@@ -27,13 +28,14 @@ module "security" {
     aws.east1 = aws.east1
   }
 
-  iam_prefix = "ci--rust-lang-ci--rsec"
-  repo       = "rust-lang-ci/rsec"
+  iam_prefix  = "ci--rust-lang-ci--rsec"
+  repo        = "rust-lang-ci/rsec"
+  source_repo = "rust-lang-ci/rsec"
 
   caches_bucket    = "rust-lang-security-ci-caches"
   artifacts_bucket = "rust-lang-security-ci-artifacts"
 
   delete_caches_after_days    = 30
   delete_artifacts_after_days = 90
-  response_policy_id = data.terraform_remote_state.shared.outputs.mdbook_response_policy
+  response_policy_id          = data.terraform_remote_state.shared.outputs.mdbook_response_policy
 }

terraform/rustc-ci/impl/_terraform.tf

@@ -56,7 +56,12 @@ variable "repo" {
   type        = string
 }
 
+variable "source_repo" {
+  description = "GitHub repository to authorize for roles"
+  type        = string
+}
+
 variable "response_policy_id" {
   description = "CDN response policy"
-  type = string
+  type        = string
 }

terraform/rustc-ci/impl/artifacts.tf

@@ -149,3 +149,67 @@ resource "aws_s3_bucket_inventory" "artifacts" {
     }
   }
 }
+
+resource "aws_iam_role" "try_builds" {
+  name = "${var.iam_prefix}--try-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = "sts:AssumeRoleWithWebIdentity"
+        Principal = {
+          Federated = "arn:aws:iam::890664054962:oidc-provider/token.actions.githubusercontent.com"
+        }
+        Condition = {
+          StringEquals = {
+            "token.actions.githubusercontent.com:sub" = "repo:${var.repo}:ref:refs/heads/automation/bors/try"
+          }
+        }
+      }
+    ]
+  })
+
+  inline_policy {
+    name = "put-objects"
+    policy = jsonencode({
+      Version = "2012-10-17"
+      Statement = [
+        {
+          Sid    = "ArtifactsBucketWrite"
+          Effect = "Allow"
+          Resource = [
+            "${aws_s3_bucket.artifacts.arn}/rustc-builds-try",
+            "${aws_s3_bucket.artifacts.arn}/rustc-builds-try/*",
+            "${aws_s3_bucket.artifacts.arn}/rustc-builds-try-alt",
+            "${aws_s3_bucket.artifacts.arn}/rustc-builds-try-alt/*",
+          ]
+          Action = [
+            "s3:GetObject",
+            "s3:DeleteObject",
+            "s3:PutObject",
+            "s3:PutObjectAcl",
+          ]
+        },
+        {
+          Sid      = "ArtifactsBucketList"
+          Effect   = "Allow"
+          Resource = "${aws_s3_bucket.artifacts.arn}"
+          Action = [
+            "s3:ListBucket",
+          ],
+        },
+        {
+          Sid      = "HeadBuckets",
+          Effect   = "Allow",
+          Resource = "*"
+          Action = [
+            "s3:HeadBucket",
+            "s3:GetBucketLocation",
+          ],
+        },
+      ]
+    })
+  }
+}