Merge pull request #428 from jdno/rustup-builds

Create S3 bucket for Rustup build artifacts

Author: jdno

terragrunt/accounts/legacy/rustup-prod/rustup/.terraform.lock.hcl

@@ -0,0 +1,8 @@
+terraform {
+  source = "../../../../..//terragrunt/modules/rustup"
+}
+
+include {
+  path           = find_in_parent_folders()
+  merge_strategy = "deep"
+}

terragrunt/accounts/legacy/rustup-prod/rustup/terragrunt.hcl

@@ -0,0 +1,11 @@
+terraform {
+  required_version = "~> 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.20"
+    }
+  }
+}
+

terragrunt/modules/rustup/_terraform.tf

@@ -0,0 +1,34 @@
+# The rust-lang/rustup repository on GitHub builds and uploads Rustup artifacts
+# to this S3 bucket.
+resource "aws_s3_bucket" "builds" {
+  provider = aws.us-east-1
+
+  bucket = "rustup-builds"
+}
+
+module "ci_role" {
+  source = "../gha-oidc-role"
+  org    = "rust-lang"
+  repo   = "rustup"
+  branch = "master"
+}
+
+resource "aws_iam_policy" "upload_builds" {
+  name = "upload-rustup-builds"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid      = "WriteToRustupBuilds"
+        Effect   = "Allow"
+        Action   = ["s3:PutObject"]
+        Resource = ["${aws_s3_bucket.builds.arn}/*"]
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "ci_upload_builds" {
+  role       = module.ci_role.role.id
+  policy_arn = aws_iam_policy.upload_builds.arn
+}