From 538385e4d1acd5359825e22f505f4d8bd073c2bf Mon Sep 17 00:00:00 2001
From: Jover Lee
Date: Fri, 7 Jun 2024 13:16:47 -0700
Subject: [PATCH] Allow seasonal-flu/deploy-private-nextflu to assume GitHubActionsRoleNextstrainBatchJobs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We cannot use the usual `pathogen-repo-build` workflow for the seasonal flu deploy-private-nextflu workflow because these are private builds that should not be surfaced through public GH Action artifacts.¹

Adds workflow_ref to the GitHub OIDC token's sub claim since we're conditioning on a regular workflow not a reusable workflow that's been called.

¹

Co-authored-by: Thomas Sibley
---
 ...am-role-GitHubActionsRoleNextstrainBatchJobs.tf | 14 ++++++++++----
 ...ws-iam-role-GitHubActionsRoleNextstrainRepo@.tf | 2 +-
 env/production/github-oidc.tf | 5 ++++-
 3 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/env/production/aws-iam-role-GitHubActionsRoleNextstrainBatchJobs.tf b/env/production/aws-iam-role-GitHubActionsRoleNextstrainBatchJobs.tf
index 76c4920..f44994b 100644
--- a/env/production/aws-iam-role-GitHubActionsRoleNextstrainBatchJobs.tf
+++ b/env/production/aws-iam-role-GitHubActionsRoleNextstrainBatchJobs.tf
@@ -22,10 +22,16 @@ resource "aws_iam_role" "GitHubActionsRoleNextstrainBatchJobs" {
 "Condition": {
 "StringLike": {
 "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
- "token.actions.githubusercontent.com:sub": [
- for repo in keys(local.repo_pathogens):
- "repo:nextstrain/${repo}:*:job_workflow_ref:nextstrain/.github/.github/workflows/pathogen-repo-build.yaml@*"
- ]
+ "token.actions.githubusercontent.com:sub": flatten([
+ [for repo in keys(local.repo_pathogens):
+ "repo:nextstrain/${repo}:*:job_workflow_ref:nextstrain/.github/.github/workflows/pathogen-repo-build.yaml@*:workflow_ref:*"],
+
+ # Special case for seasonal flu's deploy-private-nextflu workflow which needs to download the private builds
+ # from AWS Batch before bundling/deploying them through Netlify.
+ # This special case can be removed when we finally sunset the private site.
+ # -Jover, 07 June 2024
+ "repo:nextstrain/seasonal-flu:*:job_workflow_ref::workflow_ref:nextstrain/seasonal-flu/.github/workflows/deploy-private-nextflu.yaml",
+ ])
 }
 },
 }
diff --git a/env/production/aws-iam-role-GitHubActionsRoleNextstrainRepo@.tf b/env/production/aws-iam-role-GitHubActionsRoleNextstrainRepo@.tf
index 41d6434..0fbdaaf 100644
--- a/env/production/aws-iam-role-GitHubActionsRoleNextstrainRepo@.tf
+++ b/env/production/aws-iam-role-GitHubActionsRoleNextstrainRepo@.tf
@@ -19,7 +19,7 @@ resource "aws_iam_role" "GitHubActionsRoleNextstrainRepo" {
 "Condition": {
 "StringLike": {
 "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
- "token.actions.githubusercontent.com:sub": "repo:nextstrain/${each.key}:*:job_workflow_ref:nextstrain/.github/.github/workflows/pathogen-repo-build.yaml@*"
+ "token.actions.githubusercontent.com:sub": "repo:nextstrain/${each.key}:*:job_workflow_ref:nextstrain/.github/.github/workflows/pathogen-repo-build.yaml@*:workflow_ref:*"
 }
 },
 }
diff --git a/env/production/github-oidc.tf b/env/production/github-oidc.tf
index b6494bf..1b916dc 100644
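Review bot: The new seasonal-flu subject pins `workflow_ref` to the bare workflow path, but that claim is normally rendered as `owner/repo/path@ref` (the same shape the `job_workflow_ref` entries just above allow for with `@*`), so as written the `StringLike` value looks like it will never match a real token and the role will refuse the deploy workflow rather than admit it. Pinning the ref explicitly is the better fix, e.g. `"repo:nextstrain/seasonal-flu:*:job_workflow_ref::workflow_ref:nextstrain/seasonal-flu/.github/workflows/deploy-private-nextflu.yaml@refs/heads/<default-branch>",` (placeholder branch), because the `:*:` context segment already admits any branch or pull-request ref, and a ref-pinned `workflow_ref` is what keeps a modified copy of the workflow on another branch from assuming the role. The empty `job_workflow_ref::` segment also rests on the assumption that a regular (non-reusable) workflow's token carries no `job_workflow_ref`; I'd verify that against a decoded token from an actual run before merging, since if GitHub populates it with the workflow's own ref this entry again fails closed. Capturing the expected literal `sub` in the comment block would let the next person check it against a real token.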
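Review bot: The subject string here encodes, positionally, the claim order declared in `env/production/github-oidc.tf` (`repo`, `context`, `job_workflow_ref`, `workflow_ref`), and nothing in this file says so; a future reorder or insertion in that template would silently stop every match here and in the BatchJobs role (fail-closed, but hard to diagnose from an AccessDenied). I'd add above the condition: `# Format mirrors the claim order in github-oidc.tf: repo:<owner/repo>:<context>:job_workflow_ref:<ref>:workflow_ref:<ref>`. The trailing `workflow_ref:*` admits any calling workflow in the repo, which is presumably intended because the gate is the reusable `pathogen-repo-build` workflow rather than the caller; a one-line comment saying so would keep someone from either tightening or loosening it by mistake.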
--- a/env/production/github-oidc.tf
+++ b/env/production/github-oidc.tf
@@ -9,7 +9,10 @@ resource "github_actions_repository_oidc_subject_claim_customization_template" "
 "repo",
 "context",
- # …plus the //@ of the workflow obtaining the token, if any.
+ # …plus the //@ of the *reusable* workflow obtaining the token, if any.
 "job_workflow_ref",
+
+ # …plus the //@ of the workflow obtaining the token.
+ "workflow_ref",
 ]
 }
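Review bot: The comment on the added `workflow_ref` entry says what the claim names but not that it is suffixed with `@<ref>`, and the `//@` in both comments reads as if `<owner>/<repo>/<path>@<ref>` lost its angle brackets somewhere (possibly in rendering rather than in the source); either way, the difference between `job_workflow_ref` and `workflow_ref` for a regular workflow is the whole reason this claim is being added and deserves one more line. I'd extend the new comment with `# For a regular (non-reusable) workflow this is the workflow's own <owner>/<repo>/<path>@<ref>; it is the claim IAM trust policies should pin when no reusable workflow is involved.` Since this list defines the positional `sub` format consumed by the aws-iam-role-*.tf trust policies, a note that the order is load-bearing would also help: appending a claim stays compatible with existing conditions that end in `@*`, whereas inserting or reordering breaks every match. The resource block continues outside the hunk.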