wip! repo-specific permissions

nextstrain · Feb 17, 2024 · b1ceb76 · b1ceb76
1 parent 6f45b37
commit b1ceb76
Showing 1 changed file with 92 additions and 2 deletions.
diff --git a/env/production/aws-iam-role-GitHubActionsRoleNextstrainBatchJobs.tf b/env/production/aws-iam-role-GitHubActionsRoleNextstrainBatchJobs.tf
@@ -1,3 +1,25 @@
+locals {
+  # XXX FIXME: define in external file instead
+  pathogens = [
+    {
+      "name": "mpox",
+      "repo": "nextstrain/mpox",
+      "prefix": "mpox_"
+    },
+    {
+      "name": "rsv",
+      "repo": "nextstrain/rsv",
+      "prefix": "rsv_"
+    },
+    {
+      "name": "seasonal-flu",
+      "repo": "nextstrain/seasonal-flu",
+      "prefix": "flu_seasonal_"
+    },
+    # XXX FIXME: ncov, ncov-ingest, forecasts-ncov
+  ]
+}
+
 import {
   to = aws_iam_role.GitHubActionsRoleNextstrainBatchJobs
   id = "GitHubActionsRoleNextstrainBatchJobs"
@@ -21,7 +43,12 @@ resource "aws_iam_role" "GitHubActionsRoleNextstrainBatchJobs" {
         "Condition": {
           "StringLike": {
             "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
-            "token.actions.githubusercontent.com:sub": "repo:nextstrain/.github:*"
+            "token.actions.githubusercontent.com:sub": concat(
+              [for repo in local.pathogens[*].repo: "repo:${repo}:*"],
+
+              # For testing our pathogen-repo-build.yaml workflow
+              ["repo:nextstrain/.github:*"],
+            )
           }
         },
       }
@@ -33,5 +60,68 @@ resource "aws_iam_role" "GitHubActionsRoleNextstrainBatchJobs" {
     aws_iam_policy.NextstrainJobsAccessToBucket.arn,
     aws_iam_policy.NextstrainJobsAccessToLogs.arn,
   ]
-  inline_policy {}
+  dynamic "inline_policy" {
+    for_each = local.pathogens
+    iterator = pathogen
+    content {
+      name = pathogen.value.name
+      policy = jsonencode({
+        "Version": "2012-10-17",
+        "Statement": [
+          # Technically this whole statement (ListPublicData) is unnecessary
+          # since the nextstrain-data and nextstrain-staging buckets already
+          # allow a superset of this with their bucket policies, but it's good to
+          # be explicit about what permissions we require?
+          #   -trs, 16 Feb 2024
+          {
+            "Sid": "ListPublicData",
+            "Effect": "Allow",
+            "Action": [
+              "s3:ListBucket"
+            ],
+            "Resource": [
+              "arn:aws:s3:::nextstrain-data",
+              "arn:aws:s3:::nextstrain-staging",
+            ],
+            "Condition": {
+              "StringLike": {
+                "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
+                "token.actions.githubusercontent.com:sub": "repo:${pathogen.value.repo}:*",
+                "s3:prefix": [
+                  "files/workflows/${pathogen.value.name}/*",
+                  "files/datasets/${pathogen.value.name}/*",
+                  "${pathogen.value.prefix}*.json",
+                ]
+              }
+            }
+          },
+          {
+            "Sid": "ReadWritePublicData",
+            "Effect": "Allow",
+            "Action": [
+              "s3:GetObject",
+              "s3:PutObject"
+            ],
+            "Resource": [
+              "arn:aws:s3:::nextstrain-data/files/workflows/${pathogen.value.name}/*",
+              "arn:aws:s3:::nextstrain-data/files/datasets/${pathogen.value.name}/*",
+              "arn:aws:s3:::nextstrain-data/${pathogen.value.prefix}*.json",
+              "arn:aws:s3:::nextstrain-staging/files/workflows/${pathogen.value.name}/*",
+              "arn:aws:s3:::nextstrain-staging/files/datasets/${pathogen.value.name}/*",
+              "arn:aws:s3:::nextstrain-staging/${pathogen.value.prefix}*.json",
+              "arn:aws:s3:::nextstrain-staging/trial_*_${pathogen.value.prefix}*.json"
+            ],
+            "Condition": {
+              "StringLike": {
+                "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
+                "token.actions.githubusercontent.com:sub": "repo:${pathogen.value.repo}:*",
+              }
+            }
+          },
+          # XXX FIXME: add general statements for nextstrain-data-private
+          # XXX FIXME: add custom statements for ncov, ncov-ingest, forecasts-ncov
+        ]
+      })
+    }
+  }
 }