Merge pull request #428 from jdno/rustup-builds

Create S3 bucket for Rustup build artifacts
rust-lang · Jul 1, 2024 · ae202dc · ae202dc
2 parents 835f4b7 + 68b75d9
commit ae202dc
Show file tree

Hide file tree

Showing 4 changed files with 78 additions and 0 deletions.
diff --git a/terragrunt/accounts/legacy/rustup-prod/rustup/.terraform.lock.hcl b/terragrunt/accounts/legacy/rustup-prod/rustup/.terraform.lock.hcl
diff --git a/terragrunt/accounts/legacy/rustup-prod/rustup/terragrunt.hcl b/terragrunt/accounts/legacy/rustup-prod/rustup/terragrunt.hcl
@@ -0,0 +1,8 @@
+terraform {
+  source = "../../../../..//terragrunt/modules/rustup"
+}
+
+include {
+  path           = find_in_parent_folders()
+  merge_strategy = "deep"
+}
diff --git a/terragrunt/modules/rustup/_terraform.tf b/terragrunt/modules/rustup/_terraform.tf
@@ -0,0 +1,11 @@
+terraform {
+  required_version = "~> 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.20"
+    }
+  }
+}
+
diff --git a/terragrunt/modules/rustup/s3.tf b/terragrunt/modules/rustup/s3.tf
@@ -0,0 +1,34 @@
+# The rust-lang/rustup repository on GitHub builds and uploads Rustup artifacts
+# to this S3 bucket.
+resource "aws_s3_bucket" "builds" {
+  provider = aws.us-east-1
+
+  bucket = "rustup-builds"
+}
+
+module "ci_role" {
+  source = "../gha-oidc-role"
+  org    = "rust-lang"
+  repo   = "rustup"
+  branch = "master"
+}
+
+resource "aws_iam_policy" "upload_builds" {
+  name = "upload-rustup-builds"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid      = "WriteToRustupBuilds"
+        Effect   = "Allow"
+        Action   = ["s3:PutObject"]
+        Resource = ["${aws_s3_bucket.builds.arn}/*"]
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "ci_upload_builds" {
+  role       = module.ci_role.role.id
+  policy_arn = aws_iam_policy.upload_builds.arn
+}