From 05ef439336f0d02771d51f0c388ef994acf201e1 Mon Sep 17 00:00:00 2001
From: Austin Abro <37223396+AustinAbro321@users.noreply.github.com>
Date: Mon, 22 Jul 2024 16:50:14 -0400
Subject: [PATCH] chore: updating permissions of eks & ecr nightly tests (#2745)
Signed-off-by: Austin Abro
---
 .github/workflows/nightly-ecr.yml | 5 +++--
 .github/workflows/nightly-eks.yml | 8 ++++----
 packages/distros/eks/eks.yaml | 17 +++++++++++++++++
 src/test/nightly/ecr_publish_test.go | 4 ++--
 4 files changed, 26 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/nightly-ecr.yml b/.github/workflows/nightly-ecr.yml
index 655d3c4dd1..f922e89dba 100644
--- a/.github/workflows/nightly-ecr.yml
+++ b/.github/workflows/nightly-ecr.yml
@@ -2,7 +2,6 @@ name: Test ECR Publishing
 on:
   schedule:
     - cron: '0 7 * * * ' ## Every day at 0700 UTC
-
   workflow_dispatch: ## Give us the ability to run this manually
@@ -28,11 +27,13 @@ jobs:
       - name: Build the Zarf binary
         run: make build-cli-linux-amd
-      - name: Configure AWS Credentials
+      - name: Auth with AWS
         uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
         with:
           role-to-assume: ${{ secrets.AWS_NIGHTLY_ROLE }}
+          role-session-name: ${{ github.job || github.event.client_payload.pull_request.head.sha || github.sha }}
           aws-region: us-east-1
+          role-duration-seconds: 3600
       # NOTE: The aws cli will need to be explicitly installed on self-hosted runners
       - name: Login to the ECR Registry
diff --git a/.github/workflows/nightly-eks.yml b/.github/workflows/nightly-eks.yml
index c4bee3432f..1fe4f4ad7c 100644
--- a/.github/workflows/nightly-eks.yml
+++ b/.github/workflows/nightly-eks.yml
@@ -2,7 +2,6 @@ name: Test EKS Cluster
 on:
   schedule:
     - cron: '0 7 * * *' ## Every day at 0700 UTC
-
   workflow_dispatch: ## Give us the ability to run this manually
     inputs:
       cluster_name:
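Review bot: The `role-session-name` expression added to the `Auth with AWS` step never reaches its fallbacks: `github.job` is populated for every job, so every nightly run assumes `AWS_NIGHTLY_ROLE` under the same session name and CloudTrail cannot attribute an action to a particular run. The `client_payload.pull_request.head.sha` branch is dead for another reason too, since this workflow only has `schedule` and `workflow_dispatch` triggers. Consider `role-session-name: ${{ github.job }}-${{ github.run_id }}-${{ github.run_attempt }}`, which is unique per attempt and stays inside STS's 64-character, `[\w+=,.@-]` constraint on session names. The new `role-duration-seconds: 3600` is reasonable for a short publish job and now matches the EKS workflow.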
@@ -36,12 +35,13 @@ jobs:
       - name: Build binary and zarf packages
         uses: ./.github/actions/packages
-      - name: Configure AWS Credentials
+      - name: Auth with AWS
         uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
         with:
           role-to-assume: ${{ secrets.AWS_NIGHTLY_ROLE }}
+          role-session-name: ${{ github.job || github.event.client_payload.pull_request.head.sha || github.sha }}
           aws-region: us-east-1
-          role-duration-seconds: 14400
+          role-duration-seconds: 3600
       - name: Build the eks package
         run: ./build/zarf package create packages/distros/eks -o build --confirm
@@ -55,7 +55,7 @@ jobs:
           --confirm
       - name: Run tests
-        run: make test-e2e ARCH=amd64
+        run: make test-e2e-with-cluster ARCH=amd64
       - name: Teardown the cluster
         if: always()
diff --git a/packages/distros/eks/eks.yaml b/packages/distros/eks/eks.yaml
index 50ae84a197..530da71f8c 100644
--- a/packages/distros/eks/eks.yaml
+++ b/packages/distros/eks/eks.yaml
@@ -5,15 +5,28 @@ metadata:
   name: ###ZARF_VAR_EKS_CLUSTER_NAME###
   region: ###ZARF_VAR_EKS_CLUSTER_REGION###
   version: "###ZARF_VAR_EKS_CLUSTER_VERSION###"
+  tags:
+    PermissionsBoundary: "zarf_dev_base_policy"
 iam:
   withOIDC: true
+  serviceRolePermissionsBoundary: "arn:aws:iam::173911864621:policy/zarf_dev_base_policy"
 addons:
   - name: aws-ebs-csi-driver
     version: "###ZARF_VAR_EBS_DRIVER_VERSION###"
     attachPolicyARNs:
       - arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy
+    permissionsBoundary: "arn:aws:iam::173911864621:policy/zarf_dev_base_policy"
+    tags:
+      PermissionsBoundary: "zarf_dev_base_policy"
+
+  - name: vpc-cni
+    attachPolicyARNs:
+      - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
+    permissionsBoundary: "arn:aws:iam::173911864621:policy/zarf_dev_base_policy"
+    tags:
+      PermissionsBoundary: "zarf_dev_base_policy"
 managedNodeGroups:
   - instanceType: ###ZARF_VAR_EKS_INSTANCE_TYPE###
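Review bot: Cutting `role-duration-seconds` from 14400 to 3600 in the `Auth with AWS` step puts the entire job — building the eks package, creating the cluster, deploying, `make test-e2e-with-cluster`, and the `Teardown the cluster` step guarded by `if: always()` — on a single one-hour credential, and nothing in the hunk re-authenticates before teardown. If a run overshoots the hour, teardown fails on expired credentials and the cluster and its node instance role keep running until someone notices, which is the opposite of what tightening the session was meant to achieve. Either confirm the nightly reliably finishes well inside 60 minutes, or add a second `configure-aws-credentials` step with `if: always()` immediately before `Teardown the cluster`, and pair it with a job-level `timeout-minutes` so a hung run fails fast. The job definition starts above the hunk, so I cannot see whether a timeout already exists.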
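Review bot: The permissions-boundary ARN is hard-coded with account `173911864621` in `serviceRolePermissionsBoundary` and in both addons' `permissionsBoundary`, while every neighbouring field (`name`, `region`, `version`, the EBS driver version) is templated via `###ZARF_VAR_…###`. Creating this package against any other account produces IAM roles that reference a boundary policy that does not exist there, so role creation fails, and the natural "fix" of deleting the field removes the control entirely. Consider a `###ZARF_VAR_EKS_PERMISSIONS_BOUNDARY_ARN###` variable defaulted to this ARN in the package definition, so the boundary is enforced without pinning the package to one account; the `PermissionsBoundary` tags are informational only, enforcement comes from the `permissionsBoundary`/`serviceRolePermissionsBoundary` fields, so keep the two in step. The new `vpc-cni` addon also carries no `version`, unlike `aws-ebs-csi-driver`; if eksctl chooses a default, pin it the same way so nightly results are reproducible.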
@@ -21,3 +34,7 @@ managedNodeGroups:
     minSize: 3
     maxSize: 6
     spot: true
+    tags:
+      PermissionsBoundary: "zarf_dev_base_policy"
+    iam:
+      instanceRolePermissionsBoundary: "arn:aws:iam::173911864621:policy/zarf_dev_base_policy"
diff --git a/src/test/nightly/ecr_publish_test.go b/src/test/nightly/ecr_publish_test.go
index 7716ebf270..2d872c16e1 100644
--- a/src/test/nightly/ecr_publish_test.go
+++ b/src/test/nightly/ecr_publish_test.go
@@ -45,8 +45,8 @@ func TestECRPublishing(t *testing.T) {
 	testPackageVersion := "0.0.1"
 	testPackageFileName := fmt.Sprintf("zarf-package-%s-%s-%s.tar.zst", testPackageName, e2e.Arch, testPackageVersion)
 	testPackageLocation := filepath.Join(tmpDir, testPackageFileName)
-	registryURL := "oci://public.ecr.aws/t8y5r5z5/zarf-nightly"
-	upstreamPackageURL := fmt.Sprintf("%s/%s:%s-%s", registryURL, testPackageName, testPackageVersion, e2e.Arch)
+	registryURL := "oci://public.ecr.aws/z6q5p6f7/zarf-nightly"
+	upstreamPackageURL := fmt.Sprintf("%s/%s:%s", registryURL, testPackageName, testPackageVersion)
 	keyFlag := fmt.Sprintf("--key=%s", "./src/test/packages/zarf-test.pub")
 	// Build the package with our test signature
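Review bot: The change to `upstreamPackageURL` silently drops the `-<arch>` suffix from the expected tag, and nothing in the hunk records why, so the next reader comparing it with `testPackageFileName` (which still embeds `e2e.Arch`) will be tempted to put it back. A one-line comment above the assignment, e.g. `// the published tag is the bare package version; keep in sync with how zarf package publish names tags`, adjusted to whatever publish actually does, would prevent that. `registryURL` is likewise hard-coded to one public ECR alias (`z6q5p6f7`), so the test can only be run by whoever holds that account's credentials; reading it from an environment variable with this literal as the fallback would let a contributor point the nightly at their own registry without editing source (`os` is needed if it is not already imported). `TestECRPublishing` begins before the hunk and continues after it.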