ci: add GHA for publishing CF templates to S3 #2800
The policy used here is the original one from the docs, the only difference is the account id being set dynamically.
The role is currently set to be able to be assumed by anyone/anything and should be appropriately restricted by user.
The policy used here is the original one from the docs with some changes, as it had a few mistakes that needed to be adjusted as seen in comments below.
The role is currently set to be able to be assumed by anyone/anything and should be appropriately restricted by user.
"Sid": "CreateLambdaPolicy", | ||
"Effect": "Allow", | ||
"Action": ["iam:CreatePolicy"], | ||
"Resource": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:policy/artilleryio-lambda-policy-*"} |
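Review bot: the `-*` suffix on `policy/artilleryio-lambda-policy-*` is what lets `iam:CreatePolicy` create the generated, suffixed policy names, but it also permits creating any policy whose name starts with that prefix; a short comment in the template stating which names the tooling actually generates would keep a later reader from either widening the pattern or "fixing" it back to the un-suffixed form from the docs.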
In the original policy from the docs the `Resource` here was missing `-*` at the end.
"ecr:GetDownloadUrlForLayer", | ||
"ecr:BatchGetImage" | ||
], | ||
"Resource": "arn:aws:ecr:*:248481025674:repository/artillery-worker" |
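Review bot: `Resource` here hardcodes account `248481025674` while the `CreateLambdaPolicy` statement uses `${AWS::AccountId}`; the comment below explains that this is deliberate (the repository belongs to the account the image is pulled from, not the deploying account), so a one-line comment or a named template parameter for that account id would stop a later reader from swapping it for the pseudo-parameter and breaking the pull.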
The `EcrPullImagePermissions` needed to be changed so that instead of setting a `Condition` we set the `Resource` to the arn of the repository of the exact account we are pulling from.

The initial policy from the docs was using:

```json
{
  "Sid": "EcrPullImagePermissions",
  "Effect": "Allow",
  "Action": [
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage"
  ],
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "aws:sourceArn": "arn:aws:lambda:*:123456789000:function:artilleryio-*"
    }
  }
}
```
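The two points raised in the review above (the role's trust policy being assumable by anyone until the user restricts it, and the `CreateLambdaPolicy` `Resource` needing the `-*` suffix to cover the generated policy names) can both be checked mechanically before a template is published. The following is an added example written for this page, not code from the PR or from the Artillery project. It embeds a constructed, minimal template whose logical ids (`ArtilleryTestingRole`, `ArtilleryTestingPolicy`), account id and principal ARN are hypothetical; only the `CreateLambdaPolicy` statement mirrors the one quoted in the review. It resolves `Fn::Sub` pseudo-parameters, applies IAM-style wildcard matching to show why the pre-fix `Resource` failed to cover a suffixed policy name, flags roles whose trust policy allows any principal, and shows the restriction a user is expected to apply.

```python
import copy
import re

# Constructed CloudFormation template fragment in the shape discussed in this PR.
# Logical ids and the inline policy name are hypothetical; only the
# CreateLambdaPolicy statement mirrors the one quoted in the review comments.
TEMPLATE = {
    "Resources": {
        "ArtilleryTestingRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                # As shipped: any principal may assume the role; users tighten this.
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {"AWS": "*"},
                        "Action": "sts:AssumeRole",
                    }],
                },
                "Policies": [{
                    "PolicyName": "ArtilleryTestingPolicy",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Sid": "CreateLambdaPolicy",
                            "Effect": "Allow",
                            "Action": ["iam:CreatePolicy"],
                            "Resource": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:policy/artilleryio-lambda-policy-*"},
                        }],
                    },
                }],
            },
        },
    },
}

# The Resource as it appeared in the docs before the fix (no "-*" suffix).
RESOURCE_BEFORE_FIX = {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:policy/artilleryio-lambda-policy"}


def resolve_sub(value, pseudo_params):
    """Resolve a plain string or {"Fn::Sub": "..."} using the given ${...} substitutions."""
    if isinstance(value, dict) and "Fn::Sub" in value:
        return re.sub(r"\$\{([^}]+)\}", lambda m: pseudo_params[m.group(1)], value["Fn::Sub"])
    return value


def iam_pattern_matches(pattern, arn):
    """IAM resource matching: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, arn) is not None


def resource_covers(resource, arn, account_id):
    """True if a statement's Resource (string, Fn::Sub, or list of either) covers the ARN."""
    pseudo = {"AWS::AccountId": account_id, "AWS::Partition": "aws"}
    resources = resource if isinstance(resource, list) else [resource]
    return any(iam_pattern_matches(resolve_sub(r, pseudo), arn) for r in resources)


def open_trust_policies(template):
    """Logical ids of IAM roles whose trust policy lets any AWS principal call sts:AssumeRole."""
    flagged = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        for stmt in res["Properties"]["AssumeRolePolicyDocument"].get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            principal = stmt.get("Principal")
            aws_principals = principal.get("AWS") if isinstance(principal, dict) else principal
            if isinstance(aws_principals, str):
                aws_principals = [aws_principals]
            if aws_principals and "*" in aws_principals:
                flagged.append(logical_id)
                break
    return flagged


def restrict_trust_policy(template, logical_id, principal_arn):
    """Return a copy of the template in which the role trusts only principal_arn."""
    restricted = copy.deepcopy(template)
    props = restricted["Resources"][logical_id]["Properties"]
    for stmt in props["AssumeRolePolicyDocument"]["Statement"]:
        if stmt.get("Effect") == "Allow":
            stmt["Principal"] = {"AWS": principal_arn}
    return restricted


if __name__ == "__main__":
    account = "111122223333"  # constructed account id
    created = f"arn:aws:iam::{account}:policy/artilleryio-lambda-policy-abc123"
    fixed = TEMPLATE["Resources"]["ArtilleryTestingRole"]["Properties"]["Policies"][0]["PolicyDocument"]["Statement"][0]["Resource"]
    print("before fix covers generated policy:", resource_covers(RESOURCE_BEFORE_FIX, created, account))
    print("after fix covers generated policy: ", resource_covers(fixed, created, account))
    print("roles open to any principal:", open_trust_policies(TEMPLATE))
    hardened = restrict_trust_policy(TEMPLATE, "ArtilleryTestingRole", f"arn:aws:iam::{account}:user/ci-operator")
    print("after restricting:", open_trust_policies(hardened))
```

Running the script prints `False` for the pre-fix `Resource` and `True` for the fixed one against the same generated policy name, lists `ArtilleryTestingRole` as assumable by any principal, and shows an empty list once the trust policy names a single principal. A check like `open_trust_policies` is the kind of guard worth running in the publishing workflow so a template never reaches S3 with a wider trust policy than intended.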
722e883 to 74e7827 (Compare)
Description
Creating a GHA for publishing 2 CloudFormation templates to S3. The templates are for creating IAM resources users need to run Lambda / Fargate tests.
Once the templates are hosted on S3, CloudFormation quick-create links can be created and added to the docs in button format, simplifying the set up process for users.
The templates will create an `ArtilleryDistributedTestingFargateRole` / `ArtilleryDistributedTestingLambdaRole` with the `ArtilleryDistributedTestingFargatePolicy` / `ArtilleryDistributedTestingLambdaPolicy` respectively. The policies used are the original ones from the docs, though the Lambda one needed a few fixes to function properly:

- The `Resource` in the `CreateLambdaPolicy` was missing `-*`
- The `EcrPullImagePermissions` needed to be changed so that instead of setting a `Condition` we set the `Resource` to the arn of the repository of the exact account we are pulling from

Testing

Manually tested both CloudFormation templates making sure that all the necessary resources are created, and tested e2e by running the Fargate and Lambda tests.
Tested that the GHA appropriately updates the templates on S3.
Notes
Pre-merge checklist