Add Terraform for registry-k8s-io s3 buckets #3605
Conversation
k8s-ci-robot
added
cncf-cla: yes
|
Currently having issues with making the buckets publicly accessible but other than that it appears to be working terraform apply -var prefix=test-/hold |
k8s-ci-robot
added
the
do-not-merge/hold
k8s-ci-robot
added
the
approved
|
/approve /hold for @jaypipes to peek (feel free to remove hold in a day or so) |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ameukam, BobyMCbobs, dims The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
removed
the
lgtm
|
I managed to get there with the public bucket read 🎉 cc @jaypipes |
This was commented out in case it might've been used. Removing since the "syncing" will just be pushing to all of the buckets.
| limitations under the License. | ||
| */ | ||
|
|
||
| variable "prefix" { |
There was a problem hiding this comment.
Is this to support things like a sandbox?
There was a problem hiding this comment.
Yeah! So before or after it's provisioned, for testing the Terraform a prefix can be added to test in another account with different names for things.
| bucket = aws_s3_bucket.registry-k8s-io.bucket | ||
|
|
||
| rule { | ||
| object_ownership = "BucketOwnerEnforced" |
| "s3:PutObject", | ||
| "s3:GetObject", | ||
| "s3:ListBucket", | ||
| "s3:DeleteObject" |
There was a problem hiding this comment.
Since the Resource here refers to just the bucket resource, I believe the only permission you need in this block is:
s3:ListBucket
since all of the other permissions are only applicable to the Object resources referenced by the Resource string "${aws_s3_bucket.registry-k8s-io.arn}/*"
There was a problem hiding this comment.
The intent of this aws_iam_user_policy is to allow the IAM user created in the above folder's accounts.tf to r/w the bucket for CI related things. The IAM user would be the one that is used with the promotion tools.
Should be permissions still be reduced here?
There was a problem hiding this comment.
@BobyMCbobs The IAM user that is writing objects to these buckets needs these permissions:
On the bucket resource (i.e. "${aws_s3_bucket.registry-k8s-io.arn}/":
s3:ListBucket
On the object resources within that bucket (i.e. "${aws_s3_bucket.registry-k8s-io.arn}/*":
s3:PutObjects3:GetObjects3:DeleteObject
Hope that makes sense! :)
| "Action" : [ | ||
| "s3:PutObject", | ||
| "s3:GetObject", | ||
| "s3:ListBucket", |
There was a problem hiding this comment.
And here, I don't believe you need to have s3:ListBucket since that is applicable to the bucket, not the objects within it.
| type = string | ||
| } | ||
|
|
||
| variable "prefix" { |
|
/unhold |
k8s-ci-robot
removed
the
do-not-merge/hold
|
/lgtm |
k8s-ci-robot
added
the
lgtm
| resource "aws_iam_user" "registry-k8s-io-access" { | ||
| name = "${var.prefix}registry-k8s-io-access" | ||
| path = "/" | ||
| } |
There was a problem hiding this comment.
What's the purpose of this IAM user?
There was a problem hiding this comment.
It's the principal that has the ability to push to the mirrored image layers we're storing in S3. I suppose we could have used an IAM Role instead of an IAM User, though.
Adds
to be used for registry.k8s.io in AWS