Add Terraform for registry-k8s-io s3 buckets #3605
Conversation
Currently having issues with making the buckets publicly accessible but other than that it appears to be working.
terraform apply -var prefix=test-
/hold
/approve
/hold for @jaypipes to peek (feel free to remove hold in a day or so)
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: ameukam, BobyMCbobs, dims
The full list of commands accepted by this bot can be found here. The pull request process is described here.
I managed to get there with the public bucket read 🎉 cc @jaypipes
This was commented out in case it might've been used. Removing since the "syncing" will just be pushing to all of the buckets.
limitations under the License. | ||
*/ | ||
|
||
variable "prefix" { |
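Review bot: the declaration of variable "prefix" does not say what the prefix is for; the conversation below explains it exists so the same Terraform can be applied in a sandbox account under different resource names. Add a description argument on the variable stating that (and, if it does not already have one, a default of "" so production applies need no -var), so the intent is visible to whoever runs terraform apply next.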
Is this to support things like a sandbox?
Yeah! So before or after it's provisioned, for testing the Terraform a prefix can be added to test in another account with different names for things.
👍
bucket = aws_s3_bucket.registry-k8s-io.bucket | ||
|
||
rule { | ||
object_ownership = "BucketOwnerEnforced" |
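Review bot: object_ownership = "BucketOwnerEnforced" disables ACLs on this bucket entirely, which is one thing to check against the public-read trouble mentioned at the top of the conversation: an acl = "public-read" argument, or a sync tool that sets a canned ACL on upload, will be rejected. Public read then has to come from an aws_s3_bucket_policy allowing s3:GetObject on "${aws_s3_bucket.registry-k8s-io.arn}/*" to principal "*", with the bucket's aws_s3_bucket_public_access_block leaving block_public_policy and restrict_public_buckets false. Keeping ownership enforced is the right call, since it also guarantees every object the CI user writes is owned by the bucket owner.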
👍
"s3:PutObject", | ||
"s3:GetObject", | ||
"s3:ListBucket", | ||
"s3:DeleteObject" |
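Review bot: three of these four actions have no effect against a bare bucket ARN, and a statement that mixes bucket-level and object-level actions tends to get "fixed" later by widening the resource to "arn/*" or by listing every action on both ARNs, which over-grants. Split it into two statements: ["s3:ListBucket"] on aws_s3_bucket.registry-k8s-io.arn, and ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"] on "${aws_s3_bucket.registry-k8s-io.arn}/*".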
Since the Resource here refers to just the bucket resource, I believe the only permission you need in this block is s3:ListBucket, since all of the other permissions are only applicable to the Object resources referenced by the Resource string "${aws_s3_bucket.registry-k8s-io.arn}/*".
The intent of this aws_iam_user_policy is to allow the IAM user created in the above folder's accounts.tf to r/w the bucket for CI related things. The IAM user would be the one that is used with the promotion tools.
Should the permissions still be reduced here?
@BobyMCbobs The IAM user that is writing objects to these buckets needs these permissions:
On the bucket resource (i.e. "${aws_s3_bucket.registry-k8s-io.arn}/"):
s3:ListBucket
On the object resources within that bucket (i.e. "${aws_s3_bucket.registry-k8s-io.arn}/*"):
s3:PutObject
s3:GetObject
s3:DeleteObject
Hope that makes sense! :)
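One way to write the bucket-level / object-level split that the comment above describes, as an added example rather than code from the PR (the bucket, user and prefix names follow the PR; the data source and policy resource names are assumed):

```hcl
# Added example (not code from the PR): least-privilege split of the CI user's
# policy into a bucket-level statement and an object-level statement.
# Assumed names: the data source and the aws_iam_user_policy resource below.
data "aws_iam_policy_document" "registry_k8s_io_access" {
  # Bucket-level: s3:ListBucket only applies to the bucket ARN itself.
  statement {
    sid       = "ListBucket"
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.registry-k8s-io.arn]
  }

  # Object-level: Put/Get/Delete only apply to objects, i.e. the "/*" ARN.
  statement {
    sid    = "ReadWriteObjects"
    effect = "Allow"
    actions = [
      "s3:PutObject",
      "s3:GetObject",
      "s3:DeleteObject",
    ]
    resources = ["${aws_s3_bucket.registry-k8s-io.arn}/*"]
  }
}

# Attach the rendered JSON to the CI user created in this PR.
resource "aws_iam_user_policy" "registry_k8s_io_access" {
  name   = "${var.prefix}registry-k8s-io-access"
  user   = aws_iam_user.registry-k8s-io-access.name
  policy = data.aws_iam_policy_document.registry_k8s_io_access.json
}
```

Running terraform plan against this shows the two statements separately, which makes it easy to confirm in review that no object action is granted on the bucket ARN and no bucket action on the object ARN.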
"Action" : [ | ||
"s3:PutObject", | ||
"s3:GetObject", | ||
"s3:ListBucket", |
And here, I don't believe you need to have s3:ListBucket since that is applicable to the bucket, not the objects within it.
type = string | ||
} | ||
|
||
variable "prefix" { |
Might be useful to have a comment here explaining the use of the prefix variable.
@jaypipes, this is a good idea. I'll add it
Added a comment in 6dc9f4c
/unhold
/lgtm
resource "aws_iam_user" "registry-k8s-io-access" { | ||
name = "${var.prefix}registry-k8s-io-access" | ||
path = "/" | ||
} |
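Review bot: an aws_iam_user means long-lived access keys held somewhere in CI, and this principal gets write access to the public image-layer mirror, so a leaked key lets anyone tamper with what registry.k8s.io serves from S3. The reply below already raises the alternative: an aws_iam_role that the promotion job assumes with short-lived credentials (for example via OIDC federation from the CI provider) leaves no static secret to rotate and records the assuming identity in CloudTrail. If the user has to stay for now, keep a single active access key with a documented rotation process.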
What's the purpose of this IAM user?
It's the principal that has the ability to push to the mirrored image layers we're storing in S3. I suppose we could have used an IAM Role instead of an IAM User, though.
Adds
to be used for registry.k8s.io in AWS