feat(iam)!: separate build workflow user from asset repositories + add S3 asset support#402

Merged
agustincelentano merged 4 commits into
mainfrom
feat/separate-build-user-from-asset-repositories
Jun 25, 2026

Conversation

@agustincelentano (Collaborator)

What

Separates the shared build workflow IAM identity from the per-destination asset repository permission modules, and adds first-class support for S3 asset repositories (Lambda/bundle assets).

Until now the build workflow user (the IAM identity the CI uses to publish assets) was created inside infrastructure/aws/iam/ecr. That worked while ECR was the only destination, but Lambda assets publish to S3, and the same user needs S3 permissions. This PR extracts the identity into its own module and lets each destination grant permissions to a shared group.

Changes

New modules

  • infrastructure/aws/iam/build-user — creates the shared build workflow user, its access key, and the asset-publishers group (the attachment point for per-destination policies). Exposes build_workflow_access_key_id/secret and group_name.
  • infrastructure/aws/iam/s3-assets — grants s3:PutObject/s3:GetObject on an assets bucket to the build workflow group. Inputs: cluster_name, build_workflow_group_name, assets_bucket.
  • nullplatform/asset/s3 — registers an S3 bucket as a nullplatform asset repository (nullplatform_provider_config of type s3-configuration), exposing it as aws.s3_assets_bucket. Input: bucket_name.

Modified

  • infrastructure/aws/iam/ecr — no longer creates the user/access key/group/membership. Now only manages ECR permissions and attaches its policy to the group received via the new required input build_workflow_group_name. Removes the build_workflow_access_key_id/secret outputs.

⚠ BREAKING CHANGE (iam/ecr)

infrastructure/aws/iam/ecr changes its contract:

  • New required input build_workflow_group_name.
  • Removes outputs build_workflow_access_key_id and build_workflow_access_key_secret (now provided by build-user).
  • No longer creates the build user, access key, group or membership.

Consumers must instantiate build-user, pass its group_name to ecr (and s3-assets), take the build credentials from build-user outputs, and migrate state to avoid recreating the IAM user (which would rotate the access keys and break CI):

tofu state mv 'module.ecr.aws_iam_user.nullplatform_build_workflow_user' \
              'module.build_user.aws_iam_user.nullplatform_build_workflow_user'
tofu state mv 'module.ecr.aws_iam_access_key.nullplatform_build_workflow_user_key' \
              'module.build_user.aws_iam_access_key.nullplatform_build_workflow_user_key'

The IAM group is renamed ecr-managers → asset-publishers (recreated; does not affect the user's keys). Full steps in infrastructure/aws/iam/build-user/README.md.

Notes

  • The s3-configuration provider specification used by nullplatform/asset/s3 is platform-global (organization_id: null), so the module works across orgs. It is not present in this repo's seeders — worth confirming it ships in all installations before release.
  • READMEs include hand-written TF_DOCS tables; the release pipeline regenerates them with terraform-docs.

Verification

  • tofu fmt/validate pass on all three IAM modules and asset/s3; pre-commit hooks (fmt, validate, tofu test, commitlint) pass.
  • Composition test (build-user → ecr + s3-assets via group_name) validates.
  • Migrated end-to-end in a real implementation: state mv preserved the user (plan shows 0 changes on the user/access key), group recreated as asset-publishers with both ECR + S3 policies, asset/s3 imported the existing provider with no diff, and np asset push --type lambda now uploads the zip to S3 successfully.

🤖 Generated with Claude Code
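An added example of the consumer-side composition described above (build-user → ecr + s3-assets via group_name, plus asset/s3), not code from the PR or the repository. Module sources are assumed to be local paths (the user module uses its renamed directory from a later commit in this PR), the cluster_name inputs on build-user and ecr are assumed, and the `moved` blocks are a declarative equivalent of the two `tofu state mv` commands in the description.

```hcl
# Added example (not from the PR): root module wiring the shared CI build identity
# to both asset destinations. Paths and the cluster_name inputs on the user and
# ecr modules are assumptions; only build_workflow_group_name is stated for ecr.

module "build_user" {
  source       = "./infrastructure/aws/iam/ci-build-workflow-user" # renamed from build-user in this PR
  cluster_name = var.cluster_name                                  # assumed input
}

# ECR no longer creates the user; it only attaches its policy to the shared group.
module "ecr" {
  source                    = "./infrastructure/aws/iam/ecr"
  cluster_name              = var.cluster_name # assumed input
  build_workflow_group_name = module.build_user.group_name
}

# S3 assets: s3:PutObject/s3:GetObject on the assets bucket for the same group.
module "s3_assets" {
  source                    = "./infrastructure/aws/iam/s3-assets"
  cluster_name              = var.cluster_name
  build_workflow_group_name = module.build_user.group_name
  assets_bucket             = var.assets_bucket
}

# Register the bucket as a nullplatform asset repository (aws.s3_assets_bucket).
module "asset_s3" {
  source      = "./nullplatform/asset/s3"
  bucket_name = var.assets_bucket
}

# Build credentials are read from build-user now, not from ecr.
output "build_workflow_access_key_id" {
  value     = module.build_user.build_workflow_access_key_id
  sensitive = true
}

output "build_workflow_access_key_secret" {
  value     = module.build_user.build_workflow_access_key_secret
  sensitive = true
}

# Declarative form of the two `tofu state mv` commands: keeps the existing
# user and access key in state so CI credentials are not rotated.
moved {
  from = module.ecr.aws_iam_user.nullplatform_build_workflow_user
  to   = module.build_user.aws_iam_user.nullplatform_build_workflow_user
}

moved {
  from = module.ecr.aws_iam_access_key.nullplatform_build_workflow_user_key
  to   = module.build_user.aws_iam_access_key.nullplatform_build_workflow_user_key
}
```

Run `tofu plan` after applying either form of the migration and confirm it reports no changes on the user and access key resources, matching the verification note above.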

…3-assets

Extract the shared build workflow IAM identity (user, access key, group) out of
the ecr module into a new infrastructure/aws/iam/build-user module, and add a new
infrastructure/aws/iam/s3-assets module that grants S3 publish permissions
(s3:PutObject/GetObject on the assets bucket) to the build workflow group. The ecr
module now only manages ECR permissions and attaches its policy to the group
received via the new build_workflow_group_name input.

BREAKING CHANGE: infrastructure/aws/iam/ecr no longer creates the build workflow
user, access key or group, and no longer outputs build_workflow_access_key_id /
build_workflow_access_key_secret. Consumers must instantiate the new build-user
module, pass its group_name to ecr (new required input build_workflow_group_name)
and to s3-assets, take the build credentials from build-user outputs, and run a
tofu state mv to preserve the existing user and access key (see
infrastructure/aws/iam/build-user/README.md). The IAM group is renamed from
ecr-managers to asset-publishers (recreated; does not rotate the user's keys).

Add nullplatform/asset/s3, which registers an AWS S3 bucket as a nullplatform
asset repository by creating a nullplatform_provider_config of type
"s3-configuration" (platform-global spec in the assets-repository category) with
the target bucket.name. The platform exposes this bucket as aws.s3_assets_bucket,
which the backend uses to build the S3 upload URL for Lambda/bundle assets.

Unlike asset/ecr, this provider config carries no build credentials: S3 assets are
published with the shared build workflow credentials (BUILD_AWS_*), so the build
workflow user must be granted S3 permissions via infrastructure/aws/iam/s3-assets.
Comment thread: infrastructure/aws/iam/ci-build-workflow-user/main.tf (Fixed)
Rename infrastructure/aws/iam/build-user to ci-build-workflow-user for clarity:
the name now states the purpose explicitly (the CI build-workflow identity that
pipelines use to publish assets). The aws_iam_user's name is unchanged
(nullplatform-<cluster>-build-workflow-user), so existing users are not recreated.
Updates the ecr and s3-assets module docs/inputs that reference it.
Comment on lines +9 to +11 of infrastructure/aws/iam/ci-build-workflow-user/main.tf:

    resource "aws_iam_group" "asset_publishers" {
      name = "nullplatform-${var.cluster_name}-asset-publishers"
    }
@agustincelentano agustincelentano merged commit 9ae9e09 into main Jun 25, 2026
44 checks passed
@agustincelentano agustincelentano deleted the feat/separate-build-user-from-asset-repositories branch June 25, 2026 15:18