feat(iam)!: separate build workflow user from asset repositories + add S3 asset support#402
Merged. agustincelentano merged 4 commits on Jun 25, 2026.
Commits

…3-assets

Extract the shared build workflow IAM identity (user, access key, group) out of the ecr module into a new infrastructure/aws/iam/build-user module, and add a new infrastructure/aws/iam/s3-assets module that grants S3 publish permissions (s3:PutObject/GetObject on the assets bucket) to the build workflow group. The ecr module now only manages ECR permissions and attaches its policy to the group received via the new build_workflow_group_name input.

BREAKING CHANGE: infrastructure/aws/iam/ecr no longer creates the build workflow user, access key or group, and no longer outputs build_workflow_access_key_id / build_workflow_access_key_secret. Consumers must instantiate the new build-user module, pass its group_name to ecr (new required input build_workflow_group_name) and to s3-assets, take the build credentials from build-user outputs, and run a tofu state mv to preserve the existing user and access key (see infrastructure/aws/iam/build-user/README.md). The IAM group is renamed from ecr-managers to asset-publishers (recreated; does not rotate the user's keys).
Add nullplatform/asset/s3, which registers an AWS S3 bucket as a nullplatform asset repository by creating a nullplatform_provider_config of type "s3-configuration" (platform-global spec in the assets-repository category) with the target bucket.name. The platform exposes this bucket as aws.s3_assets_bucket, which the backend uses to build the S3 upload URL for Lambda/bundle assets. Unlike asset/ecr, this provider config carries no build credentials: S3 assets are published with the shared build workflow credentials (BUILD_AWS_*), so the build workflow user must be granted S3 permissions via infrastructure/aws/iam/s3-assets.
Rename infrastructure/aws/iam/build-user to ci-build-workflow-user for clarity: the name now states the purpose explicitly (the CI build-workflow identity that pipelines use to publish assets). The aws_iam_user's name is unchanged (nullplatform-<cluster>-build-workflow-user), so existing users are not recreated. Updates the ecr and s3-assets module docs/inputs that reference it.
Review comment on lines +9 to +11 (the new asset-publishers group):

    resource "aws_iam_group" "asset_publishers" {
      name = "nullplatform-${var.cluster_name}-asset-publishers"
    }
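Review bot: the group declared at lines +9 to +11 carries a new name (asset-publishers instead of ecr-managers), so OpenTofu has to destroy the old group and create this one rather than update it in place; while that apply runs, the build workflow user has no group membership and therefore no ECR or S3 policy attached, and any pipeline publishing an asset in that window cannot push. The PR text only states that the rename does not rotate the user's keys; the migration steps in infrastructure/aws/iam/build-user/README.md should also say that the apply must happen while no build pipelines are running, or the module should accept an optional group-name override so existing installations can keep the current group name and avoid the recreation entirely.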
sebastiancorrea81 approved these changes on Jun 25, 2026.
What

Separates the shared build workflow IAM identity from the per-destination asset repository permission modules, and adds first-class support for S3 asset repositories (Lambda/bundle assets).

Until now the build workflow user (the IAM identity the CI uses to publish assets) was created inside infrastructure/aws/iam/ecr. That worked while ECR was the only destination, but Lambda assets publish to S3, and the same user needs S3 permissions. This PR extracts the identity into its own module and lets each destination grant permissions to a shared group.

Changes

New modules

- infrastructure/aws/iam/build-user: creates the shared build workflow user, its access key, and the asset-publishers group (the attachment point for per-destination policies). Exposes build_workflow_access_key_id/secret and group_name.
- infrastructure/aws/iam/s3-assets: grants s3:PutObject/s3:GetObject on an assets bucket to the build workflow group. Inputs: cluster_name, build_workflow_group_name, assets_bucket.
- nullplatform/asset/s3: registers an S3 bucket as a nullplatform asset repository (nullplatform_provider_config of type s3-configuration), exposing it as aws.s3_assets_bucket. Input: bucket_name.

Modified

- infrastructure/aws/iam/ecr: no longer creates the user/access key/group/membership. Now only manages ECR permissions and attaches its policy to the group received via the new required input build_workflow_group_name. Removes the build_workflow_access_key_id/secret outputs.

⚠ BREAKING CHANGE (iam/ecr)

infrastructure/aws/iam/ecr changes its contract:

- New required input: build_workflow_group_name.
- Removed outputs: build_workflow_access_key_id and build_workflow_access_key_secret (now provided by build-user).

Consumers must instantiate build-user, pass its group_name to ecr (and s3-assets), take the build credentials from build-user outputs, and migrate state to avoid recreating the IAM user (which would rotate the access keys and break CI).

The IAM group is renamed ecr-managers → asset-publishers (recreated; does not affect the user's keys). Full steps in infrastructure/aws/iam/build-user/README.md.

Notes

- The s3-configuration provider specification used by nullplatform/asset/s3 is platform-global (organization_id: null), so the module works across orgs. It is not present in this repo's seeders — worth confirming it ships in all installations before release.

Verification

- tofu fmt/validate pass on all three IAM modules and asset/s3; pre-commit hooks (fmt, validate, tofu test, commitlint) pass.
- …group_name) validates.
- state mv preserved the user (plan shows 0 changes on the user/access key), group recreated as asset-publishers with both ECR + S3 policies, asset/s3 imported the existing provider with no diff, and np asset push --type lambda now uploads the zip to S3 successfully.

🤖 Generated with Claude Code
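The wiring the PR description and the three commit messages describe (identity in one module, per-destination permissions attached to the shared group, bucket registered as an asset repository), written out as a consuming root module. This is an added example, not code from the PR or from the nullplatform repository. Module sources use the final path from the rename commit (infrastructure/aws/iam/ci-build-workflow-user) and are assumed to be relative to the repository root; the inputs and outputs named for ci-build-workflow-user, s3-assets, ecr and asset/s3 are the ones the PR text lists, while the cluster_name input on the ecr module, the local values and the nullplatform provider block are assumptions made for illustration.

```hcl
# Added example: root module consuming the modules introduced by this PR.
# Not the repository's own code; see the assumptions in the lead-in.

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
    nullplatform = {
      source = "nullplatform/nullplatform" # assumed provider source
    }
  }
}

locals {
  cluster_name  = "demo"                        # constructed sample value
  assets_bucket = "nullplatform-demo-assets"    # constructed sample value
}

# 1. The shared CI identity: IAM user, access key and the asset-publishers
#    group. This module is the single owner of the credentials.
module "build_workflow_user" {
  source       = "./infrastructure/aws/iam/ci-build-workflow-user"
  cluster_name = local.cluster_name
}

# 2. Per-destination permissions are attached to the group, never to the user
#    directly, so adding a destination never touches the identity or its key.
module "ecr_permissions" {
  source                    = "./infrastructure/aws/iam/ecr"
  cluster_name              = local.cluster_name # assumed input; not listed in the PR
  build_workflow_group_name = module.build_workflow_user.group_name
}

module "s3_assets_permissions" {
  source                    = "./infrastructure/aws/iam/s3-assets"
  cluster_name              = local.cluster_name
  build_workflow_group_name = module.build_workflow_user.group_name
  assets_bucket             = local.assets_bucket
}

# 3. Register the same bucket as a nullplatform asset repository. No
#    credentials are stored here: Lambda/bundle assets are pushed with the
#    shared BUILD_AWS_* credentials, which is why step 2 must grant S3 access.
module "s3_asset_repository" {
  source      = "./nullplatform/asset/s3"
  bucket_name = local.assets_bucket
}

# Build credentials are now read from the identity module, not from ecr.
output "build_aws_access_key_id" {
  value = module.build_workflow_user.build_workflow_access_key_id
}

output "build_aws_secret_access_key" {
  value     = module.build_workflow_user.build_workflow_access_key_secret
  sensitive = true
}
```

On an existing installation the identity already exists inside the ecr module's state, so before the first apply of this layout the user and access key must be moved with tofu state mv to the new module addresses as the build-user README describes; the plan should then show the user and key unchanged and only the group (under its new asset-publishers name) and the policy attachments being created.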