From 2967974ba5d1333c1a7b9e29ef42555e3443d8a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luis=20D=C3=ADaz?=
Date: Fri, 9 Jan 2026 13:57:49 +0100
Subject: [PATCH 1/3] Add s3 bucket for anonymous credentials manifests
---
 tf/environments/dev/main.tf | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index 5f50e181..22bb7d31 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
@@ -237,6 +237,14 @@ resource "random_id" "artifact_id" {
 byte_length = 4
 }
 
+resource "aws_s3_bucket" "anoncred_manifests" {
+ bucket = "anoncred-manifests-${var.aws_region}"
+ object_lock_enabled = true
+ versioning {
+ enabled = true
+ }
+}
+
 resource "aws_s3_bucket" "ooniprobe_failed_reports" {
 bucket = "ooniprobe-failed-reports-${var.aws_region}"
 }
From c02ddfe279584183f2b7090c3ed1db06a483ebe9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luis=20D=C3=ADaz?=
Date: Mon, 12 Jan 2026 13:49:09 +0100
Subject: [PATCH 2/3] Add public bucket settings to s3
---
 tf/environments/dev/main.tf | 57 +++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)
diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index 22bb7d31..b761e137 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
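Review bot: `object_lock_enabled = true` on `aws_s3_bucket.anoncred_manifests` only switches the Object Lock feature on; with no `aws_s3_bucket_object_lock_configuration` (default retention) and no per-object retention on uploads, every version of a manifest remains deletable, so the bucket offers no immutability beyond plain versioning. If tamper-evident manifests are the goal, add an `aws_s3_bucket_object_lock_configuration` with `rule { default_retention { mode = "GOVERNANCE" days = <retention-days placeholder> } }`; if not, drop the flag, since as I read the provider docs changing it later forces bucket replacement. Either way a comment on the flag such as `# Object Lock enabled but no default retention configured: versions are still deletable` would stop the next reader from assuming immutability. Separately, the inline `versioning { enabled = true }` block is the deprecated form of this setting; the `aws_s3_bucket_versioning` resource is the current one.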
@@ -245,6 +245,63 @@ resource "aws_s3_bucket" "anoncred_manifests" {
 }
 }
 
+resource "aws_s3_bucket_versioning" "anoncred_manifests_version" {
+ bucket = aws_s3_bucket.anoncred_manifests.id
+ versioning_configuration {
+ status = "Enabled"
+ }
+}
+
+resource "aws_s3_bucket_policy" "anonc_manifsts_policy" {
+ bucket = aws_s3_bucket.anoncred_manifests.id
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Sid = "PublicList"
+ Effect = "Allow"
+ Principal = "*"
+ Action = "s3:ListBucket"
+ Resource = aws_s3_bucket.anoncred_manifests.arn
+ },
+ {
+ Sid = "PublicRead"
+ Effect = "Allow"
+ Principal = "*"
+ Action = "s3:GetObject"
+ Resource = "${aws_s3_bucket.anoncred_manifests.arn}/*"
+ }
+ ]
+ })
+}
+
+resource "aws_s3_bucket_ownership_controls" "anonc_manifests" {
+ bucket = aws_s3_bucket.anoncred_manifests.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
+}
+
+resource "aws_s3_bucket_public_access_block" "anonc_manifests" {
+ bucket = aws_s3_bucket.anoncred_manifests.id
+
+ block_public_acls = false
+ block_public_policy = false
+ ignore_public_acls = false
+ restrict_public_buckets = false
+}
+
+resource "aws_s3_bucket_acl" "anonc_manifests" {
+ depends_on = [
+ aws_s3_bucket_ownership_controls.anonc_manifests,
+ aws_s3_bucket_public_access_block.anonc_manifests,
+ ]
+
+ bucket = aws_s3_bucket.anoncred_manifests.id
+ acl = "public-read"
+}
+
 resource "aws_s3_bucket" "ooniprobe_failed_reports" {
 bucket = "ooniprobe-failed-reports-${var.aws_region}"
 }
From ad7fb0318a579150ed4f21e16161e7c81be0a21a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luis=20D=C3=ADaz?=
Date: Wed, 14 Jan 2026 12:19:20 +0100
Subject: [PATCH 3/3] Add manifest files to s3
---
 tf/environments/dev/main.tf | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index b761e137..23ec0f4d 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
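Review bot: The `PublicList` statement grants `s3:ListBucket` to `Principal = "*"` and the `aws_s3_bucket_public_access_block` switches off all four guardrails, so the bucket becomes publicly enumerable and is opened through two overlapping mechanisms (the bucket policy and the `public-read` ACL). Serving a few known manifest keys needs only the `PublicRead` `s3:GetObject` statement: drop `PublicList`, set `block_public_acls = true` and `ignore_public_acls = true` (only `block_public_policy` and `restrict_public_buckets` must stay false for a public bucket policy to take effect), change to `object_ownership = "BucketOwnerEnforced"` and delete the `aws_s3_bucket_acl` resource, leaving the policy as the single, auditable grant of public access. The hunk's leading context also shows the deprecated inline `versioning` block still closing inside `aws_s3_bucket.anoncred_manifests` while the new `aws_s3_bucket_versioning` resource manages the same setting; two owners of one attribute can produce perpetual plan diffs, so the inline block should be removed from the bucket resource (outside this hunk). Style: `anonc_manifsts_policy` reads as a typo of `anonc_manifests_policy`, matching the sibling resource names.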
@@ -302,6 +302,34 @@ resource "aws_s3_bucket_acl" "anonc_manifests" {
 acl = "public-read"
 }
 
+# Anonymous credentials manifest.
+#
+# Stored here to be publicly available, verifiable, and version controlled
+resource "aws_s3_object" "manifest" {
+ bucket = aws_s3_bucket.anoncred_manifests.id
+ key = "manifest.json"
+ content = jsonencode({
+ nym_scope = "ooni.org/{probe_cc}/{probe_asn}"
+ submission_policy = {
+ "*/*" = "*"
+ }
+ public_parameters = "ASAAAAAAAAAApNRh7fk+riQoD24/O1deyv96zzUKrPl/iVfFArlNGjABIAAAAAAAAADcq4aiJe0vkFuO1YnByaMEiB8ZA/rqf1d4O/SzFec8bAMAAAAAAAAAIAAAAAAAAAD+Z9JjHXAYvJdxloiGdIaqUQF208Oq7YTdvRYDrZY8SyAAAAAAAAAAUGiViBIvG4Xd7Cv29tLNuC/y0lTINIw63Je/Zm0XXGQgAAAAAAAAAFbDFU/rX+kMZEwVlx4ZeaqYLTbYO30Kz37W8DNx2Cw3"
+ })
+}
+
+# Test manifest used for integration tests
+resource "aws_s3_object" "test_manifest" {
+ bucket = aws_s3_bucket.anoncred_manifests.id
+ key = "test_manifest.json"
+ content = jsonencode({
+ nym_scope = "ooni.org/{probe_cc}/{probe_asn}"
+ submission_policy = {
+ "*/*" = "*"
+ }
+ public_parameters = "ASAAAAAAAAAAIKrSuwbE4aYXbC1VvFTCtPo1vUILohyRb/n6mkNQx3kBIAAAAAAAAABszBl0xj4qhFI5QwT7PQ0xji+ol5GBL13C2unPmDARUQMAAAAAAAAAIAAAAAAAAACWDzG7YtM9HEwD1B3cRXOxU8i0BbYlew0K+Gu6QKGwTSAAAAAAAAAAZPVqGmnoY9XSyzWyfgX05kZ8L21DZ+Pt6l5lsQXpezcgAAAAAAAAAOQ0W+VAKzDLrac3x2msH90sef2c+VLl0aHdOX/lMlVa"
+ })
+}
+
 resource "aws_s3_bucket" "ooniprobe_failed_reports" {
 bucket = "ooniprobe-failed-reports-${var.aws_region}"
 }
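Review bot: Neither `aws_s3_object` sets `content_type`, so `manifest.json` and `test_manifest.json` will likely be served with the S3 default (`binary/octet-stream`) instead of `application/json`; add `content_type = "application/json"` to both. The `public_parameters` values are opaque base64 blobs pasted into the environment's `main.tf` with no record of how they were produced, and the header comment promises the manifest is "verifiable" while a reviewer can verify nothing here. A comment above each value along the lines of `# public_parameters: generated by <tool/command — TODO document> on <date>; presumably pinned by clients, so change only as a deliberate rotation` would make the provenance reviewable, and moving the two documents to files loaded with `file("<path placeholder>")` would let them be reviewed as JSON and reused across environments. Note too that the test manifest lives in the same public bucket as the production one, distinguished only by key name; that is worth stating in the "Test manifest" comment so nobody later treats the two as interchangeable.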