
provision aws tokens for rust-lang/rust #666


Open
wants to merge 1 commit into
base: master

Conversation

marcoieni

@marcoieni marcoieni commented Feb 11, 2025

Related to rust-lang/infra-team#188

This PR creates two new terragrunt states:

I copied terragrunt/modules/static-website from the corresponding terraform module as it wasn't in terragrunt yet.

Why I didn't set up the staging resources in the ci-staging account

  1. The staging account doesn't have access to the rust-lang.org Route 53 Hosted Zone. This means it would be more complex to get this done because we would need to find a way to use a different domain (such as ci-staging.infra.rust-lang.org). JD and I verified that in terragrunt this was never done.
  2. In the future, we might want to move the prod resources to the ci-prod aws account. Having the staging resources in the legacy account and moving the staging resources to the ci-staging account first is going to be handy to prevent possible issues that might happen to the prod resources.

Commands I ran to import the state in prod

### done (I already ran these commands) ###
terragrunt import aws_s3_bucket.inventories rust-inventories
terragrunt import aws_s3_bucket.artifacts rust-lang-ci2
terragrunt import aws_s3_bucket.caches rust-lang-ci-sccache2

# ID obtained from `terraform state show module.public.aws_s3_bucket_inventory.artifacts`
terragrunt import aws_s3_bucket_inventory.artifacts rust-lang-ci2:all-objects-csv

# ID obtained from `terraform state show 'module.public.aws_s3_bucket_policy.artifacts["true"]'`
# (address quoted so the shell does not treat `[0]` as a glob pattern)
terragrunt import 'aws_s3_bucket_policy.artifacts[0]' rust-lang-ci2

# ID obtained from `terraform state show 'module.public.aws_s3_bucket_policy.caches["true"]'`
terragrunt import 'aws_s3_bucket_policy.caches[0]' rust-lang-ci-sccache2

##### caches static website #####

# ID obtained from `terraform state show 'module.public.module.caches_cdn["true"].module.certificate.aws_acm_certificate.cert'`
# (CloudFront only accepts ACM certificates issued in us-east-1, hence the region override)
AWS_REGION=us-east-1 terragrunt import 'module.caches_cdn.module.certificate.aws_acm_certificate.cert' "arn:aws:acm:us-east-1:890664054962:certificate/e99c2320-f3e6-4bfb-b115-94bfc39a56d5"

# ID obtained from `terraform state show 'module.public.module.caches_cdn["true"].aws_route53_record.website'`
terragrunt import module.caches_cdn.aws_route53_record.website Z237AC8WS9NFCS_ci-caches.rust-lang.org_CNAME

# ID obtained from `terraform state show 'module.public.module.caches_cdn["true"].module.certificate.aws_route53_record.cert_validation["ci-caches.rust-lang.org"]'`
terragrunt import 'module.caches_cdn.module.certificate.aws_route53_record.cert_validation["ci-caches.rust-lang.org"]' Z237AC8WS9NFCS__0062654447e2b1cc2c228f28a2ffd38d.ci-caches.rust-lang.org._CNAME

# ID obtained from `terraform state show 'module.public.module.caches_cdn["true"].aws_cloudfront_distribution.website'`
terragrunt import module.caches_cdn.aws_cloudfront_distribution.website E2SRGWG3SJFYDC

##### artifacts static website #####

# ID obtained from `terraform state show 'module.public.module.artifacts_cdn["true"].module.certificate.aws_acm_certificate.cert'`
terragrunt import 'module.artifacts_cdn.module.certificate.aws_acm_certificate.cert' "arn:aws:acm:us-east-1:890664054962:certificate/58cce1dd-adfa-4fd2-8cdd-539b89f5f500"

terragrunt import 'module.artifacts_cdn.aws_route53_record.website' Z237AC8WS9NFCS_ci-artifacts.rust-lang.org_CNAME

terragrunt import 'module.artifacts_cdn.module.certificate.aws_route53_record.cert_validation["ci-artifacts.rust-lang.org"]' 'Z237AC8WS9NFCS__d8b0665760c58453311c4c28e03e32d2.ci-artifacts.rust-lang.org._CNAME'

terragrunt import module.artifacts_cdn.aws_cloudfront_distribution.website E3OK0DB0OA1ZDV

Resources that we want to create

  • aws_cloudfront_response_headers_policy.s3 (it's not in the terraform state)
  • aws_iam_role.try_builds
  • aws_iam_role_policy.try_builds
  • aws_iam_user_policy.artifacts_write
  • aws_iam_user_policy.caches_write
  • aws_s3_bucket_acl.artifacts (the aws_s3_bucket_acl needs to be created because I fixed a warning in the terraform code).
  • aws_s3_bucket_acl.caches
  • aws_s3_bucket_lifecycle_configuration.artifacts_lifecycle (the aws_s3_bucket_lifecycle_configuration needs to be created because I fixed a warning in the terraform code).
  • aws_s3_bucket_lifecycle_configuration.caches_lifecycle
  • module.artifacts_user.aws_iam_access_key.ci
  • module.artifacts_user.aws_iam_user.ci
  • module.artifacts_user.github_actions_environment_secret.aws_access_key_id[0]
  • module.artifacts_user.github_actions_environment_secret.aws_secret_access_key[0]
  • module.caches_user.aws_iam_access_key.ci
  • module.caches_user.github_actions_environment_secret.aws_access_key_id[0]
  • module.caches_user.github_actions_environment_secret.aws_secret_access_key[0]
  • module.caches_cdn.module.certificate.aws_acm_certificate_validation.cert (if imported, terraform errors: resource aws_acm_certificate_validation doesn't support import)

What to do after this PR is approved

  • apply staging
  • apply prod
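The import commands above rewrite each legacy state address by hand (drop the `module.public.` wrapper, drop the `["true"]` key on module calls, turn `["true"]` on a resource into `[0]`). As an added example that is not part of this PR or of the simpleinfra repository, here is that rewriting as a small Python helper that also refuses to emit an import for `aws_acm_certificate_validation`, which the description notes cannot be imported; the mapping rules are inferred from the commands shown, and the sample addresses at the bottom are taken from them.

```python
"""Rewrite legacy Terraform state addresses into the new terragrunt root
module's addresses and emit the matching `terragrunt import` commands."""
import re
import shlex
from typing import Optional

# Resource types the AWS provider cannot import (assumption based on the PR
# description); these must be created by `terragrunt apply` instead.
NOT_IMPORTABLE = {"aws_acm_certificate_validation"}

LEGACY_PREFIX = "module.public."
BOOL_KEY = '["true"]'


def rewrite_address(legacy_addr: str) -> str:
    """Map a legacy address to its address in the new root module."""
    if not legacy_addr.startswith(LEGACY_PREFIX):
        raise ValueError(f"not a legacy address: {legacy_addr}")
    addr = legacy_addr[len(LEGACY_PREFIX):]
    # module.name["true"] -> module.name (the module call is no longer conditional)
    addr = re.sub(r'(module\.[A-Za-z0-9_-]+)\["true"\]', r"\1", addr)
    # type.name["true"] -> type.name[0] (for_each on a bool became count)
    if addr.endswith(BOOL_KEY):
        addr = addr[: -len(BOOL_KEY)] + "[0]"
    return addr


def resource_type(addr: str) -> str:
    """Return the resource type of the resource an address points at."""
    # strip index keys first: they may contain dots (e.g. DNS names)
    parts = re.sub(r"\[[^\]]*\]", "", addr).split(".")
    return parts[-2]


def import_command(legacy_addr: str, resource_id: str,
                   region: Optional[str] = None) -> Optional[str]:
    """Build the import command, or None when the type cannot be imported."""
    new_addr = rewrite_address(legacy_addr)
    if resource_type(new_addr) in NOT_IMPORTABLE:
        return None
    prefix = f"AWS_REGION={region} " if region else ""
    # shlex.quote keeps `[`, `]` and `"` from being interpreted by the shell
    return f"{prefix}terragrunt import {shlex.quote(new_addr)} {shlex.quote(resource_id)}"


if __name__ == "__main__":
    # sample addresses taken from the PR's import commands
    for legacy, rid in [
        ('module.public.aws_s3_bucket_policy.artifacts["true"]', "rust-lang-ci2"),
        ('module.public.module.caches_cdn["true"].aws_cloudfront_distribution.website', "E2SRGWG3SJFYDC"),
        ('module.public.module.caches_cdn["true"].module.certificate.aws_acm_certificate_validation.cert', "n/a"),
    ]:
        print(import_command(legacy, rid) or f"# skip (not importable): {legacy}")
```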

@@ -2,7 +2,7 @@ terraform {
required_providers {
github = {
source = "integrations/github"
version = "~> 6.2.3"
version = "~> 6.2"
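Review bot: loosening the `github` provider constraint from `~> 6.2.3` to `~> 6.2` changes which upgrades get picked up automatically: `~> 6.2.3` only admitted 6.2.x patch releases, while `~> 6.2` admits every 6.x release from 6.2 upward. That is reasonable for a semver-following provider, but the change should land together with an updated `.terraform.lock.hcl` (if the repository commits one) so the provider version actually in use stays explicit and the upgrade is reviewed in this PR rather than silently on the next init.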
@marcoieni marcoieni Apr 15, 2025

this allows updating to versions >= 6.3

]
Action = [
"s3:GetObject",
"s3:DeleteObject",
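Review bot: `s3:DeleteObject` in this Action list grants more than an upload-only CI identity needs, as the author's own comment notes. Unless a workflow step deletes objects explicitly, drop it; expiring old artifacts is handled by the `aws_s3_bucket_lifecycle_configuration` resources this PR creates, which need no IAM grant to the CI user. The same applies to the caches bucket policy.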
@marcoieni marcoieni Apr 30, 2025

is Delete needed? I copied it because it was already there, but I don't think the CI needs to delete objects 🤔

Same for the caches bucket.

locals {
rustc_builds = "rustc-builds"
rustc_builds_alt = "rustc-builds-alt"
iam_prefix = "rustc-ci--rust-lang--${var.repo}"
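Review bot: `iam_prefix` concatenates `var.repo` straight into IAM names, so whether it really avoids collisions with the legacy account depends on the value of `var.repo`. Add a `validation` block on the variable that rejects an empty string and restricts it to characters valid in IAM names, and check that the longest generated name (this prefix plus the role, user or policy suffix) stays within IAM's 64-character limit for role and user names.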

This iam_prefix should guarantee that the iam stuff doesn't conflict with the existing one in the legacy account

@marcoieni marcoieni force-pushed the rustc-ci-rust-lang-rust branch from 7569cac to b00f87c Compare April 30, 2025 21:21
@marcoieni marcoieni marked this pull request as ready for review April 30, 2025 21:21
@marcoieni marcoieni force-pushed the rustc-ci-rust-lang-rust branch 11 times, most recently from b717629 to 74a99a2 Compare May 16, 2025 13:33
@marcoieni marcoieni force-pushed the rustc-ci-rust-lang-rust branch 2 times, most recently from e14451a to 951f380 Compare May 16, 2025 14:05
@marcoieni marcoieni force-pushed the rustc-ci-rust-lang-rust branch from 951f380 to 1409906 Compare May 16, 2025 14:16