chore(e2e): Update CI user for testing (#3203)

Josh Brand 3 years ago committed by GitHub
parent 22ecf95449
commit 8b8b665483
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -1,61 +0,0 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
locals {
doormat_service_user_arn = "arn:aws:iam::397512762488:user/doormatServiceUser"
// "Github Actions Doormat repositories and qualifiers"
// see: https://docs.prod.secops.hashicorp.services/doormat/gha/
github_actions_doormat_rwqs = {
boundary-enterprise = {
ci = "github.com/hashicorp/boundary-enterprise@event_name=workflow_dispatch+push:ref=refs/heads/main+refs/heads/release/0.8.x+refs/heads/release/0.10.x+refs/heads/release/0.11.x///event_name=pull_request:base_ref=main+release/0.8.x+release/0.10.x+release/0.11.x",
ci-bootstrap = "github.com/hashicorp/boundary-enterprise@event_name=schedule"
}
boundary-hcp = {
ci = "github.com/hashicorp/boundary-hcp@event_name=workflow_dispatch+push:ref=refs/heads/main+refs/heads/release/0.8.x+refs/heads/release/0.10.x+refs/heads/release/0.11.x///event_name=pull_request:base_ref=main+release/0.8.x+release/0.10.x+release/0.11.x",
ci-bootstrap = "github.com/hashicorp/boundary-hcp@event_name=schedule"
}
}
ent_policies_json = {
ci = data.aws_iam_policy_document.enos_policy_document.json
ci-bootstrap = data.aws_iam_policy_document.combined_policy_document.json
}
repo_github_actions_doormat_rwqs = local.is_ent ? local.github_actions_doormat_rwqs[var.repository] : {}
}
// Doormat Github Actions assume policy
data "aws_iam_policy_document" "github_actions_doormat_assume" {
count = local.is_ent ? 1 : 0
provider = aws.us_east_1
statement {
actions = [
"sts:AssumeRole",
"sts:SetSourceIdentity",
"sts:TagSession"
]
principals {
type = "AWS"
identifiers = [local.doormat_service_user_arn] # infrasec_prod
}
}
}
# Doormat Github Actions roles
resource "aws_iam_role" "github_actions_doormat_role" {
for_each = local.repo_github_actions_doormat_rwqs
provider = aws.us_east_1
name = "${var.repository}-GHA-${each.key}"
tags = {
hc-service-uri = each.value
}
max_session_duration = 43200
assume_role_policy = data.aws_iam_policy_document.github_actions_doormat_assume[0].json
inline_policy {
name = "AssumeServiceUserPolicy"
policy = local.ent_policies_json[each.key]
}
}

@ -16,30 +16,24 @@ terraform {
}
locals {
enterprise_repositories = ["boundary-enterprise", "boundary-hcp"]
is_ent = contains(local.enterprise_repositories, var.repository)
service_user = data.aws_iam_user.service_user.user_name
oss_aws_account_id = "271311691044"
service_user = data.aws_iam_user.service_user.user_name
}
data "aws_caller_identity" "current" {}
data "aws_iam_user" "service_user" {
# This is the user created in the hashicorp/hc-service-users repo
user_name = "github_actions-boundary_ci"
user_name = var.repository == "boundary" ? "github_actions-boundary_ci" : "github_actions-boundary_enterprise_ci"
}
resource "aws_iam_role" "role" {
count = local.is_ent ? 0 : 1 // only create a role for the OSS repositories
provider = aws.us_east_1
name = local.service_user
assume_role_policy = data.aws_iam_policy_document.assume_role_policy_document[0].json
assume_role_policy = data.aws_iam_policy_document.assume_role_policy_document.json
}
data "aws_iam_policy_document" "assume_role_policy_document" {
count = local.is_ent ? 0 : 1 // only create a policy for the OSS repositories
provider = aws.us_east_1
statement {
@ -48,17 +42,15 @@ data "aws_iam_policy_document" "assume_role_policy_document" {
principals {
type = "AWS"
identifiers = ["arn:aws:iam::${local.oss_aws_account_id}:user/${local.service_user}"]
identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/${local.service_user}"]
}
}
}
resource "aws_iam_role_policy" "role_policy" {
count = local.is_ent ? 0 : 1 // only create a policy for the OSS repositories
provider = aws.us_east_1
role = aws_iam_role.role[0].name
role = aws_iam_role.role.name
name = "${local.service_user}_policy"
policy = data.aws_iam_policy_document.combined_policy_document.json
}
@ -258,7 +250,6 @@ data "aws_iam_policy_document" "aws_nuke_policy_document" {
}
resource "aws_iam_policy" "demo_user" {
count = local.is_ent ? 0 : 1 // only create a policy for the OSS repositories
name = "BoundaryDemoPermissionsBoundary"
path = "/"
description = "Used to allow temporary IAM user creation for end-to-end tests"
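Review bot: The trust policy in the second hunk (`identifiers = ["arn:aws:iam::…:user/${local.service_user}"]`) names the single CI user but nothing asserts which account that user is expected to live in, so whichever principal line survives, an apply run with credentials for the wrong account either produces a role trusting that account (the `data.aws_caller_identity.current.account_id` form) or a role whose trusted ARN no longer matches the deploying account (the `local.oss_aws_account_id` form), with no plan-time failure in either case. If the `aws_caller_identity` data source is on the new side, a guard that fails the plan when the two disagree would make the assumption explicit, e.g. on `data "aws_iam_user" "service_user"`: `lifecycle { precondition { condition = data.aws_caller_identity.current.account_id == local.oss_aws_account_id, error_message = "CI role must be applied in the OSS account" } }`. The user lookup in the first hunk, `user_name = var.repository == "boundary" ? … : …`, also maps every repository other than `boundary` to the enterprise CI user, so a mistyped `var.repository` silently selects the wrong user; a `validation` block on that variable (declared outside this section) or an explicit map lookup with no fallback would catch it. The `demo_user` policy block in the third hunk continues past the end of the section.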

@ -2,16 +2,9 @@
# SPDX-License-Identifier: MPL-2.0
output "ci_roles" {
value = local.is_ent ? [for role in aws_iam_role.github_actions_doormat_role : {
name = role.name
arn = role.arn
policy = [for policy in role.inline_policy : {
name = policy.name
policy = jsondecode(policy.policy)
}][0]
}] : [{
name = aws_iam_role.role[0].name
arn = aws_iam_role.role[0].arn
policy = aws_iam_role_policy.role_policy[0].policy
value = [{
name = aws_iam_role.role.name
arn = aws_iam_role.role.arn
policy = aws_iam_role_policy.role_policy.policy
}]
}

@ -16,7 +16,7 @@ scenario "e2e_static_with_vault" {
locals {
aws_ssh_private_key_path = abspath(var.aws_ssh_private_key_path)
boundary_install_dir = abspath(var.boundary_install_dir)
boundary_license_path = abspath(var.boundary_license_path != null ? var.boundary_license_path : joinpath(path.root, "./support/boundary.hclic"))
license_path = abspath(var.boundary_license_path != null ? var.boundary_license_path : joinpath(path.root, "./support/boundary.hclic"))
local_boundary_dir = abspath(var.local_boundary_dir)
build_path = {
"local" = "/tmp",
