diff --git a/images/ubuntu-focal/github_agent.ubuntu.pkr.hcl b/images/ubuntu-focal/github_agent.ubuntu.pkr.hcl index 1385f1c2a0..26d2f26ad6 100644 --- a/images/ubuntu-focal/github_agent.ubuntu.pkr.hcl +++ b/images/ubuntu-focal/github_agent.ubuntu.pkr.hcl @@ -104,7 +104,7 @@ source "amazon-ebs" "githubrunner" { associate_public_ip_address = var.associate_public_ip_address temporary_security_group_source_public_ip = var.temporary_security_group_source_public_ip - ssh_interface = "session_manager" + ssh_interface = "session_manager" # needed because tower control is blocking port 22 iam_instance_profile = "AmazonSSMRoleForInstancesQuickSetup" source_ami_filter { diff --git a/modules/runners/policies-custom.tf b/modules/runners/policies-custom.tf new file mode 100644 index 0000000000..ba50f25a26 --- /dev/null +++ b/modules/runners/policies-custom.tf 
@@ -0,0 +1,73 @@
+resource "aws_iam_role_policy" "gh_artifacts_bucket" {
+ name = "github-ci-loop-artifacts-bucket"
+ role = aws_iam_role.runner.name
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Sid = "githubActionArtifacts",
+ Action = [
+ "s3:ListBucket",
+ "s3:GetObject",
+ "s3:GetObjectTagging",
+ "s3:DeleteObject",
+ "s3:PutObject",
+ "s3:PutObjectAcl",
+ "s3:PutObjectTagging"
+ ]
+ Effect = "Allow"
+ Resource = [
+ "arn:aws:s3:::github-ci-loop-artifacts/*",
+ "arn:aws:s3:::github-ci-loop-artifacts",
+ "arn:aws:s3:::packages.shs-ie-01.intelliflo.services/*",
+ "arn:aws:s3:::packages.shs-ie-01.intelliflo.services",
+ "arn:aws:s3:::mssql-migrations.shs-ie-01.intelliflo.services/*",
+ "arn:aws:s3:::mssql-migrations.shs-ie-01.intelliflo.services"
+ ]
+ }
+ ]
+ })
+}
+
+resource "aws_iam_role_policy" "runner_ecr_scan_push_access" {
+ name = "ecr-scan-push-access"
+ role = aws_iam_role.runner.name
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Sid = "githubActionEcr",
+ Action = [
+ "ecr:DescribeImageScanFindings",
+ "ecr:StartImageScan",
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:DescribeRegistry",
+ "ecr:GetAuthorizationToken",
+ "ecr:ListTagsForResource",
+ "ecr:UploadLayerPart",
+ "ecr:BatchDeleteImage",
+ "ecr:ListImages",
+ "ecr:PutImage",
+ "ecr:BatchGetImage",
+ "ecr:CompleteLayerUpload",
+ "ecr:DescribeImages",
+ "ecr:DescribeRepositories",
+ "ecr:InitiateLayerUpload",
+ "ecr:BatchCheckLayerAvailability"
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ }
+ ]
+ })
+}
+
+resource "aws_iam_role_policy_attachment" "runner_code_artifact_admin_access" {
+ role = aws_iam_role.runner.name
+ policy_arn = "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess"
+}
+
+resource "aws_iam_role_policy_attachment" "runner_basic_ecr_access" {
+ role = aws_iam_role.runner.name
+ policy_arn = "arn:aws:iam::aws:policy/service-role/AWSAppRunnerServicePolicyForECRAccess"
+}
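Review bot: The `runner_ecr_scan_push_access` statement grants `ecr:PutImage` and `ecr:BatchDeleteImage` with `Resource = "*"`, so any workflow that lands on a runner can overwrite or delete images in every repository in the account rather than only the ones this CI loop owns; the `AWSCodeArtifactAdminAccess` attachment below it has the same breadth, being an administrative managed policy on a role assumed by build jobs. Of the ECR actions listed, only `ecr:GetAuthorizationToken` and `ecr:DescribeRegistry` need a wildcard resource, so split the statement and scope the push/delete actions to explicit repository ARNs (sketched below; the repository list is a placeholder for a variable the module does not yet declare). In the S3 statement, `s3:PutObjectAcl` lets a job make artifacts public on any of the three buckets unless Block Public Access is enabled on them, which is not visible here; drop it unless a workflow is known to set object ACLs. The `AWSAppRunnerServicePolicyForECRAccess` attachment is an App Runner service-role policy whose read actions are already covered by the custom statement, so it can be removed once the custom statement is scoped.

```hcl
resource "aws_iam_role_policy" "runner_ecr_scan_push_access" {
  name = "ecr-scan-push-access"
  role = aws_iam_role.runner.name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # These two actions do not support resource-level permissions and must stay on "*".
        Sid      = "githubActionEcrRegistry"
        Action   = ["ecr:GetAuthorizationToken", "ecr:DescribeRegistry"]
        Effect   = "Allow"
        Resource = "*"
      },
      {
        Sid = "githubActionEcr"
        Action = [
          # … unchanged: the remaining ecr:* actions from the original statement …
        ]
        Effect = "Allow"
        # Repository ARNs the CI loop is allowed to push to/delete from — supply via a new
        # list(string) variable rather than "*"; confirm the repository names with the pipeline owners.
        Resource = var.ecr_repository_arns
      }
    ]
  })
}
```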
diff --git a/modules/runners/policies-runner.tf b/modules/runners/policies-runner.tf
index 2a765a620b..d1b9190930 100644
--- a/modules/runners/policies-runner.tf
+++ b/modules/runners/policies-runner.tf
@@ -71,30 +71,3 @@ resource "aws_iam_role_policy" "ec2" {
 } # see also logging.tf for logging and metrics policies
-
-resource "aws_iam_role_policy" "gh_artifacts_bucket" {
- name = "github-ci-loop-artifacts-bucket"
- role = aws_iam_role.runner.name
- policy = templatefile("${path.module}/policies/instance-s3-gh-policy.json",
- {
- s3_arn = "arn:aws:s3:::github-ci-loop-artifacts"
- s3_packages_arn = "arn:aws:s3:::packages.shs-ie-01.intelliflo.services"
- }
- )
-}
-
-resource "aws_iam_role_policy" "runner_ecr_scan_push_access" {
- name = "ecr-scan-push-access"
- role = aws_iam_role.runner.name
- policy = file("${path.module}/policies/instance-ecr-gh-policy.json")
-}
-
-resource "aws_iam_role_policy_attachment" "runner_code_artifact_admin_access" {
- role = aws_iam_role.runner.name
- policy_arn = "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess"
-}
-
-resource "aws_iam_role_policy_attachment" "runner_basic_ecr_access" {
- role = aws_iam_role.runner.name
- policy_arn = "arn:aws:iam::aws:policy/service-role/AWSAppRunnerServicePolicyForECRAccess"
-}
diff --git a/modules/runners/policies/instance-ecr-gh-policy.json b/modules/runners/policies/instance-ecr-gh-policy.json
deleted file mode 100644
index e60506cc0b..0000000000
--- a/modules/runners/policies/instance-ecr-gh-policy.json
+++ /dev/null
@@ -1,28 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "githubActionEcr",
- "Effect": "Allow",
- "Action": [
- "ecr:DescribeImageScanFindings",
- "ecr:StartImageScan",
- "ecr:GetDownloadUrlForLayer",
- "ecr:DescribeRegistry",
- "ecr:GetAuthorizationToken",
- "ecr:ListTagsForResource",
- "ecr:UploadLayerPart",
- "ecr:BatchDeleteImage",
- "ecr:ListImages",
- "ecr:PutImage",
- "ecr:BatchGetImage",
- "ecr:CompleteLayerUpload",
- "ecr:DescribeImages",
- "ecr:DescribeRepositories",
- "ecr:InitiateLayerUpload",
- "ecr:BatchCheckLayerAvailability"
- ],
- "Resource": "*"
- }
- ]
-}
\ No newline at end of file
diff --git a/modules/runners/policies/instance-s3-gh-policy.json b/modules/runners/policies/instance-s3-gh-policy.json
deleted file mode 100644
index d218c27ed2..0000000000
--- a/modules/runners/policies/instance-s3-gh-policy.json
+++ /dev/null
@@ -1,24 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "githubActionArtifacts",
- "Effect": "Allow",
- "Action": [
- "s3:ListBucket",
- "s3:GetObject",
- "s3:GetObjectTagging",
- "s3:DeleteObject",
- "s3:PutObject",
- "s3:PutObjectAcl",
- "s3:PutObjectTagging"
- ],
- "Resource": [
- "${s3_arn}/*",
- "${s3_arn}",
- "${s3_packages_arn}/*",
- "${s3_packages_arn}"
- ]
- }
- ]
-}
\ No newline at end of file