terraform-iam: configure OIDC for NixOS/nix releases

Author: zimbatm

terraform-iam/assume_administrator_access_policy_document/main.tf

@@ -0,0 +1,46 @@
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+    }
+  }
+}
+
+variable "sso_account_id" {
+  description = "AWS account ID where the AdministratorAccess permission set lives."
+  type        = string
+}
+
+variable "sso_region" {
+  description = "Region of the AWS SSO instance."
+  type        = string
+  default     = "eu-north-1"
+}
+
+locals {
+  administrator_role_pattern = format(
+    "arn:aws:iam::%s:role/aws-reserved/sso.amazonaws.com/%s/AWSReservedSSO_AWSAdministratorAccess_*",
+    var.sso_account_id,
+    var.sso_region,
+  )
+}
+
+data "aws_iam_policy_document" "this" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+    principals {
+      type        = "AWS"
+      identifiers = [format("arn:aws:iam::%s:root", var.sso_account_id)]
+    }
+    condition {
+      test     = "ArnLike"
+      variable = "aws:PrincipalArn"
+      values   = [local.administrator_role_pattern]
+    }
+  }
+}
+
+output "json" {
+  value = data.aws_iam_policy_document.this.json
+}

terraform-iam/assume_github_actions_policy_document/main.tf

@@ -0,0 +1,40 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+    }
+  }
+}
+
+variable "subject_filter" {
+  type = list(string)
+}
+
+data "aws_caller_identity" "current" {}
+
+data "aws_iam_openid_connect_provider" "github_actions" {
+  url = "https://token.actions.githubusercontent.com"
+}
+
+data "aws_iam_policy_document" "assume_github_actions" {
+
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+
+    principals {
+      type        = "Federated"
+      identifiers = [data.aws_iam_openid_connect_provider.github_actions.arn]
+    }
+
+    condition {
+      test     = "StringLike"
+      variable = "token.actions.githubusercontent.com:sub"
+      values   = var.subject_filter
+    }
+  }
+}
+
+output "json" {
+  value = data.aws_iam_policy_document.assume_github_actions.json
+}

terraform-iam/nix_repo_oidc.tf

@@ -0,0 +1,92 @@
+# In this document we configure OIDC from GitHub to allow automatically
+# publishing NixOS/nix releases using GitHub Actions.
+#
+# This means that everyone with merge rights in the Nix repo can publish
+# releases (with a public trail).
+
+data "aws_iam_policy_document" "nix_release" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "s3:GetObject",
+      "s3:PutObject"
+    ]
+    # Only allow uploading in the /nix/ prefix in the bucket
+    resources = ["arn:aws:s3:::nix-releases/nix/*"]
+  }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "s3:ListBucket",
+      "s3:ListBucketMultipartUploads"
+    ]
+    resources = ["arn:aws:s3:::nix-releases"]
+    condition {
+      test     = "StringLike"
+      variable = "s3:prefix"
+      values   = ["nix/*"]
+    }
+  }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "s3:PutObject"
+    ]
+    # The release also publishes the install script when it's the latest
+    # release.
+    resources = ["arn:aws:s3:::nix-channels/nix-latest/install"]
+  }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "s3:ListBucket"
+    ]
+    resources = ["arn:aws:s3:::nix-channels"]
+    condition {
+      test     = "StringLike"
+      variable = "s3:prefix"
+      values   = ["nix-latest/*"]
+    }
+  }
+}
+
+resource "aws_iam_policy" "nix_release" {
+  name   = "nix-release"
+  policy = data.aws_iam_policy_document.nix_release.json
+}
+
+data "aws_caller_identity" "current" {}
+
+module "assume_administrator_access" {
+  source         = "./assume_administrator_access_policy_document"
+  sso_account_id = data.aws_caller_identity.current.account_id
+  sso_region     = "eu-north-1"
+}
+
+module "assume_nix_release" {
+  source         = "./assume_github_actions_policy_document"
+
+  # Only allow to assume this role in the NixOS/nix repo, and while running
+  # in the "releases" environment.
+  subject_filter = ["repo:NixOS/nix:environment:releases"]
+}
+
+data "aws_iam_policy_document" "assume_nix_release" {
+  source_policy_documents = [
+    module.assume_administrator_access.json,
+    module.assume_nix_release.json,
+  ]
+}
+
+resource "aws_iam_role" "nix_release" {
+  name                = "nix-release"
+  assume_role_policy  = data.aws_iam_policy_document.assume_nix_release.json
+  managed_policy_arns = [aws_iam_policy.nix_release.arn]
+}
+
+output "nix_release_role_arn" {
+  value = aws_iam_role.nix_release.arn
+}