diff --git a/modules/runners/README.md b/modules/runners/README.md
index b645a37d30..88ccee5adf 100644
--- a/modules/runners/README.md
+++ b/modules/runners/README.md
@@ -88,7 +88,9 @@ yarn run dist
 | [aws_iam_role_policy.describe_tags](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.dist_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.ec2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.gh_artifacts_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.job_retry_sqs_publish](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.runner_ecr_scan_push_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.runner_session_manager_aws_managed](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.scale_down](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.scale_down_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
@@ -103,6 +105,8 @@ yarn run dist
 | [aws_iam_role_policy.ssm_parameters](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy_attachment.ami_id_ssm_parameter_read](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.managed_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.runner_basic_ecr_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.runner_code_artifact_admin_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.scale_down_vpc_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.scale_up_vpc_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.ssm_housekeeper_vpc_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
diff --git a/modules/runners/policies-runner.tf b/modules/runners/policies-runner.tf
index d1b9190930..c83678e5e6 100644
--- a/modules/runners/policies-runner.tf
+++ b/modules/runners/policies-runner.tf
@@ -71,3 +71,30 @@ resource "aws_iam_role_policy" "ec2" {
 }
 # see also logging.tf for logging and metrics policies
+
+resource "aws_iam_role_policy" "gh_artifacts_bucket" {
+ name = "github-ci-loop-artifacts-bucket"
+ role = aws_iam_role.runner.name
+ policy = templatefile("${path.module}/policies/instance-s3-gh-policy.json",
+ {
+ s3_arn = "arn:aws:s3:::github-ci-loop-artifacts"
+ s3_packages_arn = "arn:aws:s3:::packages.shs-ie-01.intelliflo.services"
+ }
+ )
+}
+
+resource "aws_iam_role_policy" "runner_ecr_scan_push_access" {
+ name = "ecr-scan-push-access"
+ role = aws_iam_role.runner.name
+ policy = file("${path.module}/policies/instance-ecr-gh-policy.json")
+}
+
+resource "aws_iam_role_policy_attachment" "runner_code_artifact_admin_access" {
+ role = aws_iam_role.runner.name
+ policy_arn = "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess"
+}
+
+resource "aws_iam_role_policy_attachment" "runner_basic_ecr_access" {
+ role = aws_iam_role.runner.name
+ policy_arn = "arn:aws:iam::aws:policy/service-role/AWSAppRunnerServicePolicyForECRAccess"
+}
diff --git a/modules/runners/policies/instance-ecr-gh-policy.json b/modules/runners/policies/instance-ecr-gh-policy.json
new file mode 100644
index 0000000000..e60506cc0b
--- /dev/null
+++ b/modules/runners/policies/instance-ecr-gh-policy.json
@@ -0,0 +1,28 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "githubActionEcr",
+ "Effect": "Allow",
+ "Action": [
+ "ecr:DescribeImageScanFindings",
+ "ecr:StartImageScan",
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:DescribeRegistry",
+ "ecr:GetAuthorizationToken",
+ "ecr:ListTagsForResource",
+ "ecr:UploadLayerPart",
+ "ecr:BatchDeleteImage",
+ "ecr:ListImages",
+ "ecr:PutImage",
+ "ecr:BatchGetImage",
+ "ecr:CompleteLayerUpload",
+ "ecr:DescribeImages",
+ "ecr:DescribeRepositories",
+ "ecr:InitiateLayerUpload",
+ "ecr:BatchCheckLayerAvailability"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
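Review bot: Attaching the AWS-managed `AWSCodeArtifactAdminAccess` policy to `aws_iam_role.runner` in `runner_code_artifact_admin_access` gives any process on a runner instance (reachable through the instance metadata credentials) administrative control over every CodeArtifact domain and repository in the account — creating and deleting domains, rewriting domain and repository permission policies, deleting package versions — which is far beyond what a job that reads or publishes packages needs; a customer-managed policy limited to `codeartifact:GetAuthorizationToken`, `codeartifact:ReadFromRepository`, `codeartifact:PublishPackageVersion` plus `sts:GetServiceBearerToken`, scoped to the intended domain and repository ARNs, would keep the role at least privilege. `AWSAppRunnerServicePolicyForECRAccess` in `runner_basic_ecr_access` is a service-role policy written for the App Runner principal and only duplicates pull permissions the inline `runner_ecr_scan_push_access` policy already grants, so it can be dropped rather than attached to a CI role. The bucket ARNs passed to `templatefile` in `gh_artifacts_bucket` are account-specific names hard-coded inside a reusable module; exposing them as inputs (e.g. `s3_arn = var.gh_artifacts_bucket_arn`) would keep the module portable and make the grant reviewable per environment.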
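Review bot: The `githubActionEcr` statement grants `ecr:PutImage`, `ecr:BatchDeleteImage`, `ecr:InitiateLayerUpload`/`ecr:UploadLayerPart`/`ecr:CompleteLayerUpload` and `ecr:StartImageScan` on `"Resource": "*"`, so a workflow step running on a runner could overwrite or delete tags in any ECR repository in the account, including images that other services deploy from; of the listed actions only `ecr:GetAuthorizationToken` and `ecr:DescribeRegistry` actually require a `*` resource. Splitting the policy into one statement for those two actions on `*` and a second statement whose `Resource` lists the repository ARNs the runners are meant to publish to (or a repository-name prefix pattern) keeps the push path working while bounding the blast radius of a compromised job. `ecr:BatchDeleteImage` is worth dropping unless a job really deletes images, since immutable tags plus a lifecycle policy usually cover cleanup. A trailing newline would also remove the `\ No newline at end of file` marker.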
diff --git a/modules/runners/policies/instance-s3-gh-policy.json b/modules/runners/policies/instance-s3-gh-policy.json
new file mode 100644
index 0000000000..d218c27ed2
--- /dev/null
+++ b/modules/runners/policies/instance-s3-gh-policy.json
@@ -0,0 +1,24 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "githubActionArtifacts",
+ "Effect": "Allow",
+ "Action": [
+ "s3:ListBucket",
+ "s3:GetObject",
+ "s3:GetObjectTagging",
+ "s3:DeleteObject",
+ "s3:PutObject",
+ "s3:PutObjectAcl",
+ "s3:PutObjectTagging"
+ ],
+ "Resource": [
+ "${s3_arn}/*",
+ "${s3_arn}",
+ "${s3_packages_arn}/*",
+ "${s3_packages_arn}"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/modules/runners/templates/user-data.sh b/modules/runners/templates/user-data.sh
index 68edb79b0a..e2becf0a99 100644
--- a/modules/runners/templates/user-data.sh
+++ b/modules/runners/templates/user-data.sh
@@ -53,7 +53,7 @@ install_with_retry docker
 service docker start
 usermod -a -G docker ec2-user
-install_with_retry amazon-cloudwatch-agent jq git
+install_with_retry amazon-cloudwatch-agent jq git zip
 install_with_retry --allowerasing curl
 user_name=ec2-user
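Review bot: `s3:PutObjectAcl` is granted on both buckets in the `githubActionArtifacts` statement, which lets a workflow set `public-read` on any object it uploads unless the buckets run with `BucketOwnerEnforced` object ownership or Block Public Access; unless a downstream consumer genuinely needs per-object ACLs, this action should be removed and access expressed in the bucket policy instead. `s3:DeleteObject` and `s3:PutObject` are also granted on `${s3_packages_arn}`, so CI can delete or silently replace published packages; if runners only consume from that bucket, a separate read-only statement (`s3:ListBucket`, `s3:GetObject`, `s3:GetObjectTagging`) on the packages ARNs would be safer, and a `Condition` requiring `"aws:SecureTransport": "true"` would match the usual baseline. As with the ECR policy, the file lacks a trailing newline.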