Switch bootstrap to NixOS foundation account (#97)

* Switch bootstrap to NixOS foundation account

* limit what instances can be spawned

* Remove hardcoded region

* no region

* fix policy

* arn

* Fix

* more granular IAM

* t3a not supported in NixOS' default region

* github pages needs to list all regions

* Skip smoketests if they were already performed

* Fix assuming roles for debugging. these roles are named differently outside of us-east-1

* Set up an AWS config and fix roles so they can be assumed by admin for debugging

* skip terminated instances: the tests already passed for this ami

* fix skip

.config/aws/config

@@ -0,0 +1,31 @@
+[sso-session nixos]
+sso_start_url = https://nixos.awsapps.com/start
+sso_region = eu-north-1
+sso_registration_scopes = sso:account:access
+
+[profile default]
+sso_session = nixos
+sso_account_id = 427812963091
+sso_role_name = AWSAdministratorAccess
+output = yaml
+region = eu-north-1
+
+[profile upload-ami]
+source_profile = default
+role_arn = arn:aws:iam::427812963091:role/upload-ami
+
+[profile github-pages]
+source_profile = default
+role_arn = arn:aws:iam::427812963091:role/github-pages
+
+[profile plan]
+source_profile = default
+role_arn = arn:aws:iam::427812963091:role/plan
+
+[profile state]
+source_profile = default
+role_arn = arn:aws:iam::427812963091:role/state
+
+[profile apply]
+source_profile = default
+role_arn = arn:aws:iam::427812963091:role/apply

.envrc

@@ -1 +1,5 @@
+source $(direnv fetchurl "https://raw.githubusercontent.com/numtide/prj-spec/main/contrib/direnv" "sha256-54YaaGly6Q0E8GhFT9fB/h9tN1PDERo2/4R4X0Pdi/c=")
+
+export AWS_CONFIG_FILE=$PRJ_CONFIG_HOME/aws/config
+
 use flake

.github/workflows/upload-legacy-ami.yml

@@ -9,8 +9,6 @@ on:
   workflow_dispatch:
   schedule:
     - cron: '0 0 * * 0' 
-env:
-  AWS_REGION: eu-central-1
 jobs:
   upload-ami:
     name: Upload Legacy Amazon Image
@@ -42,10 +40,7 @@ jobs:
       - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
           role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/upload-ami
-          aws-region: ${{ env.AWS_REGION }}
-
-      - name: For all regions disable-image-block-public-access
-        run: nix run .#disable-image-block-public-access
+          aws-region: ${{ vars.AWS_REGION }}
 
       - name: Upload Smoke test AMI
         id: upload_smoke_test_ami
@@ -63,17 +58,17 @@ jobs:
         # NOTE: make sure smoke test isn't cancelled. Such that instance gets cleaned up.
         run: |
           image_ids='${{ steps.upload_smoke_test_ami.outputs.image_ids }}'
-          image_id=$(echo "$image_ids" | jq -r '.["${{ env.AWS_REGION }}"]')
+          image_id=$(echo "$image_ids" | jq -r '.["${{ vars.AWS_REGION }}"]')
           run_id='${{ github.run_id }}'
-          nix run .#smoke-test -- --image-id "$image_id" --region "${{ env.AWS_REGION }}" --run-id "$run_id"
+          nix run .#smoke-test -- --image-id "$image_id"
 
       - name: Clean up smoke test
         if: ${{ cancelled() }}
         run: |
           image_ids='${{ steps.upload_smoke_test_ami.outputs.image_ids }}'
-          image_id=$(echo "$image_ids" | jq -r '.["${{ env.AWS_REGION }}"]')
+          image_id=$(echo "$image_ids" | jq -r '.["${{ vars.AWS_REGION }}"]')
           run_id='${{ github.run_id }}'
-          nix run .#smoke-test -- --image-id "$image_id" --region "${{ env.AWS_REGION }}" --run-id "$run_id" --cancel
+          nix run .#smoke-test -- --image-id "$image_id" --cancel
       
 
       # NOTE: We do not pass run-id as we're not  building the image ourselves
@@ -109,11 +104,10 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: DeterminateSystems/nix-installer-action@cd46bde16ab981b0a7b2dce0574509104543276e # v9
       - uses: DeterminateSystems/magic-nix-cache-action@eeabdb06718ac63a7021c6132129679a8e22d0c7 # v3
-      - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.1 with:
+      - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.1
         with:
-          # TODO: Separate role?
-          role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/upload-ami
-          aws-region: ${{ env.AWS_REGION }}
+          role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/github-pages
+          aws-region: ${{ vars.AWS_REGION }}
       - name: Describe images
         run: nix run .#describe-images > ./site/images.json
       - name: Upload pages

.gitignore

@@ -3,3 +3,4 @@ result*
 .direnv
 .vscode
 .nixos-test-history
+.data

tf/assume_administrator_access_policy_document/main.tf

@@ -20,7 +20,7 @@ data "aws_iam_policy_document" "this" {
     condition {
       test     = "ArnLike"
       variable = "aws:PrincipalArn"
-      values   = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AdministratorAccess_*"]
+      values = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:assumed-role/AWSReservedSSO_AWSAdministratorAccess_*/*"]
     }
   }
 }

tf/assume_github_actions_policy_document/main.tf

@@ -17,7 +17,7 @@ data "aws_iam_openid_connect_provider" "github_actions" {
   url = "https://token.actions.githubusercontent.com"
 }
 
-data "aws_iam_policy_document" "assume_upload_ami" {
+data "aws_iam_policy_document" "assume_github_actions" {
 
   statement {
     effect  = "Allow"
@@ -37,5 +37,5 @@ data "aws_iam_policy_document" "assume_upload_ami" {
 }
 
 output "json" {
-  value = data.aws_iam_policy_document.assume_upload_ami.json
+  value = data.aws_iam_policy_document.assume_github_actions.json
 }