Comparing changes
Open a pull request
base repository: NixOS/nixpkgs
base: 82578fc72513
head repository: NixOS/nixpkgs
compare: c06b97175b9d
- 10 commits
- 1 file changed
- 2 contributors
Commits on Oct 30, 2020
-
nixos ec2/create-amis.sh: shellcheck: SC2155: Declare and assign sepa…
…rately to avoid masking return values.
-
nixos ec2/create-amis.sh: shellcheck: explicitly make the additions t…
…o block_device_mappings single strings
-
create-amis: allow customizing the service role name
The complete setup on the AWS end can be configured with the following Terraform configuration. It generates a ./credentials.sh which I just copy/pasted in to the create-amis.sh script near the top. Note: the entire stack of users and bucket can be destroyed at the end of the import. variable "region" { type = string } variable "availability_zone" { type = string } provider "aws" { region = var.region } resource "aws_s3_bucket" "nixos-amis" { bucket_prefix = "nixos-amis-" lifecycle_rule { enabled = true abort_incomplete_multipart_upload_days = 1 expiration { days = 7 } } } resource "local_file" "credential-file" { file_permission = "0700" filename = "${path.module}/credentials.sh" sensitive_content = <<SCRIPT export service_role_name="${aws_iam_role.vmimport.name}" export bucket="${aws_s3_bucket.nixos-amis.bucket}" export AWS_ACCESS_KEY_ID="${aws_iam_access_key.uploader.id}" export AWS_SECRET_ACCESS_KEY="${aws_iam_access_key.uploader.secret}" SCRIPT } # The following resources are for the *uploader* resource "aws_iam_user" "uploader" { name = "nixos-amis-uploader" } resource "aws_iam_access_key" "uploader" { user = aws_iam_user.uploader.name } resource "aws_iam_user_policy" "upload-to-nixos-amis" { user = aws_iam_user.uploader.name policy = data.aws_iam_policy_document.upload-policy-document.json } data "aws_iam_policy_document" "upload-policy-document" { statement { effect = "Allow" actions = [ "s3:ListBucket", "s3:GetBucketLocation", ] resources = [ aws_s3_bucket.nixos-amis.arn ] } statement { effect = "Allow" actions = [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject", ] resources = [ "${aws_s3_bucket.nixos-amis.arn}/*" ] } statement { effect = "Allow" actions = [ "ec2:ImportSnapshot", "ec2:DescribeImportSnapshotTasks", "ec2:DescribeImportSnapshotTasks", "ec2:RegisterImage", "ec2:DescribeImages" ] resources = [ "*" ] } } # The following resources are for the *vmimport service user* # See: https://docs.aws.amazon.com/vm-import/latest/userguide/vmie_prereqs.html#vmimport-role resource "aws_iam_role" "vmimport" { assume_role_policy = data.aws_iam_policy_document.vmimport-trust.json } resource "aws_iam_role_policy" "vmimport-access" { role = aws_iam_role.vmimport.id policy = data.aws_iam_policy_document.vmimport-access.json } data "aws_iam_policy_document" "vmimport-access" { statement { effect = "Allow" actions = [ "s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket", ] resources = [ aws_s3_bucket.nixos-amis.arn, "${aws_s3_bucket.nixos-amis.arn}/*" ] } statement { effect = "Allow" actions = [ "ec2:ModifySnapshotAttribute", "ec2:CopySnapshot", "ec2:RegisterImage", "ec2:Describe*" ] resources = [ "*" ] } } data "aws_iam_policy_document" "vmimport-trust" { statement { effect = "Allow" principals { type = "Service" identifiers = [ "vmie.amazonaws.com" ] } actions = [ "sts:AssumeRole" ] condition { test = "StringEquals" variable = "sts:ExternalId" values = [ "vmimport" ] } } }
-
create-amis: improve wording around the service name's IAM role
Co-authored-by: Cole Helbling <cole.e.helbling@outlook.com>
-
Merge pull request #102173 from grahamc/create-amis
create-amis.sh: fixup shellcheck issues, improve error logging, and add configurable service names
This comparison is taking too long to generate.
Unfortunately it looks like we can’t render this comparison for you right now. It might be too big, or there might be something weird with your repository.
You can try running this command locally to see the comparison on your machine:
git diff 82578fc72513...c06b97175b9d