.mairu.json and development role

.mairu.json

@@ -0,0 +1,4 @@
+{
+  "server": "https://amc.rubykaigi.net/api/remote/",
+  "role": "arn:aws:iam::005216166247:role/SponsorAppDev"
+}

README.md

@@ -26,7 +26,9 @@ yarn run watch
 - `S3_FILES_BUCKET` S3 bucket name
 - `S3_FILES_PREFIX` (optional)
 - `S3_FILES_ROLE` IAM Role ARN which allows `s3:PutBucket` to all objects on the bucket
-  - You also have to supply a valid AWS credentials to the app in a standard SDK way, e.g. IAM instance profile, ECS task IAM role, and `ENV['AWS_ACCESS_KEY_ID']`.
+  - RubyKaigi staff can use `arn:aws:iam::005216166247:role/SponsorAppDevUser`
+
+You also have to supply a valid AWS credentials to the app in a standard SDK way. RubyKaigi staff refer to https://rubykaigi.org/go/aws for setup access.
 
 #### GitHub
 

tf/.mairu.json

@@ -0,0 +1,4 @@
+{
+  "server": "https://amc.rubykaigi.net/api/remote/",
+  "role": "arn:aws:iam::005216166247:role/OrgzAdmin"
+}

tf/acm.tf

@@ -1,7 +1,7 @@
-data "aws_acm_certificate" "wild-rk-n" {
-  domain      = "*.rubykaigi.net"
-  most_recent = true
-}
+#data "aws_acm_certificate" "wild-rk-n" {
+#  domain      = "*.rubykaigi.net"
+#  most_recent = true
+#}
 
 data "aws_acm_certificate" "use1-sponsorships-rk-o" {
   provider    = aws.use1

tf/aws.tf

@@ -1,3 +1,5 @@
+data "aws_caller_identity" "current" {}
+
 locals {
   aws_account_id = "005216166247"
 }

tf/iam_SponsorAppDev.tf

@@ -0,0 +1,53 @@
+resource "aws_iam_role" "SponsorAppDev" {
+  name                 = "SponsorAppDev"
+  description          = "SponsorAppDev"
+  assume_role_policy   = data.aws_iam_policy_document.SponsorAppDev-trust.json
+  max_session_duration = 43200
+}
+
+data "aws_iam_policy_document" "SponsorAppDev-trust" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"]
+    principals {
+      type = "Federated"
+      identifiers = [
+        "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/amc.rubykaigi.net",
+      ]
+    }
+    condition {
+      test     = "StringLike"
+      variable = "amc.rubykaigi.net:sub"
+      values   = ["${data.aws_caller_identity.current.account_id}:SponsorAppDev:*"]
+    }
+  }
+
+}
+
+resource "aws_iam_role_policy" "SponsorAppDev" {
+  role   = aws_iam_role.SponsorAppDev.name
+  policy = data.aws_iam_policy_document.SponsorAppDev.json
+}
+data "aws_iam_policy_document" "SponsorAppDev" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "sts:AssumeRole",
+    ]
+    resources = [
+      aws_iam_role.SponsorAppDevUser.arn,
+    ]
+  }
+  statement {
+    effect = "Allow"
+    actions = [
+      "s3:PutObject",
+      "s3:GetObject",
+      "s3:ListBucket",
+    ]
+    resources = [
+      aws_s3_bucket.files-dev.arn,
+      "${aws_s3_bucket.files-dev.arn}/*",
+    ]
+  }
+}

tf/iam_SponsorAppDevUser.tf

@@ -0,0 +1,35 @@
+resource "aws_iam_role" "SponsorAppDevUser" {
+  name                 = "SponsorAppDevUser"
+  description          = "SponsorAppDevUser"
+  assume_role_policy   = data.aws_iam_policy_document.SponsorAppDevUser-trust.json
+  max_session_duration = 43200
+}
+
+data "aws_iam_policy_document" "SponsorAppDevUser-trust" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+    principals {
+      type = "AWS"
+      identifiers = [
+        "arn:aws:iam::${local.aws_account_id}:root",
+      ]
+    }
+  }
+}
+
+resource "aws_iam_role_policy" "SponsorAppDevUser" {
+  role   = aws_iam_role.SponsorAppDevUser.name
+  policy = data.aws_iam_policy_document.SponsorAppDevUser.json
+}
+data "aws_iam_policy_document" "SponsorAppDevUser" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "s3:PutObject",
+    ]
+    resources = [
+      "${aws_s3_bucket.files-dev.arn}/*",
+    ]
+  }
+}