Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create pytorch-ci-artifacts s3 bucket #33

Merged
merged 1 commit into from
Feb 22, 2024
Merged

Create pytorch-ci-artifacts s3 bucket #33

merged 1 commit into from
Feb 22, 2024

Conversation

zxiiro
Copy link
Collaborator

@zxiiro zxiiro commented Feb 15, 2024
edited
Loading

Create the pytorch-ci-artifacts s3 bucket for storing build artifacts and apply the necessary access policy to the build nodes for the actions runners.

Issue: #34

malfet
malfet approved these changes Feb 20, 2024
View reviewed changes
Copy link

@malfet malfet left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, but it would be good to have test plan of sorts. For example, I don't see where it says, that it would apply public read policy to all objects created in this bucket by default (though it would not matter much right now, as it's not used to store anything yet)

@zxiiro
Create pytorch-ci-artifacts s3 bucket
b95e7dd 
Create the pytorch-ci-artifacts s3 bucket for storing build artifacts
and apply the necessary access policy to the build nodes for the
actions runners. This creates a publicly available S3 Bucket for read
access to anonymous users. While requiring OIDC authentication for
write access by GitHub Actions.

Issue: #34
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
@zxiiro zxiiro force-pushed the zxiiro/s3-artifacts branch from 2249692 to b95e7dd Compare February 20, 2024 18:39
@zxiiro
Copy link
Collaborator Author

zxiiro commented Feb 20, 2024

LGTM, but it would be good to have test plan of sorts. For example, I don't see where it says, that it would apply public read policy to all objects created in this bucket by default (though it would not matter much right now, as it's not used to store anything yet)

I was working on that this morning (sorry the issue #34 was created after this PR and I had further discussions with @jeanschmidt on Slack). The updated PR creates a public access S3 Bucket for read access. Write access is permitted through OIDC authentication which the GitHub Actions pushing to this will need to handle via the configure-aws-credentials action..

zxiiro
zxiiro commented Feb 20, 2024
View reviewed changes
aws/391835788720/us-east-1/ci-artifacts.tf
}
}

resource "aws_s3_bucket_website_configuration" "pytorch_ci_artifacts_website" {
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This makes a publicly available web URL for the S3 bucket to download artifacts from. We purposely disallow navigating the website to prevent snooping so users will need to know the direct URL for the artifacts they want to access.

What typically I've seen other projects do is create a index.html to list all of the artifacts for the build and store the build URL for the S3 bucket to that index file so that there's only 1 URL per build to remember and download the rest of the artifacts from.

@jeanschmidt
Copy link
Contributor

LGTM, as a slight improvement I would rename the file to s3.tf so to use it when we have more buckets to manage. And move the role + policies to the iam_policy file.

Still this is a organizational decision I don't have strong view. But we need to pick a standard, if we go by this layout might be important to move everything to its own file mechanic-related instead of by type-related.

@zxiiro
Copy link
Collaborator Author

zxiiro commented Feb 21, 2024

LGTM, as a slight improvement I would rename the file to s3.tf so to use it when we have more buckets to manage. And move the role + policies to the iam_policy file.

Still this is a organizational decision I don't have strong view. But we need to pick a standard, if we go by this layout might be important to move everything to its own file mechanic-related instead of by type-related.

I don't have a strong opinion either but I do like that everything related to this specific S3 Bucket is in 1 file. Less jumping around to figure out how this bucket is configured. Especially because this is a global bucket that needs to be a well known resource.

@zxiiro zxiiro requested a review from jwagantall February 21, 2024 16:27
@jeanschmidt jeanschmidt merged commit fcee0ad into main Feb 22, 2024
2 checks passed
@jeanschmidt jeanschmidt deleted the zxiiro/s3-artifacts branch February 22, 2024 15:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jeanschmidt jeanschmidt jeanschmidt approved these changes

@malfet malfet malfet approved these changes

@DanilBaibak DanilBaibak Awaiting requested review from DanilBaibak

@jwagantall jwagantall Awaiting requested review from jwagantall

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@zxiiro @jeanschmidt @malfet