Merge pull request #441 from rust-lang/pa-start-release

Create the `start-release` lambda

terraform/releases/_terraform.tf

@@ -6,7 +6,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 4.20"
+      version = "~> 5.58"
     }
     external = {
       source  = "hashicorp/external"

terraform/releases/impl/main.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source                = "hashicorp/aws"
-      version               = "~> 4.20"
+      version               = "~> 5.58"
       configuration_aliases = [aws.east1]
     }
   }

terraform/releases/impl/outputs.tf

@@ -1,3 +1,7 @@
 output "promote_release_role_id" {
   value = aws_iam_role.promote_release.unique_id
 }
+
+output "codebuild_project_arn" {
+  value = aws_codebuild_project.promote_release.arn
+}

terraform/releases/lambdas/start-release/index.py

@@ -0,0 +1,86 @@
+#!/usr/bin/env python3
+
+# We want to grant folks on the release team the ability to start publishing
+# releases, but simply granting them permission to start the CodeBuild job
+# grants way too many privileges. For example, it would allow them to bypass
+# startup checks, override the commit being released, or worse override the
+# command being executed by CodeBuild to exfiltrate secrets.
+#
+# To solve the problem, this script accepts a limited set of actions allowed to
+# be executed, and invokes CodeBuild with the right environment variables. This
+# means we can safely grant the release team access to this function.
+
+import boto3
+import time
+
+
+codebuild = boto3.client("codebuild")
+
+
+def handler(event, context):
+    match event["action"]:
+        case "update-rust-branches":
+            # The channel for updating branches is not actually used by
+            # promote-release, but we have to pass it anyway.
+            return run_build("promote-branches", "prod", "nightly")
+
+        case "publish-rust-dev-nightly":
+            return run_build("promote-release", "dev", "nightly")
+
+        case "publish-rust-dev-beta":
+            return run_build("promote-release", "dev", "beta")
+
+        case "publish-rust-dev-stable":
+            return run_build(
+                "promote-release",
+                "dev",
+                "stable",
+                {
+                    "PROMOTE_RELEASE_BLOG_REPOSITORY": "rust-lang/blog.rust-lang.org",
+                    "PROMOTE_RELEASE_BLOG_SCHEDULED_RELEASE_DATE": event["date"],
+                },
+            )
+
+        case "publish-rust-dev-stable-rebuild":
+            return run_build(
+                "promote-release",
+                "dev",
+                "stable",
+                {
+                    "PROMOTE_RELEASE_BYPASS_STARTUP_CHECKS": "1",
+                },
+            )
+
+        case "publish-rust-prod-stable":
+            return run_build("promote-release", "prod", "stable")
+
+        case action:
+            raise RuntimeError(f"unsupported action: {action}")
+
+
+def run_build(action, env, channel, extra_vars=None):
+    vars = {
+        "PROMOTE_RELEASE_ACTION": action,
+        "PROMOTE_RELEASE_CHANNEL": channel,
+    }
+    if extra_vars is not None:
+        vars.update(extra_vars)
+
+    build = codebuild.start_build(
+        projectName=f"promote-release--{env}",
+        environmentVariablesOverride=[
+            {"name": name, "value": value, "type": "PLAINTEXT"}
+            for name, value in vars.items()
+        ],
+    )["build"]
+
+    # Continue fetching information about the build
+    while "streamName" not in build["logs"]:
+        time.sleep(1)
+        build = codebuild.batch_get_builds(ids=[build["id"]])["builds"][0]
+
+    return {
+        "build_id": build["id"],
+        "logs_group": build["logs"]["groupName"],
+        "logs_link": build["logs"]["deepLink"],
+    }

terraform/releases/start-release.tf

@@ -0,0 +1,47 @@
+resource "aws_iam_role" "start_release" {
+  name = "start-release-lambda"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = "sts:AssumeRole"
+        Principal = {
+          Service = "lambda.amazonaws.com"
+        }
+      }
+    ]
+  })
+
+  inline_policy {
+    name = "permissions"
+    policy = jsonencode({
+      Version = "2012-10-17"
+      Statement = [
+        {
+          Effect = "Allow"
+          Action = [
+            "codebuild:StartBuild",
+            "codebuild:BatchGetBuilds",
+          ]
+          Resource = [
+            module.dev.codebuild_project_arn,
+            module.prod.codebuild_project_arn,
+          ]
+        }
+      ]
+    })
+  }
+}
+
+module "lambda_start_release" {
+  source = "../shared/modules/lambda"
+
+  name            = "start-release"
+  source_dir      = "lambdas/start-release"
+  handler         = "index.handler"
+  runtime         = "python3.12"
+  role_arn        = aws_iam_role.start_release.arn
+  timeout_seconds = 900 # 15 minutes
+}

terraform/shared/modules/lambda/main.tf

@@ -1,8 +1,9 @@
 terraform {
   required_providers {
     aws = {
-      source  = "hashicorp/aws"
-      version = "~> 4.20"
+      source = "hashicorp/aws"
+      // Allow both 4.x and 5.x while we upgrade everything to 5.x.
+      version = ">= 4.20, < 6"
     }
   }
 }