From 82d422b343bf3c458373907c271172599eaab457 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20D=C3=ADaz?= Date: Mon, 19 Jan 2026 13:57:11 +0100 Subject: [PATCH 1/5] Add tf to deploy anonymous credentials to prod --- tf/environments/prod/main.tf | 108 +++++++++++++++++++++++++++++++++-- 1 file changed, 104 insertions(+), 4 deletions(-) diff --git a/tf/environments/prod/main.tf b/tf/environments/prod/main.tf index 51a231ca..c256f6be 100644 --- a/tf/environments/prod/main.tf +++ b/tf/environments/prod/main.tf @@ -41,6 +41,11 @@ provider "aws" { } data "aws_availability_zones" "available" {} +# +# Manually managed with the AWS console +data "aws_ssm_parameter" "anonc_secret_key" { + name = "/oonidevops/secrets/zkp/secret_key" +} data "aws_secretsmanager_secret" "do_token" { name = "oonidevops/digitalocean_access_token" 
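Review bot: `data "aws_ssm_parameter" "anonc_secret_key"` reads the parameter with decryption on (the data source's `with_decryption` defaults to true), so if `/oonidevops/secrets/zkp/secret_key` is a SecureString its plaintext is recorded in the Terraform state for this environment, and the identity running the plan needs decrypt rights on the parameter's key; where the value is consumed is outside this hunk. The two-line comment should say so rather than only that the parameter is console-managed, e.g. `# Manually managed with the AWS console. Read with decryption: the plaintext lands in Terraform state, so state access must be as restricted as the parameter itself.` The bare leading `+#` line before the comment adds nothing and can be dropped.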
@@ -275,6 +280,86 @@ resource "aws_s3_bucket" "ooni_private_config_bucket" { bucket = "ooni-config-${var.aws_region}-${random_id.artifact_id.hex}" } +resource "aws_s3_bucket" "anoncred_manifests" { + bucket = "anoncred-manifests-${var.aws_region}" + object_lock_enabled = true + versioning { + enabled = true + } +} + +resource "aws_s3_bucket_versioning" "anoncred_manifests_version" { + bucket = aws_s3_bucket.anoncred_manifests.id + versioning_configuration { + status = "Enabled" + } +} + +resource "aws_s3_bucket_policy" "anonc_manifsts_policy" { + bucket = aws_s3_bucket.anoncred_manifests.id + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Sid = "PublicList" + Effect = "Allow" + Principal = "*" + Action = "s3:ListBucket" + Resource = aws_s3_bucket.anoncred_manifests.arn + }, + { + Sid = "PublicRead" + Effect = "Allow" + Principal = "*" + Action = "s3:GetObject" + Resource = "${aws_s3_bucket.anoncred_manifests.arn}/*" + } + ] + }) +} + +resource "aws_s3_bucket_ownership_controls" "anonc_manifests" { + bucket = aws_s3_bucket.anoncred_manifests.id + rule { + object_ownership = "BucketOwnerPreferred" + } +} + +resource "aws_s3_bucket_public_access_block" "anonc_manifests" { + bucket = aws_s3_bucket.anoncred_manifests.id + + block_public_acls = false + block_public_policy = false + ignore_public_acls = false + restrict_public_buckets = false +} + +resource "aws_s3_bucket_acl" "anonc_manifests" { + depends_on = [ + aws_s3_bucket_ownership_controls.anonc_manifests, + aws_s3_bucket_public_access_block.anonc_manifests, + ] + + bucket = aws_s3_bucket.anoncred_manifests.id + acl = "public-read" +} + +# Anonymous credentials manifest. 
+# +# Stored here to be publicly available, verifiable, and version controlled +resource "aws_s3_object" "manifest" { + bucket = aws_s3_bucket.anoncred_manifests.id + key = "manifest.json" + content = jsonencode({ + nym_scope = "ooni.org/{probe_cc}/{probe_asn}" + submission_policy = { + "*/*" = "*" + } + public_parameters = "ASAAAAAAAAAAQuyVwuNRQJrFaYWNoTRktq7raodC5dwqXFBNlB5yPxoBIAAAAAAAAACySi3MEUQH886Jymv1Ft8ic+1w2gmmKmr6Kmse0C+mWwMAAAAAAAAAIAAAAAAAAAAW614MmIZZmvRrwG9vvEO5znoEkG413cUSDwVc/cstaCAAAAAAAAAAfo7B0TYG+ytQ5cEs6vENzPPkXOHNuLE+uVaC5upvgFMgAAAAAAAAAMhi0YHpOV60CphCTxCo0BO95oOdpz3VwOPcp4DNuOkN" + }) +} + data "aws_secretsmanager_secret_version" "deploy_key" { secret_id = module.adm_iam_roles.oonidevops_deploy_key_arn depends_on = [module.adm_iam_roles] @@ -584,7 +669,7 @@ resource "aws_iam_role_policy" "ooniprobe_role" { role = module.ooniapi_cluster.container_host_role.name policy = < Date: Wed, 21 Jan 2026 13:07:39 +0100 Subject: [PATCH 2/5] fix typo; set branch to master --- tf/environments/prod/main.tf | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/tf/environments/prod/main.tf b/tf/environments/prod/main.tf index c256f6be..3371d37f 100644 --- a/tf/environments/prod/main.tf +++ b/tf/environments/prod/main.tf @@ -295,7 +295,7 @@ resource "aws_s3_bucket_versioning" "anoncred_manifests_version" { } } -resource "aws_s3_bucket_policy" "anonc_manifsts_policy" { +resource "aws_s3_bucket_policy" "anonc_manifests_policy" { bucket = aws_s3_bucket.anoncred_manifests.id policy = jsonencode({ @@ -706,7 +706,8 @@ module "ooniapi_ooniprobe_deployer" { service_name = "ooniprobe" repo = "ooni/backend" - branch_name = "userauth-dep" + # branch_name = "userauth-dep" + branch_name = "master" trigger_path = "ooniapi/services/ooniprobe/**" buildspec_path = "ooniapi/services/ooniprobe/buildspec.yml" codestar_connection_arn = aws_codestarconnections_connection.oonidevops.arn 
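Review bot: The manifests bucket is opened to the public by three overlapping mechanisms in this hunk — a `public-read` ACL under `BucketOwnerPreferred`, a public access block with all four flags false, and the `PublicList`/`PublicRead` bucket policy — when the policy alone grants the intended read/list access and is the only one that can be audited as a single statement. Setting `object_ownership = "BucketOwnerEnforced"`, keeping `block_public_acls` and `ignore_public_acls` true, and dropping `aws_s3_bucket_acl` (ACLs are rejected under enforced ownership) gives the same public access with one grant to review, as sketched below. The inline `versioning { enabled = true }` block in `aws_s3_bucket` duplicates `aws_s3_bucket_versioning` and is deprecated in recent provider versions (the provider constraint is outside this hunk), so only the standalone resource should remain. Note also that `object_lock_enabled = true` without an `aws_s3_bucket_object_lock_configuration` default-retention rule does not by itself stop manifest versions from being deleted, and `aws_s3_object.manifest` sets no `content_type`, so `content_type = "application/json"` is worth adding for clients fetching the manifest.
```hcl
resource "aws_s3_bucket" "anoncred_manifests" {
  bucket              = "anoncred-manifests-${var.aws_region}"
  object_lock_enabled = true
  # versioning is managed by aws_s3_bucket_versioning.anoncred_manifests_version
}

# … unchanged: aws_s3_bucket_versioning, aws_s3_bucket_policy …

resource "aws_s3_bucket_ownership_controls" "anonc_manifests" {
  bucket = aws_s3_bucket.anoncred_manifests.id
  rule {
    # ACLs disabled: public read/list is granted only by the bucket policy
    object_ownership = "BucketOwnerEnforced"
  }
}

resource "aws_s3_bucket_public_access_block" "anonc_manifests" {
  bucket = aws_s3_bucket.anoncred_manifests.id

  block_public_acls  = true
  ignore_public_acls = true
  # the public-read bucket policy is intentional for this bucket
  block_public_policy     = false
  restrict_public_buckets = false
}

# aws_s3_bucket_acl "anonc_manifests" removed: not supported under BucketOwnerEnforced

# … unchanged: aws_s3_object "manifest" …
```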
@@ -855,7 +856,8 @@ module "fastpath_builder" { service_name = "fastpath" repo = "ooni/backend" - branch_name = "userauth-dep" + # branch_name = "userauth-dep" + branch_name = "master" buildspec_path = "fastpath/buildspec.yml" trigger_path = "fastpath/**" codestar_connection_arn = aws_codestarconnections_connection.oonidevops.arn From fb5d1b26c6ac96128577e1ea99770ac3a7afc574 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20D=C3=ADaz?= Date: Wed, 21 Jan 2026 13:16:13 +0100 Subject: [PATCH 3/5] rename anonymous credentials bucket --- tf/environments/prod/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tf/environments/prod/main.tf b/tf/environments/prod/main.tf index 3371d37f..bf3a01af 100644 --- a/tf/environments/prod/main.tf +++ b/tf/environments/prod/main.tf @@ -281,7 +281,7 @@ resource "aws_s3_bucket" "ooni_private_config_bucket" { } resource "aws_s3_bucket" "anoncred_manifests" { - bucket = "anoncred-manifests-${var.aws_region}" + bucket = "ooni-anoncreds-manifests-${var.aws_region}" object_lock_enabled = true versioning { enabled = true From 14569edaf6d1b45b69c3e55ee3078c557a67b2dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20D=C3=ADaz?= Date: Wed, 21 Jan 2026 13:35:22 +0100 Subject: [PATCH 4/5] Add fastpath tags --- ansible/roles/fastpath/tasks/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ansible/roles/fastpath/tasks/main.yml b/ansible/roles/fastpath/tasks/main.yml index c11c8c4e..4187c5bb 100644 --- a/ansible/roles/fastpath/tasks/main.yml +++ b/ansible/roles/fastpath/tasks/main.yml @@ -145,11 +145,15 @@ command: id -u {{fastpath_user}} register: user_uid changed_when: false + tags: + - fastpath - name: Get GID of a specific user command: id -g {{fastpath_user}} register: user_gid changed_when: false + tags: + - fastpath - name: Ensure fastpath is running community.docker.docker_container: From 603b983028133466819296f5ad20a31d07228647 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Luis=20D=C3=ADaz?= Date: Wed, 21 Jan 2026 15:41:44 +0100 Subject: [PATCH 5/5] remove comments --- tf/environments/prod/main.tf | 2 -- 1 file changed, 2 deletions(-) diff --git a/tf/environments/prod/main.tf b/tf/environments/prod/main.tf index bf3a01af..d16093cc 100644 --- a/tf/environments/prod/main.tf +++ b/tf/environments/prod/main.tf @@ -706,7 +706,6 @@ module "ooniapi_ooniprobe_deployer" { service_name = "ooniprobe" repo = "ooni/backend" - # branch_name = "userauth-dep" branch_name = "master" trigger_path = "ooniapi/services/ooniprobe/**" buildspec_path = "ooniapi/services/ooniprobe/buildspec.yml" @@ -856,7 +855,6 @@ module "fastpath_builder" { service_name = "fastpath" repo = "ooni/backend" - # branch_name = "userauth-dep" branch_name = "master" buildspec_path = "fastpath/buildspec.yml" trigger_path = "fastpath/**"