feat(cloud): add VIP managed machines S3 configuration

[itzlambda]

Adds Terraform configuration for syncing VIP (managed machines) from S3.

New variables:

• vip_s3_bucket / vip_s3_key - S3 location of machines CSV
• vip_s3_region - Optional region override
• vip_poll_interval_secs - Sync frequency

When vip_s3_bucket is set, an IAM policy is attached to grant the API service S3 read access.

Summary by CodeRabbit

• New Features

  • Added VIP (Managed Machines) configuration support with S3 integration for machine synchronization
  • Introduced new configuration parameters: S3 bucket location, object key, region, and polling interval

• Chores

  • Exposed task role name as a service configuration output

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

This PR adds VIP (Managed Machines) S3 integration to the Basilica API infrastructure. New Terraform variables, IAM policies, and environment variables configure the API service to read VIP machine configurations from an S3 bucket with configurable polling intervals. An additional ECS service output exposes the task role name.

Changes

Cohort / File(s)	Summary
VIP S3 Configuration Variables scripts/cloud/variables.tf	Added four new Terraform variables: vip_s3_bucket, vip_s3_key, vip_s3_region, and vip_poll_interval_secs to configure VIP machine synchronization from S3
VIP S3 Integration in Compute Resources scripts/cloud/compute.tf	Added environment variables (BASILICA_API_AGGREGATOR__VIP__S3_BUCKET, BASILICA_API_AGGREGATOR__VIP__S3_KEY, BASILICA_API_AGGREGATOR__VIP__S3_REGION, BASILICA_API_AGGREGATOR__VIP__POLL_INTERVAL_SECS) to Basilica API service and created IAM policy api_vip_s3_access granting S3 GetObject and ListBucket permissions
ECS Service Output scripts/cloud/modules/ecs-service/outputs.tf	Exported new output task_role_name exposing the task IAM role name
Example Terraform Configuration scripts/cloud/terraform.tfvars.example	Added VIP configuration block with documentation for S3 bucket, key, region, and polling interval settings

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Duplicate IAM policy resource: The summary indicates aws_iam_role_policy api_vip_s3_access appears twice in compute.tf—verify whether this is intentional or an accidental duplication that should be removed.
• IAM policy correctness: Confirm the S3 permissions (GetObject, ListBucket) follow least-privilege principles and that resource ARNs are correctly scoped.
• Environment variable consistency: Review naming conventions and fallback logic for BASILICA_API_AGGREGATOR__VIP__S3_REGION (should fall back to AWS region if empty).
• Variable defaults: Ensure default values (empty strings for S3 config, 60 seconds for poll interval) align with intended behavior.

Poem

🐰✨ A warren of machines now lives in S3's gleaming keep,
VIP configs polled with gentle grace, while permissions run deep.
IAM keys unlock the treasure, as task roles take their stride,
Infrastructure hops forward—managed machines now amplified! 🌟

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title directly and accurately summarizes the main change: adding VIP managed machines S3 configuration to the cloud infrastructure code.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch vip-cloud-s3-config

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d32e2df and 4685217.

📒 Files selected for processing (4)

• scripts/cloud/compute.tf
• scripts/cloud/modules/ecs-service/outputs.tf
• scripts/cloud/terraform.tfvars.example
• scripts/cloud/variables.tf

🧰 Additional context used

🪛 Gitleaks (8.30.0)

scripts/cloud/compute.tf

[high] 413-413: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

🔇 Additional comments (4)

scripts/cloud/modules/ecs-service/outputs.tf (1)

26-29: LGTM!

The new output follows the established pattern and correctly exposes the task role name, enabling IAM policy attachments in the parent module.

scripts/cloud/variables.tf (1)

198-224: LGTM!

The VIP variable definitions are well-structured with appropriate types, sensible defaults, and clear descriptions. The 60-second default polling interval provides reasonable freshness without excessive S3 API calls.

scripts/cloud/compute.tf (1)

410-415: LGTM!

The VIP environment variable configuration correctly follows the nested naming convention and includes appropriate fallback logic for the S3 region. The tostring() conversion for the polling interval ensures proper type handling.

scripts/cloud/terraform.tfvars.example (1)

119-151: LGTM!

The VIP configuration documentation is well-structured and provides clear guidance with:

• Descriptive section headers
• Example values for all variables
• Detailed CSV format specification including all required columns
• Helpful inline notes

This documentation will help users configure VIP machine synchronization correctly.

[coderabbitai]

🛠️ Refactor suggestion | 🟠 Major

Refine IAM policy to follow least privilege principle.

The current policy structure has several issues:

1. Incorrect resource mapping: s3:ListBucket operates on the bucket resource, while s3:GetObject operates on object resources. Both actions shouldn't share the same Resource array.

2. Missing wildcard for object access: Line 464 should specify objects under the key path, not just the exact key (especially if it's a prefix or could be empty).

3. Overly broad when vip_s3_key is empty: If vip_s3_key defaults to "", line 464 becomes arn:aws:s3:::bucket/, which grants access to all objects.

🔎 Proposed IAM policy fix

 resource "aws_iam_role_policy" "api_vip_s3_access" {
   count = var.vip_s3_bucket != "" ? 1 : 0
   name  = "${local.name_prefix}-api-vip-s3-access"
   role  = module.basilica_api_service.task_role_name
 
   policy = jsonencode({
     Version = "2012-10-17"
     Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "s3:ListBucket"
+        ]
+        Resource = [
+          "arn:aws:s3:::${var.vip_s3_bucket}"
+        ]
+      },
       {
         Effect = "Allow"
         Action = [
-          "s3:GetObject",
-          "s3:ListBucket"
+          "s3:GetObject"
         ]
         Resource = [
-          "arn:aws:s3:::${var.vip_s3_bucket}",
-          "arn:aws:s3:::${var.vip_s3_bucket}/${var.vip_s3_key}"
+          var.vip_s3_key != "" ? "arn:aws:s3:::${var.vip_s3_bucket}/${var.vip_s3_key}" : "arn:aws:s3:::${var.vip_s3_bucket}/*"
         ]
       }
     ]
   })
 }

This separates ListBucket (bucket-level) from GetObject (object-level) permissions and handles the empty vip_s3_key case explicitly.

🤖 Prompt for AI Agents

In scripts/cloud/compute.tf around lines 448-469, the IAM policy mixes bucket-
and object-level ARNs and lacks a wildcard for object prefixes; update the
policy to grant s3:ListBucket only to the bucket ARN
("arn:aws:s3:::${var.vip_s3_bucket}") and grant s3:GetObject to object ARNs with
a wildcard for the key prefix (use "arn:aws:s3:::${var.vip_s3_bucket}/*" when
var.vip_s3_key is empty, otherwise
"arn:aws:s3:::${var.vip_s3_bucket}/${var.vip_s3_key}*"); implement this by
splitting the Statement into two entries (one for ListBucket with the bucket
ARN, one for GetObject with the conditional/wildcard object ARN) so least
privilege and correct resource mapping are enforced.