Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

BAU: reduce lamba policies #5604

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
+166 −7
Open

BAU: reduce lamba policies #5604

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
8bc09a6
BAU: New role module to reduce policy attachment
whi-tw Nov 29, 2024
5a85b5b
POC: use the new lambda role module
whi-tw Nov 29, 2024
7742330
fixup! BAU: New role module to reduce policy attachment
whi-tw Dec 6, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 9 additions & 7 deletions ci/terraform/account-management/authenticate.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,15 +1,17 @@
module "account_management_api_authenticate_role" {
source = "../modules/lambda-role"
source = "../modules/lambda-role-policy-reduction"
environment = var.environment
role_name = "account-management-api-authenticate-role"
vpc_arn = local.vpc_arn

policies_to_attach = [
aws_iam_policy.dynamo_am_user_read_access_policy.arn,
aws_iam_policy.audit_signing_key_lambda_kms_signing_policy.arn,
aws_iam_policy.parameter_policy.arn,
module.account_management_txma_audit.access_policy_arn
]
policy_documents_to_attach = {
additional = [
data.aws_iam_policy_document.dynamo_user_read_policy_document.json,
data.aws_iam_policy_document.account_management_audit_payload_kms_signing_policy_document.json,
data.aws_iam_policy_document.redis_parameter_policy.json,
module.account_management_txma_audit.access_policy_document.json
]
}
}

module "authenticate" {
Expand Down
7 changes: 7 additions & 0 deletions ci/terraform/modules/lambda-role-policy-reduction/output.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
output "arn" {
value = aws_iam_role.lambda_role.arn
}

output "name" {
value = aws_iam_role.lambda_role.name
}
73 changes: 73 additions & 0 deletions ci/terraform/modules/lambda-role-policy-reduction/policy.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
data "aws_iam_policy_document" "logging_policy_document" {
statement {
effect = "Allow"

actions = [
"logs:CreateLogStream",
"logs:PutLogEvents"
]

resources = [
"arn:aws:logs:*:*:*",
]
}
}

data "aws_iam_policy_document" "endpoint_xray_policy" {
statement {
effect = "Allow"
actions = [
"xray:*"
]

resources = [
"*",
]
}
}
Dismissed Show dismissed Hide dismissed
Dismissed Show dismissed Hide dismissed

data "aws_iam_policy_document" "networking_policy_document" {
count = var.vpc_arn == "" ? 0 : 1
statement {
effect = "Allow"

actions = [
"ec2:DescribeNetworkInterfaces",
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface"
]
resources = [
"*"
]
condition {
test = "ArnLikeIfExists"
variable = "ec2:Vpc"
values = [var.vpc_arn]
}
}
}

locals {
policy_documents_to_attach = merge({
base = concat([
data.aws_iam_policy_document.logging_policy_document.json,
data.aws_iam_policy_document.endpoint_xray_policy.json,
],
var.vpc_arn == "" ? [] : [data.aws_iam_policy_document.networking_policy_document[0].json]),
}, var.policy_documents_to_attach)
Comment on lines +52 to +57
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do the order of these policies matter? i.e. if the json object keys are not returned in the same order, will that cause AWS/terraform to fail to deploy the change (see previous conversations about changes to policy ordering messing up a deployment)?

}

data "aws_iam_policy_document" "iam-policy-document" {
for_each = local.policy_documents_to_attach
source_policy_documents = each.value
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to worry about this?

Statements defined in source_policy_documents must have unique sids

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ethanmills thanks for taking a look - I was going to reach out for input.

Yeah, that's a super valid point I hadn't considered. If we go ahead with this approach, I'll add a validation step in to ensure uniqueness.

}

resource "aws_iam_policy" "iam-policy" {
for_each = local.policy_documents_to_attach

name_prefix = "${var.role_name}-${each.key}-policy"
path = "/${var.environment}/${var.role_name}/"
description = "Combined IAM policy ${each.key} for ${var.role_name}"

policy = data.aws_iam_policy_document.iam-policy-document[each.key].json
}
40 changes: 40 additions & 0 deletions ci/terraform/modules/lambda-role-policy-reduction/role.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
resource "aws_iam_role" "lambda_role" {
name_prefix = "execution-role"
path = "/${var.environment}/${var.role_name}/"
assume_role_policy = data.aws_iam_policy_document.lambda_can_assume_role.json

tags = var.default_tags
}

data "aws_iam_policy_document" "lambda_can_assume_role" {
version = "2012-10-17"

statement {
effect = "Allow"
principals {
identifiers = [
"lambda.amazonaws.com"
]
type = "Service"
}

actions = [
"sts:AssumeRole"
]
}
}

resource "aws_iam_role_policy_attachment" "provided_policies" {
for_each = aws_iam_policy.iam-policy

role = aws_iam_role.lambda_role.name
policy_arn = each.value.arn

depends_on = [
aws_iam_role.lambda_role
]
}
resource "aws_iam_role_policy_attachments_exclusive" "exclusively_managed_policies" {
role_name = aws_iam_role.lambda_role.name
policy_arns = aws_iam_policy.iam-policy[*].arn
}
33 changes: 33 additions & 0 deletions ci/terraform/modules/lambda-role-policy-reduction/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
variable "role_name" {
type = string
}

variable "environment" {
type = string
}

variable "default_tags" {
default = {}
type = map(string)
description = "Default tags to apply to all resources"
}

variable "policy_documents_to_attach" {
type = map(list(string))
default = {}
description = "Policy documents to combine and attach to the role"

validation {
condition = !contains(keys(var.policy_documents_to_attach), "base")
error_message = "policy_documents_to_attach cannot contain a key named 'base'"
}
validation {
condition = length(keys(var.policy_documents_to_attach)) <= 20
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Off by 1 here. We already have 1 policy defined, base

error_message = "policy_documents_to_attach cannot contain more than 20 keys"
}
}

variable "vpc_arn" {
default = ""
type = string
}
4 changes: 4 additions & 0 deletions ci/terraform/modules/txma-audit-queue/output.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,3 +13,7 @@ output "kms_key_arn" {
output "access_policy_arn" {
value = aws_iam_policy.txma_audit_queue_access_policy.arn
}

output "access_policy_document" {
value = data.aws_iam_policy_document.txma_audit_queue_access_policy_document
}