From 8f5d01ec7c7be677a7ac1248235dbe87858c5179 Mon Sep 17 00:00:00 2001
From: Edward Proctor
Date: Wed, 27 Dec 2023 10:13:10 +0000
Subject: [PATCH 1/4] Initial commmit creating new role

---
 .../bootstrap/member-bootstrap/iam.tf | 41 +++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/terraform/environments/bootstrap/member-bootstrap/iam.tf b/terraform/environments/bootstrap/member-bootstrap/iam.tf
index 2d54f6052..5da380023 100644
--- a/terraform/environments/bootstrap/member-bootstrap/iam.tf
+++ b/terraform/environments/bootstrap/member-bootstrap/iam.tf
@@ -472,3 +472,44 @@ data "aws_iam_policy_document" "policy" {
 resources = ["*"] #tfsec:ignore:AWS099 tfsec:ignore:AWS097
 }
 }
+
+# MemberInfrastructureBedrockEuCentral
+module "member-access-eu-central" {
+ count = local.account_data.account-type == "member" && terraform.workspace != "testing-test" ? 1 : 0
+ source = "github.com/ministryofjustice/modernisation-platform-terraform-cross-account-access?ref=v2.3.0"
+ account_id = local.modernisation_platform_account.id
+ additional_trust_roles = [one(data.aws_iam_roles.github_actions_role.arns), one(data.aws_iam_roles.member-sso-admin-access.arns)]
+ policy_arn = aws_iam_policy.member-access-us-east[0].id
+ role_name = "MemberInfrastructureBedrockEuCentral"
+}
+
+# lots of SCA ignores and skips on this one as it is the main role allowing members to build most things in the platform
+#tfsec:ignore:aws-iam-no-policy-wildcards
+data "aws_iam_policy_document" "member-access-eu-central" {
+ statement {
+ #checkov:skip=CKV_AWS_108
+ #checkov:skip=CKV_AWS_111
+ #checkov:skip=CKV_AWS_107
+ #checkov:skip=CKV_AWS_109
+ #checkov:skip=CKV_AWS_110
+ #checkov:skip=CKV2_AWS_40
+ effect = "Allow"
+ actions = [
+ "bedrock:*"
+ ]
+ resources = ["*"] #tfsec:ignore:AWS099 tfsec:ignore:AWS097
+ }
+
+ statement {
+ effect = "Deny"
+ actions = ["*"]
+ resources = ["*"]
+ }
+}
+
+resource "aws_iam_policy" "member-access-us-east" {
+ count = local.account_data.account-type == "member" ? 1 : 0
+ name = "MemberInfrastructureAccessUSEastActions"
+ description = "Restricted policy for US East usage"
+ policy = data.aws_iam_policy_document.member-access-us-east.json
+}

From 0c6adbd391d3a5e0173a40f32350d3f10b9f8b80 Mon Sep 17 00:00:00 2001
From: Edward Proctor
Date: Wed, 27 Dec 2023 10:33:41 +0000
Subject: [PATCH 2/4] Missed refrence change

---
 terraform/environments/bootstrap/member-bootstrap/iam.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
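Review bot: The second statement of `data "aws_iam_policy_document" "member-access-eu-central"` is an unconditional `effect = "Deny"` on `actions = ["*"]` / `resources = ["*"]`, and an explicit deny always wins in IAM evaluation, so it cancels the `bedrock:*` allow above it and a role carrying this policy can perform no action at all. An IAM policy is default-deny already, so the statement should be dropped, or — if the EuCentral name means the role is meant to be confined to one region — it needs a `condition` block with `test = "StringNotEquals"`, `variable = "aws:RequestedRegion"` and `values = ["eu-central-1"]` so that only out-of-region calls are denied. The header comment `# lots of SCA ignores and skips on this one as it is the main role allowing members to build most things in the platform` appears to be copied from a broader policy and does not describe a bedrock-only document; `# Bedrock-only policy for the MemberInfrastructureBedrockEuCentral role; wildcard resource is inherent to bedrock model access` would state the actual reason for the tfsec/checkov skips.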
diff --git a/terraform/environments/bootstrap/member-bootstrap/iam.tf b/terraform/environments/bootstrap/member-bootstrap/iam.tf
index 5da380023..e92402005 100644
--- a/terraform/environments/bootstrap/member-bootstrap/iam.tf
+++ b/terraform/environments/bootstrap/member-bootstrap/iam.tf
@@ -507,9 +507,9 @@ data "aws_iam_policy_document" "member-access-eu-central" {
 }
 }
 
-resource "aws_iam_policy" "member-access-us-east" {
+resource "aws_iam_policy" "member-access-eu-central" {
 count = local.account_data.account-type == "member" ? 1 : 0
 name = "MemberInfrastructureAccessUSEastActions"
 description = "Restricted policy for US East usage"
- policy = data.aws_iam_policy_document.member-access-us-east.json
+ policy = data.aws_iam_policy_document.member-access-eu-central.json
 }

From 290e334abc99df21542b5b7f281a59647a371ceb Mon Sep 17 00:00:00 2001
From: Edward Proctor
Date: Wed, 27 Dec 2023 13:03:45 +0000
Subject: [PATCH 3/4] Missed refrence change

---
 terraform/environments/bootstrap/member-bootstrap/iam.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/terraform/environments/bootstrap/member-bootstrap/iam.tf b/terraform/environments/bootstrap/member-bootstrap/iam.tf
index e92402005..abd08e25b 100644
--- a/terraform/environments/bootstrap/member-bootstrap/iam.tf
+++ b/terraform/environments/bootstrap/member-bootstrap/iam.tf
@@ -509,7 +509,7 @@ data "aws_iam_policy_document" "member-access-eu-central" {
 
 resource "aws_iam_policy" "member-access-eu-central" {
 count = local.account_data.account-type == "member" ? 1 : 0
- name = "MemberInfrastructureAccessUSEastActions"
+ name = "MemberInfrastructureBedrockEuCentralActions"
 description = "Restricted policy for US East usage"
 policy = data.aws_iam_policy_document.member-access-eu-central.json
 }

From 7bb9767bf101a76a9b7816810b0b7ffbc9608b6c Mon Sep 17 00:00:00 2001
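Review bot: Renaming the resource to `aws_iam_policy.member-access-eu-central` leaves its consumer unchanged: the `member-access-eu-central` module added in PATCH 1 still sets `policy_arn = aws_iam_policy.member-access-us-east[0].id`, and no patch in this series touches that line, so the MemberInfrastructureBedrockEuCentral role ends up attached to what is presumably the pre-existing US East policy while the new bedrock document is created but attached to nothing. The line should read `policy_arn = aws_iam_policy.member-access-eu-central[0].id`. The `description = "Restricted policy for US East usage"` is equally stale for this policy and PATCH 3 corrects only `name`; `description = "Restricted policy for Bedrock usage in eu-central"` would match the new role. The module's `count` also excludes the `testing-test` workspace while this resource's `count` does not, so the policy is created where nothing consumes it; aligning the two conditions would avoid an orphan policy.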
From: Edward Proctor
Date: Wed, 27 Dec 2023 16:58:51 +0000
Subject: [PATCH 4/4] Added deny permissions

---
 .../bootstrap/member-bootstrap/iam.tf | 41 +++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/terraform/environments/bootstrap/member-bootstrap/iam.tf b/terraform/environments/bootstrap/member-bootstrap/iam.tf
index abd08e25b..be2d76496 100644
--- a/terraform/environments/bootstrap/member-bootstrap/iam.tf
+++ b/terraform/environments/bootstrap/member-bootstrap/iam.tf
@@ -499,6 +499,47 @@ data "aws_iam_policy_document" "member-access-eu-central" {
 ]
 resources = ["*"] #tfsec:ignore:AWS099 tfsec:ignore:AWS097
 }
+ statement {
+ effect = "Deny"
+ actions = [
+ "iam:AddClientIDToOpenIDConnectProvider",
+ "iam:AddUserToGroup",
+ "iam:AttachGroupPolicy",
+ "iam:AttachUserPolicy",
+ "iam:CreateAccountAlias",
+ "iam:CreateGroup",
+ "iam:CreateLoginProfile",
+ "iam:CreateOpenIDConnectProvider",
+ "iam:CreateSAMLProvider",
+ "iam:CreateUser",
+ "iam:CreateVirtualMFADevice",
+ "iam:DeactivateMFADevice",
+ "iam:DeleteAccountAlias",
+ "iam:DeleteAccountPasswordPolicy",
+ "iam:DeleteGroup",
+ "iam:DeleteGroupPolicy",
+ "iam:DeleteLoginProfile",
+ "iam:DeleteOpenIDConnectProvider",
+ "iam:DeleteSAMLProvider",
+ "iam:DeleteUser",
+ "iam:DeleteUserPermissionsBoundary",
+ "iam:DeleteUserPolicy",
+ "iam:DeleteVirtualMFADevice",
+ "iam:DetachGroupPolicy",
+ "iam:DetachUserPolicy",
+ "iam:EnableMFADevice",
+ "iam:RemoveClientIDFromOpenIDConnectProvider",
+ "iam:RemoveUserFromGroup",
+ "iam:ResyncMFADevice",
+ "iam:UpdateAccountPasswordPolicy",
+ "iam:UpdateGroup",
+ "iam:UpdateLoginProfile",
+ "iam:UpdateOpenIDConnectProviderThumbprint",
+ "iam:UpdateSAMLProvider",
+ "iam:UpdateUser"
+ ]
+ resources = ["*"]
+}
 
 statement {
 effect = "Deny"
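Review bot: The new deny statement is inserted directly above the existing unconditional `Deny` on `actions = ["*"]` that the trailing context lines show, so while that statement stands this list changes nothing — the role is already denied every action — and it only becomes meaningful once the deny-all is removed or given a condition. Even then this document allows only `bedrock:*`, so none of these IAM actions is granted here; the statement's real value is that an explicit deny overrides an allow in any other policy attached to the same role, which deserves a comment such as `# Explicit deny on IAM user/group/MFA/identity-provider management so no other policy attached to this role can grant it`. The closing brace is written `+}` at column 0 while `statement {` is indented; `terraform fmt` would align it with the other statements in the block. The list covers user, group, MFA and identity-provider management but no role- or policy-level actions (for example `iam:CreateRole`, `iam:AttachRolePolicy`, `iam:PutRolePolicy`, `iam:CreatePolicyVersion`, `iam:PassRole`), and whether that omission is deliberate should be recorded in the same comment. The enclosing `data "aws_iam_policy_document" "member-access-eu-central"` block starts before this hunk.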