Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🐛 Add dynamodb permissions to 'oidc_assume_role_member' #6789

Closed
wants to merge 1 commit into from
Closed

🐛 Add dynamodb permissions to 'oidc_assume_role_member' #6789

wants to merge 1 commit into from

Conversation

ASTRobinson
Copy link
Contributor

@ASTRobinson ASTRobinson commented Apr 12, 2024
edited
Loading

investigation into BUG #6702 This PR adds the dynamodb:GetItem and dynamodb:PutItem permissions

Error message (account numbers removed)

Error message: 2 errors occurred:
	* operation error DynamoDB: PutItem, https response error StatusCode: 400,
RequestID: api error
AccessDeniedException: User:
arn:aws:sts:::assumed-role/github-actions/githubactionsrolesession
is not authorized to perform: dynamodb:PutItem on resource:
arn:aws:dynamodb:eu-west-2::table/modernisation-platform-terraform-state-lock
because no identity-based policy allows the dynamodb:PutItem action
	* Unable to retrieve item from DynamoDB table
"modernisation-platform-terraform-state-lock": operation error DynamoDB

@github-actions GitHub Actions
Copy link
Contributor

Please check the plan carefully before deploying these changes.

⚠️ Making changes to the terraform/environments/bootstrap/member-bootstrap/iam.tf file will alter the IAM permissions for all members on the MP platform. In particular the member-access policy which defines the permissions members have for building IaC in their environments or the github OIDC role that defines the permissions for their application CI/CD pipelines. Please ensure that any permissions changes have been agreed with the wider team.

@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/bootstrap/member-bootstrap

Running Trivy in terraform/environments/bootstrap/member-bootstrap
2024-04-12T17:12:08.678Z �[34mINFO�[0m Need to update DB
2024-04-12T17:12:08.678Z �[34mINFO�[0m DB Repository: ghcr.io/aquasecurity/trivy-db:2
2024-04-12T17:12:08.678Z �[34mINFO�[0m Downloading DB...
2024-04-12T17:12:10.779Z �[34mINFO�[0m Vulnerability scanning is enabled
2024-04-12T17:12:10.779Z �[34mINFO�[0m Misconfiguration scanning is enabled
2024-04-12T17:12:10.779Z �[34mINFO�[0m Need to update the built-in policies
2024-04-12T17:12:10.779Z �[34mINFO�[0m Downloading the built-in policies...
46.13 KiB / 46.13 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-04-12T17:12:11.361Z �[34mINFO�[0m Secret scanning is enabled
2024-04-12T17:12:11.361Z �[34mINFO�[0m If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-04-12T17:12:11.361Z �[34mINFO�[0m Please see also https://aquasecurity.github.io/trivy/v0.50/docs/scanner/secret/#recommendation for faster secret detection
2024-04-12T17:12:15.325Z �[34mINFO�[0m Number of language-specific files: 0
2024-04-12T17:12:15.325Z �[34mINFO�[0m Detected config files: 5

github.com/ministryofjustice/modernisation-platform-github-oidc-role?ref=c3bde7c787038ff5536bfb1b73781072edbb74da/main.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)

iam.tf (terraform)

Tests: 157 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 157)
Failures: 0 (HIGH: 0, CRITICAL: 0)

instance-scheduler.tf (terraform)

Tests: 13 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 13)
Failures: 0 (HIGH: 0, CRITICAL: 0)

ssm.tf (terraform)

Tests: 8 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 8)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=0

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/bootstrap/member-bootstrap

*****************************

Running Checkov in terraform/environments/bootstrap/member-bootstrap
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-04-12 17:12:17,990 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-cross-account-access?ref=6819b090bce6d3068d55c7c7b9b3fd18c9dca648:None (for external modules, the --download-external-modules flag is required)
2024-04-12 17:12:17,990 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-roles:~> 5 (for external modules, the --download-external-modules flag is required)
2024-04-12 17:12:17,990 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:~> 5 (for external modules, the --download-external-modules flag is required)
2024-04-12 17:12:17,991 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=0179859e6fafc567843cd55c0b05d325d5012dc4:None (for external modules, the --download-external-modules flag is required)
2024-04-12 17:12:17,991 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-github-oidc-role?ref=c3bde7c787038ff5536bfb1b73781072edbb74da:None (for external modules, the --download-external-modules flag is required)
2024-04-12 17:12:17,991 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-github-oidc-provider?ref=82f546bd5f002674138a2ccdade7d7618c6758b3:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 123, Failed checks: 0, Skipped checks: 50


checkov_exitcode=0

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/bootstrap/member-bootstrap

*****************************

Running tflint in terraform/environments/bootstrap/member-bootstrap
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/bootstrap/member-bootstrap

*****************************

Running Trivy in terraform/environments/bootstrap/member-bootstrap
2024-04-12T17:12:08.678Z	�[34mINFO�[0m	Need to update DB
2024-04-12T17:12:08.678Z	�[34mINFO�[0m	DB Repository: ghcr.io/aquasecurity/trivy-db:2
2024-04-12T17:12:08.678Z	�[34mINFO�[0m	Downloading DB...
2024-04-12T17:12:10.779Z	�[34mINFO�[0m	Vulnerability scanning is enabled
2024-04-12T17:12:10.779Z	�[34mINFO�[0m	Misconfiguration scanning is enabled
2024-04-12T17:12:10.779Z	�[34mINFO�[0m	Need to update the built-in policies
2024-04-12T17:12:10.779Z	�[34mINFO�[0m	Downloading the built-in policies...
46.13 KiB / 46.13 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-04-12T17:12:11.361Z	�[34mINFO�[0m	Secret scanning is enabled
2024-04-12T17:12:11.361Z	�[34mINFO�[0m	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-04-12T17:12:11.361Z	�[34mINFO�[0m	Please see also https://aquasecurity.github.io/trivy/v0.50/docs/scanner/secret/#recommendation for faster secret detection
2024-04-12T17:12:15.325Z	�[34mINFO�[0m	Number of language-specific files: 0
2024-04-12T17:12:15.325Z	�[34mINFO�[0m	Detected config files: 5

github.com/ministryofjustice/modernisation-platform-github-oidc-role?ref=c3bde7c787038ff5536bfb1b73781072edbb74da/main.tf (terraform)
=====================================================================================================================================
Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)


iam.tf (terraform)
==================
Tests: 157 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 157)
Failures: 0 (HIGH: 0, CRITICAL: 0)


instance-scheduler.tf (terraform)
=================================
Tests: 13 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 13)
Failures: 0 (HIGH: 0, CRITICAL: 0)


ssm.tf (terraform)
==================
Tests: 8 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 8)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=0

@ASTRobinson ASTRobinson mentioned this pull request Apr 12, 2024
Closed
@ASTRobinson ASTRobinson marked this pull request as ready for review April 15, 2024 08:34
@ASTRobinson ASTRobinson requested a review from a team as a code owner April 15, 2024 08:34
@ASTRobinson
Copy link
Contributor Author

closing as the wrong solution for the problem, carrying on investigation on ministryofjustice/modernisation-platform-environments#5761

@dms1981 dms1981 deleted the bug/nuke-workflow branch April 30, 2024 13:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@ASTRobinson