feat: custom policy + hardened trust relationship #132
Conversation
adding a condition on the trust policy for the codebuild project arn ensures the iam role can not be used by any other codebuild project. codebuild projects could be extremely permissive, even when least privileged so enforcing the role can only be used by the intended codebuild project limits to ability for a threat actor to quietly take control of a powerful role and do threat actory things.
|
@johncblandii or @srhopkins looks like you were assigned this PR. Is there anything else you need from me to get this in? we'd like to take advantage of this module, but need these changes for security reasons (#131) |
| @@ -254,10 +254,22 @@ variable "logs_config" { | |||
| description = "Configuration for the builds to store log data to CloudWatch or S3." | |||
| } | |||
|
|
|||
| variable "default_permissions_enabled" { | |||
There was a problem hiding this comment.
Could we use the presence of the custom policy instead of this flag?
There was a problem hiding this comment.
it's possible one wants the defaults and custom policy. I used the enable variable to follow conventions elsewhere in the module.
happy to change that, if you'd prefer it to be an either or.
There was a problem hiding this comment.
Thanks @bt-macole - this is a really good improvement.
A couple of comments.
bt-macole
force-pushed
the
add-custom-policy-support
branch
from
09aebaf to
126c38d
Compare
| description = "When 'true' default base iam permissions to get up and running with codebuild are attached. Those who want a least priveleged policy can instead set to `false` and use the `custom policy` variable." | ||
| } | ||
|
|
||
| variable "custom_policy" { |
There was a problem hiding this comment.
This one would need updating to match the variable change
There was a problem hiding this comment.
updated and reran tests
--- PASS: TestExamplesComplete (61.73s)
--- PASS: TestExamplesCustom (62.47s)
--- PASS: TestExamplesVPC (87.75s)
PASS
ok github.com/cloudposse/terraform-aws-codebuild 88.190s
examples/custom/main.tf
Outdated
| cache_type = var.cache_type | ||
|
|
||
| default_permissions_enabled = var.default_permissions_enabled | ||
| custom_policy = [jsonencode(var.custom_policy)] |
the default permissions are good for getting up and running, however, they are far more permissive than any least privileged policy would like, being `*` for all resources for anything in the default list + any and all additional_permissions. this allows users to still utilize the quick up and running policy, while also being able to disable it and replace it with a least privileged custom policy. the lifecycle rule ensure that users don't get confused by additional permissions and custom policy variables, failing on a plan if they attempt to use additional_permissions with default_permissions_enabled set to `false`.
bt-macole
force-pushed
the
add-custom-policy-support
branch
from
534dc45 to
98576ab
Compare
bt-macole
changed the title
bt-macole
changed the title
|
I think you'll need to re-run |
```terraform --- PASS: TestExamplesCustom (62.77s) --- PASS: TestExamplesComplete (62.87s) --- PASS: TestExamplesVPC (78.32s) PASS ok github.com/cloudposse/terraform-aws-codebuild 78.790s ```
bt-macole
force-pushed
the
add-custom-policy-support
branch
from
98576ab to
a2a68a6
Compare
hehe my bad! too used to precommit running terraform fmt and terraform-docs in our repo 🤦 |
|
/terratest |
|
Thanks @bt-macole we got there! |
what
Updated trust policy so only the codebuild project in this module can use the iam role.
Added ability to toggle on/off default permissions
Added support for attaching a custom policy
why
fe75886
9f0163f
Test Output:
references
resolves: #131