
adjust oidc perms
alismx committed Jul 17, 2024
1 parent 0106221 commit 8ca2f59
Showing 2 changed files with 60 additions and 16 deletions.
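--- a/terraform/implementation/setup/iam.tf
+++ b/terraform/implementation/setup/iam.tf
@@ -29,22 +29,63 @@ data "aws_iam_policy_document" "github_assume_role" {
 # trivy:ignore:AVD-AWS-0057
 data "aws_iam_policy_document" "github" {
 statement {
-actions = [
-"appmesh:*",
-"dynamodb:*",
-"ec2:*",
-"ecr:*",
-"ecs:*",
-"elasticloadbalancing:*",
-"iam:*",
-"logs:*",
-"s3:*",
-"servicediscovery:*",
-"ecs:UpdateService",
-]
-resources = [
-"*"
-]
+actions = [
+"appmesh:DescribeMesh",
+"appmesh:ListTagsForResource",
+"appmesh:DescribeVirtualNode",
+"appmesh:DescribeVirtualService",
+"dynamodb:GetItem",
+"dynamodb:PutItem",
+"dynamodb:DeleteItem",
+"ec2:DescribeAddresses",
+"ec2:DescribeVpcs",
+"ec2:DescribeVpcAttribute",
+"ec2:DescribeSubnets",
+"ec2:DescribeRouteTables",
+"ec2:DescribeInternetGateways",
+"ec2:DescribeSecurityGroups",
+"ec2:DescribeNetworkAcls",
+"ec2:DescribeAddress",
+"ec2:DescribeSecurityGroupRules",
+"ec2:DescribeFlowLogs",
+"ec2:DescribeNatGateways",
+"ecr:GetAuthorizationToken",
+"ecr:DescribeRepositories",
+"ecr:ListTagsForResource",
+"ecs:DescribeClusters",
+"ecs:DescribeTaskDefinition",
+"ecs:DescribeServices",
+"ecs:UpdateService",
+"elasticloadbalancing:DescribeTargetGroups",
+"elasticloadbalancing:DescribeLoadBalancers",
+"elasticloadbalancing:DescribeTargetGroupAttributes",
+"elasticloadbalancing:DescribeLoadBalancerAttributes",
+"elasticloadbalancing:DescribeTags",
+"elasticloadbalancing:DescribeListeners",
+"elasticloadbalancing:DescribeRules",
+"iam:GetRole",
+"iam:GetPolicy",
+"iam:ListRolePolicies",
+"iam:GetPolicyVersion",
+"iam:ListAttachedRolePolicies",
+"logs:DescribeLogGroups",
+"logs:ListTagsLogGroup",
+"s3:listBucket",
+"s3:PutObject",
+"s3:PutObjectAcl",
+"s3:GetObject",
+"s3:GetObjectAcl",
+"s3:GetObjectAttributes",
+"servicediscovery:GetNamespace",
+"servicediscovery:ListTagsForResource",
+"servicediscovery:GetService",
+]
+resources = [
+"arn:aws:ecr:${var.region}:${data.aws_caller_identity.current.account_id}:repository*",
+"arn:aws:ecs:${var.region}:${data.aws_caller_identity.current.account_id}:cluster*",
+"arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group*",
+"arn:aws:appmesh:${var.region}:${data.aws_caller_identity.current.account_id}:mesh*"
+]
 }
 }
 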
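Review bot: Most of the newly enumerated actions can never match the new `resources` list, so the statement silently grants nothing for them: the four ARNs cover only ECR, ECS, CloudWatch Logs and App Mesh, while the actions list also names dynamodb, ec2, iam, s3, elasticloadbalancing and servicediscovery, and IAM only allows an action when its resource also matches. In particular the `ec2:Describe*`, `elasticloadbalancing:Describe*` and `ecr:GetAuthorizationToken` calls do not support resource-level permissions and need a statement with `resources = ["*"]`, and the dynamodb and s3 actions presumably target the state lock table and state bucket (`aws_dynamodb_table.tfstate_lock` and `aws_s3_bucket.tfstate`, referenced in main.tf in this commit) and should be scoped to their ARNs. Splitting the document into one statement per resource family keeps the least-privilege intent of the commit while leaving the role usable; a sketch follows. Two smaller items: `"s3:listBucket"` works because action matching is case-insensitive, but the documented name is `s3:ListBucket`, and `"ec2:DescribeAddress"` (the line after the network ACL entry) does not appear to be a documented EC2 action, with `ec2:DescribeAddresses` above already covering it — confirm against the service authorization reference before dropping it.
```hcl
data "aws_iam_policy_document" "github" {
  # Describe/list calls that IAM evaluates only against resource "*".
  statement {
    actions = [
      "ecr:GetAuthorizationToken",
      "ec2:DescribeVpcs",
      "elasticloadbalancing:DescribeLoadBalancers",
      # … unchanged: remaining ec2:Describe* / elasticloadbalancing:Describe* entries from the hunk …
    ]
    resources = ["*"]
  }

  # Terraform state backend, scoped to the lock table and the state bucket.
  statement {
    actions   = ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"]
    resources = [aws_dynamodb_table.tfstate_lock.arn]
  }
  statement {
    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.tfstate.arn]
  }
  statement {
    actions   = ["s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectAttributes", "s3:PutObject", "s3:PutObjectAcl"]
    resources = ["${aws_s3_bucket.tfstate.arn}/*"]
  }

  # … unchanged: the ECR/ECS/logs/appmesh statement from the hunk, minus the actions moved above;
  #    iam:* and servicediscovery:* likewise belong in statements naming their own role/policy/namespace ARNs …
}
```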
3 changes: 3 additions & 0 deletions terraform/implementation/setup/main.tf
Expand Up @@ -69,15 +69,18 @@ resource "local_file" "setup_env" {
BUCKET=${aws_s3_bucket.tfstate.bucket}
DYNAMODB_TABLE=${aws_dynamodb_table.tfstate_lock.id}
REGION=${var.region}
AWS_ROLE_ARN=${aws_iam_role.github.arn}
EOT
filename = ".env"
}

resource "local_file" "ecs_env" {
content = <<-EOT
WORKSPACE=${terraform.workspace}
BUCKET=${aws_s3_bucket.tfstate.bucket}
DYNAMODB_TABLE=${aws_dynamodb_table.tfstate_lock.id}
REGION=${var.region}
AWS_ROLE_ARN=${aws_iam_role.github.arn}
EOT
filename = "../ecs/.env"
}

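Review bot: The heredoc is now duplicated line for line between `setup_env` and `ecs_env`, so the two `AWS_ROLE_ARN=${aws_iam_role.github.arn}` additions are a reminder that every further variable has to be added twice; hoisting the content into a `locals` value and setting `content = local.env_file` in both resources removes the drift risk. Both files are also written with the provider's default `file_permission` (0777 for `local_file`); since they only hold non-secret identifiers this is cosmetic, but an explicit `file_permission = "0644"` documents that intent. The `setup_env` resource block begins before the hunk.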