
v2.0.2

Latest
@github-actions github-actions released this 23 Feb 00:52
· 18 commits to main since this release
20c1b29

🚀 Enhancements

feat: custom policy + hardened trust relationship @bt-macole (#132)

what

Updated trust policy so only the codebuild project in this module can use the iam role.
Added ability to toggle on/off default permissions
Added support for attaching a custom policy

Fully backward compatible

why

fe75886

adding a condition on the trust policy for the codebuild project arn ensures
the iam role cannot be used by any other codebuild project.

codebuild projects could be extremely permissive, even when least privileged,
so enforcing that the role can only be used by the intended codebuild project
limits the ability of a threat actor to quietly take control of a powerful
role and do threat actory things.

9f0163f

the default permissions are good for getting up and running, however, they are far more
permissive than any least privileged policy would like, being `*` for all resources for
anything in the default list + any and all additional_permissions.

this allows users to still utilize the quick up and running policy, while also being able
to disable it and replace it with a least privileged custom policy.

the lifecycle rule ensures that users don't get confused by the additional permissions and custom
policy variables, failing on a plan if they attempt to use additional_permissions with
default_permissions_enabled set to `false`.

Test Output:

    --- PASS: TestExamplesCustom (62.77s)
    --- PASS: TestExamplesComplete (62.87s)
    --- PASS: TestExamplesVPC (78.32s)
    PASS
    ok      github.com/cloudposse/terraform-aws-codebuild   78.790s

references

resolves: #131
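As an added example (not the module's own code), a Python audit of the trust relationship hardening described above: the permissive "before" trust policy beside one pinned to a single CodeBuild project ARN, plus a check a reviewer can run over an existing role's trust document to confirm it is pinned and not wildcarded. The aws:SourceArn / aws:SourceAccount condition keys, the project ARN and the function names are assumptions for this example, not taken from the module.

```python
# Assumption: aws:SourceArn / aws:SourceAccount are the AWS-documented
# confused-deputy condition keys for service principals; the module may
# express the restriction differently.
PROJECT_ARN = "arn:aws:codebuild:us-east-1:123456789012:project/example"  # constructed

# "Before": any CodeBuild project in any account may assume the role.
LEGACY_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"Service": "codebuild.amazonaws.com"}}]}

def hardened_trust_policy(project_arn: str) -> dict:
    """Trust policy that only the named project (in its account) can use."""
    account_id = project_arn.split(":")[4]
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "codebuild.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "ArnEquals": {"aws:SourceArn": project_arn},
            "StringEquals": {"aws:SourceAccount": account_id},
        },
    }]}

def _as_list(value):
    # IAM allows scalar-or-list for most fields; normalise to a list.
    return [value] if isinstance(value, str) else list(value or [])

def assume_role_is_pinned(policy: dict, project_arn: str) -> bool:
    """True only if every Allow statement letting codebuild.amazonaws.com call
    sts:AssumeRole is conditioned on exactly project_arn (wildcards fail)."""
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    found = False
    for stmt in statements:
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or "codebuild.amazonaws.com" not in services:
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        found = True
        cond = stmt.get("Condition", {})
        arns = [v for op in ("ArnEquals", "ArnLike", "StringEquals")
                for v in _as_list(cond.get(op, {}).get("aws:SourceArn"))]
        if not arns or any(v != project_arn for v in arns):
            return False  # unconditioned or wildcard: other projects could assume it
    return found
```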