From 1f8beb63fc16688c070d0bf85d0310612d0589a9 Mon Sep 17 00:00:00 2001
From: Massimiliano Giovagnoli
Date: Thu, 21 Mar 2024 17:25:53 +0100
Subject: [PATCH] feat(iam): add infra reader role for gha oidc
Signed-off-by: Massimiliano Giovagnoli
---
 config/clusters/iam.tf | 520 ++++++++++++++++++++++++++++++++++++++---
 1 file changed, 489 insertions(+), 31 deletions(-)
diff --git a/config/clusters/iam.tf b/config/clusters/iam.tf
index 442835de12..495ad5a40d 100644
--- a/config/clusters/iam.tf
+++ b/config/clusters/iam.tf
@@ -143,16 +143,16 @@ data "aws_iam_policy_document" "driverkit_s3_access" {
 # GHA OIDC Provider, required to integrate with any GHA workflow
 module "iam_github_oidc_provider" {
- source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-provider"
- version = "5.10.0"
+ source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-provider"
+ version = "5.10.0"
 }
 # Rules repository
 module "rules_s3_role" {
- source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
+ source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
 version = "5.10.0"
- create = true
+ create = true
 subjects = [
 "falcosecurity/rules:ref:refs/heads/main",
 "falcosecurity/rules:ref:refs/tags/*"
@@ -189,10 +189,10 @@ data "aws_iam_policy_document" "rules_s3_access" {
 # Plugins repository
 module "plugins_s3_role" {
- source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
+ source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
 version = "5.10.0"
- name = "github_actions-plugins-s3"
- create = true
+ name = "github_actions-plugins-s3"
+ create = true
 subjects = [
 "falcosecurity/plugins:ref:refs/heads/master",
 "falcosecurity/plugins:ref:refs/tags/*"
@@ -229,10 +229,10 @@ data "aws_iam_policy_document" "plugins_s3_access" {
 # Test-infra repository
 module "test-infra_cluster_role" {
- source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
+ source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
 version = "5.10.0"
- name = "github_actions-test-infra-cluster"
- create = true
+ name = "github_actions-test-infra-cluster"
+ create = true
 subjects = [
 "falcosecurity/test-infra:ref:refs/heads/master"
 ]
@@ -260,11 +260,24 @@ data "aws_iam_policy_document" "test-infra_cluster_access" {
 }
 }
+module "test-infra_reader" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
+ version = "5.10.0"
+ name = "github_actions-test-infra-reader"
+ create = true
+ subjects = [
+ "falcosecurity/test-infra:ref:refs/heads/*"
+ ]
+ policies = {
+ test-infra_read_access = "arn:aws:iam::aws:policy/ReadOnlyAccess"
+ }
+}
+
 module "test-infra_s3_role" {
- source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
+ source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
 version = "5.10.0"
- name = "github_actions-test-infra-s3"
- create = true
+ name = "github_actions-test-infra-s3"
+ create = true
 subjects = [
 "falcosecurity/test-infra:ref:refs/heads/master"
 ]
@@ -300,10 +313,10 @@ data "aws_iam_policy_document" "test-infra_s3_access" {
 # Falco repository (dev packages)
 module "falco_dev_s3_role" {
- source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
+ source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
 version = "5.10.0"
- name = "github_actions-falco-dev-s3"
- create = true
+ name = "github_actions-falco-dev-s3"
+ create = true
 subjects = [
 "falcosecurity/falco:ref:refs/heads/master",
 "falcosecurity/falco:ref:refs/tags/*"
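Review bot: The new `test-infra_reader` role pairs a wildcard subject, `"falcosecurity/test-infra:ref:refs/heads/*"`, with the AWS managed `ReadOnlyAccess` policy, so a workflow on any branch pushed to the repository (not fork pull requests, whose subject is `...:pull_request` and does not match) can mint credentials that read data rather than only metadata across the whole account — `ReadOnlyAccess` carries `s3:Get*`, which presumably reaches this repository's Terraform state bucket if it lives in this account. Every other role in this file pins its subjects to `master`/`main` or release tags and attaches a policy scoped to named resources, and this one should follow that pattern. If the intent is a read-only `terraform plan` on branches, attach an `aws_iam_policy_document` listing the Describe/List/Get actions plan actually needs, or at minimum `"arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"`, and consider an `environment:` subject with required reviewers instead of `refs/heads/*`. A header comment above the module naming the workflow that assumes it, matching the `# Test-infra repository` comments on the neighbouring modules, would also tell the next reviewer why the wider subject is needed.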
@@ -350,10 +363,10 @@ data "aws_iam_policy_document" "falco_dev_s3_access" {
 # Falco repository (releases)
 module "falco_s3_role" {
- source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
+ source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
 version = "5.10.0"
- name = "github_actions-falco-s3"
- create = true
+ name = "github_actions-falco-s3"
+ create = true
 subjects = [
 "falcosecurity/falco:ref:refs/tags/*"
 ]
@@ -402,7 +415,7 @@ module "falco_ecr_role" {
 source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
 name = "github_actions-falco-ecr"
 version = "5.10.0"
- create = true
+ create = true
 subjects = [
 "falcosecurity/falco:ref:refs/heads/master",
 "falcosecurity/falco:ref:refs/tags/*"
@@ -441,7 +454,7 @@ data "aws_iam_policy_document" "falco_ecr_access" {
 ]
 }
 statement {
- sid = "BuildFalcoECRTokenAccess"
+ sid = "BuildFalcoECRTokenAccess"
 effect = "Allow"
 actions = [
 "ecr-public:GetAuthorizationToken",
@@ -457,7 +470,7 @@ module "falcosidekick_ecr_role" {
 source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
 name = "github_actions-falcosidekick-ecr"
 version = "5.10.0"
- create = true
+ create = true
 subjects = [
 "falcosecurity/falcosidekick:ref:refs/heads/master",
 "falcosecurity/falcosidekick:ref:refs/tags/*"
@@ -492,7 +505,7 @@ data "aws_iam_policy_document" "falcosidekick_ecr_access" {
 ]
 }
 statement {
- sid = "BuildFalcosidekickECRTokenAccess"
+ sid = "BuildFalcosidekickECRTokenAccess"
 effect = "Allow"
 actions = [
 "ecr-public:GetAuthorizationToken",
@@ -508,7 +521,7 @@ module "falcosidekick_ui_ecr_role" {
 source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
 name = "github_actions-falcosidekick-ui-ecr"
 version = "5.10.0"
- create = true
+ create = true
 subjects = [
 "falcosecurity/falcosidekick-ui:ref:refs/heads/master",
 "falcosecurity/falcosidekick-ui:ref:refs/tags/*"
@@ -543,7 +556,7 @@ data "aws_iam_policy_document" "falcosidekick_ui_ecr_access" {
 ]
 }
 statement {
- sid = "BuildFalcosidekickUIECRTokenAccess"
+ sid = "BuildFalcosidekickUIECRTokenAccess"
 effect = "Allow"
 actions = [
 "ecr-public:GetAuthorizationToken",
@@ -559,7 +572,7 @@ module "falcoctl_ecr_role" {
 source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
 name = "github_actions-falcoctl-ecr"
 version = "5.10.0"
- create = true
+ create = true
 subjects = [
 "falcosecurity/falcoctl:ref:refs/heads/main",
 "falcosecurity/falcoctl:ref:refs/tags/*"
@@ -594,7 +607,452 @@ data "aws_iam_policy_document" "falcoctl_ecr_access" {
 ]
 }
 statement {
- sid = "BuildFalcoctlECRTokenAccess"
+ sid = "BuildFalcoctlECRTokenAccess"
+ effect = "Allow"
+ actions = [
+ "ecr-public:GetAuthorizationToken",
+ "sts:GetServiceBearerToken"
+ ]
+ resources = ["*"]
+ }
+}
+
+##### AWS LoadBalancer Controller
+
+module "load_balancer_controller" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+ version = "4.1.0"
+ create_role = true
+ role_name = "${local.cluster_name}-loadbalancer-controller"
+ provider_url = replace(module.eks.cluster_oidc_issuer_url, "https://", "")
+ role_policy_arns = [aws_iam_policy.loadbalancer_controller.arn]
+ oidc_fully_qualified_subjects = [
+ "system:serviceaccount:kube-system:aws-load-balancer-controller",
+ ]
+}
+
+resource "aws_iam_policy" "loadbalancer_controller" {
+ name_prefix = "${local.cluster_name}-lb-controller"
+ description = "EKS loadbalancer controller policy for cluster ${module.eks.cluster_id}"
+ policy = data.aws_iam_policy_document.loadbalancer_controller.json
+}
+
+data "aws_iam_policy_document" "loadbalancer_controller" {
+ statement {
+ sid = "loadbalancercontroller"
+ effect = "Allow"
+
+ actions = [
+ "iam:CreateServiceLinkedRole",
+ "ec2:DescribeAccountAttributes",
+ "ec2:DescribeAddresses",
+ "ec2:DescribeInternetGateways",
+ "ec2:DescribeVpcs",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeInstances",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DescribeTags",
+ "elasticloadbalancing:DescribeLoadBalancers",
+ "elasticloadbalancing:DescribeLoadBalancerAttributes",
+ "elasticloadbalancing:DescribeListeners",
+ "elasticloadbalancing:DescribeListenerCertificates",
+ "elasticloadbalancing:DescribeSSLPolicies",
+ "elasticloadbalancing:DescribeRules",
+ "elasticloadbalancing:DescribeTargetGroups",
+ "elasticloadbalancing:DescribeTargetGroupAttributes",
+ "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:DescribeTags",
+ "cognito-idp:DescribeUserPoolClient",
+ "acm:ListCertificates",
+ "acm:DescribeCertificate",
+ "iam:ListServerCertificates",
+ "iam:GetServerCertificate",
+ "waf-regional:GetWebACL",
+ "waf-regional:GetWebACLForResource",
+ "waf-regional:AssociateWebACL",
+ "waf-regional:DisassociateWebACL",
+ "wafv2:GetWebACL",
+ "wafv2:GetWebACLForResource",
+ "wafv2:AssociateWebACL",
+ "wafv2:DisassociateWebACL",
+ "shield:GetSubscriptionState",
+ "shield:DescribeProtection",
+ "shield:CreateProtection",
+ "shield:DeleteProtection",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:RevokeSecurityGroupIngress",
+ "ec2:CreateSecurityGroup",
+ "elasticloadbalancing:SetWebAcl",
+ "elasticloadbalancing:ModifyListener",
+ "elasticloadbalancing:AddListenerCertificates",
+ "elasticloadbalancing:RemoveListenerCertificates",
+ "elasticloadbalancing:ModifyRule",
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:CreateRule",
+ "elasticloadbalancing:DeleteRule",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:RemoveTags",
+ "ec2:CreateTags",
+ "ec2:DeleteTags",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:RevokeSecurityGroupIngress",
+ "ec2:DeleteSecurityGroup",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
+ "elasticloadbalancing:SetIpAddressType",
+ "elasticloadbalancing:SetSecurityGroups",
+ "elasticloadbalancing:SetSubnets",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:ModifyTargetGroupAttributes",
+ "elasticloadbalancing:DeleteTargetGroup",
+ "elasticloadbalancing:RegisterTargets",
+ "elasticloadbalancing:DeregisterTargets"
+ ]
+ resources = [
+ "*"
+ ]
+ }
+}
+
+module "test-infra_s3_role" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
+ version = "5.10.0"
+ name = "github_actions-test-infra-s3"
+ create = true
+ subjects = [
+ "falcosecurity/test-infra:ref:refs/heads/master"
+ ]
+ policies = {
+ test-infra_s3_access = "${aws_iam_policy.test-infra_s3_access.arn}"
+ }
+}
+
+resource "aws_iam_policy" "test-infra_s3_access" {
+ name_prefix = "github_actions-test-infra-s3"
+ description = "GitHub actions S3 access policy for test-infra update-drivers-website workflow"
+ policy = data.aws_iam_policy_document.test-infra_s3_access.json
+}
+
+data "aws_iam_policy_document" "test-infra_s3_access" {
+ statement {
+ sid = "UploadTestInfraS3Access"
+ effect = "Allow"
+ actions = [
+ "s3:PutObject",
+ "s3:GetObjectAcl",
+ "s3:GetObject",
+ "s3:DeleteObject",
+ "s3:PutObjectAcl"
+ ]
+ resources = [
+ "arn:aws:s3:::falco-distribution/driver/site/*",
+ "arn:aws:s3:::falco-distribution/driver/site",
+ ]
+ }
+}
+
+# Falco repository (dev packages)
+
+module "falco_dev_s3_role" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
+ version = "5.10.0"
+ name = "github_actions-falco-dev-s3"
+ create = true
+ subjects = [
+ "falcosecurity/falco:ref:refs/heads/master",
+ "falcosecurity/falco:ref:refs/tags/*"
+ ]
+ policies = {
+ falco_s3_access = "${aws_iam_policy.falco_dev_s3_access.arn}"
+ }
+}
+
+resource "aws_iam_policy" "falco_dev_s3_access" {
+ name_prefix = "github_actions-falco-dev-s3"
+ description = "GitHub actions S3 access policy for falco repo dev workflows"
+ policy = data.aws_iam_policy_document.falco_dev_s3_access.json
+}
+
+data "aws_iam_policy_document" "falco_dev_s3_access" {
+ statement {
+ sid = "UploadFalcoDevS3Access"
+ effect = "Allow"
+ actions = [
+ "s3:PutObject",
+ "s3:GetObjectAcl",
+ "s3:GetObject",
+ "s3:DeleteObject",
+ "s3:PutObjectAcl"
+ ]
+ resources = [
+ "arn:aws:s3:::falco-distribution/packages/*-dev/*",
+ "arn:aws:s3:::falco-distribution/packages/*-dev/",
+ ]
+ }
+ statement {
+ sid = "BuildFalcoDevCloudFrontAccess"
+ effect = "Allow"
+ actions = [
+ "cloudfront:CreateInvalidation"
+ ]
+ resources = [
+ "arn:aws:cloudfront::292999226676:distribution/E1CQNPFWRXLGQD"
+ ]
+ }
+}
+
+# Falco repository (releases)
+
+module "falco_s3_role" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
+ version = "5.10.0"
+ name = "github_actions-falco-s3"
+ create = true
+ subjects = [
+ "falcosecurity/falco:ref:refs/tags/*"
+ ]
+ policies = {
+ falco_s3_access = "${aws_iam_policy.falco_s3_access.arn}"
+ }
+}
+
+resource "aws_iam_policy" "falco_s3_access" {
+ name_prefix = "github_actions-falco-s3"
+ description = "GitHub actions S3 access policy for falco repo workflows"
+ policy = data.aws_iam_policy_document.falco_s3_access.json
+}
+
+data "aws_iam_policy_document" "falco_s3_access" {
+ statement {
+ sid = "UploadFalcoS3Access"
+ effect = "Allow"
+ actions = [
+ "s3:PutObject",
+ "s3:GetObjectAcl",
+ "s3:GetObject",
+ "s3:DeleteObject",
+ "s3:PutObjectAcl"
+ ]
+ resources = [
+ "arn:aws:s3:::falco-distribution/packages/*",
+ "arn:aws:s3:::falco-distribution/packages/",
+ ]
+ }
+ statement {
+ sid = "BuildFalcoCloudFrontAccess"
+ effect = "Allow"
+ actions = [
+ "cloudfront:CreateInvalidation"
+ ]
+ resources = [
+ "arn:aws:cloudfront::292999226676:distribution/E1CQNPFWRXLGQD"
+ ]
+ }
+}
+
+# Falco repository (ECR)
+
+module "falco_ecr_role" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
+ name = "github_actions-falco-ecr"
+ version = "5.10.0"
+ create = true
+ subjects = [
+ "falcosecurity/falco:ref:refs/heads/master",
+ "falcosecurity/falco:ref:refs/tags/*"
+ ]
+ policies = {
+ falco_ecr_access = "${aws_iam_policy.falco_ecr_access.arn}"
+ }
+}
+
+resource "aws_iam_policy" "falco_ecr_access" {
+ name_prefix = "github_actions-falco-ecr"
+ description = "GitHub actions ECR access policy for falco"
+ policy = data.aws_iam_policy_document.falco_ecr_access.json
+}
+
+data "aws_iam_policy_document" "falco_ecr_access" {
+ statement {
+ sid = "BuildFalcoECRAccess"
+ effect = "Allow"
+ actions = [
+ "ecr-public:BatchCheckLayerAvailability",
+ "ecr-public:GetRepositoryPolicy",
+ "ecr-public:DescribeRepositories",
+ "ecr-public:DescribeImages",
+ "ecr-public:InitiateLayerUpload",
+ "ecr-public:UploadLayerPart",
+ "ecr-public:CompleteLayerUpload",
+ "ecr-public:PutImage"
+ ]
+ resources = [
+ "arn:aws:ecr-public::292999226676:repository/falco",
+ "arn:aws:ecr-public::292999226676:repository/falco-driver-loader",
+ "arn:aws:ecr-public::292999226676:repository/falco-no-driver",
+ "arn:aws:ecr-public::292999226676:repository/falco-driver-loader-legacy",
+ "arn:aws:ecr-public::292999226676:repository/falco-distroless"
+ ]
+ }
+ statement {
+ sid = "BuildFalcoECRTokenAccess"
+ effect = "Allow"
+ actions = [
+ "ecr-public:GetAuthorizationToken",
+ "sts:GetServiceBearerToken"
+ ]
+ resources = ["*"]
+ }
+}
+
+# Falcosidekick repository
+
+module "falcosidekick_ecr_role" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
+ name = "github_actions-falcosidekick-ecr"
+ version = "5.10.0"
+ create = true
+ subjects = [
+ "falcosecurity/falcosidekick:ref:refs/heads/master",
+ "falcosecurity/falcosidekick:ref:refs/tags/*"
+ ]
+ policies = {
+ falcosidekick_ecr_access = "${aws_iam_policy.falcosidekick_ecr_access.arn}"
+ }
+}
+
+resource "aws_iam_policy" "falcosidekick_ecr_access" {
+ name_prefix = "github_actions-falcosidekick-ecr"
+ description = "GitHub actions ECR access policy for falcosidekick"
+ policy = data.aws_iam_policy_document.falcosidekick_ecr_access.json
+}
+
+data "aws_iam_policy_document" "falcosidekick_ecr_access" {
+ statement {
+ sid = "BuildFalcosidekickECRAccess"
+ effect = "Allow"
+ actions = [
+ "ecr-public:BatchCheckLayerAvailability",
+ "ecr-public:GetRepositoryPolicy",
+ "ecr-public:DescribeRepositories",
+ "ecr-public:DescribeImages",
+ "ecr-public:InitiateLayerUpload",
+ "ecr-public:UploadLayerPart",
+ "ecr-public:CompleteLayerUpload",
+ "ecr-public:PutImage"
+ ]
+ resources = [
+ "arn:aws:ecr-public::292999226676:repository/falcosidekick"
+ ]
+ }
+ statement {
+ sid = "BuildFalcosidekickECRTokenAccess"
+ effect = "Allow"
+ actions = [
+ "ecr-public:GetAuthorizationToken",
+ "sts:GetServiceBearerToken"
+ ]
+ resources = ["*"]
+ }
+}
+
+# Falcosidekick-UI repository
+
+module "falcosidekick_ui_ecr_role" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
+ name = "github_actions-falcosidekick-ui-ecr"
+ version = "5.10.0"
+ create = true
+ subjects = [
+ "falcosecurity/falcosidekick-ui:ref:refs/heads/master",
+ "falcosecurity/falcosidekick-ui:ref:refs/tags/*"
+ ]
+ policies = {
+ falcosidekick_ui_ecr_access = "${aws_iam_policy.falcosidekick_ui_ecr_access.arn}"
+ }
+}
+
+resource "aws_iam_policy" "falcosidekick_ui_ecr_access" {
+ name_prefix = "github_actions-falcosidekick-ui-ecr"
+ description = "GitHub actions ECR access policy for falcosidekick-ui"
+ policy = data.aws_iam_policy_document.falcosidekick_ui_ecr_access.json
+}
+
+data "aws_iam_policy_document" "falcosidekick_ui_ecr_access" {
+ statement {
+ sid = "BuildFalcosidekickUIECRAccess"
+ effect = "Allow"
+ actions = [
+ "ecr-public:BatchCheckLayerAvailability",
+ "ecr-public:GetRepositoryPolicy",
+ "ecr-public:DescribeRepositories",
+ "ecr-public:DescribeImages",
+ "ecr-public:InitiateLayerUpload",
+ "ecr-public:UploadLayerPart",
+ "ecr-public:CompleteLayerUpload",
+ "ecr-public:PutImage"
+ ]
+ resources = [
+ "arn:aws:ecr-public::292999226676:repository/falcosidekick-ui"
+ ]
+ }
+ statement {
+ sid = "BuildFalcosidekickUIECRTokenAccess"
+ effect = "Allow"
+ actions = [
+ "ecr-public:GetAuthorizationToken",
+ "sts:GetServiceBearerToken"
+ ]
+ resources = ["*"]
+ }
+}
+
+# Falcoctl repository
+
+module "falcoctl_ecr_role" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
+ name = "github_actions-falcoctl-ecr"
+ version = "5.10.0"
+ create = true
+ subjects = [
+ "falcosecurity/falcoctl:ref:refs/heads/main",
+ "falcosecurity/falcoctl:ref:refs/tags/*"
+ ]
+ policies = {
+ falcoctl_ecr_access = "${aws_iam_policy.falcoctl_ecr_access.arn}"
+ }
+}
+
+resource "aws_iam_policy" "falcoctl_ecr_access" {
+ name_prefix = "github_actions-falcoctl-ecr"
+ description = "GitHub actions ECR access policy for falcoctl"
+ policy = data.aws_iam_policy_document.falcoctl_ecr_access.json
+}
+
+data "aws_iam_policy_document" "falcoctl_ecr_access" {
+ statement {
+ sid = "BuildFalcoctlECRAccess"
+ effect = "Allow"
+ actions = [
+ "ecr-public:BatchCheckLayerAvailability",
+ "ecr-public:GetRepositoryPolicy",
+ "ecr-public:DescribeRepositories",
+ "ecr-public:DescribeImages",
+ "ecr-public:InitiateLayerUpload",
+ "ecr-public:UploadLayerPart",
+ "ecr-public:CompleteLayerUpload",
+ "ecr-public:PutImage"
+ ]
+ resources = [
+ "arn:aws:ecr-public::292999226676:repository/falcoctl"
+ ]
+ }
+ statement {
+ sid = "BuildFalcoctlECRTokenAccess"
 effect = "Allow"
 actions = [
 "ecr-public:GetAuthorizationToken",
@@ -607,10 +1065,10 @@ data "aws_iam_policy_document" "falcoctl_ecr_access" {
 # falco-playground repository
 module "falco_playground_s3_role" {
- source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
+ source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
 version = "5.10.0"
- name = "github_actions-falco-playground-s3"
- create = true
+ name = "github_actions-falco-playground-s3"
+ create = true
 subjects = [
 "falcosecurity/falco-playground:ref:refs/tags/*"
 ]
@@ -642,7 +1100,7 @@ data "aws_iam_policy_document" "falco_playground_s3_access" {
 ]
 }
 statement {
- sid = "UploadFalcoPlaygroundS3BucketAccess"
+ sid = "UploadFalcoPlaygroundS3BucketAccess"
 effect = "Allow"
 actions = [
 "s3:ListBucket"
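Review bot: The 445 added lines of this hunk re-declare `module "test-infra_s3_role"`, `module "falco_dev_s3_role"`, `module "falco_s3_role"`, `module "falco_ecr_role"`, `module "falcosidekick_ecr_role"`, `module "falcosidekick_ui_ecr_role"` and `module "falcoctl_ecr_role"` together with their `aws_iam_policy` and `aws_iam_policy_document` pairs, while the earlier hunks of the same patch show those exact names still present above; Terraform will refuse the file with "Duplicate module call" / "Duplicate resource" / "Duplicate data" errors, and the 489-insertion diffstat on a commit titled "add infra reader role" reads like a pasted or mis-rebased block — everything after the `load_balancer_controller` policy document up to the second `data "aws_iam_policy_document" "falcoctl_ecr_access"` header should be dropped. The `load_balancer_controller` addition itself pins `iam-assumable-role-with-oidc` at `version = "4.1.0"` where every other module here is `5.10.0`, and references `module.eks` and `local.cluster_name`, which are not visible in this file and should be confirmed to exist. Its single statement also grants `iam:CreateServiceLinkedRole`, `ec2:CreateSecurityGroup`/`ec2:DeleteSecurityGroup` and every mutating `elasticloadbalancing:*` action on `resources = ["*"]` with no `condition`, and lists `ec2:AuthorizeSecurityGroupIngress` and `ec2:RevokeSecurityGroupIngress` twice; the upstream controller policy, as I recall it, restricts the service-linked-role creation to `iam:AWSServiceName = elasticloadbalancing.amazonaws.com` and the mutating calls to resources tagged `elbv2.k8s.aws/cluster`, so splitting the statement and adding those conditions would keep the least-privilege scoping the rest of this file practices. The enclosing `falcoctl_ecr_access` document's `BuildFalcoctlECRTokenAccess` statement continues past the end of the hunk.

```hcl
data "aws_iam_policy_document" "loadbalancer_controller" {
  # Service-linked role creation only for the ELB service itself.
  statement {
    sid       = "loadbalancercontrollerslr"
    effect    = "Allow"
    actions   = ["iam:CreateServiceLinkedRole"]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "iam:AWSServiceName"
      values   = ["elasticloadbalancing.amazonaws.com"]
    }
  }
  # … unchanged: read-only Describe/List/Get actions, minus iam:CreateServiceLinkedRole …
  # Mutating ELB/EC2 calls limited to resources the controller tagged as its own.
  statement {
    sid       = "loadbalancercontrollermutate"
    effect    = "Allow"
    actions   = [ /* … the elasticloadbalancing:* and ec2 security-group mutations from the original list, deduplicated … */ ]
    resources = ["*"]
    condition {
      test     = "Null"
      variable = "aws:ResourceTag/elbv2.k8s.aws/cluster"
      values   = ["false"]
    }
  }
}
```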