From 369152a59a3dd5c6797484f6386d9b75eb1de67f Mon Sep 17 00:00:00 2001
From: Massimiliano Giovagnoli
Date: Thu, 21 Mar 2024 18:49:58 +0100
Subject: [PATCH] fix(iam): add permissions to generate infra plan

Signed-off-by: Massimiliano Giovagnoli
---
 config/clusters/iam.tf | 23 ++++++++++++++++++++++-
 config/clusters/iam_variables.tf | 5 +++++
 2 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 config/clusters/iam_variables.tf

diff --git a/config/clusters/iam.tf b/config/clusters/iam.tf
index cf0b7e6201..c58f66e84d 100644
--- a/config/clusters/iam.tf
+++ b/config/clusters/iam.tf
@@ -266,10 +266,31 @@ module "test-infra_reader" {
 name = "github_actions-test-infra-reader"
 create = true
 subjects = [
- "falcosecurity/test-infra:ref:refs/heads/*"
+ "falcosecurity/test-infra:ref:*"
 ]
 policies = {
 test-infra_read_access = "arn:aws:iam::aws:policy/ReadOnlyAccess"
+ test-infra_state_lock = "${aws_iam_policy.test-infra_state_lock.arn}"
+ }
+}
+
+resource "aws_iam_policy" "test-infra_state_lock" {
+ name_prefix = "github_actions-test-infra-cluster"
+ description = "Access policy for test-infra Terraform remote state lock"
+ policy = data.aws_iam_policy_document.test-infra_state_lock.json
+}
+
+data "aws_iam_policy_document" "test-infra_state_lock" {
+ statement {
+ sid = "DeployTestInfraClusterAccess"
+ effect = "Allow"
+ actions = [
+ "dynamodb:PutItem",
+ "dynamodb:DeleteItem"
+ ]
+ resources = [
+ "arn:aws:dynamodb:::table/${var.state_dynamodb_table_name}"
+ ]
 }
 }
diff --git a/config/clusters/iam_variables.tf b/config/clusters/iam_variables.tf
new file mode 100644
index 0000000000..5d6043dc2f
--- /dev/null
+++ b/config/clusters/iam_variables.tf
@@ -0,0 +1,5 @@
+variable "state_dynamodb_table_name" {
+ type = string
+ description = "The name of the DynamoDB table for the Terraform state"
+ default = "falco-test-infra-state-lock"
+}
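Review bot: The resource ARN in the `test-infra_state_lock` policy document leaves the region and account-id fields empty (`arn:aws:dynamodb:::table/...`); a DynamoDB table ARN carries both, so as written the statement likely matches no table and the lock-table write access this commit intends to grant is not actually in effect. Build the ARN from the deploying region and account instead, for example `"arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/${var.state_dynamodb_table_name}"`, provided those data sources are declared elsewhere in the module (none is visible in this hunk). Separately, the subject condition is widened from `ref:refs/heads/*` to `ref:*`, which also admits tag refs as principals for this role; if that is intentional, a comment such as `# tag refs included so release workflows can plan` would record the decision next to the pattern. Minor style: `"${aws_iam_policy.test-infra_state_lock.arn}"` is an interpolation-only string and reads more plainly as `aws_iam_policy.test-infra_state_lock.arn`. The enclosing `module "test-infra_reader"` block opens before the hunk.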