TFC AWS permission updates required for cluster infrastructure #1020
Conversation
marcpomfret
force-pushed
the
marc/tfc-aws-iam-updates
branch
from
db2c8ed to
c1ec43d
Compare
marcpomfret
requested review from
theseanything,
sengi and
samsimpson1
and removed request for
theseanything
| "iam:PassRole" | ||
| "iam:CreateServiceLinkedRole" |
There was a problem hiding this comment.
mostly note to self: at some point in the near future we should get to the bottom of exactly when/whether PassRole and CreateServiceLinkedRole are needed 🙃 I'm fine with this for now though. (We'd need to spend a bunch of time painstakingly testing turnup-from-scratch in the test account and seeing which permissions it breaks without — and we've more impactful security improvements to make for now!)
There was a problem hiding this comment.
fwiw I'm pretty sure at least one of them is needed at cluster turnup. CreateServiceLinkedRole also definitely used to be, but I dunno if it still is (last time I ran the cluster turnup TF from scratch was about 3 EKS versions ago so who knows 😄)
There was a problem hiding this comment.
anyway def not a problem for right now :)
Updates needed to terraform-cloud-run policy to allow terraform cloud to deploy the cluster-infrastructure workspaces
Added the following to allow
acm
elasticfilesystem
secretsmanager
Provider removed from deny as need to access GetOpenIDConnectProvider
Consolidation of manual additions
apigateway & lambda had been added to Allow policy in production manually at the same time as the policy had been created but not reflected in the code here so have added those also and removed PassRole from Deny for the same reason.
https://trello.com/c/Xfn52Fg4/3322-automate-terraform-plan-review-apply-and-drift-detection-terraform-cloud