fix: DBTP-1694 - Fix policy issues (#316)

environment-pipelines/iam.tf

@@ -302,6 +302,16 @@ data "aws_iam_policy_document" "load_balancer" {
       ]
     }
   }
+
+  statement {
+    actions = [
+      "cloudfront:ListCachePolicies",
+      "cloudfront:GetCachePolicy"
+    ]
+    resources = [
+      "arn:aws:cloudfront::${data.aws_caller_identity.current.account_id}:cache-policy/*"
+    ]
+  }
 }
 
 resource "aws_iam_policy" "load_balancer" {
@@ -815,6 +825,98 @@ resource "aws_iam_policy" "opensearch" {
   policy      = data.aws_iam_policy_document.opensearch.json
 }
 
+data "aws_iam_policy_document" "origin_secret_rotate_access" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "lambda:GetPolicy",
+      "lambda:RemovePermission",
+      "lambda:DeleteFunction",
+      "lambda:TagResource",
+      "lambda:PutFunctionConcurrency",
+      "lambda:AddPermission"
+    ]
+    resources = [
+      for env in local.environment_config : "arn:aws:lambda:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:function:${var.application}-${env.name}-origin-secret-rotate"
+    ]
+  }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "lambda:GetLayerVersion"
+    ]
+    resources = [
+      "arn:aws:lambda:eu-west-2:763451185160:layer:python-requests:1"
+    ]
+  }
+
+  statement {
+    sid    = "WAFv2ReadAccess"
+    effect = "Allow"
+    actions = [
+      "wafv2:GetWebACL",
+      "wafv2:GetWebACLForResource",
+      "wafv2:ListTagsForResource",
+      "wafv2:DeleteWebACL",
+      "wafv2:CreateWebACL",
+      "wafv2:TagResource",
+      "wafv2:AssociateWebACL"
+    ]
+    resources = [
+      "arn:aws:wafv2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:regional/webacl/*/*"
+    ]
+  }
+
+  statement {
+    sid    = "WAFv2RuleSetAccess"
+    effect = "Allow"
+    actions = [
+      "wafv2:CreateWebACL"
+    ]
+    resources = [
+      "arn:aws:wafv2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:regional/managedruleset/*/*"
+    ]
+  }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "secretsmanager:DescribeSecret",
+      "secretsmanager:GetSecretValue",
+      "secretsmanager:GetResourcePolicy",
+      "secretsmanager:DeleteResourcePolicy",
+      "secretsmanager:CancelRotateSecret",
+      "secretsmanager:DeleteSecret",
+      "secretsmanager:CreateSecret",
+      "secretsmanager:TagResource",
+      "secretsmanager:PutResourcePolicy",
+      "secretsmanager:PutSecretValue",
+      "secretsmanager:RotateSecret"
+    ]
+    resources = [
+      for env in local.environment_config : "arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:${var.application}-${env.name}-origin-verify-header-secret-*"
+    ]
+  }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "iam:TagRole"
+    ]
+    resources = [
+      for env in local.environment_config : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.application}-${env.name}-origin-secret-rotate-role"
+    ]
+  }
+}
+
+resource "aws_iam_policy" "origin_secret_rotate_access" {
+  name        = "${var.application}-${var.pipeline_name}-pipeline-origin-secret-rotate-access"
+  path        = "/${var.application}/codebuild/"
+  description = "Allow ${var.application} codebuild job to access lambda resources"
+  policy      = data.aws_iam_policy_document.origin_secret_rotate_access.json
+}
+
 # Policies for AWS Copilot
 data "aws_iam_policy_document" "copilot_assume_role" {
   dynamic "statement" {
@@ -1010,25 +1112,6 @@ resource "aws_iam_policy" "codepipeline" {
   policy      = data.aws_iam_policy_document.codepipeline.json
 }
 
-data "aws_iam_policy_document" "cloudfront" {
-  statement {
-    actions = [
-      "cloudfront:ListCachePolicies",
-      "cloudfront:GetCachePolicy"
-    ]
-    resources = [
-      "arn:aws:cloudfront::${data.aws_caller_identity.current.account_id}:cache-policy/*"
-    ]
-  }
-}
-
-resource "aws_iam_policy" "cloudfront" {
-  name        = "${var.application}-${var.pipeline_name}-pipeline-cloudfront"
-  path        = "/${var.application}/codebuild/"
-  description = "Allow ${var.application} codebuild job access to cloudfront cache policies"
-  policy      = data.aws_iam_policy_document.cloudfront.json
-}
-
 # Roles
 resource "aws_iam_role" "environment_pipeline_codepipeline" {
   name               = "${var.application}-${var.pipeline_name}-environment-pipeline-codepipeline"
@@ -1052,11 +1135,6 @@ resource "aws_iam_role_policy_attachment" "attach_cloudformation_policy" {
   policy_arn = aws_iam_policy.cloudformation.arn
 }
 
-resource "aws_iam_role_policy_attachment" "attach_cloudfront_policy" {
-  role       = aws_iam_role.environment_pipeline_codebuild.name
-  policy_arn = aws_iam_policy.cloudfront.arn
-}
-
 resource "aws_iam_role_policy_attachment" "attach_codepipeline_policy" {
   role       = aws_iam_role.environment_pipeline_codebuild.name
   policy_arn = aws_iam_policy.codepipeline.arn
@@ -1067,110 +1145,6 @@ resource "aws_iam_role_policy_attachment" "attach_redis_policy" {
   policy_arn = aws_iam_policy.redis.arn
 }
 
-data "aws_iam_policy_document" "lambda_policy_access" {
-
-  dynamic "statement" {
-    for_each = local.environment_config
-    content {
-      sid    = "LambdaPolicyAccess"
-      effect = "Allow"
-      actions = [
-        "lambda:GetPolicy",
-        "lambda:RemovePermission",
-        "lambda:DeleteFunction",
-        "lambda:TagResource",
-        "lambda:PutFunctionConcurrency",
-        "lambda:AddPermission"
-      ]
-      resources = [
-        "arn:aws:lambda:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:function:${var.application}-${statement.value.name}-origin-secret-rotate"
-      ]
-    }
-  }
-
-  statement {
-    sid    = "LambdaLayerAccess"
-    effect = "Allow"
-    actions = [
-      "lambda:GetLayerVersion"
-    ]
-    resources = [
-      "arn:aws:lambda:eu-west-2:763451185160:layer:python-requests:1"
-    ]
-  }
-}
-
-data "aws_iam_policy_document" "wafv2_read_access" {
-  statement {
-    sid    = "WAFv2ReadAccess"
-    effect = "Allow"
-    actions = [
-      "wafv2:GetWebACL",
-      "wafv2:GetWebACLForResource",
-      "wafv2:ListTagsForResource",
-      "wafv2:DeleteWebACL",
-      "wafv2:CreateWebACL",
-      "wafv2:TagResource",
-      "wafv2:AssociateWebACL"
-    ]
-    resources = [
-      "arn:aws:wafv2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:regional/webacl/*/*"
-    ]
-  }
-  statement {
-    sid    = "WAFv2RuleSetAccess"
-    effect = "Allow"
-    actions = [
-      "wafv2:CreateWebACL"
-    ]
-    resources = [
-      "arn:aws:wafv2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:regional/managedruleset/*/*"
-    ]
-  }
-}
-
-data "aws_iam_policy_document" "secret_manager_read_access" {
-  dynamic "statement" {
-    for_each = local.environment_config
-    content {
-      sid    = "SecretManagerReadAccess"
-      effect = "Allow"
-      actions = [
-        "secretsmanager:DescribeSecret",
-        "secretsmanager:GetSecretValue",
-        "secretsmanager:GetResourcePolicy",
-        "secretsmanager:DeleteResourcePolicy",
-        "secretsmanager:CancelRotateSecret",
-        "secretsmanager:DeleteSecret",
-        "secretsmanager:CreateSecret",
-        "secretsmanager:TagResource",
-        "secretsmanager:PutResourcePolicy",
-        "secretsmanager:PutSecretValue",
-        "secretsmanager:RotateSecret"
-      ]
-      resources = [
-        "arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:${var.application}-${statement.value.name}-origin-verify-header-secret-*"
-      ]
-    }
-  }
-}
-
-data "aws_iam_policy_document" "origin_secret_rotation_role_access" {
-  dynamic "statement" {
-    for_each = local.environment_config
-    content {
-      sid    = "OriginSecretRotationRoleAccess"
-      effect = "Allow"
-      actions = [
-        "iam:TagRole"
-      ]
-      resources = [
-        "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.application}-${statement.value.name}-origin-secret-rotate-role"
-      ]
-    }
-  }
-}
-
 resource "aws_iam_role_policy_attachment" "attach_postgres_policy" {
   role       = aws_iam_role.environment_pipeline_codebuild.name
   policy_arn = aws_iam_policy.postgres.arn
@@ -1196,31 +1170,12 @@ resource "aws_iam_role_policy_attachment" "attach_ecs_policy" {
   policy_arn = aws_iam_policy.ecs.arn
 }
 
-# Inline policies
-resource "aws_iam_role_policy" "lambda_policy_access_for_environment_codebuild" {
-  name   = "${var.application}-${var.pipeline_name}-lambda-policy-access-for-environment-codebuild"
-  role   = aws_iam_role.environment_pipeline_codebuild.name
-  policy = data.aws_iam_policy_document.lambda_policy_access.json
-}
-
-resource "aws_iam_role_policy" "wafv2_read_access_for_environment_codebuild" {
-  name   = "${var.application}-${var.pipeline_name}-waf2-read-access-for-environment-codebuild"
-  role   = aws_iam_role.environment_pipeline_codebuild.name
-  policy = data.aws_iam_policy_document.wafv2_read_access.json
-}
-
-resource "aws_iam_role_policy" "secret_manager_read_access_for_environment_codebuild" {
-  name   = "${var.application}-${var.pipeline_name}-secret-manager-read-access-for-environment-codebuild"
-  role   = aws_iam_role.environment_pipeline_codebuild.name
-  policy = data.aws_iam_policy_document.secret_manager_read_access.json
-}
-
-resource "aws_iam_role_policy" "origin_secret_rotation_role_access_for_environment_codebuild" {
-  name   = "${var.application}-${var.pipeline_name}-origin-secret-rotation-role-access-for-environment-codebuild"
-  role   = aws_iam_role.environment_pipeline_codebuild.name
-  policy = data.aws_iam_policy_document.origin_secret_rotation_role_access.json
+resource "aws_iam_role_policy_attachment" "attach_origin_secret_rotate_policy" {
+  role       = aws_iam_role.environment_pipeline_codebuild.name
+  policy_arn = aws_iam_policy.origin_secret_rotate_access.arn
 }
 
+# Inline policies
 resource "aws_iam_role_policy" "artifact_store_access_for_environment_codepipeline" {
   name   = "${var.application}-${var.pipeline_name}-artifact-store-access-for-environment-codepipeline"
   role   = aws_iam_role.environment_pipeline_codepipeline.name

environment-pipelines/tests/unit.tftest.hcl

@@ -203,13 +203,6 @@ override_data {
   }
 }
 
-override_data {
-  target = data.aws_iam_policy_document.cloudfront
-  values = {
-    json = "{\"Sid\": \"Cloudfront\"}"
-  }
-}
-
 override_data {
   target = data.aws_ssm_parameter.log-destination-arn
   values = {
@@ -218,30 +211,9 @@ override_data {
 }
 
 override_data {
-  target = data.aws_iam_policy_document.lambda_policy_access
-  values = {
-    json = "{\"Sid\": \"LambdaPolicyAccess\"}"
-  }
-}
-
-override_data {
-  target = data.aws_iam_policy_document.wafv2_read_access
-  values = {
-    json = "{\"Sid\": \"WAFv2ReadAccess\"}"
-  }
-}
-
-override_data {
-  target = data.aws_iam_policy_document.secret_manager_read_access
-  values = {
-    json = "{\"Sid\": \"SecretManagerReadAccess\"}"
-  }
-}
-
-override_data {
-  target = data.aws_iam_policy_document.origin_secret_rotation_role_access
+  target = data.aws_iam_policy_document.origin_secret_rotate_access
   values = {
-    json = "{\"Sid\": \"SecretRotationRolePolicy\"}"
+    json = "{\"Sid\": \"OriginSecretRotateAccess\"}"
   }
 }