alphagov / govuk-infrastructure

Terraform turnup automation for the EKS Kubernetes clusters that host GOV.UK. See https://github.com/alphagov/govuk-helm-charts for application config.
MIT License

Explicitly list GH repos that can write to ECR. #1346

Closed sengi closed 2 months ago

sengi commented 2 months ago

We were using GitHub Topics (labels that can be applied to a repo) to determine which repos should be permitted to write to our ECR container registry.

Turns out this is inadequate, because anyone in the alphagov GitHub org who can create repos (roughly 700 people, most of whom don't work on the GOV.UK web CMS) can create a repo and set whatever topics they like on it, then get write access to our private ECR.

For now, let's just go back to maintaining a list of authorised repos. That shouldn't be too toily in the short term, since we don't create new repos all that often.
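To make the trust-boundary point concrete, here is an added Terraform sketch of the two approaches. It is not code from alphagov/govuk-infrastructure: the variable name, the role name, the `govuk` topic in the commented-out search query and the assumption that a GitHub OIDC provider already exists in the account are all illustrative. The claim names (`token.actions.githubusercontent.com:aud` and `:sub`) and the `repo:ORG/REPO:...` subject format are GitHub's documented OIDC behaviour.

```hcl
# Added example, not the project's own code. Names marked "assumed" are
# placeholders; the OIDC claim names and subject format are GitHub's.

# The weak approach this issue retires: enumerate repos by topic. Any org
# member who can create a repo can set this topic on it and inherit access.
#
# data "github_repositories" "ecr_writers" {
#   query = "org:alphagov topic:govuk"   # assumed topic
# }
# locals { ecr_writer_repos = data.github_repositories.ecr_writers.names }

# The replacement: an explicit allowlist reviewed via pull request.
variable "ecr_writer_repos" {
  description = "alphagov repos whose Actions workflows may push to ECR."
  type        = set(string)
  default     = ["govuk-infrastructure"] # assumed value
}

# GitHub's OIDC subject is "repo:ORG/REPO:ref:refs/heads/main",
# "repo:ORG/REPO:environment:NAME", etc. Pin org and repo exactly and
# wildcard only the trailing ref/environment segment.
locals {
  allowed_subjects = [for r in var.ecr_writer_repos : "repo:alphagov/${r}:*"]
}

# Assumes the GitHub OIDC provider already exists in the account.
data "aws_iam_openid_connect_provider" "github" {
  url = "https://token.actions.githubusercontent.com"
}

data "aws_iam_policy_document" "ecr_writer_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [data.aws_iam_openid_connect_provider.github.arn]
    }

    # Audience must be pinned too, or a token minted for another
    # consumer could be replayed against this role.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = local.allowed_subjects
    }
  }
}

resource "aws_iam_role" "ecr_writer" {
  name               = "github-actions-ecr-writer" # assumed name
  assume_role_policy = data.aws_iam_policy_document.ecr_writer_trust.json
}
```

Two things to check before applying something like this for real. First, never let the `sub` pattern degrade to `repo:alphagov/*`, which would re-create the original problem in a different form. Second, every allowlisted repo adds one subject string to the trust policy, and IAM caps an assume-role policy document at 2048 characters by default (the quota can be raised to 4096), so a long list can hit that limit and has to be split across roles or shortened.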

sengi commented 2 months ago

Heh what are the odds this blows up on some stoopid IAM policy size limit or something 🤔😂

sengi commented 2 months ago

dammit 😭