bcgov / cloud-pathfinder

This is the technology and UX backend repo for the cloud pathfinder ZenHub task board
https://app.zenhub.com/workspaces/cloud-pathfinder-5e4dbb426c3c6af8dcbf06a7/board?repos=241742911
Creative Commons Zero v1.0 Universal

Create long life AWS test accounts #1589

Closed crochcunill closed 1 year ago

crochcunill commented 2 years ago

Description of the issue
Currently the AWS credentials associated with an account (project set) last six hours. This is a problem for automating certain tests. Specifically, I am thinking of the test that will check the BCGov iam-role permission boundary.

Additional context
At this moment these tests are on the drawing board, so they may change, but at this moment the approach will be to use the AWS CLI to execute some allowed and non-allowed actions. The allowed action should result in the action being completed (for example, creating a new service instance) or denied (unable to create/use some service).

We will probably need one long-life test account per role, to test each role individually.

Information about the BC Gov iam-role permission boundary can be found at

https://github.com/BCDevOps/terraform-aws-keycloak-lz-sso-setup
https://github.com/BCDevOps/terraform-aws-keycloak-lz-sso-setup/blob/a185c0cfca1299ddc5ada1551767a5291002a0f7/main.tf#L68

Definition of Done
A set of accounts that will not have the AWS credentials limited to 6h
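The check described in this comment, as an added example that is not code from the bcgov/cloud-pathfinder repo: a small shell harness that runs AWS CLI actions the permission boundary is expected to allow or deny, classifies the outcome of each call, and counts the mismatches. The specific probes (sts and s3 reads expected to pass, IAM writes expected to fail), the AWS_CMD override and the RUN_BOUNDARY_CHECKS switch are assumptions for illustration; the real boundary from the Terraform repo above decides which actions belong in which list.

```shell
#!/bin/sh
# Added example, not code from the bcgov/cloud-pathfinder repo. It implements the
# test sketched in the issue: run AWS CLI actions the BCGov permission boundary is
# expected to allow or deny, and check the observed outcome of each one.
# Assumptions (hypothetical, adjust to the real boundary): sts/s3 reads are allowed,
# IAM writes are denied. Credentials for the role under test must already be in the
# environment; AWS_CMD lets a stand-in replace `aws` when testing this script offline.

AWS_CMD="${AWS_CMD:-aws}"

# classify_outcome STATUS STDERR -> prints allowed | denied | error
# Only an explicit authorization failure counts as "denied"; anything else
# (network error, bad arguments, throttling) is an "error" and must not be
# mistaken for the boundary doing its job.
classify_outcome() {
  if [ "$1" -eq 0 ]; then
    echo allowed
  elif printf '%s' "$2" | grep -Eq 'AccessDenied|UnauthorizedOperation|not authorized'; then
    echo denied
  else
    echo error
  fi
}

# probe EXPECTED ARGS... : run `aws ARGS` and compare the outcome with EXPECTED
probe() {
  expected="$1"; shift
  # Capture stderr only; stdout (e.g. a successful JSON response) is discarded.
  # The && / || form keeps a non-zero exit from aborting under `set -e`.
  err="$($AWS_CMD "$@" 2>&1 >/dev/null)" && status=0 || status=$?
  actual="$(classify_outcome "$status" "$err")"
  if [ "$actual" = "$expected" ]; then
    printf 'PASS %-7s aws %s\n' "$expected" "$*"
    return 0
  fi
  printf 'FAIL expected %s, got %s: aws %s\n' "$expected" "$actual" "$*" >&2
  return 1
}

# run_boundary_checks: one probe per action; returns the number of failed probes
run_boundary_checks() {
  failures=0
  probe allowed sts get-caller-identity                    || failures=$((failures + 1))
  probe allowed s3api list-buckets                         || failures=$((failures + 1))
  probe denied  iam create-user --user-name boundary-probe || failures=$((failures + 1))
  probe denied  iam attach-user-policy --user-name boundary-probe \
        --policy-arn arn:aws:iam::aws:policy/AdministratorAccess || failures=$((failures + 1))
  return "$failures"
}

# Only touch a real account when asked, so sourcing the file is side-effect free.
if [ "${RUN_BOUNDARY_CHECKS:-0}" = 1 ]; then
  run_boundary_checks
fi
```

Run it as `RUN_BOUNDARY_CHECKS=1 sh boundary-check.sh` after pasting the ephemeral credentials for the role under test into the environment; the exit status is the number of probes whose outcome did not match. Keeping "error" separate from "denied" matters: a probe that fails because of a typo or an expired session would otherwise look like the boundary working.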

crochcunill commented 2 years ago

Related to #1615

crochcunill commented 1 year ago

This ticket will not be done for several reasons. The main one is that long-lived AWS accounts are a security risk. Also, the tests are run in the context of regression testing as opposed to CI/CD, and the step of copying and pasting the ephemeral credentials is neither critical nor time-consuming.

crochcunill commented 1 year ago

This issue can be closed. The implementation of the OIDC authentication means that it may be possible to create a trust relationship between a process running in GitHub and AWS, making the long-life AWS accounts unnecessary.
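The trust relationship mentioned in this last comment, as an added example that is not code from the bcgov/cloud-pathfinder repo: a shell script that emits the IAM trust policy letting a GitHub Actions job in one repository and branch call sts:AssumeRoleWithWebIdentity through GitHub's OIDC provider, plus a helper that creates the provider and a test role carrying the permission boundary. The account id, org/repo, branch, role name and boundary ARN are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not code from the bcgov/cloud-pathfinder repo. It builds the IAM
# trust policy behind the OIDC approach: a GitHub Actions job in a given repo and
# branch presents its GitHub-issued OIDC token to STS and receives short-lived
# credentials for a test role, so no long-lived secret is stored anywhere.
# Account id, org/repo, branch, role name and boundary ARN used here are hypothetical.

GITHUB_OIDC_HOST="token.actions.githubusercontent.com"

# gh_oidc_trust_policy ACCOUNT_ID ORG REPO BRANCH -> prints the trust policy JSON.
# The `sub` condition is what scopes the trust: without it any GitHub repository
# could assume the role. `aud` pins the token audience to STS.
gh_oidc_trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::$1:oidc-provider/${GITHUB_OIDC_HOST}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "${GITHUB_OIDC_HOST}:aud": "sts.amazonaws.com",
        "${GITHUB_OIDC_HOST}:sub": "repo:$2/$3:ref:refs/heads/$4"
      }
    }
  }]
}
EOF
}

# create_test_role ACCOUNT_ID ORG REPO BRANCH ROLE_NAME BOUNDARY_ARN
# Registers GitHub as an OIDC provider (once per account) and creates the test role
# with the permission boundary attached. Not invoked here; call it explicitly.
create_test_role() {
  # Fails harmlessly if the provider already exists. Older CLI versions also
  # require --thumbprint-list.
  aws iam create-open-id-connect-provider \
    --url "https://${GITHUB_OIDC_HOST}" \
    --client-id-list sts.amazonaws.com 2>/dev/null || true
  aws iam create-role \
    --role-name "$5" \
    --assume-role-policy-document "$(gh_oidc_trust_policy "$1" "$2" "$3" "$4")" \
    --permissions-boundary "$6"
}

# Print the policy for the sample values so the file can be run stand-alone.
gh_oidc_trust_policy 123456789012 bcgov cloud-pathfinder main
```

On the GitHub side the workflow needs `permissions: id-token: write` and a step that assumes the role (for example aws-actions/configure-aws-credentials with `role-to-assume`); the credentials the job receives are ephemeral STS credentials of the same kind the issue discusses, just fetched by the job itself instead of pasted in. Tightening the `sub` value (a specific branch, or `repo:ORG/REPO:environment:NAME` for a protected environment) is the main control against another workflow or fork assuming the test role.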