Closed crochcunill closed 1 year ago
Related to #1615
This ticket will not be done for several reasons. The main one is that long-lived AWS accounts are a security risk. Also, the tests are run in the context of regression testing as opposed to CI/CD, and the step of copying and pasting the ephemeral credentials is neither critical nor time-consuming.
This issue can be closed. The implementation of OIDC authentication means that it may be possible to create a trust relationship between a process running in GitHub and AWS, making the long-lived AWS accounts unnecessary.
Description of the issue
Currently the AWS credentials associated with an account (project set) last six hours. This is a problem for automating certain tests. Specifically, I am thinking of the test that will check the BCGov iam-role permission boundary.
Additional context
At this moment these tests are on the drawing board, so they may change, but at this moment the approach will be to use the AWS CLI to execute some allowed and non-allowed actions. The allowed action should result in the action being completed (for example, creating a new service instance) or denied (unable to create/use some service).
We will probably need one long-lived test account per role, to test each role individually.
Information about the BC Gov iam-role permission boundary can be found at:
https://github.com/BCDevOps/terraform-aws-keycloak-lz-sso-setup
https://github.com/BCDevOps/terraform-aws-keycloak-lz-sso-setup/blob/a185c0cfca1299ddc5ada1551767a5291002a0f7/main.tf#L68
Definition of Done
A set of accounts that will not have the AWS credentials limited to 6h.
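As an added example (not code from this issue or from the terraform-aws-keycloak-lz-sso-setup project), the POSIX shell helper below covers the two points raised above: the OIDC trust relationship mentioned in the closing comment, expressed as an IAM trust policy that only one GitHub repository and branch can use to assume the role, and the allowed/denied check for the AWS CLI based permission-boundary tests described in the issue body. The account id `123456789012`, the repository `my-org/my-repo` and the sample actions are placeholders.

```shell
#!/usr/bin/env sh
# Added example, not part of the issue or of terraform-aws-keycloak-lz-sso-setup.
# Placeholders: the AWS account id, the GitHub "org/repo", and the sample actions.

# Emit the IAM trust policy that lets a GitHub Actions job assume an AWS role
# through the GitHub OIDC provider (token.actions.githubusercontent.com).
# The "sub" condition pins the trust to one repository and one branch, so a
# token minted for any other repository, branch or pull request is rejected.
trust_policy_json() {
  account_id="$1"
  repo="$2"                        # e.g. my-org/my-repo (placeholder)
  ref="${3:-refs/heads/main}"      # branch ref the workflow must run from
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${account_id}:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
          "token.actions.githubusercontent.com:sub": "repo:${repo}:ref:${ref}"
        }
      }
    }
  ]
}
EOF
}

# Run one AWS CLI command and classify the result as allowed, denied or error.
# Succeeds (exit 0) only when the classification equals $1, so a regression
# test can assert both that permitted actions work and that the permission
# boundary blocks the rest. A failure that is not an authorization error
# (bad arguments, no network, expired credentials) is "error", never "denied",
# so a broken test command cannot pass as a successful deny.
expect_outcome() {
  expected="$1"; shift
  if out=$(aws "$@" 2>&1); then
    actual="allowed"
  elif printf '%s' "$out" | grep -qE 'AccessDenied|UnauthorizedOperation|not authorized'; then
    actual="denied"
  else
    actual="error"
  fi
  printf 'expect %-7s aws %s -> %s\n' "$expected" "$*" "$actual" >&2
  [ "$actual" = "$expected" ]
}

# Sample regression run against the role under test (placeholders; needs
# real credentials for that role, e.g. obtained in a workflow via OIDC):
#   trust_policy_json 123456789012 my-org/my-repo > trust.json
#   expect_outcome allowed sts get-caller-identity
#   expect_outcome denied  iam create-user --user-name pb-probe-user
```

The third outcome, `error`, is deliberate: if a test only distinguished "succeeded" from "failed", a typo in the command or an expired session would be counted as the boundary correctly denying the action. When running under `set -e`, call the helper as `expect_outcome denied ... || exit 1` so a mismatch stops the run with a clear line on stderr.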