cds-snc / dns

DNS Configuration for domains managed by CDS

Notification.Canada.Ca Write access #395

Closed ben851 closed 1 week ago

ben851 commented 3 weeks ago

We would like to take over managing notification.canada.ca using our own terraform repository. Would it be possible to provide write access to the notification.canada.ca route53 zone in the CDS DNS AWS account to:

Notify Core Team: @cds-snc/notify-core

Additionally, the notification-production account will need IAM roles it can assume to manage the hosted zone records as part of the cds-snc/notification-terraform workflows. Two roles will be needed:

  1. Terraform plan: read access to the hosted zone records
  2. Terraform apply: write access to the hosted zone records (but no delete of hosted zone itself, because reasons)
sylviamclaughlin commented 2 weeks ago

To accomplish the above, we will need to create an IAM role in the Canadian Digital Services AWS account. The IAM policy will need to have the following:

  1. Have the ability to manage notification.canada.ca hosted zone records but NOT the hosted zone itself.
  2. Have a trust policy allowing the role to be assumed by the OIDC GitHub role running prod terraform apply.
sylviamclaughlin commented 2 weeks ago

The policy code for part 1 will look similar to:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "route53:ListResourceRecordSets",
        "route53:ChangeResourceRecordSets",
        "route53:GetChange"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:route53:::hostedzone/HOSTED_ZONE_ID_FOR_NOTIFICATION_CANADA_CA"
    },
    {
      "Action": [
        "route53:ListHostedZones",
        "route53:GetHostedZoneCount",
        "route53:ListHostedZonesByName"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```

For the second part, we will need to modify the notification_apply_oidc role to contain the following:

```hcl
# Policy document granting the apply OIDC role permission to assume the
# DNS manager role that lives in the Canadian Digital Services AWS account.
data "aws_iam_policy_document" "assume_dns_manager" {
  statement {
    sid = "AssumeProdDNSManagerRoles"

    actions = [
      "sts:AssumeRole",
    ]

    resources = [
      "arn:aws:iam::CanadianDigitalServicesAWSAccountID:role/prod_dns_manager"
    ]
  }
}

resource "aws_iam_policy" "assume_prod_dns_manager" {
  name   = "terraform_apply_oidc_role"
  policy = data.aws_iam_policy_document.assume_dns_manager.json
}

# Attach the policy to the existing OIDC role used by the prod terraform apply workflow.
resource "aws_iam_role_policy_attachment" "assume_prod_dns_manager" {
  role       = "terraform_apply_oidc_role"
  policy_arn = aws_iam_policy.assume_prod_dns_manager.arn
}
```
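The thread asks for two roles (a read-only "plan" role and a record-write "apply" role) and for neither to be able to delete the hosted zone, but only the apply policy is written out above. The following is an added example, not code from the cds-snc/dns repository or from either commenter: it builds both policy documents from a hosted zone id and runs a small offline least-privilege check over them (and over the JSON posted in the comment above, embedded here verbatim). The zone id is the same placeholder used in the comment; the read-only action set for the plan role and the `check_policy` rules are assumptions about what "read access to the hosted zone records" should mean, not something the issue specifies.

```python
import json
from typing import Any, Dict, List

# Placeholder copied from the issue; the real zone id is not on the page.
HOSTED_ZONE_ID = "HOSTED_ZONE_ID_FOR_NOTIFICATION_CANADA_CA"

# Apply role: the record-level actions from the posted policy. None of them touch the zone itself.
RECORD_WRITE_ACTIONS = [
    "route53:ListResourceRecordSets",
    "route53:ChangeResourceRecordSets",
    "route53:GetChange",
]
# Plan role (assumed read set): enough for `terraform plan` to refresh record state.
RECORD_READ_ACTIONS = ["route53:ListResourceRecordSets", "route53:GetHostedZone"]
# Account-wide discovery actions the posted policy grants on "*".
ZONE_DISCOVERY_ACTIONS = [
    "route53:ListHostedZones",
    "route53:GetHostedZoneCount",
    "route53:ListHostedZonesByName",
]
# Zone-lifecycle actions neither role may hold ("no delete of hosted zone itself").
FORBIDDEN_ACTIONS = {
    "route53:DeleteHostedZone",
    "route53:CreateHostedZone",
    "route53:UpdateHostedZoneComment",
}

# The apply policy exactly as posted in the comment above.
PAGE_POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": ["route53:ListResourceRecordSets", "route53:ChangeResourceRecordSets", "route53:GetChange"],
     "Effect": "Allow",
     "Resource": "arn:aws:route53:::hostedzone/HOSTED_ZONE_ID_FOR_NOTIFICATION_CANADA_CA"},
    {"Action": ["route53:ListHostedZones", "route53:GetHostedZoneCount", "route53:ListHostedZonesByName"],
     "Effect": "Allow",
     "Resource": "*"}
  ]
}
"""


def zone_arn(zone_id: str) -> str:
    return f"arn:aws:route53:::hostedzone/{zone_id}"


def build_policy(zone_id: str, record_actions: List[str]) -> Dict[str, Any]:
    """Record-level actions scoped to one zone, plus discovery actions on '*'."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": list(record_actions), "Resource": zone_arn(zone_id)},
            {"Effect": "Allow", "Action": list(ZONE_DISCOVERY_ACTIONS), "Resource": "*"},
        ],
    }


def plan_policy(zone_id: str) -> Dict[str, Any]:
    return build_policy(zone_id, RECORD_READ_ACTIONS)


def apply_policy(zone_id: str) -> Dict[str, Any]:
    return build_policy(zone_id, RECORD_WRITE_ACTIONS)


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def check_policy(policy: Dict[str, Any], zone_id: str, allow_write: bool) -> List[str]:
    """Return findings; an empty list means the policy meets the issue's constraints."""
    findings: List[str] = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            # Wildcards ("*", "route53:*") would silently include DeleteHostedZone.
            if action in FORBIDDEN_ACTIONS or action.endswith("*"):
                findings.append(f"statement {i}: forbidden or wildcard action {action}")
            if action == "route53:ChangeResourceRecordSets":
                if not allow_write:
                    findings.append(f"statement {i}: plan role must not hold {action}")
                if resources != [zone_arn(zone_id)]:
                    findings.append(f"statement {i}: {action} must be scoped to the single hosted zone ARN")
    return findings


if __name__ == "__main__":
    posted = json.loads(PAGE_POLICY_JSON)
    print("posted apply policy findings:", check_policy(posted, HOSTED_ZONE_ID, allow_write=True))
    print("plan policy findings:", check_policy(plan_policy(HOSTED_ZONE_ID), HOSTED_ZONE_ID, allow_write=False))
```

Run it after editing a policy: any non-empty findings list points at the statement that either reaches beyond record management or widens `ChangeResourceRecordSets` past the one zone.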
sylviamclaughlin commented 1 week ago

PR has been created to address this issue here - https://github.com/cds-snc/dns/pull/397