cds-snc / dns

DNS Configuration for domains managed by CDS

Adding a new IAM role that will allow notify to manage notification.canada.ca domain #397

Closed sylviamclaughlin closed 1 month ago

sylviamclaughlin commented 1 month ago

Summary | Résumé

Closes #395

New IAM role that will allow the following:

  1. Permissions to list hosted zones, get the hosted zone count and list hosted zone names.
  2. Change hosted zone records only for the notification.canada.ca hosted zone.
  3. Allow this role to be assumed by the GitHub OIDC role.

ben851 commented 1 month ago

This looks good, but we will also need the notify core team to have at least read access to the zone so that we can do debugging etc.

github-actions[bot] commented 1 month ago

DNS

✅ Terraform Init: success
✅ Terraform Validate: success
✅ Terraform Format: success
✅ Terraform Plan: success
✅ Conftest: success

Plan: 3 to add, 0 to change, 0 to destroy
| CHANGE | NAME |
|--------|------|
| add | `aws_iam_policy.notify_prod_dns_manager_policy` |
| | `aws_iam_role.notify_prod_dns_manager` |
| | `aws_iam_role_policy_attachment.prod_dns_manager_policy_attachment` |
```terraform
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_iam_policy.notify_prod_dns_manager_policy will be created
  + resource "aws_iam_policy" "notify_prod_dns_manager_policy" {
      + arn              = (known after apply)
      + attachment_count = (known after apply)
      + description      = "Policy to manage Route53 records for notification.canada.ca hosted zone"
      + id               = (known after apply)
      + name             = "notify_prod_dns_manager_policy"
      + name_prefix      = (known after apply)
      + path             = "/"
      + policy           = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "route53:ListResourceRecordSets",
                          + "route53:ChangeResourceRecordSets",
                          + "route53:GetChange",
                        ]
                      + Effect   = "Allow"
                      + Resource = "arn:aws:route53:::hostedzone/Z1XG153PQF3VV5"
                    },
                  + {
                      + Action   = [
                          + "route53:GetHostedZone",
                          + "route53:ListHostedZones",
                          + "route53:GetHostedZoneCount",
                          + "route53:ListHostedZonesByName",
                        ]
                      + Effect   = "Allow"
                      + Resource = "*"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + policy_id        = (known after apply)
      + tags_all         = (known after apply)
    }

  # aws_iam_role.notify_prod_dns_manager will be created
  + resource "aws_iam_role" "notify_prod_dns_manager" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRole"
                      + Effect    = "Allow"
                      + Principal = {
                          + AWS = "arn:aws:iam::296255494825:role/notification-terraform-apply"
                        }
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "notify_prod_dns_manager"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags_all              = (known after apply)
      + unique_id             = (known after apply)

      + inline_policy {
          + name   = (known after apply)
          + policy = (known after apply)
        }
    }

  # aws_iam_role_policy_attachment.prod_dns_manager_policy_attachment will be created
  + resource "aws_iam_role_policy_attachment" "prod_dns_manager_policy_attachment" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = "notify_prod_dns_manager"
    }

Plan: 3 to add, 0 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
```
```sh
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.notify_prod_dns_manager_policy"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.notify_prod_dns_manager"]
WARN - plan.json - main - Missing Common Tags: ["aws_route53_zone.alpha-canada-ca-public"]
WARN - plan.json - main - Missing Common Tags: ["aws_route53_zone.cds-snc-ca-public"]
WARN - plan.json - main - Missing Common Tags: ["aws_route53_zone.notification-canada-ca-public"]
WARN - plan.json - main - Missing Common Tags: ["aws_route53_zone.platform-canada-ca-public"]

25 tests, 19 passed, 6 warnings, 0 failures, 0 exceptions
```
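A reviewer-side least-privilege check over the two policy documents the plan above creates, as an added example that is not part of the cds-snc/dns repository or its Conftest rules. The policy JSON is copied from the plan output; the check names and the `allowed_zone_arns` parameter are this example's own.

```python
"""Least-privilege check for the Route53 role proposed in this PR. Added example,
not code from the cds-snc/dns repository; policies copied from the plan output."""
import json

# Copied from the plan for aws_iam_policy.notify_prod_dns_manager_policy.
PERMISSIONS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["route53:ListResourceRecordSets", "route53:ChangeResourceRecordSets",
                "route53:GetChange"],
     "Resource": "arn:aws:route53:::hostedzone/Z1XG153PQF3VV5"},
    {"Effect": "Allow",
     "Action": ["route53:GetHostedZone", "route53:ListHostedZones",
                "route53:GetHostedZoneCount", "route53:ListHostedZonesByName"],
     "Resource": "*"}]}""")

# Copied from the plan for aws_iam_role.notify_prod_dns_manager (trust policy).
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                 "Principal": {"AWS": "arn:aws:iam::296255494825:role/notification-terraform-apply"}}]}""")

# Route53 actions that mutate DNS state; these must be pinned to hosted-zone ARNs.
WRITE_ACTIONS = {"route53:ChangeResourceRecordSets"}

def as_list(value):
    """IAM accepts either a string or a list in Action/Resource/Principal fields."""
    return value if isinstance(value, list) else [value]

def find_violations(permissions, trust, allowed_zone_arns):
    """Return human-readable findings; an empty list means the role passes both checks."""
    findings = []
    for stmt in permissions["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt["Action"])
        # A wildcard action such as "route53:*" also implies write access.
        if any(a in WRITE_ACTIONS or a.endswith("*") for a in actions):
            bad = [r for r in as_list(stmt["Resource"]) if r not in allowed_zone_arns]
            if bad:
                findings.append(f"write actions {actions} not pinned to an allowed zone: {bad}")
    for stmt in trust["Statement"]:
        principal = stmt.get("Principal", {})
        # Principal may be the literal "*" or a map; only named roles are acceptable.
        arns = [principal] if isinstance(principal, str) else as_list(principal.get("AWS", []))
        if any(p == "*" or p.endswith(":root") for p in arns):
            findings.append(f"trust policy allows an overly broad principal: {arns}")
    return findings
```

Run against the plan's own documents with the notification.canada.ca zone ARN as the only allowed zone, the check returns no findings; widening the write statement to `"*"` or the trust principal to `"*"` each produces one finding.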