cds-snc / dns

DNS Configuration for domains managed by CDS

Adding list tags permissions for Notify IAM #403

Closed ben851 closed 1 month ago

ben851 commented 1 month ago

Summary | Résumé

Our Terraform is failing:

is not authorized to perform: route53:ListTagsForResource on resource: arn:aws:route53:::hostedzone/Z1XG153PQF3VV5 because no identity-based policy allows the route53:ListTagsForResource action

Adding in the required permissions

Test instructions | Instructions pour tester la modification

TF Plan works 🤞

github-actions[bot] commented 1 month ago

DNS

✅ Terraform Init: success
✅ Terraform Validate: success
✅ Terraform Format: success
✅ Terraform Plan: success
✅ Conftest: success

Plan: 0 to add, 2 to change, 0 to destroy
Summary:

| CHANGE | NAME |
|--------|------|
| update | `aws_iam_policy.notify_prod_dns_manager_policy` |
| update | `aws_iam_role.notify_prod_dns_manager` |
Plan:

```terraform
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_iam_policy.notify_prod_dns_manager_policy will be updated in-place
  ~ resource "aws_iam_policy" "notify_prod_dns_manager_policy" {
        id          = "arn:aws:iam::866996500832:policy/notify_prod_dns_manager_policy"
        name        = "notify_prod_dns_manager_policy"
      ~ policy      = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Action   = [
                            # (2 unchanged elements hidden)
                            "route53:GetChange",
                          + "route53:ListTagsForResource",
                        ]
                        # (2 unchanged attributes hidden)
                    },
                    {
                        Action   = [
                            "route53:GetHostedZone",
                            "route53:ListHostedZones",
                            "route53:GetHostedZoneCount",
                            "route53:ListHostedZonesByName",
                        ]
                        Effect   = "Allow"
                        Resource = "*"
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        tags        = {}
        # (7 unchanged attributes hidden)
    }

  # aws_iam_role.notify_prod_dns_manager will be updated in-place
  ~ resource "aws_iam_role" "notify_prod_dns_manager" {
      ~ assume_role_policy    = (sensitive value)
        id                    = "notify_prod_dns_manager"
        name                  = "notify_prod_dns_manager"
        tags                  = {}
        # (11 unchanged attributes hidden)
    }

Plan: 0 to add, 2 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
```
Conftest results:

```sh
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.Route53TerraformDeploy"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.notify_prod_dns_manager_policy"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.notify_prod_dns_manager"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_user.dns-github-deployer"]
WARN - plan.json - main - Missing Common Tags: ["aws_route53_zone.alpha-canada-ca-public"]
WARN - plan.json - main - Missing Common Tags: ["aws_route53_zone.cds-snc-ca-public"]
WARN - plan.json - main - Missing Common Tags: ["aws_route53_zone.notification-canada-ca-public"]
WARN - plan.json - main - Missing Common Tags: ["aws_route53_zone.platform-canada-ca-public"]

27 tests, 19 passed, 8 warnings, 0 failures, 0 exceptions
```
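As an added illustration (not code from the cds-snc/dns repository), a small Python policy check that reproduces the gap behind the AccessDenied message and the shape of the fix in the plan: `route53:ListTagsForResource` is added to the zone-scoped statement rather than to the `Resource = "*"` statement, so the role still cannot read tags on other hosted zones. The policy document, the required-action list and the evaluator are constructed sample values and a simplified model of IAM evaluation, not the repository's real policy.

```python
import fnmatch
import json

# Constructed sample input (not the repository's real policy). The hosted zone ARN and
# the route53 actions mirror the AccessDenied message and the plan above; the plan hides
# two actions in the zone-scoped statement, so only GetChange is listed here.
HOSTED_ZONE_ARN = "arn:aws:route53:::hostedzone/Z1XG153PQF3VV5"
POLICY_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["route53:GetChange"], "Resource": HOSTED_ZONE_ARN},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["route53:GetHostedZone", "route53:ListHostedZones",
                    "route53:GetHostedZoneCount", "route53:ListHostedZonesByName"]},
    ],
}
# What the Terraform provider needs on the zone; ListTagsForResource is the one reported missing.
REQUIRED_ON_ZONE = ["route53:GetChange", "route53:ListTagsForResource"]


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def is_allowed(policy, action, resource):
    """Top-level IAM evaluation for one identity policy: explicit Deny wins, otherwise any
    matching Allow grants, otherwise implicit deny. '*'/'?' wildcards apply; action names
    are case-insensitive, ARNs are case-sensitive. Conditions are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt.get("Action"))):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource"))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def missing_actions(policy, required, resource):
    """Required actions the policy does not allow on `resource`: a pre-plan check that
    surfaces the same gap the AccessDenied error did, before Terraform runs."""
    return [a for a in required if not is_allowed(policy, a, resource)]


def with_list_tags(policy):
    """The PR's fix, applied to a copy: add ListTagsForResource to the zone-scoped
    statement instead of widening the Resource = "*" statement."""
    fixed = json.loads(json.dumps(policy))
    fixed["Statement"][0]["Action"].append("route53:ListTagsForResource")
    return fixed
```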