cds-snc / simplify-privacy-statements-V2

starter-app repo based version of privacy app.
https://simplify-privacy-statements.alpha.canada.ca

bug/add-lambda-efs-full-access #241

Closed omartehsin1 closed 1 year ago

omartehsin1 commented 1 year ago

Summary | Résumé

The Lambda module's execution role lacked the IAM permissions needed to mount the EFS file system, so this PR attaches a policy granting them.

github-actions[bot] commented 1 year ago

Production: app

✅   Terraform Format: success ✅   Terraform Plan: success ✅   Conftest: success

Plan: 4 to add, 0 to change, 0 to destroy
Show plan ```terraform Resource actions are indicated with the following symbols: + create Terraform will perform the following actions: # aws_lambda_function_url.generated_statement_url will be created + resource "aws_lambda_function_url" "generated_statement_url" { + authorization_type = "NONE" + function_arn = (known after apply) + function_name = "generated_statement_lambda_function" + function_url = (known after apply) + id = (known after apply) + url_id = (known after apply) } # module.generated_statement_lambda.aws_iam_policy.policies[0] will be created + resource "aws_iam_policy" "policies" { + arn = (known after apply) + id = (known after apply) + name = "generated_statement_lambda_function-0" + path = "/" + policy = jsonencode( { + Statement = [ + { + Action = [ + "cloudwatch:DescribeAlarmsForMetric", + "cloudwatch:GetMetricData", + "ec2:CreateNetworkInterface", + "ec2:DeleteNetworkInterface", + "ec2:DescribeAvailabilityZones", + "ec2:DescribeNetworkInterfaceAttribute", + "ec2:DescribeNetworkInterfaces", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", + "ec2:DescribeVpcAttribute", + "ec2:DescribeVpcs", + "ec2:ModifyNetworkInterfaceAttribute", + "elasticfilesystem:CreateFileSystem", + "elasticfilesystem:CreateMountTarget", + "elasticfilesystem:CreateTags", + "elasticfilesystem:CreateAccessPoint", + "elasticfilesystem:CreateReplicationConfiguration", + "elasticfilesystem:DeleteFileSystem", + "elasticfilesystem:DeleteMountTarget", + "elasticfilesystem:DeleteTags", + "elasticfilesystem:DeleteAccessPoint", + "elasticfilesystem:DeleteFileSystemPolicy", + "elasticfilesystem:DeleteReplicationConfiguration", + "elasticfilesystem:DescribeAccountPreferences", + "elasticfilesystem:DescribeBackupPolicy", + "elasticfilesystem:DescribeFileSystems", + "elasticfilesystem:DescribeFileSystemPolicy", + "elasticfilesystem:DescribeLifecycleConfiguration", + "elasticfilesystem:DescribeMountTargets", + "elasticfilesystem:DescribeMountTargetSecurityGroups", + 
"elasticfilesystem:DescribeTags", + "elasticfilesystem:DescribeAccessPoints", + "elasticfilesystem:DescribeReplicationConfigurations", + "elasticfilesystem:ModifyMountTargetSecurityGroups", + "elasticfilesystem:PutAccountPreferences", + "elasticfilesystem:PutBackupPolicy", + "elasticfilesystem:PutLifecycleConfiguration", + "elasticfilesystem:PutFileSystemPolicy", + "elasticfilesystem:UpdateFileSystem", + "elasticfilesystem:TagResource", + "elasticfilesystem:UntagResource", + "elasticfilesystem:ListTagsForResource", + "elasticfilesystem:Backup", + "elasticfilesystem:Restore", + "kms:DescribeKey", + "kms:ListAliases", ] + Effect = "Allow" + Resource = "*" }, + { + Action = "iam:CreateServiceLinkedRole" + Condition = { + StringEquals = { + "iam:AWSServiceName" = [ + "elasticfilesystem.amazonaws.com", ] } } + Effect = "Allow" + Resource = "*" }, ] + Version = "2012-10-17" } ) + policy_id = (known after apply) + tags = { + "CostCentre" = "simplify-privacy-statements-production" + "Terraform" = "true" } + tags_all = { + "CostCentre" = "simplify-privacy-statements-production" + "Terraform" = "true" } } # module.generated_statement_lambda.aws_iam_role_policy_attachment.attachments[0] will be created + resource "aws_iam_role_policy_attachment" "attachments" { + id = (known after apply) + policy_arn = (known after apply) + role = "generated_statement_lambda_function" } # module.generated_statement_lambda.aws_lambda_function.this will be created + resource "aws_lambda_function" "this" { + architectures = [ + "x86_64", ] + arn = (known after apply) + function_name = "generated_statement_lambda_function" + id = (known after apply) + image_uri = "414662622316.dkr.ecr.ca-central-1.amazonaws.com/privacy-statement-container:latest" + invoke_arn = (known after apply) + last_modified = (known after apply) + memory_size = 128 + package_type = "Image" + publish = false + qualified_arn = (known after apply) + qualified_invoke_arn = (known after apply) + reserved_concurrent_executions = 
-1 + role = "arn:aws:iam::414662622316:role/generated_statement_lambda_function" + signing_job_arn = (known after apply) + signing_profile_version_arn = (known after apply) + skip_destroy = false + source_code_hash = (known after apply) + source_code_size = (known after apply) + tags = { + "CostCentre" = "simplify-privacy-statements-production" + "Terraform" = "true" } + tags_all = { + "CostCentre" = "simplify-privacy-statements-production" + "Terraform" = "true" } + timeout = 30 + version = (known after apply) + environment { + variables = { + "BINARY_CONTENT_TYPES" = "application/vnd.openxmlformats-officedocument.wordprocessingml.document" } } + ephemeral_storage { + size = 512 } + file_system_config { + arn = "arn:aws:elasticfilesystem:ca-central-1:414662622316:access-point/fsap-0f66b64c3791a5d33" + local_mount_path = "/mnt/access" } + tracing_config { + mode = "PassThrough" } + vpc_config { + security_group_ids = [ + "sg-033c29e939a74c39b", ] + subnet_ids = [ + "subnet-04892391188217b74", + "subnet-066c6b13009cc761a", + "subnet-0f0e20195a44b2a73", ] + vpc_id = (known after apply) } } Plan: 4 to add, 0 to change, 0 to destroy. ───────────────────────────────────────────────────────────────────────────── Saved the plan to: plan.tfplan To perform exactly these actions, run the following command to apply: terraform apply "plan.tfplan" Releasing state lock. This may take a few moments... ```
Show Conftest results ```sh 18 tests, 18 passed, 0 warnings, 0 failures, 0 exceptions ```