Closed vc13837 closed 3 months ago
Proposed solution:
1. Add permissions for cloudformation to the memberinfrastructureaccess role.
2. Add aws_cloudformation_stack to the plan evaluator.
3. User to store the cloudformation template in the environments repo and deploy it with the tf resource above.
Have reviewed the list of policy actions for cloudformation in https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudformation.html. I have excluded those permissions that pertain to operations on stack resources (e.g. CreateChangeSet) and stack-set operations and instead included only those permissions that deal with the stack itself.
Issues with the cloudformation:ResourceTypes variable are resulting in the condition not allowing AWS::WAFv2::WebACL types to be created. Have spent time with AWS reviewing the policy. Will be talking to them again today.
On hold as this and the work Mark is undertaking both need sprinkler IAM and will conflict with the other.
Given the issues using the documented statements, we are putting in place a short-term workaround whereby cloudformation permissions will be added but these will be trapped by the plan evaluator script and the PR will require MP approval.
Once both PRs are applied I'll contact LAA Ops to confirm they can now create cf stacks. I will also create a new ticket for when we have a solution from AWS.
New ticket added for the follow-up work - https://github.com/ministryofjustice/modernisation-platform/issues/7220
Scheduled baseline run and the change has been applied. Have contacted Vincent with the update.
User Story
As an Ops Engineer migrating the application CWA, I need to deploy the WAFv2 Web ACL using CloudFormation, so that the migration of CWA can continue without changes to existing security rules.
Value / Purpose
I would like to deploy a WAFv2 Web ACL in Modernisation Platform. However, with Terraform there is an issue where the rules cannot go more than 3 levels deep - https://github.com/hashicorp/terraform-provider-aws/issues/15580, thus the current workaround is to deploy using CloudFormation.
The only resource being deployed via CloudFormation is AWS::WAFv2::WebACL, thus other resource creation can be blocked policy-wise to stop other users using CloudFormation as a workaround to deploy any resources they like.
Useful Contacts
Vincent Cheung (via Slack please)
Additional Information
No response
Proposal / Unknowns
Assumption:
Definition of Done
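The comments above describe trapping aws_cloudformation_stack changes in the plan evaluator while the IAM condition is unresolved, and Value / Purpose states that only AWS::WAFv2::WebACL should be allowed. Below is an added example of that check (not code from the modernisation-platform repo): it scans a `terraform show -json` plan, flags every stack change for MP approval, and blocks any whose template carries a resource type outside the allow-list. The plan structure is a constructed sample, and the check assumes JSON (not YAML) templates.

```python
import json

# Resource types a stack template may contain (the issue allows only the WebACL).
ALLOWED_CF_TYPES = {"AWS::WAFv2::WebACL"}

# Constructed sample of `terraform show -json tfplan` output, trimmed to the
# fields this check reads; not a real plan from the environments repo.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {"bucket": "example-logs"}}},
    {"address": "aws_cloudformation_stack.waf", "type": "aws_cloudformation_stack",
     "change": {"actions": ["create"], "after": {"template_body": json.dumps({
         "Resources": {"WebAcl": {"Type": "AWS::WAFv2::WebACL",
                                  "Properties": {"Scope": "REGIONAL"}}}})}}},
    {"address": "aws_cloudformation_stack.sneaky", "type": "aws_cloudformation_stack",
     "change": {"actions": ["update"], "after": {"template_body": json.dumps({
         "Resources": {"WebAcl": {"Type": "AWS::WAFv2::WebACL"},
                       "Admin": {"Type": "AWS::IAM::Role"}}})}}},
]}


def cloudformation_findings(plan: dict) -> list:
    """One finding per aws_cloudformation_stack being created or updated.

    Each finding lists the CloudFormation resource types in the template and
    those outside ALLOWED_CF_TYPES. A template that cannot be inspected
    (unknown until apply, or not JSON) is reported as disallowed.
    """
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_cloudformation_stack":
            continue
        change = rc.get("change", {})
        if not set(change.get("actions", [])) & {"create", "update"}:
            continue  # deletes and no-ops cannot introduce resources
        body = (change.get("after") or {}).get("template_body")
        try:
            resources = json.loads(body)["Resources"]  # assumes a JSON template
            types = {r.get("Type", "<missing Type>") for r in resources.values()}
        except (TypeError, ValueError, KeyError, AttributeError):
            types = {"<template not inspectable>"}
        findings.append({"address": rc["address"], "types": sorted(types),
                         "disallowed": sorted(types - ALLOWED_CF_TYPES)})
    return findings


def needs_mp_approval(plan: dict) -> bool:
    """Any CloudFormation stack change at all is trapped for MP review."""
    return bool(cloudformation_findings(plan))


def blocked(plan: dict) -> list:
    """Addresses of stacks whose template carries a type outside the allow-list."""
    return [f["address"] for f in cloudformation_findings(plan) if f["disallowed"]]


if __name__ == "__main__":
    for finding in cloudformation_findings(SAMPLE_PLAN):
        print(finding)
    print("MP approval:", needs_mp_approval(SAMPLE_PLAN), "blocked:", blocked(SAMPLE_PLAN))
```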