ministryofjustice / modernisation-platform

A place for the core work of the Modernisation Platform • This repository is defined and managed in Terraform
https://user-guide.modernisation-platform.service.justice.gov.uk
MIT License

CloudFormation Stack deployment using Terraform #6991

Closed vc13837 closed 3 months ago

vc13837 commented 4 months ago

User Story

As an Ops Engineer migrating the application CWA
I need to deploy the WAFv2 Web ACL using CloudFormation
So that the migration of CWA can continue without changes to existing security rules

Value / Purpose

I would like to deploy WAFv2 Web ACL in Modernisation Platform. However, with Terraform there is an issue where the rules cannot go more than 3 levels deep - https://github.com/hashicorp/terraform-provider-aws/issues/15580, thus the current workaround is to deploy using CloudFormation.

The only resource being deployed via CloudFormation is AWS::WAFv2::WebACL, thus other resource creation can be blocked policy-wise to stop other users using CloudFormation as a workaround to deploy any resources they like.

Useful Contacts

Vincent Cheung (via Slack please)

Additional Information

No response

Proposal / Unknowns

Assumption:

Definition of Done

davidkelliott commented 4 months ago

Proposed solution:

Add permissions for cloudformation to the memberinfrastructureaccess role
Add aws_cloudformation_stack to the plan evaluator
User to store cloudformation template in environments repo and deploy with the tf resource above

mikereiddigital commented 4 months ago

Have reviewed the list of policy actions for cloudformation in https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudformation.html. I have excluded those permissions that pertain to operations on stack resources (e.g. CreateChangeSet) and stack-set operations and instead included only those permissions that deal with the stack itself.
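The shape of a stack-scoped statement along these lines, as an added example rather than the repository's own IAM code: CloudFormation stack actions are granted only when the request declares AWS::WAFv2::WebACL as its sole resource type, and only for stacks under an assumed `cwa-` name prefix.

```hcl
# Added example, not the Modernisation Platform's own policy code.
# Assumption: stacks for this workload are named with a "cwa-" prefix.
data "aws_iam_policy_document" "cloudformation_wafv2_only" {
  statement {
    sid    = "AllowWafv2WebAclStacksOnly"
    effect = "Allow"
    actions = [
      "cloudformation:CreateStack",
      "cloudformation:UpdateStack",
    ]
    resources = ["arn:aws:cloudformation:*:*:stack/cwa-*/*"]

    # Every resource type declared in the request must be in this list,
    # so a template that also creates e.g. an IAM role is refused.
    condition {
      test     = "ForAllValues:StringEquals"
      variable = "cloudformation:ResourceTypes"
      values   = ["AWS::WAFv2::WebACL"]
    }

    # ForAllValues evaluates to true when the key is absent from the
    # request, so require the caller to actually pass ResourceTypes;
    # without this the Allow would apply to any template.
    condition {
      test     = "Null"
      variable = "cloudformation:ResourceTypes"
      values   = ["false"]
    }
  }

  statement {
    sid    = "AllowManageOwnStacks"
    effect = "Allow"
    actions = [
      "cloudformation:DescribeStacks",
      "cloudformation:DescribeStackEvents",
      "cloudformation:DescribeStackResources",
      "cloudformation:GetTemplate",
      "cloudformation:DeleteStack",
    ]
    resources = ["arn:aws:cloudformation:*:*:stack/cwa-*/*"]
  }
}
```

The second condition is the check to keep in mind when testing: a client that does not send the ResourceTypes parameter with CreateStack is denied rather than silently allowed.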

mikereiddigital commented 4 months ago

Issues with the cloudformation:ResourceTypes variable are resulting in the condition not allowing AWS::WAFv2::WebACL types to be created. Have spent time with AWS reviewing the policy. Will be talking to them again today.

mikereiddigital commented 3 months ago

On hold as this and the work Mark is undertaking both need sprinkler IAM and will conflict with each other.

mikereiddigital commented 3 months ago

Given the issues using the documented statements, we are putting in place a short-term workaround whereby cloudformation permissions will be added but these will be trapped by the plan evaluator script and the PR will require MP approval.

mikereiddigital commented 3 months ago

Also PR - https://github.com/ministryofjustice/modernisation-platform/pull/7215

mikereiddigital commented 3 months ago

Once both PRs are applied I'll contact LAA Ops to confirm they can now create cf stacks. I will also create a new ticket for when we have a solution from AWS.

mikereiddigital commented 3 months ago

New ticket added for the follow-up work - https://github.com/ministryofjustice/modernisation-platform/issues/7220

mikereiddigital commented 3 months ago

Scheduled baseline run and the change has been applied. Have contacted Vincent with the update.