ministryofjustice / operations-engineering

This repository is home to the Operations Engineering's tools and utilities for managing, monitoring, and optimising software development processes at the Ministry of Justice.
This repository is defined and managed in Terraform.
https://user-guide.operations-engineering.service.justice.gov.uk/
MIT License

:sparkles: Add IAM user and policy for OctoDNS #4567

Closed jasonBirchall closed 3 months ago

jasonBirchall commented 3 months ago

This PR connects to https://github.com/ministryofjustice/operations-engineering/issues/4565

This will create a new user for managing credentials until the route53 provider in OctoDNS gives us the ability to use RBAC. Access and Secret keys are stored in the dns repository.

github-actions[bot] commented 3 months ago

iam plan

data.aws_iam_openid_connect_provider.github: Reading...
aws_iam_policy.github_dormant_user_policy: Refreshing state... [id=arn:aws:iam::880656497252:policy/DormantUserS3Access]
data.aws_iam_policy_document.r53_read_policy_document: Reading...
data.aws_iam_policy_document.r53_read_policy_document: Read complete after 0s [id=2046999383]
aws_iam_policy.r53_read_policy: Refreshing state... [id=arn:aws:iam::880656497252:policy/r53_read_policy]
data.aws_iam_openid_connect_provider.github: Read complete after 0s [id=arn:aws:iam::880656497252:oidc-provider/token.actions.githubusercontent.com]
data.aws_iam_policy_document.github_actions_assume_role_policy_document: Reading...
data.aws_iam_policy_document.github_actions_assume_role_policy_document: Read complete after 0s [id=1907641846]
aws_iam_role.r53_backup_role: Refreshing state... [id=operations-engineering-r53-backup-role]
aws_iam_role.github_dormant_user_role: Refreshing state... [id=github_dormant_user_role]
aws_iam_role_policy_attachment.r53_read_policy_attachment: Refreshing state... [id=operations-engineering-r53-backup-role-20240227095015143600000001]
github_actions_secret.role_arn: Refreshing state... [id=operations-engineering:AWS_DSD_R53_EXPORT_ROLE_ARN]
github_actions_secret.aws_role_arn: Refreshing state... [id=operations-engineering:GH_DORMANT_USER_AWS_ROLE_ARN]
aws_iam_role_policy_attachment.role_policy_attachment: Refreshing state... [id=github_dormant_user_role-20240422144734306600000001]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_iam_access_key.octodns_access_key will be created
  + resource "aws_iam_access_key" "octodns_access_key" {
      + create_date                    = (known after apply)
      + encrypted_secret               = (known after apply)
      + encrypted_ses_smtp_password_v4 = (known after apply)
      + id                             = (known after apply)
      + key_fingerprint                = (known after apply)
      + secret                         = (sensitive value)
      + ses_smtp_password_v4           = (sensitive value)
      + status                         = "Active"
      + user                           = "octodns-cicd-user"
    }

  # aws_iam_policy.octodns_policy will be created
  + resource "aws_iam_policy" "octodns_policy" {
      + arn         = (known after apply)
      + description = "Policy for OctoDNS to manage Route53"
      + id          = (known after apply)
      + name        = "OctoDNSPolicy"
      + name_prefix = (known after apply)
      + path        = "/"
      + policy      = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "route53:ListHostedZones",
                          + "route53:GetHostedZone",
                          + "route53:ChangeResourceRecordSets",
                          + "route53:ListResourceRecordSets",
                        ]
                      + Effect   = "Allow"
                      + Resource = "*"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + policy_id   = (known after apply)
      + tags_all    = (known after apply)
    }

  # aws_iam_user.octodns_user will be created
  + resource "aws_iam_user" "octodns_user" {
      + arn           = (known after apply)
      + force_destroy = false
      + id            = (known after apply)
      + name          = "octodns-cicd-user"
      + path          = "/"
      + tags_all      = (known after apply)
      + unique_id     = (known after apply)
    }

  # aws_iam_user_policy_attachment.octodns_user_policy_attachment will be created
  + resource "aws_iam_user_policy_attachment" "octodns_user_policy_attachment" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + user       = "octodns-cicd-user"
    }

  # github_actions_secret.octodns_aws_access_key_id will be created
  + resource "github_actions_secret" "octodns_aws_access_key_id" {
      + created_at      = (known after apply)
      + id              = (known after apply)
      + plaintext_value = (sensitive value)
      + repository      = "dns"
      + secret_name     = "OCTODNS_AWS_ACCESS_KEY_ID"
      + updated_at      = (known after apply)
    }

  # github_actions_secret.octodns_aws_secret_access_key will be created
  + resource "github_actions_secret" "octodns_aws_secret_access_key" {
      + created_at      = (known after apply)
      + id              = (known after apply)
      + plaintext_value = (sensitive value)
      + repository      = "dns"
      + secret_name     = "OCTODNS_AWS_SECRET_ACCESS_KEY"
      + updated_at      = (known after apply)
    }

Plan: 6 to add, 0 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.

github-actions[bot] commented 3 months ago

🦙 MegaLinter status: ✅ SUCCESS

| Descriptor | Linter | Files | Fixed | Errors | Elapsed time |
|---|---|---|---|---|---|
| ✅ REPOSITORY | gitleaks | yes | | no | 0.84s |

See detailed report in MegaLinter reports. _Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff._

_MegaLinter is graciously provided by OX Security_

github-actions[bot] commented 3 months ago

iam plan

data.aws_iam_openid_connect_provider.github: Reading...
aws_iam_policy.github_dormant_user_policy: Refreshing state... [id=arn:aws:iam::880656497252:policy/DormantUserS3Access]
data.aws_iam_policy_document.r53_read_policy_document: Reading...
data.aws_iam_policy_document.r53_read_policy_document: Read complete after 0s [id=2046999383]
aws_iam_policy.r53_read_policy: Refreshing state... [id=arn:aws:iam::880656497252:policy/r53_read_policy]
data.aws_iam_openid_connect_provider.github: Read complete after 0s [id=arn:aws:iam::880656497252:oidc-provider/token.actions.githubusercontent.com]
data.aws_iam_policy_document.github_actions_assume_role_policy_document: Reading...
data.aws_iam_policy_document.github_actions_assume_role_policy_document: Read complete after 0s [id=1907641846]
aws_iam_role.r53_backup_role: Refreshing state... [id=operations-engineering-r53-backup-role]
aws_iam_role.github_dormant_user_role: Refreshing state... [id=github_dormant_user_role]
aws_iam_role_policy_attachment.r53_read_policy_attachment: Refreshing state... [id=operations-engineering-r53-backup-role-20240227095015143600000001]
github_actions_secret.role_arn: Refreshing state... [id=operations-engineering:AWS_DSD_R53_EXPORT_ROLE_ARN]
aws_iam_role_policy_attachment.role_policy_attachment: Refreshing state... [id=github_dormant_user_role-20240422144734306600000001]
github_actions_secret.aws_role_arn: Refreshing state... [id=operations-engineering:GH_DORMANT_USER_AWS_ROLE_ARN]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_iam_access_key.octodns_access_key will be created
  + resource "aws_iam_access_key" "octodns_access_key" {
      + create_date                    = (known after apply)
      + encrypted_secret               = (known after apply)
      + encrypted_ses_smtp_password_v4 = (known after apply)
      + id                             = (known after apply)
      + key_fingerprint                = (known after apply)
      + secret                         = (sensitive value)
      + ses_smtp_password_v4           = (sensitive value)
      + status                         = "Active"
      + user                           = "octodns-cicd-user"
    }

  # aws_iam_policy.octodns_policy will be created
  + resource "aws_iam_policy" "octodns_policy" {
      + arn         = (known after apply)
      + description = "Policy for OctoDNS to manage Route53"
      + id          = (known after apply)
      + name        = "OctoDNSPolicy"
      + name_prefix = (known after apply)
      + path        = "/"
      + policy      = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "route53:ChangeResourceRecordSets",
                          + "route53:CreateHostedZone",
                          + "route53:ListHealthChecks",
                          + "route53:ListHostedZones",
                          + "route53:ListHostedZonesByName",
                          + "route53:ListResourceRecordSets",
                        ]
                      + Effect   = "Allow"
                      + Resource = "*"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + policy_id   = (known after apply)
      + tags_all    = (known after apply)
    }

  # aws_iam_user.octodns_user will be created
  + resource "aws_iam_user" "octodns_user" {
      + arn           = (known after apply)
      + force_destroy = false
      + id            = (known after apply)
      + name          = "octodns-cicd-user"
      + path          = "/"
      + tags_all      = (known after apply)
      + unique_id     = (known after apply)
    }

  # aws_iam_user_policy_attachment.octodns_user_policy_attachment will be created
  + resource "aws_iam_user_policy_attachment" "octodns_user_policy_attachment" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + user       = "octodns-cicd-user"
    }

  # github_actions_secret.octodns_aws_access_key_id will be created
  + resource "github_actions_secret" "octodns_aws_access_key_id" {
      + created_at      = (known after apply)
      + id              = (known after apply)
      + plaintext_value = (sensitive value)
      + repository      = "dns"
      + secret_name     = "OCTODNS_AWS_ACCESS_KEY_ID"
      + updated_at      = (known after apply)
    }

  # github_actions_secret.octodns_aws_secret_access_key will be created
  + resource "github_actions_secret" "octodns_aws_secret_access_key" {
      + created_at      = (known after apply)
      + id              = (known after apply)
      + plaintext_value = (sensitive value)
      + repository      = "dns"
      + secret_name     = "OCTODNS_AWS_SECRET_ACCESS_KEY"
      + updated_at      = (known after apply)
    }

Plan: 6 to add, 0 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.
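A plan gate of the kind a reviewer might run before applying this change, as an added example that is not code from the operations-engineering repository: it reads the `resource_changes` list of a `terraform show -json` plan (a constructed sample mirroring the plan above is embedded), reports IAM policies that allow non-read actions on `Resource = "*"`, and reports creation of long-lived IAM access keys, the trade-off the PR description accepts until RBAC is available. The read-only action prefixes and the finding wording are assumptions of the example.

```python
import json

# Constructed sample mirroring the resource_changes of the plan above
# (only the fields this check reads are included; shape is that of `terraform show -json`).
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_iam_access_key.octodns_access_key", "type": "aws_iam_access_key",
     "change": {"actions": ["create"], "after": {"user": "octodns-cicd-user"}}},
    {"address": "aws_iam_policy.octodns_policy", "type": "aws_iam_policy",
     "change": {"actions": ["create"], "after": {"name": "OctoDNSPolicy", "policy": json.dumps({
         "Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
         "Action": ["route53:ChangeResourceRecordSets", "route53:CreateHostedZone",
                    "route53:ListHostedZones"]}]})}}},
]}

READ_PREFIXES = ("List", "Get", "Describe")  # assumption: treated as read-only operations

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def wildcard_write_actions(policy_json):
    """Return the non-read-only actions an IAM policy allows on Resource "*"."""
    stmts = json.loads(policy_json).get("Statement", [])
    if isinstance(stmts, dict):          # a single statement may be a bare object
        stmts = [stmts]
    found = []
    for s in stmts:
        if s.get("Effect") != "Allow" or "*" not in _as_list(s.get("Resource")):
            continue
        for action in _as_list(s.get("Action")):
            op = action.split(":", 1)[-1]  # "route53:GetHostedZone" -> "GetHostedZone"
            if not op.startswith(READ_PREFIXES):
                found.append(action)
    return found

def review_plan(plan):
    """Return (resource address, finding) pairs for resources the plan creates."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if "create" not in rc["change"].get("actions", []):
            continue
        after = rc["change"].get("after") or {}
        if rc["type"] == "aws_iam_access_key":
            findings.append((rc["address"], "creates a long-lived access key for %s" % after.get("user")))
        elif rc["type"] == "aws_iam_policy":
            writes = wildcard_write_actions(after.get("policy", "{}"))
            if writes:
                findings.append((rc["address"], 'allows %s on Resource "*"' % ", ".join(writes)))
    return findings
```

Call `review_plan(json.load(open("plan.json")))` on the output of `terraform show -json plan.out` to run it against a real plan.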

github-actions[bot] commented 3 months ago

Your PR is applying here: https://github.com/ministryofjustice/operations-engineering/actions/workflows/cicd-terraform-dsd-iam.yml?query=event%3Apush+branch%3Amain