ooni / devops


fix: dynamoDB permissions #22

Closed DecFox closed 3 months ago

DecFox commented 3 months ago

Closes #21

This diff extends the dynamoDB permissions for the oonidevops-github-policy.

github-actions[bot] commented 3 months ago

Terraform Run Output 🤖

Format and Style 🖌 success

Initialization ⚙️ success

Validation 🤖 success

Validation Output

```
$ terraform validate
Success! The configuration is valid.
```

Plan 📖 success

Show Plan

```
$ terraform plan
Acquiring state lock. This may take a few moments...
```

Pusher @DecFox
Action pull_request
Environment dev
Workflow .github/workflows/check_terraform.yml
Last updated Thu, 14 Mar 2024 17:53:24 GMT

github-actions[bot] commented 3 months ago

Ansible Run Output 🤖

Ansible Playbook Recap 🔍

Ansible playbook output 📖 success

Show Execution

```
$ ansible-playbook playbook.yml --check --diff -i ../tf/modules/ansible_inventory/inventories/inventory-dev.ini
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'
[WARNING]: Could not match supplied host pattern, ignoring: clickhouse_servers

PLAY [ClickHouse servers] ******************************************************
skipping: no hosts matched

PLAY RECAP *********************************************************************
```

Pusher @DecFox
Action pull_request
Working Directory
Workflow .github/workflows/check_ansible.yml
Last updated Thu, 14 Mar 2024 17:53:56 GMT

hellais commented 3 months ago

If we want to allow all permissions on dynamodb, should we then perhaps scope the permissions to arn:aws:dynamodb:eu-central-1:905418398257:table/oonidevops-dev-terraform-state-lock, where 905418398257 is ooni_dev_org_id, so that if we end up using dynamodb for something else that isn't the terraform state lock we aren't giving full permissions to github?
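
The scoping suggested in the comment above can be enforced as a check on the rendered policy JSON. This is an added example, not code from the ooni/devops repository: the function names and both sample policy documents are constructed, and only the table ARN is taken from the comment.

```python
import fnmatch

# ARN quoted in the review comment above; everything else here is constructed.
LOCK_TABLE_ARN = ("arn:aws:dynamodb:eu-central-1:905418398257:"
                  "table/oonidevops-dev-terraform-state-lock")

def _as_list(value):
    """IAM lets Action and Resource be either one string or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def _grants_dynamodb(action):
    """True if an action pattern ("dynamodb:*", "*", ...) covers DynamoDB."""
    service = action.partition(":")[0].lower()
    return fnmatch.fnmatchcase("dynamodb", service)

def overbroad_dynamodb_grants(policy, allowed_arn=LOCK_TABLE_ARN):
    """Return (sid, resource) pairs where an Allow statement grants DynamoDB
    actions on anything other than the allowed table or its sub-resources."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{index}]")
        # "Everything except ..." grants cannot be confined by this check,
        # so they are flagged for manual review.
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((sid, "NotAction/NotResource"))
            continue
        if not any(_grants_dynamodb(a) for a in _as_list(stmt.get("Action"))):
            continue
        for resource in _as_list(stmt.get("Resource")):
            if resource != allowed_arn and not resource.startswith(allowed_arn + "/"):
                findings.append((sid, resource))
    return findings

# Constructed sample policies: all DynamoDB actions, unscoped vs. scoped.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DynamoDBAll", "Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DynamoDBAll", "Effect": "Allow", "Action": "dynamodb:*",
     "Resource": LOCK_TABLE_ARN}]}

if __name__ == "__main__":
    print("broad :", overbroad_dynamodb_grants(BROAD_POLICY))
    print("scoped:", overbroad_dynamodb_grants(SCOPED_POLICY))
```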