fix: Conditionally create default NonSecureTransportAccessedViaMountTarget policy statement #35

Conversation

@magreenbaum magreenbaum commented Nov 13, 2024

Description

The statement for NonSecureTransportAccessedViaMountTarget overrides any restricted permissions to IAM principals and actions that are passed into policy_statements. We can check if policy_statements are passed in and if not then create the mentioned statement.

Other options would be to create a separate new variable like use_default_deny_nonsecure_transport_policy but this may be redundant if we pass in policy_statement to customize access. We could also remove the NonSecureTransportAccessedViaMountTarget statement altogether and require users to pass in any additional permissions via policy_statement. That would make it a breaking change though.

Motivation and Context

Closes: #30

Breaking Changes

Potentially if users are passing in policy_statements to restrict IAM principals but are still making use of the allow all IAM principals (and related actions) that NonSecureTransportAccessedViaMountTarget provides instead. In that case, the NonSecureTransportAccessedViaMountTarget statement will be removed.

How Has This Been Tested?

  • I have updated at least one of the examples/* to demonstrate and validate my change(s)
  • I have tested and validated these changes using one or more of the provided examples/* projects
  • I have executed pre-commit run -a on my pull request
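As an added illustration of the conditional described in this PR (example code, not the module's own source): the default allow-all-principals statement is emitted only when `policy_statements` is empty, so a caller who narrows principals via `policy_statements` no longer gets it re-widened. The exact action list, the `elasticfilesystem:AccessedViaMountTarget` condition key, and the map shape of caller-supplied statements are assumptions for this example.

```hcl
variable "deny_nonsecure_transport" {
  type    = bool
  default = true
}
# Caller-supplied statements; when non-empty they replace the default allow below.
variable "policy_statements" {
  type    = any
  default = []
}
locals {
  # The default allow-all-principals statement is created only when the caller
  # has not passed their own policy_statements (the change this PR makes).
  create_default_allow = var.deny_nonsecure_transport && length(var.policy_statements) == 0
}
data "aws_iam_policy_document" "this" {
  # Unconditional before the fix, so it widened a caller's restricted
  # policy_statements back to "all principals" (issue #30).
  dynamic "statement" {
    for_each = local.create_default_allow ? [1] : []
    content {
      sid     = "NonSecureTransportAccessedViaMountTarget"
      effect  = "Allow"
      actions = ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"]
      principals {
        type        = "AWS"
        identifiers = ["*"]
      }
      condition {
        test     = "Bool"
        variable = "elasticfilesystem:AccessedViaMountTarget"
        values   = ["true"]
      }
    }
  }
  # Caller statements; each assumed to be a map with sid, actions and principal ARNs.
  dynamic "statement" {
    for_each = var.policy_statements
    content {
      sid     = statement.value.sid
      effect  = "Allow"
      actions = statement.value.actions
      principals {
        type        = "AWS"
        identifiers = statement.value.principals
      }
    }
  }
}
```

Running `terraform plan` with a non-empty `policy_statements` should show the rendered policy JSON without the `NonSecureTransportAccessedViaMountTarget` sid, which is the quickest check that restricted principals are not being re-widened.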

@antonbabenko antonbabenko changed the title fix: Conditionally create default NonSecureTransportAccessedViaMountTarget statement only if policy_statements is not provided fix: Conditionally create default NonSecureTransportAccessedViaMountTarget policy statement Nov 21, 2024
@antonbabenko antonbabenko merged commit 7c58eb1 into terraform-aws-modules:master Nov 21, 2024
7 checks passed
@antonbabenko

Thank you, @magreenbaum !

antonbabenko pushed a commit that referenced this pull request Nov 21, 2024
## [1.6.5](v1.6.4...v1.6.5) (2024-11-21)

### Bug Fixes

* Conditionally create default `NonSecureTransportAccessedViaMountTarget` policy statement ([#35](#35)) ([7c58eb1](7c58eb1))
@antonbabenko

This PR is included in version 1.6.5 🎉

@magreenbaum magreenbaum deleted the fix/deny_nonsecure_transport_default_policy branch November 21, 2024 23:46
Successfully merging this pull request may close these issues.

deny_nonsecure_transport grants read-write access to all principals