diff --git a/postgres/database-dump/locals.tf b/postgres/database-dump/locals.tf
index dd3e7c072..42dfd75a5 100644
--- a/postgres/database-dump/locals.tf
+++ b/postgres/database-dump/locals.tf
@@ -11,6 +11,8 @@ locals {
 dump_kms_key_alias = "alias/${local.task_name}"
 dump_bucket_name = local.task_name
+ ecr_repository_arn = "arn:aws:ecr-public::763451185160:repository/database-copy"
+
 s3_permissions = [
 "s3:ListBucket",
 "s3:PutObject",
diff --git a/postgres/database-dump/main.tf b/postgres/database-dump/main.tf
index 43f7b8c33..87c9afbc4 100644
--- a/postgres/database-dump/main.tf
+++ b/postgres/database-dump/main.tf
@@ -1,22 +1,30 @@
 data "aws_caller_identity" "current" {}
 data "aws_iam_policy_document" "allow_task_creation" {
- # TODO: fix these in next iteration of DBTP:1109
- # checkov:skip=CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
- # checkov:skip=CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
 statement {
- sid = "AllowTaskCreation"
+ sid = "AllowPullFromEcr"
 effect = "Allow"
 actions = [
 "ecr:GetAuthorizationToken",
 "ecr:BatchCheckLayerAvailability",
 "ecr:GetDownloadUrlForLayer",
- "ecr:BatchGetImage",
+ "ecr:BatchGetImage"
+ ]
+ resources = [local.ecr_repository_arn]
+ }
+
+ statement {
+ sid = "AllowLogs"
+ effect = "Allow"
+ actions = [
 "logs:CreateLogGroup",
 "logs:CreateLogStream",
 "logs:PutLogEvents"
 ]
- resources = ["*"]
+ resources = [
+ "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:/ecs/${local.task_name}",
+ "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:/ecs/${local.task_name}:log-stream:*",
+ ]
 }
 }
diff --git a/postgres/database-dump/tests/unit.tftest.hcl b/postgres/database-dump/tests/unit.tftest.hcl
index fbbd74775..01a755bfb 100644
--- a/postgres/database-dump/tests/unit.tftest.hcl
+++ b/postgres/database-dump/tests/unit.tftest.hcl
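Review bot: The added `ecr_repository_arn` local is a bare account ID plus repository name with nothing saying what it is, and the identical literal is added again in postgres/database-load/locals.tf. A one-line comment above it would help the next reader, e.g. `# ecr-public repository holding the database-copy image (same value is declared in database-load)`. If the two modules are meant to stay in lockstep, a shared variable would stop the two copies drifting apart.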
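Review bot: `ecr:GetAuthorizationToken` in the new AllowPullFromEcr statement will not actually be granted, because that action does not support resource-level permissions and only takes effect with `resources = ["*"]`; the same statement is added in postgres/database-load/main.tf. The other three actions live in the private-registry `ecr:` namespace, whereas `local.ecr_repository_arn` is an `arn:aws:ecr-public::…` ARN that is matched by the `ecr-public:` action namespace, so this statement presumably matches no resource and the task likely keeps working only because ECS pulls public images without credentials. If the image really is pulled anonymously the statement can go; if a private pull is intended, put GetAuthorizationToken in its own `resources = ["*"]` statement and point the remaining actions at the private repository ARN. Separately, the two log ARNs hard-code `eu-west-2`; a `data "aws_region" "current" {}` lookup would keep them in step with the provider region.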
@@ -29,17 +29,17 @@ run "data_dump_unit_test" {
 }
 assert {
- condition = contains(jsondecode(data.aws_iam_policy_document.allow_task_creation.json).Statement[0].Action, "logs:CreateLogGroup")
+ condition = contains(jsondecode(data.aws_iam_policy_document.allow_task_creation.json).Statement[1].Action, "logs:CreateLogGroup")
 error_message = "Permission not found: logs:CreateLogGroup"
 }
 assert {
- condition = contains(jsondecode(data.aws_iam_policy_document.allow_task_creation.json).Statement[0].Action, "logs:CreateLogStream")
+ condition = contains(jsondecode(data.aws_iam_policy_document.allow_task_creation.json).Statement[1].Action, "logs:CreateLogStream")
 error_message = "Permission not found: logs:CreateLogStream"
 }
 assert {
- condition = contains(jsondecode(data.aws_iam_policy_document.allow_task_creation.json).Statement[0].Action, "logs:PutLogEvents")
+ condition = contains(jsondecode(data.aws_iam_policy_document.allow_task_creation.json).Statement[1].Action, "logs:PutLogEvents")
 error_message = "Permission not found: logs:PutLogEvents"
 }
diff --git a/postgres/database-load/locals.tf b/postgres/database-load/locals.tf
index fcec72dcf..50c42007b 100644
--- a/postgres/database-load/locals.tf
+++ b/postgres/database-load/locals.tf
@@ -13,6 +13,8 @@ locals {
 dump_kms_key_alias = "alias/${local.dump_task_name}"
 dump_bucket_name = local.dump_task_name
+ ecr_repository_arn = "arn:aws:ecr-public::763451185160:repository/database-copy"
+
 s3_permissions = [
 "s3:ListBucket",
 "s3:GetObject",
diff --git a/postgres/database-load/main.tf b/postgres/database-load/main.tf
index 2451a7a11..fbf398c10 100644
--- a/postgres/database-load/main.tf
+++ b/postgres/database-load/main.tf
@@ -1,3 +1,5 @@
+data "aws_caller_identity" "current" {}
+
 data "aws_kms_key" "data_dump_kms_key" {
 key_id = local.dump_kms_key_alias
 }
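Review bot: The three assertions only move from `Statement[0]` to `Statement[1]` and still check action names, so nothing in the test pins the resource scoping that is the point of this commit; the same gap applies to the parallel hunk in postgres/database-load/tests/unit.tftest.hcl. If the `resources = ["*"]` line ever came back, every assertion here would still pass. One extra assert per statement that rejects a wildcard resource would guard the regression (wrapping the value in `flatten([...])` so it works whether the provider renders one resource as a string or several as a list); the `run` block containing these asserts starts and ends outside the hunk.
```hcl
assert {
  condition     = !contains(flatten([jsondecode(data.aws_iam_policy_document.allow_task_creation.json).Statement[0].Resource]), "*")
  error_message = "AllowPullFromEcr must not use a wildcard resource"
}

assert {
  condition     = !contains(flatten([jsondecode(data.aws_iam_policy_document.allow_task_creation.json).Statement[1].Resource]), "*")
  error_message = "AllowLogs must not use a wildcard resource"
}
```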
@@ -7,22 +9,30 @@ data "aws_s3_bucket" "data_dump_bucket" {
 }
 data "aws_iam_policy_document" "allow_task_creation" {
- # TODO: fix these in next iteration of DBTP:1109
- # checkov:skip=CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
- # checkov:skip=CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
 statement {
- sid = "AllowTaskCreation"
+ sid = "AllowPullFromEcr"
 effect = "Allow"
 actions = [
 "ecr:GetAuthorizationToken",
 "ecr:BatchCheckLayerAvailability",
 "ecr:GetDownloadUrlForLayer",
 "ecr:BatchGetImage",
+ ]
+ resources = [local.ecr_repository_arn]
+ }
+
+ statement {
+ sid = "AllowLogs"
+ effect = "Allow"
+ actions = [
 "logs:CreateLogGroup",
 "logs:CreateLogStream",
 "logs:PutLogEvents"
 ]
- resources = ["*"]
+ resources = [
+ "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:/ecs/${local.task_name}",
+ "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:/ecs/${local.task_name}:log-stream:*",
+ ]
 }
 }
diff --git a/postgres/database-load/tests/unit.tftest.hcl b/postgres/database-load/tests/unit.tftest.hcl
index b6f14fa48..f2892b915 100644
--- a/postgres/database-load/tests/unit.tftest.hcl
+++ b/postgres/database-load/tests/unit.tftest.hcl
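Review bot: The `"ecr:BatchGetImage",` line keeps its trailing comma in this file while the parallel edit in postgres/database-dump/main.tf rewrites it without one; both forms are valid HCL, but the two policy documents are otherwise line-for-line copies, so settling on one form keeps a diff between the modules clean. This hunk also references `local.task_name` in the log ARNs while the surrounding locals in this module are named `dump_task_name`; it is worth confirming that `task_name` is defined in database-load's locals, which are outside this hunk.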
@@ -57,17 +57,17 @@ run "data_load_unit_test" {
 }
 assert {
- condition = contains(jsondecode(data.aws_iam_policy_document.allow_task_creation.json).Statement[0].Action, "logs:CreateLogGroup")
+ condition = contains(jsondecode(data.aws_iam_policy_document.allow_task_creation.json).Statement[1].Action, "logs:CreateLogGroup")
 error_message = "Permission not found: logs:CreateLogGroup"
 }
 assert {
- condition = contains(jsondecode(data.aws_iam_policy_document.allow_task_creation.json).Statement[0].Action, "logs:CreateLogStream")
+ condition = contains(jsondecode(data.aws_iam_policy_document.allow_task_creation.json).Statement[1].Action, "logs:CreateLogStream")
 error_message = "Permission not found: logs:CreateLogStream"
 }
 assert {
- condition = contains(jsondecode(data.aws_iam_policy_document.allow_task_creation.json).Statement[0].Action, "logs:PutLogEvents")
+ condition = contains(jsondecode(data.aws_iam_policy_document.allow_task_creation.json).Statement[1].Action, "logs:PutLogEvents")
 error_message = "Permission not found: logs:PutLogEvents"
 }