BFD-3583: Update GHA IAM Role with permissions to apply static-site T…

…erraservice (#2430)
CMSgov · Sep 12, 2024 · 093db53 · 093db53
1 parent bd6e135
commit 093db53
Show file tree

Hide file tree

Showing 7 changed files with 250 additions and 21 deletions.
diff --git a/ops/terraform/env/mgmt/data-sources.tf b/ops/terraform/env/mgmt/data-sources.tf
@@ -57,3 +57,10 @@ data "aws_ssm_parameter" "cpm_aws_account_arn" {
 data "aws_ssm_parameters_by_path" "common_sensitive" {
   path = "/bfd/${local.env}/common/sensitive"
 }
+
+data "aws_ec2_managed_prefix_list" "vpn" {
+  filter {
+    name   = "prefix-list-name"
+    values = ["cmscloud-vpn"]
+  }
+}
diff --git a/ops/terraform/env/mgmt/github-actions-iam.tf b/ops/terraform/env/mgmt/github-actions-iam.tf
@@ -101,6 +101,239 @@ resource "aws_iam_policy" "github_actions_ecr" {
   )
 }
 
+resource "aws_iam_policy" "github_actions_tf_state" {
+  name        = "bfd-${local.env}-gha-tf-state"
+  description = "Grants permissions necessary for GHA to modify/read Terraform state"
+  path        = "/"
+  policy = jsonencode(
+    {
+      Statement = [
+        {
+          Sid    = "AllowTerraformDynamoStateManagement"
+          Effect = "Allow"
+          Action = [
+            "dynamodb:DeleteItem",
+            "dynamodb:GetItem",
+            "dynamodb:PutItem"
+          ]
+          Resource = "arn:aws:dynamodb:${local.region}:${local.account_id}:table/bfd-tf-table"
+        },
+        {
+          Sid    = "AllowTerraformS3StateManagement"
+          Effect = "Allow"
+          Action = [
+            "s3:ListBucket",
+            "s3:GetObject*",
+            "s3:PutObject*"
+          ]
+          Resource = ["arn:aws:s3:::bfd-tf-state", "arn:aws:s3:::bfd-tf-state/*"]
+        },
+        {
+          Sid    = "AllowDescribeAndUseOfStateCMK"
+          Effect = "Allow"
+          Action = [
+            "kms:Encrypt",
+            "kms:Decrypt",
+            "kms:ReEncrypt*",
+            "kms:GenerateDataKey*",
+            "kms:DescribeKey"
+          ]
+          Resource = data.aws_kms_key.tf_state.arn
+        },
+      ]
+      Version = "2012-10-17"
+    }
+  )
+}
+
+resource "aws_iam_policy" "github_actions_tf_logs" {
+  name        = "bfd-${local.env}-gha-tf-logs"
+  description = "Grants permissions necessary for GHA to submit Terraform logs to CloudWatch Logs"
+  path        = "/"
+  policy = jsonencode(
+    {
+      Statement = [
+        {
+          Sid    = "AllowCloudWatchLogsDescribeActions"
+          Effect = "Allow"
+          Action = [
+            "logs:DescribeLogGroups",
+            "logs:DescribeLogStreams"
+          ]
+          Resource = "*"
+        },
+        {
+          Sid    = "AllowCloudWatchLogStreamActions"
+          Effect = "Allow"
+          Action = [
+            "logs:CreateLogStream",
+            "logs:PutLogEvents"
+          ]
+          Resource = [
+            "arn:aws:logs:${local.region}:${local.account_id}:log-group:*:log-stream:*"
+          ]
+        },
+        {
+          Sid    = "AllowDescribeAndEncryptWithDataCMKs"
+          Effect = "Allow"
+          Action = [
+            "kms:Encrypt",
+            "kms:GenerateDataKey*",
+            "kms:DescribeKey"
+          ]
+          Resource = local.all_kms_data_key_arns
+        }
+      ]
+      Version = "2012-10-17"
+    }
+  )
+}
+
+# FUTURE: When IAM Role-based permissions are introduced, refactor this policy out into a generic resource
+resource "aws_iam_policy" "github_actions_static_site" {
+  name = "bfd-${local.env}-static-site"
+  description = join("", [
+    "Grants permissions necessary to apply the static-site Terraservice and manipulate the Static",
+    " Site artifacts in any environment"
+  ])
+  path = "/"
+  policy = jsonencode(
+    {
+      Statement = [
+        {
+          Sid = "AllowAllCloudfrontActions"
+          Action = [
+            "cloudfront:*"
+          ]
+          Effect   = "Allow"
+          Resource = "*"
+        },
+        {
+          Sid    = "AllowManagementOfStaticSiteBuckets"
+          Effect = "Allow"
+          Action = [
+            "s3:CreateBucket*",
+            "s3:PutBucket*",
+            "s3:GetBucket*",
+            "s3:ListBucket*",
+            "s3:DeleteBucket*",
+            "s3:*LifecycleConfiguration",
+            "s3:*EncryptionConfiguration",
+            "s3:*AccelerateConfiguration",
+            "s3:*ReplicationConfiguration"
+          ]
+          Resource = ["arn:aws:s3:::bfd-*-static", "arn:aws:s3:::bfd-*-staticlogging"]
+        },
+        {
+          Sid    = "AllowFullControlOfStaticSiteBucketObjects"
+          Effect = "Allow"
+          Action = [
+            "s3:CreateObject*",
+            "s3:PutObject*",
+            "s3:GetObject*",
+            "s3:ListObject*",
+            "s3:DeleteObject*",
+            "s3:AbortMultipartUpload",
+            "s3:ListMultipartUploadParts"
+          ]
+          Resource = ["arn:aws:s3:::bfd-*-static/*", "arn:aws:s3:::bfd-*-staticlogging/*"]
+        },
+        {
+          Sid    = "AllowUnconditionalDescribeActions"
+          Effect = "Allow"
+          Action = [
+            "ec2:DescribeManagedPrefixLists",
+            "ec2:DescribeRouteTables",
+            "ec2:DescribeVpcs",
+            "route53:ListHostedZones",
+            "s3:ListAllMyBuckets",
+            "sts:GetCallerIdentity"
+          ]
+          Resource = "*"
+        },
+        {
+          Sid    = "AllowGetHostedZoneParams"
+          Effect = "Allow"
+          Action = [
+            "ssm:GetParameter"
+          ]
+          Resource = [
+            "arn:aws:ssm:${local.region}:${local.account_id}:parameter/bfd/mgmt/common/sensitive/r53_hosted_zone_root_domain",
+            "arn:aws:ssm:${local.region}:${local.account_id}:parameter/bfd/mgmt/common/sensitive/r53_hosted_zone_root_is_private"
+          ]
+        },
+        {
+          Sid    = "AllowGetStaticSiteAndCommonParams"
+          Effect = "Allow"
+          Action = [
+            "ssm:GetParametersByPath"
+          ]
+          Resource = [
+            "arn:aws:ssm:${local.region}:${local.account_id}:parameter/bfd/*/static-site*",
+            "arn:aws:ssm:${local.region}:${local.account_id}:parameter/bfd/*/common*"
+          ]
+        },
+        {
+          Sid    = "AllowGetVpnPrefixList"
+          Effect = "Allow"
+          Action = [
+            "ec2:GetManagedPrefixListEntries"
+          ]
+          Resource = data.aws_ec2_managed_prefix_list.vpn.arn
+        },
+        {
+          Sid    = "AllowGetRootHostedZone"
+          Effect = "Allow"
+          Action = [
+            "route53:GetHostedZone"
+          ]
+          Resource = aws_route53_zone.zones["root"].arn
+        },
+        {
+          Sid    = "AllowListingRoute53ResourceRecordSets"
+          Effect = "Allow"
+          Action = [
+            "route53:ListResourceRecordSets"
+          ]
+          Resource = "arn:aws:route53:::hostedzone/*"
+        },
+        {
+          Sid    = "AllowListingRoute53Tags"
+          Effect = "Allow"
+          Action = [
+            "route53:ListTagsForResource"
+          ]
+          Resource = [
+            "arn:aws:route53:::healthcheck/*",
+            "arn:aws:route53:::hostedzone/*"
+          ]
+        },
+        {
+          Sid    = "AllowDescribeVpcAttributes"
+          Effect = "Allow"
+          Action = [
+            "ec2:DescribeVpcAttribute"
+          ]
+          Resource = "arn:aws:ec2:${local.region}:${local.account_id}:vpc/*"
+        },
+        {
+          Sid    = "AllowDescribeAndUseOfCMKs"
+          Effect = "Allow"
+          Action = [
+            "kms:Encrypt",
+            "kms:Decrypt",
+            "kms:ReEncrypt*",
+            "kms:GenerateDataKey*",
+            "kms:DescribeKey"
+          ]
+          Resource = concat(local.all_kms_config_key_arns, local.all_kms_data_key_arns)
+        }
+      ]
+      Version = "2012-10-17"
+    }
+  )
+}
+
 data "tls_certificate" "github_actions" {
   url = "https://token.actions.githubusercontent.com/.well-known/openid-configuration"
 }
@@ -119,7 +352,10 @@ resource "aws_iam_role" "github_actions" {
   managed_policy_arns = [
     aws_iam_policy.code_artifact_rw.arn,
     aws_iam_policy.github_actions_s3its.arn,
-    aws_iam_policy.github_actions_ecr.arn
+    aws_iam_policy.github_actions_ecr.arn,
+    aws_iam_policy.github_actions_tf_state.arn,
+    aws_iam_policy.github_actions_tf_logs.arn,
+    aws_iam_policy.github_actions_static_site.arn
   ]
 
   assume_role_policy = jsonencode(

diff --git a/ops/terraform/env/mgmt/main.tf b/ops/terraform/env/mgmt/main.tf
@@ -28,6 +28,7 @@ locals {
   init_fail_alarm_name  = "bfd-${local.env}-cloud-init-failure"
   #
 
+  all_kms_data_key_arns = concat(values(aws_kms_key.data_keys)[*].arn, values(aws_kms_key.data_keys_alt)[*].arn)
   all_kms_config_key_arns = flatten(
     [
       for v in concat(

diff --git a/ops/terraform/services/static-site/README.md b/ops/terraform/services/static-site/README.md
@@ -32,9 +32,7 @@ terraform apply
 
 ## Inputs
 
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| <a name="input_bfd_version_override"></a> [bfd\_version\_override](#input\_bfd\_version\_override) | BFD release version override. When empty, defaults to resolving the release version from GitHub releases. | `string` | `null` | no |
+No inputs.
 
 <!-- GENERATED WITH `terraform-docs .`
      Manually updating the README.md will be overwritten.
@@ -50,7 +48,6 @@ terraform apply
 | [aws_cloudfront_origin_access_control.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_control) | resource |
 | [aws_s3_bucket.cloudfront_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket.static_site](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
-| [aws_s3_bucket_acl.cloudfront_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
 | [aws_s3_bucket_logging.static_site](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
 | [aws_s3_bucket_ownership_controls.cloudfront_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
 | [aws_s3_bucket_ownership_controls.static_site](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |

diff --git a/ops/terraform/services/static-site/main.tf b/ops/terraform/services/static-site/main.tf
@@ -14,11 +14,9 @@ locals {
     role  = local.service
     SaaS  = "Cloudfront"
   }
-  env                = module.terraservice.env
-  seed_env           = module.terraservice.seed_env
-  is_ephemeral_env   = module.terraservice.is_ephemeral_env
-  latest_bfd_release = module.terraservice.latest_bfd_release
-  bfd_version        = var.bfd_version_override == null ? local.latest_bfd_release : var.bfd_version_override
+
+  env      = module.terraservice.env
+  seed_env = module.terraservice.seed_env
 
   service   = "static-site"
   layer     = "data"

diff --git a/ops/terraform/services/static-site/s3.tf b/ops/terraform/services/static-site/s3.tf
@@ -1,5 +1,5 @@
 resource "aws_s3_bucket" "static_site" {
-  bucket = local.is_ephemeral_env ? null : local.static_cloudfront_name
+  bucket = local.static_cloudfront_name
 
   tags = {
     Layer = "static-${local.layer}",
@@ -71,11 +71,6 @@ resource "aws_s3_bucket_ownership_controls" "cloudfront_logging" {
   }
 }
 
-resource "aws_s3_bucket_acl" "cloudfront_logging" {
-  bucket = aws_s3_bucket.cloudfront_logging.bucket
-  acl    = "log-delivery-write"
-}
-
 resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront_logging" {
   bucket = aws_s3_bucket.cloudfront_logging.bucket
   rule {

diff --git a/ops/terraform/services/static-site/variables.tf b/ops/terraform/services/static-site/variables.tf