Skip to content

PLT-1130:Create Roles and Policies for each API #253

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jun 20, 2025
Merged

PLT-1130:Create Roles and Policies for each API #253

merged 3 commits into from
Jun 20, 2025

Conversation

christopher-maboh
Copy link
Contributor

@christopher-maboh christopher-maboh commented Jun 16, 2025
edited
Loading

🎫 Ticket

https://jira.cms.gov/browse/PLT-1130

🛠 Changes

The policy was updated to separate global actions required by Snyk (ecr:GetAuthorizationToken, ecr:DescribeRepositories) from scoped repository actions, which are now restricted to only teams e.g bcda-, dpc-, ab2d-* ECR repositories.

ℹ️ Context

This change ensures each team (e.g., BCDA, AB2D, DPC) can only scan their own ECR repositories in Snyk by restricting repository-level permissions in IAM policies. While Snyk requires global access to list all repositories (ecr:DescribeRepositories), teams can only add and scan images from their respective repos.

🧪 Validation

See checks.
link to successful tf plan https://github.com/CMSgov/ab2d-bcda-dpc-platform/actions/runs/15692016486/job/44209308692?pr=253.

please note plan fails for legacy account because snyk external id's was not updated in param store for legacy account

role ARN snyk integration tested see comments and screenshot of snyk integration behavior for this role and policy on Jira ticket

@christopher-maboh christopher-maboh requested a review from gsf June 16, 2025 21:00
@christopher-maboh christopher-maboh requested a review from a team as a code owner June 16, 2025 21:00
@christopher-maboh christopher-maboh merged commit b380251 into main Jun 20, 2025
5 of 11 checks passed
@christopher-maboh christopher-maboh deleted the PLT-1130 branch June 20, 2025 15:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gfreeman-navapbc gfreeman-navapbc gfreeman-navapbc approved these changes

@juliareynolds-nava juliareynolds-nava juliareynolds-nava approved these changes

@gsf gsf Awaiting requested review from gsf

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@christopher-maboh @gfreeman-navapbc @juliareynolds-nava