chore: remove secretmanager and kms permissions from workload (#60)

iru · web-flow · commit 7a1805873acd · 2022-02-10T19:15:54.000+01:00
* chore: remove secretmanager and kms permissions from workload as they're not required
* doc: ssm usage
* chore: small changes for future permission refact
diff --git a/modules/infrastructure/permissions/cloud-scanning/main.tf b/modules/infrastructure/permissions/cloud-scanning/main.tf
@@ -44,7 +44,8 @@ data "aws_iam_policy_document" "cloud_scanner" {
       "ecr:ListTagsForResource",
       "ecr:DescribeImageScanFindings"
     ]
-    resources = ["*"] # TODO. make an input-var out of this, so user can pin it to its own ECR ARN's
+    resources = ["*"]
+    # resources = var.is_organizational ? ["arn:aws:ecr:*:*:repository/*", "arn:aws:ecr-public::*:repository/*", "arn:aws:ecr-public::*:registry/*"] : ["arn:aws:ecr-public::${data.aws_caller_identity.me.account_id}:repository/*", "arn:aws:ecr-public::${data.aws_caller_identity.me.account_id}:repository/*", "arn:aws:ecr-public::${data.aws_caller_identity.me.account_id}:registry/*"]O. make an input-var out of this, so user can pin it to its own ECR ARN's
   }
 
   statement {
@@ -53,16 +54,7 @@ data "aws_iam_policy_document" "cloud_scanner" {
     actions = [
       "ecs:DescribeTaskDefinition"
     ]
-    resources = ["*"] # TODO
-  }
-
-  statement {
-    sid    = "AllowScanningTo" # TODO
-    effect = "Allow"
-    actions = [
-      "kms:Decrypt",
-      "secretsmanager:GetSecretValue"
-    ]
-    resources = ["*"] # TODO
+    resources = ["*"]
+    #resources = [var.is_organizational?"arn:aws:ecs:*:425287181461:cluster/*":var.ecs_cluster_name] # TODO pin-down
   }
 }
diff --git a/modules/infrastructure/ssm/README.md b/modules/infrastructure/ssm/README.md
@@ -1,6 +1,9 @@
-# AWS Security Manager
+# AWS System Manager
 
 
+Sysdig Secure for Cloud uses [ssm](https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html) in order to store the `sysdig_secure_api_token` parameter in its "Parameter Store"
+and pass it, in a safe way, to all the modules that require it.
+
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 
diff --git a/modules/services/cloud-connector/README.md b/modules/services/cloud-connector/README.md
@@ -34,7 +34,6 @@ A task deployed on an **ECS deployment** will detect events in your infrastructu
 | [aws_iam_role.task](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy.ecr_reader](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.execution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
-| [aws_iam_role_policy.secrets_reader](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.task](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.task_definition_reader](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.task_read_parameters](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
@@ -49,7 +48,6 @@ A task deployed on an **ECS deployment** will detect events in your infrastructu
 | [aws_iam_policy_document.execution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.execution_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.iam_role_task_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.secrets_reader](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.task_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.task_definition_reader](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.task_read_parameters](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
diff --git a/modules/services/cloud-connector/permissions.tf b/modules/services/cloud-connector/permissions.tf
@@ -52,13 +52,15 @@ data "aws_iam_policy_document" "iam_role_task_policy" {
       "s3:ListBucket",
     ]
     resources = ["*"]
+    # resources = [var.cloudtrail_s3_arn # would need this as param]
   }
   statement {
     effect = "Allow"
     actions = [
       "sts:AssumeRole",
     ]
     resources = ["*"]
+    #    resources = [var.connector_ecs_task_role_name]
   }
 
   statement {
@@ -107,24 +109,7 @@ data "aws_iam_policy_document" "task_definition_reader" {
       "ecs:DescribeTaskDefinition"
     ]
     resources = ["*"]
-  }
-}
-
-
-resource "aws_iam_role_policy" "secrets_reader" {
-  name   = "SecretsReader"
-  role   = local.ecs_task_role_id
-  policy = data.aws_iam_policy_document.secrets_reader.json
-}
-
-data "aws_iam_policy_document" "secrets_reader" {
-  statement {
-    effect = "Allow"
-    actions = [
-      "kms:Decrypt",
-      "secretsmanager:GetSecretValue"
-    ]
-    resources = ["*"]
+    #    resources = var.is_organizational?["arn:aws:ecs:*:*:cluster/*"]:["arn:aws:ecs:*:${data.aws_caller_identity.me.account_id}:cluster/${var.ecs_cluster_name}"]
   }
 }
 
@@ -155,6 +140,7 @@ data "aws_iam_policy_document" "ecr_reader" {
       "ecr:DescribeImageScanFindings"
     ]
     resources = ["*"]
+    # resources = var.is_organizational ? ["arn:aws:ecr:*:*:repository/*", "arn:aws:ecr-public::*:repository/*", "arn:aws:ecr-public::*:registry/*"] : ["arn:aws:ecr-public::${data.aws_caller_identity.me.account_id}:repository/*", "arn:aws:ecr-public::${data.aws_caller_identity.me.account_id}:repository/*", "arn:aws:ecr-public::${data.aws_caller_identity.me.account_id}:registry/*"]
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,8 @@ data "aws_iam_policy_document" "cloud_scanner" {`
`44`	`44`	`"ecr:ListTagsForResource",`
`45`	`45`	`"ecr:DescribeImageScanFindings"`
`46`	`46`	`]`
`47`		`- resources = ["*"] # TODO. make an input-var out of this, so user can pin it to its own ECR ARN's`
	`47`	`+ resources = ["*"]`
	`48`	`+ # resources = var.is_organizational ? ["arn:aws:ecr:::repository/", "arn:aws:ecr-public:::repository/", "arn:aws:ecr-public:::registry/"] : ["arn:aws:ecr-public::${data.aws_caller_identity.me.account_id}:repository/", "arn:aws:ecr-public::${data.aws_caller_identity.me.account_id}:repository/", "arn:aws:ecr-public::${data.aws_caller_identity.me.account_id}:registry/"]O. make an input-var out of this, so user can pin it to its own ECR ARN's`
`48`	`49`	`}`
`49`	`50`
`50`	`51`	`statement {`
`@@ -53,16 +54,7 @@ data "aws_iam_policy_document" "cloud_scanner" {`
`53`	`54`	`actions = [`
`54`	`55`	`"ecs:DescribeTaskDefinition"`
`55`	`56`	`]`
`56`		`- resources = ["*"] # TODO`
`57`		`- }`
`58`		`-`
`59`		`- statement {`
`60`		`- sid = "AllowScanningTo" # TODO`
`61`		`- effect = "Allow"`
`62`		`- actions = [`
`63`		`- "kms:Decrypt",`
`64`		`- "secretsmanager:GetSecretValue"`
`65`		`- ]`
`66`		`- resources = ["*"] # TODO`
	`57`	`+ resources = ["*"]`
	`58`	`+ #resources = [var.is_organizational?"arn:aws:ecs::425287181461:cluster/":var.ecs_cluster_name] # TODO pin-down`
`67`	`59`	`}`
`68`	`60`	`}`
Original file line number	Diff line number	Diff line change
`@@ -52,13 +52,15 @@ data "aws_iam_policy_document" "iam_role_task_policy" {`
`52`	`52`	`"s3:ListBucket",`
`53`	`53`	`]`
`54`	`54`	`resources = ["*"]`
	`55`	`+ # resources = [var.cloudtrail_s3_arn # would need this as param]`
`55`	`56`	`}`
`56`	`57`	`statement {`
`57`	`58`	`effect = "Allow"`
`58`	`59`	`actions = [`
`59`	`60`	`"sts:AssumeRole",`
`60`	`61`	`]`
`61`	`62`	`resources = ["*"]`
	`63`	`+ # resources = [var.connector_ecs_task_role_name]`
`62`	`64`	`}`
`63`	`65`
`64`	`66`	`statement {`
`@@ -107,24 +109,7 @@ data "aws_iam_policy_document" "task_definition_reader" {`
`107`	`109`	`"ecs:DescribeTaskDefinition"`
`108`	`110`	`]`
`109`	`111`	`resources = ["*"]`
`110`		`- }`
`111`		`-}`
`112`		`-`
`113`		`-`
`114`		`-resource "aws_iam_role_policy" "secrets_reader" {`
`115`		`- name = "SecretsReader"`
`116`		`- role = local.ecs_task_role_id`
`117`		`- policy = data.aws_iam_policy_document.secrets_reader.json`
`118`		`-}`
`119`		`-`
`120`		`-data "aws_iam_policy_document" "secrets_reader" {`
`121`		`- statement {`
`122`		`- effect = "Allow"`
`123`		`- actions = [`
`124`		`- "kms:Decrypt",`
`125`		`- "secretsmanager:GetSecretValue"`
`126`		`- ]`
`127`		`- resources = ["*"]`
	`112`	`+ # resources = var.is_organizational?["arn:aws:ecs:::cluster/"]:["arn:aws:ecs::${data.aws_caller_identity.me.account_id}:cluster/${var.ecs_cluster_name}"]`
`128`	`113`	`}`
`129`	`114`	`}`
`130`	`115`
`@@ -155,6 +140,7 @@ data "aws_iam_policy_document" "ecr_reader" {`
`155`	`140`	`"ecr:DescribeImageScanFindings"`
`156`	`141`	`]`
`157`	`142`	`resources = ["*"]`
	`143`	`+ # resources = var.is_organizational ? ["arn:aws:ecr:::repository/", "arn:aws:ecr-public:::repository/", "arn:aws:ecr-public:::registry/"] : ["arn:aws:ecr-public::${data.aws_caller_identity.me.account_id}:repository/", "arn:aws:ecr-public::${data.aws_caller_identity.me.account_id}:repository/", "arn:aws:ecr-public::${data.aws_caller_identity.me.account_id}:registry/"]`
`158`	`144`	`}`
`159`	`145`	`}`
`160`	`146`