From 3c428483f99b662375b49fff62c7a457a92954b6 Mon Sep 17 00:00:00 2001
From: Benettonkkb
Date: Thu, 5 Feb 2026 01:52:20 +0000
Subject: [PATCH 1/6] Separate Terraform plan and apply roles for incubator
---
 terraform/aws-gha-oidc-providers.tf | 43 +++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
diff --git a/terraform/aws-gha-oidc-providers.tf b/terraform/aws-gha-oidc-providers.tf
index 534abe2..cc906ca 100644
--- a/terraform/aws-gha-oidc-providers.tf
+++ b/terraform/aws-gha-oidc-providers.tf
@@ -9,4 +9,47 @@ module "iam_oidc_gha_incubator" {
 policy_arns = [
 "arn:aws:iam::aws:policy/AdministratorAccess"
 ]
+
+}
+module "iam_oidc_incubator_tf_plan" {
+ source = "./modules/aws-gha-oidc-providers"
+
+ role_name = "incubator-tf-plan"
+ use_wildcard = true
+ github_branch = "refs/heads/*" # concerning IAM audit, ok, as it is read-only
+ github_repo = "hackforla/incubator"
+
+ policy_arns = [
+ "arn:aws:iam::aws:policy/ReadOnlyAccess"
+ ]
+}
+resource "aws_iam_role" "incubator_tf_apply" {
+ name = "incubator-tf-apply"
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Action = "sts:AssumeRoleWithWebIdentity"
+ Principal = {
+ Federated = module.iam_oidc_gha_incubator.provider_arn
+ }
+ Condition = {
+ StringEquals = {
+ "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
+ }
+ StringLike = {
+ "token.actions.githubusercontent.com:sub" = "repo:hackforla/incubator:ref:refs/heads/main"
+ }
+ }
+ }
+ ]
+ })
 }
+
+resource "aws_iam_role_policy_attachment" "incubator_tf_apply_admin" {
+ role = aws_iam_role.incubator_tf_apply.name
+ policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}
+
From ca2eae6d35bce128ee10834283ab7ce9fe0f220e Mon Sep 17 00:00:00 2001
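Review bot: The comment on `github_branch = "refs/heads/*"` (`# concerning IAM audit, ok, as it is read-only`) understates what the attached policy grants: AWS-managed ReadOnlyAccess includes s3:Get*/s3:List* on every bucket in the account, Terraform state included, plus read access across most services, so every branch of hackforla/incubator obtains that on the whole account. Either state that explicitly, e.g. `# every branch may assume this role; ReadOnlyAccess still reads S3 objects (incl. state) and most service data`, or narrow the policy to what plan actually reads. In the incubator_tf_apply trust policy the sub value `repo:hackforla/incubator:ref:refs/heads/main` contains no wildcard, so `StringEquals` rather than `StringLike` would express the intent exactly.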
From: Benettonkkb
Date: Thu, 26 Feb 2026 02:36:17 +0000
Subject: [PATCH 2/6] Applying recommended role detail changes for plan and apply
---
 terraform/aws-gha-oidc-providers.tf | 46 ++++++++++++++++++++++-------
 1 file changed, 35 insertions(+), 11 deletions(-)
diff --git a/terraform/aws-gha-oidc-providers.tf b/terraform/aws-gha-oidc-providers.tf
index cc906ca..c537eff 100644
--- a/terraform/aws-gha-oidc-providers.tf
+++ b/terraform/aws-gha-oidc-providers.tf
@@ -11,18 +11,39 @@ module "iam_oidc_gha_incubator" {
 ]
 }
-module "iam_oidc_incubator_tf_plan" {
- source = "./modules/aws-gha-oidc-providers"
+resource "aws_iam_role" "incubator_tf_plan" {
+ name = "incubator-tf-plan"
- role_name = "incubator-tf-plan"
- use_wildcard = true
- github_branch = "refs/heads/*" # concerning IAM audit, ok, as it is read-only
- github_repo = "hackforla/incubator"
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Action = "sts:AssumeRoleWithWebIdentity"
+ Principal = {
+ Federated = module.iam_oidc_gha_incubator.provider_arn
+ }
+ Condition = {
+ StringEquals = {
+ "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
+ }
+ StringLike = {
+ "token.actions.githubusercontent.com:sub" = [
+ "repo:hackforla/incubator:ref:refs/heads/*",
+ "repo:hackforla/incubator:pull_request"
+ ]
+ }
+ }
+ }
+ ]
+ })
+}
- policy_arns = [
- "arn:aws:iam::aws:policy/ReadOnlyAccess"
- ]
+resource "aws_iam_role_policy_attachment" "incubator_tf_plan_readonly" {
+ role = aws_iam_role.incubator_tf_plan.name
+ policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
 }
+
 resource "aws_iam_role" "incubator_tf_apply" {
 name = "incubator-tf-apply"
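Review bot: The hand-written incubator_tf_plan trust policy admits `repo:hackforla/incubator:pull_request` in addition to `refs/heads/*`, and nothing in the hunk records what that means: any workflow run on the `pull_request` event that can obtain an id-token may assume this role, so every policy attached to it has to be treated as reachable from any PR to the repo that runs such a workflow. The removed module call at least carried a comment about the role being read-only; the replacement carries none, so add one on the StringLike block, e.g. `# any branch or PR workflow of this repo may assume this role; keep attached policies read-only and free of secret values`. Whether fork-originated PR runs receive an id-token depends on repository/workflow settings not visible here, so the comment should not assume they are excluded.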
@@ -40,7 +61,10 @@ resource "aws_iam_role" "incubator_tf_apply" {
 "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
 }
 StringLike = {
- "token.actions.githubusercontent.com:sub" = "repo:hackforla/incubator:ref:refs/heads/main"
+ "token.actions.githubusercontent.com:sub" = [
+ "repo:hackforla/incubator:ref:refs/heads/main",
+ "repo:hackforla/incubator:pull_request"
+ ]
 }
 }
 }
@@ -50,6 +74,6 @@ resource "aws_iam_role" "incubator_tf_apply" {
 resource "aws_iam_role_policy_attachment" "incubator_tf_apply_admin" {
 role = aws_iam_role.incubator_tf_apply.name
- policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+ policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
 }
From d62db78576edda4fb1f4d742c8af32f298014b28 Mon Sep 17 00:00:00 2001
From: Benettonkkb
Date: Thu, 12 Mar 2026 01:17:20 +0000
Subject: [PATCH 3/6] Removed Pull Request condition from incubator_tf_apply
---
 terraform/aws-gha-oidc-providers.tf | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/terraform/aws-gha-oidc-providers.tf b/terraform/aws-gha-oidc-providers.tf
index c537eff..f6ca3db 100644
--- a/terraform/aws-gha-oidc-providers.tf
+++ b/terraform/aws-gha-oidc-providers.tf
@@ -62,8 +62,7 @@ resource "aws_iam_role" "incubator_tf_apply" {
 }
 StringLike = {
 "token.actions.githubusercontent.com:sub" = [
- "repo:hackforla/incubator:ref:refs/heads/main",
- "repo:hackforla/incubator:pull_request"
+ "repo:hackforla/incubator:ref:refs/heads/main"
 ]
 }
 }
From 401f503537684d3ccde119b2a55b44b4f72aaf84 Mon Sep 17 00:00:00 2001
From: Benettonkkb
Date: Thu, 2 Apr 2026 01:04:55 +0000
Subject: [PATCH 4/6] new TF Plan read policy for secrets manager and fixed lines
---
 terraform/aws-custom-policies.tf | 4 ++++
 .../incubator-tf-plan-secrets-read-policy.json | 17 +++++++++++++++++
 terraform/aws-gha-oidc-providers.tf | 8 ++++++--
 3 files changed, 27 insertions(+), 2 deletions(-)
 create mode 100644 terraform/aws-custom-policies/incubator-tf-plan-secrets-read-policy.json
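Review bot: Adding `repo:hackforla/incubator:pull_request` to the incubator_tf_apply trust policy lets a PR-triggered workflow assume a role that holds AdministratorAccess (the attachment in the following hunk), which undoes the plan/apply separation this series introduces. PATCH 3/6 removes the entry again, so the series as a whole is consistent, but this intermediate commit should not be applied on its own. The enclosing resource and its Condition block start outside the hunk.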
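Review bot: With `pull_request` removed, the only remaining sub value `repo:hackforla/incubator:ref:refs/heads/main` contains no wildcard, so `StringEquals` instead of `StringLike` states the intent exactly and rules out an accidental glob in a future entry; the list form can stay. The reason for this commit is worth keeping in the code as well, e.g. `# apply is main-only on purpose: PR and feature-branch workflows must never reach AdministratorAccess`. The enclosing resource starts outside the hunk.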
diff --git a/terraform/aws-custom-policies.tf b/terraform/aws-custom-policies.tf
index 31edcc1..bb3112c 100644
--- a/terraform/aws-custom-policies.tf
+++ b/terraform/aws-custom-policies.tf
@@ -9,5 +9,9 @@ module "aws_custom_policies" {
 description = "Policy enforcing MFA for devops security users"
 filename = "enforce-mfa-for-users-policy.json"
 }
+ "IncubatorTfPlanSecretsRead" = {
+ description = "Allows incubator tf plan role to read specific Secrets Manager secrets needed for terraform plan"
+ filename = "incubator-tf-plan-secrets-read-policy.json"
+ }
 }
 }
diff --git a/terraform/aws-custom-policies/incubator-tf-plan-secrets-read-policy.json b/terraform/aws-custom-policies/incubator-tf-plan-secrets-read-policy.json
new file mode 100644
index 0000000..37cd9fd
--- /dev/null
+++ b/terraform/aws-custom-policies/incubator-tf-plan-secrets-read-policy.json
@@ -0,0 +1,17 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AllowReadSpecificSecretsForTerraformPlan",
+ "Effect": "Allow",
+ "Action": [
+ "secretsmanager:GetSecretValue"
+ ],
+ "Resource": [
+ "arn:aws:secretsmanager:us-west-2:035866691871:secret:home-unite-us-cognito-client*",
+ "arn:aws:secretsmanager:us-west-2:035866691871:secret:home-unite-us-google-clientid*",
+ "arn:aws:secretsmanager:us-west-2:035866691871:secret:home-unite-us-google-secret*"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/terraform/aws-gha-oidc-providers.tf b/terraform/aws-gha-oidc-providers.tf
index f6ca3db..ab561de 100644
--- a/terraform/aws-gha-oidc-providers.tf
+++ b/terraform/aws-gha-oidc-providers.tf
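Review bot: The three Resource ARNs end in `*`, which is needed because Secrets Manager appends a random suffix to every secret ARN, but a trailing glob also matches any secret whose name merely starts with `home-unite-us-google-secret` (or the other two prefixes), and the account id `035866691871` and region `us-west-2` are hard-coded in a file that, judging by the `filename` entry in aws-custom-policies.tf, is loaded verbatim by the module, so the policy silently stops matching if either ever changes. Neither fact is recorded anywhere; the `description` in aws-custom-policies.tf is the natural place, e.g. `description = "Allows incubator tf plan role GetSecretValue on the three home-unite-us-* secrets (trailing * covers the random ARN suffix only; do not create unrelated secrets sharing these prefixes)"`.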
@@ -40,13 +40,17 @@ resource "aws_iam_role" "incubator_tf_plan" {
 }
 resource "aws_iam_role_policy_attachment" "incubator_tf_plan_readonly" {
- role = aws_iam_role.incubator_tf_plan.name
+ role = aws_iam_role.incubator_tf_plan.name
 policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
 }
+resource "aws_iam_role_policy_attachment" "incubator_tf_plan_secrets_read" {
+ role = aws_iam_role.incubator_tf_plan.name
+ policy_arn = module.aws_custom_policies.policy_arns["IncubatorTfPlanSecretsRead"]
+}
+
 resource "aws_iam_role" "incubator_tf_apply" {
 name = "incubator-tf-apply"
-
 assume_role_policy = jsonencode({
 Version = "2012-10-17"
 Statement = [
From f2eb239440686c5bceb8a505af685ea7ed710957 Mon Sep 17 00:00:00 2001
From: Benettonkkb
Date: Wed, 29 Apr 2026 21:02:48 +0000
Subject: [PATCH 5/6] Executed feedback: generalized custom policy .json and home-unite-us secrets
---
 .../incubator-tf-plan-secrets-read-policy.json | 17 -----------------
 .../aws-custom-policies/tf-plan-scoped.json | 15 +++++++++++++++
 2 files changed, 15 insertions(+), 17 deletions(-)
 delete mode 100644 terraform/aws-custom-policies/incubator-tf-plan-secrets-read-policy.json
 create mode 100644 terraform/aws-custom-policies/tf-plan-scoped.json
diff --git a/terraform/aws-custom-policies/incubator-tf-plan-secrets-read-policy.json b/terraform/aws-custom-policies/incubator-tf-plan-secrets-read-policy.json
deleted file mode 100644
index 37cd9fd..0000000
--- a/terraform/aws-custom-policies/incubator-tf-plan-secrets-read-policy.json
+++ /dev/null
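Review bot: `incubator_tf_plan_secrets_read` attaches secretsmanager:GetSecretValue to a role whose trust policy (the incubator_tf_plan resource this hunk sits in, written in PATCH 2/6) accepts `refs/heads/*` and `pull_request`, so the plan role now hands out secret values, not just metadata, to any branch or PR workflow of the repo, and terraform plan output or a saved plan file can carry those values as well. That may be an accepted trade-off, but it should be stated next to the attachment, e.g. `# grants secret VALUES to every branch/PR workflow that can assume incubator_tf_plan; keep the policy's resource list minimal`. The `role` re-alignment in incubator_tf_plan_readonly and the dropped blank line in incubator_tf_apply are cosmetic.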
@@ -1,17 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "AllowReadSpecificSecretsForTerraformPlan",
- "Effect": "Allow",
- "Action": [
- "secretsmanager:GetSecretValue"
- ],
- "Resource": [
- "arn:aws:secretsmanager:us-west-2:035866691871:secret:home-unite-us-cognito-client*",
- "arn:aws:secretsmanager:us-west-2:035866691871:secret:home-unite-us-google-clientid*",
- "arn:aws:secretsmanager:us-west-2:035866691871:secret:home-unite-us-google-secret*"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/terraform/aws-custom-policies/tf-plan-scoped.json b/terraform/aws-custom-policies/tf-plan-scoped.json
new file mode 100644
index 0000000..95c9af4
--- /dev/null
+++ b/terraform/aws-custom-policies/tf-plan-scoped.json
@@ -0,0 +1,15 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AllowReadSpecificSecretsForTerraformPlan",
+ "Effect": "Allow",
+ "Action": [
+ "secretsmanager:GetSecretValue"
+ ],
+ "Resource": [
+ "arn:aws:secretsmanager:us-west-2:035866691871:secret:*"
+ ]
+ }
+ ]
+}
\ No newline at end of file
From e54f538fb9a63e9c79b8f52a392d2af16b1842d7 Mon Sep 17 00:00:00 2001
From: Benettonkkb
Date: Wed, 29 Apr 2026 21:38:29 +0000
Subject: [PATCH 6/6] Previous push rejected for deprecated aws resource. Fixed, and aligned cross-reference.
---
 terraform/aws-custom-policies.tf | 2 +-
 terraform/modules/aws-gha-oidc-providers/main.tf | 10 ++++++++--
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/terraform/aws-custom-policies.tf b/terraform/aws-custom-policies.tf
index bb3112c..ac2c698 100644
--- a/terraform/aws-custom-policies.tf
+++ b/terraform/aws-custom-policies.tf
@@ -11,7 +11,7 @@ module "aws_custom_policies" {
 }
 "IncubatorTfPlanSecretsRead" = {
 description = "Allows incubator tf plan role to read specific Secrets Manager secrets needed for terraform plan"
- filename = "incubator-tf-plan-secrets-read-policy.json"
+ filename = "tf-plan-scoped.json"
 }
 }
 }
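Review bot: `arn:aws:secretsmanager:us-west-2:035866691871:secret:*` grants GetSecretValue on every secret in the account and region, while the Sid still reads AllowReadSpecificSecretsForTerraformPlan and the filename says scoped; combined with the plan role's `refs/heads/*` and `pull_request` trust from PATCH 2/6, every secret in the account becomes readable from any branch or PR workflow of hackforla/incubator, which is a larger blast radius than the three named secrets this replaces. If plan genuinely needs more than those three, scope by a naming prefix the incubator secrets share, e.g. `secret:<PROJECT_PREFIX>-*` (placeholder), or by a tag condition such as `"Condition": {"StringEquals": {"aws:ResourceTag/<TAG_KEY>": "<TAG_VALUE>"}}` (placeholders), and rename the Sid to describe what is actually granted.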
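Review bot: After the filename switch the `description` still says the role reads "specific Secrets Manager secrets", but tf-plan-scoped.json (PATCH 5/6) grants `secret:*`, so the description now misstates what the policy does and will mislead anyone auditing the custom policy list. Update it in the same change, e.g. `description = "Allows incubator tf plan role to read any Secrets Manager secret value in this account (see tf-plan-scoped.json)"`. The enclosing module block starts outside the hunk.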
diff --git a/terraform/modules/aws-gha-oidc-providers/main.tf b/terraform/modules/aws-gha-oidc-providers/main.tf
index 44178a1..7f9e6b2 100644
--- a/terraform/modules/aws-gha-oidc-providers/main.tf
+++ b/terraform/modules/aws-gha-oidc-providers/main.tf
@@ -50,8 +50,7 @@ resource "aws_iam_openid_connect_provider" "github_actions" {
 resource "aws_iam_role" "github_actions_oidc" {
- name = var.role_name
- managed_policy_arns = var.policy_arns
+ name = var.role_name
 assume_role_policy = jsonencode({
 "Version" : "2012-10-17",
@@ -71,4 +70,11 @@ resource "aws_iam_role" "github_actions_oidc" {
 }
 }]
 })
+}
+
+resource "aws_iam_role_policy_attachment" "github_actions_oidc" {
+ for_each = toset(var.policy_arns)
+
+ role = aws_iam_role.github_actions_oidc.name
+ policy_arn = each.value
 }
\ No newline at end of file
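Review bot: Replacing `managed_policy_arns` (first hunk) with per-ARN `aws_iam_role_policy_attachment` (second hunk) changes the semantics from exclusive to additive: the old argument made Terraform detach any managed policy attached to the role outside of it, whereas the attachment resource only guarantees its own ARN is present, so a policy attached out-of-band, whether by an operator or by an attacker, no longer shows up as drift in plan. If that property was relied on, pair the attachments with `aws_iam_role_policy_attachments_exclusive` (available in recent AWS provider 5.x releases; confirm against the pinned version) and say so in a comment on the new resource. Separately, `for_each = toset(var.policy_arns)` fails at plan time with an unknown value if a caller ever passes an ARN that is only known after apply; the callers in this series pass literal ARNs, so that is latent rather than current, but worth a note on the for_each line. The `\ No newline at end of file` marker persists from the old file.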