From 3c428483f99b662375b49fff62c7a457a92954b6 Mon Sep 17 00:00:00 2001 From: Benettonkkb Date: Thu, 5 Feb 2026 01:52:20 +0000 Subject: [PATCH 1/4] Separate Terraform plan and apply roles for incubator --- terraform/aws-gha-oidc-providers.tf | 43 +++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/terraform/aws-gha-oidc-providers.tf b/terraform/aws-gha-oidc-providers.tf index 534abe2..cc906ca 100644 --- a/terraform/aws-gha-oidc-providers.tf +++ b/terraform/aws-gha-oidc-providers.tf @@ -9,4 +9,47 @@ module "iam_oidc_gha_incubator" { policy_arns = [ "arn:aws:iam::aws:policy/AdministratorAccess" ] + +} +module "iam_oidc_incubator_tf_plan" { + source = "./modules/aws-gha-oidc-providers" + + role_name = "incubator-tf-plan" + use_wildcard = true + github_branch = "refs/heads/*" # concerning IAM audit, ok, as it is read-only + github_repo = "hackforla/incubator" + + policy_arns = [ + "arn:aws:iam::aws:policy/ReadOnlyAccess" + ] +} +resource "aws_iam_role" "incubator_tf_apply" { + name = "incubator-tf-apply" + + assume_role_policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Effect = "Allow" + Action = "sts:AssumeRoleWithWebIdentity" + Principal = { + Federated = module.iam_oidc_gha_incubator.provider_arn + } + Condition = { + StringEquals = { + "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com" + } + StringLike = { + "token.actions.githubusercontent.com:sub" = "repo:hackforla/incubator:ref:refs/heads/main" + } + } + } + ] + }) } + +resource "aws_iam_role_policy_attachment" "incubator_tf_apply_admin" { + role = aws_iam_role.incubator_tf_apply.name + policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess" +} + From ca2eae6d35bce128ee10834283ab7ce9fe0f220e Mon Sep 17 00:00:00 2001 
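Review bot: The apply role's trust in this hunk matches only the push-form subject `repo:hackforla/incubator:ref:refs/heads/main`; if the apply job is bound to a GitHub environment, the token's `sub` claim takes the form `repo:hackforla/incubator:environment:<name>` instead and the assume is denied, so confirm the claim shape against the workflow before relying on it. The plan module's comment `# concerning IAM audit, ok, as it is read-only` undersells `ReadOnlyAccess`, which grants read of resource data (S3 object contents, for example), not only configuration metadata, while the role is assumable from every branch; I would reword it to `# any branch may assume this; ReadOnlyAccess also reads resource data (e.g. S3 objects), not only metadata`. The `Federated` principal presumes the module exports `provider_arn`, which is not visible here. The hunk begins inside `module "iam_oidc_gha_incubator"`, whose opening lines are outside it.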
From: Benettonkkb Date: Thu, 26 Feb 2026 02:36:17 +0000 Subject: [PATCH 2/4] Applying recommended role detail changes for plan and apply --- terraform/aws-gha-oidc-providers.tf | 46 ++++++++++++++++++++++------- 1 file changed, 35 insertions(+), 11 deletions(-) diff --git a/terraform/aws-gha-oidc-providers.tf b/terraform/aws-gha-oidc-providers.tf index cc906ca..c537eff 100644 --- a/terraform/aws-gha-oidc-providers.tf +++ b/terraform/aws-gha-oidc-providers.tf @@ -11,18 +11,39 @@ module "iam_oidc_gha_incubator" { ] } -module "iam_oidc_incubator_tf_plan" { - source = "./modules/aws-gha-oidc-providers" +resource "aws_iam_role" "incubator_tf_plan" { + name = "incubator-tf-plan" - role_name = "incubator-tf-plan" - use_wildcard = true - github_branch = "refs/heads/*" # concerning IAM audit, ok, as it is read-only - github_repo = "hackforla/incubator" + assume_role_policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Effect = "Allow" + Action = "sts:AssumeRoleWithWebIdentity" + Principal = { + Federated = module.iam_oidc_gha_incubator.provider_arn + } + Condition = { + StringEquals = { + "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com" + } + StringLike = { + "token.actions.githubusercontent.com:sub" = [ + "repo:hackforla/incubator:ref:refs/heads/*", + "repo:hackforla/incubator:pull_request" + ] + } + } + } + ] + }) +} - policy_arns = [ - "arn:aws:iam::aws:policy/ReadOnlyAccess" - ] +resource "aws_iam_role_policy_attachment" "incubator_tf_plan_readonly" { + role = aws_iam_role.incubator_tf_plan.name + policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess" } + resource "aws_iam_role" "incubator_tf_apply" { name = "incubator-tf-apply" 
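Review bot: Adding `repo:hackforla/incubator:pull_request` to the plan role's `sub` list removes any branch dependency from the trust: a workflow run triggered by any pull request on the repository can assume `incubator-tf-plan` and everything attached to it, and whether runs from fork PRs are included is decided by the repository's workflow-approval settings rather than by this policy. That is wider than `ref:refs/heads/*`, which covers only pushes to the repository's own branches. If PR-time plans are the intent, record the trade-off beside the list, e.g. `# pull_request subjects carry no branch; PR workflow runs (fork PRs included, subject to repo approval settings) get this role`, and keep the attached policies to what `terraform plan` actually needs. The trailing context `resource "aws_iam_role" "incubator_tf_apply" {` opens a block that continues outside the hunk.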
@@ -40,7 +61,10 @@ resource "aws_iam_role" "incubator_tf_apply" { "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com" } StringLike = { - "token.actions.githubusercontent.com:sub" = "repo:hackforla/incubator:ref:refs/heads/main" + "token.actions.githubusercontent.com:sub" = [ + "repo:hackforla/incubator:ref:refs/heads/main", + "repo:hackforla/incubator:pull_request" + ] } } } @@ -50,6 +74,6 @@ resource "aws_iam_role" "incubator_tf_apply" { resource "aws_iam_role_policy_attachment" "incubator_tf_apply_admin" { role = aws_iam_role.incubator_tf_apply.name - policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess" + policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess" } From d62db78576edda4fb1f4d742c8af32f298014b28 Mon Sep 17 00:00:00 2001 From: Benettonkkb Date: Thu, 12 Mar 2026 01:17:20 +0000 Subject: [PATCH 3/4] Removed Pull Request condition from incubator_tf_apply --- terraform/aws-gha-oidc-providers.tf | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/terraform/aws-gha-oidc-providers.tf b/terraform/aws-gha-oidc-providers.tf index c537eff..f6ca3db 100644 --- a/terraform/aws-gha-oidc-providers.tf +++ b/terraform/aws-gha-oidc-providers.tf @@ -62,8 +62,7 @@ resource "aws_iam_role" "incubator_tf_apply" { } StringLike = { "token.actions.githubusercontent.com:sub" = [ - "repo:hackforla/incubator:ref:refs/heads/main", - "repo:hackforla/incubator:pull_request" + "repo:hackforla/incubator:ref:refs/heads/main" ] } } From 401f503537684d3ccde119b2a55b44b4f72aaf84 Mon Sep 17 00:00:00 2001 From: Benettonkkb Date: Thu, 2 Apr 2026 01:04:55 +0000 Subject: [PATCH 4/4] new TF Plan read policy for secrets manager and fixed lines --- terraform/aws-custom-policies.tf | 4 ++++ .../incubator-tf-plan-secrets-read-policy.json | 17 +++++++++++++++++ terraform/aws-gha-oidc-providers.tf | 8 ++++++-- 3 files changed, 27 insertions(+), 2 deletions(-) create mode 100644 terraform/aws-custom-policies/incubator-tf-plan-secrets-read-policy.json 
diff --git a/terraform/aws-custom-policies.tf b/terraform/aws-custom-policies.tf index 31edcc1..bb3112c 100644 --- a/terraform/aws-custom-policies.tf +++ b/terraform/aws-custom-policies.tf @@ -9,5 +9,9 @@ module "aws_custom_policies" { description = "Policy enforcing MFA for devops security users" filename = "enforce-mfa-for-users-policy.json" } + "IncubatorTfPlanSecretsRead" = { + description = "Allows incubator tf plan role to read specific Secrets Manager secrets needed for terraform plan" + filename = "incubator-tf-plan-secrets-read-policy.json" + } } } diff --git a/terraform/aws-custom-policies/incubator-tf-plan-secrets-read-policy.json b/terraform/aws-custom-policies/incubator-tf-plan-secrets-read-policy.json new file mode 100644 index 0000000..37cd9fd --- /dev/null +++ b/terraform/aws-custom-policies/incubator-tf-plan-secrets-read-policy.json @@ -0,0 +1,17 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowReadSpecificSecretsForTerraformPlan", + "Effect": "Allow", + "Action": [ + "secretsmanager:GetSecretValue" + ], + "Resource": [ + "arn:aws:secretsmanager:us-west-2:035866691871:secret:home-unite-us-cognito-client*", + "arn:aws:secretsmanager:us-west-2:035866691871:secret:home-unite-us-google-clientid*", + "arn:aws:secretsmanager:us-west-2:035866691871:secret:home-unite-us-google-secret*" + ] + } + ] +} \ No newline at end of file diff --git a/terraform/aws-gha-oidc-providers.tf b/terraform/aws-gha-oidc-providers.tf index f6ca3db..ab561de 100644 --- a/terraform/aws-gha-oidc-providers.tf +++ b/terraform/aws-gha-oidc-providers.tf 
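Review bot: In the new policy file the `Resource` ARNs end in a bare `*` (`…secret:home-unite-us-cognito-client*`), which matches every secret whose name starts with that prefix, not only the one intended. If the secret names are exactly these three prefixes, AWS's documented pattern for pinning a single secret while allowing for its random suffix is `-??????`, e.g. `"arn:aws:secretsmanager:us-west-2:035866691871:secret:home-unite-us-cognito-client-??????"`, applied to all three entries. The account ID and region are hard-coded; that is fine if the module copies policy files verbatim, but the `description` in `aws-custom-policies.tf` could name the three secrets so the grant is reviewable without opening the JSON. The file also lacks a trailing newline.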
@@ -40,13 +40,17 @@ resource "aws_iam_role" "incubator_tf_plan" { } resource "aws_iam_role_policy_attachment" "incubator_tf_plan_readonly" { - role = aws_iam_role.incubator_tf_plan.name + role = aws_iam_role.incubator_tf_plan.name policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess" } +resource "aws_iam_role_policy_attachment" "incubator_tf_plan_secrets_read" { + role = aws_iam_role.incubator_tf_plan.name + policy_arn = module.aws_custom_policies.policy_arns["IncubatorTfPlanSecretsRead"] +} + resource "aws_iam_role" "incubator_tf_apply" { name = "incubator-tf-apply" - assume_role_policy = jsonencode({ Version = "2012-10-17" Statement = [
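Review bot: Attaching `IncubatorTfPlanSecretsRead` gives `incubator-tf-plan` `secretsmanager:GetSecretValue`, and per the trust policy added in PATCH 2/4 that role is assumable from `ref:refs/heads/*` and `pull_request` subjects, so any branch or PR workflow run can now read those secret values, and a `terraform plan` that reads them through a data source carries the values in its plan output and plan file. That is a meaningful widening of a role previously limited to `ReadOnlyAccess`; I would say so at the attachment, e.g. `# grants GetSecretValue to a role assumable from any branch/PR run — keep plan artifacts private and mark the values sensitive`, and confirm the plan workflow neither publishes the plan file nor prints these values. `module.aws_custom_policies.policy_arns[...]` presumes the module exposes a `policy_arns` map keyed by the names in `aws-custom-policies.tf`, which is not visible here. The blank-line removal at the end sits inside `resource "aws_iam_role" "incubator_tf_apply"`, which continues past the hunk.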