From 16085fa56a2202f13df27ebfd3229d06da75f001 Mon Sep 17 00:00:00 2001 From: Noah Paige Date: Thu, 21 Sep 2023 14:27:25 -0400 Subject: [PATCH 1/2] Change CB policies to managed and prevent updates --- deploy/stacks/pipeline.py | 74 ++++++++++++++++++++++++--------------- 1 file changed, 45 insertions(+), 29 deletions(-) diff --git a/deploy/stacks/pipeline.py b/deploy/stacks/pipeline.py index 39944fef5..df86064e5 100644 --- a/deploy/stacks/pipeline.py +++ b/deploy/stacks/pipeline.py @@ -143,7 +143,7 @@ def __init__( 'cdk synth', 'echo ${CODEBUILD_SOURCE_VERSION}' ], - role=self.baseline_codebuild_role, + role=self.baseline_codebuild_role.without_policy_updates(), vpc=self.vpc, ), cross_account_keys=True, @@ -225,10 +225,10 @@ def set_codebuild_iam_roles(self): assumed_by=iam.ServicePrincipal('codebuild.amazonaws.com'), ) - self.baseline_codebuild_policy = iam.Policy( + self.baseline_codebuild_policy = iam.ManagedPolicy( self, - 'BaselineCodeBuildPolicy', - policy_name=f'{self.resource_prefix}-{self.git_branch}-baseline-codebuild-policy', + 'BaselineCodeBuildManagedPolicy', + managed_policy_name=f'{self.resource_prefix}-{self.git_branch}-baseline-cb-policy', roles=[self.baseline_codebuild_role, self.expanded_codebuild_role], statements= [ iam.PolicyStatement( @@ -252,7 +252,14 @@ def set_codebuild_iam_roles(self): actions=[ 'ecr:GetAuthorizationToken', 'ec2:DescribePrefixLists', - 'ec2:DescribeManagedPrefixLists' + 'ec2:DescribeManagedPrefixLists', + 'ec2:CreateNetworkInterface', + 'ec2:DescribeNetworkInterfaces', + 'ec2:DeleteNetworkInterface', + 'ec2:DescribeSubnets', + 'ec2:DescribeSecurityGroups', + 'ec2:DescribeDhcpOptions', + 'ec2:DescribeVpcs', ], resources=['*'], ), @@ -272,6 +279,8 @@ def set_codebuild_iam_roles(self): 'kms:Decrypt', 'kms:Encrypt', 'kms:GenerateDataKey', + 'kms:ReEncrypt*', + 'kms:DescribeKey', 'secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret', 'ssm:GetParametersByPath', @@ -285,12 +294,17 @@ def set_codebuild_iam_roles(self): 'codebuild:UpdateReport', 'codebuild:BatchPutTestCases', 'codebuild:BatchPutCodeCoverages', - 'ec2:GetManagedPrefixListEntries' + 'ec2:GetManagedPrefixListEntries', + 'ec2:CreateNetworkInterfacePermission', + 'logs:CreateLogGroup', + 'logs:CreateLogStream', + 'logs:PutLogEvents', ], resources=[ f'arn:aws:s3:::{self.resource_prefix}*', f'arn:aws:s3:::{self.resource_prefix}*/*', f'arn:aws:codebuild:{self.region}:{self.account}:project/*{self.resource_prefix}*', + f'arn:aws:codebuild:{self.region}:{self.account}:report-group/{self.resource_prefix}*' f'arn:aws:secretsmanager:{self.region}:{self.account}:secret:*{self.resource_prefix}*', f'arn:aws:secretsmanager:{self.region}:{self.account}:secret:*dataall*', f'arn:aws:kms:{self.region}:{self.account}:key/*', @@ -300,14 +314,16 @@ def set_codebuild_iam_roles(self): f'arn:aws:codeartifact:{self.region}:{self.account}:repository/{self.resource_prefix}*', f'arn:aws:codeartifact:{self.region}:{self.account}:domain/{self.resource_prefix}*', f'arn:aws:ec2:{self.region}:{self.account}:prefix-list/*', + f'arn:aws:ec2:{self.region}:{self.account}:network-interface/*', + f'arn:aws:logs:{self.region}:{self.account}:log-group:/aws/codebuild/{self.resource_prefix}*', ], ), ], ) - self.expanded_codebuild_policy = iam.Policy( + self.expanded_codebuild_policy = iam.ManagedPolicy( self, - 'ExpandedCodeBuildPolicy', - policy_name=f'{self.resource_prefix}-{self.git_branch}-expanded-codebuild-policy', + 'ExpandedCodeBuildManagedPolicy', + managed_policy_name=f'{self.resource_prefix}-{self.git_branch}-expanded-cb-policy', roles=[self.expanded_codebuild_role], statements= [ iam.PolicyStatement( @@ -334,10 +350,10 @@ def set_codebuild_iam_roles(self): ) self.expanded_codebuild_policy.attach_to_role(self.git_project_role) self.baseline_codebuild_policy.attach_to_role(self.git_project_role) - self.git_release_policy = iam.Policy( + self.git_release_policy = iam.ManagedPolicy( self, - 'GitReleasePolicy', - policy_name=f'{self.resource_prefix}-{self.git_branch}-git-release-policy', + 'GitReleaseManagedPolicy', + managed_policy_name=f'{self.resource_prefix}-{self.git_branch}-gitrelease-policy', roles=[self.git_project_role], statements= [ iam.PolicyStatement( @@ -416,7 +432,7 @@ def set_quality_gate_stage(self): 'make drop-tables', 'make upgrade-db', ], - role=self.baseline_codebuild_role, + role=self.baseline_codebuild_role.without_policy_updates(), vpc=self.vpc, security_groups=[self.codebuild_sg], ), @@ -432,7 +448,7 @@ def set_quality_gate_stage(self): '. env/bin/activate', 'make check-security', ], - role=self.baseline_codebuild_role, + role=self.baseline_codebuild_role.without_policy_updates(), vpc=self.vpc, ), pipelines.CodeBuildStep( @@ -452,7 +468,7 @@ def set_quality_gate_stage(self): 'npm run copy-config', 'npm run lint -- --quiet', ], - role=self.baseline_codebuild_role, + role=self.baseline_codebuild_role.without_policy_updates(), vpc=self.vpc, ), ) @@ -487,7 +503,7 @@ def set_quality_gate_stage(self): ) ), commands=[], - role=self.baseline_codebuild_role, + role=self.baseline_codebuild_role.without_policy_updates(), vpc=self.vpc, security_groups=[self.codebuild_sg], ), @@ -503,7 +519,7 @@ def set_quality_gate_stage(self): 'cd source_build/ && zip -r ../source_build/source_build.zip *', f'aws s3api put-object --bucket {self.pipeline_bucket.bucket_name} --key source_build.zip --body source_build.zip', ], - role=self.baseline_codebuild_role, + role=self.baseline_codebuild_role.without_policy_updates(), vpc=self.vpc, security_groups=[self.codebuild_sg], ), @@ -523,7 +539,7 @@ def set_quality_gate_stage(self): 'cd source_build/ && zip -r ../source_build/source_build.zip *', f'aws s3api put-object --bucket {self.pipeline_bucket.bucket_name} --key source_build.zip --body source_build.zip', ], - role=self.baseline_codebuild_role, + role=self.baseline_codebuild_role.without_policy_updates(), vpc=self.vpc, security_groups=[self.codebuild_sg], ), @@ -564,7 +580,7 @@ def set_ecr_stage( commands=[ f"make deploy-image type=lambda image-tag=$IMAGE_TAG account={target_env['account']} region={target_env['region']} repo={repository_name}", ], - role=self.baseline_codebuild_role, + role=self.baseline_codebuild_role.without_policy_updates(), vpc=self.vpc, ), pipelines.CodeBuildStep( @@ -582,7 +598,7 @@ def set_ecr_stage( commands=[ f"make deploy-image type=ecs image-tag=$IMAGE_TAG account={target_env['account']} region={target_env['region']} repo={repository_name}", ], - role=self.baseline_codebuild_role, + role=self.baseline_codebuild_role.without_policy_updates(), vpc=self.vpc, ), ) @@ -648,7 +664,7 @@ def set_db_migration_stage( 'if [ "$(jq -r .builds[0].buildStatus codebuild-output.json)" = "FAILED" ]; then echo "Failed"; cat codebuild-output.json; exit -1; fi', 'cat codebuild-output.json ', ], - role=self.expanded_codebuild_role, + role=self.expanded_codebuild_role.without_policy_updates(), vpc=self.vpc, ), ) @@ -680,7 +696,7 @@ def set_stacks_updater_stage( f'cluster_arn="arn:aws:ecs:{target_env["region"]}:{target_env["account"]}:cluster/$cluster_name"', f'aws --profile buildprofile ecs run-task --task-definition $task_definition --cluster "$cluster_arn" --launch-type "FARGATE" --network-configuration "$network_config" --launch-type FARGATE --propagate-tags TASK_DEFINITION', ], - role=self.expanded_codebuild_role, + role=self.expanded_codebuild_role.without_policy_updates(), vpc=self.vpc, ), ) @@ -735,7 +751,7 @@ def set_cloudfront_stage(self, target_env): 'aws s3 sync build/ s3://$bucket --profile buildprofile', "aws cloudfront create-invalidation --distribution-id $distributionId --paths '/*' --profile buildprofile", ], - role=self.expanded_codebuild_role, + role=self.expanded_codebuild_role.without_policy_updates(), vpc=self.vpc, ), self.cognito_config_action(target_env), @@ -770,7 +786,7 @@ def set_cloudfront_stage(self, target_env): 'aws s3 sync site/ s3://$bucket', "aws cloudfront create-invalidation --distribution-id $distributionId --paths '/*'", ], - role=self.expanded_codebuild_role, + role=self.expanded_codebuild_role.without_policy_updates(), vpc=self.vpc, ), ) @@ -797,7 +813,7 @@ def cw_rum_config_action(self, target_env): 'pip install boto3==1.20.46', 'python deploy/configs/rum_config.py', ], - role=self.expanded_codebuild_role, + role=self.expanded_codebuild_role.without_policy_updates(), vpc=self.vpc, ) @@ -824,7 +840,7 @@ def cognito_config_action(self, target_env): 'pip install boto3==1.20.46', 'python deploy/configs/cognito_urls_config.py', ], - role=self.expanded_codebuild_role, + role=self.expanded_codebuild_role.without_policy_updates(), vpc=self.vpc, ) @@ -882,7 +898,7 @@ def set_albfront_stage(self, target_env, repository_name): 'docker tag $IMAGE_TAG:$IMAGE_TAG $REPOSITORY_URI:$IMAGE_TAG', 'docker push $REPOSITORY_URI:$IMAGE_TAG', ], - role=self.expanded_codebuild_role, + role=self.expanded_codebuild_role.without_policy_updates(), vpc=self.vpc, ), pipelines.CodeBuildStep( @@ -906,7 +922,7 @@ def set_albfront_stage(self, target_env, repository_name): 'docker tag $IMAGE_TAG:$IMAGE_TAG $REPOSITORY_URI:$IMAGE_TAG', 'docker push $REPOSITORY_URI:$IMAGE_TAG', ], - role=self.expanded_codebuild_role, + role=self.expanded_codebuild_role.without_policy_updates(), vpc=self.vpc, ), ], @@ -957,7 +973,7 @@ def set_release_stage( }, ) ), - role=self.git_project_role, + role=self.git_project_role.without_policy_updates(), vpc=self.vpc, security_groups=[self.codebuild_sg], commands=[], From 02bfb29f8b4627beb9140e960c52f689fed5e281 Mon Sep 17 00:00:00 2001 From: Noah Paige Date: Fri, 22 Sep 2023 09:01:25 -0400 Subject: [PATCH 2/2] missing comma --- deploy/stacks/pipeline.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/stacks/pipeline.py b/deploy/stacks/pipeline.py index df86064e5..44477ef22 100644 --- a/deploy/stacks/pipeline.py +++ b/deploy/stacks/pipeline.py @@ -304,7 +304,7 @@ def set_codebuild_iam_roles(self): f'arn:aws:s3:::{self.resource_prefix}*', f'arn:aws:s3:::{self.resource_prefix}*/*', f'arn:aws:codebuild:{self.region}:{self.account}:project/*{self.resource_prefix}*', - f'arn:aws:codebuild:{self.region}:{self.account}:report-group/{self.resource_prefix}*' + f'arn:aws:codebuild:{self.region}:{self.account}:report-group/{self.resource_prefix}*', f'arn:aws:secretsmanager:{self.region}:{self.account}:secret:*{self.resource_prefix}*', f'arn:aws:secretsmanager:{self.region}:{self.account}:secret:*dataall*', f'arn:aws:kms:{self.region}:{self.account}:key/*',