AWS ECR actions not tracked #68

Closed
wernerdiers opened this issue Nov 2, 2023 · 3 comments
Comments

@wernerdiers

Summary

AWS ECR actions are not tracked.

Steps to reproduce

When running Terraform, it appears that AWS ECR actions are not being tracked.

After configuring iamlive, run:

iamlive --set-ini --mode proxy --output-file policy.json  --refresh-rate 1 --sort-alphabetical --bind-addr 127.0.0.1:10080 --ca-bundle ~/.iamlive/ca.pem --ca-key ~/.iamlive/ca.key

In another terminal, run terraform:

TF_LOG=trace terraform apply --auto-approve

Finally, the iamlive terminal session will just show:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:GetCallerIdentity"
            ],
            "Resource": "*"
        }
    ]
}

Example Project

Terraform version:

$ terraform version
Terraform v1.4.2
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v5.23.1

resource "aws_ecr_repository" "ecr_repo" {
  name                 = "test"
  image_tag_mutability = "MUTABLE"

  image_scanning_configuration {
    scan_on_push = false
  }

  encryption_configuration {
    encryption_type = "AES256"
  }

  tags = { 
    Tag1 = "test-1",
    Tag2 = "test-2" 
  }
}

# Set policy for accounts with Pull permissions 
resource "aws_ecr_repository_policy" "ecr_access" {
  repository = aws_ecr_repository.ecr_repo.name

  policy = <<EOF
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AllowCrossAccountPushPull",
            "Effect": "Allow",
            "Principal": {
                "AWS": ["arn:aws:iam::XXXXXXXXXX:root"]
            },
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload"
            ]
        }
    ]
}
EOF
}

What is the current bug behavior?

iamlive output (to std and file) just shows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:GetCallerIdentity"
            ],
            "Resource": "*"
        }
    ]
}

What is the expected correct behavior?

iamlive should parse and track the actions of AWS ECR resources

Output of checks

Manually parsing the terraform trace log file I have identified at least the following actions when performing creation, updates and deletion of resources:

{
  "ECR": [
    "CreateRepository",
    "DeleteRepository",
    "DeleteRepositoryPolicy",
    "DescribeRepositories",
    "GetRepositoryPolicy",
    "ListTagsForResource",
    "SetRepositoryPolicy",
    "TagResource",
    "UntagResource"
  ],
  "STS": [
    "GetCallerIdentity"
  ]
}
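The manual step above (reading the TF_LOG=trace output and listing which API operations the provider actually called, then comparing that list with what iamlive emitted) can be scripted. The block below is an added example for this issue; it is not part of iamlive or the Terraform AWS provider. It assumes (this is not confirmed anywhere in the issue) that the provider logs each request as a single line carrying the service and operation as key=value fields named either aws.service/aws.operation or rpc.service/rpc.method; the sample log lines and the "before the fix" iamlive policy are constructed for the example. The override table in iam_prefix is likewise an assumed illustration of services whose IAM prefix is not simply the lowercased service name.

```python
"""Recover AWS API calls from a Terraform trace log and compare them with the
policy iamlive produced.

Added example for this issue; it is not part of iamlive or the Terraform AWS
provider. Assumption (not confirmed by the issue): the provider logs each
request as one line carrying the service and operation as key=value fields,
named either aws.service/aws.operation or rpc.service/rpc.method. The sample
log lines and the "before the fix" iamlive policy below are constructed for
this example.
"""
import json
import re
from collections import defaultdict

# Constructed TF_LOG=trace excerpt (shortened; not a real capture).
SAMPLE_TRACE = """\
2023-11-02T10:00:01.000+0100 [DEBUG] provider.terraform-provider-aws_v5.23.1_x5: HTTP Request Sent: aws.operation=GetCallerIdentity aws.service=STS http.method=POST
2023-11-02T10:00:02.000+0100 [DEBUG] provider.terraform-provider-aws_v5.23.1_x5: HTTP Request Sent: aws.operation=CreateRepository aws.service=ECR http.method=POST tf_resource_type=aws_ecr_repository
2023-11-02T10:00:02.500+0100 [DEBUG] provider.terraform-provider-aws_v5.23.1_x5: HTTP Response Received: aws.operation=CreateRepository aws.service=ECR http.status_code=200
2023-11-02T10:00:03.000+0100 [DEBUG] provider.terraform-provider-aws_v5.23.1_x5: HTTP Request Sent: aws.operation=DescribeRepositories aws.service=ECR http.method=POST
2023-11-02T10:00:03.200+0100 [DEBUG] provider.terraform-provider-aws_v5.23.1_x5: HTTP Request Sent: aws.operation=ListTagsForResource aws.service=ECR http.method=POST
2023-11-02T10:00:04.000+0100 [DEBUG] provider.terraform-provider-aws_v5.23.1_x5: HTTP Request Sent: rpc.method=SetRepositoryPolicy rpc.service=ECR rpc.system=aws-api http.method=POST
2023-11-02T10:00:05.000+0100 [DEBUG] provider.terraform-provider-aws_v5.23.1_x5: HTTP Request Sent: rpc.method=GetRepositoryPolicy rpc.service=ECR rpc.system=aws-api http.method=POST
"""

# The policy iamlive emitted before the fix, as shown in the issue.
IAMLIVE_BEFORE_FIX = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["sts:GetCallerIdentity"], "Resource": "*"}
    ],
}

# key=value tokens; values containing spaces are double-quoted by the logger.
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def extract_calls(trace_text):
    """Map log service name -> sorted list of operations seen in the trace."""
    calls = defaultdict(set)
    for line in trace_text.splitlines():
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        service = fields.get("aws.service") or fields.get("rpc.service")
        operation = fields.get("aws.operation") or fields.get("rpc.method")
        if service and operation:
            calls[service].add(operation)
    return {svc: sorted(ops) for svc, ops in sorted(calls.items())}


def iam_prefix(service):
    """Heuristic: the IAM action prefix is the log's service name lowercased
    with spaces removed ("ECR" -> "ecr", "STS" -> "sts"). Services whose
    prefix differs belong in the override table; its one entry is an assumed
    example, not taken from the issue."""
    overrides = {"Elastic Load Balancing v2": "elasticloadbalancing"}
    return overrides.get(service, service.lower().replace(" ", ""))


def build_policy(calls):
    """Single Allow statement with Resource "*": a starting point to scope
    down to real ARNs, not a least-privilege result."""
    actions = sorted(
        f"{iam_prefix(svc)}:{op}" for svc, ops in calls.items() for op in ops
    )
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}],
    }


def policy_actions(policy):
    """All actions granted by Allow statements (Action may be str or list)."""
    actions = set()
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        action = statement.get("Action", [])
        actions.update([action] if isinstance(action, str) else action)
    return actions


def missing_actions(trace_policy, iamlive_policy):
    """Actions the trace proves were called but the iamlive policy lacks."""
    return sorted(policy_actions(trace_policy) - policy_actions(iamlive_policy))


if __name__ == "__main__":
    calls = extract_calls(SAMPLE_TRACE)
    policy = build_policy(calls)
    print(json.dumps(policy, indent=2))
    print("missing from iamlive output:", missing_actions(policy, IAMLIVE_BEFORE_FIX))
```

Run it against a real trace with `extract_calls(open("terraform.log").read())` and feed the JSON iamlive wrote to `missing_actions`; any non-empty result is either an iamlive parsing gap (as in this issue) or a service whose prefix the heuristic in `iam_prefix` gets wrong, so check the IAM service authorization reference before trusting the generated action names.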
@iann0036
Owner

iann0036 commented Nov 3, 2023

Hi @wernerdiers,

Thanks for raising. Could I confirm you've set the proxy environment variables in the same terminal as the Terraform run prior to running, and can I check whether this is problematic for only ECR (and other services work)?

For clarity, your second terminal should look like:

export HTTP_PROXY=http://127.0.0.1:10080
export HTTPS_PROXY=http://127.0.0.1:10080
export AWS_CA_BUNDLE=~/.iamlive/ca.pem
TF_LOG=trace terraform apply --auto-approve
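Because a missing or wrong proxy variable in the Terraform shell produces exactly the symptom in this issue (only sts:GetCallerIdentity, or nothing, captured), it is worth checking the environment before `terraform apply`. The block below is an added example and not part of iamlive. It only inspects the variables and the CA bundle file and cannot prove that traffic reaches the proxy; `bind_addr` is assumed to be the value passed to `iamlive --bind-addr`, and the `read_file` parameter exists so the check can be exercised without a real file.

```python
"""Preflight for the proxy environment that iamlive's proxy mode needs, meant
to run in the same shell (or wrapper script) as `terraform apply`.

Added example for this issue; not part of iamlive. It checks the environment
and the CA bundle file only; it cannot prove that traffic actually reaches the
proxy. `bind_addr` is the value given to `iamlive --bind-addr`.
"""
import os


def check_proxy_env(env, bind_addr="127.0.0.1:10080", read_file=None):
    """Return a list of problems (empty when the environment looks right).

    `env` is a mapping like os.environ; `read_file` lets a caller (or a test)
    supply the CA bundle contents instead of touching the filesystem.
    """
    read_file = read_file or (lambda path: open(path, "rb").read())
    expected = f"http://{bind_addr}"
    problems = []

    # Go's HTTP client (used by the AWS provider) reads HTTP_PROXY/HTTPS_PROXY,
    # falling back to the lowercase names. Both must point at iamlive.
    for var in ("HTTP_PROXY", "HTTPS_PROXY"):
        value = env.get(var) or env.get(var.lower())
        if not value:
            problems.append(f"{var} is not set")
        elif value.rstrip("/") != expected:
            problems.append(f"{var}={value!r}; expected {expected!r}")

    # NO_PROXY bypasses the proxy for matching hosts; "*" or an entry covering
    # amazonaws.com silently defeats capture.
    no_proxy = env.get("NO_PROXY") or env.get("no_proxy") or ""
    for entry in (e.strip() for e in no_proxy.split(",") if e.strip()):
        if entry == "*" or entry.lstrip(".").endswith("amazonaws.com"):
            problems.append(
                f"NO_PROXY entry {entry!r} would bypass the proxy for AWS endpoints"
            )

    # The SDK opens AWS_CA_BUNDLE literally: an unexpanded "~" (from a quoted
    # assignment or a .env file) or an unreadable file means TLS to the proxy
    # fails and nothing is captured.
    ca_bundle = env.get("AWS_CA_BUNDLE")
    if not ca_bundle:
        problems.append("AWS_CA_BUNDLE is not set")
    elif ca_bundle.startswith("~"):
        problems.append(f"AWS_CA_BUNDLE={ca_bundle!r} has an unexpanded '~'")
    else:
        try:
            data = read_file(ca_bundle)
        except OSError as exc:
            problems.append(f"AWS_CA_BUNDLE {ca_bundle!r} unreadable: {exc}")
        else:
            if b"-----BEGIN CERTIFICATE-----" not in data:
                problems.append(
                    f"AWS_CA_BUNDLE {ca_bundle!r} is not a PEM certificate bundle"
                )
    return problems


if __name__ == "__main__":
    import sys

    issues = check_proxy_env(os.environ)
    for issue in issues:
        print("PROBLEM:", issue)
    sys.exit(1 if issues else 0)
```

Run it as `python3 preflight.py && terraform apply` in the terminal where the three `export` lines were issued; a non-zero exit stops the apply before an uncaptured run wastes time.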

iann0036 added a commit that referenced this issue Nov 3, 2023
@iann0036
Owner

iann0036 commented Nov 3, 2023

Hey @wernerdiers,

I did a little digging and was able to replicate your issue. I've made a change to hopefully fix the ECR-specific method tracking. This update will be in release v1.1.2 (or build from main).

Give that new version a try and let me know how you go.

@wernerdiers
Author

Thanks for the fix! It seems to be working now. This is the output with iamlive v1.1.2:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:GetCallerIdentity",
                "ecr:CreateRepository"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecr:DeleteRepository",
                "ecr:DeleteRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:GetRepositoryPolicy",
                "ecr:ListTagsForResource",
                "ecr:SetRepositoryPolicy"
            ],
            "Resource": "arn:aws:ecr:eu-west-1:xxxxxxxxxx:repository/test"
        }
    ]
}
