
feat: Add support for GitHub Enterprise Cloud #29

Merged
merged 4 commits into from
Jun 4, 2023

Conversation

@unfunco unfunco (Owner) commented Jun 4, 2023

Adds support for GitHub Enterprise Cloud customers by adding a new variable called enterprise_slug which, when populated, will configure the OIDC provider with a different issuer URL, and will condition the role to be assumed only when the iss claim includes the enterprise slug.
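As an added example (not the module's own code and not part of this PR), the Python below models the two issuer configurations the description contrasts and the claim checks a role's trust policy makes before a GitHub Actions token may assume the role. Only the parameter name enterprise_slug comes from the description; the functions expected_issuer, validate_claims and trust_policy, the condition-key spelling in the generated policy and the sample tokens are assumptions made for this example. It also shows the caveat a reviewer would raise on "includes the enterprise slug": the iss claim is compared for exact equality, so an issuer for a slug that merely contains the expected one (acme-staging versus acme) is rejected.

```python
"""Added example: how the shared vs. enterprise GitHub Actions OIDC issuer
changes the checks a role trust policy must make. Not the module's code."""
import fnmatch
import json
from typing import Dict, Iterable, List, Optional, Tuple

GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"
AWS_AUDIENCE = "sts.amazonaws.com"  # audience GitHub sets when a workflow requests a token for AWS


def expected_issuer(enterprise_slug: Optional[str]) -> str:
    """The issuer a token must carry: GitHub's shared issuer, or the
    enterprise-specific one when an enterprise slug is configured."""
    base = f"https://{GITHUB_OIDC_HOST}"
    return f"{base}/{enterprise_slug}" if enterprise_slug else base


def validate_claims(claims: Dict, enterprise_slug: Optional[str],
                    allowed_subjects: Iterable[str]) -> Tuple[bool, str]:
    """Decide whether a decoded (already signature-verified) token may assume
    the role: `iss` must equal the expected issuer exactly, `aud` must contain
    the AWS audience and `sub` must match one StringLike-style pattern."""
    iss = claims.get("iss")
    if iss != expected_issuer(enterprise_slug):
        return False, f"issuer mismatch: {iss!r}"
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if AWS_AUDIENCE not in auds:
        return False, f"audience mismatch: {aud!r}"
    sub = claims.get("sub", "")
    # '*' in an IAM StringLike pattern matches any characters, as in fnmatch.
    if not any(fnmatch.fnmatchcase(sub, pattern) for pattern in allowed_subjects):
        return False, f"subject not allowed: {sub!r}"
    return True, "ok"


def trust_policy(account_id: str, enterprise_slug: Optional[str],
                 allowed_subjects: List[str]) -> Dict:
    """Assumed shape of the role trust policy for this example: the OIDC
    provider is named by the issuer URL without its scheme, and the same
    string prefixes the condition keys. The key spelling is an assumption."""
    provider = GITHUB_OIDC_HOST + (f"/{enterprise_slug}" if enterprise_slug else "")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{provider}"},
            "Condition": {
                "StringEquals": {f"{provider}:aud": AWS_AUDIENCE},
                "StringLike": {f"{provider}:sub": allowed_subjects},
            },
        }],
    }


# Constructed sample claims (not real tokens): the same workflow run as seen
# from the shared issuer, from a hypothetical enterprise "acme", and from an
# issuer whose slug merely contains "acme".
SHARED_TOKEN = {"iss": expected_issuer(None), "aud": AWS_AUDIENCE,
                "sub": "repo:acme/app:ref:refs/heads/main"}
ENTERPRISE_TOKEN = {**SHARED_TOKEN, "iss": expected_issuer("acme")}
LOOKALIKE_TOKEN = {**SHARED_TOKEN, "iss": expected_issuer("acme-staging")}
ALLOWED = ["repo:acme/app:ref:refs/heads/*", "repo:acme/app:environment:prod"]

if __name__ == "__main__":
    for name, token in [("shared", SHARED_TOKEN), ("enterprise", ENTERPRISE_TOKEN),
                        ("lookalike", LOOKALIKE_TOKEN)]:
        print(name, validate_claims(token, "acme", ALLOWED))
    print(json.dumps(trust_policy("123456789012", "acme", ALLOWED), indent=2))
```

With enterprise_slug set to "acme", only ENTERPRISE_TOKEN passes; the shared-issuer token and the acme-staging token both fail on the issuer check before any subject pattern is consulted. A pull_request subject is also rejected by the branch-only allow list, which is the usual reason to pin sub to refs/heads or an environment rather than to the repository alone.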

@unfunco unfunco added the feature 💡 A new feature. label Jun 4, 2023
@unfunco unfunco self-assigned this Jun 4, 2023
@bridgecrew bridgecrew bot left a comment


Bridgecrew has found errors in this PR ⬇️

@@ -22,8 +24,6 @@ module "aws_oidc_github" {
iam_role_inline_policies = {
"example_inline_policy" : data.aws_iam_policy_document.example.json
}

additional_thumbprints = var.additional_thumbprints
}

data "aws_iam_policy_document" "example" {
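Review bot: the finding attached to this hunk targets `aws_iam_policy_document.example`, but only its opening line `data "aws_iam_policy_document" "example" {` is inside the visible context; the statement body that a data-exfiltration check would examine (the `actions` list and a `resources = ["*"]` entry) sits outside the hunk, so the issue cannot be confirmed or dismissed from this diff alone. Since the example module call consumes the document through `"example_inline_policy" : data.aws_iam_policy_document.example.json`, include the full data block in the change so the policy that ends up inline on the role can be reviewed next to the module call that installs it.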
@bridgecrew bridgecrew bot Jun 4, 2023


LOW  Ensure IAM policies do not allow data exfiltration
    Resource: aws_iam_policy_document.example | Bridgecrew ID: BC_AWS_IAM_55 | Checkov ID: CKV_AWS_108

How to Fix

```hcl
data "aws_iam_policy_document" "example" {
  statement {
    sid    = "1"
    effect = "Allow"
    # Create-only actions: none of these read data, so the
    # data-exfiltration check does not fire even with a wildcard resource.
    actions = [
      "lambda:CreateFunction",
      "lambda:CreateEventSourceMapping",
      "dynamodb:CreateTable",
    ]
    resources = [
      "*",
    ]
  }
}
```

Description

Data Exfiltration actions allow certain read-only IAM actions without resource constraints, such as s3:GetObject, ssm:GetParameter*, or secretsmanager:GetSecretValue.

1 - Unrestricted s3:GetObject permissions have a long history of customer data leaks.
2 - ssm:GetParameter* and secretsmanager:GetSecretValue are both used to access secrets.
3 - rds:CopyDBSnapshot and rds:CreateDBSnapshot can be used to exfiltrate RDS database contents.

For more information, visit the cloudsplaining documentation: https://cloudsplaining.readthedocs.io/en/latest/glossary/data-exfiltration/

     🎉   Fixed by commit 618feaa - Update example to avoid a security warning
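The check the bot describes (data-read actions granted on an unconstrained resource) is straightforward to reproduce against the rendered JSON of an aws_iam_policy_document, which is what the module receives through the .json attribute. The Python below is an added example written for this page, not Checkov's or Bridgecrew's implementation: find_data_exfiltration and the action list it uses are assumptions, and both sample policies are constructed here, one shaped like the bot's suggested replacement and one shaped like the pattern the finding warns about, including a scoped secretsmanager statement that must not be flagged.

```python
"""Added example: flag IAM statements that grant data-read actions on a
wildcard resource, the pattern behind the CKV_AWS_108 finding above.
Written for this page; not Checkov's or Bridgecrew's code."""
import fnmatch
import json
from typing import Dict, List, Tuple

# Actions the finding's description names, plus the ssm:GetParameter* family.
# The exact list a scanner uses may differ; this one is an assumption.
DATA_EXFIL_ACTIONS = [
    "s3:GetObject",
    "ssm:GetParameter",
    "ssm:GetParameters",
    "ssm:GetParametersByPath",
    "secretsmanager:GetSecretValue",
    "rds:CopyDBSnapshot",
    "rds:CreateDBSnapshot",
]


def _as_list(value) -> List[str]:
    """IAM allows a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_grants(policy_action: str, concrete_action: str) -> bool:
    """IAM action names are case-insensitive and '*' in a policy action matches
    any characters, so 'ssm:GetParameter*', 's3:*' and '*' all cover the
    corresponding concrete actions."""
    return fnmatch.fnmatchcase(concrete_action.lower(), policy_action.lower())


def find_data_exfiltration(policy: Dict) -> List[Tuple[str, str, str]]:
    """Return (statement id, policy action, matched data action) for every
    Allow statement whose Resource list contains '*' and whose Action covers
    a data-read action. Deny statements and scoped resources are ignored."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue
        sid = stmt.get("Sid", f"statement[{index}]")
        for policy_action in _as_list(stmt.get("Action")):
            for concrete in DATA_EXFIL_ACTIONS:
                if _action_grants(policy_action, concrete):
                    findings.append((sid, policy_action, concrete))
    return findings


# Constructed sample: the shape of the bot's suggested fix (create-only actions).
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "1",
        "Effect": "Allow",
        "Action": ["lambda:CreateFunction", "lambda:CreateEventSourceMapping",
                   "dynamodb:CreateTable"],
        "Resource": "*",
    }],
}

# Constructed sample: one statement of the kind the finding warns about and one
# that reads a secret but is scoped to a resource ARN, so it is not reported.
FLAGGED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadAnyObject", "Effect": "Allow",
         "Action": ["s3:GetObject", "ssm:GetParameter*"], "Resource": "*"},
        {"Sid": "ScopedSecret", "Effect": "Allow",
         "Action": "secretsmanager:GetSecretValue",
         "Resource": "arn:aws:secretsmanager:eu-west-1:123456789012:secret:app/*"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(find_data_exfiltration(FIXED_POLICY)))
    print(json.dumps(find_data_exfiltration(FLAGGED_POLICY), indent=2))
```

Run against FIXED_POLICY the function returns nothing, which is why the bot's replacement clears the warning: the wildcard resource is still there, but the actions create resources rather than read data. Against FLAGGED_POLICY it reports s3:GetObject once and the ssm:GetParameter* wildcard three times, once per concrete parameter-read action it expands to, while the scoped secretsmanager statement stays clean.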

@unfunco unfunco merged commit c1d6cc1 into main Jun 4, 2023
@unfunco unfunco deleted the feat/enterprise branch June 4, 2023 04:00
@github-actions github-actions bot mentioned this pull request Feb 5, 2024
Labels
feature 💡 A new feature.
1 participant