From d16768f995aab425ded4347bae3e6bd57fd1eeae Mon Sep 17 00:00:00 2001
From: Darwin Chowdary
Date: Fri, 17 Nov 2023 12:13:29 -0800
Subject: [PATCH 1/2] chore: update CFN stack to add managed policies to ci and release role

---
 cfn/ci_cd.yml | 55 +++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 53 insertions(+), 2 deletions(-)

diff --git a/cfn/ci_cd.yml b/cfn/ci_cd.yml
index 73331d03b..d6c3a79f8 100644
--- a/cfn/ci_cd.yml
+++ b/cfn/ci_cd.yml
@@ -141,6 +141,7 @@ Resources:
         - !Ref SecretsManagerPolicyCI
         - !Ref ParameterStorePolicy
         - !Ref CodeBuildBasePolicyCI
+        - !Ref HierarchicalKeyringTestTableUsage
         - "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess"
         - "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess"
 
@@ -159,6 +160,7 @@ Resources:
         - !Ref CodeBuildBasePolicy
         - !Ref SecretsManagerPolicyRelease
         - !Ref ParameterStorePolicy
+        - !Ref HierarchicalKeyringTestTableUsage
         - "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess"
         - "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess"
 
@@ -382,17 +384,66 @@ Resources:
             "Effect": "Allow",
             "Resource": [
               "arn:aws:kms:*:658956600833:key/*",
-              "arn:aws:kms:*:658956600833:alias/*"
+              "arn:aws:kms:*:658956600833:alias/*",
+              "arn:aws:kms:*:370957321024:key/*",
+              "arn:aws:kms:*:370957321024:alias/*"
             ],
             "Action": [
               "kms:Encrypt",
               "kms:Decrypt",
-              "kms:GenerateDataKey"
+              "kms:ReEncrypt*",
+              "kms:Generate*",
+              "kms:GetPublicKey",
+              "kms:DescribeKey"
             ]
           }
         ]
       }
 
+  HierarchicalKeyringTestTableUsage:
+    Type: "AWS::IAM::ManagedPolicy"
+    Properties:
+      Description: "Allow Read, Write, and Delete of Items in HierarchicalKeyringTestTable"
+      ManagedPolicyName: !Sub "${ProjectName}-DDB-ReadWriteDelete-${AWS::Region}"
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Action:
+              - dynamodb:PutItem
+              - dynamodb:DeleteItem
+              - dynamodb:GetItem
+              - dynamodb:Query
+            Resource:
+              - "arn:aws:dynamodb:us-west-2:370957321024:table/HierarchicalKeyringTestTable"
+              - "arn:aws:dynamodb:us-west-2:370957321024:table/HierarchicalKeyringTestTable/index/*"
+          - Effect: Allow
+            Action:
+              - dynamodb:DescribeTable
+              - dynamodb:CreateTable
+              - dynamodb:PutItem
+              - dynamodb:DeleteItem
+              - dynamodb:GetItem
+              - dynamodb:Query
+              - dynamodb:ConditionCheckItem
+              - dynamodb:UpdateItem
+            Resource:
+              - "arn:aws:dynamodb:us-west-2:370957321024:table/KeyStoreTestTable"
+              - "arn:aws:dynamodb:us-west-2:370957321024:table/KeyStoreTestTable/index/*"
+          - Effect: Allow
+            Action:
+              - dynamodb:DescribeTable
+              - dynamodb:CreateTable
+              - dynamodb:PutItem
+              - dynamodb:DeleteItem
+              - dynamodb:GetItem
+              - dynamodb:Query
+              - dynamodb:ConditionCheckItem
+              - dynamodb:UpdateItem
+            Resource:
+              - "arn:aws:dynamodb:us-west-2:370957321024:table/KeyStoreDdbTable"
+              - "arn:aws:dynamodb:us-west-2:370957321024:table/KeyStoreDdbTable/index/*"
+
   ParameterStorePolicy:
     Type: "AWS::IAM::ManagedPolicy"
     Properties:

From fa2b5e16d03ec05d78f475fd5a110609ca81c7b9 Mon Sep 17 00:00:00 2001
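Review bot: `"kms:Generate*"` in the new Action list is broader than the `kms:GenerateDataKey` it replaces — it also matches GenerateMac and GenerateRandom — and paired with `key/*` over a second account (370957321024) every key there becomes usable for all of them. Unless a keyring under test needs the extra calls, enumerate them, e.g. `"kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:GenerateDataKeyPair"`, and likewise spell out `kms:ReEncryptFrom`/`kms:ReEncryptTo` instead of `kms:ReEncrypt*`. Separately, the new HierarchicalKeyringTestTableUsage policy hard-codes `us-west-2` in every table ARN while its ManagedPolicyName is suffixed with `${AWS::Region}`, so a deployment in another region produces a policy whose name claims that region but whose grants still point at us-west-2 tables; use `${AWS::Region}` in the ARNs or drop the suffix. The KMS policy whose Action list is edited starts above this hunk.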
From: Darwin Chowdary
Date: Fri, 17 Nov 2023 15:28:08 -0800
Subject: [PATCH 2/2] chore: add CFN template for non-prod account role

---
 cfn/Public-ESDK-Java-CI.yml | 67 +++++++++++++++++++++++++++++++++++++
 cfn/ci_cd.yml               | 63 +++++++++++-----------------------
 2 files changed, 86 insertions(+), 44 deletions(-)
 create mode 100644 cfn/Public-ESDK-Java-CI.yml

diff --git a/cfn/Public-ESDK-Java-CI.yml b/cfn/Public-ESDK-Java-CI.yml
new file mode 100644
index 000000000..132387677
--- /dev/null
+++ b/cfn/Public-ESDK-Java-CI.yml
@@ -0,0 +1,67 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: "DDB Table and IAM Managed Policies/Role for AWS KMS Hierarchical Keyring Testing"
+
+Parameters:
+  TableName:
+    Type: String
+    Description: Test Table Name
+    Default: HierarchicalKeyringTestTable
+  KeyStoreTable:
+    Type: String
+    Description: Key Store Test Table Name
+    Default: KeyStoreTestTable
+  ProjectName:
+    Type: String
+    Description: A prefix that will be applied to any names
+    Default: Public-ESDK-Java
+  GitHubRepo:
+    Type: String
+    Description: GitHub Repo that invokes CI
+    Default: aws/aws-encryption-sdk-java
+
+Resources:
+  GitHubCIRole:
+    Type: 'AWS::IAM::Role'
+    Properties:
+      RoleName: !Sub "GitHub-CI-${ProjectName}-Role-${AWS::Region}"
+      Description: "Access DDB, KMS, Resources for CI from GitHub"
+      ManagedPolicyArns:
+        - "arn:aws:iam::370957321024:policy/ESDK-Dafny-DDB-ReadWriteDelete-us-west-2"
+        - "arn:aws:iam::370957321024:policy/Hierarchical-GitHub-KMS-Key-Policy"
+        - "arn:aws:iam::370957321024:policy/KMS-Public-CMK-EncryptDecrypt-Key-Access"
+        - "arn:aws:iam::370957321024:policy/RSA-GitHub-KMS-Key-Policy"
+      AssumeRolePolicyDocument: !Sub |
+        {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Principal": { "Federated": "arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com" },
+              "Action": "sts:AssumeRoleWithWebIdentity",
+              "Condition": {
+                "StringEquals": {
+                  "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
+                },
+                "StringLike": {
+                  "token.actions.githubusercontent.com:sub": "repo:${GitHubRepo}:*"
+                }
+              }
+            },
+            {
+              "Effect": "Allow",
+              "Principal": {
+                "AWS": "*"
+              },
+              "Action": "sts:AssumeRole",
+              "Condition": {
+                "StringEquals": {
+                  "aws:PrincipalArn": [
+                    "arn:aws:iam::587316601012:role/service-role/codebuild-AWS-ESDK-Java-service-role-ci",
+                    "arn:aws:iam::587316601012:role/service-role/codebuild-AWS-ESDK-Java-service-role-release",
+                    "arn:aws:iam::${AWS::AccountId}:role/ToolsDevelopment"
+                  ]
+                }
+              }
+            }
+          ]
+        }
diff --git a/cfn/ci_cd.yml b/cfn/ci_cd.yml
index d6c3a79f8..df27dffdb 100644
--- a/cfn/ci_cd.yml
+++ b/cfn/ci_cd.yml
@@ -142,6 +142,7 @@ Resources:
         - !Ref ParameterStorePolicy
         - !Ref CodeBuildBasePolicyCI
         - !Ref HierarchicalKeyringTestTableUsage
+        - !Ref CodeBuildCISTSAllow
         - "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess"
         - "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess"
 
@@ -161,9 +162,27 @@ Resources:
         - !Ref SecretsManagerPolicyRelease
         - !Ref ParameterStorePolicy
         - !Ref HierarchicalKeyringTestTableUsage
+        - !Ref CodeBuildCISTSAllow
         - "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess"
         - "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess"
 
+  CodeBuildCISTSAllow:
+    Type: "AWS::IAM::ManagedPolicy"
+    Properties:
+      ManagedPolicyName: !Sub CodeBuildCISTSAllow-${ProjectName}
+      Path: /service-role/
+      PolicyDocument: |
+        {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Action": "sts:AssumeRole",
+              "Resource": "arn:aws:iam::370957321024:role/GitHub-CI-Public-ESDK-Java-Role-us-west-2"
+            }
+          ]
+        }
+
   CodeBuildBatchPolicy:
     Type: "AWS::IAM::ManagedPolicy"
     Properties:
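Review bot: The GitHub trust statement's `sub` condition `repo:${GitHubRepo}:*` lets a workflow running on any branch, tag, pull request or environment of the repository assume GitHubCIRole, and with it the KMS and DynamoDB policies attached above; if only the default branch or a gated environment needs it, narrow the match, e.g. `"token.actions.githubusercontent.com:sub": "repo:${GitHubRepo}:ref:refs/heads/master"` or a `repo:${GitHubRepo}:environment:<name>` pattern (adjust to the actual branch). The second statement trusts `"AWS": "*"` filtered by `aws:PrincipalArn`, which is a string match on the ARN rather than on the role's unique principal ID, so a role deleted and recreated under the same name in 587316601012 keeps its access — worth a one-line comment above `AssumeRolePolicyDocument` stating that this is intended. Also, TableName and KeyStoreTable are declared but used by no resource, and the Description promises a "DDB Table" that this template does not create; drop the two parameters or reword to `Description: "IAM Role for AWS KMS Hierarchical Keyring Testing in the non-prod account"`. The ManagedPolicyArns entries hard-code account 370957321024 while the trust policy uses `${AWS::AccountId}`, so deploying elsewhere fails on missing policies — use `${AWS::AccountId}` there too or document that the template is account-specific.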
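Review bot: CodeBuildCISTSAllow is attached to both the CI role (hunk at 142) and the release role here, so the release build can also assume the non-prod GitHub-CI role and reach its test tables and KMS keys; if the release pipeline does not run the hierarchical-keyring tests, attach the policy to the CI role only. The target `Resource` ARN hard-codes `Public-ESDK-Java` and `us-west-2` while the other template derives its RoleName from `${ProjectName}` and `${AWS::Region}`, so renaming or redeploying either side silently breaks the assume; add `# must match RoleName in cfn/Public-ESDK-Java-CI.yml` above `PolicyDocument: |` (not inside the block scalar, where a `#` line would become part of the JSON string). The release role's ManagedPolicyArns list starts above this hunk.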
@@ -400,50 +419,6 @@ Resources:
         ]
       }
 
-  HierarchicalKeyringTestTableUsage:
-    Type: "AWS::IAM::ManagedPolicy"
-    Properties:
-      Description: "Allow Read, Write, and Delete of Items in HierarchicalKeyringTestTable"
-      ManagedPolicyName: !Sub "${ProjectName}-DDB-ReadWriteDelete-${AWS::Region}"
-      PolicyDocument:
-        Version: '2012-10-17'
-        Statement:
-          - Effect: Allow
-            Action:
-              - dynamodb:PutItem
-              - dynamodb:DeleteItem
-              - dynamodb:GetItem
-              - dynamodb:Query
-            Resource:
-              - "arn:aws:dynamodb:us-west-2:370957321024:table/HierarchicalKeyringTestTable"
-              - "arn:aws:dynamodb:us-west-2:370957321024:table/HierarchicalKeyringTestTable/index/*"
-          - Effect: Allow
-            Action:
-              - dynamodb:DescribeTable
-              - dynamodb:CreateTable
-              - dynamodb:PutItem
-              - dynamodb:DeleteItem
-              - dynamodb:GetItem
-              - dynamodb:Query
-              - dynamodb:ConditionCheckItem
-              - dynamodb:UpdateItem
-            Resource:
-              - "arn:aws:dynamodb:us-west-2:370957321024:table/KeyStoreTestTable"
-              - "arn:aws:dynamodb:us-west-2:370957321024:table/KeyStoreTestTable/index/*"
-          - Effect: Allow
-            Action:
-              - dynamodb:DescribeTable
-              - dynamodb:CreateTable
-              - dynamodb:PutItem
-              - dynamodb:DeleteItem
-              - dynamodb:GetItem
-              - dynamodb:Query
-              - dynamodb:ConditionCheckItem
-              - dynamodb:UpdateItem
-            Resource:
-              - "arn:aws:dynamodb:us-west-2:370957321024:table/KeyStoreDdbTable"
-              - "arn:aws:dynamodb:us-west-2:370957321024:table/KeyStoreDdbTable/index/*"
-
   ParameterStorePolicy:
     Type: "AWS::IAM::ManagedPolicy"
     Properties: