Merge pull request #1580 from aws/asmarp/limit-cdk-permissions

philasmar · web-flow · commit d471780250f4 · 2023-09-15T12:43:13.000-04:00
chore: restrict permissions for IAM role used by smoke tests
diff --git a/LambdaRuntimeDockerfiles/Infrastructure/src/Infrastructure/PipelineStack.cs b/LambdaRuntimeDockerfiles/Infrastructure/src/Infrastructure/PipelineStack.cs
@@ -290,6 +290,13 @@ internal PipelineStack(
                 }
             });
 
+            var smokeTestsLambdaFunctionRole = new Role(this, "SmokeTestsLambdaFunctionRole", new RoleProps
+            {
+                RoleName = $"image-function-tests-{Guid.NewGuid()}",
+                ManagedPolicies = new IManagedPolicy[] { ManagedPolicy.FromAwsManagedPolicyName("service-role/AWSLambdaBasicExecutionRole") },
+                AssumedBy = new ServicePrincipal("lambda.amazonaws.com")
+            });
+
             // Smoke test AMD64 image
             var amd64SmokeTests = new Project(this, "SmokeTests-amd64", new ProjectProps
             {
@@ -314,24 +321,82 @@ internal PipelineStack(
                     {"AWS_LAMBDA_DOTNET_FRAMEWORK_VERSION", new BuildEnvironmentVariable {Value = framework}},
                     {"AWS_LAMBDA_DOTNET_FRAMEWORK_CHANNEL", new BuildEnvironmentVariable {Value = channel}},
                     {"AWS_LAMBDA_DOTNET_BUILD_IMAGE", new BuildEnvironmentVariable {Value = dockerBuildImage}},
-                    {"AWS_LAMBDA_DOTNET_SDK_VERSION", new BuildEnvironmentVariable {Value = configuration.DotnetSdkVersions.ContainsKey(framework) ? configuration.DotnetSdkVersions[framework] : string.Empty }}
-                }
+                    {"AWS_LAMBDA_DOTNET_SDK_VERSION", new BuildEnvironmentVariable {Value = configuration.DotnetSdkVersions.ContainsKey(framework) ? configuration.DotnetSdkVersions[framework] : string.Empty }},
+                    {"AWS_LAMBDA_SMOKETESTS_LAMBDA_ROLE", new BuildEnvironmentVariable {Value = smokeTestsLambdaFunctionRole.RoleArn}}
+                },
             });
 
-            var smokeTestsPolicy = new PolicyStatement(new PolicyStatementProps
+            var smokeTestsPolicies = new List<PolicyStatement>();
+
+            // ECR Policies
+            smokeTestsPolicies.Add(new PolicyStatement(new PolicyStatementProps
             {
                 Effect = Effect.ALLOW,
                 Actions = new[]
                 {
-                    "sts:*",
-                    "iam:*",
-                    "ecr:*",
-                    "lambda:*"
+                    "ecr:BatchCheckLayerAvailability",
+                    "ecr:BatchDeleteImage",
+                    "ecr:BatchGetImage",
+                    "ecr:CompleteLayerUpload",
+                    "ecr:CreateRepository",
+                    "ecr:DescribeRepositories",
+                    "ecr:GetAuthorizationToken",
+                    "ecr:GetDownloadUrlForLayer",
+                    "ecr:InitiateLayerUpload",
+                    "ecr:PutImage",
+                    "ecr:UploadLayerPart"
+                },
+                Resources = new[] { 
+                    $"arn:aws:ecr:{configuration.Region}:{configuration.AccountId}:repository/image-function-tests",
+                    $"arn:aws:ecr:{configuration.Region}:{configuration.AccountId}:repository/{ecrRepositoryName}"
+                }
+            }));
+
+            // The following ECR policy needs to specify * as the resource since that is what is explicitly stated by the following error:
+            // An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation:
+            // User: *** is not authorized to perform: ecr:GetAuthorizationToken on resource: * because no identity-based policy
+            // allows the ecr:GetAuthorizationToken action
+            smokeTestsPolicies.Add(new PolicyStatement(new PolicyStatementProps
+            {
+                Effect = Effect.ALLOW,
+                Actions = new[]
+                {
+                    "ecr:GetAuthorizationToken"
                 },
                 Resources = new[] { "*" }
-            });
+            }));
 
-            amd64SmokeTests.AddToRolePolicy(smokeTestsPolicy);
+            // IAM Policies
+            smokeTestsPolicies.Add(new PolicyStatement(new PolicyStatementProps
+            {
+                Effect = Effect.ALLOW,
+                Actions = new[]
+                {
+                    "iam:PassRole"
+                },
+                Resources = new[] { smokeTestsLambdaFunctionRole.RoleArn }
+            }));
+
+            // Lambda Policies
+            smokeTestsPolicies.Add(new PolicyStatement(new PolicyStatementProps
+            {
+                Effect = Effect.ALLOW,
+                Actions = new[]
+                {
+                    "lambda:CreateFunction",
+                    "lambda:DeleteFunction",
+                    "lambda:GetFunction",
+                    "lambda:GetFunctionConfiguration",
+                    "lambda:InvokeFunction",
+                    "lambda:UpdateFunctionConfiguration"
+                },
+                Resources = new[] {
+                    $"arn:aws:lambda:{configuration.Region}:{configuration.AccountId}:function:image-function-tests-*"
+                }
+            }));
+
+            foreach (var policy in smokeTestsPolicies)
+                amd64SmokeTests.AddToRolePolicy(policy);
 
             var smokeTestsActions = new List<Action>();
             smokeTestsActions.Add(new CodeBuildAction(new CodeBuildActionProps
@@ -367,11 +432,13 @@ internal PipelineStack(
                         {"AWS_LAMBDA_DOTNET_FRAMEWORK_VERSION", new BuildEnvironmentVariable {Value = framework}},
                         {"AWS_LAMBDA_DOTNET_FRAMEWORK_CHANNEL", new BuildEnvironmentVariable {Value = channel}},
                         {"AWS_LAMBDA_DOTNET_BUILD_IMAGE", new BuildEnvironmentVariable {Value = dockerBuildImage}},
-                        {"AWS_LAMBDA_DOTNET_SDK_VERSION", new BuildEnvironmentVariable {Value = configuration.DotnetSdkVersions.ContainsKey(framework) ? configuration.DotnetSdkVersions[framework] : string.Empty }}
+                        {"AWS_LAMBDA_DOTNET_SDK_VERSION", new BuildEnvironmentVariable {Value = configuration.DotnetSdkVersions.ContainsKey(framework) ? configuration.DotnetSdkVersions[framework] : string.Empty }},
+                        {"AWS_LAMBDA_SMOKETESTS_LAMBDA_ROLE", new BuildEnvironmentVariable {Value = smokeTestsLambdaFunctionRole.RoleArn}}
                     }
                 });
 
-                arm64SmokeTests.AddToRolePolicy(smokeTestsPolicy);
+                foreach (var policy in smokeTestsPolicies)
+                    arm64SmokeTests.AddToRolePolicy(policy);
 
                 smokeTestsActions.Add(new CodeBuildAction(new CodeBuildActionProps
                 {
diff --git a/LambdaRuntimeDockerfiles/SmokeTests/test/ImageFunction.SmokeTests/ImageFunctionTests.cs b/LambdaRuntimeDockerfiles/SmokeTests/test/ImageFunction.SmokeTests/ImageFunctionTests.cs
@@ -41,7 +41,6 @@ public class ImageFunctionTests : IDisposable
         private static readonly RegionEndpoint TestRegion = RegionEndpoint.USWest2;
         private readonly AmazonLambdaClient _lambdaClient;
         private readonly AmazonIdentityManagementServiceClient _iamClient;
-        private readonly string _executionRoleName;
         private string _executionRoleArn;
 
         private static readonly string LambdaAssumeRolePolicy =
@@ -67,16 +66,17 @@ public class ImageFunctionTests : IDisposable
 
         public ImageFunctionTests()
         {
-            _executionRoleName = $"{TestIdentifier}-{Guid.NewGuid()}";
             _functionName = $"{TestIdentifier}-{Guid.NewGuid()}";
             var lambdaConfig = new AmazonLambdaConfig()
             {
                 RegionEndpoint = TestRegion
             };
             _lambdaClient = new AmazonLambdaClient(lambdaConfig);
             _iamClient = new AmazonIdentityManagementServiceClient(TestRegion);
+            _executionRoleArn = Environment.GetEnvironmentVariable("AWS_LAMBDA_SMOKETESTS_LAMBDA_ROLE");
             _imageUri = Environment.GetEnvironmentVariable("AWS_LAMBDA_IMAGE_URI");
 
+            Assert.NotNull(_executionRoleArn);
             Assert.NotNull(_imageUri);
 
             SetupAsync().GetAwaiter().GetResult();
@@ -166,7 +166,6 @@ private async Task<InvokeResponse> InvokeFunctionAsync(string payload)
 
         private async Task SetupAsync()
         {
-            await CreateRoleAsync();
             await CreateFunctionAsync();
         }
 
@@ -227,29 +226,6 @@ await _lambdaClient.CreateFunctionAsync(new CreateFunctionRequest
             }
         }
 
-        private async Task CreateRoleAsync()
-        {
-            var response = await _iamClient.CreateRoleAsync(new CreateRoleRequest
-            {
-                RoleName = _executionRoleName,
-                Description = $"Test role for {TestIdentifier}.",
-                AssumeRolePolicyDocument = LambdaAssumeRolePolicy
-            });
-            _executionRoleArn = response.Role.Arn;
-
-            // Wait  10 seconds to let execution role propagate
-            await Task.Delay(10000);
-
-            await _iamClient.AttachRolePolicyAsync(new AttachRolePolicyRequest
-            {
-                RoleName = _executionRoleName,
-                PolicyArn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
-            });
-
-            // Wait  10 seconds to let execution role propagate
-            await Task.Delay(10000);
-        }
-
         private static string GetArchitecture()
         {
             switch (RuntimeInformation.ProcessArchitecture)
@@ -297,7 +273,6 @@ protected virtual void Dispose(bool disposing)
 
         private async Task TearDownAsync()
         {
-            await DeleteRoleIfExistsAsync();
             await DeleteFunctionIfExistsAsync();
         }
 
@@ -316,30 +291,6 @@ await _lambdaClient.DeleteFunctionAsync(new DeleteFunctionRequest
             }
         }
 
-        private async Task DeleteRoleIfExistsAsync()
-        {
-            try
-            {
-                await _iamClient.DetachRolePolicyAsync(new DetachRolePolicyRequest
-                {
-                    RoleName = _executionRoleName,
-                    PolicyArn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
-                });
-
-                // Wait 10 seconds to let execution role propagate
-                await Task.Delay(10000);
-
-                await _iamClient.DeleteRoleAsync(new DeleteRoleRequest
-                {
-                    RoleName = _executionRoleName
-                });
-            }
-            catch (NoSuchEntityException)
-            {
-                // No action required
-            }
-        }
-
         #endregion
     }
 }
