From ce7f1b8e94030ae65e0d1f10a962a74e2275218d Mon Sep 17 00:00:00 2001 From: julialawrence Date: Thu, 5 Oct 2023 12:10:17 +0100 Subject: [PATCH 1/7] Adding explicit attach json policy var to avoid plan failures. --- main.tf | 2 +- test/unit-test/main.tf | 15 +++++++++++ test/unit-test/s3.tf | 58 ++++++++++++++++++++++++++++++++++++++++++ variables.tf | 8 ++++++ 4 files changed, 82 insertions(+), 1 deletion(-) create mode 100644 test/unit-test/s3.tf diff --git a/main.tf b/main.tf index 2c04b07..59591ad 100644 --- a/main.tf +++ b/main.tf @@ -37,7 +37,7 @@ resource "aws_iam_role" "this" { } resource "aws_iam_policy" "policy_from_json" { - count = var.create_role && can(var.policy_json) ? 1 : 0 + count = var.create_role && var.policy_json_attached ? 1 : 0 name = coalesce(var.policy_name, var.role_name, var.function_name) policy = var.policy_json tags = var.tags diff --git a/test/unit-test/main.tf b/test/unit-test/main.tf index bbd441d..e4d7427 100644 --- a/test/unit-test/main.tf +++ b/test/unit-test/main.tf @@ -5,6 +5,7 @@ module "module_test" { tags = local.tags description = "test lambda" role_name = "InstanceSchedulerLambdaFunctionPolicy" + policy_json_attached = true policy_json = data.aws_iam_policy_document.instance-scheduler-lambda-function-policy.json function_name = "instance-scheduler-lambda-function" create_role = true @@ -131,6 +132,20 @@ data "aws_iam_policy_document" "instance-scheduler-lambda-function-policy" { resources = ["*"] actions = ["kms:Decrypt"] } + statement { + sid = "s3Access" + effect = "Allow" + actions = [ + "s3:GetObject", + "s3:PutObject", + "s3:ListBucket", + "s3:GetBucketLocation" + ] + resources = [ + "${module.s3-bucket.bucket.arn}/*", + "${module.s3-bucket.bucket.arn}" + ] + } } resource "aws_lambda_invocation" "test_invocation" { diff --git a/test/unit-test/s3.tf b/test/unit-test/s3.tf new file mode 100644 index 0000000..94de481 --- /dev/null +++ b/test/unit-test/s3.tf 
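Review bot: The new `policy_json_attached` gate still lets `policy = var.policy_json` evaluate with `policy_json` at its `null` default, so a caller who sets the flag without supplying a document gets the same plan failure this commit sets out to avoid. The removed `can(var.policy_json)` was never a real guard, since `can()` of a plain variable reference is true for every value including `null`, which is presumably why the policy was being created unconditionally. Tighten the count to `count = var.create_role && var.policy_json_attached && var.policy_json != null ? 1 : 0`, or drop the flag and gate on `var.policy_json != null` alone, which is what the original condition appears to have meant. The `aws_iam_role` resource is cut off at the top of the hunk.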
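Review bot: The `s3Access` statement lists object-level and bucket-level actions against both ARNs in one block, so `s3:GetObject`/`s3:PutObject` are granted on the bucket ARN and `s3:ListBucket`/`s3:GetBucketLocation` on `arn/*`, where neither can ever apply; splitting it keeps the fixture honest about what it needs and avoids resource-mismatch findings from policy linters. Whether the test Lambda actually writes objects is not visible here; if it only reads, drop `s3:PutObject` from the object statement. The enclosing `data "aws_iam_policy_document"` block starts above this hunk.
```hcl
  # … unchanged: earlier statements …
  statement {
    sid       = "s3BucketAccess"
    effect    = "Allow"
    actions   = ["s3:ListBucket", "s3:GetBucketLocation"]
    resources = [module.s3-bucket.bucket.arn]
  }
  statement {
    sid       = "s3ObjectAccess"
    effect    = "Allow"
    actions   = ["s3:GetObject", "s3:PutObject"]
    resources = ["${module.s3-bucket.bucket.arn}/*"]
  }
```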
@@ -0,0 +1,58 @@ +module "s3-bucket" { #tfsec:ignore:aws-s3-enable-versioning + source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0" + + bucket_prefix = "data-platform-products-${local.environment}" + versioning_enabled = false + # Refer to the below section "Replication" before enabling replication + replication_enabled = false + force_destroy = true + providers = { + # Here we use the default provider Region for replication. Destination buckets can be within the same Region as the + # source bucket. On the other hand, if you need to enable cross-region replication, please contact the Modernisation + # Platform team to add a new provider for the additional Region. + aws.bucket-replication = aws + } + + lifecycle_rule = [ + { + id = "main" + enabled = "Enabled" + prefix = "" + + tags = { + rule = "log" + autoclean = "true" + } + + transition = [ + { + days = 90 + storage_class = "STANDARD_IA" + }, { + days = 365 + storage_class = "GLACIER" + } + ] + + expiration = { + days = 730 + } + + noncurrent_version_transition = [ + { + days = 90 + storage_class = "STANDARD_IA" + }, { + days = 365 + storage_class = "GLACIER" + } + ] + + noncurrent_version_expiration = { + days = 730 + } + } + ] + + tags = local.tags +} \ No newline at end of file diff --git a/variables.tf b/variables.tf index af57aa8..7e62ec8 100644 --- a/variables.tf +++ b/variables.tf @@ -118,3 +118,11 @@ variable "memory_size" { type = number default = 128 } + +variable "policy_json_attached" { + + description = "A json policy document is being passed into the module" + type = bool + default = false + +} From 3dc297233bb0908d54335d95853c0127336c5431 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Thu, 5 Oct 2023 11:11:51 +0000 Subject: [PATCH 2/7] terraform-docs: automated action --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 71682e4..d12e274 100644 --- a/README.md +++ b/README.md 
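Review bot: The `noncurrent_version_transition` and `noncurrent_version_expiration` rules are dead configuration while `versioning_enabled = false`, because a bucket without versioning never has noncurrent versions, and the `#tfsec:ignore:aws-s3-enable-versioning` suppression carries no justification. Either enable versioning for the fixture and drop the suppression, or remove the two noncurrent rules and annotate the ignore, e.g. `#tfsec:ignore:aws-s3-enable-versioning unit-test fixture; bucket is force-destroyed after each run`. The `tags = { rule = "log", autoclean = "true" }` block inside the rule is presumably passed through by the module as the lifecycle filter, in which case the transitions and expiry only apply to objects carrying both tags, which nothing in this test writes; confirm that is intended or drop the filter. `force_destroy = true` is fine for a throwaway test bucket but deserves a one-line comment saying so, since the file otherwise reads like a production template.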
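Review bot: The description `A json policy document is being passed into the module` does not tell a caller that this flag, rather than the presence of `policy_json`, now decides whether the policy is created, nor that setting it without `policy_json` fails at plan time. Suggested wording: `Set to true when policy_json is supplied. The module only creates and attaches the JSON policy when this is true and create_role is true; policy_json must be non-null in that case.` If the Terraform version in use allows it, a `validation` block on the variable or a `precondition` on the policy resource would turn the mismatch into a clear error instead of a null-policy failure.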
@@ -92,6 +92,7 @@ No modules.
 | [package\_type](#input\_package\_type) | The Lambda deployment package type. Valid options: Image | `string` | `"Image"` | no |
 | [policy\_arns](#input\_policy\_arns) | List of policy statements ARN to attach to Lambda Function role | `list(string)` | `[]` | no |
 | [policy\_json](#input\_policy\_json) | An policy document as JSON to attach to the Lambda Function role | `string` | `null` | no |
+| [policy\_json\_attached](#input\_policy\_json\_attached) | A json policy document is being passed into the module | `bool` | `false` | no |
 | [policy\_name](#input\_policy\_name) | IAM policy name. It override the default value, which is the same as role\_name | `string` | `null` | no |
 | [reserved\_concurrent\_executions](#input\_reserved\_concurrent\_executions) | The amount of reserved concurrent executions for this Lambda Function. A value of 0 disables Lambda Function from being triggered and -1 removes any concurrency limitations. Defaults to Unreserved Concurrency Limits -1. | `number` | `-1` | no |
 | [role\_description](#input\_role\_description) | Description of IAM role to use for Lambda Function | `string` | `null` | no |
From 7971d955efc8a81704d9625ff20105046b995f6e Mon Sep 17 00:00:00 2001
From: julialawrence
Date: Thu, 5 Oct 2023 12:13:49 +0100
Subject: [PATCH 3/7] Fixing terratest workflow.
---
 .github/workflows/go-terratest.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/go-terratest.yml b/.github/workflows/go-terratest.yml
index afbe1bc..a0b961c 100644
--- a/.github/workflows/go-terratest.yml
+++ b/.github/workflows/go-terratest.yml
@@ -14,9 +14,8 @@ jobs: name: Run Go Unit Tests runs-on: ubuntu-latest steps: - dependabot/github_actions/actions/setup-go-4.0.0 - - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 - - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version: 1.18 - uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3 @@ -28,4 +27,4 @@ jobs: run: go mod download - name: Run Go Tests working-directory: test - run: go test -v + run: go test -v \ No newline at end of file From 48d2ee6e2724b005a29ef0908b39f074dd9e3e83 Mon Sep 17 00:00:00 2001 From: julialawrence Date: Thu, 5 Oct 2023 12:18:39 +0100 Subject: [PATCH 4/7] Removing another can() statement. --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 59591ad..22d33ad 100644 --- a/main.tf +++ b/main.tf @@ -44,7 +44,7 @@ resource "aws_iam_policy" "policy_from_json" { } resource "aws_iam_role_policy_attachment" "policy_from_json" { - count = var.create_role && can(var.policy_json) ? 1 : 0 + count = var.create_role && var.policy_json_attached ? 1 : 0 role = aws_iam_role.this[0].name policy_arn = aws_iam_policy.policy_from_json[0].arn } From d4dd3a27ff4b7cb4bd3c2245d2d7613617f4ebd3 Mon Sep 17 00:00:00 2001 From: Murdo <109604278+murdo-moj@users.noreply.github.com> Date: Thu, 5 Oct 2023 13:19:07 +0100 Subject: [PATCH 5/7] Specified resource --- test/unit-test/main.tf | 2 +- test/unit-test/s3.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/test/unit-test/main.tf b/test/unit-test/main.tf index e4d7427..3ea74a5 100644 --- a/test/unit-test/main.tf +++ b/test/unit-test/main.tf 
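Review bot: `go-version: 1.18` is left as-is while the actions around it are bumped, and Go 1.18 was already outside its support window at this commit date, so the test job runs on a toolchain that no longer receives security fixes. Prefer reading the version from the module under test, `go-version-file: test/go.mod`, which matches the `working-directory: test` used for `go mod download`, so the workflow and `go.mod` cannot drift; failing that, pin a currently supported release. Pinning `actions/checkout` and `actions/setup-go` to full commit SHAs with the version in a trailing comment is the right shape and should be kept when the next Dependabot bump lands. The removed stray line `dependabot/github_actions/actions/setup-go-4.0.0` looks like a pasted branch name, which suggests this file is edited by hand; the enclosing job definition starts above the hunk.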
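Review bot: The gate `var.create_role && var.policy_json_attached` is now duplicated verbatim between `aws_iam_policy.policy_from_json` and this attachment, and the attachment indexes `aws_iam_policy.policy_from_json[0]` unconditionally, so any future edit to one `count` and not the other produces an index-out-of-range error at plan time. Hoist it into a single local, `attach_policy_json = var.create_role && var.policy_json_attached && var.policy_json != null`, and use `count = local.attach_policy_json ? 1 : 0` in both resources. The `!= null` term also covers the case where the flag is set without a document, which the flag alone does not. The policy resource this attaches to is above the hunk.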
@@ -74,7 +74,7 @@ data "aws_iam_policy_document" "instance-scheduler-lambda-function-policy" { "logs:CreateLogGroup" ] resources = [ - format("arn:aws:logs:eu-west-2:%s:*", data.aws_caller_identity.current.account_id) + format("arn:aws:logs:eu-west-2:%s:aws/lambda/fake", data.aws_caller_identity.current.account_id) ] } statement { diff --git a/test/unit-test/s3.tf b/test/unit-test/s3.tf index 94de481..43ec9d5 100644 --- a/test/unit-test/s3.tf +++ b/test/unit-test/s3.tf @@ -55,4 +55,4 @@ module "s3-bucket" { #tfsec:ignore:aws-s3-enable-versioning ] tags = local.tags -} \ No newline at end of file +} From b05e4f0f59fe19327a11176bad228c20639135aa Mon Sep 17 00:00:00 2001 From: Murdo <109604278+murdo-moj@users.noreply.github.com> Date: Thu, 5 Oct 2023 13:28:49 +0100 Subject: [PATCH 6/7] Use hash for module reference --- test/unit-test/main.tf | 1 + test/unit-test/s3.tf | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/test/unit-test/main.tf b/test/unit-test/main.tf index 3ea74a5..b2ebf11 100644 --- a/test/unit-test/main.tf +++ b/test/unit-test/main.tf @@ -126,6 +126,7 @@ data "aws_iam_policy_document" "instance-scheduler-lambda-function-policy" { } # checkov:skip=CKV_AWS_111: "Cannot restrict by KMS alias so leaving open" # checkov:skip=CKV_AWS_109: "Cannot restrict by KMS alias so leaving open" + # checkov:skip=CKV_AWS_356: "Cannot restrict by KMS alias so leaving open" statement { sid = "AllowToDecryptKMS" effect = "Allow" diff --git a/test/unit-test/s3.tf b/test/unit-test/s3.tf index 43ec9d5..b883a81 100644 --- a/test/unit-test/s3.tf +++ b/test/unit-test/s3.tf @@ -1,5 +1,5 @@ module "s3-bucket" { #tfsec:ignore:aws-s3-enable-versioning - source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0" + source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc1" # Hash for v7.0.0 bucket_prefix = "data-platform-products-${local.environment}" versioning_enabled = false 
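Review bot: `arn:aws:logs:eu-west-2:%s:aws/lambda/fake` is not a valid CloudWatch Logs ARN, because the resource part must take the form `log-group:<name>`, so this statement now grants `logs:CreateLogGroup` on a resource that can never match rather than scoping it down. The function in this fixture is `instance-scheduler-lambda-function`, so the intended scope would be `format("arn:aws:logs:eu-west-2:%s:log-group:/aws/lambda/instance-scheduler-lambda-function:*", data.aws_caller_identity.current.account_id)`. The fixture does invoke the function through `aws_lambda_invocation.test_invocation`, so log-group creation will presumably be denied and the invocation's output silently lost; if the policy only needs to satisfy checkov and logs are not wanted, say so in a comment next to the resource. The statement's `actions` list starts above the hunk.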
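Review bot: The justification `Cannot restrict by KMS alias so leaving open` copied into the new `CKV_AWS_356` skip is not accurate: KMS supports the `kms:ResourceAliases` condition key, so `kms:Decrypt` on `*` can be narrowed to keys carrying a given alias without knowing the key ARN. Add a condition to the `AllowToDecryptKMS` statement, `condition { test = "ForAnyValue:StringEquals"  variable = "kms:ResourceAliases"  values = ["alias/<key-alias>"] }`, and all three skips can go. If the alias genuinely is not known at plan time, the skip comment should say that instead of being stacked on a third checker with the same text. The statement itself continues past the end of the hunk.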
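Review bot: `ref=8688bc1` pins the module to a 7-character abbreviated commit, which Git resolves by prefix match and which has no meaningful collision resistance, so it does not give the immutability guarantee the `# Hash for v7.0.0` comment implies. Use the complete 40-character SHA, `source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=<full sha>" # v7.0.0`, which Terraform accepts in the same `?ref=` form. Moving from the movable `v7.0.0` tag to a commit hash is the right direction; only the length needs fixing.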
From 93d515a7457136de03d47eddfad1416cc7772812 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Thu, 5 Oct 2023 12:29:32 +0000 Subject: [PATCH 7/7] Commit changes made by code formatters --- test/unit-test/s3.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/unit-test/s3.tf b/test/unit-test/s3.tf index b883a81..4843c30 100644 --- a/test/unit-test/s3.tf +++ b/test/unit-test/s3.tf @@ -1,4 +1,4 @@ -module "s3-bucket" { #tfsec:ignore:aws-s3-enable-versioning +module "s3-bucket" { #tfsec:ignore:aws-s3-enable-versioning source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc1" # Hash for v7.0.0 bucket_prefix = "data-platform-products-${local.environment}"