From a2c89c56a41af3105a5657061e2796311ee0ab87 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Javier=20S=C3=A1nchez=20Beltr=C3=A1n?= <36443689+javsanbel2@users.noreply.github.com> Date: Wed, 21 Aug 2024 13:17:43 +0200 Subject: [PATCH] Add optional deny global write access bucket policy section (#270) * Add optional deny global write access bucket policy section * docs * typo * test * test bool to string * variables.tf --- CHANGELOG.md | 4 ++++ VARIABLES.md | 17 +++++++++++++++++ s3.tf | 2 ++ templates/apiary-bucket-policy.json | 17 +++++++++++++++++ variables.tf | 12 ++++++++++++ 5 files changed, 52 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5063aca..fb0e130 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,10 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). +## [7.3.0] - 2024-08-20 +### Added +- If apiary_managed_schemas has `deny_global_write_access` enabled, only `producer_roles` will be able to write in the specified schema. + ## [7.2.3] - 2024-08-14 ### Fixed - Changed terraform cron job api from `kubernetes_cron_job` to `kubernetes_cron_job_v1` to compatible with eks v1.25 and later. diff --git a/VARIABLES.md b/VARIABLES.md index b21aa88..2948bd2 100644 --- a/VARIABLES.md +++ b/VARIABLES.md 
@@ -335,3 +335,20 @@ common_producer_iamroles = [
 ...
 ]
 ```
+
+### Deny global writes to bucket - `deny_global_write_access` and `producer_roles`
+
+Write access is granted by default for roles within the same AWS account. If you would like to protect the bucket so only certain roles can write you can use `deny_global_write_access` and `producer_roles`.
+
+If you would like to protect all buckets you can set the default variable `deny_global_write_access` to `true`. However, enabling only one bucket looks like this:
+
+```
+apiary_managed_schemas = [
+ {
+ schema_name = "sandbox"
+ ...
+ deny_global_write_access = true,
+ producer_roles = "arn:aws:iam::000000000:role/role-1,arn:aws:iam::000000000:role/role-2"
+ }
+]
+```
diff --git a/s3.tf b/s3.tf
index 3c5211f..cb84f5f 100644
--- a/s3.tf
+++ b/s3.tf
@@ -26,6 +26,8 @@ locals {
 governance_iamroles = join("\",\"", var.apiary_governance_iamroles)
 consumer_prefix_roles = lookup(var.apiary_consumer_prefix_iamroles, schema["schema_name"], {})
 common_producer_iamroles = join("\",\"", var.apiary_common_producer_iamroles)
+ deny_global_write_access = lookup(schema, "deny_global_write_access", var.deny_global_write_access)
+ producer_roles = lookup(schema, "producer_roles", var.producer_roles)
 })
 }
 }
diff --git a/templates/apiary-bucket-policy.json b/templates/apiary-bucket-policy.json
index 57a49db..eb8e8f6 100644
--- a/templates/apiary-bucket-policy.json
+++ b/templates/apiary-bucket-policy.json
@@ -85,6 +85,23 @@
 %{endif}
 %{endfor ~}
 %{endif}
+%{if deny_global_write_access == "true" && producer_roles != "" }
+ {
+ "Sid": "Deny write permissions to everything except the specified roles",
+ "Effect": "Deny",
+ "Principal": "*",
+ "Action": [
+ "s3:Put*",
+ "s3:Delete*"
+ ],
+ "Resource": "arn:aws:s3:::${bucket_name}/*",
+ "Condition": {
+ "StringNotLike": {
+ "aws:PrincipalArn": [ "${producer_roles}" ]
+ }
+ }
+ },
+%{endif}
 %{if deny_iamroles != ""}
 {
 "Sid": "Local role deny permissions",
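Review bot: `producer_roles = lookup(schema, "producer_roles", var.producer_roles)` hands the comma-separated string through untouched, but the template added in this same commit (templates/apiary-bucket-policy.json) interpolates it as one JSON string in `"aws:PrincipalArn": [ "${producer_roles}" ]`, so two roles render as `["arn1,arn2"]` — a single pattern that matches no principal, which turns the Deny into a lock-out of the producers as well as everyone else. The sibling role lists two lines up are pre-joined with `join("\",\"", …)` precisely so the template can emit them as separate JSON strings; doing the same here fixes the rendering without touching the template: `producer_roles = join("\",\"", compact(split(",", lookup(schema, "producer_roles", var.producer_roles))))`. `compact` keeps the empty default rendering as `""`, so the template's `producer_roles != ""` guard still suppresses the statement when no roles are given. The enclosing `locals` block begins before this hunk.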
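Review bot: The directive `%{if deny_global_write_access == "true" && producer_roles != "" }` compares against the string `"true"`, while `var.deny_global_write_access` (variables.tf in this commit) is declared `type = bool` and is the `lookup` default in s3.tf; as far as I can tell Terraform's `==` does not coerce across types, so the account-wide `deny_global_write_access = true` path described in VARIABLES.md would never enable the statement unless the value is converted to a string on its way in (for example by a `map(string)` element type on `apiary_managed_schemas`, which is not visible here). Normalising inside the directive removes the dependency on that coercion: `%{if tostring(deny_global_write_access) == "true" && producer_roles != "" }`. Note also that with `"Principal": "*"` and `StringNotLike` on `aws:PrincipalArn`, the Deny reaches every role absent from `producer_roles`, including the one applying this Terraform, for object `s3:Put*`/`s3:Delete*`; bucket-level actions are unaffected because the resource is `${bucket_name}/*` only.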
diff --git a/variables.tf b/variables.tf
index 1ec9a04..58b10af 100644
--- a/variables.tf
+++ b/variables.tf
@@ -811,3 +811,15 @@ variable "tcp_keepalive_probes" {
 type = number
 default = 2
 }
+
+variable "deny_global_write_access" {
+ description = "Deny all write permissions from the S3 bucket except producer_roles. See VARIABLES.md for more information."
+ type = bool
+ default = false
+}
+
+variable "producer_roles" {
+ description = "Comma separated list of roles that are able to write into the bucket. See VARIABLES.md for more information."
+ type = string
+ default = ""
+}
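Review bot: The description `Deny all write permissions from the S3 bucket except producer_roles` promises more than the policy statement in templates/apiary-bucket-policy.json delivers: it denies only `s3:Put*` and `s3:Delete*` on `arn:aws:s3:::${bucket_name}/*`, so object actions outside those prefixes (for instance `s3:AbortMultipartUpload`, `s3:RestoreObject`) and every bucket-level action stay unaffected, while any principal not listed — the deploying role included — is covered. Suggest `description = "Deny s3:Put* and s3:Delete* on the bucket's objects for every principal whose aws:PrincipalArn is not in producer_roles (this includes the role applying this module). See VARIABLES.md for more information."`. As a point of style, `producer_roles` is a comma-separated `string` whereas the neighbouring role inputs such as `apiary_common_producer_iamroles` are lists that s3.tf joins itself; a `list(string)` would spare callers the hand-built separator and could carry a `validation` block such as `condition = alltrue([for r in var.producer_roles : can(regex("^arn:aws:iam::", r))])` to catch malformed entries before they reach the bucket policy.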