Bugfix over airflow deafult policy (#430)

ManagedKube · Apr 26, 2023 · 1fb6628 · 1fb6628
1 parent 9e3384b
commit 1fb6628
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 3 deletions.
diff --git a/terraform-modules/aws/airflow/README.md b/terraform-modules/aws/airflow/README.md
@@ -60,3 +60,39 @@ No requirements.
 |------|-------------|
 | <a name="output_arn"></a> [arn](#output\_arn) | n/a |
 | <a name="output_webserver_url"></a> [webserver\_url](#output\_webserver\_url) | n/a |
+
+
+## Rough edges
+In default section we have a statement policy as the following
+```
+{
+            "Effect": "Allow",
+            "Action": [
+                "kms:Decrypt",
+                "kms:DescribeKey",
+                "kms:GenerateDataKey*",
+                "kms:Encrypt"
+            ],
+            "Resource": "*",
+            "Condition": {
+                "StringLike": {
+                    "kms:ViaService": [
+                        "sqs.${aws_region}.amazonaws.com",
+                        "s3.${aws_region}.amazonaws.com"
+                    ]
+                }
+            }
+        }
+```
+We didn't want to leave this as 
+```
+"Resource": "*",
+``` 
+We were working hard to find out why this only works with asterisk, and in the end chat gtp helped me with the answer since there is little documentation.
+finally Chat GPT was able to help 
+
+### chat gpt said:
+if you are using the default aws/airflow (which is our case in airflow with default policy) KMS key, you do not need to include a specific policy for KMS in your 
+IAM role. The necessary permissions to use this key are already granted by the service to your Amazon MWAA environment.
+Since you are using the default aws/airflow KMS key, you cannot specify its ARN directly in the policy. You can set the "Resource" field to "*" to allow access to all 
+KMS keys in your account
diff --git a/terraform-modules/aws/airflow/default_iam_policy.json b/terraform-modules/aws/airflow/default_iam_policy.json
@@ -38,13 +38,14 @@
                 "logs:GetQueryResults"
             ],
             "Resource": [
-                "arn:aws:logs:${aws_region}:${aws_account_id}:log-group:airflow-${airflow_name}-*"
+                "arn:aws:logs:${aws_region}:${aws_account_id}:log-group:airflow-${airflow_name}-*:*"
             ]
         },
         {
             "Effect": "Allow",
             "Action": [
-                "logs:DescribeLogGroups"
+                "logs:DescribeLogGroups",
+                "logs:DescribeLogStreams"
             ],
             "Resource": [
                 "*"
@@ -84,7 +85,7 @@
                 "kms:GenerateDataKey*",
                 "kms:Encrypt"
             ],
-            "Resource": "arn:aws:kms:${aws_region}:${aws_account_id}:key/*",
+            "Resource": "*",
             "Condition": {
                 "StringLike": {
                     "kms:ViaService": [