Motivation
One problem we're definitely seeing is a 🐔 and 🥚 security constraint around protecting Contexts in CCI. Our team uses this provider to auto-populate/generate Contexts in CCI with Service Account tokens generated from elsewhere in Terraform land.
Locking those Contexts down is currently a manual thing we have to do ourselves very quickly after running this, since there's a non-zero window when the Context is unprotected and a privilege-escalation attack is possible for a bit. Especially if we forget to do it immediately, the attack surface area is much larger.
Notes
We tinkered with the CCI (unsupported 🙄) GraphQL API and were able to reconstruct the basic requests necessary to get everything working, but just haven't had the time (yet) to translate everything into Go.
Add Security Group

Get Security Groups and provide mapping from name: id

```graphql
# Fetches the groups already attached to a context, plus every group the
# owning organization has, so group names can be resolved to ids.
query Context($contextId: ID!) {
  context(id: $contextId) {
    id
    resources {
      createdAt
      truncatedValue
      variable
    }
    groups {
      edges {
        node {
          id
          name
        }
      }
    }
    owner {
      ... on Organization {
        id
        groups {
          edges {
            node {
              id
              name
            }
          }
        }
      }
    }
    name
  }
}
```
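As an added example (not code from this issue or from the provider), here is the Go side of the "translate into Go" step: it parses the response of the query above into the name: id mapping the "Add Security Group" request needs and flags a context that has no groups attached yet, i.e. one still sitting in the unprotected window. The `data` envelope and the sample JSON are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Response shape for the query above ("data" is GraphQL's usual envelope, assumed here).
// encoding/json matches field names case-insensitively, so tags are omitted for brevity.
type groupConn struct {
	Edges []struct{ Node struct{ ID, Name string } }
}

type contextResp struct {
	Data struct {
		Context struct {
			Name   string
			Groups groupConn // groups already restricting this context
			Owner  struct {
				Groups groupConn // every security group in the org
			}
		}
	}
}

// GroupIDsByName builds the org-wide name -> id lookup the "Add Security Group" request
// needs, and reports whether the context still has no groups attached (unprotected).
func GroupIDsByName(raw []byte) (map[string]string, bool, error) {
	var r contextResp
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, false, err
	}
	byName := make(map[string]string)
	for _, e := range r.Data.Context.Owner.Groups.Edges {
		byName[e.Node.Name] = e.Node.ID
	}
	return byName, len(r.Data.Context.Groups.Edges) == 0, nil
}

// Constructed sample: the org has two groups, the freshly created context none.
const sample = `{"data":{"context":{"name":"prod-sa","groups":{"edges":[]},
"owner":{"groups":{"edges":[{"node":{"id":"g-1","name":"All members"}},{"node":{"id":"g-2","name":"platform-admins"}}]}}}}}`

func main() {
	m, unprotected, err := GroupIDsByName([]byte(sample))
	if err != nil {
		panic(err)
	}
	fmt.Println(m, "unprotected:", unprotected)
}
```

A provider resource could call this right after creating a context and refuse to finish the apply until the intended groups are attached.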
Would be good to put a request to Circle about adding this to the official API. If it's not already requested on https://discuss.circleci.com you could mention it there.
PR welcome using the GraphQL API, as long as the docs mention the potential for unannounced breaking changes.
⬆️ yeah, preach. There's chatter about wanting this feature for a while. I think having something out there actually using it is prolly the best way to actually get folks there working on it.