Merge pull request #907 from RenovoSolutions/iamfix

fix: IAM policy paths for parameters and secrets are incorrect
RenovoSolutions · Jun 18, 2024 · e3815d0 · e3815d0
2 parents 1f3f300 + 7802534
commit e3815d0
Show file tree

Hide file tree

Showing 8 changed files with 18 additions and 110 deletions.
diff --git a/.gitattributes b/.gitattributes
diff --git a/.github/workflows/upgrade-master.yml b/.github/workflows/upgrade-master.yml
diff --git a/.gitignore b/.gitignore
diff --git a/.projen/files.json b/.projen/files.json
diff --git a/.projenrc.ts b/.projenrc.ts
@@ -25,7 +25,7 @@ const project = new awscdk.AwsCdkConstructLibrary({
   ],
   depsUpgrade: true,
   depsUpgradeOptions: {
-    workflow: true,
+    workflow: false,
     exclude: ['projen'],
     workflowOptions: {
       schedule: javascript.UpgradeDependenciesSchedule.WEEKLY,

diff --git a/src/storage-helpers.ts b/src/storage-helpers.ts
@@ -1,6 +1,7 @@
 import {
   aws_iam as iam,
   aws_kms as kms,
+  Stack,
 } from 'aws-cdk-lib';
 import { Construct } from 'constructs';
 
@@ -37,7 +38,7 @@ export function configureSecretsManagerStorage(scope: Construct, props: SecretsM
           'secretsmanager:UpdateSecret',
         ],
         resources: [
-          `${props.secretsManagerPath}*`,
+          `arn:aws:secretsmanager:${Stack.of(scope).region}:${Stack.of(scope).account}:secret:${props.secretsManagerPath}*`,
         ],
       }),
       new iam.PolicyStatement({
@@ -80,7 +81,7 @@ export function configureSSMStorage(scope: Construct, props: SsmStorageProps): v
           'ssm:PutParameter',
         ],
         resources: [
-          `${props.parameterStorePath}*`,
+          `arn:aws:ssm:${Stack.of(scope).region}:${Stack.of(scope).account}:parameter${props.parameterStorePath}*`,
         ],
       }),
       new iam.PolicyStatement({

diff --git a/test/__snapshots__/certbot.test.ts.snap b/test/__snapshots__/certbot.test.ts.snap
diff --git a/test/certbot.test.ts b/test/certbot.test.ts
@@ -214,7 +214,7 @@ test('stack should contain no bucket when secrets manager is used and have appro
             'secretsmanager:UpdateSecret',
           ]),
           Effect: 'Allow',
-          Resource: Match.stringLikeRegexp('\/certbot\/certificates\/test.local\/.*'),
+          Resource: Match.stringLikeRegexp('arn:aws:secretsmanager:us-east-1:123456789012:secret:\/certbot\/certificates\/test.local\/.*'),
         },
         {
           Action: Match.arrayWith([
@@ -272,7 +272,7 @@ test('stack should have policy with specific resource path when path is given fo
             'secretsmanager:UpdateSecret',
           ]),
           Effect: 'Allow',
-          Resource: Match.stringLikeRegexp('\/certbot\/alternate\/path\/.*'),
+          Resource: Match.stringLikeRegexp('arn:aws:secretsmanager:us-east-1:123456789012:secret:\/certbot\/alternate\/path\/.*'),
         },
         {
           Action: Match.arrayWith([
@@ -321,7 +321,7 @@ test('stack should contain no bucket when parameter store is used and have appro
         {
           Action: 'ssm:PutParameter',
           Effect: 'Allow',
-          Resource: Match.stringLikeRegexp('\/certbot\/certificates\/test.local\/.*'),
+          Resource: Match.stringLikeRegexp('arn:aws:ssm:us-east-1:123456789012:parameter\/certbot\/certificates\/test.local\/.*'),
         },
         {
           Action: Match.arrayWith([
@@ -372,7 +372,7 @@ test('stack should have policy with specific resource path when path is given fo
         {
           Action: 'ssm:PutParameter',
           Effect: 'Allow',
-          Resource: Match.stringLikeRegexp('\/certbot\/alternate\/path\/.*'),
+          Resource: Match.stringLikeRegexp('arn:aws:ssm:us-east-1:123456789012:parameter\/certbot\/alternate\/path\/.*'),
         },
         {
           Action: Match.arrayWith([