From af4a936535b51b4c0448327daa61bb8e18a9190e Mon Sep 17 00:00:00 2001
From: Brandon Miller
Date: Mon, 17 Jun 2024 21:45:10 -0400
Subject: [PATCH 1/2] fix: IAM policy paths for parameters and secrets are incorrect

SSM and Secrets Manager policies were incorrectly given the path values and not the full ARN which created invalid policies. Parameters and Secrets use slightly different ending syntax but mostly the same otherwise. Policies and testing have been updated to reflect what should be proper ARNs

Closes #906
---
 .projenrc.ts | 2 +-
 src/storage-helpers.ts | 5 +++--
 test/__snapshots__/certbot.test.ts.snap | 20 ++++++++++----------
 test/certbot.test.ts | 8 ++++----
 4 files changed, 18 insertions(+), 17 deletions(-)

diff --git a/.projenrc.ts b/.projenrc.ts
index d4110481..a9bf17bc 100644
--- a/.projenrc.ts
+++ b/.projenrc.ts
@@ -25,7 +25,7 @@ const project = new awscdk.AwsCdkConstructLibrary({
 ],
 depsUpgrade: true,
 depsUpgradeOptions: {
- workflow: true,
+ workflow: false,
 exclude: ['projen'],
 workflowOptions: {
 schedule: javascript.UpgradeDependenciesSchedule.WEEKLY,
diff --git a/src/storage-helpers.ts b/src/storage-helpers.ts
index e8640014..b3be38f1 100644
--- a/src/storage-helpers.ts
+++ b/src/storage-helpers.ts
@@ -1,6 +1,7 @@
 import {
 aws_iam as iam,
 aws_kms as kms,
+ Stack,
 } from 'aws-cdk-lib';
 import { Construct } from 'constructs';

@@ -37,7 +38,7 @@ export function configureSecretsManagerStorage(scope: Construct, props: SecretsM
 'secretsmanager:UpdateSecret',
 ],
 resources: [
- `${props.secretsManagerPath}*`,
+ `arn:aws:secretsmanager:${Stack.of(scope).region}:${Stack.of(scope).account}:secret:${props.secretsManagerPath}*`,
 ],
 }),
 new iam.PolicyStatement({
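Review bot: The switch to `workflow: false` is unrelated to the IAM ARN fix and is not mentioned in the commit message; it belongs with PATCH 2/2 ("ci: Remove upgrade workflow"), which deletes the generated workflow this flag controls. With the workflow disabled, the `exclude` and `workflowOptions.schedule` entries that remain in `depsUpgradeOptions` have no effect, so either drop them or leave a comment such as `// upgrade workflow intentionally disabled; options kept for re-enabling` above them. The `AwsCdkConstructLibrary` options object starts and ends outside the hunk.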
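Review bot: The new resource ARN hard-codes the `aws` partition, so the generated policy is wrong in the `aws-cn` and `aws-us-gov` partitions even though region and account are already taken from the stack; the same applies to the `arn:aws:ssm:` string in the configureSSMStorage hunk. Take the partition from the stack as well, `` `arn:${Stack.of(scope).partition}:secretsmanager:${Stack.of(scope).region}:${Stack.of(scope).account}:secret:${props.secretsManagerPath}*` ``, or build it with `Stack.of(scope).formatArn({ service: 'secretsmanager', resource: 'secret', resourceName: `${props.secretsManagerPath}*`, arnFormat: ArnFormat.COLON_RESOURCE_NAME })` (importing `ArnFormat` from 'aws-cdk-lib'), which also documents the colon-separated secret layout. The trailing `*` is required because Secrets Manager appends a random suffix to every secret ARN; a one-line comment saying so would stop a later reader from tightening it away. configureSecretsManagerStorage starts and ends outside the hunk.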
@@ -80,7 +81,7 @@ export function configureSSMStorage(scope: Construct, props: SsmStorageProps): v
 'ssm:PutParameter',
 ],
 resources: [
- `${props.parameterStorePath}*`,
+ `arn:aws:ssm:${Stack.of(scope).region}:${Stack.of(scope).account}:parameter${props.parameterStorePath}*`,
 ],
 }),
 new iam.PolicyStatement({
diff --git a/test/__snapshots__/certbot.test.ts.snap b/test/__snapshots__/certbot.test.ts.snap
index e09aca6d..b7d080df 100644
--- a/test/__snapshots__/certbot.test.ts.snap
+++ b/test/__snapshots__/certbot.test.ts.snap
@@ -400,7 +400,7 @@ Object {
 },
 "Certbot2triggerImmediateE4EA1F78": Object {
 "Properties": Object {
- "ScheduleExpression": "cron(10 0 15 1 ? 2021)",
+ "ScheduleExpression": "cron(10 0 14 1 ? 2021)",
 "State": "ENABLED",
 "Targets": Array [
 Object {
@@ -591,7 +591,7 @@ Object {
 "secretsmanager:UpdateSecret",
 ],
 "Effect": "Allow",
- "Resource": "/certbot/certificates/test3.local/*",
+ "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:/certbot/certificates/test3.local/*",
 },
 Object {
 "Action": Array [
@@ -708,7 +708,7 @@ Object {
 },
 "Certbot3triggerImmediateF94A9166": Object {
 "Properties": Object {
- "ScheduleExpression": "cron(10 0 15 1 ? 2021)",
+ "ScheduleExpression": "cron(10 0 14 1 ? 2021)",
 "State": "ENABLED",
 "Targets": Array [
 Object {
@@ -900,7 +900,7 @@ Object {
 "secretsmanager:UpdateSecret",
 ],
 "Effect": "Allow",
- "Resource": "/certbot/certificates/test4.local/*",
+ "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:/certbot/certificates/test4.local/*",
 },
 Object {
 "Action": Array [
@@ -998,7 +998,7 @@ Object {
 },
 "Certbot4triggerImmediateA1AD5D75": Object {
 "Properties": Object {
- "ScheduleExpression": "cron(10 0 15 1 ? 2021)",
+ "ScheduleExpression": "cron(10 0 14 1 ? 2021)",
 "State": "ENABLED",
 "Targets": Array [
 Object {
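Review bot: `parameter${props.parameterStorePath}*` only forms a valid ARN when parameterStorePath begins with `/`; an SSM parameter ARN is always `…:parameter/<name>`, so a name supplied without a leading slash (if the props do not enforce one — the SsmStorageProps definition is outside this diff) produces `parameter<name>*`, a resource that matches nothing and leaves the function without PutParameter permission at deploy time. Normalise the separator before interpolating: `const parameterName = props.parameterStorePath.replace(/^\/+/, '');` and then `` `…:parameter/${parameterName}*` ``. As in the Secrets Manager hunk, the `aws` partition should come from `Stack.of(scope).partition` rather than a literal. If parameterStorePath may be `/` or empty, the resource collapses to every parameter in the account, so rejecting those values at the props boundary is worth considering. configureSSMStorage starts and ends outside the hunk.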
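Review bot: The `ScheduleExpression` day-of-month changes from 15 to 14 in every `triggerImmediate` rule in this snapshot, which has nothing to do with the ARN fix and is not explained in the commit message; the same drift appears in the hunks at -708, -998, -1298, -1599 and -2005. That pattern usually means the date in the test is computed from local time, so the snapshot depends on the timezone of whichever machine regenerated it and will churn again for the next contributor. Pinning the timezone for the test run (for example `TZ=UTC` in the jest invocation) or building the date with UTC accessors in the test would make the snapshot stable. The test code that produces this date is outside the diff, so I cannot confirm the cause from here.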
@@ -1219,7 +1219,7 @@ Object {
 Object {
 "Action": "ssm:PutParameter",
 "Effect": "Allow",
- "Resource": "/certbot/certificates/test5.local/*",
+ "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/certbot/certificates/test5.local/*",
 },
 Object {
 "Action": Array [
@@ -1298,7 +1298,7 @@ Object {
 },
 "Certbot5triggerImmediate3FF9395A": Object {
 "Properties": Object {
- "ScheduleExpression": "cron(10 0 15 1 ? 2021)",
+ "ScheduleExpression": "cron(10 0 14 1 ? 2021)",
 "State": "ENABLED",
 "Targets": Array [
 Object {
@@ -1520,7 +1520,7 @@ Object {
 Object {
 "Action": "ssm:PutParameter",
 "Effect": "Allow",
- "Resource": "/certbot/certificates/test6.local/*",
+ "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/certbot/certificates/test6.local/*",
 },
 Object {
 "Action": Array [
@@ -1599,7 +1599,7 @@ Object {
 },
 "Certbot6triggerImmediate2E81CCDF": Object {
 "Properties": Object {
- "ScheduleExpression": "cron(10 0 15 1 ? 2021)",
+ "ScheduleExpression": "cron(10 0 14 1 ? 2021)",
 "State": "ENABLED",
 "Targets": Array [
 Object {
@@ -2005,7 +2005,7 @@ Object {
 },
 "CertbottriggerImmediate08D06D4E": Object {
 "Properties": Object {
- "ScheduleExpression": "cron(10 0 15 1 ? 2021)",
+ "ScheduleExpression": "cron(10 0 14 1 ? 2021)",
 "State": "ENABLED",
 "Targets": Array [
 Object {
diff --git a/test/certbot.test.ts b/test/certbot.test.ts
index f2c7ae79..5c5e9962 100644
--- a/test/certbot.test.ts
+++ b/test/certbot.test.ts
@@ -214,7 +214,7 @@ test('stack should contain no bucket when secrets manager is used and have appro
 'secretsmanager:UpdateSecret',
 ]),
 Effect: 'Allow',
- Resource: Match.stringLikeRegexp('\/certbot\/certificates\/test.local\/.*'),
+ Resource: Match.stringLikeRegexp('arn:aws:secretsmanager:us-east-1:123456789012:secret:\/certbot\/certificates\/test.local\/.*'),
 },
 {
 Action: Match.arrayWith([
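Review bot: Now that the expected resource is a fully deterministic ARN, `Match.stringLikeRegexp(...)` on the new line is weaker than it needs to be: the pattern is unanchored, the `.` in `test.local` and the trailing `.*` are regex wildcards, and the `\/` escapes are no-ops inside a single-quoted string, so the assertion would also pass for `test-local`, for `test.local/anything-else`, or for an ARN with extra text before `arn:`. Compare the exact string the construct must emit instead: `Resource: 'arn:aws:secretsmanager:us-east-1:123456789012:secret:/certbot/certificates/test.local/*',`. The same applies to the three hunks at -272, -321 and -372 in this file. The enclosing `test(...)` callback starts and ends outside the hunk.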
@@ -272,7 +272,7 @@ test('stack should have policy with specific resource path when path is given fo
 'secretsmanager:UpdateSecret',
 ]),
 Effect: 'Allow',
- Resource: Match.stringLikeRegexp('\/certbot\/alternate\/path\/.*'),
+ Resource: Match.stringLikeRegexp('arn:aws:secretsmanager:us-east-1:123456789012:secret:\/certbot\/alternate\/path\/.*'),
 },
 {
 Action: Match.arrayWith([
@@ -321,7 +321,7 @@ test('stack should contain no bucket when parameter store is used and have appro
 {
 Action: 'ssm:PutParameter',
 Effect: 'Allow',
- Resource: Match.stringLikeRegexp('\/certbot\/certificates\/test.local\/.*'),
+ Resource: Match.stringLikeRegexp('arn:aws:ssm:us-east-1:123456789012:parameter\/certbot\/certificates\/test.local\/.*'),
 },
 {
 Action: Match.arrayWith([
@@ -372,7 +372,7 @@ test('stack should have policy with specific resource path when path is given fo
 {
 Action: 'ssm:PutParameter',
 Effect: 'Allow',
- Resource: Match.stringLikeRegexp('\/certbot\/alternate\/path\/.*'),
+ Resource: Match.stringLikeRegexp('arn:aws:ssm:us-east-1:123456789012:parameter\/certbot\/alternate\/path\/.*'),
 },
 {
 Action: Match.arrayWith([

From 7802534e551fc0684736114b62f9d8f44bcade86 Mon Sep 17 00:00:00 2001
From: Brandon Miller
Date: Mon, 17 Jun 2024 22:53:13 -0400
Subject: [PATCH 2/2] ci: Remove upgrade workflow

---
 .gitattributes | 1 -
 .github/workflows/upgrade-master.yml | 90 ----------------------------
 .gitignore | 1 -
 .projen/files.json | 1 -
 4 files changed, 93 deletions(-)
 delete mode 100644 .github/workflows/upgrade-master.yml

diff --git a/.gitattributes b/.gitattributes
index a3feebc2..e6433892 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -6,7 +6,6 @@
 /.github/pull_request_template.md linguist-generated
 /.github/workflows/build.yml linguist-generated
 /.github/workflows/release.yml linguist-generated
-/.github/workflows/upgrade-master.yml linguist-generated
 /.github/workflows/upgrade-projen-master.yml linguist-generated
 /.gitignore linguist-generated
 /.npmignore linguist-generated
diff --git a/.github/workflows/upgrade-master.yml b/.github/workflows/upgrade-master.yml
deleted file mode 100644
index ea309dac..00000000
--- a/.github/workflows/upgrade-master.yml
+++ /dev/null
@@ -1,90 +0,0 @@ -# ~~ Generated by projen. To modify, edit .projenrc.ts and run "npx projen". - -name: upgrade-master -on: - workflow_dispatch: {} - schedule: - - cron: 0 0 * * 1 -jobs: - upgrade: - name: Upgrade - runs-on: ubuntu-latest - permissions: - contents: read - outputs: - patch_created: ${{ steps.create_patch.outputs.patch_created }} - steps: - - name: Checkout - uses: actions/checkout@v3 - with: - ref: master - - name: Setup Node.js - uses: actions/setup-node@v3 - with: - node-version: 18.x - - name: Install dependencies - run: yarn install --check-files --frozen-lockfile - - name: Upgrade dependencies - run: npx projen upgrade - - name: Find mutations - id: create_patch - run: |- - git add . - git diff --staged --patch --exit-code > .repo.patch || echo "patch_created=true" >> $GITHUB_OUTPUT - - name: Upload patch - if: steps.create_patch.outputs.patch_created - uses: actions/upload-artifact@v3 - with: - name: .repo.patch - path: .repo.patch - pr: - name: Create Pull Request - needs: upgrade - runs-on: ubuntu-latest - permissions: - contents: read - if: ${{ needs.upgrade.outputs.patch_created }} - steps: - - name: Checkout - uses: actions/checkout@v3 - with: - ref: master - - name: Download patch - uses: actions/download-artifact@v3 - with: - name: .repo.patch - path: ${{ runner.temp }} - - name: Apply patch - run: '[ -s ${{ runner.temp }}/.repo.patch ] && git apply ${{ runner.temp }}/.repo.patch || echo "Empty patch. Skipping."' - - name: Set git identity - run: |- - git config user.name "github-actions" - git config user.email "github-actions@github.com" - - name: Create Pull Request - id: create-pr - uses: peter-evans/create-pull-request@v4 - with: - token: ${{ secrets.PROJEN_GITHUB_TOKEN }} - commit-message: |- - chore(deps): upgrade dependencies - - Upgrades project dependencies. See details in [workflow run]. 
- - [Workflow Run]: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} - - ------ - - *Automatically created by projen via the "upgrade-master" workflow* - branch: github-actions/upgrade-master - title: "chore(deps): upgrade dependencies" - body: |- - Upgrades project dependencies. See details in [workflow run]. - - [Workflow Run]: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} - - ------ - - *Automatically created by projen via the "upgrade-master" workflow* - author: github-actions - committer: github-actions - signoff: true diff --git a/.gitignore b/.gitignore index 46b0f385..69e837ac 100644 --- a/.gitignore +++ b/.gitignore @@ -37,7 +37,6 @@ junit.xml /dist/changelog.md /dist/version.txt !/.github/workflows/release.yml -!/.github/workflows/upgrade-master.yml !/.github/pull_request_template.md !/test/ !/tsconfig.dev.json diff --git a/.projen/files.json b/.projen/files.json index 1bf9bddf..f264d813 100644 --- a/.projen/files.json +++ b/.projen/files.json @@ -5,7 +5,6 @@ ".github/pull_request_template.md", ".github/workflows/build.yml", ".github/workflows/release.yml", - ".github/workflows/upgrade-master.yml", ".github/workflows/upgrade-projen-master.yml", ".gitignore", ".projen/deps.json",