From b5f82b2c97b8040b709bf40ab03aad9a4e25c7fc Mon Sep 17 00:00:00 2001
From: Loren Gordon
Date: Fri, 22 Nov 2024 16:18:41 -0800
Subject: [PATCH 1/2] Moves iam role conditions to trust policy instead of role policy, per aws guidance

---
 main.tf | 29 ++++++++++++++---------------
 1 file changed, 14 insertions(+), 15 deletions(-)

diff --git a/main.tf b/main.tf
index c02a8b4..bdbdf5a 100644
--- a/main.tf
+++ b/main.tf
@@ -97,10 +97,12 @@ locals {
 
 account_id = data.aws_caller_identity.this.account_id
 partition = data.aws_partition.this.partition
+ region = data.aws_region.this.name
 }
 
 data "aws_caller_identity" "this" {}
 data "aws_partition" "this" {}
+data "aws_region" "this" {}
 
 data "aws_iam_policy_document" "cloudwatch_policy" {
 count = local.create_cloudwatch_iam_role ? 1 : 0
@@ -118,21 +120,6 @@ data "aws_iam_policy_document" "cloudwatch_policy" {
 "arn:${local.partition}:logs:*:*:log-group:${local.log_group_name}",
 "arn:${local.partition}:logs:*:*:log-group:${local.log_group_name}:*",
 ]
-
- condition {
- test = "StringEquals"
- variable = "aws:SourceAccount"
- values = [local.account_id]
- }
-
- condition {
- test = "ArnLike"
- variable = "aws:SourceArn"
- values = [
- "arn:${local.partition}:logs:*:*:log-group:${local.log_group_name}",
- "arn:${local.partition}:logs:*:*:log-group:${local.log_group_name}:*",
- ]
- }
 }
 }
 
@@ -146,5 +133,17 @@ data "aws_iam_policy_document" "cloudwatch_trust" {
 type = "Service"
 identifiers = ["vpc-flow-logs.amazonaws.com"]
 }
+
+ condition {
+ test = "StringEquals"
+ variable = "aws:SourceAccount"
+ values = [local.account_id]
+ }
+
+ condition {
+ test = "ArnLike"
+ variable = "aws:SourceArn"
+ values = ["arn:aws:ec2:${local.region}:${local.account_id}:vpc-flow-log/*"]
+ }
 }
 }

From 82e9e03b926fcc543f8bcb0b091309e20a793c9b Mon Sep 17 00:00:00 2001
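Review bot: The new `aws:SourceArn` value in the cloudwatch_trust hunk hard-codes the `aws` partition (`arn:aws:ec2:...`) while every other ARN in this file, including the log-group ARNs in the cloudwatch_policy hunk above, is built from `${local.partition}`; in the aws-us-gov or aws-cn partitions that condition can never match, so the service principal's AssumeRole would be denied and flow log delivery would silently fail. Change the line to `values = ["arn:${local.partition}:ec2:${local.region}:${local.account_id}:vpc-flow-log/*"]`. A short comment above the two condition blocks would also help future readers, e.g. `# Restrict AssumeRole to flow logs in this account and region (confused-deputy mitigation).` The enclosing `data "aws_iam_policy_document" "cloudwatch_trust"` block starts outside the hunk.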
From: Loren Gordon
Date: Fri, 22 Nov 2024 16:18:47 -0800
Subject: [PATCH 2/2] Bumps version to 3.0.1

---
 .bumpversion.cfg | 2 +-
 CHANGELOG.md | 11 +++++++++++
 README.md | 1 +
 3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/.bumpversion.cfg b/.bumpversion.cfg
index ab04341..beafd7c 100644
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 3.0.0
+current_version = 3.0.1
 commit = True
 message = Bumps version to {new_version}
 tag = False
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 76c9896..4e6bc47 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,17 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+### [3.0.1](https://github.com/plus3it/terraform-aws-tardigrade-vpc-flow-log/releases/tag/3.0.1)
+
+**Released**: 2024.11.22
+
+**Summary**:
+
+* Moves iam role conditions to trust policy instead of role policy, per aws guidance
+ for mitigating confused deputy problem. See also:
+ * https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-iam-role.html
+ * https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html
+
 ### [3.0.0](https://github.com/plus3it/terraform-aws-tardigrade-vpc-flow-log/releases/tag/3.0.0)
 
 **Released**: 2024.11.20
diff --git a/README.md b/README.md
index feaf610..93fb7d4 100644
--- a/README.md
+++ b/README.md
@@ -24,6 +24,7 @@ Terraform module to create a VPC Flow Log
 | [aws_iam_policy_document.cloudwatch_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cloudwatch_trust](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
+| [aws_region.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
 