
refactor: IAM Policy improvements on External DNS Add-on for TFSec compliance rules compliance. #1368

Conversation

rodrigobersa
Copy link
Contributor

What does this PR do?

Adjustments in data.aws_iam_policy_document.external_dns_iam_policy_document, on modules/kubernetes-addons/external-dns/data.tf to implement least privilege access policies for IAM Roles for Service Accounts (IRSA).

Motivation

More

  • Yes, I have tested the PR using my local account setup (Provide any test evidence report under Additional Notes)
  • Yes, I have added a new example under examples to support my PR
  • Yes, I have created another PR for add-ons under add-ons repo (if applicable)
  • Yes, I have updated the docs for this feature
  • Yes, I ran pre-commit run -a with this PR

Note: Not all the PRs require a new example and/or doc page. In general:

  • Use an existing example when possible to demonstrate a new addons usage
  • A new docs page under docs/add-ons/* is required for a new addon

For Moderators

  • E2E Test successfully complete before merge?

Additional Notes

Pre Commit & TFSec check

➜  terraform-aws-eks-blueprints git:(2023-01-23-tfsec-kubernetes-addons-external-dns) pre-commit run --file modules/kubernetes-addons/external-dns/*
trim trailing whitespace.................................................Passed
fix end of files.........................................................Passed
check for merge conflicts................................................Passed
detect private key.......................................................Passed
detect aws credentials...................................................Passed
Terraform fmt............................................................Passed
Terraform docs...........................................................Passed
Terraform validate with tflint...........................................Passed
Terraform validate.......................................................Passed
Terraform validate with tfsec........................(no files to check)Skipped
terraform-aws-eks-blueprints git:(2023-01-23-tfsec-kubernetes-addons-external-dns) tfsec modules/kubernetes-addons/external-dns
  timings
  ──────────────────────────────────────────
  disk i/o             318µs
  parsing              14.712624ms
  adaptation           1.610084ms
  checks               3.343208ms
  total                19.983916ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    3
  blocks processed     57
  files read           13

  results
  ──────────────────────────────────────────
  passed               7
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

External DNS validation

  • Created DNS records in existing Hosted Zones.
kubectl annotate service nginx-nlb "external-dns.alpha.kubernetes.io/hostname=nginx.bersr.int"
service/nginx-nlb annotated
  • Container logs
kubectl -n external-dns logs external-dns-765d5689cc-lb4cr

time="2023-01-20T18:44:21Z" level=info msg="Applying provider record filter for domains: [bersr.int. .bersr.int.]"
time="2023-01-20T18:44:21Z" level=info msg="Desired change: CREATE cname-nginx.bersr.int TXT [Id: /hostedzone/Z06629041C592RU6HFCUC]"
time="2023-01-20T18:44:21Z" level=info msg="Desired change: CREATE nginx.bersr.int A [Id: /hostedzone/Z06629041C592RU6HFCUC]"
time="2023-01-20T18:44:21Z" level=info msg="Desired change: CREATE nginx.bersr.int TXT [Id: /hostedzone/Z06629041C592RU6HFCUC]"
time="2023-01-20T18:44:21Z" level=info msg="3 record(s) in zone bersr.int. [Id: /hostedzone/Z06629041C592RU6HFCUC] were successfully updated"
time="2023-01-20T18:45:21Z" level=info msg="Applying provider record filter for domains: [bersr.int. .bersr.int.]"
time="2023-01-20T18:45:21Z" level=info msg="All records are already up to date"
  • Validate DNS resolution
# curl nginx.bersr.int
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
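The PR description says the policy document in modules/kubernetes-addons/external-dns/data.tf was tightened to least privilege for IRSA, but the diff itself is not on this page. The following is an added illustration (not the PR's code) of what that shape looks like for External DNS: the broad Route 53 policy document next to a scoped one. Assumed names: the data sources `external_dns_broad` / `external_dns_least_privilege` and the input variable `route53_zone_ids` are hypothetical; the actions are the ones External DNS needs to list zones and change records.

```hcl
# Added illustration, not the diff of PR #1368: a least-privilege Route 53
# policy document for External DNS under IRSA, next to the broad form.
# Assumption: the caller supplies the hosted zone IDs via var.route53_zone_ids.

variable "route53_zone_ids" {
  description = "Hosted zone IDs External DNS may manage (assumed input)"
  type        = list(string)
}

# Broad form: record changes are allowed on every hosted zone in the account.
# The wildcard resource is what tfsec's IAM wildcard check reports.
data "aws_iam_policy_document" "external_dns_broad" {
  statement {
    actions   = ["route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets"]
    resources = ["arn:aws:route53:::hostedzone/*"]
  }
  statement {
    actions   = ["route53:ListHostedZones"]
    resources = ["*"]
  }
}

# Least-privilege form: write access is limited to the zones the add-on is
# configured for, so a compromised pod cannot rewrite records in other zones.
data "aws_iam_policy_document" "external_dns_least_privilege" {
  statement {
    sid    = "ChangeRecordsInManagedZones"
    effect = "Allow"
    actions = [
      "route53:ChangeResourceRecordSets",
      "route53:ListResourceRecordSets",
    ]
    # Build one hosted-zone ARN per configured zone ID.
    resources = [for id in var.route53_zone_ids : "arn:aws:route53:::hostedzone/${id}"]
  }
  statement {
    sid     = "ListZones"
    effect  = "Allow"
    actions = ["route53:ListHostedZones"]
    # ListHostedZones has no resource-level permissions, so "*" cannot be
    # narrowed here; the statement is kept to this single read-only action.
    resources = ["*"]
  }
}
```

The zone IDs in the validation logs above (for example the /hostedzone/… value External DNS prints) are exactly what such a variable would carry, which keeps the write statement bound to the zones External DNS is told to manage.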

@rodrigobersa rodrigobersa changed the title refactor: IAM Policy improvements on External DNS for TFSec compliance rules compliance. refactor: IAM Policy improvements on External DNS Add-on for TFSec compliance rules compliance. Jan 25, 2023
@rodrigobersa rodrigobersa temporarily deployed to EKS Blueprints Test January 25, 2023 16:35 — with GitHub Actions Inactive
@rodrigobersa rodrigobersa marked this pull request as ready for review January 28, 2023 01:52
@rodrigobersa rodrigobersa requested a review from a team as a code owner January 28, 2023 01:52
@bryantbiggs bryantbiggs temporarily deployed to EKS Blueprints Test January 30, 2023 23:33 — with GitHub Actions Inactive
@bryantbiggs bryantbiggs merged commit 8421a3b into aws-ia:main Jan 31, 2023
vara-bonthu pushed a commit that referenced this pull request Feb 2, 2023
…mpliance rules compliance. (#1368)

Co-authored-by: Rodrigo Bersa <bersr@amazon.com>
Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>
allamand pushed a commit to allamand/terraform-aws-eks-blueprints that referenced this pull request Feb 2, 2023
…mpliance rules compliance. (aws-ia#1368)

Co-authored-by: Rodrigo Bersa <bersr@amazon.com>
Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>
gminiba pushed a commit to gminiba/terraform-aws-eks-blueprints that referenced this pull request Mar 17, 2023
…mpliance rules compliance. (aws-ia#1368)

Co-authored-by: Rodrigo Bersa <bersr@amazon.com>
Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>
Successfully merging this pull request may close these issues.

Improve security contexts promoting TFSec integration and usage.