refactor: IAM Policy improvements on AppMesh Controller Add-on for TFSec compliance rules compliance. #1373

Conversation

rodrigobersa (Contributor)
What does this PR do?

Adjustments in data.aws_iam_policy_document.this, on modules/kubernetes-addons/appmesh-controller/data.tf to implement least privilege access policies for IAM Roles for Service Accounts (IRSA).

Motivation

More

  • Yes, I have tested the PR using my local account setup (Provide any test evidence report under Additional Notes)
  • Yes, I have added a new example under examples to support my PR
  • Yes, I have created another PR for add-ons under add-ons repo (if applicable)
  • Yes, I have updated the docs for this feature
  • Yes, I ran pre-commit run -a with this PR

Note: Not all the PRs require a new example and/or doc page. In general:

  • Use an existing example when possible to demonstrate a new addon's usage
  • A new docs page under docs/add-ons/* is required for a new addon

For Moderators

  • E2E Test successfully complete before merge?

Additional Notes

Pre Commit & TFSec check

terraform-aws-eks-blueprints git:(2023-01-23-tfsec-kubernetes-addons-appmesh-controller) pre-commit run --file modules/kubernetes-addons/appmesh-controller/*
trim trailing whitespace.................................................Passed
fix end of files.........................................................Passed
check for merge conflicts................................................Passed
detect private key.......................................................Passed
detect aws credentials...................................................Passed
Terraform fmt............................................................Passed
Terraform docs...........................................................Passed
Terraform validate with tflint...........................................Passed
Terraform validate.......................................................Passed
Terraform validate with tfsec........................(no files to check)Skipped
terraform-aws-eks-blueprints git:(2023-01-23-tfsec-kubernetes-addons-appmesh-controller) tfsec modules/kubernetes-addons/appmesh-controller  
  timings
  ──────────────────────────────────────────
  disk i/o             280.956µs
  parsing              15.116249ms
  adaptation           2.164916ms
  checks               4.564125ms
  total                22.126246ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    3
  blocks processed     53
  files read           13

  results
  ──────────────────────────────────────────
  passed               66
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

AppMesh Controller.

kubectl get all -n my-apps

NAME                                READY   STATUS    RESTARTS   AGE
pod/my-service-a-7cbbd794f8-9gbql   2/2     Running   0          7m28s
pod/my-service-a-7cbbd794f8-rlbq8   2/2     Running   0          7m28s
pod/my-service-a-7cbbd794f8-z6v45   2/2     Running   0          7m28s

NAME                   TYPE           CLUSTER-IP       EXTERNAL-IP                                                              PORT(S)        AGE
service/my-service-a   LoadBalancer   10.100.187.154   aec01718b1b8b44b38d860aa34cd154d-813258185.us-west-2.elb.amazonaws.com   80:30454/TCP   7m28s

NAME                           READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/my-service-a   3/3     3            3           7m29s

NAME                                      DESIRED   CURRENT   READY   AGE
replicaset.apps/my-service-a-7cbbd794f8   3         3         3       7m29s

NAME                                                        ARN                                                                                                     AGE
virtualrouter.appmesh.k8s.aws/my-service-a-virtual-router   arn:aws:appmesh:us-west-2:978045894046:mesh/my-mesh/virtualRouter/my-service-a-virtual-router_my-apps   18m

NAME                                       ARN                                                                                    AGE
virtualnode.appmesh.k8s.aws/my-service-a   arn:aws:appmesh:us-west-2:978045894046:mesh/my-mesh/virtualNode/my-service-a_my-apps   19m

NAME                                          ARN                                                                                                         AGE
virtualservice.appmesh.k8s.aws/my-service-a   arn:aws:appmesh:us-west-2:978045894046:mesh/my-mesh/virtualService/my-service-a.my-apps.svc.cluster.local   15m
kubectl get mesh 
NAME      ARN                                                   AGE
my-mesh   arn:aws:appmesh:us-west-2:978045894046:mesh/my-mesh   22m
aws appmesh describe-mesh --mesh-name my-mesh
{
    "mesh": {
        "meshName": "my-mesh",
        "metadata": {
            "arn": "arn:aws:appmesh:us-west-2:978045894046:mesh/my-mesh",
            "createdAt": "2023-01-20T18:23:21.993000-05:00",
            "lastUpdatedAt": "2023-01-20T18:23:21.993000-05:00",
            "meshOwner": "978045894046",
            "resourceOwner": "978045894046",
            "uid": "ffe1590d-e4ce-42e6-83f6-dc28dc700086",
            "version": 1
        },
        "spec": {},
        "status": {
            "status": "ACTIVE"
        }
    }
}
aws appmesh describe-virtual-node --mesh-name my-mesh --virtual-node-name my-service-a_my-apps
{
    "virtualNode": {
        "meshName": "my-mesh",
        "metadata": {
            "arn": "arn:aws:appmesh:us-west-2:978045894046:mesh/my-mesh/virtualNode/my-service-a_my-apps",
            "createdAt": "2023-01-20T18:25:25.988000-05:00",
            "lastUpdatedAt": "2023-01-20T18:25:25.988000-05:00",
            "meshOwner": "978045894046",
            "resourceOwner": "978045894046",
            "uid": "115a090e-c2fc-456b-8ee8-05ad01408d50",
            "version": 1
        },
        "spec": {
            "backends": [],
            "listeners": [
                {
                    "portMapping": {
                        "port": 80,
                        "protocol": "http"
                    }
                }
            ],
            "serviceDiscovery": {
                "dns": {
                    "hostname": "my-service-a.my-apps.svc.cluster.local"
                }
            }
        },
        "status": {
            "status": "ACTIVE"
        },
        "virtualNodeName": "my-service-a_my-apps"
    }
}
aws appmesh describe-virtual-router --virtual-router-name my-service-a-virtual-router_my-apps --mesh-name my-mesh
{
    "virtualRouter": {
        "meshName": "my-mesh",
        "metadata": {
            "arn": "arn:aws:appmesh:us-west-2:978045894046:mesh/my-mesh/virtualRouter/my-service-a-virtual-router_my-apps",
            "createdAt": "2023-01-20T18:26:54.848000-05:00",
            "lastUpdatedAt": "2023-01-20T18:26:54.848000-05:00",
            "meshOwner": "978045894046",
            "resourceOwner": "978045894046",
            "uid": "690ed5c5-4b3a-4e8d-bf4e-5e10bb0d20d8",
            "version": 1
        },
        "spec": {
            "listeners": [
                {
                    "portMapping": {
                        "port": 80,
                        "protocol": "http"
                    }
                }
            ]
        },
        "status": {
            "status": "ACTIVE"
        },
        "virtualRouterName": "my-service-a-virtual-router_my-apps"
    }
}
aws appmesh describe-route --route-name my-service-a-route  --virtual-router-name my-service-a-virtual-router_my-apps --mesh-name my-mesh
{
    "route": {
        "meshName": "my-mesh",
        "metadata": {
            "arn": "arn:aws:appmesh:us-west-2:978045894046:mesh/my-mesh/virtualRouter/my-service-a-virtual-router_my-apps/route/my-service-a-route",
            "createdAt": "2023-01-20T18:26:54.870000-05:00",
            "lastUpdatedAt": "2023-01-20T18:26:54.870000-05:00",
            "meshOwner": "978045894046",
            "resourceOwner": "978045894046",
            "uid": "b82c7d36-761d-421c-8409-5d61d4a6adff",
            "version": 1
        },
        "routeName": "my-service-a-route",
        "spec": {
            "httpRoute": {
                "action": {
                    "weightedTargets": [
                        {
                            "virtualNode": "my-service-a_my-apps",
                            "weight": 1
                        }
                    ]
                },
                "match": {
                    "prefix": "/"
                }
            }
        },
        "status": {
            "status": "ACTIVE"
        },
        "virtualRouterName": "my-service-a-virtual-router_my-apps"
    }
}
aws appmesh describe-virtual-service --virtual-service-name my-service-a.my-apps.svc.cluster.local --mesh-name my-mesh
{
    "virtualService": {
        "meshName": "my-mesh",
        "metadata": {
            "arn": "arn:aws:appmesh:us-west-2:978045894046:mesh/my-mesh/virtualService/my-service-a.my-apps.svc.cluster.local",
            "createdAt": "2023-01-20T18:29:04.596000-05:00",
            "lastUpdatedAt": "2023-01-20T18:29:04.596000-05:00",
            "meshOwner": "978045894046",
            "resourceOwner": "978045894046",
            "uid": "3a1bb66f-6ffe-4596-a4c4-15edcf5be0c0",
            "version": 1
        },
        "spec": {
            "provider": {
                "virtualRouter": {
                    "virtualRouterName": "my-service-a-virtual-router_my-apps"
                }
            }
        },
        "status": {
            "status": "ACTIVE"
        },
        "virtualServiceName": "my-service-a.my-apps.svc.cluster.local"
    }
}
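The PR description above says the IRSA permission policy in data.aws_iam_policy_document.this was narrowed so that tfsec no longer flags it, but the policy itself is not shown on this page. The following is an added example, not code from the PR or from the terraform-aws-eks-blueprints module: it approximates what tfsec's aws-iam-no-policy-wildcards rule looks for (a wildcarded Action such as appmesh:* or an unscoped Resource "*" in an Allow statement) and adds a simplified IAM decision function so the difference between a wildcard policy and a scoped one can be checked rather than eyeballed. The account ID, mesh ARN, and action lists in the two policies are constructed for illustration and are not the controller's real requirements; Condition, NotAction and NotResource are deliberately not modelled. Note that this concerns the permission policy only; the IRSA trust policy (the OIDC subject condition on the role) is a separate control.

```python
"""Wildcard check and simplified allow/deny evaluation for an IAM permission
policy.  Added example: not the policy from PR #1373 and not tfsec's own
implementation.  All ARNs, account IDs and action lists are constructed.
"""
import re


def _as_list(value):
    """IAM accepts either a scalar or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcards(policy: dict) -> list[str]:
    """Report Allow statements with a wildcarded Action (e.g. 'appmesh:*') or
    the unscoped Resource '*'.  Globs inside an ARN ('...:mesh/my-mesh/*')
    remain scoped to one mesh and are not reported here (assumption: tfsec
    applies its own finer-grained handling to those)."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a wildcard in a Deny narrows access rather than widening it
        sid = stmt.get("Sid") or f"Statement[{idx}]"
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append(f"{sid}: Action '{action}' contains a wildcard")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"{sid}: Resource '*' is not scoped to any ARN")
    return findings


def _iam_match(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM glob semantics: '*' matches any run, '?' one character.
    Action names are case-insensitive; ARNs are case-sensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def allows(policy: dict, action: str, resource: str) -> bool:
    """Simplified single-policy decision: an explicit Deny wins, otherwise any
    matching Allow grants, otherwise implicit deny.  Condition keys,
    NotAction and NotResource are ignored (assumption)."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not any(_iam_match(a, action, True) for a in _as_list(stmt.get("Action"))):
            continue
        if not any(_iam_match(r, resource, False) for r in _as_list(stmt.get("Resource"))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


# Constructed 'before' policy: every App Mesh action on every resource.
BEFORE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppMeshAll", "Effect": "Allow", "Action": "appmesh:*", "Resource": "*"}
    ],
}

MESH_ARN = "arn:aws:appmesh:us-west-2:111122223333:mesh/my-mesh"  # constructed

# Constructed 'after' policy: named actions, scoped to one mesh and the
# virtual nodes beneath it.  The action list is illustrative only.
AFTER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppMeshScoped",
            "Effect": "Allow",
            "Action": [
                "appmesh:DescribeMesh",
                "appmesh:DescribeVirtualNode",
                "appmesh:CreateVirtualNode",
                "appmesh:UpdateVirtualNode",
                "appmesh:DeleteVirtualNode",
            ],
            "Resource": [MESH_ARN, MESH_ARN + "/virtualNode/*"],
        }
    ],
}


if __name__ == "__main__":
    for name, policy in (("before", BEFORE_POLICY), ("after", AFTER_POLICY)):
        print(name, find_wildcards(policy) or "no wildcards")
    print("DeleteMesh on my-mesh, before:", allows(BEFORE_POLICY, "appmesh:DeleteMesh", MESH_ARN))
    print("DeleteMesh on my-mesh, after: ", allows(AFTER_POLICY, "appmesh:DeleteMesh", MESH_ARN))
```

Running the module prints the two findings for the wildcard policy and none for the scoped one, and shows that appmesh:DeleteMesh is granted by the former but not by the latter. The point of the allows() probe is that a tfsec pass is a static proxy; the question a reviewer actually wants answered is which (action, resource) pairs the role can still exercise, and that is worth asserting directly for the destructive actions.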

@rodrigobersa rodrigobersa temporarily deployed to EKS Blueprints Test January 25, 2023 03:11 — with GitHub Actions Inactive
@rodrigobersa rodrigobersa marked this pull request as ready for review January 28, 2023 01:13
@rodrigobersa rodrigobersa requested a review from a team as a code owner January 28, 2023 01:13
@bryantbiggs bryantbiggs temporarily deployed to EKS Blueprints Test January 30, 2023 23:33 — with GitHub Actions Inactive
@bryantbiggs bryantbiggs merged commit 1d744e7 into aws-ia:main Jan 31, 2023
vara-bonthu pushed a commit that referenced this pull request Feb 2, 2023
…Sec compliance rules compliance. (#1373)

Co-authored-by: Rodrigo Bersa <bersr@amazon.com>
Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>
resolves undefined
allamand pushed a commit to allamand/terraform-aws-eks-blueprints that referenced this pull request Feb 2, 2023
…Sec compliance rules compliance. (aws-ia#1373)

Co-authored-by: Rodrigo Bersa <bersr@amazon.com>
Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>
resolves undefined
gminiba pushed a commit to gminiba/terraform-aws-eks-blueprints that referenced this pull request Mar 17, 2023
…Sec compliance rules compliance. (aws-ia#1373)

Co-authored-by: Rodrigo Bersa <bersr@amazon.com>
Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>
resolves undefined
Successfully merging this pull request may close these issues.

Improve security contexts promoting TFSec integration and usage.