
[chore] Add conditionals for TRE permission boundaries #1186

Merged: 3 commits into develop from atmikev/TRECheck on May 2, 2023

Conversation

aws-tyler
Contributor

@aws-tyler aws-tyler commented Apr 28, 2023

Added check to CloudFormation templates to only include boundary permission updates if AppStream is enabled.

Testing (in Linux, Windows, and SageMaker):

  • Verified that credentials being used OUTSIDE of the AppStream environment could not access S3 data.
  • Verified that credentials being used INSIDE of the AppStream environment could access studies.
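To show what a conditional of this kind looks like in a CloudFormation template, here is an added example; it is not code from this pull request or from the Service Workbench repository. The parameter, condition and resource names (IsAppStreamEnabled, S3VpcEndpointId, StudyDataBucketArn, WorkspaceRole, WorkspaceInstanceProfile) are assumptions, and so is the concrete restriction: a Deny on S3 unless the request arrives through the deployment's S3 VPC endpoint, chosen to match the two test outcomes listed above (no S3 access with the credentials outside AppStream, normal study access inside it).

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not from this PR or from Service Workbench): a workspace
  instance role whose S3 boundary statement is only emitted when AppStream
  (TRE mode) is enabled. All names are assumptions.

Parameters:
  IsAppStreamEnabled:
    # Assumed parameter name; the real templates may spell it differently.
    Type: String
    AllowedValues: ['true', 'false']
    Default: 'false'
  S3VpcEndpointId:
    # Assumed parameter: the S3 VPC endpoint exported by onboarding.
    # Only meaningful when IsAppStreamEnabled is 'true'.
    Type: String
    Default: ''
  StudyDataBucketArn:
    # Assumed parameter: ARN of the bucket that holds study data.
    Type: String

Conditions:
  AppStreamEnabled: !Equals [!Ref IsAppStreamEnabled, 'true']

Resources:
  WorkspaceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: study-data-access
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Grant that every deployment gets, TRE or not.
              - Sid: ReadStudyData
                Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:ListBucket
                Resource:
                  - !Ref StudyDataBucketArn
                  - !Sub '${StudyDataBucketArn}/*'
              # Boundary statement, emitted only when AppStream is enabled.
              # Fn::If with AWS::NoValue drops the list element entirely in
              # the non-TRE case, so those deployments keep their old policy.
              - !If
                - AppStreamEnabled
                - Sid: DenyS3OutsideVpcEndpoint
                  Effect: Deny
                  Action: s3:*
                  Resource: '*'
                  Condition:
                    # StringNotEquals (not the ...IfExists variant) on purpose:
                    # a request that does not traverse any VPC endpoint carries
                    # no aws:SourceVpce key, the negated operator then matches,
                    # and the Deny fires. That is what stops credentials that
                    # were copied off the workspace from reading study data.
                    StringNotEquals:
                      aws:SourceVpce: !Ref S3VpcEndpointId
                - !Ref AWS::NoValue

  WorkspaceInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref WorkspaceRole
```

Two things worth checking when reviewing a template like this: that every template which can run in TRE mode carries the same condition (the commit list on this page notes that the EMR template has no AppStream flag at all, so it needs separate treatment), and that the endpoint ID passed in really is the one the workspace subnets route S3 traffic through, because with a mismatched ID the Deny blocks the workspace itself rather than only credentials used elsewhere.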

@codecov

codecov bot commented Apr 28, 2023

Codecov Report

Merging #1186 (74c4057) into develop (fcee7bb) will not change coverage.
The diff coverage is n/a.

❗ Current head 74c4057 differs from pull request most recent head 26b94a6. Consider uploading reports for the commit 26b94a6 to get more accurate results

Additional details and impacted files


@@           Coverage Diff            @@
##           develop    #1186   +/-   ##
========================================
  Coverage    52.19%   52.19%           
========================================
  Files          344      344           
  Lines        17177    17177           
  Branches      2648     2644    -4     
========================================
  Hits          8965     8965           
  Misses        7219     7219           
  Partials       993      993           

Powered by Codecov. Last update fcee7bb...26b94a6. Read the comment docs.

…h-on-aws into atmikev/TRECheck

# Conflicts:
#	addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/ec2-linux-instance.cfn.yml
#	addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/ec2-windows-instance.cfn.yml
#	addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/sagemaker-notebook-instance.cfn.yml
Contributor

@SanketD92 SanketD92 left a comment


Could you also mention in the PR description the testing performed to verify these changes?

@aws-tyler aws-tyler merged commit 27980eb into develop May 2, 2023
@aws-tyler aws-tyler deleted the atmikev/TRECheck branch May 2, 2023 19:27
jkelabora added a commit to WEHI-ResearchComputing/service-workbench-on-aws that referenced this pull request Aug 8, 2023
* git actions to origin (awslabs#1139)

* chore(deps): bump golang.org/x/sys (awslabs#1138)

Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.0.0-20201026173827-119d4633e4d1 to 0.1.0.
- [Release notes](https://github.com/golang/sys/releases)
- [Commits](https://github.com/golang/sys/commits/v0.1.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: FernandoAranda <fernandoarandacarrillo@gmail.com>

* Revert "chore(deps): bump golang.org/x/sys (awslabs#1138)" (awslabs#1140)

This reverts commit c836c57.

Co-authored-by: Fernando Aranda <farandac@amazon.com>

* fix: s3 CLI command fix (awslabs#1149)

* docs: remove Docusaurus and use IG (awslabs#1150)

* fix: sagemaker autostop (awslabs#1153)

* fix: autostop sagemaker fix for non TRE/no study mounting (awslabs#1154)

* Minor documentation updates to reconcile differences between AWS website and Repository. Additionally included step for the Cloud9 installation instructions to specify a public subnet for VPC installation. If you do not you cannot use AWS Managed Temporary Credentials and will break the install of Cloud9 without a very verbose error message. (awslabs#1151)

* chore(deps): bump golang.org/x/sys from 0.0.0-20201026173827-119d4633e4d1 to 0.1.0 in /addons/addon-raas-s3-copy/packages/s3-synchronizer (awslabs#1152)

* fix: go mod format (awslabs#1163)

* Add elasticmapreduce:AddTags permission to LaunchConstraint role (awslabs#1164)

* fix: upgrade goland in buildspec (awslabs#1166)

* fix: upgrade code build image for target env deploy project (awslabs#1168)

* revert: revert Go version upgrade (awslabs#1169)

* Update deploy-integ-appstream-egress.yml (awslabs#1172)

* Update deploy-integ-appstream-egress.yml

Added OIDC config for role assumption

* Update deploy-integ.yml

Adding OIDC changes to deploy-integ.yml

* Update deploy-integ-appstream-egress.yml

Delete comments

* Update deploy-integ.yml

replace hardcoded region

* Update README.md

Updating readme

* OIDC permissions (awslabs#1173)

* Add permissions to deploys

* trigger unit tests

---------

Co-authored-by: Marianna Ghirardelli <ghirard@amazon.com>

* chore(deps): bump xml2js and aws-sdk in /scripts/load-test-workspaces (awslabs#1171)

Bumps [xml2js](https://github.com/Leonidas-from-XIV/node-xml2js) to 0.5.0 and updates ancestor dependency [aws-sdk](https://github.com/aws/aws-sdk-js). These dependencies need to be updated together.


Updates `xml2js` from 0.4.19 to 0.5.0
- [Release notes](https://github.com/Leonidas-from-XIV/node-xml2js/releases)
- [Commits](Leonidas-from-XIV/node-xml2js@0.4.19...0.5.0)

Updates `aws-sdk` from 2.814.0 to 2.1354.0
- [Release notes](https://github.com/aws/aws-sdk-js/releases)
- [Changelog](https://github.com/aws/aws-sdk-js/blob/master/CHANGELOG.md)
- [Commits](aws/aws-sdk-js@v2.814.0...v2.1354.0)

---
updated-dependencies:
- dependency-name: xml2js
  dependency-type: indirect
- dependency-name: aws-sdk
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Tyler Mikev <112508158+aws-tyler@users.noreply.github.com>

* fix: Make SageMaker IAM policy case insensitive (awslabs#1177)

* chore(release): 5.2.8 (awslabs#1178)

* chore(release): 5.2.8

* mend

---------

Co-authored-by: Fernando Aranda <farandac@amazon.com>

* Atmikev/creds restrictions (awslabs#1181)

* Added SourceVPC boundaries for EC2 Linux, Windows, and EMR

* Exporting S3 VpcEndpoint value from onboarding

* Removing EMR changes

* chore(release): 5.2.9 (awslabs#1182)

* chore(release): 5.2.9

* chore(release): 5.2.9

* [feat] Use S3VPCE to prevent S3 access outside of VPC (awslabs#1183)

* docs: Add Beta

* fix: add OwnershipControls for LoggingBucket (awslabs#1185)

* Revert "[feat] Use S3VPCE to prevent S3 access outside of VPC" (awslabs#1187)

* chore(release): 5.2.10 (awslabs#1188)

* [chore] Add conditionals for TRE permission boundaries (awslabs#1186)

* [chore] Add conditionals for TRE permission boundaries

* Updated cypress integration test configs

* docs: Add Beta

* Add an S3 Endpoint for Non-TRE deployments (awslabs#1189)

* Update templates

* always populate SolutionName

* There is no isAppStream in EMR

* Always autopopulate the value for SolutionName

* Added script to reroute S3 connections through VPC

* chore(release): 5.2.11 (awslabs#1191)

* Deny all non-admins access to user list.

* Omit the 'external-researcher' user role as it isn't included in the response from api/user-roles

* fix: BYOB role updates for VPCE restrictions (awslabs#1197)

* fix: BYOB role updates for VPCE restrictions

* fix: making projectId required for BYOB (awslabs#1198)

* fix: add missing proj ID for integ tests

* chore: update pipeline test config (awslabs#1199)

* docs: Add Beta

* chore(release): v6.0.0 (awslabs#1200)

* chore(release): 6.0.0

* EMR AL2 upgrade (awslabs#1205)

* feat: remove hail provisioning from EMR and upgrade to AL2

* feat: swap to EMR installed JupyterHub instead of installing our own.

* docs: Add Beta

* chore(deps): bump fast-xml-parser, @aws-sdk/client-appstream, @aws-sdk/client-ec2 and @aws-sdk/client-s3 (awslabs#1207)

Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) to 4.2.5 and updates ancestor dependencies [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser), [@aws-sdk/client-appstream](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-appstream), [@aws-sdk/client-ec2](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-ec2) and [@aws-sdk/client-s3](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-s3). These dependencies need to be updated together.


Updates `fast-xml-parser` from 4.2.4 to 4.2.5
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases)
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
- [Commits](NaturalIntelligence/fast-xml-parser@v4.2.4...v4.2.5)

Updates `@aws-sdk/client-appstream` from 3.350.0 to 3.369.0
- [Release notes](https://github.com/aws/aws-sdk-js-v3/releases)
- [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-appstream/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.369.0/clients/client-appstream)

Updates `@aws-sdk/client-ec2` from 3.350.0 to 3.369.0
- [Release notes](https://github.com/aws/aws-sdk-js-v3/releases)
- [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-ec2/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.369.0/clients/client-ec2)

Updates `@aws-sdk/client-s3` from 3.350.0 to 3.369.0
- [Release notes](https://github.com/aws/aws-sdk-js-v3/releases)
- [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-s3/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.369.0/clients/client-s3)

---
updated-dependencies:
- dependency-name: fast-xml-parser
  dependency-type: indirect
- dependency-name: "@aws-sdk/client-appstream"
  dependency-type: direct:production
- dependency-name: "@aws-sdk/client-ec2"
  dependency-type: direct:production
- dependency-name: "@aws-sdk/client-s3"
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Sanket Dharwadkar <sdharwad@amazon.com>
Co-authored-by: Kevin Park <103979972+kpark277@users.noreply.github.com>

* chore(deps-dev): bump word-wrap in /scripts/load-test-workspaces (awslabs#1210)

* chore(deps-dev): bump word-wrap from 1.2.3 to 1.2.4 in /scripts/app-stream (awslabs#1211)

* test: extend emr e2e test timeout to 20 min (awslabs#1214)

* chore(deps-dev): bump word-wrap from 1.2.3 to 1.2.4 in /main/end-to-end-tests (awslabs#1212)

* feat: add IMDSv2 support on AMI creation (awslabs#1215)

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: jane yu <118856243+janeyuaws@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: FernandoAranda <fernandoarandacarrillo@gmail.com>
Co-authored-by: Fernando Aranda <farandac@amazon.com>
Co-authored-by: Sanket Dharwadkar <sdharwad@amazon.com>
Co-authored-by: Marianna Ghirardelli <43092418+maghirardelli@users.noreply.github.com>
Co-authored-by: spensireli <spencerconklin92@gmail.com>
Co-authored-by: Kevin Park <103979972+kpark277@users.noreply.github.com>
Co-authored-by: Tyler Mikev <112508158+aws-tyler@users.noreply.github.com>
Co-authored-by: Marianna Ghirardelli <ghirard@amazon.com>
Co-authored-by: GitHub Action <action@github.com>