-
-
Notifications
You must be signed in to change notification settings - Fork 4.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Add ability to pass custom IAM policy to VPC endpoints #497
feat: Add ability to pass custom IAM policy to VPC endpoints #497
Conversation
923780d
to
bc92275
Compare
bc92275
to
2bce48a
Compare
default = "" | ||
} | ||
|
||
variable "dynamodb_endpoint_policy" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't see DynamoDB on the list of services that support endpoint policies - do we have any supporting evidence that states otherwise? https://docs.aws.amazon.com/vpc/latest/userguide/integrated-services-vpce-list.html
default = "" | ||
} | ||
|
||
variable "ecr_dkr_endpoint_policy" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
likewise, I see ECR supported but I don't know if that includes the Docker registry API endpoint https://docs.aws.amazon.com/vpc/latest/userguide/integrated-services-vpce-list.html
@@ -1,3 +1,17 @@ | |||
data "aws_iam_policy_document" "default" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we shouldn't need this, instead we can set the policy to null
most likely. see below
@@ -12,6 +26,7 @@ resource "aws_vpc_endpoint" "s3" { | |||
|
|||
vpc_id = local.vpc_id | |||
service_name = data.aws_vpc_endpoint_service.s3[0].service_name | |||
policy = var.s3_endpoint_policy == "" ? data.aws_iam_policy_document.default.json : var.s3_endpoint_policy |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I haven't tested myself yet, but I think something like this should work without requiring the default policy data source:
policy = var.s3_endpoint_policy == "" ? data.aws_iam_policy_document.default.json : var.s3_endpoint_policy | |
policy = var.s3_endpoint_policy == "" ? null : var.s3_endpoint_policy |
one other thing that might work as well (again, haven't tested this here) would be:
- Change the policy default value to
null
like:
variable "s3_endpoint_policy" {
description = "Custom IAM policy for S3 endpoint"
type = string
default = null
}
- Then simply do this:
policy = var.s3_endpoint_policy
again, it would need to be tested and validated on either approach but I think it might work and makes it cleaner. I don't know what the AWS provider or AWS API will provide when a null is provided (or no policy is provided)
default = "" | ||
} | ||
|
||
variable "workspaces_endpoint_policy" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
looks like workspaces endpoints do not support policies https://docs.aws.amazon.com/vpc/latest/userguide/integrated-services-vpce-list.html
default = "" | ||
} | ||
|
||
variable "access_analyzer_endpoint_policy" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't see anything for IAM access analyzer on this list https://docs.aws.amazon.com/vpc/latest/userguide/integrated-services-vpce-list.html
@kostyaplis could you update the |
Hi @bryantbiggs, thanks for your review!
DynamoDB: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-ddb.html
variable "s3_endpoint_policy" {
description = "Custom IAM policy for S3 VPC endpoint"
type = string
default = null
}
resource "aws_vpc_endpoint" "s3" {
...
policy = var.s3_endpoint_policy
...
} Results:
So that was the reason I put default endpoint policy there. Seems that if declared it has to be valid JSON string and completely skipped if set to
|
Just came looking through this module repository as I noticed I couldn't set an S3 endpoint policy so I'm keen to see this PR merged so I can use this module instead of our homegrown version. FWIW I've set a DKR endpoint policy. |
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
Description
In order to fix #437
Inspired by #341
Added ability to pass custom IAM policy as JSON string to any VPC endpoint that supports it atm
Motivation and Context
Default
Full Access
endpoints policy is a security concern. At least, accordingly to ISO27001Breaking Changes
No breaking changes
Been tested with custom and default IAM policies.