4 changes: 4 additions & 0 deletions terraform/aws-custom-policies.tf
Expand Up @@ -9,5 +9,9 @@ module "aws_custom_policies" {
description = "Policy enforcing MFA for devops security users"
filename = "enforce-mfa-for-users-policy.json"
}
"IncubatorTfPlanSecretsRead" = {
description = "Allows incubator tf plan role to read specific Secrets Manager secrets needed for terraform plan"
filename = "incubator-tf-plan-secrets-read-policy.json"
}
Copilot AI Apr 15, 2026

PR description mentions a new policy file incubator-tf-plan-secrets-read-policy.tf, but the change here references incubator-tf-plan-secrets-read-policy.json. If the PR description is outdated/typo, consider updating it to match the actual file name/type to avoid confusion for reviewers and future maintainers.

}
}
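Review bot: the map key and file name ("IncubatorTfPlanSecretsRead", incubator-tf-plan-secrets-read-policy.json) bake Secrets Manager into the policy's identity even though the description says it holds what the plan role "needed for terraform plan" beyond read-only; if other non-read-only grants are added later, or the Resource list is widened, the name will stop describing the grant. Name the policy for the role's purpose rather than for one service (for example incubator-tf-plan-extra-policy.json) and keep the description's "specific ... secrets" wording only for as long as the Resource list stays enumerated.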
Member

The name of the file should not be specific to secrets, but to all of the 'other' things that TF plan needs other than read-only.

@@ -0,0 +1,17 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowReadSpecificSecretsForTerraformPlan",
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:us-west-2:035866691871:secret:home-unite-us-cognito-client*",
Member

should be:
arn:aws:secretsmanager:us-west-2:035866691871:secret:*

"arn:aws:secretsmanager:us-west-2:035866691871:secret:home-unite-us-google-clientid*",
"arn:aws:secretsmanager:us-west-2:035866691871:secret:home-unite-us-google-secret*"
]
}
]
}
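Review bot: the three Resource ARNs scope secretsmanager:GetSecretValue to named secrets by prefix, which is the right least-privilege shape for a plan-only role; the in-line suggestion to widen it to arn:aws:secretsmanager:us-west-2:035866691871:secret:* would let anything able to assume the plan role read every secret in that account, not only the Cognito and Google client values this statement names. If more secrets must be readable, add their ARNs to the list, or bind the grant with a Condition on a shared name prefix or resource tag rather than the bare wildcard. The trailing * on each ARN is needed because Secrets Manager appends a random suffix to a secret's ARN, so the existing prefix match already covers that without widening further; just be aware it also matches any other secret whose name begins with the same prefix.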
8 changes: 6 additions & 2 deletions terraform/aws-gha-oidc-providers.tf
Expand Up @@ -40,13 +40,17 @@ resource "aws_iam_role" "incubator_tf_plan" {
}

resource "aws_iam_role_policy_attachment" "incubator_tf_plan_readonly" {
role = aws_iam_role.incubator_tf_plan.name
role = aws_iam_role.incubator_tf_plan.name
policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}
Copilot AI Apr 15, 2026

Attaching only the AWS managed ReadOnlyAccess policy to the Terraform plan role is likely insufficient for a remote S3 backend with DynamoDB state locking (this repo configures dynamodb_table in prod.backend.tfvars). Terraform plan/init typically needs write permissions to the lock table (e.g., dynamodb:PutItem, DeleteItem, UpdateItem) and appropriate S3 backend access; otherwise CI plans will fail when locking the state. Consider adding a minimal backend-access policy (S3 state bucket + DynamoDB lock table) to this role, instead of (or in addition to) ReadOnlyAccess.


resource "aws_iam_role_policy_attachment" "incubator_tf_plan_secrets_read" {
role = aws_iam_role.incubator_tf_plan.name
policy_arn = module.aws_custom_policies.policy_arns["IncubatorTfPlanSecretsRead"]
}

resource "aws_iam_role" "incubator_tf_apply" {
name = "incubator-tf-apply"

assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
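Review bot: the removed and re-added role = aws_iam_role.incubator_tf_plan.name line is whitespace realignment only and is fine, but the new incubator_tf_plan_secrets_read attachment changes the plan role from read-only into one that can return secret values, and this file is where its GitHub Actions OIDC trust is defined. Before merging, confirm that the incubator_tf_plan assume_role_policy (not shown in this hunk; only the incubator_tf_apply one is cut off at the end) pins the GitHub sub claim to the intended repository and branch or environment, because any workflow run that can assume this role, including plan runs triggered from pull requests, could now read the Cognito and Google client secrets and expose them in CI logs. A short comment on the attachment naming which Terraform data sources actually need GetSecretValue would also make it easy to remove the grant when those go away.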