From 9c4d956da4e3ac1c32455224671cdd98249f7f4b Mon Sep 17 00:00:00 2001
From: Benettonkkb
Date: Thu, 5 Feb 2026 01:52:20 +0000
Subject: [PATCH 1/5] Separate Terraform plan and apply roles for incubator
---
 terraform/aws-gha-oidc-providers.tf | 43 +++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
diff --git a/terraform/aws-gha-oidc-providers.tf b/terraform/aws-gha-oidc-providers.tf
index 534abe2..cc906ca 100644
--- a/terraform/aws-gha-oidc-providers.tf
+++ b/terraform/aws-gha-oidc-providers.tf
@@ -9,4 +9,47 @@ module "iam_oidc_gha_incubator" {
 policy_arns = [
 "arn:aws:iam::aws:policy/AdministratorAccess"
 ]
+
+}
+module "iam_oidc_incubator_tf_plan" {
+ source = "./modules/aws-gha-oidc-providers"
+
+ role_name = "incubator-tf-plan"
+ use_wildcard = true
+ github_branch = "refs/heads/*" # concerning IAM audit, ok, as it is read-only
+ github_repo = "hackforla/incubator"
+
+ policy_arns = [
+ "arn:aws:iam::aws:policy/ReadOnlyAccess"
+ ]
+}
+resource "aws_iam_role" "incubator_tf_apply" {
+ name = "incubator-tf-apply"
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Action = "sts:AssumeRoleWithWebIdentity"
+ Principal = {
+ Federated = module.iam_oidc_gha_incubator.provider_arn
+ }
+ Condition = {
+ StringEquals = {
+ "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
+ }
+ StringLike = {
+ "token.actions.githubusercontent.com:sub" = "repo:hackforla/incubator:ref:refs/heads/main"
+ }
+ }
+ }
+ ]
+ })
 }
+
+resource "aws_iam_role_policy_attachment" "incubator_tf_apply_admin" {
+ role = aws_iam_role.incubator_tf_apply.name
+ policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}
+
From 3178e816b895c88d5e59c5036da17f13973df287 Mon Sep 17 00:00:00 2001
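Review bot: The pre-existing `iam_oidc_gha_incubator` module role keeps `AdministratorAccess` (the context lines at the top of the hunk), so adding `incubator-tf-plan` and `incubator-tf-apply` only separates privileges once the workflows stop assuming that role; its trust condition is outside the hunk, so I can't tell how widely it is assumable, but the commit should say when it gets narrowed or removed. The plan role is built from the module with `github_branch = "refs/heads/*"` while the apply role is hand-written as `aws_iam_role`; a one-line comment on the resource explaining why the module is bypassed for apply (presumably it cannot express a single-branch subject) would save the next reader the guess. If the state backend uses a DynamoDB lock table, `ReadOnlyAccess` alone will likely not let `terraform plan` take the lock — confirm against the backend config or run plan with `-lock=false`. The `sub` value on the apply role has no wildcard, so `StringEquals` would be the tighter operator than `StringLike`.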
From: Benettonkkb
Date: Thu, 26 Feb 2026 02:36:17 +0000
Subject: [PATCH 2/5] Applying recommended role detail changes for plan and apply
---
 terraform/aws-gha-oidc-providers.tf | 46 ++++++++++++++++++++++-------
 1 file changed, 35 insertions(+), 11 deletions(-)
diff --git a/terraform/aws-gha-oidc-providers.tf b/terraform/aws-gha-oidc-providers.tf
index cc906ca..c537eff 100644
--- a/terraform/aws-gha-oidc-providers.tf
+++ b/terraform/aws-gha-oidc-providers.tf
@@ -11,18 +11,39 @@ module "iam_oidc_gha_incubator" {
 ]
 }
-module "iam_oidc_incubator_tf_plan" {
- source = "./modules/aws-gha-oidc-providers"
+resource "aws_iam_role" "incubator_tf_plan" {
+ name = "incubator-tf-plan"
- role_name = "incubator-tf-plan"
- use_wildcard = true
- github_branch = "refs/heads/*" # concerning IAM audit, ok, as it is read-only
- github_repo = "hackforla/incubator"
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Action = "sts:AssumeRoleWithWebIdentity"
+ Principal = {
+ Federated = module.iam_oidc_gha_incubator.provider_arn
+ }
+ Condition = {
+ StringEquals = {
+ "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
+ }
+ StringLike = {
+ "token.actions.githubusercontent.com:sub" = [
+ "repo:hackforla/incubator:ref:refs/heads/*",
+ "repo:hackforla/incubator:pull_request"
+ ]
+ }
+ }
+ }
+ ]
+ })
+}
- policy_arns = [
- "arn:aws:iam::aws:policy/ReadOnlyAccess"
- ]
+resource "aws_iam_role_policy_attachment" "incubator_tf_plan_readonly" {
+ role = aws_iam_role.incubator_tf_plan.name
+ policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
 }
+
 resource "aws_iam_role" "incubator_tf_apply" {
 name = "incubator-tf-apply"
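Review bot: The rationale comment `# concerning IAM audit, ok, as it is read-only` disappears with the module call, yet the new `StringLike` list on `incubator_tf_plan` still lets every branch and every `pull_request` run assume a role with `ReadOnlyAccess`; carry the reasoning over onto the `sub` list, e.g. `# any branch or PR may run plan: this role is read-only (ReadOnlyAccess)`. The comment should also be honest that `ReadOnlyAccess` is broad (it includes `s3:Get*`, so the state bucket and any other readable objects are exposed to anyone who can push a branch), so "read-only" is not the same as "harmless". The trust document is now an almost verbatim copy of the one on `incubator_tf_apply`; an `aws_iam_policy_document` data source or a `locals` entry with the subject list as the only variable would keep the `aud` check and the provider ARN in one place. Whether fork-originated `pull_request` runs can obtain an OIDC token for this subject depends on the repo's workflow permission settings, which this diff does not show — worth confirming before relying on the `pull_request` entry.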
@@ -40,7 +61,10 @@ resource "aws_iam_role" "incubator_tf_apply" {
 "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
 }
 StringLike = {
- "token.actions.githubusercontent.com:sub" = "repo:hackforla/incubator:ref:refs/heads/main"
+ "token.actions.githubusercontent.com:sub" = [
+ "repo:hackforla/incubator:ref:refs/heads/main",
+ "repo:hackforla/incubator:pull_request"
+ ]
 }
 }
 }
@@ -50,6 +74,6 @@ resource "aws_iam_role" "incubator_tf_apply" {
 resource "aws_iam_role_policy_attachment" "incubator_tf_apply_admin" {
 role = aws_iam_role.incubator_tf_apply.name
- policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+ policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
 }
From bb7db35564a3c6a681a781b7fcdb577765b208da Mon Sep 17 00:00:00 2001
From: Benettonkkb
Date: Thu, 12 Mar 2026 01:17:20 +0000
Subject: [PATCH 3/5] Removed Pull Request condition from incubator_tf_apply
---
 terraform/aws-gha-oidc-providers.tf | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/terraform/aws-gha-oidc-providers.tf b/terraform/aws-gha-oidc-providers.tf
index c537eff..f6ca3db 100644
--- a/terraform/aws-gha-oidc-providers.tf
+++ b/terraform/aws-gha-oidc-providers.tf
@@ -62,8 +62,7 @@ resource "aws_iam_role" "incubator_tf_apply" {
 }
 StringLike = {
 "token.actions.githubusercontent.com:sub" = [
- "repo:hackforla/incubator:ref:refs/heads/main",
- "repo:hackforla/incubator:pull_request"
+ "repo:hackforla/incubator:ref:refs/heads/main"
 ]
 }
 }
From 0db465109feb0f343b96eb86629dcc1e848e6a83 Mon Sep 17 00:00:00 2001
From: Benettonkkb
Date: Thu, 12 Mar 2026 01:25:56 +0000
Subject: [PATCH 4/5] Removed Supervisors group reference in terraform/aws-groups.tf
---
 terraform/aws-groups.tf | 11 -----------
 1 file changed, 11 deletions(-)
diff --git a/terraform/aws-groups.tf b/terraform/aws-groups.tf
index 778ec85..fc2c0a8 100644
--- a/terraform/aws-groups.tf
+++ b/terraform/aws-groups.tf
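Review bot: Adding `repo:hackforla/incubator:pull_request` to the `sub` list of `incubator_tf_apply` lets any PR-triggered workflow in the repo assume a role that carries `AdministratorAccess` (attached in the next hunk), which undoes the plan/apply separation this series introduces. PATCH 3/5 reverts exactly this line, so squashing the two commits would avoid leaving a revision in history where admin was assumable from pull-request runs. The lines sit inside the `jsonencode` block of `aws_iam_role.incubator_tf_apply`, whose opening and closing lines are outside the hunk.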
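Review bot: With `pull_request` gone the `sub` list holds a single wildcard-free value, so `StringLike` can become `StringEquals`, which compares literally and therefore cannot be widened by a later edit that slips a `*` into the value: `StringEquals = { "token.actions.githubusercontent.com:sub" = "repo:hackforla/incubator:ref:refs/heads/main" }`. The reason for the removal lives only in the commit subject; a comment on the list such as `# apply carries AdministratorAccess: main-branch runs only, never PR-triggered ones` would stop the next change from reintroducing it. If the applying workflow runs in a GitHub environment with required reviewers, a `repo:hackforla/incubator:environment:<env-name>` subject would tie the admin role to that approval gate rather than to any workflow that happens to run on main. The enclosing `aws_iam_role.incubator_tf_apply` resource starts and ends outside the hunk.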
@@ -10,14 +10,3 @@ module "iam_read_only_group" {
 }
 }
-// Create iam services admin group
-module "iam_services_supervisor_group" {
- source = "./modules/aws-groups"
-
- group_name = "iam-services-supervisor-group"
- policy_arn = {
- "IAMServicesSupervisor" = module.aws_custom_policies.policy_arns["IAMServicesSupervisor"],
- "EnforceMFAForUsers" = module.aws_custom_policies.policy_arns["EnforceMFAForUsers"]
- }
-}
-
From 27f1c8c311a7729481d810574ba723d9fb43a7ab Mon Sep 17 00:00:00 2001
From: Benettonkkb
Date: Thu, 12 Mar 2026 01:30:14 +0000
Subject: [PATCH 5/5] Removed iam-services-supervisor group from Chelseyb account
---
 terraform/aws-users.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/terraform/aws-users.tf b/terraform/aws-users.tf
index d744c11..3aa3514 100644
--- a/terraform/aws-users.tf
+++ b/terraform/aws-users.tf
@@ -29,7 +29,7 @@ module "iam_user_chelseyb" {
 "Project" = "devops-security"
 "Access Level" = "1"
 }
- user_groups = ["read-only-group", "iam-services-supervisor-group"]
+ user_groups = ["read-only-group"]
 }
@@ -135,7 +135,7 @@ module "iam_user_raibarra" {
 module "iam_user_ezesalvatore4" {
 source = "./modules/aws-users"
- user_name = "ezesalvatore"
+ user_name = "ezesalvatore"
 user_tags = {
 "Project" = "devops-security"
 "Access Level" = "1"
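Review bot: Dropping `iam-services-supervisor-group` from `user_groups` one commit after PATCH 4/5 deleted the `iam_services_supervisor_group` module leaves an intermediate revision in which a user membership still names a group the configuration no longer defines; if each commit is applied on its own, the group deletion probably fails while the user is still a member, or the membership update errors, depending on how `modules/aws-users` resolves the group names (not visible here). Either squash PATCH 4/5 and 5/5, or order the membership removal before the group deletion. The `iam_user_chelseyb` module block starts outside the hunk.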