terraform-runtask-iam-access-analyzer

Use this module to integrate HCP Terraform Run Tasks with AWS IAM Access Analyzer for policy validation.

Diagram

Prerequisites

To use this module you need the following:

  1. AWS account and credentials
  2. HCP Terraform with Run Task entitlement (Business subscription or higher)

Usage

  • Build and package the Lambda files

    make all
    
  • Refer to the module_workspace for steps to deploy this module in HCP Terraform.

  • After you have deployed the module_workspace, navigate to your HCP Terraform organization and go to Organization Settings > Integrations > Run tasks to find the newly created Run Task.

  • You can use this run task in any workspace that declares a standard IAM resource policy document. Refer to the demo_workspace for more details.

Limitations

  1. Does not provide verbose error / warning messages in the Run Task console. In the future, we will explore the possibility of providing verbose logging.

  2. Does not support Terraform computed resources.

For example, the tool reports that no IAM policy was found for the following Terraform template. The policy JSON string references another resource, so it is a computed value, and the plan output does not contain the rendered IAM policy document.

resource "aws_s3_bucket" "b" {
  bucket = "my-tf-test-bucket"

  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }
}

resource "aws_iam_policy" "policy" {
  name        = "test-policy"
  description = "A test policy"

  # The policy string depends on aws_s3_bucket.b, which is only known at
  # apply time, so the whole document is marked unknown in the plan and the
  # run task has nothing to validate.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "s3:GetObject",
        ]
        Effect   = "Allow"
        Resource = aws_s3_bucket.b.id
      }
    ]
  })
}
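To check ahead of time which policies this limitation affects, the following added example (not part of this module's code) walks `terraform show -json` output and separates aws_iam_policy resources whose document is known at plan time from those Terraform lists under `after_unknown`. The sample plan is constructed and mirrors the template above.

```python
import json

# Constructed sample of `terraform show -json` output (not a real plan). The
# second resource mirrors the README's aws_iam_policy "policy": its document
# depends on a bucket attribute, so Terraform lists it under "after_unknown".
SAMPLE_PLAN = json.dumps({"format_version": "1.2", "resource_changes": [
    {"address": "aws_iam_policy.static", "type": "aws_iam_policy", "change": {
        "actions": ["create"],
        "after": {"name": "static-policy", "policy": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                           "Resource": "arn:aws:s3:::example-bucket/*"}]})},
        "after_unknown": {"arn": True, "id": True}}},
    {"address": "aws_iam_policy.policy", "type": "aws_iam_policy", "change": {
        "actions": ["create"],
        "after": {"name": "test-policy", "description": "A test policy"},
        "after_unknown": {"arn": True, "id": True, "policy": True}}},
    {"address": "aws_iam_policy.old", "type": "aws_iam_policy", "change": {
        "actions": ["delete"], "after": None, "after_unknown": {}}},
]})


def classify_iam_policies(plan_json: str) -> dict:
    """Map each planned aws_iam_policy address to its parsed policy document,
    or to None when the document is only known at apply time. A None entry is
    exactly the case the README describes: a plan-based validator has no JSON
    to hand to IAM Access Analyzer and reports no policy found."""
    result = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "aws_iam_policy":
            continue
        change = rc.get("change", {})
        after = change.get("after") or {}          # None for a pure destroy
        if change.get("after_unknown", {}).get("policy") is True:
            result[rc["address"]] = None           # computed: cannot validate
        elif "policy" in after:
            result[rc["address"]] = json.loads(after["policy"])
        # destroyed resources have nothing to validate and are skipped
    return result


def unvalidated_policies(plan_json: str) -> list:
    """Addresses whose policy the run task would silently skip."""
    return sorted(a for a, doc in classify_iam_policies(plan_json).items() if doc is None)
```

Running `unvalidated_policies` on a real plan before enabling the run task tells you which policies still need a non-plan-based review.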

Best practice

  • Do not re-use the Run Tasks URL across different trust boundaries (organizations, accounts, teams). We recommend a separate Run Task deployment per trust boundary.

  • Do not use a Run Tasks URL from an untrusted party; remember that Run Task execution sends the Terraform plan output to the Run Task endpoint. Only use trusted Run Tasks URLs.

  • Enable the AWS WAF setup by setting the variable deploy_waf to true (additional cost applies). This adds WAF protection to the Run Tasks URL endpoint.

  • We recommend setting up additional CloudWatch alarms to monitor Lambda concurrency and WAF rules.