Use this module to integrate HCP Terraform Run Tasks with AWS IAM Access Analyzer for policy validation.
To use this module you need have the following:
- AWS account and credentials
- HCP Terraform with Run Task entitlement (Business subscription or higher)
-
Build and package the Lambda files
make all
-
Refer to the module_workspace for steps to deploy this module in HCP Terraform.
-
After you deployed the module_workspace, navigate to your HCP Terraform organization, go to Organization Settings > Integrations > Run tasks to find the newly created Run Task.
-
You can use this run task in any workspace where you have standard IAM resource policy document. Refer to the demo_workspace for more details.
-
Does not provide verbose error / warning messages in Run Task console. In the future, we will explore possibility to provide verbose logging.
-
Does not support Terraform computed resources.
For example, the tool will report no IAM policy found for the following Terraform template. The policy json string is a computed resource. The plan output doesn't contain information of IAM policy document.
resource "aws_s3_bucket" "b" {
bucket = "my-tf-test-bucket"
tags = {
Name = "My bucket"
Environment = "Dev"
}
}
resource "aws_iam_policy" "policy" {
name = "test-policy"
description = "A test policy"
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"s3:GetObject",
]
Effect = "Allow"
Resource = "${aws_s3_bucket.b.id}"
}
]
})
}
-
Do not re-use the Run Tasks URL across different trust-boundary (organizations, accounts, team). We recommend you to deploy separate Run Task deployment per trust-boundary.
-
Do not use Run Tasks URL from untrusted party, remember that Run Tasks execution sent Terraform plan output to the Run Task endpoint. Only use trusted Run Tasks URL.
-
Enable the AWS WAF setup by setting variable
deploy_waf
totrue
(additional cost will apply). This will add WAF protection to the Run Tasks URL endpoint. -
We recommend you to setup additional CloudWatch alarm to monitor Lambda concurrency and WAF rules.