

fix: allow use from new and old AWS org accounts (#224)
Update Scan Files to allow it to be used from accounts in both
the new and old AWS org.  Once all accounts are fully migrated
we can remove the `aws_org_id_old` variable and logic.
patheard authored Aug 17, 2022
1 parent 8e90404 commit 5224cfd
Showing 7 changed files with 22 additions and 4 deletions.
1 change: 1 addition & 0 deletions .github/workflows/tf_apply_production.yml
Expand Up @@ -13,6 +13,7 @@ env:
TERRAGRUNT_VERSION: 0.38.4
TF_VAR_api_auth_token: ${{ secrets.PRODUCTION_API_AUTH_TOKEN }}
TF_VAR_aws_org_id: ${{ secrets.AWS_ORG_ID }}
TF_VAR_aws_org_id_old: ${{ secrets.AWS_ORG_ID_OLD }}
TF_VAR_rds_password: ${{ secrets.PRODUCTION_RDS_PASSWORD }}
TF_VAR_slack_webhook_url: ${{ secrets.SCAN_FILES_PROD_OPS_WEBHOOK }}
AWS_REGION: ca-central-1
1 change: 1 addition & 0 deletions .github/workflows/tf_apply_staging.yml
Expand Up @@ -14,6 +14,7 @@ env:
TERRAGRUNT_VERSION: 0.38.4
TF_VAR_api_auth_token: ${{ secrets.STAGING_API_AUTH_TOKEN }}
TF_VAR_aws_org_id: ${{ secrets.AWS_ORG_ID }}
TF_VAR_aws_org_id_old: ${{ secrets.AWS_ORG_ID_OLD }}
TF_VAR_rds_password: ${{ secrets.STAGING_RDS_PASSWORD }}
TF_VAR_slack_webhook_url: ${{ secrets.SCAN_FILES_STAGING_OPS_WEBHOOK }}
AWS_REGION: ca-central-1
1 change: 1 addition & 0 deletions .github/workflows/tf_plan_production.yml
Expand Up @@ -14,6 +14,7 @@ env:
CONFTEST_VERSION: 0.27.0
TF_VAR_api_auth_token: ${{ secrets.PRODUCTION_API_AUTH_TOKEN }}
TF_VAR_aws_org_id: ${{ secrets.AWS_ORG_ID }}
TF_VAR_aws_org_id_old: ${{ secrets.AWS_ORG_ID_OLD }}
TF_VAR_rds_password: ${{ secrets.PRODUCTION_RDS_PASSWORD }}
TF_VAR_slack_webhook_url: ${{ secrets.SCAN_FILES_PROD_OPS_WEBHOOK }}

1 change: 1 addition & 0 deletions .github/workflows/tf_plan_staging.yml
Expand Up @@ -15,6 +15,7 @@ env:
CONFTEST_VERSION: 0.27.0
TF_VAR_api_auth_token: ${{ secrets.STAGING_API_AUTH_TOKEN }}
TF_VAR_aws_org_id: ${{ secrets.AWS_ORG_ID }}
TF_VAR_aws_org_id_old: ${{ secrets.AWS_ORG_ID_OLD }}
TF_VAR_rds_password: ${{ secrets.STAGING_RDS_PASSWORD }}
TF_VAR_slack_webhook_url: ${{ secrets.SCAN_FILES_STAGING_OPS_WEBHOOK }}

4 changes: 2 additions & 2 deletions terragrunt/aws/api/iam.tf
Expand Up @@ -152,8 +152,8 @@ data "aws_iam_policy_document" "api_assume_cross_account" {
"arn:aws:iam::*:role/ScanFilesGetObjects"
]
condition {
test = "StringEquals"
values = [var.aws_org_id]
test = "ForAnyValue:StringEquals"
values = [var.aws_org_id, var.aws_org_id_old]
variable = "aws:PrincipalOrgID"
}
}
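Review bot: The `ForAnyValue:` prefix added on the `test` line is unnecessary here and AWS advises against set operators on single-valued condition keys: `aws:PrincipalOrgID` carries exactly one value per request, and a plain `StringEquals` with several entries in `values` already matches when the key equals any one of them. Keeping `test = "StringEquals"` together with `values = [var.aws_org_id, var.aws_org_id_old]` grants the same set of principals without depending on set-operator semantics, and leaves the condition easy to collapse back to a single value once `aws_org_id_old` is retired. The same change appears in the `assume_cross_account` policy document in terragrunt/aws/s3_scan_object/lambda.tf. The enclosing `api_assume_cross_account` document starts before the hunk.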
12 changes: 10 additions & 2 deletions terragrunt/aws/s3_scan_object/lambda.tf
Expand Up @@ -48,8 +48,8 @@ data "aws_iam_policy_document" "assume_cross_account" {
"arn:aws:iam::*:role/ScanFilesGetObjects"
]
condition {
test = "StringEquals"
values = [var.aws_org_id]
test = "ForAnyValue:StringEquals"
values = [var.aws_org_id, var.aws_org_id_old]
variable = "aws:PrincipalOrgID"
}
}
Expand All @@ -62,3 +62,11 @@ resource "aws_lambda_permission" "s3_scan_object_org_account_execute" {
principal = "*"
principal_org_id = var.aws_org_id
}

resource "aws_lambda_permission" "s3_scan_object_old_org_account_execute" {
statement_id = "AllowExecutionFromOldOrgAccounts"
action = "lambda:InvokeFunction"
function_name = module.s3_scan_object.function_name
principal = "*"
principal_org_id = var.aws_org_id_old
}
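Review bot: The new `s3_scan_object_old_org_account_execute` resource carries no marker that it is transitional, so the intent stated in the commit message (remove it once all accounts are migrated) is not visible to whoever next edits this file. A comment above the resource would keep that intent with the code, e.g. `# Transitional: mirrors s3_scan_object_org_account_execute for the old AWS org; remove together with var.aws_org_id_old once account migration is complete.` Both permissions use `principal = "*"`, so `principal_org_id` is the only thing narrowing who may invoke the function, which is why the eventual removal is worth tracking rather than leaving the old org allowed indefinitely.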
6 changes: 6 additions & 0 deletions terragrunt/env/common/common_variables.tf
Expand Up @@ -9,6 +9,12 @@ variable "aws_org_id" {
sensitive = true
}

variable "aws_org_id_old" {
description = "(Required) The old AWS org account ID. Used to limit which roles the API can assume and will be removed once all accounts are migrated."
type = string
sensitive = true
}

variable "cbs_satellite_bucket_name" {
description = "(Required) Name of the Cloud Based Sensor S3 satellite bucket"
type = string
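Review bot: The new `aws_org_id_old` variable accepts any string, so a mistyped or empty `AWS_ORG_ID_OLD` secret produces a `PrincipalOrgID` condition that simply never matches instead of being rejected at plan time. A `validation` block checking the `o-` organization-ID format surfaces that before any policy is written; the same guard would suit `aws_org_id`, whose declaration starts before the hunk. The description already records that the variable is temporary, which is the right place for that note.
```hcl
variable "aws_org_id_old" {
  # … unchanged: description, type, sensitive …

  validation {
    condition     = can(regex("^o-[a-z0-9]{10,32}$", var.aws_org_id_old))
    error_message = "aws_org_id_old must be an AWS Organizations ID of the form o-xxxxxxxxxx."
  }
}
```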
