Giter VIP home page Giter VIP logo

Comments (3)

sylviamclaughlin avatar sylviamclaughlin commented on July 28, 2024

To accomplish the above, we will need to create an IAM role in the Canadian Digital Services AWS account. The IAM policy will need to have the following:

  1. Have ability to mange notification.canada.ca hosted zone records but NOT the hosted zone itself.
  2. Have a trust policy allowing the role to be asumed by the OIDC Github role running prod terraform apply.

from dns.

sylviamclaughlin avatar sylviamclaughlin commented on July 28, 2024

The policy code for part 1 will look similar to:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "route53:ListResourceRecordSets",
        "route53:ChangeResourceRecordSets",
        "route53:GetChange"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:route53:::hostedzone/HOSTED_ZONE_ID_FOR_NOTIFICATION_CANADA_CA"
    },
    {
      "Action": [
        "route53:ListHostedZones",
        "route53:GetHostedZoneCount",
        "route53:ListHostedZonesByName"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

For the second part, we will need to modify the notification_apply_oidc role to contain the following:

data "aws_iam_policy_document" "assume_dns_manager" {
  statement {
    sid = "AssumeProdDNSManagerRoles"

    actions = [
      "sts:AssumeRole",
    ]

    resources = [
      "arn:aws:iam::CanadianDigitalServicesAWSAccountID:role/prod_dns_manager"
    ]
  }
}

resource "aws_iam_policy" "assume_prod_dns_manager" {
  name   = terrafrom_apply_oidc_role
  policy = data.aws_iam_policy_document.assume_dns_manager.json
}

resource "aws_iam_role_policy_attachment" "assume_prod_dns_manager" {
  role       = terrafrom_apply_oidc_role
  policy_arn = aws_iam_policy.assume_prod_dns_manager.arn
}

from dns.

sylviamclaughlin avatar sylviamclaughlin commented on July 28, 2024

PR has been created to address this issue here - #397

from dns.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.