
Tidy up IAM policies for publishing components' S3 permissions. #1153

Merged
merged 3 commits, Feb 28, 2024

Conversation

sengi (Contributor) commented Feb 28, 2024

  • Rename some resources to better reflect their use.
  • Get rid of an IAM policy that wasn't buying us anything by being separate.
  • Tidy up the HCL syntax to reduce the excessive verbosity a bit (because it's even harder to understand an AWS IAM policy when it doesn't fit on a screen 😅)

No functional change. Just minimise the excessive HCL verbosity to make
the policies slightly easier to read.

Several "publishing" (i.e. CMS) components write (non-sensitive) reports
to S3 buckets. Some of these happen to be in CSV format.

Currently, the permissions for writing to these report buckets are split
arbitrarily (for purely historical reasons) between a handful of
different IAM policies all attached to the node role.

It makes sense to consolidate these for now, at least so that it's
easier to see where to add/change stuff (for example recently in
dea2db5).

There's no benefit in having a separate, almost-identical IAM policy
for Publishing API to write event logs to S3 when both policies are
attached to the node role anyway.

If we were to someday split up the roles, assign them to serviceaccounts
and use pod identity (almost certainly overkill in this case) then it
would make sense to have separate policies. Until then, it's just
additional toil and potential for confusion (which itself is not good
for security).
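An added illustration of the consolidation described above, written for this page in Terraform HCL and not taken from this PR or its repository; the bucket ARNs, policy name and node role name are placeholders, not the project's real values:

```hcl
locals {
  # Placeholder bucket ARNs; the real report buckets are not named on the PR page.
  report_buckets = [
    "arn:aws:s3:::EXAMPLE-publishing-reports",
    "arn:aws:s3:::EXAMPLE-publishing-api-event-logs",
  ]
}

# Before: two near-identical policy documents, each wrapped in its own
# aws_iam_policy and attached to the same node role (attachments omitted here).
# IAM unions the Allow statements of every policy attached to a principal, so
# the node role's effective permissions are identical to the merged form below.
data "aws_iam_policy_document" "reports_before" {
  statement {
    actions   = ["s3:PutObject"]
    resources = ["${local.report_buckets[0]}/*"]
  }
}

data "aws_iam_policy_document" "event_logs_before" {
  statement {
    actions   = ["s3:PutObject"]
    resources = ["${local.report_buckets[1]}/*"]
  }
}

# After: one policy, one attachment. Adding a new report bucket means adding
# one ARN to the list instead of working out which of several policies to edit.
data "aws_iam_policy_document" "report_writer" {
  statement {
    sid       = "WritePublishingReports"
    actions   = ["s3:PutObject"]
    resources = [for b in local.report_buckets : "${b}/*"]
  }
}

resource "aws_iam_policy" "report_writer" {
  name   = "EXAMPLE-publishing-report-writer" # placeholder name
  policy = data.aws_iam_policy_document.report_writer.json
}

resource "aws_iam_role_policy_attachment" "report_writer" {
  role       = "EXAMPLE-node-role" # placeholder for the real node role name
  policy_arn = aws_iam_policy.report_writer.arn
}
```

A `terraform plan` for a change like this should show only policy and attachment resources being replaced; the `s3:PutObject` grants on each bucket prefix stay the same, which is the "no functional change" the PR claims.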
@sengi sengi force-pushed the sengi/iam-cleanup branch from 7c7f4c8 to 0244cb3 on February 28, 2024 17:08
@sengi sengi merged commit b0dcc0d into main Feb 28, 2024
4 checks passed
@sengi sengi deleted the sengi/iam-cleanup branch February 28, 2024 18:15