Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow API tasks to send messages to the arpa_audit_report SQS queue #1996

Merged
merged 4 commits into from
Sep 29, 2023
Merged

Allow API tasks to send messages to the arpa_audit_report SQS queue #1996

merged 4 commits into from
Sep 29, 2023

Conversation

TylerHendrickson
Copy link
Member

Follow-up for #1992

Description

This PR adds a missing permission to the ECS task role defined in the api Terraform module, which allows publishing of SQS messages to the queue defined by the arpa_audit_report module. Although the arpa_audit_report module configures the SQS queue policy to accept messages from API tasks, we still need to give the task's role permission to publish SQS messages. Although it seems redundant (IMO) it makes sense to think of the SQS resource policy as an ingress rule (i.e. defines the allowed principals from which messages may originate) and the task role policy as an egress rule (i.e. defines what the task is allowed to do).

In other words:

  • Problem:
    • Bob is allowed to have friends over after school. Bob is the SQS queue.
    • Alice doesn't have permission to go to a friend's house. Alice is the API task.
  • Solution: Give Alice permission to go to Bob's house after school.

In addition to implementing the fix, this PR also update's the sqs_consumer_task module's README with a note clarifying the need to add permissions on the producer side, as well as a corresponding code example.

Screenshots / Demo Video

Testing

See #1992 Testing instructions. Unfortunately, IAM policy enforcement is a "pro-only"/non-community-edition feature of LocalStack, which means this needs to be tested against an actual AWS environment.

Automated and Unit Tests

  • Added Unit tests

Manual tests for Reviewer

  • Added steps to test feature/functionality manually

Checklist

  • Provided ticket and description
  • Provided screenshots/demo
  • Provided testing information
  • Provided adequate test coverage for all new code
  • Added PR reviewers

@TylerHendrickson TylerHendrickson requested a review from a team as a code owner September 29, 2023 04:30
@TylerHendrickson TylerHendrickson self-assigned this Sep 29, 2023
@TylerHendrickson TylerHendrickson temporarily deployed to staging September 29, 2023 04:39 — with GitHub Actions Inactive
@github-actions
Copy link

Report for project: terraform

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output 

Success! The configuration is valid.

Terraform Plan 📖success

Show Plan 
Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:

  # module.api.aws_ecs_task_definition.default[0] has changed
  ~ resource "aws_ecs_task_definition" "default" {
        id                       = "gost-staging-api"
+       tags                     = {}
        # (13 unchanged attributes hidden)

+       volume {
+           name = "data"

+           efs_volume_configuration {
+               file_system_id          = "fs-08f95063c1cdbe191"
+               root_directory          = "/"
+               transit_encryption      = "ENABLED"
+               transit_encryption_port = 0

+               authorization_config {
+                   access_point_id = "fsap-03bc0296928aade4f"
                }
            }
        }
-       volume {
-           name = "data" -> null

-           efs_volume_configuration {
-               file_system_id     = "fs-08f95063c1cdbe191" -> null
-               root_directory     = "/" -> null
-               transit_encryption = "ENABLED" -> null

-               authorization_config {
-                   access_point_id = "fsap-03bc0296928aade4f" -> null
                }
            }
        }

        # (1 unchanged block hidden)
    }

  # module.api.aws_iam_role.execution[0] has changed
  ~ resource "aws_iam_role" "execution" {
        id                    = "gost-staging-api-ECSTaskExecution-20230217010414321500000009"
        name                  = "gost-staging-api-ECSTaskExecution-20230217010414321500000009"
      ~ role_last_used        = [
          ~ {
              ~ last_used_date = "2023-09-29T02:08:56Z" -> "2023-09-29T03:14:19Z"
                # (1 unchanged element hidden)
            },
        ]
        tags                  = {}
        # (11 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

  # module.api.aws_iam_role.task[0] has changed
  ~ resource "aws_iam_role" "task" {
        id                    = "gost-staging-api-ECSTask-2023021701041477300000000a"
        name                  = "gost-staging-api-ECSTask-2023021701041477300000000a"
      ~ role_last_used        = [
          ~ {
              ~ last_used_date = "2023-09-29T02:08:31Z" -> "2023-09-29T03:17:01Z"
                # (1 unchanged element hidden)
            },
        ]
        tags                  = {}
        # (11 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
+   create
  ~ update in-place
+/- create replacement and then destroy

Terraform will perform the following actions:

  # aws_iam_role_policy.api_task-publish_to_arpa_audit_report_queue will be created
+   resource "aws_iam_role_policy" "api_task-publish_to_arpa_audit_report_queue" {
+       id          = (known after apply)
+       name        = (known after apply)
+       name_prefix = "send-arpa-audit-report-requests"
+       policy      = jsonencode(
            {
+               Statement = [
+                   {
+                       Action   = "sqs:SendMessage"
+                       Effect   = "Allow"
+                       Resource = "arn:aws:sqs:us-west-2:357150818708:gost-staging-arpa_audit_report-20230929024256614400000005"
+                       Sid      = "AllowPublishToQueue"
                    },
                ]
+               Version   = "2012-10-17"
            }
        )
+       role        = "gost-staging-api-ECSTask-2023021701041477300000000a"
    }

  # module.api.aws_ecs_service.default[0] will be updated in-place
  ~ resource "aws_ecs_service" "default" {
        id                                 = "arn:aws:ecs:us-west-2:357150818708:service/gost-staging/gost-staging-api"
        name                               = "gost-staging-api"
        tags                               = {}
      ~ task_definition                    = "arn:aws:ecs:us-west-2:357150818708:task-definition/gost-staging-api:32" -> (known after apply)
        # (15 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

  # module.api.aws_ecs_task_definition.default[0] must be replaced
+/- resource "aws_ecs_task_definition" "default" {
      ~ arn                      = "arn:aws:ecs:us-west-2:357150818708:task-definition/gost-staging-api:32" -> (known after apply)
      ~ arn_without_revision     = "arn:aws:ecs:us-west-2:357150818708:task-definition/gost-staging-api" -> (known after apply)
      ~ container_definitions    = jsonencode(
          ~ [ # forces replacement
              ~ {
                  ~ dockerLabels           = {
                      ~ "com.datadoghq.tags.version" = "e04008f5a777c4cf4995236e769b42075681d0a6" -> "7c6118027b58b31750f0a92abce2ea1799ac65da"
                        # (2 unchanged elements hidden)
                    }
                  ~ environment            = [
                        # (6 unchanged elements hidden)
                        {
                            name  = "DD_SERVICE"
                            value = "gost"
                        },
                      ~ {
                            name  = "DD_VERSION"
                          ~ value = "e04008f5a777c4cf4995236e769b42075681d0a6" -> "7c6118027b58b31750f0a92abce2ea1799ac65da"
                        },
                        {
                            name  = "ENABLE_GRANTS_DIGEST"
                            value = "false"
                        },
                        # (9 unchanged elements hidden)
                    ]
                    name                   = "api"
-                   volumesFrom            = [] -> null
                    # (10 unchanged elements hidden)
                } # forces replacement,
              ~ {
                  ~ dockerLabels           = {
                      ~ "com.datadoghq.tags.version" = "e04008f5a777c4cf4995236e769b42075681d0a6" -> "7c6118027b58b31750f0a92abce2ea1799ac65da"
                        # (2 unchanged elements hidden)
                    }
                  ~ environment            = [
                        # (3 unchanged elements hidden)
                        {
                            name  = "DD_SERVICE"
                            value = "gost"
                        },
                      ~ {
                            name  = "DD_VERSION"
                          ~ value = "e04008f5a777c4cf4995236e769b42075681d0a6" -> "7c6118027b58b31750f0a92abce2ea1799ac65da"
                        },
                        {
                            name  = "ECS_FARGATE"
                            value = "true"
                        },
                    ]
-                   mountPoints            = [] -> null
                    name                   = "datadog"
-                   portMappings           = [] -> null
-                   volumesFrom            = [] -> null
                    # (6 unchanged elements hidden)
                } # forces replacement,
            ]
        )
      ~ id                       = "gost-staging-api" -> (known after apply)
      ~ revision                 = 32 -> (known after apply)
-       tags                     = {} -> null
        # (9 unchanged attributes hidden)

-       volume {
-           name = "data" -> null

-           efs_volume_configuration {
-               file_system_id          = "fs-08f95063c1cdbe191" -> null
-               root_directory          = "/" -> null
-               transit_encryption      = "ENABLED" -> null
-               transit_encryption_port = 0 -> null

-               authorization_config {
-                   access_point_id = "fsap-03bc0296928aade4f" -> null
                }
            }
        }
+       volume {
+           name = "data"

+           efs_volume_configuration {
+               file_system_id     = "fs-08f95063c1cdbe191"
+               root_directory     = "/"
+               transit_encryption = "ENABLED"

+               authorization_config {
+                   access_point_id = "fsap-03bc0296928aade4f"
                }
            }
        }

        # (1 unchanged block hidden)
    }

  # module.arpa_audit_report.aws_ecs_service.default will be updated in-place
  ~ resource "aws_ecs_service" "default" {
        id                                 = "arn:aws:ecs:us-west-2:357150818708:service/gost-staging/gost-staging-arpa_audit_report"
        name                               = "gost-staging-arpa_audit_report"
        tags                               = {}
      ~ task_definition                    = "arn:aws:ecs:us-west-2:357150818708:task-definition/gost-staging-arpa_audit_report:1" -> (known after apply)
        # (15 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

  # module.arpa_audit_report.aws_ecs_task_definition.consumer must be replaced
+/- resource "aws_ecs_task_definition" "consumer" {
      ~ arn                      = "arn:aws:ecs:us-west-2:357150818708:task-definition/gost-staging-arpa_audit_report:1" -> (known after apply)
      ~ arn_without_revision     = "arn:aws:ecs:us-west-2:357150818708:task-definition/gost-staging-arpa_audit_report" -> (known after apply)
      ~ container_definitions    = (sensitive value) # forces replacement
      ~ id                       = "gost-staging-arpa_audit_report" -> (known after apply)
-       ipc_mode                 = "" -> null
-       pid_mode                 = "" -> null
      ~ revision                 = 1 -> (known after apply)
-       tags                     = {} -> null
        # (9 unchanged attributes hidden)

-       volume {
-           name = "data" -> null

-           efs_volume_configuration {
-               file_system_id          = "fs-08f95063c1cdbe191" -> null
-               root_directory          = "/" -> null
-               transit_encryption      = "ENABLED" -> null
-               transit_encryption_port = 0 -> null

-               authorization_config {
-                   access_point_id = "fsap-03bc0296928aade4f" -> null
                }
            }
        }
+       volume {
+           name = "data"

+           efs_volume_configuration {
+               file_system_id     = "fs-08f95063c1cdbe191"
+               root_directory     = "/"
+               transit_encryption = "ENABLED"

+               authorization_config {
+                   access_point_id = "fsap-03bc0296928aade4f"
                }
            }
        }

        # (1 unchanged block hidden)
    }

  # module.consume_grants.aws_ecs_service.default will be updated in-place
  ~ resource "aws_ecs_service" "default" {
        id                                 = "arn:aws:ecs:us-west-2:357150818708:service/gost-staging/gost-staging-consume_grants"
        name                               = "gost-staging-consume_grants"
        tags                               = {}
      ~ task_definition                    = "arn:aws:ecs:us-west-2:357150818708:task-definition/gost-staging-consume_grants:17" -> (known after apply)
        # (15 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

  # module.consume_grants.aws_ecs_task_definition.consume_grants must be replaced
+/- resource "aws_ecs_task_definition" "consume_grants" {
      ~ arn                      = "arn:aws:ecs:us-west-2:357150818708:task-definition/gost-staging-consume_grants:17" -> (known after apply)
      ~ arn_without_revision     = "arn:aws:ecs:us-west-2:357150818708:task-definition/gost-staging-consume_grants" -> (known after apply)
      ~ container_definitions    = (sensitive value) # forces replacement
      ~ id                       = "gost-staging-consume_grants" -> (known after apply)
-       ipc_mode                 = "" -> null
-       pid_mode                 = "" -> null
      ~ revision                 = 17 -> (known after apply)
-       tags                     = {} -> null
        # (9 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 4 to add, 3 to change, 3 to destroy.

Pusher: @TylerHendrickson, Action: pull_request, Workflow: Terraform CI

@codeclimate
Copy link

codeclimate bot commented Sep 29, 2023

Code Climate has analyzed commit 9c014ee and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 55.8%.

View more on Code Climate.

@TylerHendrickson TylerHendrickson enabled auto-merge (squash) September 29, 2023 04:44
@TylerHendrickson TylerHendrickson merged commit 1e0c52a into _staging Sep 29, 2023
6 checks passed
@TylerHendrickson TylerHendrickson deleted the fix/allow-api-audit-report-permissions branch September 29, 2023 12:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@as1729 as1729 as1729 approved these changes

@tzinckgraf tzinckgraf Awaiting requested review from tzinckgraf

Assignees

@TylerHendrickson TylerHendrickson

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@TylerHendrickson @as1729