|
| 1 | +# This workflow uses actions that are not certified by GitHub. |
| 2 | +# They are provided by a third-party and are governed by |
| 3 | +# separate terms of service, privacy policy, and support |
| 4 | +# documentation. |
| 5 | + |
| 6 | +# This workflow will validate the IAM policies in the terraform (TF) templates with using the standard and custom checks in AWS IAM Access Analyzer |
| 7 | +# To use this workflow, you will need to complete the following set up steps before start using it: |
| 8 | +# 1. Configure an AWS IAM role to use the Access Analyzer's ValidatePolicy, CheckNoNewAccess and CheckAccessNotGranted. This IAM role must be configured to call from the GitHub Actions, use the following [doc](https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/) for steps. |
| 9 | +# 2. If you're using CHECK_NO_NEW_ACCESS policy-check-type, you need to create a reference policy. Use the guide [here](https://github.com/aws-samples/iam-access-analyzer-custom-policy-check-samples?tab=readme-ov-file#how-do-i-write-my-own-reference-policies) and store it your GitHub repo. |
| 10 | +# 3. If you're using the CHECK_ACCESS_NOT_GRANTED policy-check-type, identify the list of critical actions that shouldn't be granted access by the policies in the TF templates. |
| 11 | +# 4. Start using the GitHub actions by generating the GitHub events matching the defined criteria in your workflow. |
| 12 | + |
| 13 | +name: Validate AWS IAM policies in Terraform templates using Policy Validator |
| 14 | +on: |
| 15 | + push: |
| 16 | + branches: ["Nodoubtz" ] |
| 17 | + pull_request: |
| 18 | + # The branches below must be a subset of the branches above |
| 19 | + branches: ["Nodoubtz"] |
| 20 | +env: |
| 21 | + AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions |
| 22 | + REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1 |
| 23 | + TEMPLATE_PATH: FILE_PATH_TO_THE_TF_PLAN # set this to the file path to the terraform plan in JSON |
| 24 | + ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. |
| 25 | + RESOURCES: MY_LIST_OF_RESOURCES # set to pass list of resource ARNs in the format resource1, resource2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. |
| 26 | + REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type. |
| 27 | + REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type. |
| 28 | + |
| 29 | +jobs: |
| 30 | + policy-validator: |
| 31 | + runs-on: ubuntu-latest # Virtual machine to run the workflow (configurable) |
| 32 | + #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#updating-your-github-actions-workflow |
| 33 | + #https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/ |
| 34 | + permissions: |
| 35 | + id-token: write # This is required for requesting the JWT |
| 36 | + contents: read # This is required for actions/checkout |
| 37 | + # https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners |
| 38 | + name: Policy Validator checks for AWS IAM policies |
| 39 | + steps: |
| 40 | + # checkout the repo for workflow to access the contents |
| 41 | + - name: Checkout |
| 42 | + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 |
| 43 | + # Configure AWS Credentials. More configuration details here- https://github.com/aws-actions/configure-aws-credentials |
| 44 | + - name: Configure AWS Credentials |
| 45 | + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 |
| 46 | + with: |
| 47 | + role-to-assume: ${{ env.AWS_ROLE }} |
| 48 | + aws-region: ${{ env.REGION }} |
| 49 | + # Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator |
| 50 | + - name: Run AWS AccessAnalyzer ValidatePolicy check |
| 51 | + id: run-aws-validate-policy |
| 52 | + uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2 |
| 53 | + with: |
| 54 | + policy-check-type: "VALIDATE_POLICY" |
| 55 | + template-path: ${{ env.TEMPLATE_PATH }} |
| 56 | + region: ${{ env.REGION }} |
| 57 | + # Print result from VALIDATE_POLICY check |
| 58 | + - name: Print the result for ValidatePolicy check |
| 59 | + if: success() || failure() |
| 60 | + run: echo "${{ steps.run-aws-validate-policy.outputs.result }}" |
| 61 | + # Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator |
| 62 | + - name: Run AWS AccessAnalyzer CheckAccessNotGranted check |
| 63 | + id: run-aws-check-access-not-granted |
| 64 | + uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2 |
| 65 | + with: |
| 66 | + policy-check-type: "CHECK_ACCESS_NOT_GRANTED" |
| 67 | + template-path: ${{ env.TEMPLATE_PATH }} |
| 68 | + actions: ${{ env.ACTIONS }} |
| 69 | + resources: ${{ env.RESOURCES }} |
| 70 | + region: ${{ env.REGION }} |
| 71 | + # Print result from CHECK_ACCESS_NOT_GRANTED check |
| 72 | + - name: Print the result for CheckAccessNotGranted check |
| 73 | + if: success() || failure() |
| 74 | + run: echo "${{ steps.run-aws-check-access-not-granted.outputs.result }}" |
| 75 | + # Run the CHECK_NO_NEW_ACCESS check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator |
| 76 | + # reference-policy is stored in GitHub secrets |
| 77 | + - name: Run AWS AccessAnalyzer CheckNoNewAccess check |
| 78 | + id: run-aws-check-no-new-access |
| 79 | + uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2 |
| 80 | + with: |
| 81 | + policy-check-type: "CHECK_NO_NEW_ACCESS" |
| 82 | + template-path: ${{ env.TEMPLATE_PATH }} |
| 83 | + reference-policy: ${{ env.REFERENCE_POLICY }} |
| 84 | + reference-policy-type: ${{ env.REFERENCE_POLICY_TYPE }} |
| 85 | + region: ${{ env.REGION }} |
| 86 | + # Print result from CHECK_NO_NEW_ACCESS check |
| 87 | + - name: Print the result CheckNoNewAccess check |
| 88 | + if: success() || failure() |
| 89 | + run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}" |
| 90 | + # Run the CHECK_NO_PUBLIC_ACCESS check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator |
| 91 | + - name: Run AWS AccessAnalyzer CheckNoPublicAccess check |
| 92 | + id: run-aws-check-no-public-access |
| 93 | + uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2 |
| 94 | + with: |
| 95 | + policy-check-type: "CHECK_NO_PUBLIC_ACCESS" |
| 96 | + template-path: ${{ env.TEMPLATE_PATH }} |
| 97 | + region: ${{ env.REGION }} |
| 98 | + # Print result from CHECK_NO_PUBLIC_ACCESS check |
| 99 | + - name: Print the result for CheckNoPublicAccess check |
| 100 | + if: success() || failure() |
| 101 | + run: echo "${{ steps.run-aws-check-no-public-access.outputs.result }}" |
0 commit comments