
refactor: IAM Policy improvements on Prometheus Add-on for TFSec compliance rules compliance. #1364

Conversation

@rodrigobersa (Contributor) commented Jan 25, 2023

What does this PR do?

Adjustments in data.aws_iam_policy_document.ingest, and data.aws_iam_policy_document.query, on modules/kubernetes-addons/prometheus/data.tf to implement least privilege access policies for IAM Roles for Service Accounts (IRSA).


  • Yes, I have tested the PR using my local account setup (Provide any test evidence report under Additional Notes)
  • Yes, I have added a new example under examples to support my PR
  • Yes, I have created another PR for add-ons under add-ons repo (if applicable)
  • Yes, I have updated the docs for this feature
  • Yes, I ran pre-commit run -a with this PR

Note: Not all the PRs require a new example and/or doc page. In general:

  • Use an existing example when possible to demonstrate a new addons usage
  • A new docs page under docs/add-ons/* is required for new a new addon

For Moderators

  • E2E Test successfully complete before merge?

Additional Notes

Pre Commit & TFSec check

terraform-aws-eks-blueprints git:(2023-01-23-tfsec-kubernetes-addons-prometheus) pre-commit run --file modules/kubernetes-addons/prometheus/*
trim trailing whitespace.................................................Passed
fix end of files.........................................................Passed
check for merge conflicts................................................Passed
detect private key.......................................................Passed
detect aws credentials...................................................Passed
Terraform fmt............................................................Passed
Terraform docs...........................................................Passed
Terraform validate with tflint...........................................Passed
Terraform validate.......................................................Passed
Terraform validate with tfsec........................(no files to check)Skipped
terraform-aws-eks-blueprints git:(2023-01-23-tfsec-kubernetes-addons-prometheus) tfsec modules/kubernetes-addons/prometheus
  timings
  ──────────────────────────────────────────
  disk i/o             224.542µs
  parsing              6.126041ms
  adaptation           1.464333ms
  checks               3.542875ms
  total                11.357791ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    2
  blocks processed     35
  files read           9

  results
  ──────────────────────────────────────────
  passed               2
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

Prometheus validation

  • Integrated with modules/kubernetes-addons/grafana, and executed some tests via webUI.
    • Metrics were captured with success.
    • No errors shown on container logs.

[Screenshots from 2023-01-26 and 2023-01-19 omitted]
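The PR diff itself is not shown on this page. As an added illustration (not the PR's own code, and not necessarily the actions the module grants), the shape of least-privilege ingest and query policy documents for an IRSA role talking to Amazon Managed Service for Prometheus: the wildcard form that tfsec flags sits commented out beside the scoped form. The input variable amp_workspace_arn and the statement ids are assumptions made for this example.

```hcl
# Added example, not the blueprints module's data.tf.
# Assumption: the Prometheus add-on targets one Amazon Managed Service for
# Prometheus workspace whose ARN is supplied by the caller.
variable "amp_workspace_arn" {
  description = "ARN of the target AMP workspace (assumed input for this example)"
  type        = string
}

# Broad form that tfsec reports (wildcard actions on a wildcard resource).
# Left commented out for contrast only.
# data "aws_iam_policy_document" "ingest" {
#   statement {
#     effect    = "Allow"
#     actions   = ["aps:*"]
#     resources = ["*"]
#   }
# }

# Write path: only the remote-write action, only on the one workspace.
data "aws_iam_policy_document" "ingest" {
  statement {
    sid       = "PrometheusRemoteWrite"
    effect    = "Allow"
    actions   = ["aps:RemoteWrite"]
    resources = [var.amp_workspace_arn]
  }
}

# Read path: the query APIs a dashboard needs, again scoped to the workspace.
data "aws_iam_policy_document" "query" {
  statement {
    sid    = "PrometheusQuery"
    effect = "Allow"
    actions = [
      "aps:QueryMetrics",
      "aps:GetSeries",
      "aps:GetLabels",
      "aps:GetMetricMetadata",
    ]
    resources = [var.amp_workspace_arn]
  }
}
```

Each document is attached to its own IRSA role, so the ingesting Prometheus server never holds query permissions and the querying side never holds write permissions.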

@rodrigobersa rodrigobersa temporarily deployed to EKS Blueprints Test January 25, 2023 01:31 — with GitHub Actions Inactive
@rodrigobersa rodrigobersa marked this pull request as ready for review January 26, 2023 22:38
@rodrigobersa rodrigobersa requested a review from a team as a code owner January 26, 2023 22:38
@bryantbiggs bryantbiggs merged commit c838424 into aws-ia:main Jan 27, 2023
vara-bonthu pushed a commit that referenced this pull request Feb 2, 2023
…liance rules compliance. (#1364)

Co-authored-by: Rodrigo Bersa <bersr@amazon.com>
resolves undefined
gminiba pushed a commit to gminiba/terraform-aws-eks-blueprints that referenced this pull request Mar 17, 2023
…liance rules compliance. (aws-ia#1364)

Co-authored-by: Rodrigo Bersa <bersr@amazon.com>
resolves undefined
Successfully merging this pull request may close these issues.

Improve security contexts promoting TFSec integration and usage.