Skip to content

Commit

Permalink
Tweak the lint workflow
Browse files Browse the repository at this point in the history
  • Loading branch information
@mponaws
mponaws committed Apr 14, 2024
1 parent 4e9dd5b commit fb7c4cf
Show file tree
Hide file tree
Showing 2 changed files with 28 additions and 28 deletions.
28 changes: 14 additions & 14 deletions code-scanning/policy-validator-cfn.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
# 2. Copy this workflow and add it under .github/workflows folder of your GitHub repository with name `policy-validator-iam-policies-cfn.yaml`
# 3. If you're using CheckNoNewAccess check, you need to create a reference policy. Use the guide [here](https://github.com/aws-samples/iam-access-analyzer-custom-policy-check-samples?tab=readme-ov-file#how-do-i-write-my-own-reference-policies)and store them in S3 bucket / GitHub secrets to compare them against the policies in the CFN templates. In below workflow, we are storing the reference policy in the GitHub secrets with name `REFERENCE_IDENTITY_POLICY`
# 4. If you're using the CheckAccessNotGranted check, identify the critical actions that shouldn't be granted access by the policies in the CFN templates. Store these actions in S3 bucket / GitHub secrets to compare them against the policies in the CFN templates. In the below workflow, we are storing the S3 bucket object containing the critical action in the GitHub secret with name `CRITICAL_ACTIONS`
# 5. Create a new workflow under ./github/workflows and refer this workflow. Configure the workflow with events to run and path to the CFN templates to be validated. Reference sample code:
# 5. Create a new workflow under ./github/workflows and refer this workflow. Configure the workflow with events to run and path to the CFN templates to be validated. Reference sample code:
# ```
# name: Policy Validator for AWS IAM policies in CloudFormation templates
# on:
Expand All @@ -22,9 +22,9 @@
# region: us-west-2
# ```
# 4. Start using the GitHub actions by generating the GitHub events matching the defined criteria in your workflow.
name: Re-usable workflow for Policy Validator for AWS IAM policies in CloudFormation templates
name: Re-usable workflow for Policy Validator for AWS IAM policies in CloudFormation templates
on:
workflow_call:
workflow_call:
inputs:
template-path:
required: true
Expand All @@ -36,10 +36,10 @@ on:
result:
value: string
push:
branches: [ $default-branch, $protected-branches ]
branches: [$default-branch, $protected-branches]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
branches: [$default-branch]
schedule:
- cron: $cron-weekly
jobs:
Expand All @@ -48,12 +48,12 @@ jobs:
# https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#updating-your-github-actions-workflow
# https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
name: Policy Validator checks for AWS IAM policies
steps:
# checkout the repo for workflow to access the contents
- name: Checkout
- name: Checkout
uses: actions/checkout@v4
# Configure AWS Credentials. More configuration details here - https://github.com/aws-actions/configure-aws-credentials
- name: Configure AWS Credentials
Expand All @@ -66,13 +66,13 @@ jobs:
id: run-aws-validate-policy
uses: aws-actions/cloudformation-aws-iam-policy-validator@v1
with:
policy-check-type: 'VALIDATE_POLICY'
policy-check-type: "VALIDATE_POLICY"
template-path: ${{ inputs.template-path }}
region: ${{ inputs.region }}
# Print result from VALIDATE_POLICY check
- name: Print the result for ValidatePolicy
run: echo "${{ steps.run-aws-validate-policy.outputs.result }}"
# Fetch the critial actions stored in S3, S3 URI is stored in GitHub secrets
# Fetch the critical actions stored in S3, S3 URI is stored in GitHub secrets
- name: Fetch critical actions from s3
id: getCriticalActions
run: |
Expand All @@ -83,7 +83,7 @@ jobs:
id: run-aws-check-access-not-granted
uses: aws-actions/cloudformation-aws-iam-policy-validator@v1
with:
policy-check-type: 'CHECK_ACCESS_NOT_GRANTED'
policy-check-type: "CHECK_ACCESS_NOT_GRANTED"
template-path: ${{ inputs.template-path }}
actions: ${{ steps.getCriticalActions.outputs.actionsLst }}
region: ${{ inputs.region }}
Expand All @@ -96,11 +96,11 @@ jobs:
id: run-aws-check-no-new-access
uses: aws-actions/cloudformation-aws-iam-policy-validator@v1
with:
policy-check-type: 'CHECK_NO_NEW_ACCESS'
policy-check-type: "CHECK_NO_NEW_ACCESS"
template-path: ${{ inputs.template-path }}
reference-policy: ${{ secrets.REFERENCE_IDENTITY_POLICY }}
reference-policy-type: "IDENTITY"
region: ${{inputs.region }}
# Print result from CHECK_NO_NEW_ACCESS check
- name: Print the result
run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}"
- name: Print the result
run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}"
28 changes: 14 additions & 14 deletions code-scanning/policy-validator-tf.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
# 2. Copy this workflow and add it under .github/workflows folder of your GitHub repository with name `policy-validator-iam-policies-tf.yaml`
# 3. If you're using CheckNoNewAccess check, you need to create a reference policy. Use the guide [here](https://github.com/aws-samples/iam-access-analyzer-custom-policy-check-samples?tab=readme-ov-file#how-do-i-write-my-own-reference-policies)and store them in S3 bucket / GitHub secrets to compare them against the policies in the TF templates. In below workflow, we are storing the reference policy in the GitHub secrets with name `REFERENCE_IDENTITY_POLICY`
# 4. If you're using the CheckAccessNotGranted check, identify the critical actions that shouldn't be granted access by the policies in the TF templates. Store these actions in S3 bucket / GitHub secrets to compare them against the policies in the TF templates. In the below workflow, we are storing the S3 bucket object containing the critical action in the GitHub secret with name `CRITICAL_ACTIONS`
# 5. Create a new workflow under ./github/workflows and refer this workflow. Configure the workflow with events to run and the path to the terraform plan to be validated. Reference sample code:
# 5. Create a new workflow under ./github/workflows and refer this workflow. Configure the workflow with events to run and the path to the terraform plan to be validated. Reference sample code:
# ```
# name: Policy Validator for AWS IAM policies in Terraform templates
# on:
Expand All @@ -23,9 +23,9 @@
# ```
# 4. Start using the GitHub actions by generating the GitHub events matching the defined criteria in your workflow.

name: Re-usable workflow for Policy Validator for AWS IAM policies in Terraform templates
name: Re-usable workflow for Policy Validator for AWS IAM policies in Terraform templates
on:
workflow_call:
workflow_call:
inputs:
template-path:
required: true
Expand All @@ -37,10 +37,10 @@ on:
result:
value: string
push:
branches: [ $default-branch, $protected-branches ]
branches: [$default-branch, $protected-branches]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
branches: [$default-branch]
schedule:
- cron: $cron-weekly
jobs:
Expand All @@ -49,13 +49,13 @@ jobs:
#https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#updating-your-github-actions-workflow
#https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
# https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners
name: Policy Validator checks for AWS IAM policies
steps:
# checkout the repo for workflow to access the contents
- name: Checkout
- name: Checkout
uses: actions/checkout@v4
# Configure AWS Credentials. More configuration details here- https://github.com/aws-actions/configure-aws-credentials
- name: Configure AWS Credentials
Expand All @@ -64,11 +64,11 @@ jobs:
role-to-assume: ${{ secrets.POLICY_VALIDATOR_ROLE }}
aws-region: ${{ inputs.region }}
# Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
- name: Run AWS AccessAnalyzer ValidatePolicy check
- name: Run AWS AccessAnalyzer ValidatePolicy check
id: run-aws-validate-policy
uses: aws-actions/terraform-aws-iam-policy-validator@v1
with:
policy-check-type: 'VALIDATE_POLICY'
policy-check-type: "VALIDATE_POLICY"
template-path: ${{ inputs.template-path }}
region: ${{ inputs.region }}
# Print result from VALIDATE_POLICY check
Expand All @@ -85,7 +85,7 @@ jobs:
id: run-aws-check-access-not-granted
uses: aws-actions/terraform-aws-iam-policy-validator@v1
with:
policy-check-type: 'CHECK_ACCESS_NOT_GRANTED'
policy-check-type: "CHECK_ACCESS_NOT_GRANTED"
template-path: ${{ inputs.template-path }}
actions: ${{ steps.getCriticalActions.outputs.actionsLst }}
region: ${{ inputs.region }}
Expand All @@ -98,11 +98,11 @@ jobs:
id: run-aws-check-no-new-access
uses: aws-actions/terraform-aws-iam-policy-validator@v1
with:
policy-check-type: 'CHECK_NO_NEW_ACCESS'
policy-check-type: "CHECK_NO_NEW_ACCESS"
template-path: ${{ inputs.template-path }}
reference-policy: ${{ secrets.REFERENCE_IDENTITY_POLICY }}
reference-policy-type: "IDENTITY"
region: ${{ inputs.region }}
# Print result from CHECK_NO_NEW_ACCESS check
- name: Print the result
run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}"
- name: Print the result
run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}"

0 comments on commit fb7c4cf

Please sign in to comment.