
Merge pull request #460 from mdr-engineering/feature/jc_MSOCI-2182_tfsec_Ignore_Comments_IAM_SAML_roles

Updated IAM with tfsec Ignore Comments
Jeremy Cooper 3 years ago
parent
commit
3c3f2cbf9b

+ 6 - 4
submodules/iam/bootstrap_mdradmin_policies/policy-mdradmin_tfstate_setup.tf

@@ -8,7 +8,7 @@ resource "aws_iam_policy" "mdradmin_tfstate_setup" {
 data "aws_iam_policy_document" "mdradmin_tfstate_setup" {
   statement {
     sid = "DynamoDBTablesAndLocking"
-    actions = [
+    actions = [ #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
       "dynamodb:*"
     ]
     resources = [
@@ -42,7 +42,7 @@ data "aws_iam_policy_document" "mdradmin_tfstate_setup" {
 
   statement {
     sid = "KMSKeyCreate"
-    actions = [
+    actions = [ #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
       "kms:CreateAlias",
       "kms:CreateKey",
       "kms:List*",
@@ -52,6 +52,7 @@ data "aws_iam_policy_document" "mdradmin_tfstate_setup" {
 
     # I wish I could scope this down to just specific keys
     # But I don't think it's possible
+    # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
     resources = [
       "*"
     ]
@@ -65,7 +66,7 @@ data "aws_iam_policy_document" "mdradmin_tfstate_setup" {
   }
   statement {
     sid = "S3ManageStateBucket"
-    actions = [
+    actions = [ #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
       "s3:CreateBucket",
       "s3:DeleteBucket",
       "s3:ListBucket",
@@ -83,13 +84,14 @@ data "aws_iam_policy_document" "mdradmin_tfstate_setup" {
       ]
     }
   }
-  statement {
+  statement { #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
     sid = "S3ObjectOperations"
     actions = [
       "s3:PutObject*",
       "s3:GetObject*",
       "s3:DeleteObject*"
     ]
+    #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
     resources = [
       "arn:${local.aws_partition}:s3:::${var.bucket_name}/*"
     ]
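Review bot: Every suppression in this section is open-ended although its justification promises a later lockdown; tfsec accepts an expiry on an ignore, so `#tfsec:ignore:aws-iam-no-policy-wildcards:exp:YYYY-MM-DD - baseline this setting first ...` (date is a placeholder to fill in) would make the scan fail again once the baselining window passes instead of leaving `dynamodb:*` and the KMS `"*"` resource silently accepted for good. The ignore on L54 is attached to `statement {`, which covers the whole block, so the second ignore on L61 in the same statement is redundant; put it on the `actions` line as the other statements do, or drop L61. L36 spells the marker `# tfsec:ignore` with a space while every other line uses `#tfsec:ignore`; keep one spelling so grep and the scanner treat them alike. The same open-ended pattern appears in every other file section of this commit.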

+ 3 - 2
submodules/iam/common_services_roles/role-mdr_developer.tf

@@ -26,11 +26,12 @@ data "aws_iam_policy_document" "mdr_developer" {
   statement {
     sid    = "S3Access"
     effect = "Allow"
-    actions = [
+    actions = [ #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
       "s3:*"
     ]
 
     # These resources might not exist yet
+    #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
     resources = [
       "arn:${local.aws_partition}:s3:::afsxdr-binaries",
       "arn:${local.aws_partition}:s3:::afsxdr-binaries/*",
@@ -45,7 +46,7 @@ data "aws_iam_policy_document" "mdr_developer" {
     actions = [
       "sts:AssumeRole"
     ]
-
+    #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
     resources = [
       "arn:${local.aws_partition}:iam::*:role/user/mdr_developer",
     ]
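Review bot: The ignore added on L88 suppresses a finding that is not a false positive: the account field of `arn:${local.aws_partition}:iam::*:role/user/mdr_developer` is `*`, so this statement lets the principal call `sts:AssumeRole` on a role of that name in any AWS account, leaving the target roles' trust policies as the only control. If the set of accounts is known, enumerate them (the PassRole ARNs in the sibling files already use `${local.aws_account}`) and keep the suppression only where a wildcard is genuinely required. The same account-wide `*` is suppressed in policy-mdr_engineer.tf, both policy-mdr_readonly_assumerole.tf files and both policy-mdr_terraformer.tf files. In the first hunk, `s3:*` on L75 also covers bucket-management actions such as DeleteBucket and PutBucketPolicy on the named buckets; if developers only need object access, narrow the action list before this ignore is carried forward.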

+ 2 - 2
submodules/iam/okta_saml_roles/policy-mdr_engineer.tf

@@ -40,7 +40,7 @@ data "aws_iam_policy_document" "mdr_engineer" {
     actions = [
       "iam:PassRole",
     ]
-
+    #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
     resources = [
       "arn:${local.aws_partition}:iam::${local.aws_account}:role/instance/*",
       "arn:${local.aws_partition}:iam::${local.aws_account}:role/lambda/*",
@@ -55,7 +55,7 @@ data "aws_iam_policy_document" "mdr_engineer" {
     actions = [
       "sts:AssumeRole"
     ]
-
+    #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
     resources = [
       "arn:${local.aws_partition}:iam::*:role/user/mdr_engineer",
       "arn:${local.aws_partition}:iam::*:role/mdr_engineer",

+ 2 - 2
submodules/iam/okta_saml_roles/policy-mdr_iam_admin.tf

@@ -3,7 +3,7 @@ data "aws_iam_policy_document" "iam_admin_kms" {
   statement {
     sid    = "AllowKMSthings"
     effect = "Allow"
-    actions = [
+    actions = [ #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
       "kms:Create*",
       "kms:Describe*",
       "kms:Enable*",
@@ -19,7 +19,7 @@ data "aws_iam_policy_document" "iam_admin_kms" {
       "kms:ScheduleKeyDeletion",
       "kms:CancelKeyDeletion"
     ]
-    resources = ["*"]
+    resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
   }
 
 }
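Review bot: This file and submodules/iam/standard_iam_policies/policy-mdr_iam_admin.tf appear to carry the same `iam_admin_kms` policy document, but the commit annotates them differently: here the second ignore is appended to `resources = ["*"]` on L132, there it sits on the line above (L210), so the two copies begin to drift with this very change. Pick one placement and, better, have one module reference the other rather than maintaining two documents. The `"*"` resource is unavoidable for `kms:Create*` (CreateKey has no key ARN yet), but actions such as `kms:ScheduleKeyDeletion` and `kms:Enable*` can move to a separate statement scoped to key ARNs, and the justification should say which part is permanent: `#tfsec:ignore:aws-iam-no-policy-wildcards - "*" required for CreateKey; move key-scoped actions to their own statement`. The hunks show only part of the actions list, so that split is an assumption to confirm against the full file.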

+ 2 - 2
submodules/iam/okta_saml_roles/policy-mdr_readonly_assumerole.tf

@@ -14,7 +14,7 @@ data "aws_iam_policy_document" "mdr_engineer_readonly_assumerole" {
     actions = [
       "iam:PassRole",
     ]
-
+    #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
     resources = [
       "arn:${local.aws_partition}:iam::${local.aws_account}:role/instance/*",
       "arn:${local.aws_partition}:iam::${local.aws_account}:role/lambda/*",
@@ -29,7 +29,7 @@ data "aws_iam_policy_document" "mdr_engineer_readonly_assumerole" {
     actions = [
       "sts:AssumeRole"
     ]
-
+    #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
     resources = [
       "arn:${local.aws_partition}:iam::*:role/user/mdr_engineer_readonly",
 

+ 2 - 2
submodules/iam/okta_saml_roles/policy-mdr_terraformer.tf

@@ -19,7 +19,7 @@ data "aws_iam_policy_document" "mdr_terraformer" {
     actions = [
       "iam:PassRole",
     ]
-
+    #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
     resources = [
       "arn:${local.aws_partition}:iam::${local.aws_account}:role/instance/*",
       "arn:${local.aws_partition}:iam::${local.aws_account}:role/lambda/*",
@@ -34,7 +34,7 @@ data "aws_iam_policy_document" "mdr_terraformer" {
     actions = [
       "sts:AssumeRole"
     ]
-
+    #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
     resources = [
       "arn:${local.aws_partition}:iam::*:role/user/mdr_terraformer",
 

+ 1 - 1
submodules/iam/standard_iam_policies/policy-mdr_feedmgmt.tf

@@ -9,7 +9,7 @@ data "aws_iam_policy_document" "mdr_feedmgmt_s3access" {
       "s3:GetObject",
       "s3:GetObjectVersion",
     ]
-
+    #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
     resources = [
       "arn:${local.aws_partition}:s3:::xdr-codebuild-artifacts/*",
     ]
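Review bot: The justification on L189 does not fit this statement: `s3:GetObject` and `s3:GetObjectVersion` are only grantable on object ARNs, so `/*` under one named bucket is already the tightest form and there is nothing to "lock down after baselining". A follow-up promise that can never be fulfilled makes the genuine baseline items harder to find, so state the real reason instead: `#tfsec:ignore:aws-iam-no-policy-wildcards - object-level ARN required for GetObject; scoped to one bucket`. The statement's opening line is outside the hunk.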

+ 2 - 1
submodules/iam/standard_iam_policies/policy-mdr_iam_admin.tf

@@ -3,7 +3,7 @@ data "aws_iam_policy_document" "iam_admin_kms" {
   statement {
     sid    = "AllowKMSthings"
     effect = "Allow"
-    actions = [
+    actions = [ #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
       "kms:Create*",
       "kms:Describe*",
       "kms:Enable*",
@@ -19,6 +19,7 @@ data "aws_iam_policy_document" "iam_admin_kms" {
       "kms:ScheduleKeyDeletion",
       "kms:CancelKeyDeletion"
     ]
+    #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
     resources = ["*"]
   }
 

+ 2 - 2
submodules/iam/standard_iam_policies/policy-mdr_readonly_assumerole.tf

@@ -14,7 +14,7 @@ data "aws_iam_policy_document" "mdr_engineer_readonly_assumerole" {
     actions = [
       "iam:PassRole",
     ]
-
+    #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
     resources = [
       "arn:${local.aws_partition}:iam::${local.aws_account}:role/instance/*",
       "arn:${local.aws_partition}:iam::${local.aws_account}:role/lambda/*",
@@ -29,7 +29,7 @@ data "aws_iam_policy_document" "mdr_engineer_readonly_assumerole" {
     actions = [
       "sts:AssumeRole"
     ]
-
+    #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
     resources = [
       "arn:${local.aws_partition}:iam::*:role/user/mdr_engineer_readonly",
       "arn:${local.aws_partition}:iam::*:role/user/mdr_developer_readonly",

+ 2 - 2
submodules/iam/standard_iam_policies/policy-mdr_terraformer.tf

@@ -19,7 +19,7 @@ data "aws_iam_policy_document" "mdr_terraformer" {
     actions = [
       "iam:PassRole",
     ]
-
+    #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
     resources = [
       "arn:${local.aws_partition}:iam::${local.aws_account}:role/instance/*",
       "arn:${local.aws_partition}:iam::${local.aws_account}:role/lambda/*",
@@ -54,7 +54,7 @@ data "aws_iam_policy_document" "mdr_terraformer" {
     actions = [
       "sts:AssumeRole"
     ]
-
+    #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
     resources = [
       "arn:${local.aws_partition}:iam::*:role/user/mdr_terraformer",
 

+ 1 - 1
thirdparty/terraform-aws-cloudtrail-logging/main.tf

@@ -83,7 +83,7 @@ data "aws_iam_policy_document" "cwl_policy" {
   statement {
     effect  = "Allow"
     actions = ["logs:PutLogEvents"]
-
+    #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
     resources = [
       "arn:${local.partition}:logs:${var.region}:${local.account_id}:log-group:${aws_cloudwatch_log_group.cwl_loggroup.name}:log-stream:*",
     ]