It would be nice to create a submodule with a boolean to create a least-privilege GitHub Actions OIDC IAM role.

Something like this. I'm unsure which permissions are needed just yet.
```hcl
module "github_role" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
  version = "~> 5.2.0"

  create_role      = true
  role_name        = "github-actions-securityhub-suppressor"
  role_description = "Used by Github Actions to suppress securityhub rules"
  provider_url     = "https://token.actions.githubusercontent.com"

  # The GitHub OIDC token's "sub" claim looks like
  #   repo:<org>/<repo>:ref:refs/heads/<branch>   (or ...:environment:<env>)
  # A plain repository URL would never match the trust policy condition, so the
  # subject must use the repo:<org>/<repo> form. The wildcard variant below admits
  # any workflow run from the repository; tighten it to a fully qualified subject
  # (oidc_fully_qualified_subjects = ["repo:<org>/<repo>:ref:refs/heads/main"])
  # once the workflow's branch or environment is known.
  oidc_subjects_with_wildcards = [
    "repo:<org>/<repo>:*",
  ]
  oidc_fully_qualified_audiences = [
    "sts.amazonaws.com",
  ]
}

data "aws_iam_policy_document" "dynamodb" {
  statement {
    sid    = "AllowDynamoDBReadAndWrite"
    effect = "Allow"

    # This may be more than required. The module does not state the permissions
    # required. This will give it read and write permissions. In order to run the
    # python script, it's possible only Scan, PutItem, and DeleteItem are needed.
    # This is a good start and can be reduced with the help of AccessAnalyzer.
    actions = [
      "dynamodb:BatchGetItem",
      "dynamodb:BatchWriteItem",
      "dynamodb:ConditionCheckItem",
      "dynamodb:DeleteItem",
      "dynamodb:DescribeTable",
      "dynamodb:GetItem",
      "dynamodb:List*",
      "dynamodb:PutItem",
      "dynamodb:Query",
      "dynamodb:Scan",
    ]

    # Scope the grant to the findings-manager table only.
    resources = [
      module.mcaf_securityhub_findings_manager.dynamodb_arn,
    ]
  }
}

resource "aws_iam_role_policy" "github_dynamodb" {
  name   = "dynamodb"
  role   = module.github_role.iam_role_name
  policy = data.aws_iam_policy_document.dynamodb.json
}
```