Skip to content

Commit 6d21955

Browse files
authored
Merge pull request #28 from ONS-Innovation/KEH-2171-Assume-Service-Role-SSO
KEH-2171: Assume Service Role via SSO
2 parents 0317d11 + 01c0b52 commit 6d21955

6 files changed

Lines changed: 60 additions & 90 deletions

File tree

Makefile

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -22,10 +22,15 @@ format: ## Format the code.
2222
poetry run black src
2323
poetry run ruff check src --fix
2424

25+
.PHONY: md-fix
26+
md-fix: ## Run markdown linting with Markdownlint and fix issues.
27+
sh ./shell_scripts/md_fix.sh
28+
2529
.PHONY: lint
26-
lint: ## Run all linters (black/ruff/pylint/mypy).
30+
lint: ## Run all linters (black/ruff/pylint/mypy/markdownlint).
2731
poetry run black --check src
2832
poetry run ruff check src
33+
make md-fix
2934
make mypy
3035

3136
.PHONY: test

README.md

Lines changed: 31 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -128,18 +128,26 @@ Before the doing the following, make sure your Daemon is running. If using Colim
128128
github-repository-archive-script latest b4a1e32ce51b 12 minutes ago 840MB
129129
```
130130

131-
3. Run the image.
131+
3. Sign in with AWS SSO:
132+
133+
```bash
134+
aws sso login
135+
```
136+
137+
**Note:** See the Developer Onboarding Guide on the "Using AWS SSO for Local Development" page on Confluence to set up service profile selection on your local machine. This is essential as the `~/.aws` directory is mounted to the container, so it can use the SSO session for AWS authentication.
138+
139+
4. Run the image.
132140

133141
```bash
134142
docker run --platform linux/amd64 -p 9000:8080 \
135-
-e AWS_ACCESS_KEY_ID=<access_key_id> \
136-
-e AWS_SECRET_ACCESS_KEY=<secret_access_key> \
137-
-e AWS_DEFAULT_REGION=<region> \
143+
-v ~/.aws:/root/.aws \
144+
-e AWS_PROFILE=github-repository-archive-script \
145+
-e AWS_DEFAULT_REGION=eu-west-2 \
138146
-e AWS_SECRET_NAME=<secret_name> \
139147
-e GITHUB_ORG=<org> \
140148
-e GITHUB_APP_CLIENT_ID=<client_id> \
141-
-e S3_BUCKET_NAME=<bucket_name>\
142-
-e AWS_LAMBDA_FUNCTION_TIMEOUT=300
149+
-e S3_BUCKET_NAME=<bucket_name> \
150+
-e AWS_LAMBDA_FUNCTION_TIMEOUT=300 \
143151
github-repository-archive-script
144152
```
145153

@@ -156,7 +164,7 @@ Before the doing the following, make sure your Daemon is running. If using Colim
156164

157165
Once the container is running, a local endpoint is created at `localhost:9000/2015-03-31/functions/function/invocations`.
158166

159-
4. Check the container is running (Optional).
167+
5. Check the container is running (Optional).
160168

161169
```bash
162170
docker ps
@@ -169,15 +177,15 @@ Before the doing the following, make sure your Daemon is running. If using Colim
169177
ca890d30e24d github-repository-archive-script "/lambda-entrypoint.…" 5 seconds ago Up 4 seconds 0.0.0.0:9000->8080/tcp, :::9000->8080/tcp recursing_bartik
170178
```
171179

172-
5. Post to the endpoint (`localhost:9000/2015-03-31/functions/function/invocations`).
180+
6. Post to the endpoint (`localhost:9000/2015-03-31/functions/function/invocations`).
173181

174182
```bash
175183
curl "http://localhost:9000/2015-03-31/functions/function/invocations" -d '{}'
176184
```
177185

178186
This will run the Lambda function and, once complete, will return a success message.
179187

180-
6. After testing stop the container.
188+
7. After testing stop the container.
181189

182190
```bash
183191
docker stop <container_id>
@@ -198,11 +206,21 @@ To run the Lambda function outside of a container, we need to execute the `handl
198206
199207
**Please Note:** If uncommenting the above in `main.py`, make sure you re-comment the code _before_ pushing back to GitHub.
200208
201-
2. Export the required environment variables:
209+
2. Sign in with AWS SSO, and export the correct profile for this service:
210+
211+
```bash
212+
aws sso login
213+
214+
export AWS_PROFILE=github-repository-archive-script
215+
```
216+
217+
This allows you to assume the AWS IAM role for the service, enabling the most secure development experience. This also means you will have limited permissions until you exit out of the profile.
218+
219+
**Note:** See the Developer Onboarding Guide on the "Using AWS SSO for Local Development" page on Confluence to set up service profile selection on your local machine.
220+
221+
3. Export the required environment variables:
202222
203223
```bash
204-
export AWS_ACCESS_KEY_ID=<access_key_id>
205-
export AWS_SECRET_ACCESS_KEY=<secret_access_key>
206224
export AWS_DEFAULT_REGION=eu-west-2
207225
export AWS_SECRET_NAME=<secret_name>
208226
export S3_BUCKET_NAME=<bucket_name>
@@ -212,7 +230,7 @@ To run the Lambda function outside of a container, we need to execute the `handl
212230
213231
An explanation of each variable is available within the [containerised instructions](#containerised-recommended).
214232
215-
3. Run the script.
233+
4. Run the script.
216234
217235
```bash
218236
python3 src/main.py

poetry.lock

Lines changed: 6 additions & 6 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

shell_scripts/md_fix.sh

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,3 @@
1+
#!/bin/bash
2+
3+
docker run -v "$PWD:/workdir" ghcr.io/igorshubovych/markdownlint-cli:latest "**/*.md" --fix

terraform/service/main.tf

Lines changed: 14 additions & 56 deletions
Original file line numberDiff line numberDiff line change
@@ -73,6 +73,20 @@ resource "aws_iam_role" "lambda_function_role" {
7373
Principal = {
7474
Service = "lambda.amazonaws.com"
7575
}
76+
},
77+
{
78+
Action = "sts:AssumeRole"
79+
Effect = "Allow"
80+
Principal = {
81+
AWS = "arn:aws:iam::${var.aws_account_id}:root"
82+
}
83+
Condition = {
84+
ArnLike = {
85+
"aws:PrincipalArn" = [
86+
"arn:aws:iam::${var.aws_account_id}:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_Standard_Administrator_Access_*"
87+
]
88+
}
89+
}
7690
}
7791
]
7892
})
@@ -138,59 +152,3 @@ resource "aws_cloudwatch_log_group" "loggroup" {
138152
name = "/aws/lambda/${aws_lambda_function.lambda_function.function_name}"
139153
retention_in_days = var.log_retention_days
140154
}
141-
142-
# IAM User Group
143-
resource "aws_iam_group" "group" {
144-
name = "${var.env_name}-${var.lambda_name}-user-group"
145-
path = "/"
146-
}
147-
148-
resource "aws_iam_group_policy_attachment" "group_vpc_permissions_attachment" {
149-
group = aws_iam_group.group.name
150-
policy_arn = aws_iam_policy.vpc_permissions.arn
151-
}
152-
153-
resource "aws_iam_group_policy_attachment" "group_lambda_logging_attachment" {
154-
group = aws_iam_group.group.name
155-
policy_arn = aws_iam_policy.lambda_logging.arn
156-
}
157-
158-
resource "aws_iam_group_policy_attachment" "group_lambda_s3_policy_attachment" {
159-
group = aws_iam_group.group.name
160-
policy_arn = aws_iam_policy.lambda_s3_policy.arn
161-
}
162-
163-
resource "aws_iam_group_policy_attachment" "group_lambda_secret_manager_policy_attachment" {
164-
group = aws_iam_group.group.name
165-
policy_arn = aws_iam_policy.lambda_secret_manager_policy.arn
166-
}
167-
168-
resource "aws_iam_group_policy_attachment" "group_lambda_eventbridge_policy_attachment" {
169-
group = aws_iam_group.group.name
170-
policy_arn = aws_iam_policy.lambda_eventbridge_policy.arn
171-
}
172-
173-
# IAM User
174-
resource "aws_iam_user" "user" {
175-
name = "${var.env_name}-${var.lambda_name}"
176-
path = "/"
177-
}
178-
179-
# Assign IAM User to group
180-
resource "aws_iam_user_group_membership" "user_group_attach" {
181-
user = aws_iam_user.user.name
182-
183-
groups = [
184-
aws_iam_group.group.name
185-
]
186-
}
187-
188-
# IAM Key Rotation Module
189-
module "iam_key_rotation" {
190-
source = "git::https://github.com/ONS-Innovation/keh-aws-iam-key-rotation.git?ref=v0.1.1"
191-
192-
iam_username = aws_iam_user.user.name
193-
access_key_secret_arn = aws_secretsmanager_secret.access_key.arn
194-
secret_key_secret_arn = aws_secretsmanager_secret.secret_key.arn
195-
rotation_in_days = 45
196-
}

terraform/service/secrets.tf

Lines changed: 0 additions & 14 deletions
This file was deleted.

0 commit comments

Comments
 (0)