From 53e27c65ac7c42851077d7ea4d3492057dd23c05 Mon Sep 17 00:00:00 2001 From: Leandro Damascena Date: Mon, 13 Jan 2025 17:01:56 +0000 Subject: [PATCH 1/2] Improving security --- .github/workflows/layer_govcloud_python313.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/layer_govcloud_python313.yml b/.github/workflows/layer_govcloud_python313.yml index 5854f8c9860..40a25eac2e9 100644 --- a/.github/workflows/layer_govcloud_python313.yml +++ b/.github/workflows/layer_govcloud_python313.yml @@ -1,3 +1,5 @@ +name: Layer Deployment (GovCloud) - Temporary for Python 3.13 + # GovCloud Layer Publish # --- # This workflow publishes a specific layer version in an AWS account based on the environment input. @@ -32,9 +34,11 @@ on: type: string required: true -name: Layer Deployment (GovCloud) - Temporary for Python 3.13 run-name: Layer Deployment (GovCloud) - ${{ inputs.environment }} +permissions: + contents: read + jobs: download: runs-on: ubuntu-latest From 1cf4aa39e54844d069810416c85f6efb1822062c Mon Sep 17 00:00:00 2001 From: Leandro Damascena Date: Mon, 13 Jan 2025 17:21:22 +0000 Subject: [PATCH 2/2] Improving security --- .github/workflows/dispatch_analytics.yml | 5 +++-- .../reusable_deploy_v2_layer_stack.yml | 5 +++-- .github/workflows/reusable_deploy_v2_sar.yml | 18 ++++++++++-------- .github/workflows/reusable_deploy_v3_sar.yml | 3 ++- 4 files changed, 18 insertions(+), 13 deletions(-) diff --git a/.github/workflows/dispatch_analytics.yml b/.github/workflows/dispatch_analytics.yml index 3f4d75a0249..ddc4294b262 100644 --- a/.github/workflows/dispatch_analytics.yml +++ b/.github/workflows/dispatch_analytics.yml @@ -43,10 +43,11 @@ jobs: statuses: read steps: - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0 + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: aws-region: eu-central-1 - role-to-assume: ${{ secrets.AWS_ANALYTICS_ROLE_ARN }} + role-to-assume: ${{ secrets.AWS_LAYERS_ROLE_ARN }} + mask-aws-account-id: true - name: Invoke Lambda function run: | diff --git a/.github/workflows/reusable_deploy_v2_layer_stack.yml b/.github/workflows/reusable_deploy_v2_layer_stack.yml index f74acecefeb..1ccea4ac980 100644 --- a/.github/workflows/reusable_deploy_v2_layer_stack.yml +++ b/.github/workflows/reusable_deploy_v2_layer_stack.yml @@ -152,11 +152,12 @@ jobs: - name: Install poetry run: pipx install git+https://github.com/python-poetry/poetry@68b88e5390720a3dd84f02940ec5200bfce39ac6 # v1.5.0 - - name: aws credentials - uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0 + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: aws-region: ${{ matrix.region }} role-to-assume: ${{ secrets.AWS_LAYERS_ROLE_ARN }} + mask-aws-account-id: true - name: Setup Node.js uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: diff --git a/.github/workflows/reusable_deploy_v2_sar.yml b/.github/workflows/reusable_deploy_v2_sar.yml index f40d87434a9..0f4a3f3e231 100644 --- a/.github/workflows/reusable_deploy_v2_sar.yml +++ b/.github/workflows/reusable_deploy_v2_sar.yml @@ -89,19 +89,19 @@ jobs: integrity_hash: ${{ inputs.source_code_integrity_hash }} artifact_name: ${{ inputs.source_code_artifact_name }} - - - name: AWS credentials - uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0 + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: aws-region: ${{ env.AWS_REGION }} role-to-assume: ${{ secrets.AWS_LAYERS_ROLE_ARN }} + mask-aws-account-id: true - # NOTE - # We connect to Layers account to log our intent to publish a SAR Layer - # we then jump to our specific SAR Account with the correctly scoped IAM Role - # this allows us to have a single trail when a release occurs for a given layer (beta+prod+SAR beta+SAR prod) + # NOTE + # We connect to Layers account to log our intent to publish a SAR Layer + # we then jump to our specific SAR Account with the correctly scoped IAM Role + # this allows us to have a single trail when a release occurs for a given layer (beta+prod+SAR beta+SAR prod) - name: AWS credentials SAR role - uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0 + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 id: aws-credentials-sar-role with: aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }} @@ -110,6 +110,8 @@ jobs: role-duration-seconds: 1200 aws-region: ${{ env.AWS_REGION }} role-to-assume: ${{ secrets.AWS_SAR_V2_ROLE_ARN }} + mask-aws-account-id: true + - name: Setup Node.js uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: diff --git a/.github/workflows/reusable_deploy_v3_sar.yml b/.github/workflows/reusable_deploy_v3_sar.yml index b39096e46ca..8c319d0b695 100644 --- a/.github/workflows/reusable_deploy_v3_sar.yml +++ b/.github/workflows/reusable_deploy_v3_sar.yml @@ -98,7 +98,7 @@ jobs: # we then jump to our specific SAR Account with the correctly scoped IAM Role # this allows us to have a single trail when a release occurs for a given layer (beta+prod+SAR beta+SAR prod) - name: AWS credentials SAR role - uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0 + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 id: aws-credentials-sar-role with: aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }} @@ -107,6 +107,7 @@ jobs: role-duration-seconds: 1200 aws-region: ${{ env.AWS_REGION }} role-to-assume: ${{ secrets.AWS_SAR_V2_ROLE_ARN }} + mask-aws-account-id: true - name: Setup Node.js uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: