Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create Matomo scan user using infra_ops lambda #789

Merged
merged 7 commits into from
Feb 7, 2025
Merged

Create Matomo scan user using infra_ops lambda #789

merged 7 commits into from
Feb 7, 2025

Conversation

aloftus23
Copy link
Contributor

🗣 Description

Create infraOps lambda to take care of all infrastructure tasks that cannot be completed in Terraform or serverless framework.

Add "Create Matomo scan user" to infraOps lambda so the vulnerability scanners can access our matomo schema.

The user will only be created if it doesn't already exist and the name/password are protected in the AWS Systems Manager parameter store.

The user is limited to these permissions:

Database Access:

  • The user can connect to the database.

Schema Access:

  • The user can access the public schema but cannot modify it.

Table Access:

  • The user can query (read) all existing tables in the public schema.
  • The user will also automatically have read access to any new tables created in the public schema in the future.

💭 Motivation and context

Allow scanners to access the database schema.

🧪 Testing

Created the user locally.
Passes pre-commit and github checks.

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • Changes are limited to a single goal - eschew scope creep!
  • All future TODOs are captured in issues, which are referenced
    in code comments.
  • All relevant type-of-change labels have been added.
  • I have read the CONTRIBUTING document.
  • These code changes follow cisagov code standards.
  • All relevant repo and/or project documentation has been updated
    to reflect the changes in this PR.
  • Tests have been added and/or modified to cover the changes in this PR.
  • All new and existing tests pass.

✅ Pre-merge checklist

  • Revert dependencies to default branches.
  • Finalize version.

✅ Post-merge checklist

  • Create a release.

@aloftus23 aloftus23 self-assigned this Feb 6, 2025
@aloftus23 aloftus23 marked this pull request as ready for review February 7, 2025 17:05
cduhn17
cduhn17 approved these changes Feb 7, 2025
View reviewed changes
Copy link
Collaborator

@cduhn17 cduhn17 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM - review done during PR review meeting

rapidray12
rapidray12 approved these changes Feb 7, 2025
View reviewed changes
Copy link
Collaborator

@rapidray12 rapidray12 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

@rapidray12 rapidray12 merged commit cae9ef8 into develop Feb 7, 2025
15 checks passed
@rapidray12 rapidray12 deleted the AL-add-matomo-scan-user branch February 7, 2025 20:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cduhn17 cduhn17 cduhn17 approved these changes

@rapidray12 rapidray12 rapidray12 approved these changes

@Matthew-Grayson Matthew-Grayson Awaiting requested review from Matthew-Grayson Matthew-Grayson is a code owner

@nickviola nickviola Awaiting requested review from nickviola nickviola is a code owner

@schmelz21 schmelz21 Awaiting requested review from schmelz21 schmelz21 is a code owner

Assignees

@aloftus23 aloftus23

Labels
backend
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@aloftus23 @cduhn17 @rapidray12