🚀 Enhancements
feat: custom policy + hardened trust relationship @bt-macole (#132)
what
Updated trust policy so only the codebuild project in this module can use the iam role.
Added ability to toggle on/off default permissions
Added support for attaching a custom policy
Fully backward compatible
why
adding a condition on the trust policy for the codebuild project arn ensures
the iam role can not be used by any other codebuild project.
codebuild projects could be extremely permissive, even when least privileged,
so enforcing that the role can only be used by the intended codebuild project
limits the ability of a threat actor to quietly take control of a powerful
role and do threat actory things.
the default permissions are good for getting up and running, however, they are far more
permissive than any least privileged policy would like, being `*` for all resources for
anything in the default list + any and all additional_permissions.
this allows users to still utilize the quick up and running policy, while also being able
to disable it and replace it with a least privileged custom policy.
the lifecycle rule ensures that users don't get confused by the additional permissions and custom
policy variables, failing on a plan if they attempt to use additional_permissions with
default_permissions_enabled set to `false`.
Test Output:
--- PASS: TestExamplesCustom (62.77s)
--- PASS: TestExamplesComplete (62.87s)
--- PASS: TestExamplesVPC (78.32s)
PASS
ok github.com/cloudposse/terraform-aws-codebuild 78.790s
references
resolves: #131
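The hardened trust relationship and the plan-time guard described in the PR above, as an added illustration rather than the module's own code. It assumes variable names (`name`, `default_permissions_enabled`, `additional_permissions`, `custom_policy`), a minimal default action list, and a throwaway CodeBuild project; only `default_permissions_enabled` and `additional_permissions` are named in the PR, everything else is a placeholder chosen for the example. The project ARN is assembled from the account, region and project name instead of being read from the project resource, because the project needs the role and the role's trust policy needs the project, which would otherwise be a dependency cycle.

```hcl
# Added example, not code from terraform-aws-codebuild. Variable and resource
# names are assumptions for illustration.

variable "name" {
  type = string
}

variable "default_permissions_enabled" {
  type    = bool
  default = true
}

variable "additional_permissions" {
  type    = list(string)
  default = []
}

variable "custom_policy" {
  type    = list(string) # IAM policy JSON documents supplied by the caller
  default = []
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  # Built from known parts to avoid referencing aws_codebuild_project.this.arn
  # from the trust policy (role -> project -> role cycle).
  project_arn = "arn:aws:codebuild:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:project/${var.name}"
}

data "aws_iam_policy_document" "assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["codebuild.amazonaws.com"]
    }
    # Confused-deputy guard: the CodeBuild service may only assume this role
    # on behalf of this account's project of this exact name.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
    condition {
      test     = "ArnEquals"
      variable = "aws:SourceArn"
      values   = [local.project_arn]
    }
  }
}

resource "aws_iam_role" "this" {
  name               = "${var.name}-codebuild"
  assume_role_policy = data.aws_iam_policy_document.assume.json

  lifecycle {
    # Fail `terraform plan` instead of silently dropping additional_permissions
    # when the default policy they would extend has been disabled.
    precondition {
      condition     = var.default_permissions_enabled || length(var.additional_permissions) == 0
      error_message = "additional_permissions requires default_permissions_enabled = true; use custom_policy instead."
    }
  }
}

# Quick-start policy: broad (`*` resources) by design, and only attached when enabled.
data "aws_iam_policy_document" "default" {
  count = var.default_permissions_enabled ? 1 : 0
  statement {
    actions   = concat(["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"], var.additional_permissions)
    resources = ["*"]
  }
}

resource "aws_iam_role_policy" "default" {
  count  = var.default_permissions_enabled ? 1 : 0
  name   = "${var.name}-default"
  role   = aws_iam_role.this.id
  policy = data.aws_iam_policy_document.default[0].json
}

# Least-privilege replacement: one inline policy per caller-supplied document.
resource "aws_iam_role_policy" "custom" {
  count  = length(var.custom_policy)
  name   = "${var.name}-custom-${count.index}"
  role   = aws_iam_role.this.id
  policy = var.custom_policy[count.index]
}

resource "aws_codebuild_project" "this" {
  name         = var.name
  service_role = aws_iam_role.this.arn
  artifacts {
    type = "NO_ARTIFACTS"
  }
  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/standard:7.0"
    type         = "LINUX_CONTAINER"
  }
  source {
    type      = "NO_SOURCE"
    buildspec = "version: 0.2\nphases:\n  build:\n    commands:\n      - echo ok\n"
  }
}
```

With the `aws:SourceArn` condition in place, a second CodeBuild project in the same account that sets `service_role` to this role's ARN fails at build start with an assume-role error, which is the behaviour the PR is after; `aws:SourceAccount` additionally closes the cross-account variant. The `precondition` requires Terraform 1.2 or later.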