Automate IAM User Role Policies

.github/workflows/run-ci-cd.yaml

@@ -476,6 +476,11 @@ jobs:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-region: ${{ vars.AWS_REGION }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-duration-seconds: 3600
+          role-external-id: ${{ secrets.AWS_ROLE_EXTERNAL_ID }}
+          role-session-name: GitHubActions-BuildStagingImages
+          role-skip-session-tagging: true
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/nest-staging-terraform
 
       - name: Login to Amazon ECR
         uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076
@@ -618,6 +623,87 @@ jobs:
             frontend-sbom-${{ env.RELEASE_VERSION }}.cdx.json
     timeout-minutes: 5
 
+  bootstrap-staging-nest:
+    name: Bootstrap Nest Staging
+    env:
+      TF_INPUT: false
+      TF_IN_AUTOMATION: true
+    environment: staging
+    if: |
+      github.repository == 'OWASP/Nest' &&
+      github.ref == 'refs/heads/main'
+    needs:
+      - scan-staging-images
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708
+        with:
+          aws-access-key-id: ${{ secrets.BOOTSTRAP_AWS_ACCESS_KEY_ID }}
+          aws-region: ${{ vars.AWS_REGION }}
+          aws-secret-access-key: ${{ secrets.BOOTSTRAP_AWS_SECRET_ACCESS_KEY }}
+
+      - name: Install Terraform
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd
+        with:
+          terraform_version: 1.14.0
+
+      - name: Prepare terraform backend
+        env:
+          AWS_REGION: ${{ vars.AWS_REGION }}
+          TF_STATE_BUCKET_NAME: ${{ secrets.BOOTSTRAP_TF_STATE_BUCKET_NAME }}
+          TF_STATE_DYNAMODB_TABLE_NAME: ${{ secrets.BOOTSTRAP_TF_STATE_DYNAMODB_TABLE_NAME }}
+        run: |
+          umask 377
+          cat > infrastructure/bootstrap/terraform.tfbackend <<-EOF
+          bucket="$TF_STATE_BUCKET_NAME"
+          dynamodb_table="$TF_STATE_DYNAMODB_TABLE_NAME"
+          region="$AWS_REGION"
+          EOF
+
+      - name: Prepare terraform variables
+        env:
+          AWS_REGION: ${{ vars.AWS_REGION }}
+          PROJECT_NAME: 'nest'
+          AWS_ROLE_EXTERNAL_ID: ${{ secrets.AWS_ROLE_EXTERNAL_ID }}
+        run: |
+          umask 377
+          cat > infrastructure/bootstrap/terraform.tfvars <<-EOF
+          aws_region="$AWS_REGION"
+          project_name="$PROJECT_NAME"
+          aws_role_external_id="$AWS_ROLE_EXTERNAL_ID"
+          EOF
+
+      - name: Terraform Init
+        working-directory: infrastructure/bootstrap
+        run: terraform init -backend-config=terraform.tfbackend
+
+      - name: Terraform Validate
+        working-directory: infrastructure/bootstrap
+        run: terraform validate
+
+      - name: Terraform Plan
+        working-directory: infrastructure/bootstrap
+        run: terraform plan -out=tfplan
+
+      - name: Show plan in summary
+        working-directory: infrastructure/bootstrap
+        run: |
+          echo "## Bootstrap Terraform Plan Output" >> $GITHUB_STEP_SUMMARY
+          echo '```' >> $GITHUB_STEP_SUMMARY
+          terraform show -no-color tfplan >> $GITHUB_STEP_SUMMARY
+          echo '```' >> $GITHUB_STEP_SUMMARY
+
+      - name: Terraform Apply
+        working-directory: infrastructure/bootstrap
+        run: terraform apply -auto-approve tfplan
+    timeout-minutes: 10
+
   plan-staging-nest:
     name: Plan Nest Staging
     env:
@@ -628,6 +714,7 @@ jobs:
       github.repository == 'OWASP/Nest' &&
       github.ref == 'refs/heads/main'
     needs:
+      - bootstrap-staging-nest
       - scan-staging-images
       - set-release-version
     permissions:
@@ -643,6 +730,11 @@ jobs:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-region: ${{ vars.AWS_REGION }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-duration-seconds: 3600
+          role-external-id: ${{ secrets.AWS_ROLE_EXTERNAL_ID }}
+          role-session-name: GitHubActions-StagingPlan
+          role-skip-session-tagging: true
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/nest-staging-terraform
 
       - name: Install Terraform
         uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd
@@ -671,7 +763,7 @@ jobs:
           ECS_USE_FARGATE_SPOT: true
           ENVIRONMENT: 'staging'
           FRONTEND_USE_FARGATE_SPOT: true
-          LAMBDA_FUNCTION_NAME: ${{ secrets.ZAPPA_LAMBDA_FUNCTION_NAME }}
+          LAMBDA_FUNCTION_NAME: 'nest-staging'
           PROJECT_NAME: 'nest'
         run: |
           umask 377
@@ -740,6 +832,11 @@ jobs:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-region: ${{ vars.AWS_REGION }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-duration-seconds: 3600
+          role-external-id: ${{ secrets.AWS_ROLE_EXTERNAL_ID }}
+          role-session-name: GitHubActions-StagingDeploy
+          role-skip-session-tagging: true
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/nest-staging-terraform
 
       - name: Install Terraform
         uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd
@@ -800,7 +897,7 @@ jobs:
 
       - name: Install backend dependencies
         working-directory: backend
-        run: poetry sync --no-root --without dev --without test --without video
+        run: poetry sync --no-root --without test --without video
 
       - name: Prepare Zappa settings
         env:

.gitignore

@@ -38,10 +38,10 @@ backend/fuzzing_results/
 !*.tfvars.example
 **/.terraform/
 backend-sbom-local.cdx.json
-backend/*nest-backend-dev*.tar.gz
-backend/*nest-backend-dev*.zip
-backend/*nest-backend-staging*.tar.gz
-backend/*nest-backend-staging*.zip
+backend/*nest-dev*.tar.gz
+backend/*nest-dev*.zip
+backend/*nest-staging*.tar.gz
+backend/*nest-staging*.zip
 backend/data/backup*
 backend/generated_videos/
 backend/staticfiles

backend/zappa_settings.template.json

@@ -25,7 +25,7 @@
     ],
     "manage_roles": true,
     "memory_size": 3008,
-    "project_name": "nest-backend",
+    "project_name": "nest",
     "regex_excludes": [
       "/boto3/",
       "/boto3-",

cspell/custom-dict.txt

@@ -169,6 +169,7 @@ pyyaml
 quasis
 rediss
 relativedelta
+replicationgroup
 repositorycontributor
 requirepass
 rqworker
@@ -184,6 +185,7 @@ skillstruck
 slackbot
 slideshare
 speakerdeck
+subgrp
 superfences
 tfbackend
 tgz

infrastructure/README.md

@@ -9,13 +9,15 @@ Ensure you have the following setup/installed:
 - Setup Project: [CONTRIBUTING.md](https://github.com/OWASP/Nest/blob/main/CONTRIBUTING.md)
 - Terraform: [Terraform Documentation](https://developer.hashicorp.com/terraform/docs)
 - AWS CLI: [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)
-- An AWS account with credentials configured locally.
+- An AWS account.
+Note: Refer to the respective `README.md` files for more information.
 
 ## Setting up the infrastructure
 
 Follow these steps to set up the infrastructure:
 
 1. **Setup Backend (one-time setup)**:
+  - Prerequisite: Create a `nest-backend` IAM user with the policies defined in `infrastructure/backend/README.md`.
 
   - Navigate to the backend directory:
 
@@ -44,7 +46,56 @@ Follow these steps to set up the infrastructure:
   > [!NOTE]
   > It is recommended to not destroy the backend resources unless absolutely necessary.
 
-2. **Setup Main Infrastructure (staging)**:
+2. **Bootstrap IAM Role**:
+  - Prerequisite: Create a `nest-bootstrap` IAM user with the policies defined in `infrastructure/bootstrap/README.md`.
+
+  - Navigate to the bootstrap directory:
+
+    ```bash
+    cd infrastructure/bootstrap/
+    ```
+
+  - Create a local terraform variables file:
+
+    ```bash
+    touch terraform.tfvars
+    ```
+
+  - Copy the contents from the example file:
+
+    ```bash
+    cat terraform.tfvars.example > terraform.tfvars
+    ```
+
+  - Create a local backend configuration file:
+
+    ```bash
+    touch terraform.tfbackend
+    ```
+
+  - Copy the contents from the example file:
+
+    ```bash
+    cat terraform.tfbackend.example > terraform.tfbackend
+    ```
+
+  > [!NOTE]
+  > Update the state bucket name in `terraform.tfbackend` with the name of the state bucket (bootstrap) created in the previous step.
+
+  - Initialize Terraform if needed:
+
+    ```bash
+    terraform init -backend-config=terraform.tfbackend
+    ```
+
+  - Apply the changes to create the bootstrap resources:
+
+    ```bash
+    terraform apply
+    ```
+
+3. **Setup Main Infrastructure (staging)**:
+  - Prerequisite: Create a `nest-staging` IAM user with the policies defined in `infrastructure/staging/README.md`
 
   - Navigate to the main infrastructure directory. If you are in `infrastructure/backend`, you can use:
 
@@ -94,7 +145,7 @@ Follow these steps to set up the infrastructure:
     terraform apply
     ```
 
-3. **Populate Secrets**
+4. **Populate Secrets**
 
   - Visit the AWS Console > Systems Manager > Parameter Store.
   - Populate all `DJANGO_*` secrets that have `to-be-set-in-aws-console` value.
@@ -156,7 +207,7 @@ The Django backend deployment is managed by Zappa. This includes the IAM roles,
   - Update `terraform.tfvars` with the Lambda details:
 
     ```hcl
-    lambda_function_name = "nest-backend-staging"
+    lambda_function_name = "nest-staging"
     ```
 
   - Apply the changes to create ALB routing:
@@ -299,8 +350,8 @@ Migrate and load data into the new database.
 
     ```bash
     aws ecs update-service \
-        --cluster owasp-nest-staging-frontend-cluster \
-        --service owasp-nest-staging-frontend-service \
+        --cluster nest-staging-frontend-cluster \
+        --service nest-staging-frontend-service \
         --force-new-deployment \
         --region us-east-2
     ```

infrastructure/backend/README.md

@@ -0,0 +1,99 @@
+## Inline Permissions
+Use the following inline permissions for the `nest-backend` IAM User
+*Note*: replace ${AWS_ACCOUNT_ID} and ${AWS_BACKEND_KMS_KEY_ARN} with appropriate values.
+*Note*: use "*" instead of `AWS_BACKEND_KMS_KEY_ARN` on first `terraform apply`.
+
+```json
+{
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Sid": "S3Management",
+			"Effect": "Allow",
+			"Action": [
+				"s3:CreateBucket",
+				"s3:DeleteBucket",
+				"s3:DeleteBucketPolicy",
+				"s3:GetAccelerateConfiguration",
+				"s3:GetBucketAcl",
+				"s3:GetBucketCors",
+				"s3:GetBucketLogging",
+				"s3:GetBucketObjectLockConfiguration",
+				"s3:GetBucketPolicy",
+				"s3:GetBucketPublicAccessBlock",
+				"s3:GetBucketRequestPayment",
+				"s3:GetBucketTagging",
+				"s3:GetBucketVersioning",
+				"s3:GetBucketWebsite",
+				"s3:GetEncryptionConfiguration",
+				"s3:GetLifecycleConfiguration",
+				"s3:GetObject",
+				"s3:GetReplicationConfiguration",
+				"s3:ListBucket",
+				"s3:PutBucketLogging",
+				"s3:PutBucketObjectLockConfiguration",
+				"s3:PutBucketPolicy",
+				"s3:PutBucketPublicAccessBlock",
+				"s3:PutBucketTagging",
+				"s3:PutBucketVersioning",
+				"s3:PutEncryptionConfiguration",
+				"s3:PutLifecycleConfiguration",
+				"s3:PutObject"
+			],
+			"Resource": [
+				"arn:aws:s3:::nest-*-terraform-state*",
+				"arn:aws:s3:::nest-*-terraform-state*/*"
+			]
+		},
+		{
+			"Sid": "DynamoDBManagement",
+			"Effect": "Allow",
+			"Action": [
+				"dynamodb:CreateTable",
+				"dynamodb:DeleteTable",
+				"dynamodb:DescribeContinuousBackups",
+				"dynamodb:DescribeTable",
+				"dynamodb:DescribeTimeToLive",
+				"dynamodb:ListTagsOfResource",
+				"dynamodb:TagResource",
+				"dynamodb:UntagResource",
+				"dynamodb:UpdateContinuousBackups",
+				"dynamodb:UpdateTable"
+			],
+			"Resource": "arn:aws:dynamodb:*:${AWS_ACCOUNT_ID}:table/nest-*-terraform-state-lock"
+		},
+		{
+			"Sid": "KMSCreateManagement",
+			"Effect": "Allow",
+			"Action": [
+				"kms:CreateKey",
+				"kms:ListAliases",
+				"kms:ListKeys"
+			],
+			"Resource": "*"
+		},
+		{
+			"Sid": "KMSManagement",
+			"Effect": "Allow",
+			"Action": [
+				"kms:CreateAlias",
+				"kms:CreateGrant",
+				"kms:DeleteAlias",
+				"kms:DescribeKey",
+				"kms:DisableKeyRotation",
+				"kms:EnableKeyRotation",
+				"kms:GetKeyPolicy",
+				"kms:GetKeyRotationStatus",
+				"kms:ListResourceTags",
+				"kms:PutKeyPolicy",
+				"kms:ScheduleKeyDeletion",
+				"kms:TagResource",
+				"kms:UntagResource",
+				"kms:UpdateAlias",
+				"kms:UpdateKeyDescription"
+			],
+			"Resource": "${AWS_BACKEND_KMS_KEY_ARN}"
+		}
+	]
+}
+```