From bb01ea8250981dbee3f730393d33c26a7feb1189 Mon Sep 17 00:00:00 2001
From: Ryan Causey
Date: Tue, 7 May 2024 18:41:12 -0700
Subject: [PATCH 1/4] fix: use a valid policy for ssm access

This resolves an issue where the previous policy template did not specify a valid resource argument for the second policy statement. The modified template should now apply without error.
---
 main.tf | 2 +-
 policies/instance-secure-parameter-role-policy.json | 10 ++--------
 2 files changed, 3 insertions(+), 9 deletions(-)

diff --git a/main.tf b/main.tf
index 809b6d0bb..684910a29 100644
--- a/main.tf
+++ b/main.tf
@@ -598,7 +598,7 @@ resource "aws_iam_policy" "ssm" {
 name = "${local.name_iam_objects}-ssm"
 path = "/"
 description = "Policy for runner token param access via SSM"
- policy = templatefile("${path.module}/policies/instance-secure-parameter-role-policy.json", { partition = data.aws_partition.current.partition })
+ policy = file("${path.module}/policies/instance-secure-parameter-role-policy.json")
 tags = local.tags
 }
diff --git a/policies/instance-secure-parameter-role-policy.json b/policies/instance-secure-parameter-role-policy.json
index f7dd120ae..909a54ab6 100644
--- a/policies/instance-secure-parameter-role-policy.json
+++ b/policies/instance-secure-parameter-role-policy.json
@@ -4,17 +4,11 @@
 {
 "Effect": "Allow",
 "Action": [
- "ssm:PutParameter"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
+ "ssm:PutParameter",
 "ssm:GetParameter",
 "ssm:GetParameters"
 ],
- "Resource": "arn:${partition}:ssm:*"
+ "Resource": "*"
 }
 ]
 }
From 72c41f57e5f1de84cbfd93385f5132466ad5b10d Mon Sep 17 00:00:00 2001
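Review bot: `"Resource": "*"` on the merged statement grants the runner instance role `ssm:PutParameter`, `ssm:GetParameter` and `ssm:GetParameters` on every parameter in the account, so a compromised runner host could read any secret kept in Parameter Store and overwrite parameters that other workloads depend on. The commit message presents this as fixing the malformed `arn:${partition}:ssm:*`, but the fix widens the grant instead of correcting the ARN, and since a JSON policy has no comment syntax that caveat belongs in the commit description. A least-privilege form keeps two statements and scopes each to concrete parameter ARNs, e.g. `"Resource": "arn:${partition}:ssm:${region}:${account_id}:parameter/<runner-token-name>"`, with `ssm:PutParameter` limited to the single parameter the runner writes; the later patches in this series move in that direction.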
From: Matthias Kay
Date: Wed, 8 May 2024 19:06:03 +0200
Subject: [PATCH 2/4] use least privilege

---
 main.tf | 15 ++++++++++++-
 ...instance-secure-parameter-role-policy.json | 14 ------------
 ...nstance-secure-parameter-role-policy.tftpl | 22 +++++++++++++++++++
 3 files changed, 36 insertions(+), 15 deletions(-)
 delete mode 100644 policies/instance-secure-parameter-role-policy.json
 create mode 100644 policies/instance-secure-parameter-role-policy.tftpl

diff --git a/main.tf b/main.tf
index 684910a29..3437338bc 100644
--- a/main.tf
+++ b/main.tf
@@ -598,7 +598,20 @@ resource "aws_iam_policy" "ssm" {
 name = "${local.name_iam_objects}-ssm"
 path = "/"
 description = "Policy for runner token param access via SSM"
- policy = file("${path.module}/policies/instance-secure-parameter-role-policy.json")
+ policy = templatefile("${path.module}/policies/instance-secure-parameter-role-policy.tftpl", {
+ read_resource_arns = compact([
+ aws_ssm_parameter.runner_sentry_dsn.name,
+ var.runner_gitlab_registration_token_secure_parameter_store_name,
+ var.runner_gitlab.access_token_secure_parameter_store_name,
+ var.runner_gitlab.preregistered_runner_token_ssm_parameter_name,
+ aws_ssm_parameter.runner_registration_token.name
+ ])
+ write_resource_arns = [aws_ssm_parameter.runner_registration_token.arn]
+
+ account_id = data.aws_caller_identity.current.account_id
+ partition = data.aws_partition.current.partition
+ region = data.aws_region.current.name
+ })
 tags = local.tags
 }
diff --git a/policies/instance-secure-parameter-role-policy.json b/policies/instance-secure-parameter-role-policy.json
deleted file mode 100644
index 909a54ab6..000000000
--- a/policies/instance-secure-parameter-role-policy.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "ssm:PutParameter",
- "ssm:GetParameter",
- "ssm:GetParameters"
- ],
- "Resource": "*"
- }
- ]
-}
diff --git a/policies/instance-secure-parameter-role-policy.tftpl b/policies/instance-secure-parameter-role-policy.tftpl
new file mode 100644
index 000000000..926bcc1c5
--- /dev/null
+++ b/policies/instance-secure-parameter-role-policy.tftpl
@@ -0,0 +1,22 @@
+${jsonencode(
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ssm:GetParameter",
+ "ssm:GetParameters"
+ ],
+ "Resource": [for name in read_resource_arns: "arn:${partition}:ssm:${region}:${account_id}:parameter/${name}"]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ssm:PutParameter",
+ ],
+ "Resource": [for name in write_resource_arns: "arn:${partition}:ssm:${region}:${account_id}:parameter/${name}"]
+ }
+ ]
+}
+)}
From 35e5461c06bb868d66235a800277403f37a51108 Mon Sep 17 00:00:00 2001
From: Matthias Kay
Date: Wed, 8 May 2024 19:10:47 +0200
Subject: [PATCH 3/4] use name instead of ARN

---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index 3437338bc..2a21f7621 100644
--- a/main.tf
+++ b/main.tf
@@ -606,7 +606,7 @@ resource "aws_iam_policy" "ssm" {
 var.runner_gitlab.preregistered_runner_token_ssm_parameter_name,
 aws_ssm_parameter.runner_registration_token.name
 ])
- write_resource_arns = [aws_ssm_parameter.runner_registration_token.arn]
+ write_resource_arns = [aws_ssm_parameter.runner_registration_token.name]

 account_id = data.aws_caller_identity.current.account_id
 partition = data.aws_partition.current.partition
From bcb8dc7dc6546fcab1c742b153a995ae8508e8c9 Mon Sep 17 00:00:00 2001
From: Matthias Kay
Date: Fri, 10 May 2024 10:57:33 +0200
Subject: [PATCH 4/4] move policy into data statement

---
 main.tf | 42 ++++++++++++-------
 ...nstance-secure-parameter-role-policy.tftpl | 22 ----------
 2 files changed, 28 insertions(+), 36 deletions(-)
 delete mode 100644 policies/instance-secure-parameter-role-policy.tftpl

diff --git a/main.tf b/main.tf
index 2a21f7621..69c0f67fb 100644
--- a/main.tf
+++ b/main.tf
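Review bot: The template inputs `read_resource_arns` and `write_resource_arns` are bare SSM parameter names, not ARNs — both `Resource` comprehensions prepend `arn:${partition}:ssm:${region}:${account_id}:parameter/` to each element — and the names invite callers to pass a real ARN, which the main.tf hunk of this same patch does with `write_resource_arns = [aws_ssm_parameter.runner_registration_token.arn]`, producing a `parameter/arn:aws:ssm:...` resource that matches nothing. The one-line correction in patch 3 repairs that instance, but the contract stays invisible. Renaming the inputs `read_parameter_names` / `write_parameter_names` and annotating the `templatefile` call in main.tf with `# SSM parameter names, not ARNs — the template adds the ARN prefix` would make the next misuse obvious at review time; the template itself has no comment syntax outside `${jsonencode(...)}`, so the note has to live at the call site.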
@@ -594,24 +594,38 @@ resource "aws_eip" "gitlab_runner" {
 ################################################################################
 ### AWS Systems Manager access to store runner token once registered
 ################################################################################
+data "aws_iam_policy_document" "ssm" {
+ statement {
+ actions = [
+ "ssm:GetParameter",
+ "ssm:GetParameters",
+ ]
+ resources = [
+ for name in compact(
+ [
+ aws_ssm_parameter.runner_sentry_dsn.name,
+ var.runner_gitlab_registration_token_secure_parameter_store_name,
+ var.runner_gitlab.access_token_secure_parameter_store_name,
+ var.runner_gitlab.preregistered_runner_token_ssm_parameter_name,
+ aws_ssm_parameter.runner_registration_token.name
+ ]
+ ) : "arn:${data.aws_partition.current.partition}:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/${name}"
+ ]
+ }
+
+ statement {
+ actions = ["ssm:PutParameter"]
+ resources = [
+ "arn:${data.aws_partition.current.partition}:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/${aws_ssm_parameter.runner_registration_token.name}"
+ ]
+ }
+}
+
 resource "aws_iam_policy" "ssm" {
 name = "${local.name_iam_objects}-ssm"
 path = "/"
 description = "Policy for runner token param access via SSM"
- policy = templatefile("${path.module}/policies/instance-secure-parameter-role-policy.tftpl", {
- read_resource_arns = compact([
- aws_ssm_parameter.runner_sentry_dsn.name,
- var.runner_gitlab_registration_token_secure_parameter_store_name,
- var.runner_gitlab.access_token_secure_parameter_store_name,
- var.runner_gitlab.preregistered_runner_token_ssm_parameter_name,
- aws_ssm_parameter.runner_registration_token.name
- ])
- write_resource_arns = [aws_ssm_parameter.runner_registration_token.name]
-
- account_id = data.aws_caller_identity.current.account_id
- partition = data.aws_partition.current.partition
- region = data.aws_region.current.name
- })
+ policy = data.aws_iam_policy_document.ssm.json
 tags = local.tags
 }
diff --git a/policies/instance-secure-parameter-role-policy.tftpl b/policies/instance-secure-parameter-role-policy.tftpl
deleted file mode 100644
index 926bcc1c5..000000000
--- a/policies/instance-secure-parameter-role-policy.tftpl
+++ /dev/null
@@ -1,22 +0,0 @@
-${jsonencode(
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "ssm:GetParameter",
- "ssm:GetParameters"
- ],
- "Resource": [for name in read_resource_arns: "arn:${partition}:ssm:${region}:${account_id}:parameter/${name}"]
- },
- {
- "Effect": "Allow",
- "Action": [
- "ssm:PutParameter",
- ],
- "Resource": [for name in write_resource_arns: "arn:${partition}:ssm:${region}:${account_id}:parameter/${name}"]
- }
- ]
-}
-)}
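Review bot: Both `resources` lists in the new `data "aws_iam_policy_document" "ssm"` build the ARN as `...:parameter/${name}`, which yields `parameter//foo` for a parameter named `/foo`; the ARN of a hierarchical parameter drops the leading slash (`/foo/bar` is `arn:aws:ssm:<region>:<account>:parameter/foo/bar`), so if any of the `var.runner_gitlab*` names is configured with a leading slash — the usual form for hierarchical parameters — that entry never matches and the runner's `GetParameter` is denied at boot. The failure is closed rather than open, but it surfaces only as a runtime error on the instance. In the read statement change the projection to `) : "arn:${data.aws_partition.current.partition}:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/${trimprefix(name, "/")}"`, and in the write statement take the provider-computed ARN directly, `resources = [aws_ssm_parameter.runner_registration_token.arn]`, which avoids hand-formatting altogether (the same `.arn` attributes could replace the two `aws_ssm_parameter.*.name` entries in the read list). Whether these SecureString parameters are encrypted with a customer-managed KMS key is not visible here; if they are, the instance role also needs `kms:Decrypt` on that key, which this document does not grant.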