Merge branch 'main' of github.com:noqdev/iambic

* 'main' of github.com:noqdev/iambic: (32 commits)
  Bump version
  EN-1798: Unbound parenthesis fix
  Bump version
  Disbale itest image build
  Bump version
  Update registry
  Update registry
  Update registry
  Point to new registry
  Added a hidden git aware flag on plan.
  Bump version
  Change comment
  revert launch.json change
  EN-1796: Sanitize account name
  Bump version
  Fix AWS PROFILE and CWS env var ref in alias
  Bump version
  Change to use dash versus _
  Use ECR_PATH variable so ecr path only mentioned in one place
  Ensure the shell selector works to write the correct alias
  ...

Signed-off-by: Matt Daue <[email protected]>

.github/workflows/build-container.yml

@@ -50,10 +50,12 @@ jobs:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v1
         with:
-          role-to-assume: arn:aws:iam::759357822767:role/iambic_image_builder
+          role-to-assume: arn:aws:iam::242345320040:role/iambic_image_builder
           aws-region: us-east-1
       - name: build container
         id: build-container
         run: |
-          aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/l1s5s8m2
-          . build-env/bin/activate && make build_docker upload_docker
+          aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/o4z3c2v2
+          . build-env/bin/activate && make build_docker upload_docker
+          docker logout public.ecr.aws/o4z3c2v2
+          docker buildx prune --filter=until=96h -f

.github/workflows/run-test.yml

@@ -36,11 +36,12 @@ jobs:
         with:
           role-to-assume: arn:aws:iam::442632209887:role/iambic_image_builder
           aws-region: us-east-1
-      - name: build-itest-image
-        id: build-itest-image
-        run: |
-          aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/l1s5s8m2
-          . env/bin/activate && make -f Makefile.itest build_docker_itest upload_docker_itest
+      # Disable image builder for now since we are not using it
+      #- name: build-itest-image
+      #  id: build-itest-image
+      #  run: |
+      #    aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/l1s5s8m2
+      #    . env/bin/activate && make -f Makefile.itest build_docker_itest upload_docker_itest
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v1
         with:

Makefile

@@ -1,13 +1,13 @@
 BUILD_VERSION := $(shell python build_utils/tag_and_build_container.py print-current-version)
-IAMBIC_PUBLIC_ECR_ALIAS := "s2p9s3r8"
+IAMBIC_PUBLIC_ECR_ALIAS := "o4z3c2v2"
 
 .PHONY: prepare_for_dist
 prepare_for_dist:
 	rm -f proposed_changes.yaml # especially important if this is run locally
 
 .PHONY: auth_to_ecr
 auth_to_ecr:
-	bash -c "AWS_PROFILE=development/iambic_image_builder aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/s2p9s3r"
+	bash -c "AWS_PROFILE=iambic_open_source/iambic_image_builder aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/o4z3c2v2"
 
 docker_buildx := docker buildx build \
 	--platform=linux/amd64 \
@@ -63,4 +63,4 @@ build_docker_base_image:
 .PHONY: upload_docker_base_image
 upload_docker_base_image:
 	@echo "--> Uploading Iambic Docker base container image"
-	$(docker_base_image_buildx) --push .
+	$(docker_base_image_buildx) --push .

deployment/github_app/main.tf

@@ -5,7 +5,6 @@ terraform {
       version = "~> 4.16"
     }
   }
-
   required_version = ">= 1.2.0"
 }
 
@@ -18,33 +17,47 @@ data "aws_caller_identity" "current" {}
 locals {
   account_id    = data.aws_caller_identity.current.account_id
   ecr_image_tag = "latest"
-  iambic_public_repo = "public.ecr.aws/s2p9s3r8/iambic"
-  iambic_image_tag = "latest"
 }
 
-resource "aws_ecr_repository" "iambic_private_ecr" {
-  name                 = "iambic_private_ecr"
-  image_tag_mutability = "MUTABLE"
+resource "null_resource" "iambic_public_repo" {
 
-  image_scanning_configuration {
-    scan_on_push = true
+  triggers = {
+    always_run = "${timestamp()}"
   }
 
-/*
+  depends_on = [
+    aws_ecr_repository.iambic_private_ecr,
+  ]
+
   provisioner "local-exec" {
     command = <<EOF
-        aws ecr get-login-password --region ${var.aws_region} | docker login --username AWS --password-stdin ${local.account_id}.dkr.ecr.${var.aws_region}.amazonaws.com
-        docker pull ${local.iambic_public_repo}:${local.iambic_image_tag}
-        docker tag ${local.iambic_public_repo}:${local.iambic_image_tag} ${aws_ecr_repository.iambic_private_ecr.repository_url}:${local.ecr_image_tag}
+        docker logout ${var.iambic_public_repo_url}
+        docker pull ${var.iambic_public_repo_url}/${var.iambic_image_name}:${var.iambic_image_tag}
+        aws --profile ${var.aws_profile} ecr get-login-password --region ${var.aws_region} | docker login --username AWS --password-stdin ${local.account_id}.dkr.ecr.${var.aws_region}.amazonaws.com
+        docker tag ${var.iambic_public_repo_url}/${var.iambic_image_name}:${var.iambic_image_tag} ${aws_ecr_repository.iambic_private_ecr.repository_url}:${local.ecr_image_tag}
         docker push ${aws_ecr_repository.iambic_private_ecr.repository_url}:${local.ecr_image_tag}
 
     EOF
-  }*/
+  }
+}
+
+resource "aws_ecr_repository" "iambic_private_ecr" { #tfsec:ignore:aws-ecr-repository-customer-key
+  name                 = "iambic_private_ecr"
+  image_tag_mutability = "MUTABLE" #tfsec:ignore:aws-ecr-enforce-immutable-repository
+
+  image_scanning_configuration {
+    scan_on_push = true
+  }
 }
 
 data "aws_ecr_image" "iambic_private_ecr" {
   repository_name = aws_ecr_repository.iambic_private_ecr.name
-  image_tag       = "${local.ecr_image_tag}"
+  image_tag       = local.ecr_image_tag
+
+  depends_on = [
+    null_resource.iambic_public_repo,
+  ]
+
 }
 
 data "aws_iam_role" "iambic_github_app_lambda_execution" {
@@ -53,11 +66,11 @@ data "aws_iam_role" "iambic_github_app_lambda_execution" {
 
 
 resource "aws_lambda_function" "iambic_github_app" {
-  image_uri     = "${aws_ecr_repository.iambic_private_ecr.repository_url}:latest"  # repo and tag
+  image_uri     = "${aws_ecr_repository.iambic_private_ecr.repository_url}:latest" # repo and tag
   package_type  = "Image"
   function_name = "iambic_github_app_webhook"
   role          = data.aws_iam_role.iambic_github_app_lambda_execution.arn
-  memory_size   = 512
+  memory_size   = 2048
   timeout       = 900
 
   source_code_hash = trimprefix(data.aws_ecr_image.iambic_private_ecr.id, "sha256:")
@@ -68,14 +81,19 @@ resource "aws_lambda_function" "iambic_github_app" {
 
   environment {
     variables = {
-      GITHUB_APP_SECRET_KEY_SECRET_ID = var.github_app_private_key_secret_id
+      GITHUB_APP_SECRET_KEY_SECRET_ID     = var.github_app_private_key_secret_id
       GITHUB_APP_WEBHOOK_SECRET_SECRET_ID = var.github_webhook_secret_secret_id
     }
   }
 
+  tracing_config {
+    mode = "Active"
+  }
+
   depends_on = [
     data.aws_iam_role.iambic_github_app_lambda_execution,
     aws_ecr_repository.iambic_private_ecr,
+    null_resource.iambic_public_repo,
   ]
 }
 

deployment/github_app/vars.tf

@@ -1,20 +1,41 @@
 variable "aws_region" {
-  type = string
+  type        = string
   description = "The aws region in which the lambda function will be deployed"
 
   default = "us-west-2"
 }
 
 variable "github_app_private_key_secret_id" {
-  type = string
+  type        = string
   description = "AWS Secret ID that contains the Github App private key"
 
-  default = "dev/test-github-app-private-key"
+  default = "dev/github-app-private-key"
 }
 
 variable "github_webhook_secret_secret_id" {
-  type = string
+  type        = string
   description = "AWS Secret ID that contains the Github App webhook secret"
 
-  default = "dev/test-github-app-webhook-secret"
-}
+  default = "dev/github-app-webhook-secret"
+}
+
+variable "iambic_public_repo_url" {
+  type        = string
+  description = "Iambic Public Repo URL"
+
+  default = "public.ecr.aws/o4z3c2v2"
+}
+
+variable "iambic_image_name" {
+  type        = string
+  description = "Iambic Image Repo"
+
+  default = "iambic"
+}
+
+variable "iambic_image_tag" {
+  type        = string
+  description = "Iambic Image Tag"
+
+  default = "latest"
+}

docker-compose-cicd.yaml

@@ -3,7 +3,7 @@ services:
   iambic-cicd:
     # NOTE: This compose file loads the image from ECR, not from what you are running
     # locally.
-    image: public.ecr.aws/s2p9s3r8/iambic:latest
+    image: public.ecr.aws/o4z3c2v2/iambic:latest
     environment:
       - IAMBIC_CONFIG=arn:aws:secretsmanager:us-west-2:759357822767:secret:dev/iambic-full
       - IAMBIC_CONFIG_ASSUME_ROLE=arn:aws:iam::759357822767:role/IambicSpokeRole

docs/web/docs/1-getting_started/5-github.mdx

@@ -215,6 +215,7 @@ By installing Iambic Github App, the app can integrate with the pull-request and
 5. Uncheck "Active" for "Webhook"
 6. Select "Read and Write" for "Content" Under "Permissions"
 7. Select "Read and Write" for "Pull requests" Under "Permissions"
+7. Select "Read and Write" for "Issues" Under "Permissions"
 8. Leave default "Only on this account" for "Where can this Github App bed installed?"
 9. Click "Create Github App"
 10. Scroll down to "Private Keys"

functional_tests/aws/group/test_update_template.py

@@ -140,3 +140,64 @@ async def test_create_update_group_all_accounts(self):
         )
         r = await self.template.apply(IAMBIC_TEST_DETAILS.config.aws, ctx)
         self.assertEqual(len(r.proposed_changes), 1)
+
+
+class UpdateGroupBadInputTestCase(IsolatedAsyncioTestCase):
+    @classmethod
+    def setUpClass(cls):
+        cls.template = asyncio.run(
+            generate_group_template_from_base(IAMBIC_TEST_DETAILS.template_dir_path)
+        )
+        cls.group_name = cls.template.properties.group_name
+        cls.all_account_ids = [
+            account.account_id for account in IAMBIC_TEST_DETAILS.config.aws.accounts
+        ]
+        # Only include the template in half the accounts
+        # Make the accounts explicit so it's easier to validate account scoped tests
+        cls.template.included_accounts = cls.all_account_ids[
+            : len(cls.all_account_ids) // 2
+        ]
+        asyncio.run(cls.template.apply(IAMBIC_TEST_DETAILS.config.aws, ctx))
+
+    @classmethod
+    def tearDownClass(cls):
+        cls.template.deleted = True
+        asyncio.run(cls.template.apply(IAMBIC_TEST_DETAILS.config.aws, ctx))
+
+    async def test_bad_input(self):
+        self.template.included_accounts = ["*"]
+        self.template.excluded_accounts = []
+
+        await self.template.apply(IAMBIC_TEST_DETAILS.config.aws, ctx)
+
+        account_group_mapping = await get_group_across_accounts(
+            IAMBIC_TEST_DETAILS.config.aws.accounts, self.group_name, False
+        )
+        group_account_ids = [
+            account_id for account_id, group in account_group_mapping.items() if group
+        ]
+
+        self.template.properties.inline_policies.append(
+            PolicyDocument(
+                included_accounts=[group_account_ids[0], group_account_ids[1]],
+                expires_at="tomorrow",
+                policy_name="test_policy",
+                statement=[
+                    {
+                        "action": ["s3:NotARealAction"],
+                        "effect": "BAD_INPUT",
+                        "resource": ["*"],
+                        "expires_at": "tomorrow",
+                        "included_accounts": [group_account_ids[0]],
+                    },
+                    {
+                        "action": ["s3:AlsoNotARealAction"],
+                        "effect": "BAD_INPUT",
+                        "resource": ["*"],
+                        "expires_at": "tomorrow",
+                    },
+                ],
+            )
+        )
+        r = await self.template.apply(IAMBIC_TEST_DETAILS.config.aws, ctx)
+        self.assertEqual(len(r.exceptions_seen), 2)

functional_tests/aws/role/test_update_template.py

@@ -4,7 +4,6 @@
 from unittest import IsolatedAsyncioTestCase
 
 import dateparser
-
 from functional_tests.aws.role.utils import generate_role_template_from_base
 from functional_tests.conftest import IAMBIC_TEST_DETAILS
 from iambic.core.context import ctx

functional_tests/aws/user/test_update_template.py

@@ -4,7 +4,6 @@
 from unittest import IsolatedAsyncioTestCase
 
 import dateparser
-
 from functional_tests.aws.user.utils import generate_user_template_from_base
 from functional_tests.conftest import IAMBIC_TEST_DETAILS
 from iambic.core.context import ctx

functional_tests/conftest.py

@@ -10,7 +10,6 @@
 from iambic.config.dynamic_config import Config, load_config
 from iambic.core.context import ctx
 from iambic.core.logger import log
-from iambic.main import run_import
 from iambic.plugins.v0_1_0.aws.models import AWSAccount
 
 if not os.environ.get("GITHUB_ACTIONS", None):
@@ -104,18 +103,17 @@ def generate_templates_fixture(request):
     with open(IAMBIC_TEST_DETAILS.config_path, "w") as temp_file:
         temp_file.write(all_config)
 
-    if not FUNCTIONAL_TEST_TEMPLATE_DIR:
-        run_import(
-            IAMBIC_TEST_DETAILS.template_dir_path,
-            IAMBIC_TEST_DETAILS.config_path,
-        )
-        log.info("Finished generating templates for testing")
-
     log.info("Setting up config for testing")
     IAMBIC_TEST_DETAILS.config = asyncio.run(
         load_config(IAMBIC_TEST_DETAILS.config_path)
     )
 
+    if not FUNCTIONAL_TEST_TEMPLATE_DIR:
+        asyncio.run(
+            IAMBIC_TEST_DETAILS.config.run_import(IAMBIC_TEST_DETAILS.template_dir_path)
+        )
+        log.info("Finished generating templates for testing")
+
     for aws_account in IAMBIC_TEST_DETAILS.config.aws.accounts:
         if aws_account.identity_center_details:
             IAMBIC_TEST_DETAILS.identity_center_account = aws_account