Add Confused Deputy Prevention #1503
Conversation
dricross
force-pushed
the
dricross/confused-deputy
branch
6 times, most recently
from
818dbd6 to
a45a647
Compare
dricross
force-pushed
the
dricross/confused-deputy
branch
2 times, most recently
from
82ece88 to
5e816a4
Compare
There was a problem hiding this comment.
These are all formatting changes right?
There was a problem hiding this comment.
Everything in terraform apply is formatting. The changes in the Terraform destroy step are actually important. The step would fail with an error that effectively says "you need to run terraform init first". So whenever my integ test run would fail, it would leave behind a bunch of resources
There was a problem hiding this comment.
We shouldn't need to call terraform init before the destroy. The working directory should already be initialized before we call apply.
There was a problem hiding this comment.
🤷 it wasn't working. Here's an example: https://github.com/aws/amazon-cloudwatch-agent/actions/runs/12770930135/job/35606848743
There was a problem hiding this comment.
It looks like that's because it was already destroyed by the terraform apply.
There was a problem hiding this comment.
Hm... so maybe it's failing because the destroy step always cds into ${{inputs.test_dir}} whereas the apply step cds into ${{ matrix.arrays.terraform_dir }} if its defined, so ${{inputs.test_dir}} may not be init'd. And the real fix should be to cd into ${{ matrix.arrays.terraform_dir }} if it's defined and we shouldn't need the extra terraform init
There was a problem hiding this comment.
Can you bring the same if statement to the destroy?
if [ "${{ matrix.arrays.terraform_dir }}" != "" ]; then
cd "${{ matrix.arrays.terraform_dir }}"
else
cd ${{inputs.test_dir}}
fi
We need to make sure to destroy the correct environment.
There was a problem hiding this comment.
Yeah I think that's right.
dricross
force-pushed
the
dricross/confused-deputy
branch
2 times, most recently
from
866274c to
20257af
Compare
Description of the issue
To support confused deputy prevention, the CloudWatch Agent needs to be able to pass confused deputy context keys in the headers of STS AssumeRole calls so that dependent service teams can allow their customers to use confused deputy context keys in their role policies.
For background on the confused deputy problem, see: https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html
Description of changes
Enable the CloudWatch Agent to resource confused deputy context keys from environment variables and include the key values in the STS AssumeRole request headers.
I noticed while testing my new integration test that the destroy step was always failing because terraform wasn't initialized. Example: https://github.com/aws/amazon-cloudwatch-agent/actions/runs/13013756921/job/36303755191. This wound up leaving a ton of resources behind that didn't get cleaned up automatically. Added a
terraform initstep to the terraform destroy step to fix thisLicense
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
Tests
New
assume_roleintegration test created in test repo. Example run: https://github.com/aws/amazon-cloudwatch-agent/actions/runs/13020191778. Seeassume_roletest, e.g. https://github.com/aws/amazon-cloudwatch-agent/actions/runs/13065824342/job/36483181515. See PR for amazon-cloudwatch-agent-test for more details: aws/amazon-cloudwatch-agent-test#449Requirements
Before commit the code, please do the following steps.
make fmtandmake fmt-shmake lint