Fix: Alarm api_unauthorized for HeadBucket/Object from SSM agent (#6141)

[dsotirho-ucsc]

Connected issues: #6141

Checklist

Author

• PR is a draft
• Target branch is develop
• Name of PR branch matches issues/<GitHub handle of author>/<issue#>-<slug>
• On ZenHub, PR is connected to all issues it (partially) resolves
• PR description links to connected issues
• PR title matches¹ that of a connected issue _{or comment in PR explains why they're different}
• PR title references all connected issues
• For each connected issue, there is at least one commit whose title references that issue

Author (partiality)

• Added p tag to titles of partial commits
• This PR is labeled partial _{or completely resolves all connected issues}
• This PR partially resolves each of the connected issues _{or does not have the partial label}

¹ when the issue title describes a problem, the corresponding PR
title is Fix: followed by the issue title

Author (chains)

• This PR is blocked by previous PR in the chain _{or is not chained to another PR}
• The blocking PR is labeled base _{or this PR is not chained to another PR}
• This PR is labeled chained _{or is not chained to another PR}

Author (reindex, API changes)

• Added r tag to commit title _{or this PR does not require reindexing}
• This PR is labeled reindex:dev _{or does not require reindexing dev}
• This PR is labeled reindex:anvildev _{or does not require reindexing anvildev}
• This PR is labeled reindex:anvilprod _{or does not require reindexing anvilprod}
• This PR is labeled reindex:partial and its description documents the specific reindexing procedure for dev, anvildev, anvilprod and prod _{or requires a full reindex or carries none of the labels reindex:dev, reindex:anvildev, reindex:anvilprod and reindex:prod}
• This PR and its connected issues are labeled API _{or this PR does not modify a REST API}
• Added a (A) tag to commit title for backwards (in)compatible changes _{or this PR does not modify a REST API}
• Updated REST API version number in app.py _{or this PR does not modify a REST API}

Author (upgrading deployments)

• Documented upgrading of deployments in UPGRADING.rst _{or this PR does not require upgrading deployments}
• Added u tag to commit title _{or this PR does not require upgrading deployments}
• Ran make image_manifests.json and committed the resulting changes _{or this PR does not modify azul_docker_images, or any other variables referenced in the definition of that variable}
• This PR is labeled upgrade _{or does not require upgrading deployments}
• This PR is labeled deploy:shared _{or does not modify image_manifests.json, and does not require deploying the shared component for any other reason}
• This PR is labeled deploy:gitlab _{or does not require deploying the gitlab component}
• This PR is labeled deploy:runner _{or does not require deploying the runner image}

Author (operator tasks)

• Added checklist items for additional operator tasks _{or this PR does not require additional tasks}

Author (hotfixes)

• Added F tag to main commit title _{or this PR does not include permanent fix for a temporary hotfix}
• Reverted the temporary hotfixes for any connected issues _{or the prod branch has no temporary hotfixes for any connected issues}

Author (before every review)

• Rebased PR branch on develop, squashed old fixups
• Ran make requirements_update _{or this PR does not modify requirements*.txt, common.mk, Makefile and Dockerfile}
• Added R tag to commit title _{or this PR does not modify requirements*.txt}
• This PR is labeled reqs _{or does not modify requirements*.txt}
• make integration_test passes in personal deployment _{or this PR does not modify functionality that could affect the IT outcome}

Peer reviewer (after requesting changes)

Uncheck the Author (before every review) checklists.

Peer reviewer (after approval)

• PR is not a draft
• Ticket is in Review requested column
• Requested review from system administrator
• PR is assigned to only the system administrator

System administrator (after requesting changes)

Uncheck the before every review checklists. Update the N reviews label.

System administrator (after approval)

• Actually approved the PR
• Labeled connected issues as demo or no demo
• Commented on connected issues about demo expectations _{or all connected issues are labeled no demo}
• Decided if PR can be labeled no sandbox
• A comment to this PR details the completed security design review _{or this PR is a promotion or a backport}
• PR title is appropriate as title of merge commit
• N reviews label is accurate
• Moved ticket to Approved column
• PR is assigned to only the operator

Operator (before pushing merge the commit)

• Checked reindex:… labels and r commit title tag
• Checked that demo expectations are clear _{or all connected issues are labeled no demo}
• PR has checklist items for upgrading instructions _{or PR is not labeled upgrade}
• Squashed PR branch and rebased onto develop
• Sanity-checked history
• Pushed PR branch to GitHub
• Ran _select dev.shared && CI_COMMIT_REF_NAME=develop make -C terraform/shared apply_keep_unused _{or this PR is not labeled deploy:shared}
• Ran _select dev.gitlab && CI_COMMIT_REF_NAME=develop make -C terraform/gitlab apply _{or this PR is not labeled deploy:gitlab}
• Ran _select anvildev.shared && CI_COMMIT_REF_NAME=develop make -C terraform/shared apply_keep_unused _{or this PR is not labeled deploy:shared}
• Ran _select anvildev.gitlab && CI_COMMIT_REF_NAME=develop make -C terraform/gitlab apply _{or this PR is not labeled deploy:gitlab}
• Ran _select anvilprod.shared && CI_COMMIT_REF_NAME=develop make -C terraform/shared apply_keep_unused _{or this PR is not labeled deploy:shared}
• Ran _select anvilprod.gitlab && CI_COMMIT_REF_NAME=develop make -C terraform/gitlab apply _{or this PR is not labeled deploy:gitlab}
• Checked the items in the next section _{or this PR is labeled deploy:gitlab}
• Assigned system administrator _{or this PR is not labeled deploy:gitlab}

System administrator

• Background migrations for dev.gitlab are complete _{or this PR is not labeled deploy:gitlab}
• Background migrations for anvildev.gitlab are complete _{or this PR is not labeled deploy:gitlab}
• Background migrations for anvilprod.gitlab are complete _{or this PR is not labeled deploy:gitlab}
• PR is assigned to only the operator

Operator (before pushing merge the commit)

• Ran _select dev.gitlab && make -C terraform/gitlab/runner _{or this PR is not labeled deploy:runner}
• Ran _select anvildev.gitlab && make -C terraform/gitlab/runner _{or this PR is not labeled deploy:runner}
• Ran _select anvilprod.gitlab && make -C terraform/gitlab/runner _{or this PR is not labeled deploy:runner}
• Added sandbox label _{or PR is labeled no sandbox}
• Pushed PR branch to GitLab dev _{or PR is labeled no sandbox}
• Pushed PR branch to GitLab anvildev _{or PR is labeled no sandbox}
• Pushed PR branch to GitLab anvilprod _{or PR is labeled no sandbox}
• Build passes in sandbox deployment _{or PR is labeled no sandbox}
• Build passes in anvilbox deployment _{or PR is labeled no sandbox}
• Build passes in hammerbox deployment _{or PR is labeled no sandbox}
• Reviewed build logs for anomalies in sandbox deployment _{or PR is labeled no sandbox}
• Reviewed build logs for anomalies in anvilbox deployment _{or PR is labeled no sandbox}
• Reviewed build logs for anomalies in hammerbox deployment _{or PR is labeled no sandbox}
• Deleted unreferenced indices in sandbox _{or this PR does not remove catalogs or otherwise causes unreferenced indices in dev}
• Deleted unreferenced indices in anvilbox _{or this PR does not remove catalogs or otherwise causes unreferenced indices in anvildev}
• Deleted unreferenced indices in hammerbox _{or this PR does not remove catalogs or otherwise causes unreferenced indices in anvilprod}
• Started reindex in sandbox _{or this PR is not labeled reindex:dev}
• Started reindex in anvilbox _{or this PR is not labeled reindex:anvildev}
• Started reindex in hammerbox _{or this PR is not labeled reindex:anvilprod}
• Checked for failures in sandbox _{or this PR is not labeled reindex:dev}
• Checked for failures in anvilbox _{or this PR is not labeled reindex:anvildev}
• Checked for failures in hammerbox _{or this PR is not labeled reindex:anvilprod}
• The title of the merge commit starts with the title of this PR
• Added PR # reference to merge commit title
• Collected commit title tags in merge commit title _{but only included p if the PR is also labeled partial}
• Moved connected issues to Merged column in ZenHub
• Pushed merge commit to GitHub

Operator (chain shortening)

• Changed the target branch of the blocked PR to develop _{or this PR is not labeled base}
• Removed the chained label from the blocked PR _{or this PR is not labeled base}
• Removed the blocking relationship from the blocked PR _{or this PR is not labeled base}
• Removed the base label from this PR _{or this PR is not labeled base}

Operator (after pushing the merge commit)

• Pushed merge commit to GitLab dev _{or PR is labeled no sandbox}
• Pushed merge commit to GitLab anvildev _{or PR is labeled no sandbox}
• Pushed merge commit to GitLab anvilprod _{or PR is labeled no sandbox}
• Build passes on GitLab dev¹
• Reviewed build logs for anomalies on GitLab dev¹
• Build passes on GitLab anvildev¹
• Reviewed build logs for anomalies on GitLab anvildev¹
• Build passes on GitLab anvilprod¹
• Reviewed build logs for anomalies on GitLab anvilprod¹
• Ran _select dev.shared && make -C terraform/shared apply _{or this PR is not labeled deploy:shared}
• Ran _select anvildev.shared && make -C terraform/shared apply _{or this PR is not labeled deploy:shared}
• Ran _select anvilprod.shared && make -C terraform/shared apply _{or this PR is not labeled deploy:shared}
• Deleted PR branch from GitHub
• Deleted PR branch from GitLab dev
• Deleted PR branch from GitLab anvildev
• Deleted PR branch from GitLab anvilprod

¹ When pushing the merge commit is skipped due to the PR being
labelled no sandbox, the next build triggered by a PR whose merge commit is
pushed determines this checklist item.

Operator (reindex)

• Deindexed all unreferenced catalogs in dev _{or this PR is neither labeled reindex:partial nor reindex:dev}
• Deindexed all unreferenced catalogs in anvildev _{or this PR is neither labeled reindex:partial nor reindex:anvildev}
• Deindexed all unreferenced catalogs in anvilprod _{or this PR is neither labeled reindex:partial nor reindex:anvilprod}
• Deindexed specific sources in dev _{or this PR is neither labeled reindex:partial nor reindex:dev}
• Deindexed specific sources in anvildev _{or this PR is neither labeled reindex:partial nor reindex:anvildev}
• Deindexed specific sources in anvilprod _{or this PR is neither labeled reindex:partial nor reindex:anvilprod}
• Indexed specific sources in dev _{or this PR is neither labeled reindex:partial nor reindex:dev}
• Indexed specific sources in anvildev _{or this PR is neither labeled reindex:partial nor reindex:anvildev}
• Indexed specific sources in anvilprod _{or this PR is neither labeled reindex:partial nor reindex:anvilprod}
• Started reindex in dev _{or this PR does not require reindexing dev}
• Started reindex in anvildev _{or this PR does not require reindexing anvildev}
• Started reindex in anvilprod _{or this PR does not require reindexing anvilprod}
• Checked for, triaged and possibly requeued messages in both fail queues in dev _{or this PR does not require reindexing dev}
• Checked for, triaged and possibly requeued messages in both fail queues in anvildev _{or this PR does not require reindexing anvildev}
• Checked for, triaged and possibly requeued messages in both fail queues in anvilprod _{or this PR does not require reindexing anvilprod}
• Emptied fail queues in dev _{or this PR does not require reindexing dev}
• Emptied fail queues in anvildev _{or this PR does not require reindexing anvildev}
• Emptied fail queues in anvilprod _{or this PR does not require reindexing anvilprod}

Operator

• Propagated the deploy:shared, deploy:gitlab, deploy:runner, reindex:partial and reindex:prod labels to the next promotion PR _{or this PR carries none of these labels}
• Propagated any specific instructions related to the deploy:shared, deploy:gitlab, deploy:runner, reindex:partial and reindex:prod labels from the description of this PR to that of the next promotion PR _{or this PR carries none of these labels}
• PR is assigned to no one

Shorthand for review comments

• L line is too long
• W line wrapping is wrong
• Q bad quotes
• F other formatting problem

[dsotirho-ucsc]

With this change, the gitlab_boundary policy (on anvilprod) would increase from 5,306 to 5,528 characters.

Terraform will perform the following actions:

  # aws_iam_policy.gitlab_boundary will be updated in-place
  ~ resource "aws_iam_policy" "gitlab_boundary" {
        id        = "arn:aws:iam::122796619775:policy/azul-boundary"
        name      = "azul-boundary"
      ~ policy    = jsonencode(
          ~ {
              ~ Statement = [
                    {
                        Action   = [
                            "s3:ListAllMyBuckets",
                            "s3:HeadBucket",
                            "s3:GetAccountPublicAccessBlock",
                        ]
                        Effect   = "Allow"
                        Resource = "*"
                    },
                  ~ {
                      ~ Resource = [
                            # (3 unchanged elements hidden)
                            "arn:aws:s3:::edu-ucsc-gi-platform-hca-dev-*",
                          + "arn:aws:s3:::aws-ssm-document-attachments-us-east-1/*",
                          + "arn:aws:s3:::aws-ssm-document-attachments-us-east-1",
                          + "arn:aws:s3:::amazon-ssm-packages-us-east-1/*",
                          + "arn:aws:s3:::amazon-ssm-packages-us-east-1",
                        ]
                        # (2 unchanged attributes hidden)
                    },
                    {
                        Action   = [
                            "kms:ListKeys",
                            "kms:ListAliases",
                        ]
                        Effect   = "Allow"
                        Resource = "*"
                    },
                    # (28 unchanged elements hidden)
                ]
                # (1 unchanged attribute hidden)
            }
        )
        tags      = {
            "Name"                = "azul-gitlab_boundary"
            "billing"             = "hca"
            "component"           = "azul-gitlab_boundary"
            "deployment"          = "dev"
            "owner"               = "[email protected]"
            "service"             = "azul"
            "terraform_component" = "gitlab"
        }
        # (4 unchanged attributes hidden)
    }

  # aws_iam_policy.gitlab_iam will be updated in-place
  ~ resource "aws_iam_policy" "gitlab_iam" {
        id        = "arn:aws:iam::122796619775:policy/azul-gitlab-iam"
        name      = "azul-gitlab-iam"
      ~ policy    = jsonencode(
          ~ {
              ~ Statement = [
                    # (13 unchanged elements hidden)
                    {
                        Action   = [
                            "kms:UpdateKeyDescription",
                            "kms:UpdateAlias",
                            "kms:UntagResource",
                            "kms:TagResource",
                            "kms:ScheduleKeyDeletion",
                            "kms:DeleteAlias",
                            "kms:CreateAlias",
                        ]
                        Effect   = "Allow"
                        Resource = [
                            "arn:aws:kms:us-east-1:122796619775:key/*",
                            "arn:aws:kms:us-east-1:122796619775:alias/*",
                        ]
                    },
                  ~ {
                      ~ Resource = [
                            "arn:aws:s3:::aws-ssm-document-attachments-us-east-1/*",
                          + "arn:aws:s3:::aws-ssm-document-attachments-us-east-1",
                            "arn:aws:s3:::amazon-ssm-packages-us-east-1/*",
                          + "arn:aws:s3:::amazon-ssm-packages-us-east-1",
                        ]
                        # (2 unchanged attributes hidden)
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        tags      = {
            "Name"                = "azul-gitlab_iam"
            "billing"             = "hca"
            "component"           = "azul-gitlab_iam"
            "deployment"          = "dev"
            "owner"               = "[email protected]"
            "service"             = "azul"
            "terraform_component" = "gitlab"
        }
        # (4 unchanged attributes hidden)
    }

Plan: 0 to add, 2 to change, 0 to destroy.

[coveralls]

coverage: 85.342% (-0.005%) from 85.347%
when pulling 2a3e350 on issues/dsotirho-ucsc/6141-api-unauthorized-assumedrole
into 8e79850 on develop.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 85.32%. Comparing base (8e79850) to head (2a3e350).

Additional details and impacted files

@@             Coverage Diff             @@
##           develop    #6151      +/-   ##
===========================================
- Coverage    85.32%   85.32%   -0.01%     
===========================================
  Files          154      154              
  Lines        20129    20129              
===========================================
- Hits         17176    17175       -1     
- Misses        2953     2954       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[hannes-ucsc]

Security design review

• Security design review completed; this PR does not …
  • … affect authentication; for example:
    • OAuth 2.0 with the application (API or Swagger UI)
    • Authentication of developers with Google Cloud APIs
    • Authentication of developers with AWS APIs
    • Authentication with a GitLab instance in the system
    • Password and 2FA authentication with GitHub
    • API access token authentication with GitHub
    • Authentication with Terra
  • … affect the permissions of internal users like access to Fix: Alarm api_unauthorized for HeadBucket/Object from SSM agent (#6141) #6151 (comment)
    • Cloud resources on AWS and GCP
    • GitLab repositories, projects and groups, administration
    • an EC2 instance via SSH
    • GitHub issues, pull requests, commits, commit statuses, wikis, repositories, organizations
  • … affect the permissions of external users like access to
    • TDR snapshots
  • … affect permissions of service or bot accounts
    • Cloud resources on AWS and GCP
  • … affect audit logging in the system, like
    • adding, removing or changing a log message that represents an auditable event
    • changing the routing of log messages through the system
  • … affect monitoring of the system Fix: Alarm api_unauthorized for HeadBucket/Object from SSM agent (#6141) #6151 (comment)
  • … introduce a new software dependency like
    • Python packages on PYPI
    • Command-line utilities
    • Docker images
    • Terraform providers
  • … add an interface that exposes sensitive or confidential data at the security boundary
  • … affect the encryption of data at rest
  • … require persistence of sensitive or confidential data that might require encryption at rest
  • … require unencrypted transmission of data within the security boundary
  • … affect the network security layer; for example by
    • modifying, adding or removing firewall rules
    • modifying, adding or removing security groups
    • changing or adding a port a service, proxy or load balancer listens on
• Documentation on any unchecked boxes is provided in comments below

[hannes-ucsc]

Security design review: This PR grants the required permissions to SSM agent running on the GitLab instance. A previous PR attempted to grant the same permissions but failed to do so correctly. This PR addresses that. It affects the monitoring of the system in that it will cause fewer false positive alarms to be triaged.

[hannes-ucsc]

1 review because PR was still a draft and peer review checklist was incomplete.