diff --git a/.github/workflows/policy-validator-cfn.yaml b/.github/workflows/policy-validator-cfn.yaml
index 0e7de2d..b304b80 100644
--- a/.github/workflows/policy-validator-cfn.yaml
+++ b/.github/workflows/policy-validator-cfn.yaml
@@ -43,45 +43,45 @@ jobs:
 role-to-assume: ${{ env.AWS_ROLE }}
 aws-region: ${{ env.REGION }}
 # Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator
- # - name: Run AWS AccessAnalyzer ValidatePolicy check
- # id: run-aws-validate-policy
- # uses: aws-actions/cloudformation-aws-iam-policy-validator@v1.0.3
- # with:
- # policy-check-type: "VALIDATE_POLICY"
- # template-path: ${{ env.TEMPLATE_PATH}}
- # region: ${{ env.REGION }}
- # # Print result from VALIDATE_POLICY check
- # - name: Print the result for ValidatePolicy check
- # if: success() || failure()
- # run: echo "${{ steps.run-aws-validate-policy.outputs.result }}"
- # # Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator
- # - name: Run AWS AccessAnalyzer CheckAccessNotGranted check
- # id: run-aws-check-access-not-granted
- # uses: aws-actions/cloudformation-aws-iam-policy-validator@v1.0.3
- # with:
- # policy-check-type: "CHECK_ACCESS_NOT_GRANTED"
- # template-path: ${{ env.TEMPLATE_PATH}}
- # actions: ${{ env.ACTIONS }}
- # region: ${{ env.REGION }}
- # # Print result from CHECK_ACCESS_NOT_GRANTED check
- # - name: Print the result for CheckAccessNotGranted check
- # if: success() || failure()
- # run: echo "${{ steps.run-aws-check-access-not-granted.outputs.result }}"
+ - name: Run AWS AccessAnalyzer ValidatePolicy check
+ id: run-aws-validate-policy
+ uses: aws-actions/cloudformation-aws-iam-policy-validator@v1.0.3
+ with:
+ policy-check-type: "VALIDATE_POLICY"
+ template-path: ${{ env.TEMPLATE_PATH}}
+ region: ${{ env.REGION }}
+ # Print result from VALIDATE_POLICY check
+ - name: Print the result for ValidatePolicy check
+ if: success() || failure()
+ run: echo "${{ steps.run-aws-validate-policy.outputs.result }}"
+ # Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator
+ - name: Run AWS AccessAnalyzer CheckAccessNotGranted check
+ id: run-aws-check-access-not-granted
+ uses: aws-actions/cloudformation-aws-iam-policy-validator@v1.0.3
+ with:
+ policy-check-type: "CHECK_ACCESS_NOT_GRANTED"
+ template-path: ${{ env.TEMPLATE_PATH}}
+ actions: ${{ env.ACTIONS }}
+ region: ${{ env.REGION }}
+ # Print result from CHECK_ACCESS_NOT_GRANTED check
+ - name: Print the result for CheckAccessNotGranted check
+ if: success() || failure()
+ run: echo "${{ steps.run-aws-check-access-not-granted.outputs.result }}"
 # Run the CHECK_NO_NEW_ACCESS check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator
 # reference-policy is stored in GitHub secrets
- # - name: Run AWS AccessAnalyzer CheckNoNewAccess check
- # id: run-aws-check-no-new-access
- # uses: aws-actions/cloudformation-aws-iam-policy-validator@v1.0.3
- # with:
- # policy-check-type: "CHECK_NO_NEW_ACCESS"
- # template-path: 'test/check-no-new-access/cfn/sample-role.yaml'
- # reference-policy: 'test/check-no-new-access/cfn/reference-resource-policy.json'
- # reference-policy-type: 'RESOURCE'
- # region: ${{env.REGION }}
- # # Print result from CHECK_NO_NEW_ACCESS check
- # - name: Print the result for CheckNoNewAccess check
- # if: success() || failure()
- # run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}"
+ - name: Run AWS AccessAnalyzer CheckNoNewAccess check
+ id: run-aws-check-no-new-access
+ uses: aws-actions/cloudformation-aws-iam-policy-validator@v1.0.3
+ with:
+ policy-check-type: "CHECK_NO_NEW_ACCESS"
+ template-path: 'test/check-no-new-access/cfn/sample-role.yaml'
+ reference-policy: 'test/check-no-new-access/cfn/reference-resource-policy.json'
+ reference-policy-type: 'RESOURCE'
+ region: ${{env.REGION }}
+ # Print result from CHECK_NO_NEW_ACCESS check
+ - name: Print the result for CheckNoNewAccess check
+ if: success() || failure()
+ run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}"
 - name: Run AWS AccessAnalyzer CheckNoPublicAccess check
 id: run-aws-check-no-public-access
 uses: aws-actions/cloudformation-aws-iam-policy-validator@v1.0.3
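Review bot: The three newly enabled steps pull the action by the mutable tag `@v1.0.3` (the `uses:` line under each `- name: Run AWS AccessAnalyzer …` entry) in a job that has already assumed an AWS role via `role-to-assume` above, so anyone who can move that tag gets code execution with those credentials; pin each to the full commit SHA, e.g. `uses: aws-actions/cloudformation-aws-iam-policy-validator@<40-char-commit-sha> # v1.0.3`, and let Dependabot bump the SHA. The `run: echo "${{ steps.…outputs.result }}"` print steps expand the action output directly inside the shell command; if the findings text can carry content from the checked template (which a PR author controls), that is an expression-injection path, so pass the value through an environment variable instead, e.g. `env: RESULT: ${{ steps.run-aws-validate-policy.outputs.result }}` with `run: echo "$RESULT"`. The surviving context comment `# reference-policy is stored in GitHub secrets` no longer describes the enabled CheckNoNewAccess step, which reads `reference-policy: 'test/check-no-new-access/cfn/reference-resource-policy.json'` from the repository, so either the comment or the step should be corrected. The enclosing `jobs:` block starts before and continues after this hunk.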