Conversation
eddalmond1
left a comment
eddalmond1
left a comment
There was a problem hiding this comment.
All looks good - have hit Copilot review as I've never deployed code signing, so it might flag something specific i don't know about!
There was a problem hiding this comment.
Pull request overview
This PR introduces AWS Lambda code-signing prerequisites (AWS Signer signing profile + Lambda code signing config), exposes the signing profile name via Terraform outputs, and grants GitHub Actions IAM permissions to manage code-signing resources as a precursor to upcoming CI/CD workflow changes.
Changes:
- Add an AWS Signer signing profile and a Lambda code signing config in the shared Lambda module.
- Expose the signing profile name as Terraform outputs for consumption by GitHub Actions workflows.
- Add and attach a new GitHub Actions IAM policy for managing Lambda code signing configs and Signer jobs.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| infrastructure/stacks/iams-developer-roles/locals.tf | Adds locals for signing profile name/ARN used by IAM policy resources. |
| infrastructure/stacks/iams-developer-roles/github_actions_policies.tf | Adds a new code_signing_management IAM policy and attaches it to the GitHub Actions role. |
| infrastructure/stacks/api-layer/lambda.tf | Adds a Terraform output for the signing profile name from the Lambda module. |
| infrastructure/modules/lambda/signing.tf | Creates the AWS Signer signing profile and Lambda code signing config resources. |
| infrastructure/modules/lambda/outputs.tf | Exposes the signing profile name from the Lambda module. |
| "lambda:ListTags", | ||
| "lambda:DeleteFunctionCodeSigningConfig", | ||
| "lambda:PutFunctionCodeSigningConfig" | ||
| ], | ||
| Resource = "*" |
There was a problem hiding this comment.
This statement allows lambda:PutFunctionCodeSigningConfig / lambda:DeleteFunctionCodeSigningConfig against Resource = "*", which lets GitHub Actions attach/detach code-signing configs on any Lambda in the account. These actions support function ARN scoping; consider splitting them into a separate statement with the same function ARNs already used in aws_iam_policy.lambda_management in this file, keeping Resource="*" only for actions that truly require it (e.g., listing/creating configs).
eddalmond1
left a comment
eddalmond1
left a comment
There was a problem hiding this comment.
you still need to remove?
Description
Adds the required code signing resources, tf outputs and creates and attached the relevant policies to be used in the ci/cd workflows in a further pr
Context
This pr must come first before we actually make changes to our workflows that will use these resources to escape a chicken and egg scenario
Type of changes
Checklist
Sensitive Information Declaration
To ensure the utmost confidentiality and protect your and others privacy, we kindly ask you to NOT including PII (Personal Identifiable Information) / PID (Personal Identifiable Data) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that do contain any sensitive information. We really appreciate your cooperation in this matter.