🛂 Extend route table permissions

[jacobwoffenden]

A reference to the issue / Description of it

ministryofjustice/analytical-platform#5175

│ Error: updating Route Table Association (rtbassoc-0e84eae427d434413): operation error EC2: ReplaceRouteTableAssociation, https response error StatusCode: 403, RequestID: a769dd0c-1987-488b-a77f-7c4a1db3ff2f, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::***:assumed-role/MemberInfrastructureAccess/aws-go-sdk-1730886794723493693 is not authorized to perform: ec2:ReplaceRouteTableAssociation on resource: arn:aws:ec2:eu-west-2:***:route-table/rtb-04a899403876e96dc because no identity-based policy allows the ec2:ReplaceRouteTableAssociation action. Encoded authorization failure message: othgy3IfTv1t1LxQoMuhwdD8GL8LPXd1kk6Qp1PQ2ZfoqepBTTw_VjndndmTOOdVWWGzHRJcl2MEjp9EN9fyHvmA0WhVdyY2trj1vRRW1hOJtBqDQ26adj-irZ4JXS96bs4VlU8lfNCslEoNfySz3vKo7b88PLcgHMgO5LxMjimBkQ59PmH9P4P6wvnIPUKCd1RCvly6U8SHF_KzqyZarRB30mkzunRAWhZ9AIZaRIk5uZ5oDs50ShtPq7mVLtXU-ji1dzX6tXl-WJP1df7vJyO1BP6eP_kB326sx4aBwVCmMgew9aXeC498Sk1R0VyJqRC3rbJ5oXT5zEM607P4yFJiM2H7S93l9D-CUc3RLok7VTBhf1t2fed6RfExS7cfpNXbpgKw0vsPEEnozao0JK25M4_6Okgz8RCFtRqxp9UcoUPwVskwYc_N4sMHqXeaoATqRGlWkjL68lxiDxOoEN2QA9ZEJnVNNTYytsdnl4QB8yx7vKLP2qEhIr2RiRnDwY4HtqY5LaWLHdeLBx9pm5WITD6Is7IrldHspQRlY2MKC1PnCxOOn0_cKHwwhwk_sw16spFLRganGZZhe11ZEesSN_vJghqPgkVkt2tGLK_uyX_oNe7FuSyzr1DUhmuISUEaB1KQSDSf_PhBYe5fJ6T4gSzipoK8PNn2osH0ENWDLuxHQpcCQLGFeKiYgrCQpXtID4uFTyRn-tabk7gGbSVj9WA9kLKrNEwhN-MpxPabyRVybi3yS9DIq_1781ucvBmNkJQakknpjSfjPhBJhraj-NYokuwMj0_V8gc47vSPM7NAO_y42rC_EzZIi_Mu8KfxjwHTrcZrmOkwOH4eNhvX4WrahiBWzGmq9xgmuQt5Vx1EjNpHzWVgb1qFVroE3dc_tyLN5zcwpQ_ycEb3GePlQns2bdMZNhEMaSGdKPNHJ7siVi7xlorixQBVQN82ij0X56wqrWmwD08UtxLuWqtSbBCAbsclcgpj45HCjGiHuhKP7GoQwMbDut9C
│ 
│   with module.connected_vpc.aws_route_table_association.private[2],
│   on .terraform/modules/connected_vpc/main.tf line 280, in resource "aws_route_table_association" "private":
│  280: resource "aws_route_table_association" "private" {
│ 
╵

https://github.com/ministryofjustice/modernisation-platform-environments/actions/runs/11687338652/job/32586532954?pr=8496#step:10:30

How does this PR fix the problem?

Hopefully this will cover all route table permissions going forward

How has this been tested?

It hasn't

Deployment Plan / Instructions

Will this deployment impact the platform and / or services on it?

No, it's additional permissions

Checklist (check x in [ ] of list items)

• I have performed a self-review of my own code
• All checks have passed
• I have made corresponding changes to the documentation
• Plan and discussed how it should be deployed to PROD (If needed)

Additional comments (if any)

Signed-off-by: Jacob Woffenden jacob.woffenden@justice.gov.uk

[github-actions]

Trivy Scan Success

Show Output

```hcl

---

Trivy will check the following folders:
terraform/environments/bootstrap/member-bootstrap

---

Running Trivy in terraform/environments/bootstrap/member-bootstrap
2024-11-06T10:07:39Z INFO [vulndb] Need to update DB
2024-11-06T10:07:39Z INFO [vulndb] Downloading vulnerability DB...
2024-11-06T10:07:39Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-06T10:07:41Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-06T10:07:41Z INFO [vuln] Vulnerability scanning is enabled
2024-11-06T10:07:41Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-06T10:07:41Z INFO [misconfig] Need to update the built-in checks
2024-11-06T10:07:41Z INFO [misconfig] Downloading the built-in checks...
2024-11-06T10:07:42Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 681.877µs, allowed: 44000/minute\n\n"
2024-11-06T10:07:42Z INFO [secret] Secret scanning is enabled
2024-11-06T10:07:42Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-06T10:07:42Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-06T10:07:42Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-06T10:07:43Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-assumable-role: no such file or directory"
2024-11-06T10:07:44Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-assumable-role: no such file or directory"
2024-11-06T10:07:44Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-assumable-role: no such file or directory"
2024-11-06T10:07:44Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-assumable-role: no such file or directory"
2024-11-06T10:07:44Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-assumable-role: no such file or directory"
2024-11-06T10:07:44Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-assumable-role: no such file or directory"
2024-11-06T10:07:44Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-assumable-roles: no such file or directory"
2024-11-06T10:07:44Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-assumable-role: no such file or directory"
2024-11-06T10:07:44Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-assumable-role: no such file or directory"
2024-11-06T10:07:44Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-assumable-role: no such file or directory"
2024-11-06T10:07:46Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.pagerduty_core_alerts[0].data.aws_sns_topic.alarm_topics" value="cty.NilVal"
2024-11-06T10:07:46Z INFO Number of language-specific files num=0
2024-11-06T10:07:46Z INFO Detected config files num=3
trivy_exitcode=0

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/bootstrap/member-bootstrap

*****************************

Running Checkov in terraform/environments/bootstrap/member-bootstrap
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-06 10:07:49,583 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-cross-account-access?ref=6819b090bce6d3068d55c7c7b9b3fd18c9dca648:None (for external modules, the --download-external-modules flag is required)
2024-11-06 10:07:49,584 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=0179859e6fafc567843cd55c0b05d325d5012dc4:None (for external modules, the --download-external-modules flag is required)
2024-11-06 10:07:49,584 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-github-oidc-role?ref=62b8a16c73d8e4422cd81923e46948e8f4b5cf48:None (for external modules, the --download-external-modules flag is required)
2024-11-06 10:07:49,584 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-github-oidc-provider?ref=82f546bd5f002674138a2ccdade7d7618c6758b3:None (for external modules, the --download-external-modules flag is required)
2024-11-06 10:07:49,584 [MainThread  ] [WARNI]  Failed to download module github.com/terraform-aws-modules/terraform-aws-iam//modules/iam-assumable-role?ref=de95e21a3bc51cd3a44b3b95a4c2f61000649ebb:None (for external modules, the --download-external-modules flag is required)
2024-11-06 10:07:49,584 [MainThread  ] [WARNI]  Failed to download module github.com/terraform-aws-modules/terraform-aws-iam//modules/iam-assumable-roles?ref=de95e21a3bc51cd3a44b3b95a4c2f61000649ebb:None (for external modules, the --download-external-modules flag is required)
2024-11-06 10:07:49,595 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 vertices
2024-11-06 10:07:49,595 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 151, Failed checks: 0, Skipped checks: 52


checkov_exitcode=0

CTFLint Scan Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/bootstrap/member-bootstrap

*****************************

Running tflint in terraform/environments/bootstrap/member-bootstrap
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output

*****************************

Trivy will check the following folders:
terraform/environments/bootstrap/member-bootstrap

*****************************

Running Trivy in terraform/environments/bootstrap/member-bootstrap
2024-11-06T10:07:39Z	INFO	[vulndb] Need to update DB
2024-11-06T10:07:39Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-06T10:07:39Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-06T10:07:41Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-06T10:07:41Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-06T10:07:41Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-06T10:07:41Z	INFO	[misconfig] Need to update the built-in checks
2024-11-06T10:07:41Z	INFO	[misconfig] Downloading the built-in checks...
2024-11-06T10:07:42Z	ERROR	[misconfig] Falling back to embedded checks	err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 681.877µs, allowed: 44000/minute\n\n"
2024-11-06T10:07:42Z	INFO	[secret] Secret scanning is enabled
2024-11-06T10:07:42Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-06T10:07:42Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-06T10:07:42Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-06T10:07:43Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-assumable-role: no such file or directory"
2024-11-06T10:07:44Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-assumable-role: no such file or directory"
2024-11-06T10:07:44Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-assumable-role: no such file or directory"
2024-11-06T10:07:44Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-assumable-role: no such file or directory"
2024-11-06T10:07:44Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-assumable-role: no such file or directory"
2024-11-06T10:07:44Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-assumable-role: no such file or directory"
2024-11-06T10:07:44Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-assumable-roles: no such file or directory"
2024-11-06T10:07:44Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-assumable-role: no such file or directory"
2024-11-06T10:07:44Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-assumable-role: no such file or directory"
2024-11-06T10:07:44Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-assumable-role: no such file or directory"
2024-11-06T10:07:46Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.pagerduty_core_alerts[0].data.aws_sns_topic.alarm_topics" value="cty.NilVal"
2024-11-06T10:07:46Z	INFO	Number of language-specific files	num=0
2024-11-06T10:07:46Z	INFO	Detected config files	num=3
trivy_exitcode=0