Remove duplicated permissions from custom policy

* The custom IAM policy used by the GitHub workflows contains very fine-granular permissions. Whenever a new resource is added, it is quite cumbersome to find out all the detailed permissions that are required to manage this resource.
* For this reason, two AWS-managed policies were added to the role that grant generic read-only permission as well as permissions to tag and untag resources. Some fine-granular permissions in the custom policy are now no longer needed.

Author: bogsi17

docs/disaster-recovery.md

@@ -195,3 +195,14 @@ RAILS_ENV=staging bin/bundle exec \
 EXPORT_PASSWORD=secure \
   node ./script/encrypt_xlsx.mjs <filename>
 ```
+
+
+## Set up a new AWS account from scratch
+
+### Create a new IAM role for GitHub workflows
+
+In the AWS IAM console, create a new role for the GitHub workflows. Create a custom policy from `terraform/resources/github_actions_policy.json`. Also, attach the managed policies
+- `ReadOnlyAccess`
+- `ResourceGroupsTaggingAPITagUntagSupportedResources`
+
+to the role.

terraform/resources/github_actions_policy.json

@@ -5,32 +5,16 @@
       "Sid": "Statement1",
       "Effect": "Allow",
       "Action": [
-        "acm:AddTagsToCertificate",
         "acm:DeleteCertificate",
-        "acm:DescribeCertificate",
-        "acm:ListTagsForCertificate",
         "acm:RequestCertificate",
-        "cloudformation:DescribeStacks",
-        "cloudformation:GetTemplateSummary",
-        "cloudformation:ListStackInstances",
         "codedeploy:CreateApplication",
         "codedeploy:CreateDeployment",
         "codedeploy:CreateDeploymentGroup",
         "codedeploy:DeleteApplication",
         "codedeploy:DeleteDeploymentGroup",
-        "codedeploy:GetApplication",
-        "codedeploy:GetApplicationRevision",
-        "codedeploy:GetDeployment",
-        "codedeploy:GetDeploymentConfig",
-        "codedeploy:GetDeploymentGroup",
-        "codedeploy:ListDeployments",
-        "codedeploy:ListTagsForResource",
         "codedeploy:RegisterApplicationRevision",
         "codedeploy:UpdateDeploymentGroup",
-        "codedeploy:TagResource",
-        "codedeploy:UntagResource",
         "codedeploy:UpdateApplication",
-        "dynamodb:GetItem",
         "dynamodb:PutItem",
         "dynamodb:DeleteItem",
         "ec2:AllocateAddress",
@@ -45,7 +29,6 @@
         "ec2:CreateRouteTable",
         "ec2:CreateSecurityGroup",
         "ec2:CreateSubnet",
-        "ec2:CreateTags",
         "ec2:CreateVpc",
         "ec2:DeleteFlowLogs",
         "ec2:DeleteInternetGateway",
@@ -55,36 +38,15 @@
         "ec2:DeleteSecurityGroup",
         "ec2:DeleteSubnet",
         "ec2:DeleteVpc",
-        "ec2:DescribeAccountAttributes",
-        "ec2:DescribeAddresses",
-        "ec2:DescribeAddressesAttribute",
-        "ec2:DescribeAvailabilityZones",
-        "ec2:DescribeFlowLogs",
-        "ec2:DescribeInternetGateways",
-        "ec2:DescribeNatGateways",
-        "ec2:DescribeNetworkAcls",
-        "ec2:DescribeNetworkInterfaces",
-        "ec2:DescribeRouteTables",
-        "ec2:DescribeSecurityGroupRules",
-        "ec2:DescribeSecurityGroups",
-        "ec2:DescribeSubnets",
-        "ec2:DescribeVpcAttribute",
-        "ec2:DescribeVpcs",
         "ec2:DetachInternetGateway",
         "ec2:DetachNetworkInterface",
         "ec2:DisassociateAddress",
         "ec2:DisassociateRouteTable",
-        "ec2:GetSecurityGroupsForVpc",
         "ec2:ModifyVpcAttribute",
         "ec2:ReleaseAddress",
         "ec2:RevokeSecurityGroupEgress",
         "ec2:RevokeSecurityGroupIngress",
-        "ecr:BatchCheckLayerAvailability",
-        "ecr:BatchGetImage",
         "ecr:CompleteLayerUpload",
-        "ecr:DescribeImages",
-        "ecr:GetAuthorizationToken",
-        "ecr:GetDownloadUrlForLayer",
         "ecr:InitiateLayerUpload",
         "ecr:PutImage",
         "ecr:UploadLayerPart",
@@ -93,14 +55,8 @@
         "ecs:DeleteCluster",
         "ecs:DeleteService",
         "ecs:DeregisterTaskDefinition",
-        "ecs:DescribeClusters",
-        "ecs:DescribeServices",
-        "ecs:DescribeTaskDefinition",
         "ecs:RegisterTaskDefinition",
         "ecs:UpdateService",
-        "ecs:TagResource",
-        "ecs:UntagResource",
-        "elasticloadbalancing:AddTags",
         "elasticloadbalancing:CreateListener",
         "elasticloadbalancing:CreateLoadBalancer",
         "elasticloadbalancing:CreateRule",
@@ -109,122 +65,53 @@
         "elasticloadbalancing:DeleteLoadBalancer",
         "elasticloadbalancing:DeleteRule",
         "elasticloadbalancing:DeleteTargetGroup",
-        "elasticloadbalancing:DescribeListenerAttributes",
-        "elasticloadbalancing:DescribeListeners",
-        "elasticloadbalancing:DescribeListenerCertificates",
-        "elasticloadbalancing:DescribeLoadBalancerAttributes",
-        "elasticloadbalancing:DescribeLoadBalancers",
-        "elasticloadbalancing:DescribeRules",
-        "elasticloadbalancing:DescribeTags",
-        "elasticloadbalancing:DescribeTargetGroupAttributes",
-        "elasticloadbalancing:DescribeTargetGroups",
         "elasticloadbalancing:ModifyListener",
         "elasticloadbalancing:ModifyListenerAttributes",
         "elasticloadbalancing:ModifyLoadBalancerAttributes",
         "elasticloadbalancing:ModifyRule",
         "elasticloadbalancing:ModifyTargetGroupAttributes",
         "iam:AttachRolePolicy",
         "iam:CreatePolicyVersion",
-        "iam:GetRole",
         "iam:PassRole",
-        "iam:ListRolePolicies",
-        "iam:ListAttachedRolePolicies",
-        "iam:ListInstanceProfilesForRole",
-        "iam:ListPolicyVersions",
-        "iam:GetPolicy",
         "iam:CreateRole",
         "iam:CreatePolicy",
         "iam:DeleteRole",
         "iam:DeletePolicy",
-        "iam:GetPolicyVersion",
         "iam:DetachRolePolicy",
-        "iam:TagPolicy",
-        "iam:TagRole",
         "kms:CreateGrant",
         "kms:Decrypt",
-        "kms:DescribeKey",
         "logs:CreateLogGroup",
         "logs:DeleteLogGroup",
-        "logs:DescribeLogGroups",
-        "logs:ListTagsForResource",
         "logs:PutRetentionPolicy",
         "rds:CreateDBCluster",
         "rds:CreateDBInstance",
         "rds:CreateDBSubnetGroup",
         "rds:DeleteDBCluster",
         "rds:DeleteDBInstance",
         "rds:DeleteDBSubnetGroup",
-        "rds:DescribeDBClusters",
-        "rds:DescribeDBInstances",
-        "rds:DescribeDBSubnetGroups",
-        "rds:DescribeGlobalClusters",
-        "rds:ListTagsForResource",
-        "rds:AddTagsToResource",
         "rds:ModifyDBCluster",
         "rds:ModifyCurrentDBClusterCapacity",
         "rds:ModifyDBInstance",
-        "rds:RemoveTagsFromResource",
         "resource-groups:CreateGroup",
         "resource-groups:DeleteGroup",
-        "resource-groups:GetGroup",
-        "resource-groups:GetGroupConfiguration",
-        "resource-groups:GetGroupQuery",
-        "resource-groups:GetTags",
-        "resource-groups:Tag",
         "route53:ChangeResourceRecordSets",
         "route53:CreateHostedZone",
-        "route53:GetChange",
-        "route53:GetHostedZone",
-        "route53:ListHostedZones",
-        "route53:ListResourceRecordSets",
-        "route53:ListTagsForResource",
         "s3:CreateBucket",
         "s3:DeleteBucket",
         "s3:DeleteBucketPolicy",
         "s3:DeleteObject",
         "s3:DeleteObjectVersion",
-        "s3:GetAccelerateConfiguration",
-        "s3:GetBucketAcl",
-        "s3:GetBucketCors",
-        "s3:GetBucketCORS",
-        "s3:GetBucketLogging",
-        "s3:GetBucketObjectLockConfiguration",
-        "s3:GetBucketPolicy",
-        "s3:GetBucketPublicAccessBlock",
-        "s3:GetBucketRequestPayment",
-        "s3:GetBucketTagging",
-        "s3:GetBucketVersioning",
-        "s3:GetBucketWebsite",
-        "s3:GetEncryptionConfiguration",
-        "s3:GetObject",
-        "s3:GetObjectTagging",
-        "s3:GetLifecycleConfiguration",
-        "s3:ListBucket",
-        "s3:ListBucketVersions",
         "s3:PutBucketLogging",
         "s3:PutBucketPolicy",
         "s3:PutBucketPublicAccessBlock",
-        "s3:PutBucketTagging",
         "s3:PutBucketVersioning",
         "s3:PutObject",
-        "s3:PutObjectTagging",
-        "s3:GetReplicationConfiguration",
-        "s3:TagResource",
-        "s3:UntagResource",
         "secretsmanager:CreateSecret",
         "secretsmanager:PutSecretValue",
         "secretsmanager:UpdateSecret",
-        "secretsmanager:TagResource",
-        "secretsmanager:UntagResource",
-        "ssm:AddTagsToResource",
         "ssm:DeleteParameter",
         "ssm:DeleteParameters",
-        "ssm:DescribeParameters",
-        "ssm:GetParameter",
-        "ssm:GetParameters",
-        "ssm:ListTagsForResource",
-        "ssm:PutParameter",
-        "sts:GetCallerIdentity"
+        "ssm:PutParameter"
       ],
       "Resource": ["*"]
     }