Skip to content
Merged
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 4 additions & 5 deletions azure/components/aws-assume-role.yml
Original file line number Diff line number Diff line change
Expand Up @@ -34,9 +34,9 @@
aws_role="$(ROLE)"
echo "assume role: '${aws_role}'"

if [[ "$AWS_ACCOUNT" =~ ^(prod|dev)$ ]]; then
echo "account is $AWS_ACCOUNT"
account_id="$(aws ssm get-parameter --name /account-ids/$AWS_ACCOUNT --query Parameter.Value --output text)"
if [[ "${{ parameters.aws_account }}" =~ ^(prod|dev)$ ]]; then # NOSONAR

Check failure on line 37 in azure/components/aws-assume-role.yml

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Change this pipeline to not use user-controlled data directly in a script block

See more on https://sonarcloud.io/project/issues?id=NHSDigital_api-management-utils&issues=AZ9LsiRF8NEtWbVX9TDd&open=AZ9LsiRF8NEtWbVX9TDd&pullRequest=627

Check failure

Code scanning / SonarCloud

Azure Pipelines should not be vulnerable to script injections High

Change this pipeline to not use user-controlled data directly in a script block See more on SonarQube Cloud
Comment thread
sathiya-nhs marked this conversation as resolved.
Fixed
echo "account is ${{ parameters.aws_account }}"

Check failure on line 38 in azure/components/aws-assume-role.yml

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Change this pipeline to not use user-controlled data directly in a script block

See more on https://sonarcloud.io/project/issues?id=NHSDigital_api-management-utils&issues=AZ9LsiRF8NEtWbVX9TDe&open=AZ9LsiRF8NEtWbVX9TDe&pullRequest=627

Check failure

Code scanning / SonarCloud

Azure Pipelines should not be vulnerable to script injections High

Change this pipeline to not use user-controlled data directly in a script block See more on SonarQube Cloud
Comment thread
github-advanced-security[bot] marked this conversation as resolved.
Fixed
account_id="$(aws ssm get-parameter --name /account-ids/${{ parameters.aws_account }} --query Parameter.Value --output text)"

Check failure on line 39 in azure/components/aws-assume-role.yml

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Change this pipeline to not use user-controlled data directly in a script block

See more on https://sonarcloud.io/project/issues?id=NHSDigital_api-management-utils&issues=AZ9LsiRF8NEtWbVX9TDf&open=AZ9LsiRF8NEtWbVX9TDf&pullRequest=627

Check failure

Code scanning / SonarCloud

Azure Pipelines should not be vulnerable to script injections High

Change this pipeline to not use user-controlled data directly in a script block See more on SonarQube Cloud
Comment thread
github-advanced-security[bot] marked this conversation as resolved.
Fixed
if [[ "${aws_role}" != arn:aws:iam:* ]]; then
aws_role="arn:aws:iam::${account_id}:role/${aws_role}"
fi
Expand All @@ -46,7 +46,7 @@
echo "check if role exists"
# iam synchronisation issues can take a few to make the role appear
for i in {1..15}; do
if aws iam get-role --role-name ${aws_role} > /dev/null; then
if aws iam get-role --role-name "${aws_role}" > /dev/null; then
echo role exists
sleep 2
break
Expand Down Expand Up @@ -94,7 +94,6 @@
sed -i "s#\[default\]#\[profile ${profile}\]#" ~/.aws/config
fi
env:
AWS_ACCOUNT: ${{ parameters.aws_account }}
PROFILE: ${{ parameters.profile }}
displayName: assume role
condition: and(succeeded(), eq(variables['ROLE_EXISTS'], 'true'))