def test_create_access_to_reports(buckets_same_account_mapping, config):
# With existing mapping:
role_policies = create_s3_role_policies(
collect_policies(buckets_same_account_mapping))
assert len(role_policies["012345678910"]["Statement"]) == 4
create_access_to_reports(role_policies, "012345678910")
assert len(role_policies["012345678910"]["Statement"]) == 5
assert role_policies["012345678910"]["Statement"][4][
"Sid"] == "HistoricalS3Reports"
assert role_policies["012345678910"]["Statement"][4]["Effect"] == "Allow"
assert role_policies["012345678910"]["Statement"][4][
"Action"] == "s3:GetObject"
assert role_policies["012345678910"]["Statement"][4]["Resource"] == \
["arn:aws:s3:::historical-reports/historical-s3-report.json"]
# And without:
role_policies = {}
create_access_to_reports(role_policies, "012345678910")
assert len(role_policies["012345678910"]["Statement"]) == 1
assert role_policies["012345678910"]["Statement"][0][
"Sid"] == "HistoricalS3Reports"
assert role_policies["012345678910"]["Statement"][0]["Effect"] == "Allow"
assert role_policies["012345678910"]["Statement"][0][
"Action"] == "s3:GetObject"
assert role_policies["012345678910"]["Statement"][0]["Resource"] == \
["arn:aws:s3:::historical-reports/historical-s3-report.json"]
def test_create_s3_role_policies(buckets_same_account_mapping):
role_policies = create_s3_role_policies(
collect_policies(buckets_same_account_mapping))
test_arns = {
"list":
["arn:aws:s3:::test-bucket-one", "arn:aws:s3:::test-bucket-two"],
"get": [
"arn:aws:s3:::test-bucket-one/some/path/*",
"arn:aws:s3:::test-bucket-two/*"
],
"put": ["arn:aws:s3:::test-bucket-one/some/path/*"],
"delete": ["arn:aws:s3:::test-bucket-one/some/path/*"]
}
assert len(role_policies) == 1
assert len(role_policies["012345678910"]["Statement"]) == 4
for s in role_policies["012345678910"]["Statement"]:
# Verify that the Sid is correct:
perm = s["Sid"].lower()
assert test_arns.get(perm)
# Verify all the correct S3 permissions are present for the given policy
assert len(s["Action"]) == len(S3_PERMISSIONS[perm])
for p in S3_PERMISSIONS[perm]:
assert p in s["Action"]
# Verify all the ARNs are present:
assert len(s["Resource"]) == len(test_arns[perm])
for a in test_arns[perm]:
assert a in s["Resource"]
def test_collect_policies(buckets_same_account_mapping):
collected_policies = collect_policies(buckets_same_account_mapping)
list_arns = [
"arn:aws:s3:::test-bucket-one", "arn:aws:s3:::test-bucket-two"
]
get_arns = [
"arn:aws:s3:::test-bucket-one/some/path/*",
"arn:aws:s3:::test-bucket-two/*"
]
put_delete_arn = "arn:aws:s3:::test-bucket-one/some/path/*"
assert len(collected_policies["012345678910"]) == 4
assert len(collected_policies["012345678910"]["list"]) == len(list_arns)
for list_arn in list_arns:
assert list_arn in collected_policies["012345678910"]["list"]
assert len(collected_policies["012345678910"]["get"]) == len(get_arns)
for get_arn in get_arns:
assert get_arn in collected_policies["012345678910"]["get"]
assert len(collected_policies["012345678910"]["put"]) == 1
assert collected_policies["012345678910"]["put"].pop() == put_delete_arn
assert len(collected_policies["012345678910"]["delete"]) == 1
assert collected_policies["012345678910"]["delete"].pop() == put_delete_arn
def test_update_source_assume_role_policy(iam, sts, existing_role, config,
buckets_cross_account_mapping):
role_policies = create_s3_role_policies(
collect_policies(buckets_cross_account_mapping))
update_source_assume_role_policy(role_policies, "someApp",
"someAppInstanceProfile", "012345678910")
# Verify:
policies = iam.get_role_policy(RoleName="someAppInstanceProfile",
PolicyName=CONFIG.sts_policy_name)
assert len(policies["PolicyDocument"]["Statement"]) == 1
assert policies["PolicyDocument"]["Statement"][0]["Resource"][0] == "arn:aws:iam::012345678911" \
":role/someApp-012345678910"
def test_update_instance_profile_s3_permissions(iam, sts, existing_role,
buckets_same_account_mapping,
config):
role_policies = create_s3_role_policies(
collect_policies(buckets_same_account_mapping))
update_instance_profile_s3_permissions(role_policies, "someApp",
"someAppInstanceProfile",
"012345678910")
# Verify:
policies = iam.get_role_policy(RoleName="someAppInstanceProfile",
PolicyName=CONFIG.bucket_snake_policy_name)
assert len(policies["PolicyDocument"]["Statement"]) == 4
def test_create_destination_roles(iam, sts, config,
buckets_cross_account_mapping):
role_policies = create_s3_role_policies(
collect_policies(buckets_cross_account_mapping))
create_destination_roles(role_policies, "someApp",
"someAppInstanceProfile", "012345678910")
# Verify:
role = iam.get_role(RoleName="someApp-012345678910")
assert role
assert role["Role"]["AssumeRolePolicyDocument"]["Statement"][0] \
["Principal"]["AWS"] == format_role_arn("someAppInstanceProfile", "012345678910")
policies = iam.get_role_policy(RoleName="someApp-012345678910",
PolicyName=CONFIG.bucket_snake_policy_name)
assert len(policies["PolicyDocument"]["Statement"]) == 2
def main_logic(request_data):
"""
The main logic for the Lambda. This assumes that the input request has been properly validated.
This means that all buckets requested exist and are properly permissible.
:param request_data:
:return:
"""
# STEP 1: VERIFY THAT SOURCE IAM ROLES EXISTS #
log.debug("[~] Checking if the source IAM role: {} exists in {}...".format(
request_data["role_name"], request_data["account_number"]))
iam_client = get_iam_client(request_data["account_number"])
if not check_for_role(request_data["role_name"], iam_client):
log.debug(
"[X] Source IAM role does NOT exist. That must be created first before this lambda is called."
)
raise SourceRoleDoesNotExistException(
"Source IAM Role: {} does not exist. This must exist before running "
"this script.".format(request_data["role_name"]))
# STEP 2: BUILD THE S3 PERMISSIONS MATRIX #
# Need to determine which buckets are in the same account, and which are not
log.debug("[~] Building the account->bucket mapping...")
buckets_same, buckets_cross = build_bucket_account_mapping(request_data)
log.debug("[+] Completed the account->bucket mapping.")
# Calculate the S3 permissions that are required:
log.debug("[~] Calculating the same account S3 permissions required...")
policies_same_account = create_s3_role_policies(
collect_policies(buckets_same))
log.debug("[+] Completed calculation of same account S3 permissions.")
log.debug(
"[~] Determining the permissions for access to the historical S3 reports..."
)
create_access_to_reports(policies_same_account,
request_data["account_number"])
log.debug(
"[+] Completed calculation of permissions for historical S3 reports.")
log.debug("[~] Calculating the cross-account S3 permissions required...")
policies_cross_account = create_s3_role_policies(
collect_policies(buckets_cross))
log.debug("[+] Completed calculation of cross-account S3 permissions.")
# STEP 3: CREATE ROLES AND GRANT THE PERMISSIONS #
# Grant the same-account access:
log.debug("[~] Updating the source role ({source_role})'s S3 permissions "
"(in account: {source_account})...".format(
source_role=request_data["app_name"],
source_account=request_data["account_number"]))
update_instance_profile_s3_permissions(policies_same_account,
request_data["app_name"],
request_data["role_name"],
request_data["account_number"])
log.debug("[+] Updated the source role ({})'s S3 Permissions.".format(
request_data["app_name"]))
# Create the cross-account roles:
log.debug("[~] Creating the destination roles...")
create_destination_roles(policies_cross_account, request_data["app_name"],
request_data["role_name"],
request_data["account_number"])
log.debug("[+] Completed destination role creation...")
# Update the assume role permissions:
log.debug("[~] Updating the source role's role assumption permissions...")
update_source_assume_role_policy(policies_cross_account,
request_data["app_name"],
request_data["role_name"],
request_data["account_number"])
log.debug(
"[+] Completed updating the source role's role assumption permissions..."
)
# DONE!
log.info(
"[+] Permissionsss fixed for sssource role: {source}, app: {app}, account: {account}!"
.format(source=request_data["role_name"],
app=request_data["app_name"],
account=request_data["account_number"]))