def create_iam_group(stack, group_name, managed_policies=()):
    """Add an IAM ``Group`` resource to ``stack.stack`` and return it.

    Args:
        stack: wrapper whose ``stack`` attribute exposes ``add_resource``
            (presumably a troposphere ``Template`` -- confirm at the caller).
        group_name: used both as the resource's logical id and as its
            physical ``GroupName``.
        managed_policies: policy names that are appended to the fixed prefix
            ``arn:aws:iam::aws:policy/``. Only AWS-managed policies in the
            ``aws`` partition can be expressed this way; customer-managed
            policies or other partitions (GovCloud, China) cannot be attached
            through this helper.

    Returns:
        Whatever ``stack.stack.add_resource`` returns for the new ``Group``.
    """
    def to_managed_arn(policy):
        # Same formatting as str.format: non-str names are coerced, not rejected.
        return 'arn:aws:iam::aws:policy/%s' % (policy,)

    managed_policy_arns = list(map(to_managed_arn, managed_policies))
    group = Group(group_name,
                  GroupName=group_name,
                  ManagedPolicyArns=managed_policy_arns)
    return stack.stack.add_resource(group)
def add_group(c, GroupName, model, named=False):
    """Add an IAM ``Group`` resource, plus an exported ARN output when
    enabled, to the template of the current account.

    Args:
        c: context object. Reads ``c.template[c.current_account]`` (target
            template), ``c.config['global']['template_outputs']`` (whether the
            ARN ``Output`` is emitted) and is passed through to
            ``parse_managed_policies``.
        GroupName: the IAM group name. The CloudFormation logical id is
            ``scrub_name(GroupName + "Group")``.
        model: mapping describing the group. Recognised keys are
            ``managed_policies`` (handed to ``parse_managed_policies``) and
            ``retain_on_delete`` (only an explicit ``True`` sets
            ``DeletionPolicy: Retain``).
        named: when True the physical ``GroupName`` is set; otherwise
            CloudFormation generates the name.
    """
    cfn_name = scrub_name(GroupName + "Group")
    properties = {"Path": "/", "ManagedPolicyArns": [], "Policies": []}

    if named:
        properties["GroupName"] = GroupName
    if "managed_policies" in model:
        properties["ManagedPolicyArns"] = parse_managed_policies(
            c, model["managed_policies"], GroupName)
    # Anything other than a literal True (e.g. "yes") is ignored on purpose.
    if "retain_on_delete" in model and model["retain_on_delete"] is True:
        properties["DeletionPolicy"] = "Retain"

    template = c.template[c.current_account]
    # NOTE(review): the resource title is scrub_name(cfn_name) while the
    # output below references cfn_name; these only agree if scrub_name is
    # idempotent -- confirm.
    template.add_resource(Group(scrub_name(cfn_name), **properties))

    if c.config['global']['template_outputs'] == "enabled":
        arn_output = Output(
            cfn_name + "Arn",
            Description="Group " + GroupName + " ARN",
            Value=GetAtt(cfn_name, "Arn"),
            Export=Export(Sub("${AWS::StackName}-" + cfn_name + "Arn")),
        )
        template.add_output([arn_output])
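def __init__(self, affiliatename, defaulttemplate=False):
    """Create a template holding one private S3 bucket and one IAM group
    (with an inline policy) for a single affiliate.

    Args:
        affiliatename: identifier for the affiliate. It is used verbatim as
            the S3 ``BucketName`` and as the prefix of the policy and group
            names, so it has to be all lowercase (S3 bucket names must be);
            a mixed-case value is rejected here instead of failing later at
            stack creation.
        defaulttemplate: when falsy (the default) a fresh ``Template`` with
            the serverless transform is built. The truthy path is not
            implemented; the original body was a bare string expression that
            silently left the instance without any attributes, so it now
            raises ``NotImplementedError``.

    Raises:
        ValueError: if ``affiliatename`` is not all lowercase.
        NotImplementedError: if ``defaulttemplate`` is truthy.
    """
    if defaulttemplate:
        raise NotImplementedError(
            'Implement me! and remember to implement getting of '
            'resources as attributes!')
    if affiliatename != affiliatename.lower():
        raise ValueError(
            'affiliatename must be all lowercase (it is used as the S3 '
            'bucket name): ' + repr(affiliatename))

    self.template = Template()
    ## Update the template to accept serverless functions.
    self.template.set_transform('AWS::Serverless-2016-10-31')
    self.affiliatename = affiliatename

    ## Logical name of the bucket resource; the physical bucket name is the
    ## affiliate name itself, created with a private ACL.
    self.bucket_logname = 'UserBucket' + affiliatename
    bucket = Bucket(self.bucket_logname,
                    AccessControl='Private',
                    BucketName=affiliatename)
    self.bucket = self.template.add_resource(bucket)

    ## Inline policy for this affiliate; its document comes from
    ## customize_userpolicy().
    policy = Policy(PolicyDocument=self.customize_userpolicy(),
                    PolicyName=self.affiliatename + 'policy')

    ## IAM group carrying that policy. users/usercount presumably track
    ## members added later by another method -- confirm.
    self.group_logname = 'UserGroup' + affiliatename
    self.groupname = self.affiliatename + 'group'
    usergroup = Group(self.group_logname,
                      GroupName=self.groupname,
                      Policies=[policy])
    self.usergroup = self.template.add_resource(usergroup)
    self.users = []
    self.usercount = 0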
def generate_usergroup(self, affiliatedict):
    """Create an IAM group for one affiliate and register it on the template.

    Args:
        affiliatedict: mapping with at least an ``"AffiliateName"`` key; the
            whole mapping is forwarded to ``self.customize_userpolicy`` to
            build the group's inline policy document.

    Returns:
        The ``Group`` as returned by ``self.template.add_resource``.
    """
    affiliatename = affiliatedict["AffiliateName"]
    policy_document = self.customize_userpolicy(affiliatedict)
    inline_policy = Policy(PolicyDocument=policy_document,
                           PolicyName=affiliatename + 'policy')
    # Logical id and physical GroupName are both derived from the affiliate.
    usergroup = Group("UserGroup" + affiliatename,
                      GroupName=affiliatename + "group",
                      Policies=[inline_policy])
    return self.template.add_resource(usergroup)
Group( "ClientGroup", Policies=[{ "PolicyName": "ClientGroupPolicy", "PolicyDocument": { "Statement": [{ "Action": "*", "Resource": "*", "Effect": "Allow", "Sid": "AllowAll" }, { "Action": ["aws-portal:ViewBilling", "aws-portal:ViewUsage"], "Resource": "*", "Effect": "Deny", "Sid": "DenyBilling" }, { "Action": ["ec2:PurchaseReservedInstancesOffering"], "Resource": "*", "Effect": "Deny", "Sid": "DenyPurchaseReservedInstancesOffering" }, { "Action": ["rds:PurchaseReservedDBInstancesOffering"], "Resource": "*", "Effect": "Deny", "Sid": "DenyPurchaseReservedDBInstancesOffering" }, { "Action": ["redshift:PurchaseReservedNodeOffering"], "Resource": "*", "Effect": "Deny", "Sid": "DenyPurchaseReservedNodeOffering" }, { "Action": "cloudtrail:*", "Resource": "*", "Effect": "Deny", "Sid": "DenyCloudtrail" }, { "Action": [ "iam:AddRoleToInstanceProfile", "iam:AddUserToGroup", "iam:CreateAccessKey", "iam:CreateAccountAlias", "iam:CreateGroup", "iam:CreateInstanceProfile", "iam:CreateLoginProfile", "iam:CreateSAMLProvider", "iam:CreateUser", "iam:DeleteAccessKey", "iam:DeleteAccountAlias", "iam:DeleteAccountPasswordPolicy", "iam:DeleteGroup", "iam:DeleteGroupPolicy", "iam:DeleteInstanceProfile", "iam:DeleteLoginProfile", "iam:DeleteRole", "iam:DeleteRolePolicy", "iam:DeleteSAMLProvider", "iam:DeleteServerCertificate", "iam:DeleteSigningCertificate", "iam:DeleteUser", "iam:DeleteUserPolicy", "iam:DeleteVirtualMFADevice", "iam:GetAccountPasswordPolicy", "iam:GetAccountSummary", "iam:GetGroup", "iam:GetGroupPolicy", "iam:GetInstanceProfile", "iam:GetLoginProfile", "iam:GetSAMLProvider", "iam:GetServerCertificate", "iam:GetUser", "iam:GetUserPolicy", "iam:ListAccessKeys", "iam:ListAccountAliases", "iam:ListGroupPolicies", "iam:ListGroups", "iam:ListGroupsForUser", "iam:ListInstanceProfiles", "iam:ListInstanceProfilesForRole", "iam:ListSAMLProviders", "iam:ListServerCertificates", "iam:ListSigningCertificates", "iam:ListUserPolicies", "iam:PutGroupPolicy", "iam:PutRolePolicy", 
"iam:PutUserPolicy", "iam:RemoveRoleFromInstanceProfile", "iam:RemoveUserFromGroup", "iam:UpdateAccessKey", "iam:UpdateAccountPasswordPolicy", "iam:UpdateAssumeRolePolicy", "iam:UpdateGroup", "iam:UpdateLoginProfile", "iam:UpdateSAMLProvider", "iam:UpdateServerCertificate", "iam:UpdateSigningCertificate", "iam:UpdateUser", "iam:UploadServerCertificate", "iam:UploadSigningCertificate" ], "Resource": ["*"], "Effect": "Deny", "Sid": "DenyIAM" }, { "Action": "s3:*", "Resource": "arn:aws:s3:::shelter-mutual-cloudtrail-us-east-1", "Effect": "Deny", "Sid": "DenyS3CloudtrailBucket" }, { "Action": "s3:*", "Resource": Join("", [ "arn:aws:s3:::shelter-mutual-cloudtrail-us-east-1", "/*" ]), "Effect": "Deny", "Sid": "DenyS3CloudtrailObjects" }] } }], ))
Parameter( "GroupParam", Type="String", Description="New IAM Group Name", )) RegionParam = t.add_parameter( Parameter( "RegionParam", Type="String", Description="Region Constraint for IAM", )) ### -- Resources IAMGroup = t.add_resource(Group( "IAMGroup", GroupName=Ref(GroupParam), )) IAMPolicies = t.add_resource( PolicyType( "IAMPolicies", PolicyName=Ref(RoleParam), Groups=[Ref(GroupParam)], PolicyDocument={ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "ec2:*", "s3:*", "rds:*", "elasticsearch:*", "sqs:*",
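"""Generating CloudFormation template."""
from troposphere import (
    Template,
)
from troposphere.iam import (
    Group,
)

t = Template()
t.add_description("Effective DevOps in AWS: User Groups")

# Members of this group get the AWS-managed AdministratorAccess policy,
# i.e. unrestricted permissions on every service in the account; membership
# should be reviewed as carefully as root-equivalent access.
t.add_resource(
    Group(
        "Admins",
        GroupName="Admins",
        ManagedPolicyArns=["arn:aws:iam::aws:policy/AdministratorAccess"],
    ))

# print() with one argument behaves the same on Python 2 and 3; the original
# ``print t.to_json()`` statement is a SyntaxError on Python 3.
print(t.to_json())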
Group, LoginProfile, PolicyType, User, UserToGroupAddition, ) t = Template() t.set_description("AWS CloudFormation Sample Template: This template " "demonstrates the creation of IAM User/Group.") cfnuser = t.add_resource( User("CFNUser", LoginProfile=LoginProfile(Password="******"))) cfnusergroup = t.add_resource(Group("CFNUserGroup")) cfnadmingroup = t.add_resource(Group("CFNAdminGroup")) cfnkeys = t.add_resource( AccessKey("CFNKeys", Status="Active", UserName=Ref(cfnuser))) users = t.add_resource( UserToGroupAddition( "Users", GroupName=Ref(cfnusergroup), Users=[Ref(cfnuser)], )) admins = t.add_resource( UserToGroupAddition( "Admins",
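#!/usr/bin/env python
"""Generating CloudFormation template."""
from troposphere import (
    Template
)
from troposphere.iam import (
    Group
)

t = Template()
t.add_description("Effective DevOps in AWS: User Groups")

# Members of this group get the AWS-managed AdministratorAccess policy,
# i.e. unrestricted permissions on every service in the account; membership
# should be reviewed as carefully as root-equivalent access.
t.add_resource(Group(
    "Admins",
    GroupName="Admins",
    ManagedPolicyArns=[
        "arn:aws:iam::aws:policy/AdministratorAccess"
    ]
))

# print() with one argument behaves the same on Python 2 and 3; the original
# ``print t.to_json()`` statement is a SyntaxError on Python 3.
print(t.to_json())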
Queue("OutboundDev", QueueName="OutboundDev.fifo", ReceiveMessageWaitTimeSeconds=20, FifoQueue=True)) addqueue = t.add_resource( Queue("Adding", QueueName="AddingDev.fifo", ReceiveMessageWaitTimeSeconds=20, FifoQueue=True)) mirrorqueue = t.add_resource( Queue("Mirroring", QueueName="MirroringDev.fifo", ReceiveMessageWaitTimeSeconds=20, FifoQueue=True)) queue_dev_group = t.add_resource(Group("QueueDevGroup")) t.add_resource( PolicyType("QueueDevPolicies", PolicyName="QueueDevUsers", Groups=[Ref(queue_dev_group)], PolicyDocument={ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sqs:SendMessage", "sqs:DeleteMessage", "sqs:PurgeQueue",
"Resource": ["*"], "Condition": { "StringLike": { "iam:PassedToService": "ecs-tasks.amazonaws.com" } } }] }) ])) # Build Account Permissions # It's useful for the CI to be able to update services upon build, there # is a service account with keys that will be exposed to CI for allowing # redeployment of services. ksp_builder_group = t.add_resource(Group("KspCkanBuilderGroup")) builder_services = [] for service in ['Indexer', 'Inflator', 'Webhooks', 'Adder', 'Mirrorer']: builder_services.append( Sub( 'arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:service/NetKANCluster/${service}', service=GetAtt('{}Service'.format(service), 'Name'), )) t.add_resource( PolicyType("KspCkanBuilderRole", PolicyName="KspCkanBuilder", Groups=[Ref(ksp_builder_group)], PolicyDocument={ "Version": "2012-10-17", "Statement": [
Condition, NumericGreaterThan, Deny, Null, Policy, Statement, ) t = Template() t.add_description("Effective DevOps in AWS: User Groups") t.add_resource( Group( "Admins", GroupName="Admins", ManagedPolicyArns=["arn:aws:iam::aws:policy/AdministratorAccess"], )) t.add_resource( ManagedPolicy( "CommonIamPolicy", Description="Common policy to manage IAM resources", PolicyDocument=Policy( Version="2012-10-17", Statement=[ Statement(Effect=Allow, Action=[ Action("iam", "GetAccountPasswordPolicy"), Action("iam", "ListUsers"), Action("iam", "ListMFADevices"),
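def create_template(self):
    """Render the IAM template for ``self.template_type`` and return the path
    of a temporary ``.rdr`` file holding its JSON.

    Supported types:
      * ``project_role``: an IAM group plus a customer-managed policy
        attached to that group.
      * ``project_role_jump_account``: the same managed policy and an IAM
        group, but the policy is not attached to the group, and the
        ``Resources`` key is dropped from ``self._config['parameters']``.

    Both variants take their statements from ``self.create_policy_document()``
    and additionally write ``<self.cwd>/template.json`` unless that file
    already exists or ``self._config['environment']['template']`` is truthy.
    Any other type prints a message and exits with status 1.

    Side effects: writes a temp file that is never deleted (``delete=False``),
    may write ``template.json``, and removes ``meta-parameters`` from
    ``self._config``. Debug output goes to stdout when ``self.debug`` is set.

    Returns:
        str: path of the temporary file containing the rendered template.
    """

    def add_common_parameters(template):
        """Declare the parameters shared by both template types and return
        the three that resources actually reference."""
        namespace = template.add_parameter(
            Parameter(
                "IAMNamespace",
                Description="Namespace for IAM users, policies, etc.",
                Type="String",
                Default="/"))
        upper_env = template.add_parameter(
            Parameter(
                "UppercaseAwsEnvironmentPrefix",
                Description="Uppercase abbreviation for AWS account (i.e. DEV,QA,PROD)",
                Type="String"))
        # The following parameters are declared so the template keeps exposing
        # them, although no resource below references them.
        template.add_parameter(
            Parameter(
                "LowercaseAwsEnvironmentPrefix",
                Description="Lowercase abbreviation for AWS account (i.e. dev,qa,prod)",
                Type="String"))
        template.add_parameter(
            Parameter("AccountNumber",
                      Description="AWS Account Number",
                      Type="String"))
        upper_project = template.add_parameter(
            Parameter("UppercaseProjectName",
                      Description="Uppercase Project Name",
                      Type="String"))
        template.add_parameter(
            Parameter("LowercaseProjectName",
                      Description="Lowercase Project Name",
                      Type="String"))
        return namespace, upper_env, upper_project

    def write_template(template):
        """Write the rendered JSON to a temp file (and to template.json when
        allowed) and return the temp file path."""
        if self.debug:
            print(template.to_json())
        rendered = template.to_json()
        with tempfile.NamedTemporaryFile(mode='w', suffix='.rdr',
                                         delete=False) as tmp:
            tmp.write(rendered)
        self._config.pop('meta-parameters', None)
        target = self.cwd + '/template.json'
        if (not os.path.exists(target)
                and not self._config['environment']['template']):
            # The with-block closes the file; no explicit close() needed.
            with open(target, 'w') as out:
                out.write(rendered)
        elif self.debug:
            print('Not creating template.json')
        return tmp.name

    if self.template_type == 'project_role':
        template = Template()
        namespace, upper_env, upper_project = add_common_parameters(template)
        group_name = Join('-', [Ref(upper_env), Ref(upper_project)])
        pd = PolicyDocument(Version="2012-10-17",
                            Id="Account-Permissions",
                            Statement=self.create_policy_document())
        iam_group = template.add_resource(
            Group('IamGroup',
                  Path=Ref(namespace),
                  GroupName=group_name))
        # Ref() of an AWS::IAM::Group resolves to the group name, which is
        # what ManagedPolicy.Groups expects; unlike rebuilding the name with
        # Join it also records a dependency, so CloudFormation creates the
        # group before trying to attach the policy to it.
        template.add_resource(
            ManagedPolicy("ManagedPolicy",
                          Description=Join('-', [
                              Ref(upper_env),
                              Ref(upper_project),
                              'project'
                          ]),
                          Groups=[Ref(iam_group)],
                          ManagedPolicyName=group_name,
                          Path=Ref(namespace),
                          PolicyDocument=pd))
        return write_template(template)

    elif self.template_type == 'project_role_jump_account':
        self._config['parameters'].pop('Resources', None)
        template = Template()
        namespace, upper_env, upper_project = add_common_parameters(template)
        group_name = Join('-', [Ref(upper_env), Ref(upper_project)])
        pd = PolicyDocument(Version="2012-10-17",
                            Statement=self.create_policy_document())
        template.add_resource(
            ManagedPolicy('ManagedPolicy',
                          Description=Join('-', [
                              Ref(upper_env),
                              Ref(upper_project),
                              'project'
                          ]),
                          PolicyDocument=pd,
                          ManagedPolicyName=group_name,
                          Path=Ref(namespace)))
        # NOTE(review): the policy is not attached to this group and the group
        # has no Path, unlike the project_role variant -- confirm intended.
        template.add_resource(Group("Group", GroupName=group_name))
        tmp_name = write_template(template)
        if self.debug:
            print('template file is: ' + str(tmp_name))
        return tmp_name

    else:
        print('incorrect template type')
        sys.exit(1)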
from troposphere import Template
from troposphere.iam import Group

# AWS-managed job-function policy attached to the group below; the template
# grants nothing beyond what that managed policy itself allows.
VIEW_ONLY_POLICY_ARN = "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"

t = Template()
# Logical id only; CloudFormation generates the physical group name.
view_group = t.add_resource(
    Group("ViewOnlyGroup", ManagedPolicyArns=[VIEW_ONLY_POLICY_ARN]))
print(t.to_json())