Example #1
0
 def update_iam(self):
     aws = self.model.aws
     if self.model.okta.users:
         policy = iam.Policy(
             "sari",
             name="SARIPolicy",
             description=MANAGED_BY_SARI_NOTICE,
             policy=_aws_make_policy(
                 [{
                     "Effect": "Allow",
                     "Action": "rds-db:connect",
                     "Resource":
                     f"arn:aws:rds-db:*:{aws.account}:dbuser:*/{login}",
                     "Condition": {
                         "StringEquals": {
                             "aws:PrincipalTag/User": login
                         }
                     },
                 } for login, user in self.model.okta.users.items()
                  if user.status == "ACTIVE" and user.permissions]))
         iam.RolePolicyAttachment("sari",
                                  role=SARI_ROLE_NAME,
                                  policy_arn=policy.arn)
Example #2
0
                    "2012-10-17",
                    "Statement": [{
                        "Action": "sts:AssumeRole",
                        "Principal": {
                            "Service": "appsync.amazonaws.com"
                        },
                        "Effect": "Allow",
                    }]
                }))

policy = iam.Policy(
    "iam-policy",
    policy=table.arn.apply(lambda arn: json.dumps({
        "Version":
        "2012-10-17",
        "Statement": [{
            "Action": ["dynamodb:PutItem", "dynamodb:GetItem"],
            "Effect": "Allow",
            "Resource": [arn]
        }]
    })))

attachment = iam.RolePolicyAttachment("iam-policy-attachment",
                                      role=role,
                                      policy_arn=policy.arn)

## GraphQL Schema
schema = """
type Query {
        getTenantById(id: ID!): Tenant
    }
Example #3
0
                     scripts_bucket=infra.scripts_bucket,
                     scripts_version=SCRIPTS_VERSION,
                     datalake_bucket=infra.datalake_bucket,
                     dist_dir=dist_dir,
                     tags=tags)

# get job dependencies for building iam policies
with open(os.path.join(glue_notification_dist_dir,
                       'job_dependencies.json')) as f:
    job_dependencies = json.load(f)

# create iam policy for glue etl jobs
etl_job_policy = iam.Policy(
    'etl-job-policy',
    description=f"",
    path='/glue/',
    policy=pulumi.Output.all(
        infra.datalake_bucket.arn, infra.scripts_bucket.arn).apply(
            lambda buckets: etljob_policy(buckets[0], buckets[1])))

# create etljobs, map by job name
gluejobs: Dict[str, GlueEtlJob] = {}
for importer, modname, ispkg in pkgutil.walk_packages(path=jobsdir.__path__,
                                                      prefix='jobs.'):
    if not ispkg:
        jobname = '.'.join(modname.split('.')[1:-1])

        job_dependency = job_dependencies[
            jobname] if jobname in job_dependencies else None
        if not job_dependency:
            raise Exception(
Example #4
0
from storage import bucket

env = pulumi.get_stack()

# Create a policy with r/w permissions to our data bucket
jsonPolicy = bucket.arn.apply(lambda arn: json.dumps({
    "Version":
    "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
        "Resource": "arn:aws:s3:::*"
    }, {
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": [f"{arn}", f"{arn}/*"]
    }]
}))

policy = iam.Policy(f"nextcloud-policy-{env}", policy=jsonPolicy)

# Create a user
user = iam.User(f"nextcloud-S3-user-{env}", name=f"nextcloud-s3-user-{env}")

userAccessKey = iam.AccessKey(f"nextcloud-user-access-key-{env}", user=user.id)

# Attach the policy to the user
iam.PolicyAttachment(f"nextcloud-policy-attachment-{env}",
                     policy_arn=policy.arn,
                     users=[user.id])
Example #5
0
    def __init__(
        self,
        name,
        vpc_environment: VPC,
        efs_environment: EFS,
        github_repo_name: Input[str],
        github_version_name: Input[str] = None,
        opts=None,
    ):
        super().__init__("nuage:aws:DevelopmentEnvironment:CodeBuild",
                         f"{name}CodebuildEnvironment", None, opts)

        # TODO pass this in - with a default?
        def get_codebuild_serice_role_policy():
            return {
                "Version": "2012-10-17",
                "Statement": [{
                    "Action": "*",
                    "Effect": "Allow",
                    "Resource": "*"
                }]
            }

        account_id = get_caller_identity().account_id

        #TODO add random chars on the end of default name to prevent conflicts
        project_name = f"{name}BuildDeploy"

        pulumi_token_param = ssm.Parameter(f"{name}PulumiAccessToken",
                                           type="SecureString",
                                           value="none")

        codebuild_vpc_policy = iam.Policy(
            f"{name}CodeBuildVpcPolicy",
            policy=get_codebuild_vpc_policy(
                account_id,
                vpc_environment.private_subnet.id).apply(json.dumps))

        codebuild_base_policy = iam.Policy(f"{name}CodeBuildBasePolicy",
                                           policy=json.dumps(
                                               get_codebuild_base_policy(
                                                   account_id, project_name)))

        codebuild_service_role_policy = iam.Policy(
            f"{name}CodeBuildServiceRolePolicy",
            policy=json.dumps(get_codebuild_serice_role_policy()))

        codebuild_service_role = iam.Role(f"{name}CodeBuildRole",
                                          assume_role_policy="""{
        "Version": "2012-10-17",
        "Statement": [
            {
            "Effect": "Allow",
            "Principal": {
                "Service": "codebuild.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
            }
        ]
        }""")

        codebuild_vpn_policy_attach = iam.PolicyAttachment(
            f"{name}CodeBuildVpnAttachment",
            policy_arn=codebuild_vpc_policy.arn,
            roles=[codebuild_service_role.name])

        codebuild_base_policy_attach = iam.PolicyAttachment(
            f"{name}CodeBuildBaseAttachment",
            policy_arn=codebuild_base_policy.arn,
            roles=[codebuild_service_role.name])

        codebuild_service_role_policy_attach = iam.PolicyAttachment(
            f"{name}CodeBuildServiceRoleAttachment",
            policy_arn=codebuild_service_role_policy.arn,
            roles=[codebuild_service_role.name])

        codebuild_project = codebuild.Project(
            f"{name}CodeBuildProject",
            description="Builds and deploys the stack",
            name=project_name,
            vpc_config={
                "vpc_id": vpc_environment.vpc.id,
                "subnets": [vpc_environment.private_subnet],
                "security_group_ids": [vpc_environment.security_group.id]
            },
            source={
                "type": "GITHUB",
                "location": github_repo_name
            },
            source_version=github_version_name,
            artifacts={"type": "NO_ARTIFACTS"},
            environment={
                "image":
                "aws/codebuild/amazonlinux2-x86_64-standard:2.0",
                "privileged_mode":
                True,
                "type":
                "LINUX_CONTAINER",
                "compute_type":
                "BUILD_GENERAL1_SMALL",
                "environment_variables": [{
                    "name": "PULUMI_ACCESS_TOKEN",
                    "type": "PARAMETER_STORE",
                    "value": pulumi_token_param.name
                }, {
                    "name":
                    "FILESYSTEM_ID",
                    "type":
                    "PLAINTEXT",
                    "value":
                    efs_environment.file_system_id
                }]
            },
            service_role=codebuild_service_role.arn,
            opts=ResourceOptions(depends_on=[vpc_environment]))

        outputs = {"pulumi_token_param_name": pulumi_token_param.name}

        self.set_outputs(outputs)
Example #6
0
import pulumi
from pulumi_aws import secretsmanager, iam

from iam.policy import get_identity_policy_document, get_assume_role_policy_document, \
    get_secret_resource_policy_document

noaccess_role = iam.Role("noaccess-role",
                         name="NoAccessRole",
                         assume_role_policy=get_assume_role_policy_document())

trusted_role = iam.Role("trusted-role",
                        name="TrustedRole",
                        assume_role_policy=get_assume_role_policy_document())

identity_policy = iam.Policy("identity-policy",
                             name="IdentityPolicy",
                             policy=get_identity_policy_document())

noaccess_role_attachment = iam.RolePolicyAttachment(
    "noaccess-role-attachment",
    role=noaccess_role,
    policy_arn=identity_policy.arn)

trusted_role_attachment = iam.RolePolicyAttachment(
    "trusted-role-attachment",
    role=trusted_role,
    policy_arn=identity_policy.arn)

secret_resource_policy_document = trusted_role.unique_id.apply(
    lambda it: get_secret_resource_policy_document(it))
Example #7
0
                             role=role.id,
                             policy=json.dumps({
                                 "Version":
                                 "2012-10-17",
                                 "Statement": [{
                                     "Action": ["ec2:Describe*"],
                                     "Effect": "Allow",
                                     "Resource": "*"
                                 }]
                             }))

policy = iam.Policy("mypolicy",
                    policy=json.dumps({
                        "Version":
                        "2012-10-17",
                        "Statement": [{
                            "Action": ["ec2:Describe*"],
                            "Effect": "Allow",
                            "Resource": "*"
                        }]
                    }))

role_policy_attachment = iam.RolePolicyAttachment("myrolepolicyattachment",
                                                  role=role.id,
                                                  policy_arn=policy.arn)

user = iam.User("myuser")

group = iam.Group("mygroup")

## Kinesis
stream = kinesis.Stream("mystream", shard_count=1)
Example #8
0
    "Statement": [
        {
            "Sid": "cwTrust",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {
                "Service": "vpc-flow-logs.amazonaws.com"
            }
        }
    ]
}
"""

policy = iam.Policy(
    f"{APP}-flowlog-policy",
    name=f"{APP}-flowlog",
    path="/",
    policy=policy_doc
)

role = iam.Role(
    f"{APP}-flowlog-role",
    assume_role_policy=assume_role_policy_doc,
    name=f"{APP}-flowlog-role",
    path="/",
    tags={
        'Name': f"{APP}-flowlog-role",
        'Environment': _env
    }
)

attach_info = Output.all(role.name, policy.arn)
Example #9
0
    def __init__(self,
                 name,
                 tags: Dict[str, str] = None,
                 opts: pulumi.ResourceOptions = None):
        super().__init__('hca:DatalakeInfra', name, None, opts)

        aws_region = pulumi.Config('aws').get('region')

        self.tags = tags if tags is None else {}

        identity = get_caller_identity()
        self.kms_key = kms.Key(
            f"{name}-kms-key",
            description="kms key for encryption of datalake",
            policy=key_policy(identity.account_id, aws_region),
            tags=self.tags,
            opts=pulumi.ResourceOptions(parent=self))

        alias = kms.Alias(f"{name}-kms-key-alias",
                          target_key_id=self.kms_key.id,
                          name=f"alias/hca/{name}",
                          opts=pulumi.ResourceOptions(
                              parent=self, delete_before_replace=True))

        # create datalake bucket
        self.datalake_bucket = s3.Bucket(
            f"{name}-bucket",
            lifecycle_rules=datalake_lifecycle_rules(),
            server_side_encryption_configuration={
                'rule': {
                    'applyServerSideEncryptionByDefault': {
                        'kmsMasterKeyId': self.kms_key.arn,
                        'sseAlgorithm': 'aws:kms'
                    }
                }
            },
            versioning={'enabled': True},
            tags=self.tags,
            opts=pulumi.ResourceOptions(parent=self))

        s3.BucketPolicy(
            f"{name}-bucket-policy",
            bucket=self.datalake_bucket,
            policy=pulumi.Output.all(
                self.datalake_bucket.bucket,
                self.kms_key.arn).apply(lambda p: bucket_policy(p[0], p[1])),
            opts=pulumi.ResourceOptions(parent=self))

        s3.BucketPublicAccessBlock(f"{name}-access-block",
                                   bucket=self.datalake_bucket,
                                   block_public_acls=True,
                                   block_public_policy=True,
                                   ignore_public_acls=True,
                                   restrict_public_buckets=True,
                                   opts=pulumi.ResourceOptions(parent=self))

        # define folder paths for datalake bucket
        self.raw_location = self.datalake_bucket.bucket.apply(
            lambda b: f"s3://{b}/raw")
        self.mart_location = self.datalake_bucket.bucket.apply(
            lambda b: f"s3://{b}/mart")
        self.archive_location = self.datalake_bucket.bucket.apply(
            lambda b: f"s3://{b}/archive")
        self.delta_location = self.datalake_bucket.bucket.apply(
            lambda b: f"s3://{b}/delta")

        # create fileproc bucket
        self.fileproc_bucket = s3.Bucket(
            f"{name}-fileproc-bucket",
            lifecycle_rules=fileproc_lifecycle_rules(),
            server_side_encryption_configuration={
                'rule': {
                    'applyServerSideEncryptionByDefault': {
                        'kmsMasterKeyId': self.kms_key.arn,
                        'sseAlgorithm': 'aws:kms'
                    }
                }
            },
            versioning={'enabled': True},
            tags=self.tags,
            opts=pulumi.ResourceOptions(parent=self))

        s3.BucketPolicy(f"{name}-fileproc-bucket-policy",
                        bucket=self.fileproc_bucket,
                        policy=pulumi.Output.all(
                            self.fileproc_bucket.bucket,
                            self.kms_key.arn).apply(
                                lambda p: fileproc_bucket_policy(p[0], p[1])),
                        opts=pulumi.ResourceOptions(parent=self))

        s3.BucketPublicAccessBlock(f"{name}-fileproc-access-block",
                                   bucket=self.fileproc_bucket,
                                   block_public_acls=True,
                                   block_public_policy=True,
                                   ignore_public_acls=True,
                                   restrict_public_buckets=False,
                                   opts=pulumi.ResourceOptions(parent=self))

        # create scripts bucket
        self.scripts_bucket = s3.Bucket(
            f"{name}-script-bucket",
            server_side_encryption_configuration={
                'rule': {
                    'applyServerSideEncryptionByDefault': {
                        'kmsMasterKeyId': self.kms_key.arn,
                        'sseAlgorithm': 'aws:kms'
                    }
                }
            },
            versioning={'enabled': True},
            tags=self.tags,
            opts=pulumi.ResourceOptions(parent=self))

        s3.BucketPolicy(f"{name}-script-bucket-policy",
                        bucket=self.scripts_bucket,
                        policy=pulumi.Output.all(
                            self.scripts_bucket.bucket,
                            self.kms_key.arn).apply(
                                lambda p: scripts_bucket_policy(p[0], p[1])),
                        opts=pulumi.ResourceOptions(parent=self))

        s3.BucketPublicAccessBlock(f"{name}-script-access-block",
                                   bucket=self.scripts_bucket,
                                   block_public_acls=True,
                                   block_public_policy=True,
                                   ignore_public_acls=True,
                                   restrict_public_buckets=False,
                                   opts=pulumi.ResourceOptions(parent=self))

        # create dataclassification policies for getobject
        dataclassifications = ['pii', 'confidential', 'nonsensitive']

        self.policy_get_object_pii = iam.Policy(
            f"{name}-pii-policy",
            description="allow get access to pii data",
            policy=self.datalake_bucket.id.apply(
                lambda b: dataclassification_policy(b, dataclassifications)),
            path='/',
            opts=pulumi.ResourceOptions(parent=self))

        self.policy_get_object_confidential = iam.Policy(
            f"{name}-confidential-policy",
            description="allow get access to confidential data",
            policy=self.datalake_bucket.id.apply(
                lambda b: dataclassification_policy(b, dataclassifications[1:]
                                                    )),
            path='/',
            opts=pulumi.ResourceOptions(parent=self))

        self.policy_get_object_nonsensitive = iam.Policy(
            f"{name}-nonsensitive-policy",
            description="allow get access to nonsensitive data",
            policy=self.datalake_bucket.id.apply(
                lambda b: dataclassification_policy(b, dataclassifications[2:]
                                                    )),
            path='/',
            opts=pulumi.ResourceOptions(parent=self))

        # create kms policies
        self.policy_kms_full_usage = iam.Policy(
            f"{name}-iam-key-full-usage",
            description="allow encrypt/decrypt with datalake kms key",
            policy=self.kms_key.arn.apply(kms_usage_policy),
            path='/',
            opts=pulumi.ResourceOptions(parent=self))

        self.policy_kms_encrypt_only = iam.Policy(
            f"{name}-iam-key-encrypt-only",
            description="allow encrypt only with datalake kms key",
            policy=self.kms_key.arn.apply(kms_encrypt_policy),
            path='/',
            opts=pulumi.ResourceOptions(parent=self))

        # create policy for getting scripts
        self.policy_get_scripts = iam.Policy(
            f"{name}-get-scripts",
            description="allow get access glue scripts bucket",
            policy=self.scripts_bucket.bucket.apply(get_scripts_policy),
            path='/',
            opts=pulumi.ResourceOptions(parent=self))

        # get glue service policy (create custom one later)
        self.policy_glue_service = iam.Policy.get(
            f"{name}-glue-service",
            'arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole',
            opts=pulumi.ResourceOptions(parent=self))

        # create glue security config
        # use specific name as any changes will trigger replacement of resource
        self.glue_security_config = glue.SecurityConfiguration(
            f"{name}-security-config",
            name=name,
            encryption_configuration={
                'cloudwatchEncryption': {
                    'cloudwatchEncryptionMode': 'SSE-KMS',
                    'kms_key_arn': self.kms_key.arn
                },
                's3Encryption': {
                    's3EncryptionMode': 'SSE-KMS',
                    'kms_key_arn': self.kms_key.arn
                },
                'jobBookmarksEncryption': {
                    'jobBookmarksEncryptionMode': 'DISABLED'
                }
            },
            opts=pulumi.ResourceOptions(parent=self))