def _get_instance_profile(self, chain_context):
s3readPolicy = iam.Policy(
PolicyName='S3ReadArtifactBucket',
PolicyDocument=Policy(Statement=[
Statement(Effect=Allow,
Action=[
awacs.s3.GetObject,
],
Resource=[s3.ARN(self.bucket_name + "/*")]),
Statement(Effect=Allow,
Action=[
awacs.s3.ListBucket,
],
Resource=[s3.ARN(self.bucket_name)])
]))
cfnrole = chain_context.template.add_resource(
Role(EC2_ROLE_NAME,
AssumeRolePolicyDocument=Policy(Statement=[
Statement(Effect=Allow,
Action=[AssumeRole],
Principal=Principal("Service",
["ec2.amazonaws.com"]))
]),
Policies=[s3readPolicy]))
instance_profile = InstanceProfile(INSTANCE_PROFILE_NAME,
Roles=[Ref(cfnrole)])
return instance_profile
def test_for_all_values(self):
c = aws.Condition(
aws.ForAllValuesStringLike("dynamodb:requestedAttributes",
["PostDateTime", "Message", "Tags"]))
pd = aws.Policy(Statement=[
aws.Statement(
Action=[s3.ListBucket],
Effect=aws.Allow,
Resource=[s3.ARN("myBucket")],
Condition=c,
)
])
self.assertEqual(
{
u'Statement': [{
u'Action': [u's3:ListBucket'],
u'Condition': {
u'ForAllValues:StringLike': {
u'dynamodb:requestedAttributes':
[u'PostDateTime', u'Message', u'Tags']
}
},
u'Effect': u'Allow',
u'Resource': [u'arn:aws:s3:::myBucket']
}]
}, json.loads(pd.to_json()))
def test_for_all_values(self):
c = aws.Condition(
aws.ForAllValuesStringLike("dynamodb:requestedAttributes",
["PostDateTime", "Message", "Tags"]))
pd = aws.PolicyDocument(Statement=[
aws.Statement(
Action=[s3.ListBucket],
Effect=aws.Allow,
Resource=[s3.ARN("myBucket")],
Condition=c,
)
])
self.assertEqual(
{
"Statement": [{
"Action": ["s3:ListBucket"],
"Condition": {
"ForAllValues:StringLike": {
"dynamodb:requestedAttributes": [
"PostDateTime",
"Message",
"Tags",
]
}
},
"Effect": "Allow",
"Resource": ["arn:aws:s3:::myBucket"],
}]
},
json.loads(pd.to_json()),
)
def test_arn_equality(self):
self.assertEqualWithHash(
s3.ARN("myBucket"), s3.ARN("myBucket"))
self.assertNotEqualWithHash(
s3.ARN("myBucket"), s3.ARN("myOtherBucket"))
self.assertEqualWithHash(
ec2.ARN("some-resource", "some-region", "some-account"),
ec2.ARN("some-resource", "some-region", "some-account"))
self.assertNotEqualWithHash(
ec2.ARN("some-resource", "some-region", "some-account"),
ec2.ARN("some-resource", "some-other-region", "some-account"))
self.assertNotEqualWithHash(
ec2.ARN("some-resource", "some-region", "some-account"),
iam.ARN("some-resource", "some-region", "some-account"))
def _create_code_build_role(self):
code_build_role = iam.Role(
'CodeBuildRole',
AssumeRolePolicyDocument=Policy(
Version='2012-10-17',
Statement=[
Statement(
Effect=Allow,
Action=[
_sts.AssumeRole,
],
Principal=Principal(
'Service', 'codebuild.amazonaws.com'
)
)
]
)
)
self._t.add_resource(code_build_role)
code_build_policy = iam.PolicyType(
'CodeBuildPolicy',
PolicyName='CodeBuildPolicy',
PolicyDocument=Policy(
Version='2012-10-17',
Statement=[
Statement(
Action=[
_logs.CreateLogGroup,
_logs.CreateLogStream,
_logs.PutLogEvents,
],
Effect=Allow,
Resource=['*'],
),
Statement(
Effect=Allow,
Action=[
_s3.GetObject,
_s3.GetObjectVersion,
_s3.PutObject,
],
Resource=[_s3.ARN('*')],
),
]
),
Roles=[Ref(code_build_role)],
)
self._t.add_resource(code_build_policy)
return code_build_role
Description='Subnet to use for Redshift',
))
security_group = template.add_parameter(
Parameter(
'SecurityGroup',
Type='String',
Description='Security Group to use for Redshift',
))
policy_doc = Policy(Statement=[
Statement(Sid='ReadAccessS3',
Effect=Allow,
Action=[Action('s3', 'List*'),
Action('s3', 'Get*')],
Resource=[s3_doc.ARN('nicor-data'),
s3_doc.ARN('nicor-data/*')]),
])
redshift_role = template.add_resource(
iam.Role('RedshiftRole',
RoleName='RedshiftRole',
AssumeRolePolicyDocument={
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": ["redshift.amazonaws.com"]
},
"Action": ["sts:AssumeRole"]
}]
},
Statement(Sid='KinesisAccess',
Effect=Allow,
Action=[Action('kinesis', '*')],
Resource=[
'arn:aws:kinesis:eu-west-1:749785218022:stream/DevStreamES'
]),
Statement(Sid='LogsAccess',
Effect=Allow,
Action=[Action('logs', '*')],
Resource=['*']),
Statement(Sid='ReadS3DeploymentBucket',
Effect=Allow,
Action=[Action('s3', 'Get*'),
Action('s3', 'List*')],
Resource=[
s3.ARN('nicor-dev'),
s3.ARN('nicor-dev/*'),
])
])
instance_role = template.add_resource(
iam.Role('InstanceRole',
RoleName='TweetProducerRole',
AssumeRolePolicyDocument={
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": ["ec2.amazonaws.com"]
},
"Action": ["sts:AssumeRole"]
}]
def generate_template(service_name):
t = Template()
t.add_version('2010-09-09')
t.add_description("""\
AWS CloudFormation Template for AWS Exploitation Lab """)
t.add_mapping("PublicRegionMap", ami_public_mapping)
t.add_mapping("PrivateRegionMap", ami_private_mapping)
keyname_param = t.add_parameter(
Parameter(
'KeyName',
ConstraintDescription=
'must be the name of an existing EC2 KeyPair.',
Description=
'Name of an existing EC2 KeyPair to enable SSH access to \
the instance',
Type='AWS::EC2::KeyPair::KeyName',
))
sshlocation_param = t.add_parameter(
Parameter(
'SSHLocation',
Description=
' The IP address range that can be used to SSH to the EC2 \
instances',
Type='String',
MinLength='9',
MaxLength='18',
Default='0.0.0.0/32',
AllowedPattern=
"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})",
ConstraintDescription=(
"must be a valid IP CIDR range of the form x.x.x.x/x."),
))
instanceType_param = t.add_parameter(
Parameter(
'InstanceType',
Type='String',
Description='WebServer EC2 instance type',
Default='t2.micro',
AllowedValues=[
't2.micro',
't2.small',
't2.medium',
'm3.medium',
'm3.large',
'm3.xlarge',
'm3.2xlarge',
],
ConstraintDescription='must be a valid EC2 instance type.',
))
ref_stack_id = Ref('AWS::StackId')
ec2_role = t.add_resource(
Role("%sEC2Role" % service_name,
AssumeRolePolicyDocument=awacs.aws.Policy(Statement=[
awacs.aws.Statement(
Effect=awacs.aws.Allow,
Action=[awacs.aws.Action("sts", "AssumeRole")],
Principal=awacs.aws.Principal("Service",
["ec2.amazonaws.com"]))
])))
ec2_role.ManagedPolicyArns = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
ec2_snapshot_policy_document = awacs.aws.Policy(Statement=[
awacs.aws.Statement(Sid="PermitEC2Snapshots",
Effect=awacs.aws.Allow,
Action=[
awacs.aws.Action("ec2", "CreateSnapshot"),
awacs.aws.Action("ec2",
"ModifySnapshotAttribute"),
],
Resource=["*"])
])
ec2_snapshot_policy = Policy(PolicyName="EC2SnapshotPermissions",
PolicyDocument=ec2_snapshot_policy_document)
priv_ec2_role = t.add_resource(
Role("%sPrivEC2Role" % service_name,
AssumeRolePolicyDocument=awacs.aws.Policy(Statement=[
awacs.aws.Statement(
Effect=awacs.aws.Allow,
Action=[awacs.aws.Action("sts", "AssumeRole")],
Principal=awacs.aws.Principal("Service",
["ec2.amazonaws.com"]))
]),
Policies=[ec2_snapshot_policy]))
priv_ec2_role.ManagedPolicyArns = [
"arn:aws:iam::aws:policy/ReadOnlyAccess"
]
VPC_ref = t.add_resource(
VPC('VPC',
CidrBlock='10.0.0.0/16',
Tags=Tags(Application=ref_stack_id)))
instanceProfile = t.add_resource(
InstanceProfile("InstanceProfile",
InstanceProfileName="%sInstanceRole" % (service_name),
Roles=[Ref(ec2_role)]))
privInstanceProfile = t.add_resource(
InstanceProfile("PrivInstanceProfile",
InstanceProfileName="%sPrivInstanceRole" %
(service_name),
Roles=[Ref(priv_ec2_role)]))
public_subnet = t.add_resource(
Subnet('%sSubnetPublic' % service_name,
MapPublicIpOnLaunch=True,
CidrBlock='10.0.1.0/24',
VpcId=Ref(VPC_ref),
Tags=Tags(Application=ref_stack_id,
Name="%sSubnet_public" % (service_name))))
private_subnet = t.add_resource(
Subnet('%sSubnetPrivate' % service_name,
MapPublicIpOnLaunch=False,
CidrBlock='10.0.2.0/24',
VpcId=Ref(VPC_ref),
Tags=Tags(Application=ref_stack_id,
Name="%sSubnet_private" % (service_name))))
internetGateway = t.add_resource(
InternetGateway('InternetGateway',
Tags=Tags(Application=ref_stack_id,
Name="%sInternetGateway" % service_name)))
gatewayAttachment = t.add_resource(
VPCGatewayAttachment('AttachGateway',
VpcId=Ref(VPC_ref),
InternetGatewayId=Ref(internetGateway)))
routeTable = t.add_resource(
RouteTable('RouteTable',
VpcId=Ref(VPC_ref),
Tags=Tags(Application=ref_stack_id,
Name="%sRouteTable" % service_name)))
route = t.add_resource(
Route(
'Route',
DependsOn='AttachGateway',
GatewayId=Ref('InternetGateway'),
DestinationCidrBlock='0.0.0.0/0',
RouteTableId=Ref(routeTable),
))
# Only associate this Route Table with the public subnet
subnetRouteTableAssociation = t.add_resource(
SubnetRouteTableAssociation(
'SubnetRouteTableAssociation',
SubnetId=Ref(public_subnet),
RouteTableId=Ref(routeTable),
))
instanceSecurityGroup = t.add_resource(
SecurityGroup(
'InstanceSecurityGroup',
GroupDescription='%sSecurityGroup' % service_name,
SecurityGroupIngress=[
SecurityGroupRule(IpProtocol='tcp',
FromPort='22',
ToPort='22',
CidrIp=Ref(sshlocation_param)),
SecurityGroupRule(IpProtocol='tcp',
FromPort='80',
ToPort='80',
CidrIp='0.0.0.0/0'),
SecurityGroupRule(IpProtocol='tcp',
FromPort='443',
ToPort='443',
CidrIp='0.0.0.0/0'),
SecurityGroupRule(IpProtocol='tcp',
FromPort='0',
ToPort='65535',
CidrIp="10.0.0.0/8"),
],
VpcId=Ref(VPC_ref),
))
public_instance = t.add_resource(
Instance(
"Public%sInstance" % service_name,
ImageId=FindInMap("PublicRegionMap", Ref("AWS::Region"), "AMI"),
InstanceType=Ref(instanceType_param),
KeyName=Ref(keyname_param),
NetworkInterfaces=[
NetworkInterfaceProperty(GroupSet=[Ref(instanceSecurityGroup)],
AssociatePublicIpAddress='true',
DeviceIndex='0',
DeleteOnTermination='true',
SubnetId=Ref(public_subnet))
],
UserData=Base64(public_instance_userdata),
Tags=Tags(Application=ref_stack_id,
Name='%sPublicInstance' % (service_name))))
private_instance = t.add_resource(
Instance(
"Private%sInstance" % service_name,
ImageId=FindInMap("PrivateRegionMap", Ref("AWS::Region"), "AMI"),
InstanceType=Ref(instanceType_param),
KeyName=Ref(keyname_param),
NetworkInterfaces=[
NetworkInterfaceProperty(GroupSet=[Ref(instanceSecurityGroup)],
DeviceIndex='0',
DeleteOnTermination='true',
SubnetId=Ref(private_subnet))
],
UserData=Base64(private_instance_userdata),
Tags=Tags(Application=ref_stack_id,
Name='%sPrivateInstance' % (service_name)),
IamInstanceProfile="%sPrivInstanceRole" % (service_name)))
outputs = []
outputs.append(
Output(
"PublicIP",
Description="IP Address of Public Instance",
Value=GetAtt(public_instance, "PublicIp"),
))
t.add_output(outputs)
# Set up S3 Bucket and CloudTrail
S3Bucket = t.add_resource(Bucket("S3Bucket", DeletionPolicy="Retain"))
S3PolicyDocument = awacs.aws.PolicyDocument(
Id='EnforceServersideEncryption',
Version='2012-10-17',
Statement=[
awacs.aws.Statement(
Sid='PermitCTBucketPut',
Action=[s3.PutObject],
Effect=awacs.aws.Allow,
Principal=awacs.aws.Principal("Service",
["cloudtrail.amazonaws.com"]),
Resource=[Join('',
[s3.ARN(''), Ref(S3Bucket), "/*"])],
),
awacs.aws.Statement(
Sid='PermitCTBucketACLRead',
Action=[s3.GetBucketAcl],
Effect=awacs.aws.Allow,
Principal=awacs.aws.Principal("Service",
["cloudtrail.amazonaws.com"]),
Resource=[Join('', [s3.ARN(''), Ref(S3Bucket)])],
)
])
S3BucketPolicy = t.add_resource(
BucketPolicy("BucketPolicy",
PolicyDocument=S3PolicyDocument,
Bucket=Ref(S3Bucket),
DependsOn=[S3Bucket]))
myTrail = t.add_resource(
Trail(
"CloudTrail",
IsLogging=True,
S3BucketName=Ref(S3Bucket),
DependsOn=["BucketPolicy"],
))
myTrail.IsMultiRegionTrail = True
myTrail.IncludeGlobalServiceEvents = True
return t.to_json()
# Example taken from AWS docs:
# http://docs.aws.amazon.com/IAM/latest/UserGuide/
# ExampleIAMPolicies.html#iampolicy-example-s3homedir
from awacs.aws import Action, Allow, Condition
from awacs.aws import Policy, Statement
from awacs.aws import StringEquals, StringLike
import awacs.s3 as s3
pd = Policy(Statement=[
Statement(
Action=[s3.ListAllMyBuckets, s3.GetBucketLocation],
Effect=Allow,
Resource=[
s3.ARN("*"),
],
),
Statement(
Action=[s3.ListBucket],
Effect=Allow,
Resource=[s3.ARN("myBucket")],
Condition=Condition(
StringEquals({
's3:prefix': ['', 'home/'],
's3:delimiter': ['/'],
}), ),
),
Statement(
Action=[s3.ListBucket],
Effect=Allow,
Resource=[s3.ARN("myBucket")],
def create_template():
t = Template()
t.add_description("The individual CodeBuild stack for CBuildCI.")
p_build_description = t.add_parameter(
Parameter(
"BuildDescription",
Description="Used for the CodeBuild project description.",
Type="String",
))
p_api_lambda_role = t.add_parameter(
Parameter(
"ApiLambdaRole",
Description=
"The IAM role used by the API lambda function, which will receive permission to monitor builds.",
Type="String",
))
p_step_lambda_role = t.add_parameter(
Parameter(
"StepLambdaRole",
Description=
"The IAM role used by the lambda function, which will receive permission to start, stop and monitor builds.",
Type="String",
))
p_source_bucket = t.add_parameter(
Parameter(
"SourceBucket",
Type="String",
))
p_source_key_prefix = t.add_parameter(
Parameter(
"SourceKeyPrefix",
Type="String",
Default="github-source/",
))
p_artifact_bucket = t.add_parameter(
Parameter(
"ArtifactBucket",
Type="String",
))
p_artifact_key_prefix = t.add_parameter(
Parameter(
"ArtifactKeyPrefix",
Type="String",
Default="github-artifacts/",
))
p_cache_bucket = t.add_parameter(Parameter(
"CacheBucket",
Type="String",
))
p_cache_key_prefix = t.add_parameter(
Parameter(
"CacheKeyPrefix",
Type="String",
Default="github-cache/",
))
p_logs_retention_days = t.add_parameter(
Parameter(
"LogsRetentionDays",
Description=
"Number of days to keep CloudWatch logs for this stack's lambda function.",
Type="Number",
Default="30",
))
p_code_build_role_policy_arns = t.add_parameter(
Parameter(
"CodeBuildRolePolicyArns",
Description=
"Optional list of IAM managed policy ARNs to attach to the CodeBuild role.",
Type="String",
Default="-NONE-",
))
p_read_ecr_arns = t.add_parameter(
Parameter(
"ReadECRArns",
Description=
"ECS Repository ARNs to give CodeBuild permission to pull images from.",
Type="String",
Default="-NONE-",
))
p_read_s3_arns = t.add_parameter(
Parameter(
"ReadS3Arns",
Description="S3 ARNs to give CodeBuild permission to S3.",
Type="String",
Default="-NONE-",
))
p_read_ssm_param_arns = t.add_parameter(
Parameter(
"ReadSSMParamArns",
Description="SSM parameters to give CodeBuild permission to read.",
Type="String",
Default="-NONE-",
))
p_read_kms_arns = t.add_parameter(
Parameter(
"ReadKMSArns",
Description="KMS keys to give CodeBuild permission to decrypt.",
Type="String",
Default="-NONE-",
))
p_vpc = t.add_parameter(
Parameter(
"VPC",
Description="Optional VPC to use for CodeBuild.",
Type="String",
Default="-NONE-",
))
p_security_groups = t.add_parameter(
Parameter(
"SecurityGroups",
Description="Security groups to use for CodeBuild.",
Type="String",
Default="-NONE-",
))
p_subnets = t.add_parameter(
Parameter(
"Subnets",
Description="Subnets to use for CodeBuild.",
Type="String",
Default="-NONE-",
))
t.add_condition(
"HasCodeBuildRolePolicyArns",
Not(Equals(Ref(p_code_build_role_policy_arns), "-NONE-")),
)
t.add_condition(
"HasReadECRArns",
Not(Equals(Ref(p_read_ecr_arns), "-NONE-")),
)
t.add_condition(
"HasReadS3Arns",
Not(Equals(Ref(p_read_s3_arns), "-NONE-")),
)
t.add_condition(
"HasReadSSMParamArns",
Not(Equals(Ref(p_read_ssm_param_arns), "-NONE-")),
)
t.add_condition(
"HasReadKMSArns",
Not(Equals(Ref(p_read_kms_arns), "-NONE-")),
)
t.add_condition(
"HasVPC",
Not(Equals(Ref(p_vpc), "-NONE-")),
)
# Replace with custom tags if desired.
tags = build_tags_list(t)
r_log_group = t.add_resource(
LogGroup(
"CodeBuildLogGroup",
LogGroupName=Sub("/aws/codebuild/${AWS::StackName}"),
RetentionInDays=Ref(p_logs_retention_days),
))
r_code_build_role = t.add_resource(
Role(
"CodeBuildRole",
AssumeRolePolicyDocument=PolicyDocument(
Version="2012-10-17",
Statement=[
Statement(
Effect=Allow,
Action=[ac_sts.AssumeRole],
Principal=Principal("Service",
["codebuild.amazonaws.com"]),
),
],
),
ManagedPolicyArns=If(
"HasCodeBuildRolePolicyArns",
Split(",", Ref(p_code_build_role_policy_arns)),
NoValue,
),
Policies=[
Policy(
PolicyName="code-build-policy",
PolicyDocument={
"Statement": [
Statement(
Effect=Allow,
Resource=[
GetAtt(r_log_group, "Arn"),
],
Action=[
ac_logs.CreateLogGroup,
ac_logs.CreateLogStream,
ac_logs.PutLogEvents,
],
),
Statement(
Effect=Allow,
Resource=[
Sub(
ac_s3.ARN(resource="${%s}/${%s}*" % (
p_source_bucket.title,
p_source_key_prefix.title,
), )),
],
Action=[
ac_s3.GetObject,
ac_s3.GetObjectVersion,
],
),
Statement(
Effect=Allow,
Resource=[
Sub(
ac_s3.ARN(resource="${%s}/${%s}*" % (
p_artifact_bucket.title,
p_artifact_key_prefix.title,
), )),
Sub(
ac_s3.ARN(resource="${%s}/${%s}*" % (
p_cache_bucket.title,
p_cache_key_prefix.title,
), )),
],
Action=[
ac_s3.GetObject,
ac_s3.GetObjectVersion,
ac_s3.PutObject,
],
),
If(
"HasReadECRArns",
{
"Effect":
Allow,
"Resource":
Split(",", Ref(p_read_ecr_arns)),
"Action": [
ac_ecr.BatchCheckLayerAvailability,
ac_ecr.BatchGetImage,
ac_ecr.GetDownloadUrlForLayer,
],
},
NoValue,
),
If(
"HasReadS3Arns",
{
"Effect":
Allow,
"Resource":
Split(",", Ref(p_read_s3_arns)),
"Action": [
ac_s3.ListBucket,
ac_s3.GetObject,
ac_s3.GetObject,
ac_s3.GetObjectVersion,
],
},
NoValue,
),
If(
"HasReadSSMParamArns",
{
"Effect":
Allow,
"Resource":
Split(",", Ref(p_read_ssm_param_arns)),
"Action": [
ac_ssm.GetParameter,
],
},
NoValue,
),
If(
"HasReadKMSArns",
{
"Effect": Allow,
"Resource": Split(",",
Ref(p_read_kms_arns)),
"Action": [
ac_kms.Decrypt,
],
},
NoValue,
),
]
},
),
],
))
r_code_build = t.add_resource(
Project(
"CodeBuild",
Name=Ref("AWS::StackName"),
Description=Ref(p_build_description),
ServiceRole=Ref(r_code_build_role),
Source=Source(Type="CODEPIPELINE", ),
Artifacts=Artifacts(Type="CODEPIPELINE", ),
VpcConfig=If(
"HasVPC",
VpcConfig(
VpcId=Ref(p_vpc),
Subnets=Ref(p_subnets),
SecurityGroupIds=Ref(p_security_groups),
),
NoValue,
),
Environment=CodeBuildEnvironment(
Type="LINUX_CONTAINER",
ComputeType="BUILD_GENERAL1_SMALL",
Image="aws/codebuild/ubuntu-base:14.04",
),
Tags=tags,
))
t.add_resource(
PolicyType(
"ApiLambdaRolePolicy",
Roles=[
Ref(p_api_lambda_role),
],
PolicyName=Sub("${AWS::StackName}-policy"),
PolicyDocument=PolicyDocument(Statement=[
Statement(
Effect=Allow,
Resource=[GetAtt(r_code_build, "Arn")],
Action=[
ac_codebuild.BatchGetBuilds,
],
),
Statement(
Effect=Allow,
Resource=[
GetAtt(r_log_group, "Arn"),
],
Action=[
ac_logs.GetLogEvents,
],
),
], ),
))
t.add_resource(
PolicyType(
"StepLambdaRolePolicy",
Roles=[
Ref(p_step_lambda_role),
],
PolicyName=Sub("${AWS::StackName}-policy"),
PolicyDocument=PolicyDocument(Statement=[
Statement(
Effect=Allow,
Resource=[GetAtt(r_code_build, "Arn")],
Action=[
ac_codebuild.StartBuild,
ac_codebuild.StopBuild,
ac_codebuild.BatchGetBuilds,
],
),
], ),
))
t.add_output(Output(
"CodeBuildProjectName",
Value=Ref(r_code_build),
))
t.add_output(Output(
"CodeBuildArn",
Value=GetAtt(r_code_build, "Arn"),
))
return t