示例#1
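def managed_policy_arn(policy):
    """Return the ARN to attach for *policy*.

    *policy* is either the bare name of an AWS-managed policy (for example
    ``ReadOnlyAccess`` or ``job-function/ViewOnlyAccess``), which is expanded
    under the ``arn:aws:iam::aws:policy/`` prefix, or an already complete ARN
    (any partition; customer-managed policies included), which is returned
    unchanged. Bare names always resolve to the ``aws`` partition.
    """
    if policy.startswith('arn:'):
        return policy
    return 'arn:aws:iam::aws:policy/{0}'.format(policy)


def create_iam_group(stack, group_name, managed_policies=()):
    """Add an IAM group resource to *stack* and return it.

    Args:
        stack: wrapper whose ``stack.stack.add_resource`` registers a
            troposphere resource on the underlying template.
        group_name: used both as the logical id and as the physical
            ``GroupName`` of the group.
        managed_policies: iterable of policy names or full ARNs to attach;
            each entry goes through ``managed_policy_arn``. Defaults to none.

    Returns:
        The value returned by ``add_resource`` (the ``Group`` resource).
    """
    managed_policy_arns = [managed_policy_arn(policy)
                           for policy in managed_policies]
    return stack.stack.add_resource(Group(group_name,
                                          GroupName=group_name,
                                          ManagedPolicyArns=managed_policy_arns))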
示例#2
def add_group(c, GroupName, model, named=False):
    """Add an IAM ``Group`` for *GroupName* to the current account's template.

    The logical id is ``scrub_name(GroupName + "Group")``. *model* is the
    group's config mapping: ``managed_policies`` is resolved through
    ``parse_managed_policies`` and ``retain_on_delete: True`` sets
    ``DeletionPolicy: Retain``. With ``named`` the physical ``GroupName`` is
    pinned as well (otherwise CloudFormation generates it). When template
    outputs are enabled in ``c.config`` an output ``<logical id>Arn`` is
    added and exported as ``${AWS::StackName}-<logical id>Arn``.
    """
    cfn_name = scrub_name(GroupName + "Group")

    group_props = {"Path": "/", "ManagedPolicyArns": [], "Policies": []}
    if named:
        group_props["GroupName"] = GroupName
    if "managed_policies" in model:
        group_props["ManagedPolicyArns"] = parse_managed_policies(
            c, model["managed_policies"], GroupName)
    if "retain_on_delete" in model and model["retain_on_delete"] is True:
        group_props["DeletionPolicy"] = "Retain"

    account_template = c.template[c.current_account]
    account_template.add_resource(Group(scrub_name(cfn_name), **group_props))

    outputs_enabled = c.config['global']['template_outputs'] == "enabled"
    if outputs_enabled:
        arn_output = Output(
            cfn_name + "Arn",
            Description="Group " + GroupName + " ARN",
            Value=GetAtt(cfn_name, "Arn"),
            Export=Export(Sub("${AWS::StackName}-" + cfn_name + "Arn")),
        )
        account_template.add_output([arn_output])
示例#3
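 def __init__(self, affiliatename, defaulttemplate=False):
     """Set up a per-affiliate SAM template with a private bucket and user group.

     Args:
         affiliatename: lowercase affiliate id. It becomes the S3 bucket name
             and the prefix of the policy and group names; S3 bucket names
             must be lowercase, so uppercase input is rejected here rather
             than at deploy time.
         defaulttemplate: when truthy the affiliate's resources are expected
             to come from an existing template. That path is not implemented
             and raises ``NotImplementedError`` instead of silently leaving
             the instance without attributes.

     Raises:
         ValueError: *affiliatename* is not all lowercase.
         NotImplementedError: *defaulttemplate* is truthy.
     """
     if defaulttemplate:
         raise NotImplementedError(
             'loading a default template (and exposing its resources as '
             'attributes) is not implemented yet')
     if affiliatename != affiliatename.lower():
         raise ValueError(
             'affiliatename must be lowercase (it is used as the S3 bucket '
             'name): {0!r}'.format(affiliatename))

     self.template = Template()
     # Serverless transform so the template can carry SAM function resources.
     self.template.set_transform('AWS::Serverless-2016-10-31')
     self.affiliatename = affiliatename

     # Private bucket owned by this affiliate; the logical id carries the
     # affiliate name so it is unique per template.
     self.bucket_logname = 'UserBucket' + affiliatename
     bucket = Bucket(self.bucket_logname,
                     AccessControl='Private',
                     BucketName=affiliatename)
     self.bucket = self.template.add_resource(bucket)

     # One inline policy (content from customize_userpolicy) attached to a
     # group rather than to individual users, so every affiliate user gets
     # the same permissions.
     policy = Policy(PolicyDocument=self.customize_userpolicy(),
                     PolicyName=self.affiliatename + 'policy')
     self.group_logname = 'UserGroup' + affiliatename
     self.groupname = self.affiliatename + 'group'
     usergroup = Group(self.group_logname,
                       GroupName=self.groupname,
                       Policies=[policy])
     self.usergroup = self.template.add_resource(usergroup)

     self.users = []
     self.usercount = 0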
示例#4
 def generate_usergroup(self, affiliatedict):
     """Add an IAM group for the affiliate described by *affiliatedict*.

     The group gets logical id ``UserGroup<AffiliateName>``, physical name
     ``<AffiliateName>group`` and a single inline policy whose document comes
     from ``customize_userpolicy(affiliatedict)``. Returns the resource as
     registered on ``self.template``.
     """
     name = affiliatedict["AffiliateName"]
     inline_policy = Policy(
         PolicyDocument=self.customize_userpolicy(affiliatedict),
         PolicyName=name + 'policy',
     )
     group = Group(
         "UserGroup" + name,
         GroupName=name + "group",
         Policies=[inline_policy],
     )
     return self.template.add_resource(group)
示例#5
文件: IAM-cfn.py 项目: skiermw/tropo
 Group(
     "ClientGroup",
     Policies=[{
         "PolicyName": "ClientGroupPolicy",
         "PolicyDocument": {
             "Statement": [{
                 "Action": "*",
                 "Resource": "*",
                 "Effect": "Allow",
                 "Sid": "AllowAll"
             }, {
                 "Action":
                 ["aws-portal:ViewBilling", "aws-portal:ViewUsage"],
                 "Resource":
                 "*",
                 "Effect":
                 "Deny",
                 "Sid":
                 "DenyBilling"
             }, {
                 "Action": ["ec2:PurchaseReservedInstancesOffering"],
                 "Resource":
                 "*",
                 "Effect":
                 "Deny",
                 "Sid":
                 "DenyPurchaseReservedInstancesOffering"
             }, {
                 "Action": ["rds:PurchaseReservedDBInstancesOffering"],
                 "Resource":
                 "*",
                 "Effect":
                 "Deny",
                 "Sid":
                 "DenyPurchaseReservedDBInstancesOffering"
             }, {
                 "Action": ["redshift:PurchaseReservedNodeOffering"],
                 "Resource":
                 "*",
                 "Effect":
                 "Deny",
                 "Sid":
                 "DenyPurchaseReservedNodeOffering"
             }, {
                 "Action": "cloudtrail:*",
                 "Resource": "*",
                 "Effect": "Deny",
                 "Sid": "DenyCloudtrail"
             }, {
                 "Action": [
                     "iam:AddRoleToInstanceProfile", "iam:AddUserToGroup",
                     "iam:CreateAccessKey", "iam:CreateAccountAlias",
                     "iam:CreateGroup", "iam:CreateInstanceProfile",
                     "iam:CreateLoginProfile", "iam:CreateSAMLProvider",
                     "iam:CreateUser", "iam:DeleteAccessKey",
                     "iam:DeleteAccountAlias",
                     "iam:DeleteAccountPasswordPolicy", "iam:DeleteGroup",
                     "iam:DeleteGroupPolicy", "iam:DeleteInstanceProfile",
                     "iam:DeleteLoginProfile", "iam:DeleteRole",
                     "iam:DeleteRolePolicy", "iam:DeleteSAMLProvider",
                     "iam:DeleteServerCertificate",
                     "iam:DeleteSigningCertificate", "iam:DeleteUser",
                     "iam:DeleteUserPolicy", "iam:DeleteVirtualMFADevice",
                     "iam:GetAccountPasswordPolicy",
                     "iam:GetAccountSummary", "iam:GetGroup",
                     "iam:GetGroupPolicy", "iam:GetInstanceProfile",
                     "iam:GetLoginProfile", "iam:GetSAMLProvider",
                     "iam:GetServerCertificate", "iam:GetUser",
                     "iam:GetUserPolicy", "iam:ListAccessKeys",
                     "iam:ListAccountAliases", "iam:ListGroupPolicies",
                     "iam:ListGroups", "iam:ListGroupsForUser",
                     "iam:ListInstanceProfiles",
                     "iam:ListInstanceProfilesForRole",
                     "iam:ListSAMLProviders", "iam:ListServerCertificates",
                     "iam:ListSigningCertificates", "iam:ListUserPolicies",
                     "iam:PutGroupPolicy", "iam:PutRolePolicy",
                     "iam:PutUserPolicy",
                     "iam:RemoveRoleFromInstanceProfile",
                     "iam:RemoveUserFromGroup", "iam:UpdateAccessKey",
                     "iam:UpdateAccountPasswordPolicy",
                     "iam:UpdateAssumeRolePolicy", "iam:UpdateGroup",
                     "iam:UpdateLoginProfile", "iam:UpdateSAMLProvider",
                     "iam:UpdateServerCertificate",
                     "iam:UpdateSigningCertificate", "iam:UpdateUser",
                     "iam:UploadServerCertificate",
                     "iam:UploadSigningCertificate"
                 ],
                 "Resource": ["*"],
                 "Effect":
                 "Deny",
                 "Sid":
                 "DenyIAM"
             }, {
                 "Action": "s3:*",
                 "Resource":
                 "arn:aws:s3:::shelter-mutual-cloudtrail-us-east-1",
                 "Effect": "Deny",
                 "Sid": "DenyS3CloudtrailBucket"
             }, {
                 "Action":
                 "s3:*",
                 "Resource":
                 Join("", [
                     "arn:aws:s3:::shelter-mutual-cloudtrail-us-east-1",
                     "/*"
                 ]),
                 "Effect":
                 "Deny",
                 "Sid":
                 "DenyS3CloudtrailObjects"
             }]
         }
     }],
 ))
示例#6
    Parameter(
        "GroupParam",
        Type="String",
        Description="New IAM Group Name",
    ))

# Input: the region the IAM permissions are meant to be constrained to
# (see its Description).
RegionParam = t.add_parameter(Parameter(
    "RegionParam",
    Type="String",
    Description="Region Constraint for IAM",
))

### -- Resources
# The group's physical name comes from the GroupParam input, so one template
# can stamp out differently named groups.
IAMGroup = t.add_resource(Group("IAMGroup", GroupName=Ref(GroupParam)))

IAMPolicies = t.add_resource(
    PolicyType(
        "IAMPolicies",
        PolicyName=Ref(RoleParam),
        Groups=[Ref(GroupParam)],
        PolicyDocument={
            "Version":
            "2012-10-17",
            "Statement": [{
                "Effect":
                "Allow",
                "Action": [
                    "ec2:*", "s3:*", "rds:*", "elasticsearch:*", "sqs:*",
示例#7
"""Generating CloudFormation template."""

from troposphere import (
    Template, )

from troposphere.iam import (
    Group, )

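t = Template()

t.add_description("Effective DevOps in AWS: User Groups")

# Group for account administrators. AdministratorAccess is the AWS-managed
# policy allowing every action on every resource, so membership of this group
# should be limited to the few principals that actually need it.
t.add_resource(
    Group(
        "Admins",
        GroupName="Admins",
        ManagedPolicyArns=["arn:aws:iam::aws:policy/AdministratorAccess"],
    ))

# Call form of print: works on Python 2 and 3 (the statement form is a
# SyntaxError on Python 3).
print(t.to_json())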
    Group,
    LoginProfile,
    PolicyType,
    User,
    UserToGroupAddition,
)

t = Template()

t.set_description("AWS CloudFormation Sample Template: This template "
                  "demonstrates the creation of IAM User/Group.")

# NOTE(review): the console password is a literal in the template, so it is
# stored in plaintext in the template file and the stack definition; a NoEcho
# parameter (or omitting the LoginProfile) avoids that.
cfnuser = t.add_resource(User(
    "CFNUser",
    LoginProfile=LoginProfile(Password="******"),
))

cfnusergroup = t.add_resource(Group("CFNUserGroup"))
cfnadmingroup = t.add_resource(Group("CFNAdminGroup"))

# Active programmatic access key for the user above.
cfnkeys = t.add_resource(AccessKey(
    "CFNKeys",
    Status="Active",
    UserName=Ref(cfnuser),
))

# Membership: the user joins the (non-admin) user group.
users = t.add_resource(UserToGroupAddition(
    "Users",
    GroupName=Ref(cfnusergroup),
    Users=[Ref(cfnuser)],
))

admins = t.add_resource(
    UserToGroupAddition(
        "Admins",
#!/usr/bin/env python
"""Generating CloudFormation template."""

from troposphere import (
    Template
)

from troposphere.iam import (
    Group
)

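t = Template()

t.add_description("Effective DevOps in AWS: User Groups")

# Group for account administrators. AdministratorAccess is the AWS-managed
# policy allowing every action on every resource, so membership of this group
# should be limited to the few principals that actually need it.
t.add_resource(Group(
    "Admins",
    GroupName="Admins",
    ManagedPolicyArns=[
        "arn:aws:iam::aws:policy/AdministratorAccess"
    ]
))

# Call form of print: works on Python 2 and 3 (the statement form is a
# SyntaxError on Python 3).
print(t.to_json())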
示例#10
    Queue("OutboundDev",
          QueueName="OutboundDev.fifo",
          ReceiveMessageWaitTimeSeconds=20,
          FifoQueue=True))
def _fifo_queue(logical_id, queue_name):
    """FIFO queue with 20 s long polling; the shape shared by the dev queues."""
    return Queue(logical_id,
                 QueueName=queue_name,
                 ReceiveMessageWaitTimeSeconds=20,
                 FifoQueue=True)


addqueue = t.add_resource(_fifo_queue("Adding", "AddingDev.fifo"))
mirrorqueue = t.add_resource(_fifo_queue("Mirroring", "MirroringDev.fifo"))

# IAM group whose members receive the queue permissions attached to it below.
queue_dev_group = t.add_resource(Group("QueueDevGroup"))
t.add_resource(
    PolicyType("QueueDevPolicies",
               PolicyName="QueueDevUsers",
               Groups=[Ref(queue_dev_group)],
               PolicyDocument={
                   "Version":
                   "2012-10-17",
                   "Statement": [
                       {
                           "Effect":
                           "Allow",
                           "Action": [
                               "sqs:SendMessage",
                               "sqs:DeleteMessage",
                               "sqs:PurgeQueue",
示例#11
                            "Resource": ["*"],
                            "Condition": {
                                "StringLike": {
                                    "iam:PassedToService":
                                    "ecs-tasks.amazonaws.com"
                                }
                            }
                        }]
                    })
         ]))

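# Build Account Permissions
# It's useful for the CI to be able to update services upon build, so there is
# a service account with keys that will be exposed to CI for allowing
# redeployment of services. Members of this group are that account.
ksp_builder_group = t.add_resource(Group("KspCkanBuilderGroup"))

# ARNs of the ECS services (one `<name>Service` resource each, all in the
# NetKANCluster) that the builder policy below is scoped to.
builder_services = [
    Sub(
        'arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:service/NetKANCluster/${service}',
        service=GetAtt('{}Service'.format(service), 'Name'),
    )
    for service in ['Indexer', 'Inflator', 'Webhooks', 'Adder', 'Mirrorer']
]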
t.add_resource(
    PolicyType("KspCkanBuilderRole",
               PolicyName="KspCkanBuilder",
               Groups=[Ref(ksp_builder_group)],
               PolicyDocument={
                   "Version":
                   "2012-10-17",
                   "Statement": [
    Condition,
    NumericGreaterThan,
    Deny,
    Null,
    Policy,
    Statement,
)

t = Template()
t.add_description("Effective DevOps in AWS: User Groups")

# Admin group. AdministratorAccess is the AWS-managed allow-everything
# policy, so keep this group's membership small.
t.add_resource(Group(
    "Admins",
    GroupName="Admins",
    ManagedPolicyArns=["arn:aws:iam::aws:policy/AdministratorAccess"],
))

t.add_resource(
    ManagedPolicy(
        "CommonIamPolicy",
        Description="Common policy to manage IAM resources",
        PolicyDocument=Policy(
            Version="2012-10-17",
            Statement=[
                Statement(Effect=Allow,
                          Action=[
                              Action("iam", "GetAccountPasswordPolicy"),
                              Action("iam", "ListUsers"),
                              Action("iam", "ListMFADevices"),
示例#13
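    def create_template(self):
        """Build the IAM template for ``self.template_type`` and write it out.

        ``project_role`` creates a group (``IamGroup``) and a managed policy
        attached to it by name; ``project_role_jump_account`` first drops
        ``Resources`` from the configured parameters, then creates the
        managed policy and a group (``Group``) without attaching one to the
        other. Both take their policy statements from
        ``self.create_policy_document()`` and share the same input
        parameters.

        Returns:
            Path of the temp file holding the rendered JSON (see
            ``_write_template``).

        Any other template type prints an error and exits with status 1.
        """
        if self.template_type == 'project_role':
            template = Template()
            namespace_param, env_prefix_param, project_name_param = \
                self._add_common_parameters(template)

            pd = PolicyDocument(Version="2012-10-17",
                                Id="Account-Permissions",
                                Statement=self.create_policy_document())

            # Group and policy both use the "<ENV>-<PROJECT>" name.
            template.add_resource(
                Group('IamGroup',
                      Path=Ref(namespace_param),
                      GroupName=Join('-', [Ref(env_prefix_param),
                                           Ref(project_name_param)])))
            template.add_resource(
                ManagedPolicy("ManagedPolicy",
                              Description=Join('-', [Ref(env_prefix_param),
                                                     Ref(project_name_param),
                                                     'project']),
                              # Attached by group name (same Join as
                              # GroupName above), not by Ref to the resource.
                              Groups=[Join('-', [Ref(env_prefix_param),
                                                 Ref(project_name_param)])],
                              ManagedPolicyName=Join('-', [
                                  Ref(env_prefix_param),
                                  Ref(project_name_param)
                              ]),
                              Path=Ref(namespace_param),
                              PolicyDocument=pd))
            return self._write_template(template)

        if self.template_type == 'project_role_jump_account':
            self._config['parameters'].pop('Resources', None)

            template = Template()
            namespace_param, env_prefix_param, project_name_param = \
                self._add_common_parameters(template)

            pd = PolicyDocument(Version="2012-10-17",
                                Statement=self.create_policy_document())

            template.add_resource(
                ManagedPolicy('ManagedPolicy',
                              Description=Join('-', [Ref(env_prefix_param),
                                                     Ref(project_name_param),
                                                     'project']),
                              PolicyDocument=pd,
                              ManagedPolicyName=Join('-', [
                                  Ref(env_prefix_param),
                                  Ref(project_name_param)
                              ]),
                              Path=Ref(namespace_param)))
            template.add_resource(
                Group("Group",
                      GroupName=Join('-', [Ref(env_prefix_param),
                                           Ref(project_name_param)])))

            tmp_path = self._write_template(template)
            if self.debug:
                print('template file is: ' + str(tmp_path))
            return tmp_path

        print('incorrect template type')
        sys.exit(1)

    def _add_common_parameters(self, template):
        """Declare the six input parameters shared by both template types.

        Returns the ``(IAMNamespace, UppercaseAwsEnvironmentPrefix,
        UppercaseProjectName)`` parameters, the only ones the resources refer
        to. The lowercase variants and ``AccountNumber`` are declared (so the
        stack accepts them) but not used inside the template.
        """
        namespace_param = template.add_parameter(
            Parameter(
                "IAMNamespace",
                Description="Namespace for IAM users, policies, etc.",
                Type="String",
                Default="/"))
        uppercase_env_prefix_param = template.add_parameter(
            Parameter(
                "UppercaseAwsEnvironmentPrefix",
                Description=
                "Uppercase abbreviation for AWS account (i.e. DEV,QA,PROD)",
                Type="String"))
        template.add_parameter(
            Parameter(
                "LowercaseAwsEnvironmentPrefix",
                Description=
                "Lowercase abbreviation for AWS account (i.e. dev,qa,prod)",
                Type="String"))
        template.add_parameter(
            Parameter("AccountNumber",
                      Description="AWS Account Number",
                      Type="String"))
        uppercase_project_name_param = template.add_parameter(
            Parameter("UppercaseProjectName",
                      Description="Uppercase Project Name",
                      Type="String"))
        template.add_parameter(
            Parameter("LowercaseProjectName",
                      Description="Lowercase Project Name",
                      Type="String"))
        return (namespace_param, uppercase_env_prefix_param,
                uppercase_project_name_param)

    def _write_template(self, template):
        """Render *template* to disk and return the path of its temp copy.

        The JSON is written to a fresh ``.rdr`` temp file that is deliberately
        left in place (``delete=False``) so the returned path stays usable by
        the caller. ``template.json`` in ``self.cwd`` is created only when it
        does not exist yet and the environment config supplies no template of
        its own; otherwise a debug message says it was skipped.
        ``meta-parameters`` is dropped from ``self._config`` between the two
        writes, as the original code did.
        """
        rendered = template.to_json()
        if self.debug:
            print(rendered)

        with tempfile.NamedTemporaryFile(mode='w',
                                         suffix='.rdr',
                                         delete=False) as tmp:
            tmp.write(rendered)
        self._config.pop('meta-parameters', None)

        template_path = self.cwd + '/template.json'
        if (not os.path.exists(template_path)
                and not self._config['environment']['template']):
            # `with` closes the file; no explicit close() needed afterwards.
            with open(template_path, 'w') as fh:
                fh.write(rendered)
        elif self.debug:
            print('Not creating template.json')

        return tmp.name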
示例#14
from troposphere import Template
from troposphere.iam import Group

t = Template()

# Read-only group: ViewOnlyAccess is the AWS-managed job-function policy for
# viewing resource configuration. Note its ARN lives under the
# "job-function/" path, unlike most AWS-managed policies.
view_group = t.add_resource(Group(
    "ViewOnlyGroup",
    ManagedPolicyArns=["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"],
))

print(t.to_json())