From 1579d489e1c1b661df1970f8784b1dfebb8c112d Mon Sep 17 00:00:00 2001
From: Dusty Mabe
Date: Sep 27 2019 14:56:59 +0000
Subject: Add in documentation for managing AWS IAM policies for AMI uploading
---
diff --git a/docs/aws-iam-policies/README.md b/docs/aws-iam-policies/README.md
new file mode 100644
index 0000000..7f72768
--- /dev/null
+++ b/docs/aws-iam-policies/README.md
@@ -0,0 +1,36 @@
+## Dev/Community Account
+
+### To add the existing policies/user:
+
+```
+./manage-policies.sh --add --environment dev ./community-account/fedora-cloud-plume-ami-*
+```
+
+The last snippet of output will show the Access key id/secret to be
+used for the user.
+
+### To tear down the existing policies/user:
+
+```
+./manage-policies.sh --remove --environment dev ./community-account/fedora-cloud-plume-ami-*
+```
+
+## Prod Account
+
+### To add the existing policies/user:
+
+```
+./manage-policies.sh --add --environment prod ./prod-account/fedora-cloud-plume-ami-*
+```
+
+The last snippet of output will show the Access key id/secret to be
+used for the user.
+
+### To tear down the existing policies/user:
+
+```
+./manage-policies.sh --remove --environment prod ./prod-account/fedora-cloud-plume-ami-*
+```
+
+
+
diff --git a/docs/aws-iam-policies/community-account/fedora-cloud-plume-ami-upload b/docs/aws-iam-policies/community-account/fedora-cloud-plume-ami-upload
new file mode 100644
index 0000000..40b5889
--- /dev/null
+++ b/docs/aws-iam-policies/community-account/fedora-cloud-plume-ami-upload
@@ -0,0 +1,13 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "s3:*",
+ "Resource": [
+ "arn:aws:s3:::prod-account-match-fedora-cloud-plume-ami-vmimport",
+ "arn:aws:s3:::prod-account-match-fedora-cloud-plume-ami-vmimport/*"
+ ]
+ }
+ ]
+}
diff --git a/docs/aws-iam-policies/community-account/fedora-cloud-plume-ami-vmimport b/docs/aws-iam-policies/community-account/fedora-cloud-plume-ami-vmimport
new file mode 100644
index 0000000..9507fce
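Review bot: `"Action": "s3:*"` in the community-account upload policy grants every S3 operation on the bucket, including changing the bucket policy and ACLs and deleting the bucket, none of which an upload credential needs; the prod-account/fedora-cloud-plume-ami-upload policy added in this commit carries the same statement. Limiting the action list to what the importer actually performs, e.g. `"Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket", "s3:DeleteObject"]`, bounds the damage if the access key that the README says is printed at the end of `--add` is ever exposed. Teardown is unaffected, since manage-policies.sh runs `aws s3 rb --force` under the operator's own credentials rather than the created user's.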
--- /dev/null
+++ b/docs/aws-iam-policies/community-account/fedora-cloud-plume-ami-vmimport
@@ -0,0 +1,35 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:ImportVolume",
+ "ec2:RegisterImage",
+ "ec2:CancelConversionTask",
+ "ec2:ImportSnapshot",
+ "ec2:CopyImage",
+ "ec2:ModifyImageAttribute",
+ "ec2:DescribeImageAttribute",
+ "ec2:DescribeSnapshots",
+ "ec2:DescribeImportSnapshotTasks",
+ "ec2:DescribeImages",
+ "ec2:DeleteVolume",
+ "ec2:ModifySnapshotAttribute",
+ "ec2:DescribeAvailabilityZones",
+ "ec2:DescribeVolumes",
+ "ec2:CreateSnapshot",
+ "ec2:DescribeConversionTasks"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ec2:CreateTags",
+ "Resource": [
+ "arn:aws:ec2:*::snapshot/*",
+ "arn:aws:ec2:*::image/*"
+ ]
+ }
+ ]
+}
diff --git a/docs/aws-iam-policies/manage-policies.sh b/docs/aws-iam-policies/manage-policies.sh
new file mode 100755
index 0000000..eeb7895
--- /dev/null
+++ b/docs/aws-iam-policies/manage-policies.sh
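Review bot: In the vmimport policy, `ec2:ModifyImageAttribute`, `ec2:ModifySnapshotAttribute` and `ec2:DeleteVolume` are granted with `"Resource": "*"`, so the upload user can change launch and create-volume permissions (including making them public) on every AMI and snapshot in the account and delete any volume, not only the ones this import flow creates. Those Modify*/Delete* actions support resource-level permissions, so they could be moved into a second statement scoped by ARN or by a tag condition, which the existing `ec2:CreateTags` grant on snapshots and images already makes workable; the Describe* calls can stay on `*` as they do not support resource scoping. This applies equally to prod-account/fedora-cloud-plume-ami-vmimport, which this commit adds with identical contents.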
@@ -0,0 +1,182 @@
+#!/bin/bash
+set -eu -o pipefail
+
+SCRIPTDIR=$(dirname $0)
+
+add_policy() {
+ local policy_file=$1
+ local policy_basename=$(basename $policy_file)
+ local policy_name="${PREFIX}${policy_basename}"
+ local policy_arn="arn:aws:iam::${ACCOUNT}:policy/${policy_name}"
+ local group="${policy_name}"
+
+ set -x
+ aws iam create-policy --policy-name "${policy_name}" \
+ --policy-document "file://${policy_file}" \
+ --output json
+
+ aws iam create-group --group-name "${group}" --output json
+
+ aws iam attach-group-policy --group-name "${group}" \
+ --policy-arn "${policy_arn}" \
+ --output json
+
+ aws iam add-user-to-group --group-name "${group}" \
+ --user-name "${USER}" \
+ --output json
+ set +x
+}
+
+remove_policy() {
+ local policy_file=$1
+ local policy_basename=$(basename $policy_file)
+ local policy_name="${PREFIX}${policy_basename}"
+ local policy_arn="arn:aws:iam::${ACCOUNT}:policy/${policy_name}"
+ local group="${policy_name}"
+
+ set -x
+ aws iam remove-user-from-group --group-name "${group}" \
+ --user-name "${USER}" \
+ --output json || :
+ aws iam detach-group-policy --group-name "${group}" \
+ --policy-arn "${policy_arn}" \
+ --output json || :
+ aws iam delete-group --group-name "${group}" --output json || :
+ aws iam delete-policy --policy-arn "${policy_arn}" --output json || :
+ set +x
+
+}
+
+add_policies(){
+ set -x
+ aws s3 mb "s3://${BUCKET}" --region us-east-1 --output json
+ aws iam create-user --user-name "${USER}" --output json
+ set +x
+ for policy_file in $@; do
+ add_policy $policy_file
+ done
+
+# aws iam create-policy --policy-name "${POLICY}" \
+# --policy-document "file://$(readlink -f ${SCRIPTDIR}/prod-account/ami-vmimport)" \
+# --description "Allows one to import AMIs from files that have been uploaded to s3." \
+# --output json
+
+# aws iam create-group --group-name "${GROUP}" --output json
+
+# aws iam attach-group-policy --group-name "${GROUP}" \
+# --policy-arn "${POLICYARN}" \
+# --output json
+
+
+# aws iam add-user-to-group --group-name "${GROUP}" \
+# --user-name "${USER}" \
+# --output json
+
+ set -x
+ aws iam create-access-key --user-name "${USER}" --output json
+ set +x
+
+ #aws iam get-role-policy --role-name vmimport --policy-name vmimport | grep "${BUCKET}"
+ #if [ $? -ne 0 ]; then
+ # echo "You'll need to update your vmimport role to support uploading to the bucket"
+ #fi
+}
+
+remove_policies(){
+ set -x
+ aws s3 rb "s3://${BUCKET}" --force --region us-east-1 --output json || :
+ set +x
+ for policy_file in $@; do
+ remove_policy $policy_file
+ done
+ set -x
+ for key in $(aws iam list-access-keys --user-name "${USER}" | cut -f 2); do
+ aws iam delete-access-key --access-key-id "${key}" --user-name "${USER}" --output json
+ done
+ aws iam delete-user --user-name "${USER}" --output json || :
+ set +x
+
+# aws iam remove-user-from-group --group-name "${GROUP}" \
+# --user-name "${USER}" \
+# --output json || :
+# aws iam detach-group-policy --group-name "${GROUP}" \
+# --policy-arn "${POLICYARN}" \
+# --output json || :
+# aws iam delete-group --group-name "${GROUP}" --output json || :
+# aws iam delete-policy --policy-arn "${POLICYARN}" --output json || :
+}
+
+
+main() {
+
+ # Call getopt to validate the provided input.
+ options=$(getopt -o a,r,e: --longoptions add,remove,environment: -- "$@")
+ [ $? -eq 0 ] || {
+ echo "Incorrect options provided"
+ return 1
+ }
+ eval set -- "$options"
+ while true; do
+ case "$1" in
+ -a|--add)
+ ADD=1
+ ;;
+ -r|--remove)
+ REMOVE=1
+ ;;
+ -e|--environment)
+ shift; # The arg is next in position args
+ ENVIRONMENT=$1
+ if [[ ! $ENVIRONMENT =~ prod|dev ]]; then
+ echo '--environment must be "dev" or "prod"' 1>&2
+ return 1
+ fi
+ ;;
+ --)
+ shift
+ break
+ ;;
+ esac
+ shift
+ done
+
+ # Verify a proper environment option was provided
+ if [ "${ENVIRONMENT-}" == "prod" ] ;then
+ PREFIX=''
+ elif [ "${ENVIRONMENT-}" == "dev" ] ;then
+ PREFIX='prod-account-match-'
+ else
+ echo 'Must provide --environment=' 1>&2
+ return 1
+ fi
+
+ # Verify the provided policy files exist
+ for policy_file in $@; do
+ if [ ! -f $policy_file ]; then
+ echo 'Must provide paths to json policy definition files' 1>&2
+ return 1
+ fi
+ done
+
+ ACCOUNT=$(aws sts get-caller-identity | cut -f 1)
+ BUCKET="${PREFIX}fedora-cloud-plume-ami-vmimport"
+ USER="${PREFIX}fedora-cloud-plume"
+
+#GROUP="${PREFIX}ami-vmimport"
+#POLICY="${PREFIX}ami-vmimport"
+#POLICYARN="arn:aws:iam::${ACCOUNT}:policy/${PREFIX}ami-vmimport"
+
+ VMIMPORTPOLICYARN=arn:aws:iam::${ACCOUNT}:role/vmimport
+
+ if [ "${ADD-}" == "1" ] ;then
+ add_policies $@
+ elif [ "${REMOVE-}" == "1" ] ;then
+ remove_policies $@
+ else
+ echo 'Must provide --add or --remove' 1>&2
+ return 1
+ fi
+}
+
+main $@ || exit 1
+
diff --git a/docs/aws-iam-policies/prod-account/fedora-cloud-plume-ami-upload b/docs/aws-iam-policies/prod-account/fedora-cloud-plume-ami-upload
new file mode 100644
index 0000000..ee47f25
--- /dev/null
+++ b/docs/aws-iam-policies/prod-account/fedora-cloud-plume-ami-upload
@@ -0,0 +1,13 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "s3:*",
+ "Resource": [
+ "arn:aws:s3:::fedora-cloud-plume-ami-vmimport",
+ "arn:aws:s3:::fedora-cloud-plume-ami-vmimport/*"
+ ]
+ }
+ ]
+}
diff --git a/docs/aws-iam-policies/prod-account/fedora-cloud-plume-ami-vmimport b/docs/aws-iam-policies/prod-account/fedora-cloud-plume-ami-vmimport
new file mode 100644
index 0000000..9507fce
--- /dev/null
+++ b/docs/aws-iam-policies/prod-account/fedora-cloud-plume-ami-vmimport
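Review bot: `ACCOUNT=$(aws sts get-caller-identity | cut -f 1)` in main only yields the account id when the caller's CLI profile is configured for `text` output; with the default `json` format ACCOUNT becomes a JSON fragment, every `policy_arn` built from it is invalid, `--add` fails at attach-group-policy after the bucket, user and policy have already been created, and `--remove` silently skips detach/delete because those calls end in `|| :`. Request the field explicitly with `ACCOUNT=$(aws sts get-caller-identity --query Account --output text)`, and in remove_policies likewise `for key in $(aws iam list-access-keys --user-name "${USER}" --query 'AccessKeyMetadata[].AccessKeyId' --output text); do`, which also removes the dependence on `cut` column positions. Positional arguments are expanded unquoted throughout (`main $@`, `add_policies $@`, `remove_policies $@`, `for policy_file in $@`), so a policy path containing whitespace is split into several arguments; use `"$@"` and quote `$policy_file` in add_policy/remove_policy. `VMIMPORTPOLICYARN` is assigned but never read; either drop it or use it to implement the commented-out vmimport role check above it.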
@@ -0,0 +1,35 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:ImportVolume",
+ "ec2:RegisterImage",
+ "ec2:CancelConversionTask",
+ "ec2:ImportSnapshot",
+ "ec2:CopyImage",
+ "ec2:ModifyImageAttribute",
+ "ec2:DescribeImageAttribute",
+ "ec2:DescribeSnapshots",
+ "ec2:DescribeImportSnapshotTasks",
+ "ec2:DescribeImages",
+ "ec2:DeleteVolume",
+ "ec2:ModifySnapshotAttribute",
+ "ec2:DescribeAvailabilityZones",
+ "ec2:DescribeVolumes",
+ "ec2:CreateSnapshot",
+ "ec2:DescribeConversionTasks"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ec2:CreateTags",
+ "Resource": [
+ "arn:aws:ec2:*::snapshot/*",
+ "arn:aws:ec2:*::image/*"
+ ]
+ }
+ ]
+}