-
Notifications
You must be signed in to change notification settings - Fork 1
/
infra.yml
289 lines (289 loc) · 8.98 KB
/
infra.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
AWSTemplateFormatVersion: "2010-09-09"
Transform: [AWS::Serverless-2016-10-31, SFNYAML]
Parameters:
DefaultRegions:
Type: List<String>
Default: ""
KmsKeyArn:
Type: String
Default: ""
OutputBucket:
Type: String
Default: ""
OutputKeyPattern:
Type: String
Default: StepEverywhere/{{ .Function }}/{{ .FunctionQualifier }}/{{ .ExecutionId }}/{{ .AccountId }}/{{ .Region }}.json
Conditions:
CreateBucket: !Equals [!Ref OutputBucket, ""]
CreateKey: !Equals [!Ref KmsKeyArn, ""]
Resources:
Bucket:
Type: AWS::S3::Bucket
Condition: CreateBucket
DeletionPolicy: Retain
Key:
Type: AWS::KMS::Key
Condition: CreateKey
Properties:
PendingWindowInDays: 7
KeyPolicy:
Version: "2012-10-17"
Id: key-policy
Statement:
- Sid: Enable IAM User Permissions
Effect: Allow
Action: kms:*
Resource: "*"
Principal:
AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
- Sid: Allow encrypt only to role assumer
Effect: Deny
Action: kms:Encrypt
Resource: "*"
Principal: "*"
Condition:
StringNotEquals:
aws:PrincipalArn: !GetAtt AssumeRoleFunctionRole.Arn
- Sid: Deny decrypt to cheeky people
Effect: Deny
Action: kms:Decrypt
Resource: "*"
Principal: "*"
Condition:
StringNotEquals:
kms:EncryptionContext:Recipient: "${aws:PrincipalArn}"
StepRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action: sts:AssumeRole
Principal:
Service: !Sub states.${AWS::Region}.amazonaws.com
Policies:
- PolicyName: StatesExecutionPolicy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action: lambda:InvokeFunction
Resource:
- !GetAtt GrantCreatorFunction.Arn
- !GetAtt CollectorFunction.Arn
- !GetAtt AssumeRoleFunction.Arn
- !GetAtt GrantRevokerFunction.Arn
- Effect: Allow
Action: lambda:InvokeFunction
# it would be nice if we could use resource tags instead of a name prefix,
# but this isn't possible as at the time of writing.
Resource: arn:aws:lambda:*:*:function:StepEverywhere_*
StateMachine:
Type: AWS::StepFunctions::StateMachine
Properties:
RoleArn: !GetAtt StepRole.Arn
DefinitionString:
StartAt: Create grant
States:
Create grant:
Type: Task
Resource: arn:aws:states:::lambda:invoke
Parameters:
FunctionName: !GetAtt GrantCreatorFunction.Arn
Payload:
Function.$: $$.Execution.Input.Function
ExecutionId.$: $$.Execution.Id
ResultPath: $.Grant
Next: Collect account ids
Collect account ids:
Type: Task
Resource: !GetAtt CollectorFunction.Arn
ResultPath: $.Contexts
Next: For each account
Catch:
- Next: Revoke grant
ResultPath: $.Error
ErrorEquals: [States.ALL]
For each account:
Type: Map
ItemsPath: $.Contexts.Contexts
ResultPath: null
Next: Revoke grant
Catch:
- Next: Revoke grant
ResultPath: $.Error
ErrorEquals: [States.ALL]
Parameters:
Context.$: $$.Map.Item.Value
ExecutionId.$: $$.Execution.Id
Function.$: $$.Execution.Input.Function
Grant.$: $.Grant.Payload.GrantToken
Grantee.$: $.Grant.Payload.Grantee
Iterator:
StartAt: Assume role
States:
Assume role:
Type: Task
Resource: !GetAtt AssumeRoleFunction.Arn
Next: Worker
Worker:
Type: Task
Resource: arn:aws:states:::lambda:invoke
Parameters:
FunctionName.$: $$.Execution.Input.Function
Payload:
Context.$: $.Context
Credentials.$: $.Credentials
Payload.$: $$.Execution.Input.Payload
ResultPath: null
End: true
Revoke grant:
Type: Task
Resource: !GetAtt GrantRevokerFunction.Arn
Parameters:
GrantId.$: $.Grant.Payload.GrantId
ResultPath: null
End: true
CollectorFunction:
Type: AWS::Serverless::Function
Properties:
Runtime: go1.x
Handler: step-everywhere
CodeUri: ./step-everywhere
MemorySize: 128
Timeout: 30
AutoPublishAlias: live
Environment:
Variables:
Mode: Collector
DefaultRegionsCsv: !Join [",", !Ref DefaultRegions]
Policies:
- Version: '2012-10-17'
Statement:
- Effect: Allow
Resource: "*"
Action: organizations:ListAccounts
AssumeRoleFunction:
Type: AWS::Serverless::Function
Properties:
Runtime: go1.x
Handler: step-everywhere
CodeUri: ./step-everywhere
MemorySize: 128
Timeout: 30
AutoPublishAlias: live
Role: !GetAtt AssumeRoleFunctionRole.Arn
Environment:
Variables:
Mode: AssumeRole
KmsKeyId: !If
- CreateKey
- !GetAtt Key.Arn
- !Ref KmsKeyArn
OutputKeyPattern: !Ref OutputKeyPattern
RoleSessionPattern: StepEverywhere-{{ .ExecutionId }}
OutputBucket: !If
- CreateBucket
- !Ref Bucket
- !Ref OutputBucket
AssumeRoleFunctionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action: sts:AssumeRole
Principal:
Service: lambda.amazonaws.com
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Policies:
- PolicyName: AllowThings
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action: s3:PutObject
Resource: !Sub
- arn:aws:s3:::${OutputBucket}/*
- OutputBucket: !If
- CreateBucket
- !Ref Bucket
- !Ref OutputBucket
- Effect: Allow
Action: sts:AssumeRole
Resource: "*"
Condition:
StringEquals:
iam:ResourceTag/stepeverywhere:assumable: true
RoleAssumerKmsPolicy:
Type: AWS::IAM::Policy
Properties:
Roles: [!Ref AssumeRoleFunctionRole]
PolicyName: AllowKms
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action: kms:Encrypt
Resource: !If
- CreateKey
- !GetAtt Key.Arn
- !Ref KmsKeyArn
GrantRevokerFunction:
Type: AWS::Serverless::Function
Properties:
Runtime: go1.x
Handler: step-everywhere
CodeUri: ./step-everywhere
MemorySize: 128
Timeout: 30
AutoPublishAlias: live
Environment:
Variables:
Mode: GrantRevoker
KmsKeyId: !If
- CreateKey
- !GetAtt Key.Arn
- !Ref KmsKeyArn
Policies:
- Version: '2012-10-17'
Statement:
- Effect: Allow
Action: kms:RevokeGrant
Resource: !If
- CreateKey
- !GetAtt Key.Arn
- !Ref KmsKeyArn
GrantCreatorFunction:
Type: AWS::Serverless::Function
Properties:
Runtime: go1.x
Handler: step-everywhere
CodeUri: ./step-everywhere
MemorySize: 128
Timeout: 30
AutoPublishAlias: live
Environment:
Variables:
Mode: GrantCreator
KmsKeyId: !If
- CreateKey
- !GetAtt Key.Arn
- !Ref KmsKeyArn
Policies:
- Version: '2012-10-17'
Statement:
- Effect: Allow
Action: kms:CreateGrant
Resource: !If
- CreateKey
- !GetAtt Key.Arn
- !Ref KmsKeyArn
- Effect: Allow
Action: lambda:GetFunction
# (as above) it would be nice if we could use resource tags instead of a
# name prefix, but this isn't possible as at the time of writing.
Resource: arn:aws:lambda:*:*:function:StepEverywhere_*