Utilities package for pynamodb.
Project description
AWS IAM Generator
Cross-account IAM resources made easier
Introduction
During my work as a cloud engineer, I often needed to deploy some IAM resources tangled together with some parameters. I had to do it so often I decided to wrap it all in a feasible and easy to use the library.
Generates AWS IAM Managed Policies and Roles for multiple accounts using the easy templating language. Example cross-account template and deployment execution shown below.
Installation
- Run
pip install pynamodb-utilsor executepython setup.py installin the source directory - Add
aws_iam_generatorto yourINSTALLED_APPS
Example
from iam_aws_generator import AWSIAMGenerator
example_roles_specification = {
'Regions': {
'PipelineRegion': {},
'AppsRegion': {}
},
'Accounts': {
'PipelineAccount': {
'Description': 'Account where deployment pipeline will be created',
'AccessRoleName': 'DefaultAccessRole'
},
'AppsAccount': {
'Description': 'Account where apps will be deployed',
'AccessRoleName': 'DefaultAccessRole'
},
'MaintenanceAccount': {
'Id': '123456789002',
'Description': 'Remote account owned by Workload Provider that will be performing maintenance tasks'
}
},
'Variables': {
'HostedZoneID': {
'Type': 'string',
'Description': 'Hosted Zone ID of workload domain'
},
'TrustRolesArns': {
'Type': 'list(string)',
'Description': 'Operations Account of Workload Provider and customer.'
}
},
'Policies': {
'Route53Policy': {
'Description': 'Policy that enables a user to perform actions on Route53',
'PolicyDocument': {
'Version': '2012-10-17',
'Statement': [
{
'Action': ['route53:*'],
'Resource': [
'arn:aws:route53:::hostedzone/{{Variables.HostedZoneID.Value}}',
'arn:aws:route53:::healthcheck/{{Variables.HostedZoneID.Value}}'
],
'Effect': 'Allow'
}
]
}
},
'DeployPipelinePolicy': {
'Description': 'Policy that enables to deploy pipeline',
'PolicyDocument': {
'Version': '2012-10-17',
'Statement': [
{
'Action': [
'cloudformation:CreateStack',
'cloudformation:DescribeStackEvents',
'cloudformation:DescribeStacks',
'cloudformation:UpdateStack'
],
'Effect': 'Allow',
'Resource': [
'arn:aws:cloudformation:{{Regions.PipelineRegion.Id}}:{{Accounts.PipelineAccount.Id}}:stack/deployment-pipeline/*'
]
},
{
'Action': [
's3:CreateBucket',
's3:GetObject',
's3:ListBucket',
's3:PutObject'
],
'Effect': 'Allow',
'Resource': 'arn:aws:s3:::{{Regions.PipelineRegion.Id}}-pipeline-bucket'
}
]
}
},
'DeployAppPolicy': {
'Description': 'Policy that enables to deploy pipeline',
'PolicyDocument': {
'Version': '2012-10-17',
'Statement': [
{
'Action': [
's3:CreateBucket',
's3:GetObject',
's3:ListBucket',
's3:PutObject'
],
'Effect': 'Allow',
'Resource': 'arn:aws:s3:::{{Accounts.AppsAccount.Id}}-{{Regions.AppsRegion.Id}}-app-bucket'
}
]
}
}
},
'Roles': {
'DNSRole': {
'Trusts': [
'Variables.TrustRolesArns.Value',
'Accounts.MaintenanceAccount.Id',
'Roles.DeployAppRole.Arn'
],
'ManagedPolicies': ['Policies.Route53Policy'],
'InAccounts': ['Accounts.AppsAccount.Id']
},
'DeployPipelineRole': {
'Trusts': ['Accounts.MaintenanceAccount.Id'],
'ManagedPolicies': ['Policies.DeployPipelinePolicy'],
'InAccounts': ['Accounts.PipelineAccount.Id']},
'DeployAppRole': {
'Trusts': ['Accounts.PipelineAccount.Id'],
'ManagedPolicies': ['Policies.DeployAppPolicy'],
'InAccounts': ['Accounts.AppsAccount.Id']
},
'APIGatewayCloudWatchLogRole': {
'Trusts': ['apigateway.amazonaws.com'],
'ManagedPolicies': ['arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs'],
'InAccounts': ['Accounts.AppsAccount.Id']
}
},
'ServiceLinkedRoles': {
'AWSServiceRoleForECS': {
'ServiceName': 'ecs.amazonaws.com',
'InAccounts': [
'Accounts.PipelineAccount.Id',
'Accounts.AppsAccount.Id'
]
}
}
}
generator = AWSIAMGenerator(reference_name='test')
generator.load_spec(spec=example_roles_specification)
generator.set_parameters(
Accounts={
'AppsAccount': {
"Id": '112345678901'
},
'PipelineAccount': {
"Id": '212345678901'
}
},
Regions={
'PipelineRegion': {
"Id": "us-east-1"
},
'AppsRegion': {
"Id": "us-east-1"
}
},
Variables={
"HostedZoneID": {
"Value": "*"
},
"TrustRolesArns": {
"Value": ["arn:aws:iam::123456789011:role/ExternalAccessRole"]
}
}
)
generator.deploy()
Links
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
aws-iam-generator-0.9.2.tar.gz
(13.6 kB
view details)
Built Distribution
File details
Details for the file aws-iam-generator-0.9.2.tar.gz.
File metadata
- Download URL: aws-iam-generator-0.9.2.tar.gz
- Upload date:
- Size: 13.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.3.0 pkginfo/1.7.0 requests/2.25.1 setuptools/47.1.0 requests-toolbelt/0.9.1 tqdm/4.56.2 CPython/3.7.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | d142ac79ad644d91cfbd5b97c5e30e70adfeb3248827a3a3390fc20cc8cf3b47 |
|
| MD5 | daf73e1b21801e225e5fa44d95472b8f |
|
| BLAKE2b-256 | d2577fbc902e0d5829f53d664ec1dab4595da0e80e01bdfdae387cb61dbc2983 |
File details
Details for the file aws_iam_generator-0.9.2-py3-none-any.whl.
File metadata
- Download URL: aws_iam_generator-0.9.2-py3-none-any.whl
- Upload date:
- Size: 19.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.3.0 pkginfo/1.7.0 requests/2.25.1 setuptools/47.1.0 requests-toolbelt/0.9.1 tqdm/4.56.2 CPython/3.7.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 2a90a209667a9c226e6d841049e71ca53f2fb57cd06b95fff6bdac0d662965d1 |
|
| MD5 | b9ff8e8043dc8cb1df844a50e4dddbb7 |
|
| BLAKE2b-256 | 6ddb2543ad4899873c8a52ea7aca99886fc0603a09c27d1ca1994ce3c2958776 |
