Utilities package for pynamodb.
Project description
AWS IAM Generator
Cross-account IAM resources made easier
Introduction
During my work as a cloud engineer, I often needed to deploy some IAM resources tangled together with some parameters. I had to do it so often I decided to wrap it all in a feasible and easy to use the library.
Generates AWS IAM Managed Policies and Roles for multiple accounts using the easy templating language. Example cross-account template and deployment execution shown below.
Underneath python code reads JSON template and compiles it into cloudformation templates which next will be deployed. Library serializes and validates input to prevent users from making any mistakes.
Installation
- Run
pip install pynamodb-utilsor executepython setup.py installin the source directory - Add
aws_iam_generatorto yourINSTALLED_APPS
Example
from iam_aws_generator import AWSIAMGenerator
example_roles_specification = {
'Regions': {
'PipelineRegion': {},
'AppsRegion': {}
},
'Accounts': {
'PipelineAccount': {
'Description': 'Account where deployment pipeline will be created',
'AccessRoleName': 'DefaultAccessRole'
},
'AppsAccount': {
'Description': 'Account where apps will be deployed',
'AccessRoleName': 'DefaultAccessRole'
},
'MaintenanceAccount': {
'Id': '123456789002',
'Description': 'Remote account owned by Workload Provider that will be performing maintenance tasks'
}
},
'Variables': {
'HostedZoneID': {
'Type': 'string',
'Description': 'Hosted Zone ID of workload domain'
},
'TrustRolesArns': {
'Type': 'list(string)',
'Description': 'Operations Account of Workload Provider and customer.'
}
},
'Policies': {
'Route53Policy': {
'Description': 'Policy that enables a user to perform actions on Route53',
'PolicyDocument': {
'Version': '2012-10-17',
'Statement': [
{
'Action': ['route53:*'],
'Resource': [
'arn:aws:route53:::hostedzone/{{Variables.HostedZoneID.Value}}',
'arn:aws:route53:::healthcheck/{{Variables.HostedZoneID.Value}}'
],
'Effect': 'Allow'
}
]
}
},
'DeployPipelinePolicy': {
'Description': 'Policy that enables to deploy pipeline',
'PolicyDocument': {
'Version': '2012-10-17',
'Statement': [
{
'Action': [
'cloudformation:CreateStack',
'cloudformation:DescribeStackEvents',
'cloudformation:DescribeStacks',
'cloudformation:UpdateStack'
],
'Effect': 'Allow',
'Resource': [
'arn:aws:cloudformation:{{Regions.PipelineRegion.Id}}:{{Accounts.PipelineAccount.Id}}:stack/deployment-pipeline/*'
]
},
{
'Action': [
's3:CreateBucket',
's3:GetObject',
's3:ListBucket',
's3:PutObject'
],
'Effect': 'Allow',
'Resource': 'arn:aws:s3:::{{Regions.PipelineRegion.Id}}-pipeline-bucket'
}
]
}
},
'DeployAppPolicy': {
'Description': 'Policy that enables to deploy pipeline',
'PolicyDocument': {
'Version': '2012-10-17',
'Statement': [
{
'Action': [
's3:CreateBucket',
's3:GetObject',
's3:ListBucket',
's3:PutObject'
],
'Effect': 'Allow',
'Resource': 'arn:aws:s3:::{{Accounts.AppsAccount.Id}}-{{Regions.AppsRegion.Id}}-app-bucket'
}
]
}
}
},
'Roles': {
'DNSRole': {
'Trusts': [
'Variables.TrustRolesArns.Value',
'Accounts.MaintenanceAccount.Id',
'Roles.DeployAppRole.Arn'
],
'ManagedPolicies': ['Policies.Route53Policy'],
'InAccounts': ['Accounts.AppsAccount.Id']
},
'DeployPipelineRole': {
'Trusts': ['Accounts.MaintenanceAccount.Id'],
'ManagedPolicies': ['Policies.DeployPipelinePolicy'],
'InAccounts': ['Accounts.PipelineAccount.Id']},
'DeployAppRole': {
'Trusts': ['Accounts.PipelineAccount.Id'],
'ManagedPolicies': ['Policies.DeployAppPolicy'],
'InAccounts': ['Accounts.AppsAccount.Id']
},
'APIGatewayCloudWatchLogRole': {
'Trusts': ['apigateway.amazonaws.com'],
'ManagedPolicies': ['arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs'],
'InAccounts': ['Accounts.AppsAccount.Id']
}
},
'ServiceLinkedRoles': {
'AWSServiceRoleForECS': {
'ServiceName': 'ecs.amazonaws.com',
'InAccounts': [
'Accounts.PipelineAccount.Id',
'Accounts.AppsAccount.Id'
]
}
}
}
generator = AWSIAMGenerator(reference_name='test')
generator.load_spec(spec=example_roles_specification)
generator.set_parameters(
Accounts={
'AppsAccount': {
"Id": '112345678901'
},
'PipelineAccount': {
"Id": '212345678901'
}
},
Regions={
'PipelineRegion': {
"Id": "us-east-1"
},
'AppsRegion': {
"Id": "us-east-1"
}
},
Variables={
"HostedZoneID": {
"Value": "*"
},
"TrustRolesArns": {
"Value": ["arn:aws:iam::123456789011:role/ExternalAccessRole"]
}
}
)
generator.deploy()
Links
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
aws-iam-generator-0.9.3.tar.gz
(13.8 kB
view details)
Built Distribution
File details
Details for the file aws-iam-generator-0.9.3.tar.gz.
File metadata
- Download URL: aws-iam-generator-0.9.3.tar.gz
- Upload date:
- Size: 13.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.3.0 pkginfo/1.7.0 requests/2.25.1 setuptools/47.1.0 requests-toolbelt/0.9.1 tqdm/4.56.2 CPython/3.7.10
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | c2139cdf13c51fb30814f258e08b7890271e8eded2e76e7e7a8d2bfea62269d0 |
|
| MD5 | d8519fcf20a4b39f279431f5f83d19d4 |
|
| BLAKE2b-256 | 56078dc9b9e16a9d0bdaf58c27ee877754a5de9ec45e8a0287925e6b0c43ba75 |
File details
Details for the file aws_iam_generator-0.9.3-py3-none-any.whl.
File metadata
- Download URL: aws_iam_generator-0.9.3-py3-none-any.whl
- Upload date:
- Size: 19.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.3.0 pkginfo/1.7.0 requests/2.25.1 setuptools/47.1.0 requests-toolbelt/0.9.1 tqdm/4.56.2 CPython/3.7.10
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | deca0c5e6d2eb9db3346ac098f032b6d7fbe0dc3e35c66e37d9289ac43505442 |
|
| MD5 | f7a1cd54163046cb1caa4044bbb13e0c |
|
| BLAKE2b-256 | 9deca3f4278591c6c31079cf7bcac9f0d4770aab88b82c9ab3a48934d9e69034 |
