Add a new template for setting up an IAM role to be assumed by poller.
Showing 5 changed files with 182 additions and 3 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
# External Role | ||
|
||
[docs/externalrole.md](../docs/externalrole.md) |
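Review bot: this README consists only of a relative link to `../docs/externalrole.md`, but the template's SAR metadata sets `ReadmeUrl: README.md`, and the Serverless Application Repository renders the content of that file outside the repository tree, so the relative link will not resolve for anyone reading the published listing. Inline at least the one-paragraph description and the parameter table from `docs/externalrole.md`, or make the link absolute using the repository URL already given in `HomePageUrl`.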
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,86 @@ | ||
--- | ||
AWSTemplateFormatVersion: '2010-09-09' | ||
Transform: AWS::Serverless-2016-10-31 | ||
Description: 'Allow external entity to execute AWS actions.' | ||
Metadata: | ||
AWS::ServerlessRepo::Application: | ||
Name: observe-poller | ||
Description: Allow external entity to execute AWS actions. | ||
Author: Observe Inc | ||
SpdxLicenseId: Apache-2.0 | ||
ReadmeUrl: README.md | ||
HomePageUrl: https://github.com/observeinc/aws-sam-apps | ||
SemanticVersion: '0.0.5' | ||
SourceCodeUrl: https://github.com/observeinc/aws-sam-apps | ||
|
||
AWS::CloudFormation::Interface: | ||
ParameterGroups: | ||
- Label: | ||
default: Role Configuration | ||
Parameters: | ||
- ObserveAwsAccountId | ||
- AllowedActions | ||
- DatastreamIds | ||
- NameOverride | ||
Parameters: | ||
ObserveAwsAccountId: | ||
Type: String | ||
Description: >- | ||
Observe AWS Account ID which will be allowed to assume role. | ||
AllowedPattern: '\d+' | ||
AllowedActions: | ||
Type: CommaDelimitedList | ||
Description: >- | ||
IAM actions that Observe account is allowed to execute. | ||
DatastreamIds: | ||
Type: CommaDelimitedList | ||
Description: >- | ||
Datastream IDs where data will be ingested to. This ensures Observe | ||
cannot assume this role outside of this context. | ||
AllowedPattern: '\d+' | ||
NameOverride: | ||
Type: String | ||
Description: >- | ||
Name of IAM role expected by Poller. In the absence of a value, the stack | ||
name will be used. | ||
Default: '' | ||
MaxLength: 64 | ||
Conditions: | ||
UseStackName: !Equals | ||
- !Ref NameOverride | ||
- '' | ||
|
||
Resources: | ||
Role: | ||
Type: 'AWS::IAM::Role' | ||
Properties: | ||
RoleName: !If | ||
- UseStackName | ||
- !Ref AWS::StackName | ||
- !Ref NameOverride | ||
AssumeRolePolicyDocument: | ||
Version: 2012-10-17 | ||
Statement: | ||
- Effect: Allow | ||
Principal: | ||
AWS: | ||
- !Sub "arn:aws:iam::${ObserveAwsAccountId}:root" | ||
Action: | ||
- 'sts:AssumeRole' | ||
Condition: | ||
StringEquals: | ||
sts:ExternalId: !Ref DatastreamIds | ||
Path: / | ||
Policies: | ||
- PolicyName: AllowedActions | ||
PolicyDocument: | ||
Version: 2012-10-17 | ||
Statement: | ||
- Effect: Allow | ||
Action: !Ref AllowedActions | ||
Resource: '*' | ||
Outputs: | ||
RoleArn: | ||
Description: >- | ||
IAM Role ARN. This role will be assumed by Observe in order to pull data. | ||
Value: !GetAtt Role.Arn |
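Review bot: the inline policy at `Action: !Ref AllowedActions` / `Resource: '*'` grants whatever the deployer passes on every resource in the account, and unlike `ObserveAwsAccountId` and `DatastreamIds` the `AllowedActions` parameter carries no `AllowedPattern`, so a value such as `*` or `iam:*` is accepted without complaint. Add a pattern that rejects wildcard actions and document in the description that the list is expected to hold the read-only collection actions the docs describe. Separately, `MaxLength: 64` is only enforced on `NameOverride`; when `UseStackName` is true the role name becomes `AWS::StackName`, which may be up to 128 characters, so an overlong stack name fails late in IAM rather than at parameter validation. Document the limit or guard against it.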
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
# Observe External Role | ||
|
||
The External Role template sets up an IAM role that can be assumed by Observe in order to collect metrics and API data. | ||
|
||
## Template Configuration | ||
|
||
### Parameters | ||
|
||
The stack supports the following parameters: | ||
|
||
| Parameter | Type | Description | | ||
|-----------------|---------|-------------| | ||
| **`ObserveAwsAccountId`** | String | Observe AWS Account ID which will be allowed to assume role. | | ||
| **`AllowedActions`** | CommaDelimitedList | IAM actions that Observe account is allowed to execute. | | ||
| **`DatastreamIds`** | CommaDelimitedList | Datastream IDs where data will be ingested to. This ensures Observe cannot assume this role outside of this context. | | ||
| `NameOverride` | String | Name of IAM role expected by Poller. In the absence of a value, the stack name will be used. | | ||
|
||
### Outputs | ||
|
||
| Output | Description | | ||
|-----------------|-------------| | ||
| RoleArn | IAM Role ARN. This role will be assumed by Observe in order to pull data. | |
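Review bot: the Parameters table says what each value is but not how the template uses it, which is what a deployer needs in order to judge the grant: `DatastreamIds` becomes the `sts:ExternalId` condition on the trust policy (the caller must present one of those IDs as its external ID or the assume-role call is refused), `AllowedActions` is attached as an inline policy on `Resource: '*'`, and the trust is to `arn:aws:iam::<ObserveAwsAccountId>:root`, i.e. any principal in that account. Add a sentence for each, and mention the 64-character limit on `NameOverride`.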
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,68 @@ | ||
variables { | ||
install_policy_json = <<-EOF | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Effect": "Allow", | ||
"Action": [ | ||
"cloudformation:CreateChangeSet", | ||
"cloudformation:CreateStack", | ||
"cloudformation:DeleteChangeSet", | ||
"cloudformation:DeleteStack", | ||
"cloudformation:DescribeStacks", | ||
"iam:AttachRolePolicy", | ||
"iam:CreateRole", | ||
"iam:DeleteRole", | ||
"iam:DeleteRolePolicy", | ||
"iam:DetachRolePolicy", | ||
"iam:GetRole", | ||
"iam:GetRolePolicy", | ||
"iam:ListAttachedRolePolicies", | ||
"iam:ListRolePolicies", | ||
"iam:PutRolePolicy", | ||
"iam:TagRole", | ||
"iam:UpdateRole" | ||
], | ||
"Resource": "*" | ||
} | ||
] | ||
} | ||
EOF | ||
} | ||
|
||
run "setup" { | ||
module { | ||
source = "observeinc/collection/aws//modules/testing/setup" | ||
version = "2.9.0" | ||
} | ||
} | ||
|
||
run "create_bucket" { | ||
module { | ||
source = "observeinc/collection/aws//modules/testing/s3_bucket" | ||
version = "2.9.0" | ||
} | ||
|
||
variables { | ||
setup = run.setup | ||
} | ||
} | ||
|
||
run "install" { | ||
variables { | ||
setup = run.setup | ||
app = "externalrole" | ||
parameters = { | ||
ObserveAwsAccountId = "158067661102" | ||
AllowedActions = "cloudwatch:GetMetricsData,cloudwatch:ListMetrics" | ||
DatastreamIds = "411000001" | ||
NameOverride = run.setup.id | ||
} | ||
capabilities = [ | ||
"CAPABILITY_IAM", | ||
"CAPABILITY_NAMED_IAM", | ||
"CAPABILITY_AUTO_EXPAND", | ||
] | ||
} | ||
} |
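Review bot: `AllowedActions = "cloudwatch:GetMetricsData,cloudwatch:ListMetrics"` names an action that does not exist; the CloudWatch API is `GetMetricData`, so the IAM action is `cloudwatch:GetMetricData`. IAM does not reject unrecognised action names when the policy is created, so this test still passes while the role is granted nothing usable. Fix the spelling and, since `install` only exercises stack creation, consider a follow-up run that assumes the role with `ExternalId = "411000001"` and calls one of the allowed actions, so that both the trust condition and the action list are actually verified. The `create_bucket` run is not referenced by `install` and looks unused here.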