feat: add external role app (#329)

Add a new template for setting up an IAM role to be assumed by poller.

Makefile

@@ -301,14 +301,14 @@ version:
 	echo "$(VERSION)"
 
 .PHONY: parameters
-parameters-%:
+parameters-%: # @HELP generate parameters list for documentation purposes.
 	@echo "| Parameter       | Type    | Description |"
 	@echo "|-----------------|---------|-------------|"
 	@python3 -c 'import sys, yaml, json; y=yaml.safe_load(sys.stdin.read()); print(json.dumps(y))' < $(SAM_BUILD_DIR)/regions/$(AWS_REGION)/$(lastword $(subst -, , $@)).yaml | jq -r '.Parameters | to_entries[] | "| \(if .value.Default then "" else "**" end)`\(.key)`\(if .value.Default then "" else "**" end) | \(.value.Type) | \(.value.Description |  gsub("[\\n\\t]"; " ")) |"'
 
 
-.PHONY: parameters
-outputs-%:
+.PHONY: outputs
+outputs-%: # @HELP generate outputs list for documentation purposes.
 	@echo "| Output       |  Description |"
 	@echo "|-----------------|-------------|"
 	@python3 -c 'import sys, yaml, json; y=yaml.safe_load(sys.stdin.read()); print(json.dumps(y))' < $(SAM_BUILD_DIR)/regions/$(AWS_REGION)/$(lastword $(subst -, , $@)).yaml | jq -r '.Outputs | to_entries[] | "| \(.key) | \(.value.Description |  gsub("[\\n\\t]"; " ")) |"'

apps/externalrole/README.md

@@ -0,0 +1,3 @@
+# External Role
+
+[docs/externalrole.md](../docs/externalrole.md)

apps/externalrole/template.yaml

@@ -0,0 +1,86 @@
+---
+AWSTemplateFormatVersion: '2010-09-09'
+Transform: AWS::Serverless-2016-10-31
+Description: 'Allow external entity to execute AWS actions.'
+Metadata:
+  AWS::ServerlessRepo::Application:
+    Name: observe-poller
+    Description: Allow external entity to execute AWS actions.
+    Author: Observe Inc
+    SpdxLicenseId: Apache-2.0
+    ReadmeUrl: README.md
+    HomePageUrl: https://github.com/observeinc/aws-sam-apps
+    SemanticVersion: '0.0.5'
+    SourceCodeUrl: https://github.com/observeinc/aws-sam-apps
+
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: Role Configuration
+        Parameters:
+          - ObserveAwsAccountId
+          - AllowedActions
+          - DatastreamIds
+          - NameOverride
+Parameters:
+  ObserveAwsAccountId:
+    Type: String
+    Description: >-
+      Observe AWS Account ID which will be allowed to assume role.
+    AllowedPattern: '\d+'
+  AllowedActions:
+    Type: CommaDelimitedList
+    Description: >-
+      IAM actions that Observe account is allowed to execute.
+  DatastreamIds:
+    Type: CommaDelimitedList
+    Description: >-
+      Datastream IDs where data will be ingested to. This ensures Observe
+      cannot assume this role outside of this context.
+    AllowedPattern: '\d+'
+  NameOverride:
+    Type: String
+    Description: >-
+      Name of IAM role expected by Poller. In the absence of a value, the stack
+      name will be used.
+    Default: ''
+    MaxLength: 64
+Conditions:
+  UseStackName: !Equals
+    - !Ref NameOverride
+    - ''
+
+Resources:
+  Role:
+    Type: 'AWS::IAM::Role'
+    Properties:
+      RoleName: !If
+        - UseStackName
+        - !Ref AWS::StackName
+        - !Ref NameOverride
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Principal:
+              AWS:
+                - !Sub "arn:aws:iam::${ObserveAwsAccountId}:root"
+            Action:
+              - 'sts:AssumeRole'
+            Condition:
+              StringEquals:
+                sts:ExternalId: !Ref DatastreamIds
+      Path: /
+      Policies:
+        - PolicyName: AllowedActions
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Effect: Allow
+                Action: !Ref AllowedActions
+                Resource: '*'
+Outputs:
+  RoleArn:
+    Description: >-
+      IAM Role ARN. This role will be assumed by Observe in order to pull data.
+    Value: !GetAtt Role.Arn

docs/externalrole.md

@@ -0,0 +1,22 @@
+# Observe External Role
+
+The External Role template sets up an IAM role that can be assumed by Observe in order to collect metrics and API data.
+
+## Template Configuration
+
+### Parameters
+
+The stack supports the following parameters:
+
+| Parameter       | Type    | Description |
+|-----------------|---------|-------------|
+| **`ObserveAwsAccountId`** | String | Observe AWS Account ID which will be allowed to assume role. |
+| **`AllowedActions`** | CommaDelimitedList | IAM actions that Observe account is allowed to execute. |
+| **`DatastreamIds`** | CommaDelimitedList | Datastream IDs where data will be ingested to. This ensures Observe cannot assume this role outside of this context. |
+| `NameOverride` | String | Name of IAM role expected by Poller. In the absence of a value, the stack name will be used. |
+
+### Outputs
+
+| Output       |  Description |
+|-----------------|-------------|
+| RoleArn | IAM Role ARN. This role will be assumed by Observe in order to pull data. |

integration/tests/externalrole.tftest.hcl

@@ -0,0 +1,68 @@
+variables {
+  install_policy_json = <<-EOF
+  {
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+        "Action": [
+          "cloudformation:CreateChangeSet",
+          "cloudformation:CreateStack",
+          "cloudformation:DeleteChangeSet",
+          "cloudformation:DeleteStack",
+          "cloudformation:DescribeStacks",
+          "iam:AttachRolePolicy",
+          "iam:CreateRole",
+          "iam:DeleteRole",
+          "iam:DeleteRolePolicy",
+          "iam:DetachRolePolicy",
+          "iam:GetRole",
+          "iam:GetRolePolicy",
+          "iam:ListAttachedRolePolicies",
+          "iam:ListRolePolicies",
+          "iam:PutRolePolicy",
+          "iam:TagRole",
+          "iam:UpdateRole"
+        ],
+        "Resource": "*"
+      }
+    ]
+  }
+EOF
+}
+
+run "setup" {
+  module {
+    source  = "observeinc/collection/aws//modules/testing/setup"
+    version = "2.9.0"
+  }
+}
+
+run "create_bucket" {
+  module {
+    source  = "observeinc/collection/aws//modules/testing/s3_bucket"
+    version = "2.9.0"
+  }
+
+  variables {
+    setup = run.setup
+  }
+}
+
+run "install" {
+  variables {
+    setup = run.setup
+    app   = "externalrole"
+    parameters = {
+      ObserveAwsAccountId = "158067661102"
+      AllowedActions      = "cloudwatch:GetMetricsData,cloudwatch:ListMetrics"
+      DatastreamIds       = "411000001"
+      NameOverride        = run.setup.id
+    }
+    capabilities = [
+      "CAPABILITY_IAM",
+      "CAPABILITY_NAMED_IAM",
+      "CAPABILITY_AUTO_EXPAND",
+    ]
+  }
+}