kumogata-template example
#
# iam-and-s3
#
require 'aws-sdk'
$: << File.dirname(__FILE__)
### common local library
require 'meta'
require 'aws'
# Template header. The Description heredoc is passed through `undent`, which is
# not core Ruby — presumably provided by kumogata or the local `meta`/`aws`
# libraries required above; check there for its exact whitespace handling.
AWSTemplateFormatVersion "2010-09-09"
Description (<<-EOS).undent
iam-user,
included all IAM users and S3
EOS
Parameters do
  # Name of this stack. Several environments are built from the same code, so
  # the value is supplied per deployment via --parameter instead of hard-coded.
  _parameter "stack name", default: "", description: "the name of this stack"
  # Additional parameter definitions pulled in from a local file (parameter.rb).
  # `name` and `stage` are presumably substituted inside that file — verify there.
  _include "parameter.rb", name: "iam-and-s3", stage: ""
  # Bucket names; with the defaults the buckets `infra` and `infra-dev` are created.
  _parameter "bucket name", default: "infra", description: "infra bucket name"
  _parameter "dev bucket name", default: "infra-dev", description: "infra-dev bucket name"
end
Mappings do
  # No Mappings are defined in this template; the section is left empty.
end
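Resources do
  # Policy documents live in meta.rb as Ruby Hashes named after the principal:
  # "foo bar" -> FOO_BAR_POLICY. A constant lookup replaces the original
  # eval("#{...}_POLICY"): identical result for a valid top-level constant name,
  # but no arbitrary-code path should an entry in USERS/ROLES ever come from a
  # less trusted place than meta.rb.
  policy_document_for = lambda do |principal|
    Object.const_get("#{principal.tr(' ', '_').upcase}_POLICY")
  end

  # Programmatic IAM users: one user, one access key, one inline policy each.
  USERS.each do |user|
    _iam_user user
    _iam_access_key user, ref_user: user
    policy = policy_document_for.call(user)
    # An empty policy hash means "no inline policy" for this user.
    next if policy.empty?
    _iam_policy user, policy: "v7-#{user}", policy_document: policy, ref_users: user
  end

  # Cross-account IAM roles. NOTE: every entry in ROLES receives the same trust
  # policy — the Datadog account root, gated by an ExternalId — so this list must
  # only ever contain roles that Datadog is meant to assume. Roles trusted by
  # anyone else need their own loop with their own `aws:` / `external_id:`.
  ROLES.each do |role|
    policy = policy_document_for.call(role)
    _iam_role role, aws: { account_id: DATADOG_ACCOUNT_ID, root: true },
                    external_id: DATADOG_AWS_EXTERNAL_ID
    _iam_policy role, policy: role,
                      policy_document: policy,
                      ref_roles: role
  end

  # Console users that are added to the Administrator groups below.
  # SECURITY: the initial console password is the username itself, and it is
  # embedded in plaintext in the rendered template / stack. `reset_required:
  # true` at least makes that predictable password single-use (administrators
  # can change their own password). The proper fix is a NoEcho parameter or
  # creating the login profile out of band. Nothing in this block configures MFA;
  # if these are meant to be MFA-only users, that must come from the managed
  # policies in ADMIN_GROUPS — confirm.
  ADMIN_USERS.each do |user|
    _iam_user user, login_profile: { password: user, reset_required: true }
    # Long-lived access keys for every administrator: review whether each one
    # actually needs programmatic access in addition to the console.
    _iam_access_key user, ref_user: user
  end

  # Administrator groups; all ADMIN_USERS are members of every group listed.
  ADMIN_GROUPS.each do |group, prop|
    _iam_group group, managed_policies: prop[:managed_policies]
    _iam_user_to_group_addition group, ref_group: "#{group} group",
                                       ref_users: ADMIN_USERS.map { |user| "#{user} user" }
  end

  # Console users that are added to the ReadOnly groups below. Same
  # username-as-password caveat as the admins. `reset_required: false` is left
  # as-is on purpose: unless the group's managed policies grant
  # iam:ChangePassword, a forced reset would lock these users out at first
  # login — confirm before flipping it, and rotate these passwords out of band.
  READONLY_USERS.each do |user|
    _iam_user user, login_profile: { password: user, reset_required: false }
    _iam_access_key user, ref_user: user
  end

  # ReadOnly groups. READONLY_GROPUS (sic) is the constant's name in meta.rb;
  # renaming it has to happen there and in Outputs together.
  READONLY_GROPUS.each do |group, prop|
    _iam_group group, managed_policies: prop[:managed_policies]
    _iam_user_to_group_addition group, ref_group: "#{group} group",
                                       ref_users: READONLY_USERS.map { |user| "#{user} user" }
  end

  # S3 buckets, properties taken verbatim from BUCKETS in meta.rb.
  BUCKETS.each do |bucket, value|
    _s3_bucket bucket, value
  end

  # Shared EC2 instance profile: one role trusted by the EC2 service, with the
  # EC2_INFRA_EC2_POLICY document attached as policy 'infra'. Not routed through
  # policy_document_for because the constant does not follow the *_POLICY pattern.
  _iam_role 'ec2 infra', service: "ec2"
  _iam_policy 'ec2 infra', policy: 'infra',
                           policy_document: EC2_INFRA_EC2_POLICY,
                           ref_roles: 'ec2 infra'
  _iam_instance_profile "ec2 infra", ref_roles: 'ec2 infra'
end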
Outputs do
  # Export the created IAM principals and buckets so other stacks and tooling
  # can reference them.
  all_users = USERS + ADMIN_USERS + READONLY_USERS
  all_users.each do |name|
    _output_name "#{name} user"
    # NOTE(review): if this helper emits anything beyond the access key ID
    # (i.e. the secret), it lands in plaintext in the stack outputs — check aws.rb.
    _output_access_key "#{name} access key"
  end

  all_groups = ADMIN_GROUPS.merge(READONLY_GROPUS)
  all_groups.each_key { |group| _output_name "#{group} group" }

  ROLES.each { |role| _output_iam_role role }

  BUCKETS.each { |bucket, _| _output_s3 bucket }

  _output_iam_instance_profile 'ec2 infra'
end