@aurelijusbanelis
Last active November 28, 2019 09:29
AWS Automation without root example
automation-cf.yaml (the template the script below deploys):

Description: |
  Example to automate infrastructure changes without Root
  Used as a demo during talk "How AWS handles security" at ŠiauliaiPHP v17
Parameters:
  # Parameters for deployed version
  BuildPath:
    Type: String
    Description: "Something that differs between deployments"
Resources:
  # Place for resources using BuildPath
  MyFunction:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        ZipFile: |
          import json, os
          def handler(event, context):
              print("Event: %s" % json.dumps(event))
              print("BuildPath: %s" % os.getenv('BUILD_PATH'))
      Handler: "index.handler"
      Role:
        "Fn::GetAtt": [MyFunctionRole, Arn]
      Runtime: "python3.7"
      Environment:
        Variables:
          BUILD_PATH:
            Ref: BuildPath
  MyFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
  # Deployment configuration
  # The deployer may only *propose* a change set on this one stack. It has no
  # cloudformation:ExecuteChangeSet, so every proposed change still has to be
  # reviewed and executed by a more privileged principal. Note that this
  # template also defines DeployerUser itself, so a proposed change set can
  # contain a wider policy for the deployer; the reviewer must check for that.
  DeployerUser:
    Type: AWS::IAM::User
    Properties:
      Policies:
        - PolicyName: AllowToDeployNewVersion
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "cloudformation:CreateChangeSet"
                Resource:
                  "Fn::Sub": "arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/*"
  DeployerLogins:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName:
        Ref: DeployerUser
# Demo convenience only: stack outputs are readable by anyone allowed to call
# cloudformation:DescribeStacks, so the secret key is not confidential here.
Outputs:
  AccessKeyId:
    Description: "AWS_ACCESS_KEY_ID environment variable"
    Value:
      Ref: DeployerLogins
  SecretAccessKey:
    Description: "AWS_SECRET_ACCESS_KEY environment variable"
    Value:
      "Fn::GetAtt": [DeployerLogins, SecretAccessKey]
#!/bin/bash
# Propose a new deployment as the restricted DeployerUser. This user can only
# create a change set on the stack; executing it is left to a privileged operator.
set -euo pipefail

export AWS_ACCESS_KEY_ID="AAAAAAAAAAAAAAAAAAAAA"                # Change here from output of a stack
export AWS_SECRET_ACCESS_KEY="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"  # Change here from output of a stack
export AWS_DEFAULT_REGION="eu-west-1"

# Sanity check: this must print the DeployerUser ARN, not root or your own user
aws sts get-caller-identity

# A change set name may only contain letters, digits and hyphens, so the ':' and '+'
# from the ISO-8601 timestamp are replaced with '-'
DATE=$(date --iso-8601=seconds | tr ':' '-' | tr '+' '-')

aws cloudformation create-change-set \
  --stack-name siauliaiphp-automation \
  --template-body "file://automation-cf.yaml" \
  --parameters "ParameterKey=BuildPath,ParameterValue=/custom/$DATE" \
  --change-set-name "siauliai-test-$DATE" \
  --capabilities CAPABILITY_IAM
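The template grants the deployer nothing but cloudformation:CreateChangeSet, so the other half of "automation without root" is the privileged operator who reviews and executes what was proposed. Because the same template defines DeployerUser, a change set can quietly widen the deployer's own policy, and "parameter-only" redeploys can hide resource replacement or deletion. The following reviewer-side gate is an added example (not part of the gist): it takes the JSON printed by `aws cloudformation describe-change-set` on stdin and refuses anything that touches an `AWS::IAM::` resource, removes a resource, or forces replacement. The SENSITIVE_PREFIXES list, the `review_*` function names and the two sample responses are this example's own constructions; the response field names (`Status`, `Changes`, `ResourceChange`, `Action`, `Replacement`) are those of the DescribeChangeSet API.

```python
"""Reviewer-side gate for change sets proposed by the restricted DeployerUser.

Added example, not code from the original gist. Feed it the output of
`aws cloudformation describe-change-set`; it exits 0 only when the change
set is safe to execute unattended. The sample responses are constructed.
"""
import json
import sys

# Resource types the restricted deployer must never change without a human
# looking. An assumption of this example; extend to e.g. "AWS::KMS::" as needed.
SENSITIVE_PREFIXES = ("AWS::IAM::",)


def review_changes(changes):
    """Return (ok, findings) for the `Changes` list of a DescribeChangeSet response.

    A change set is acceptable for unattended execution only when every change
    is an Add or Modify of a non-sensitive resource that is not replaced.
    Everything else is reported in `findings`.
    """
    findings = []
    for change in changes:
        if change.get("Type") != "Resource":
            findings.append("non-resource change: %s" % json.dumps(change))
            continue
        rc = change["ResourceChange"]
        rtype = rc.get("ResourceType", "")
        lid = rc.get("LogicalResourceId", "?")
        action = rc.get("Action")
        if rtype.startswith(SENSITIVE_PREFIXES):
            findings.append("%s (%s): touches IAM, action=%s" % (lid, rtype, action))
        if action == "Remove":
            findings.append("%s (%s): would be deleted" % (lid, rtype))
        # The API reports Replacement as the strings "True", "False" or "Conditional"
        if rc.get("Replacement") in ("True", "Conditional"):
            findings.append("%s (%s): would be replaced (Replacement=%s)"
                            % (lid, rtype, rc["Replacement"]))
    return (not findings, findings)


def review_describe_output(response):
    """Gate a whole describe-change-set response: the change set must have been
    created successfully, and its changes must pass review_changes()."""
    if response.get("Status") != "CREATE_COMPLETE":
        return (False, ["change set status is %s: %s"
                        % (response.get("Status"), response.get("StatusReason", ""))])
    return review_changes(response.get("Changes", []))


# Constructed sample 1: the honest BuildPath redeploy. Only the Lambda's
# environment changes and the function is updated in place.
SAMPLE_BENIGN = {
    "Status": "CREATE_COMPLETE",
    "ChangeSetName": "siauliai-test-2019-11-28T09-29-00-02-00",
    "Changes": [
        {"Type": "Resource", "ResourceChange": {
            "Action": "Modify", "LogicalResourceId": "MyFunction",
            "ResourceType": "AWS::Lambda::Function", "Replacement": "False",
            "Scope": ["Properties"],
            "Details": [{"Target": {"Attribute": "Properties", "Name": "Environment",
                                    "RequiresRecreation": "Never"}}]}},
    ],
}

# Constructed sample 2: the same redeploy, plus an edit to DeployerUser's own
# Policies block smuggled into the template. Looks like a routine deploy unless
# the reviewer checks resource types.
SAMPLE_ESCALATION = {
    "Status": "CREATE_COMPLETE",
    "ChangeSetName": "siauliai-test-escalate",
    "Changes": SAMPLE_BENIGN["Changes"] + [
        {"Type": "Resource", "ResourceChange": {
            "Action": "Modify", "LogicalResourceId": "DeployerUser",
            "ResourceType": "AWS::IAM::User", "Replacement": "False",
            "Scope": ["Properties"],
            "Details": [{"Target": {"Attribute": "Properties", "Name": "Policies",
                                    "RequiresRecreation": "Never"}}]}},
    ],
}


if __name__ == "__main__":
    # aws cloudformation describe-change-set --stack-name siauliaiphp-automation \
    #     --change-set-name "siauliai-test-..." | python review_change_set.py
    # With no piped input the escalation sample is reviewed instead.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_ESCALATION
    ok, findings = review_describe_output(data)
    for finding in findings:
        print("FINDING:", finding)
    print("verdict:", "safe to execute" if ok else "needs manual review")
    sys.exit(0 if ok else 1)
```

Run it as the privileged operator, never as the deployer (whose policy has no DescribeChangeSet or ExecuteChangeSet), and only call `aws cloudformation execute-change-set` when it exits 0; a non-zero exit means a human reads the change set before anything is applied.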