AWS workshop - account preparation scripts
# Settings pulled into the Makefile via `include .env`. Both values are plaintext
# and committed with this gist, so anyone who can read the gist has them.
# PASSWORD is forwarded as the Password stack parameter by create-stack/update-stack;
# PROFILE names the AWS CLI profile every `aws` call runs under (it overrides the
# Makefile's `PROFILE?= default`).
# NOTE(review): the trailing "!" is outside the template's Password
# AllowedPattern "[a-zA-Z0-9]*", so CloudFormation is expected to reject it — confirm.
PASSWORD=ContainersImmersionDay!
PROFILE=workshop1
{ | |
"AWSTemplateFormatVersion": "2010-09-09", | |
"Description": "This template creates a cross account role with admin access.", | |
"Outputs": { | |
"RoleARN": { | |
"Description": "The ARN of the role that can be assumed by the other account.", | |
"Value": { | |
"Fn::GetAtt": [ | |
"CrossAccountRole", | |
"Arn" | |
] | |
} | |
} | |
}, | |
"Parameters": { | |
"OtherAccountNumber": { | |
"AllowedPattern": "[0-9]+", | |
"Description": "The 12 digit AWS account number to grant access to.", | |
"Default": "398142600061", | |
"MaxLength": "12", | |
"MinLength": "12", | |
"Type": "String" | |
} | |
}, | |
"Resources": { | |
"CrossAccountRole": { | |
"Properties": { | |
"RoleName": "CrossAccountRole", | |
"AssumeRolePolicyDocument": { | |
"Statement": [ | |
{ | |
"Action": "sts:AssumeRole", | |
"Effect": "Allow", | |
"Principal": { | |
"AWS": { | |
"Fn::Join": [ | |
"", | |
[ | |
"arn:aws:iam::", | |
{ | |
"Ref": "OtherAccountNumber" | |
}, | |
":root" | |
] | |
] | |
} | |
}, | |
"Sid": "" | |
} | |
], | |
"Version": "2012-10-17" | |
}, | |
"Path": "/", | |
"Policies": [ | |
{ | |
"PolicyDocument": { | |
"Statement": [ | |
{ | |
"Action": "*", | |
"Effect": "Allow", | |
"Resource": "*", | |
"Sid": "Stmt1434989080227" | |
} | |
], | |
"Version": "2012-10-17" | |
}, | |
"PolicyName": "All-access" | |
} | |
] | |
}, | |
"Type": "AWS::IAM::Role" | |
} | |
} | |
} |
{ | |
"AWSTemplateFormatVersion" : "2010-09-09", | |
"Description" : "Wild Rydes Workshop Prep", | |
"Parameters" : { | |
"Password": { | |
"NoEcho": "true", | |
"Type": "String", | |
"Description" : "Console password for the new IAM user", | |
"MinLength": "1", | |
"MaxLength": "41", | |
"AllowedPattern" : "[a-zA-Z0-9]*", | |
"ConstraintDescription" : "must contain only alphanumeric characters." | |
} | |
}, | |
"Resources" : { | |
"CFNUser" : { | |
"Type" : "AWS::IAM::User", | |
"Properties" : { | |
"LoginProfile": { | |
"Password": { "Ref" : "Password" } | |
} | |
} | |
}, | |
"CFNCodeStarServiceRole": { | |
"Type": "AWS::IAM::Role", | |
"Properties": { | |
"RoleName":"aws-codestar-service-role", | |
"AssumeRolePolicyDocument": { | |
"Statement": [ | |
{ | |
"Effect": "Allow", | |
"Principal": { | |
"Service": [ "codestar.amazonaws.com" ] | |
}, | |
"Action": [ "sts:AssumeRole" ] | |
} | |
] | |
}, | |
"Path": "/service-role/", | |
"ManagedPolicyArns": [ | |
"arn:aws:iam::aws:policy/service-role/AWSCodeStarServiceRole" | |
] | |
} | |
}, | |
"CFNUserGroup" : { | |
"Type" : "AWS::IAM::Group", | |
"Properties": { | |
"ManagedPolicyArns": [ | |
"arn:aws:iam::aws:policy/job-function/ViewOnlyAccess", | |
"arn:aws:iam::aws:policy/AWSCodeCommitFullAccess", | |
"arn:aws:iam::aws:policy/IAMSelfManageServiceSpecificCredentials", | |
"arn:aws:iam::aws:policy/AWSCloud9User" | |
] | |
} | |
}, | |
"Users" : { | |
"Type" : "AWS::IAM::UserToGroupAddition", | |
"Properties" : { | |
"GroupName": { "Ref" : "CFNUserGroup" }, | |
"Users" : [ { "Ref" : "CFNUser" } ] | |
} | |
}, | |
"CFNCodeStarFullAccessPolicies" : { | |
"Type" : "AWS::IAM::Policy", | |
"Properties" : { | |
"PolicyName" : "CFNCodeStarFullAccess", | |
"PolicyDocument" : { | |
"Version": "2012-10-17", | |
"Statement": [ | |
{ | |
"Sid": "CodeStarEC2", | |
"Effect": "Allow", | |
"Action": [ | |
"codestar:*", | |
"ec2:DescribeKeyPairs", | |
"ec2:DescribeVpcs", | |
"ec2:DescribeSubnets" | |
], | |
"Resource": "*" | |
}, | |
{ | |
"Sid": "CodeStarCF", | |
"Effect": "Allow", | |
"Action": [ | |
"cloudformation:DescribeStack*", | |
"cloudformation:GetTemplateSummary" | |
], | |
"Resource": [ | |
"arn:aws:cloudformation:*:*:stack/awscodestar-*" | |
] | |
} | |
] | |
}, | |
"Groups" : [{ "Ref" : "CFNUserGroup" }] | |
} | |
}, | |
"CFNUserPolicies" : { | |
"Type" : "AWS::IAM::Policy", | |
"Properties" : { | |
"PolicyName" : "CFNUsers", | |
"PolicyDocument" : { | |
"Statement": [{ | |
"Effect" : "Allow", | |
"Action" : [ | |
"apigateway:*", | |
"athena:*", | |
"budgets:*", | |
"cloudformation:*", | |
"cloudfront:*", | |
"cloudtrail:*", | |
"cloudwatch:*", | |
"cloud9:*", | |
"codebuild:*", | |
"codecommit:*", | |
"codedeploy:*", | |
"codepipeline:*", | |
"codestar:*", | |
"cur:describe*", | |
"cognito-identity:*", | |
"cognito-idp:*", | |
"deploy:*", | |
"dynamodb:*", | |
"glue:*", | |
"health:*", | |
"kinesis:*", | |
"kinesisanalytics:*", | |
"lambda:*", | |
"logs:*", | |
"mobile:*", | |
"rekognition:*", | |
"route53:*", | |
"sns:*", | |
"sqs:*", | |
"xray:*", | |
"s3:*", | |
"iam:CreateRole", | |
"iam:PutRolePolicy", | |
"iam:PassRole", | |
"iam:AttachRolePolicy", | |
"iam:Get*", | |
"states:*" | |
], | |
"Resource" : "*" | |
}] | |
}, | |
"Groups" : [{ "Ref" : "CFNUserGroup" }] | |
} | |
}, | |
"CFNKeys" : { | |
"Type" : "AWS::IAM::AccessKey", | |
"Properties" : { | |
"UserName" : { "Ref": "CFNUser" } | |
} | |
} | |
}, | |
"Outputs" : { | |
"AccessKey" : { | |
"Value" : { "Ref" : "CFNKeys" }, | |
"Description" : "AWSAccessKeyId of new user" | |
}, | |
"SecretKey" : { | |
"Value" : { "Fn::GetAtt" : ["CFNKeys", "SecretAccessKey"]}, | |
"Description" : "AWSSecretKey of new user" | |
}, | |
"UserName" : { | |
"Value" : { "Ref" : "CFNUser" }, | |
"Description" : "AWSUserName of new user" | |
} | |
} | |
} |
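# Deploys iam.template as a CloudFormation stack. Credentials and the CLI profile
# come from .env (included below); every variable uses ?= so an environment or
# command-line value takes precedence over the default written here.
SHELL := /bin/bash
# `include` rather than `-include`: a missing .env aborts make instead of
# deploying with an empty PASSWORD. .env is a committed plaintext secret.
include .env
STACK_NAME?=ContainersImmersionDay-DoNotDelete
# Drops everything up to the last ":" before ".git" in the origin URL, i.e. the
# "owner/repo" part of an scp-style remote. NOTE(review): an https remote keeps a
# leading "//host/" — confirm if this value is ever used for more than `info`.
GIT_FQDN?= $(shell git config --get remote.origin.url | sed 's@\(.*\):\(.*\).git@\2@g')
GIT_REF_NAME?= $(shell git rev-parse --abbrev-ref HEAD | tr '/' '-' )
# First 8 hex digits of HEAD. rev-parse prints the bare id, whereas parsing the
# first line of `git log -1` breaks as soon as format.pretty changes the layout.
GIT_REF_SHORT?= $(shell git rev-parse HEAD | head -c 8)
# Change-set names must be unique per stack; branch + short sha gives that.
CFN_CHANGE_SET?= $(GIT_REF_NAME)-$(GIT_REF_SHORT)
PROFILE?= default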
# Lists every target whose rule line carries a "## description" suffix.
help: ## prints help
	@grep -h -e "^[a-zA-Z_\-]*: *.*## *" $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf " > \033[36m%-20s\033[0m %s\n", $$1, $$2}'
# Prints the effective value of each variable the stack targets depend on.
# PASSWORD is deliberately not part of this list.
info: ## env info
	@$(foreach v,CFN_CHANGE_SET GIT_FQDN GIT_REF_NAME GIT_REF_SHORT STACK_NAME PROFILE,echo $(v) = $($(v));)
# Syntax/schema check of the template only; it does not validate parameter values.
validate-stack: ## cfn validate template
	aws cloudformation validate-template --profile $(PROFILE) --template-body file://./iam.template
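# Creates the stack with PASSWORD from .env as the Password parameter.
# The recipe is prefixed with @ so make does not echo the password into the
# terminal or CI log; the value is still visible to the process listing while
# the aws command runs. The parameter value is single-quoted so characters such
# as "!" or spaces reach CloudFormation intact instead of being split by bash.
# Presumably iam.template is the user/key template in this gist; if so, the new
# user's access key and secret are published in the stack Outputs.
# NOTE(review): that template's AllowedPattern "[a-zA-Z0-9]*" rejects the "!"
# in the committed PASSWORD — confirm the value before running.
create-stack: ## cfn create stack
	@aws cloudformation create-stack --stack-name $(STACK_NAME) --profile $(PROFILE) --capabilities CAPABILITY_NAMED_IAM --template-body file://./iam.template --parameters=ParameterKey=Password,ParameterValue='$(PASSWORD)'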
# Tears the stack down; every resource it created (including the IAM user and
# access key, if iam.template is the template in this gist) is removed with it.
delete-stack: ## cfn delete stack
	aws cloudformation delete-stack --profile $(PROFILE) --stack-name $(STACK_NAME)
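# Applies the current template through a change set named after the git ref.
# `wait change-set-create-complete` replaces the fixed `sleep 10`: it polls until
# the change set is ready and fails (stopping the recipe) when creation fails,
# e.g. when there are no changes, instead of racing execute-change-set against
# an unfinished or failed change set. describe-change-set prints the planned
# changes to the log; execution follows immediately, without a confirmation step.
# The create line is @-prefixed and the password single-quoted for the same
# reasons as in create-stack.
update-stack: ## update cfn template
	@aws cloudformation create-change-set --change-set-name $(CFN_CHANGE_SET) --stack-name $(STACK_NAME) --capabilities CAPABILITY_NAMED_IAM --template-body file://./iam.template --parameters=ParameterKey=Password,ParameterValue='$(PASSWORD)' --profile $(PROFILE)
	aws cloudformation wait change-set-create-complete --change-set-name $(CFN_CHANGE_SET) --stack-name $(STACK_NAME) --profile $(PROFILE)
	aws cloudformation describe-change-set --change-set-name $(CFN_CHANGE_SET) --stack-name $(STACK_NAME) --profile $(PROFILE)
	aws cloudformation execute-change-set --change-set-name $(CFN_CHANGE_SET) --stack-name $(STACK_NAME) --profile $(PROFILE)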
# Dumps the stack description, Outputs included. If iam.template is the template
# in this gist, those Outputs carry the new user's AccessKey and SecretKey, so
# anyone allowed cloudformation:DescribeStacks on this stack can read the secret.
output-stack: ## cfn output
	aws cloudformation describe-stacks --profile $(PROFILE) --stack-name $(STACK_NAME)