Document deployment requirements, especially around security

[lyricnz]

• what permissions the Revolver lambda needs directly
• what permissions is needed in each target-account
  • include sample IAC for the Role, and binding that Role to the source account
• requirements around memory, maximum runtime, node runtime selection, etc
• other

[simon-anz]

Current AWS-client commands used by the code, which in turn will require IAM permissions:

egrep -R '^import.*Command[, ]' actions lib drivers | sort

drivers/ec2.ts

• autoscaling.ResumeProcessesCommand
• autoscaling.SuspendProcessesCommand
• ec2.CreateVolumeCommandOutput Fixed in https://github.com/Innablr/revolver/pull/103
• ec2.StartInstancesCommand
• ec2.StopInstancesCommand

drivers/rdsCluster.ts

• rds.DescribeDBClustersCommand
• rds.DescribeDBInstancesCommand
• rds.StartDBClusterCommand
• rds.StopDBClusterCommand

drivers/rdsInstance.ts

• rds.DescribeDBInstancesCommand
• rds.ListTagsForResourceCommand
• rds.StartDBInstanceCommand
• rds.StopDBInstanceCommand

drivers/redshiftCluster.ts

• redshift.CreateTagsCommand (in cluster snapshot)
• redshift.CreateTagsCommand (in cluster)
• redshift.DeleteClusterCommand
• redshift.DeleteTagsCommand
• redshift.DescribeClustersCommand

drivers/redshiftClusterSnapshot.ts

• redshift.CreateTagsCommand
• redshift.DeleteClusterSnapshotCommand
• redshift.DeleteTagsCommand
• redshift.DescribeClustersCommand
• redshift.DescribeClusterSnapshotsCommand
• redshift.DescribeTagsCommand

drivers/tags.ts

• ec2.CreateTagsCommand
• ec2.DeleteTagsCommand
• rds.AddTagsToResourceCommand
• rds.RemoveTagsFromResourceCommand

lib/config.ts

• s3.GetObjectCommand

[simon-anz]

Plus:

• ec2.paginateDescribeAutoScalingGroups
• ec2.paginateDescribeInstances
• ec2.paginateDescribeSnapshots
• ec2.paginateDescribeVolumes
• organizations.paginateListAccounts

[simon-anz]

Implemented with:

  managed_policy_arns = [
    "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole",
    "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
    "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
    "arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess",
  ]

(could make do with less - see above), plus

  policy_statements = [
    {
      Action = [
        "autoscaling:ResumeProcesses",
        "autoscaling:SuspendProcesses",
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "rds:AddTagsToResource",
        "rds:RemoveTagsFromResource",
        "rds:StartDBCluster",
        "rds:StartDBInstance",
        "rds:StopDBCluster",
        "rds:StopDBInstance",
      ]
      Effect   = "Allow"
      Resource = "*"
    },
  ]

[lyricnz]

TODO: redshift

[alutman-innablr]

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RevolverPermissionsRDS",
      "Effect": "Allow",
      "Action": [
        "rds:ListTagsForResource",
        "rds:AddTagsToResource",
        "rds:RemoveTagsFromResource",
        "rds:DescribeDBInstances",
        "rds:DescribeDBClusters",
        "rds:StartDBInstance",
        "rds:StopDBInstance",
        "rds:StartDBCluster",
        "rds:StopDBCluster"
      ],
      "Resource": "*"
    },
    {
      "Sid": "RevolverPermissionsEC2",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeTags",
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ec2:DescribeInstances",
        "ec2:DescribeSnapshots",
        "ec2:DescribeVolumes",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:ResumeProcesses",
        "autoscaling:SuspendProcesses"
      ],
      "Resource": "*"
    },
    {
      "Sid": "RevolverPermissionsRedshift",
      "Effect": "Allow",
      "Action": [
        "redshift:DescribeTags",
        "redshift:CreateTags",
        "redshift:DeleteTags",
        "redshift:DescribeClusters",
        "redshift:DescribeClusterSnapshots",
        "redshift:DeleteCluster",
        "redshift:DeleteClusterSnapshot"
      ],
      "Resource": "*"
    }
  ]
}