awslabs / aws-iam-generator

Generate Multi-Account IAM users/groups/roles/policies from a simple YAML configuration file and Jinja2 templates.
Apache License 2.0

Handling of "DependsOn" statement #18

Open dtvo2005 opened 5 years ago

dtvo2005 commented 5 years ago

Does this script handle the "DependsOn" statement? I am trying to create a template for a kmsSecurity policy but keep getting the "Template validation error: Template format error: Unresolved resource dependencies [kmsSecurityKey] in the Resources block of the template" error.

apmclean commented 5 years ago

CloudFormation normally does a good job handling these dependencies. Can you paste the relevant sections of the config.yaml and template to reproduce?

dtvo2005 commented 5 years ago

Sure, please see below:

global:
  names:
    policies: True
    roles: True
    users: False
    groups: False
  template_outputs: True

accounts:
  Test-master:
    id: 111111111111
    parent: true
    saml_provider: ssoprod
  Test-infosec:
    id: 222222222222

policies:
  Test_flowlogs1:
    description: Test flowlogs
    policy_file: Test_flowlogs1.j2
  Test_splunkP1:
    description: Test splunkP
    policy_file: Test_splunkP1.j2
  kmsStorage:
    description: KMS Storage
    policy_file: kmsStorage.j2

Template:

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Build 2019-01-07Z21:21:14 - IAM Users, Groups, Roles, and Policies for account Test-infosec (222222222222)",
  "Outputs": {
    "TemplateBuild": {
      "Description": "CloudFormation Template Build Number",
      "Export": { "Name": { "Fn::Sub": "${AWS::StackName}-TemplateBuild" } },
      "Value": "2019-01-07Z21:21:14"
    }
  },
  "Resources": {
    "kmsStorage": {
      "Properties": {
        "Description": "KMS Storage",
        "Groups": [],
        "ManagedPolicyName": "kmsStorage",
        "PolicyDocument": {
          "kmsStorageKey": {
            "Properties": {
              "Description": "kms for storage",
              "EnableKeyRotation": "true",
              "KeyPolicy": {
                "Id": "key-storage-1",
                "Statement": [
                  {
                    "Action": "kms:*",
                    "Effect": "Allow",
                    "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:aws:iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } },
                    "Resource": "*",
                    "Sid": "Enable IAM User Permissions"
                  },
                  {
                    "Action": [ "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion" ],
                    "Effect": "Allow",
                    "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:aws:iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } },
                    "Resource": "*",
                    "Sid": "Allow access for Key Administrators"
                  },
                  {
                    "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ],
                    "Effect": "Allow",
                    "Principal": { "AWS": [ { "Fn::Join": [ "", [ "arn:aws:iam::", { "Ref": "AWS::AccountId" }, ":role/Test-sa-splunkP" ] ] }, { "Fn::Join": [ "", [ "arn:aws:iam::", { "Ref": "AWS::AccountId" }, ":role/Test-flowLogs" ] ] } ] },
                    "Resource": "*",
                    "Sid": "Allow use of the key"
                  },
                  {
                    "Action": [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ],
                    "Condition": { "Bool": { "kms:GrantIsForAWSResource": "true" } },
                    "Effect": "Allow",
                    "Principal": { "AWS": [ { "Fn::Join": [ "", [ "arn:aws:iam::", { "Ref": "AWS::AccountId" }, ":role/Test-sa-splunkP" ] ] }, { "Fn::Join": [ "", [ "arn:aws:iam::", { "Ref": "AWS::AccountId" }, ":role/Test-flowLogs" ] ] } ] },
                    "Resource": "*",
                    "Sid": "Allow attachment of persistent resources"
                  }
                ],
                "Version": "2012-10-17"
              }
            },
            "Type": "AWS::KMS::Key"
          },
          "kmsStorageKeyAlias": {
            "Properties": { "AliasName": "alias/kmsStorage", "TargetKeyId": { "Ref": "kmsStorageKey" } },
            "Type": "AWS::KMS::Alias"
          }
        },
        "Roles": [],
        "Users": []
      },
      "Type": "AWS::IAM::ManagedPolicy"
    },
    "Testflowlogs1": {
      "Properties": {
        "Description": "Test flowlogs",
        "Groups": [],
        "ManagedPolicyName": "Test_flowlogs1",
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogGroups", "logs:DescribeLogStreams" ],
              "Effect": "Allow",
              "Resource": "*",
              "Sid": "20180606mjhFlowLogsAccess"
            }
          ],
          "Version": "2012-10-17"
        },
        "Roles": [],
        "Users": []
      },
      "Type": "AWS::IAM::ManagedPolicy"
    },
    "TestsplunkP1": {
      "Properties": {
        "Description": "Test splunkP",
        "Groups": [],
        "ManagedPolicyName": "Test_splunkP1",
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [ "autoscaling:Describe*", "cloudfront:ListDistributions", "cloudtrail:Describe*", "cloudtrail:Get*", "cloudtrail:List*", "cloudtrail:Lookup*", "cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*", "config:DeliverConfigSnapshot", "config:DescribeConfigRules", "config:DescribeConfigRuleEvaluationStatus", "config:GetComplianceDetailsByConfigRule", "config:GetComplianceSummaryByConfigRule", "ec2:DescribeAddresses", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeKeyPairs", "ec2:DescribeNetworkAcls", "ec2:DescribeRegions", "ec2:DescribeReservedInstances", "ec2:DescribeSecurityGroups", "ec2:DescribeSnapshots", "ec2:DescribeSubnets", "ec2:DescribeVolumes", "ec2:DescribeVpcs", "elasticloadbalancing:DescribeInstanceHealth", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTags", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", "iam:GetAccountPasswordPolicy", "iam:GetAccessKeyLastUsed", "iam:GetUser", "iam:ListAccessKeys", "iam:ListUsers", "inspector:Describe*", "inspector:List*", "lambda:ListFunctions", "kinesis:DescribeStream", "kinesis:Get*", "kinesis:ListStreams", "kms:Decrypt", "lambda:ListFunctions", "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:GetLogEvents", "s3:HeadBucket", "s3:GetAccelerateConfiguration", "s3:GetBucketCORS", "s3:GetBucketLocation", "s3:GetBucketLogging", "s3:GetBucketTagging", "s3:GetLifecycleConfiguration", "s3:GetObject", "s3:ListAllMyBuckets", "s3:ListBucket", "sns:Get*", "sns:List*", "sns:Publish", "sqs:DeleteMessage", "sqs:GetQueueAttributes", "sqs:GetQueueUrl", "sqs:ListQueues", "sqs:ReceiveMessage", "sqs:SendMessage" ],
              "Effect": "Allow",
              "Resource": "*",
              "Sid": "20180628mjhAccessForSplunk"
            }
          ],
          "Version": "2012-10-17"
        },
        "Roles": [],
        "Users": []
      },
      "Type": "AWS::IAM::ManagedPolicy"
    }
  }
}

Thank you in advance for all your help.

apmclean commented 5 years ago

The template you attached doesn't appear to be generated entirely by iam_generator. Is it modified? We have no mechanics for creating KMS keys etc. The contents of /policies/ (e.g. kmsStorage.j2) should be IAM policies, not general CloudFormation snippets.

The problem is coming up because you've got:

              "TargetKeyId": {
                "Ref": "kmsStorageKey"
              }

However, there is nothing called kmsStorageKey in the template's Resources section: the kmsStorageKey object is nested inside the ManagedPolicy's PolicyDocument rather than declared as a top-level resource, so the Ref cannot resolve it.

This particular GitHub project is aimed at managing IAM resources versus doing anything with KMS policies, aliases etc.

dtvo2005 commented 5 years ago

That makes sense. I will revisit the policy itself and see.