add permissions for setup lambda

part of #23
mantil-io · Nov 11, 2021 · 966ad27 · 966ad27
1 parent 51d4968
commit 966ad27
Show file tree

Hide file tree

Showing 7 changed files with 239 additions and 52 deletions.
diff --git a/aws/iam.go b/aws/iam.go
@@ -2,6 +2,7 @@ package aws
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"strings"
 	"time"
@@ -32,6 +33,18 @@ func (a *AWS) Role(name string) (string, error) {
 	return "", err
 }
 
+func (a *AWS) RoleExists(name string) (bool, error) {
+	_, err := a.Role(name)
+	if err == nil {
+		return true, nil
+	}
+	var rne *RoleNotExistsError
+	if errors.As(err, &rne) {
+		return false, nil
+	}
+	return false, err
+}
+
 func (a *AWS) CreateRole(name, assumeRolePolicy, policy string) (string, error) {
 	cri := &iam.CreateRoleInput{
 		RoleName:                 aws.String(name),

diff --git a/cli/controller/setup.go b/cli/controller/setup.go
@@ -21,6 +21,7 @@ var setupStackTemplate string
 
 const (
 	stackResourceCount = 4
+	APIGatewayLogsRole = "APIGatewayPushToCloudWatchLogsRole"
 )
 
 type Setup struct {
@@ -35,10 +36,12 @@ type Setup struct {
 }
 
 type stackTemplateData struct {
-	Name   string
-	Bucket string
-	S3Key  string
-	Region string
+	Name               string
+	Bucket             string
+	S3Key              string
+	Region             string
+	Suffix             string
+	APIGatewayLogsRole string
 }
 
 func NewSetup(a *SetupArgs) (*Setup, error) {
@@ -86,7 +89,7 @@ func (c *Setup) create(n *domain.Node) error {
 	tmr := timerFn()
 	term.HideCursor()
 	defer term.ShowCursor()
-	if err := c.createSetupStack(n.Functions); err != nil {
+	if err := c.createSetupStack(n.Functions, n.ResourceSuffix()); err != nil {
 		return log.Wrap(err)
 	}
 	stackDuration := tmr()
@@ -98,11 +101,12 @@ func (c *Setup) create(n *domain.Node) error {
 			ExpirePrefix: domain.FunctionsBucketPrefix,
 			ExpireDays:   domain.FunctionsBucketExpireDays,
 		},
-		FunctionsBucket: n.Functions.Bucket,
-		FunctionsPath:   n.Functions.Path,
-		AuthEnv:         n.AuthEnv(),
-		ResourceSuffix:  n.ResourceSuffix(),
-		ResourceTags:    c.resourceTags,
+		FunctionsBucket:    n.Functions.Bucket,
+		FunctionsPath:      n.Functions.Path,
+		AuthEnv:            n.AuthEnv(),
+		ResourceSuffix:     n.ResourceSuffix(),
+		APIGatewayLogsRole: APIGatewayLogsRole,
+		ResourceTags:       c.resourceTags,
 	}
 	rsp := &dto.SetupResponse{}
 	if err := invoke.Lambda(c.aws.Lambda(), c.lambdaName, ui.NodeLogsSink).Do("create", req, rsp); err != nil {
@@ -135,12 +139,14 @@ func (c *Setup) backendExists() (bool, error) {
 	return c.aws.LambdaExists(c.lambdaName)
 }
 
-func (c *Setup) createSetupStack(acf domain.NodeFunctions) error {
+func (c *Setup) createSetupStack(acf domain.NodeFunctions, suffix string) error {
 	td := stackTemplateData{
-		Name:   c.stackName,
-		Bucket: acf.Bucket,
-		S3Key:  fmt.Sprintf("%s/setup.zip", acf.Path),
-		Region: c.aws.Region(),
+		Name:               c.stackName,
+		Bucket:             acf.Bucket,
+		S3Key:              fmt.Sprintf("%s/setup.zip", acf.Path),
+		Region:             c.aws.Region(),
+		Suffix:             suffix,
+		APIGatewayLogsRole: APIGatewayLogsRole,
 	}
 	t, err := c.renderStackTemplate(td)
 	if err != nil {

diff --git a/cli/controller/setup_stack_template.yml b/cli/controller/setup_stack_template.yml
@@ -1,7 +1,7 @@
 AWSTemplateFormatVersion: 2010-09-09
 Resources:
   MantilSetupRole:
-    Type: 'AWS::IAM::Role'
+    Type: AWS::IAM::Role
     Properties:
       RoleName: {{.Name}}
       AssumeRolePolicyDocument:
@@ -10,26 +10,109 @@ Resources:
           - Effect: Allow
             Principal:
               Service: lambda.amazonaws.com
-            Action: 'sts:AssumeRole'
+            Action: sts:AssumeRole
       Policies:
         - PolicyName: {{.Name}}
           PolicyDocument:
             Version: 2012-10-17
             Statement:
               - Effect: Allow
-                Action: '*'
-                Resource: '*'
+                Action:
+                  - apigateway:GET
+                  - apigateway:POST
+                  - apigateway:PATCH
+                  - apigateway:DELETE
+                  - apigateway:PUT
+                  - apigateway:TagResource
+                Resource:
+                  - "*"
+              - Effect: Allow
+                Action:
+                  - s3:GetObject
+                Resource:
+                  - arn:aws:s3:::mantil-releases*/*
+              - Effect: Allow
+                Action:
+                  - lambda:CreateFunction
+                  - lambda:AddPermission
+                  - lambda:ListVersionsByFunction
+                  - lambda:GetFunction
+                  - lambda:GetFunctionCodeSigningConfig
+                  - lambda:GetPolicy
+                  - lambda:DeleteFunction
+                  - lambda:RemovePermission
+                  - lambda:GetLayerVersion
+                Resource:
+                  - arn:aws:lambda:*:*:function:mantil-*-{{.Suffix}}
+                  - arn:aws:lambda:*:*:layer:*:*
+              - Effect: Allow
+                Action:
+                  - iam:GetRole
+                Resource:
+                  - arn:aws:iam::*:role/*
+              - Effect: Allow
+                Action:
+                  - iam:GetRolePolicy
+                  - iam:ListAttachedRolePolicies
+                  - iam:CreateRole
+                  - iam:ListRolePolicies
+                  - iam:PutRolePolicy
+                  - iam:DeleteRolePolicy
+                  - iam:DeleteRole
+                  - iam:ListInstanceProfilesForRole
+                  - iam:TagRole
+                  - iam:PassRole
+                Resource:
+                  - arn:aws:iam::*:role/mantil-*-{{.Suffix}}
+                  - arn:aws:iam::*:role/{{.APIGatewayLogsRole}}
+              - Effect: Allow
+                Action:
+                 - s3:CreateBucket
+                 - s3:PutBucketTagging
+                 - s3:PutLifecycleConfiguration
+                 - s3:DeleteBucket
+                 - s3:ListBucket
+                 - s3:PutObject
+                 - s3:GetObject
+                 - s3:DeleteObject
+                 - s3:DeleteObjectVersion
+                Resource:
+                  - arn:aws:s3:::mantil-*-{{.Suffix}}
+                  - arn:aws:s3:::mantil-*-{{.Suffix}}/*
+              - Effect: Allow
+                Action:
+                  - logs:CreateLogStream
+                  - logs:PutLogEvents
+                  - logs:DeleteLogGroup
+                  - logs:ListTagsLogGroup
+                Resource:
+                  - arn:aws:logs:*:*:log-group:*-{{.Suffix}}
+                  - arn:aws:logs:*:*:log-group:*-{{.Suffix}}:log-stream:*
+              - Effect: Allow
+                Action:
+                  - logs:PutResourcePolicy
+                  - logs:DescribeResourcePolicies
+                  - logs:PutRetentionPolicy
+                  - logs:CreateLogGroup
+                  - logs:DescribeLogGroups
+                  - logs:GetLogDelivery
+                  - logs:CreateLogDelivery
+                  - logs:UpdateLogDelivery
+                  - logs:ListLogDeliveries
+                  - logs:DeleteLogDelivery
+                Resource:
+                  - "*"
   MantilSetupLambda:
-    Type: 'AWS::Lambda::Function'
+    Type: AWS::Lambda::Function
     Properties:
       FunctionName: {{.Name}}
       Handler: bootstrap
       Runtime: provided.al2
       Timeout: 900
       MemorySize: 512
-      Architectures: ["arm64"]
+      Architectures: ['arm64']
       Layers:
-        - 'arn:aws:lambda:{{.Region}}:477361877445:layer:terraform-lambda:3'
+        - arn:aws:lambda:{{.Region}}:477361877445:layer:terraform-lambda:3
       Code:
         S3Bucket: {{.Bucket}}
         S3Key: {{.S3Key}}
@@ -40,7 +123,7 @@ Resources:
       - MantilSetupRole
       - MantilSetupLambdaLogGroup
   MantilSetupLambdaLogGroup:
-    Type: 'AWS::Logs::LogGroup'
+    Type: AWS::Logs::LogGroup
     Properties:
       LogGroupName: /aws/lambda/{{.Name}}
       RetentionInDays: 14
diff --git a/cli/controller/setup_test.go b/cli/controller/setup_test.go
@@ -10,10 +10,12 @@ import (
 
 func TestRenderTemplate(t *testing.T) {
 	td := stackTemplateData{
-		Name:   "mantil-setup",
-		Bucket: "bucket",
-		S3Key:  "bucket-key",
-		Region: "region",
+		Name:               "mantil-setup",
+		Bucket:             "bucket",
+		S3Key:              "bucket-key",
+		Region:             "region",
+		Suffix:             "suffix",
+		APIGatewayLogsRole: "logs-role",
 	}
 	s := &Setup{}
 	actual, err := s.renderStackTemplate(td)

diff --git a/cli/controller/testdata/template.yml b/cli/controller/testdata/template.yml
@@ -1,7 +1,7 @@
 AWSTemplateFormatVersion: 2010-09-09
 Resources:
   MantilSetupRole:
-    Type: 'AWS::IAM::Role'
+    Type: AWS::IAM::Role
     Properties:
       RoleName: mantil-setup
       AssumeRolePolicyDocument:
@@ -10,26 +10,109 @@ Resources:
           - Effect: Allow
             Principal:
               Service: lambda.amazonaws.com
-            Action: 'sts:AssumeRole'
+            Action: sts:AssumeRole
       Policies:
         - PolicyName: mantil-setup
           PolicyDocument:
             Version: 2012-10-17
             Statement:
               - Effect: Allow
-                Action: '*'
-                Resource: '*'
+                Action:
+                  - apigateway:GET
+                  - apigateway:POST
+                  - apigateway:PATCH
+                  - apigateway:DELETE
+                  - apigateway:PUT
+                  - apigateway:TagResource
+                Resource:
+                  - "*"
+              - Effect: Allow
+                Action:
+                  - s3:GetObject
+                Resource:
+                  - arn:aws:s3:::mantil-releases*/*
+              - Effect: Allow
+                Action:
+                  - lambda:CreateFunction
+                  - lambda:AddPermission
+                  - lambda:ListVersionsByFunction
+                  - lambda:GetFunction
+                  - lambda:GetFunctionCodeSigningConfig
+                  - lambda:GetPolicy
+                  - lambda:DeleteFunction
+                  - lambda:RemovePermission
+                  - lambda:GetLayerVersion
+                Resource:
+                  - arn:aws:lambda:*:*:function:mantil-*-suffix
+                  - arn:aws:lambda:*:*:layer:*:*
+              - Effect: Allow
+                Action:
+                  - iam:GetRole
+                Resource:
+                  - arn:aws:iam::*:role/*
+              - Effect: Allow
+                Action:
+                  - iam:GetRolePolicy
+                  - iam:ListAttachedRolePolicies
+                  - iam:CreateRole
+                  - iam:ListRolePolicies
+                  - iam:PutRolePolicy
+                  - iam:DeleteRolePolicy
+                  - iam:DeleteRole
+                  - iam:ListInstanceProfilesForRole
+                  - iam:TagRole
+                  - iam:PassRole
+                Resource:
+                  - arn:aws:iam::*:role/mantil-*-suffix
+                  - arn:aws:iam::*:role/logs-role
+              - Effect: Allow
+                Action:
+                 - s3:CreateBucket
+                 - s3:PutBucketTagging
+                 - s3:PutLifecycleConfiguration
+                 - s3:DeleteBucket
+                 - s3:ListBucket
+                 - s3:PutObject
+                 - s3:GetObject
+                 - s3:DeleteObject
+                 - s3:DeleteObjectVersion
+                Resource:
+                  - arn:aws:s3:::mantil-*-suffix
+                  - arn:aws:s3:::mantil-*-suffix/*
+              - Effect: Allow
+                Action:
+                  - logs:CreateLogStream
+                  - logs:PutLogEvents
+                  - logs:DeleteLogGroup
+                  - logs:ListTagsLogGroup
+                Resource:
+                  - arn:aws:logs:*:*:log-group:*-suffix
+                  - arn:aws:logs:*:*:log-group:*-suffix:log-stream:*
+              - Effect: Allow
+                Action:
+                  - logs:PutResourcePolicy
+                  - logs:DescribeResourcePolicies
+                  - logs:PutRetentionPolicy
+                  - logs:CreateLogGroup
+                  - logs:DescribeLogGroups
+                  - logs:GetLogDelivery
+                  - logs:CreateLogDelivery
+                  - logs:UpdateLogDelivery
+                  - logs:ListLogDeliveries
+                  - logs:DeleteLogDelivery
+                Resource:
+                  - "*"
   MantilSetupLambda:
-    Type: 'AWS::Lambda::Function'
+    Type: AWS::Lambda::Function
     Properties:
       FunctionName: mantil-setup
       Handler: bootstrap
       Runtime: provided.al2
       Timeout: 900
       MemorySize: 512
-      Architectures: ["arm64"]
+      Architectures: ['arm64']
       Layers:
-        - 'arn:aws:lambda:region:477361877445:layer:terraform-lambda:3'
+        - arn:aws:lambda:region:477361877445:layer:terraform-lambda:3
       Code:
         S3Bucket: bucket
         S3Key: bucket-key
@@ -40,7 +123,7 @@ Resources:
       - MantilSetupRole
       - MantilSetupLambdaLogGroup
   MantilSetupLambdaLogGroup:
-    Type: 'AWS::Logs::LogGroup'
+    Type: AWS::Logs::LogGroup
     Properties:
       LogGroupName: /aws/lambda/mantil-setup
       RetentionInDays: 14