From 612e0fa4a50e43cd0417768157d7fa5c78fd9094 Mon Sep 17 00:00:00 2001
From: Roohi
Date: Mon, 11 Dec 2023 15:53:56 -0800
Subject: [PATCH] Move to generated folder, test with condition removed for CFCloudwatch
---
 .../docs/restricted-policy-doc-1.json5 | 2 +-
 .../docs/restricted-policy-doc-2.json5 | 7 +-
 .../managedArn-node-inline-policy.json | 4 +-
 aws-iam-policies/restricted-policy-1.json5 | 164 ----------------
 aws-iam-policies/restricted-policy-2.json5 | 182 ------------------
 .../restricted-policy-managedARN-1.json5 | 163 ----------------
 .../restricted-policy-managedARN-2.json5 | 182 ------------------
 main.py | 4 +-
 8 files changed, 6 insertions(+), 702 deletions(-)
 delete mode 100644 aws-iam-policies/restricted-policy-1.json5
 delete mode 100644 aws-iam-policies/restricted-policy-2.json5
 delete mode 100644 aws-iam-policies/restricted-policy-managedARN-1.json5
 delete mode 100644 aws-iam-policies/restricted-policy-managedARN-2.json5
diff --git a/aws-iam-policies/docs/restricted-policy-doc-1.json5 b/aws-iam-policies/docs/restricted-policy-doc-1.json5
index 26d2afc..8abcc87 100644
--- a/aws-iam-policies/docs/restricted-policy-doc-1.json5
+++ b/aws-iam-policies/docs/restricted-policy-doc-1.json5
@@ -3,7 +3,7 @@
 "Statement": [
 {
 "Sid": "ResourceTag",
- // Control access to AWS serviceresources based on
+ // Control access to AWS service resources based on
 // resource tags using ResourceTag/key-name
 // condition key to allow access to resource or not
 // based on resource tagging
diff --git a/aws-iam-policies/docs/restricted-policy-doc-2.json5 b/aws-iam-policies/docs/restricted-policy-doc-2.json5
index e2a0e0f..0c193b8 100644
--- a/aws-iam-policies/docs/restricted-policy-doc-2.json5
+++ b/aws-iam-policies/docs/restricted-policy-doc-2.json5
@@ -180,12 +180,7 @@
 // Upload log events to log stream
 "logs:PutRetentionPolicy"
 // Change number of days Cloudwatch retains
- ],
- "Condition": {
- "ForAnyValue:StringEquals": {
- "aws:CalledVia": "cloudformation.amazonaws.com"
- }
- }
+ ]
 },
 {
 "Sid": "CFKeys",
diff --git a/aws-iam-policies/managedArn-node-inline-policy.json b/aws-iam-policies/managedArn-node-inline-policy.json
index 97c5c0f..c39d6c6 100644
--- a/aws-iam-policies/managedArn-node-inline-policy.json
+++ b/aws-iam-policies/managedArn-node-inline-policy.json
@@ -5,8 +5,8 @@
 "Sid": "clusterautoscaler",
 "Effect": "Allow",
 "Action": [
- "autoscaling:DescribeAutoScalingGroups", //comment 1
- "autoscaling:DescribeAutoScalingInstances", //comment 2
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
 "autoscaling:DescribeTags",
 "autoscaling:DescribeLaunchConfigurations",
 "autoscaling:SetDesiredCapacity",
diff --git a/aws-iam-policies/restricted-policy-1.json5 b/aws-iam-policies/restricted-policy-1.json5
deleted file mode 100644
index fe141a3..0000000
--- a/aws-iam-policies/restricted-policy-1.json5
+++ /dev/null
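Review bot: Dropping the `aws:CalledVia` condition from the CFCloudwatch statement lets the principal call `logs:CreateLogStream`, `logs:PutLogEvents` and `logs:PutRetentionPolicy` on the cluster log group directly rather than only through CloudFormation, and since main.py regenerates both policy variants from this doc file the widening propagates to every generated copy, which is a lot for what the subject line calls a test. If the motivation is a stack failure on this statement, a likelier cause is visible in the generated copy deleted further down in this patch: its `Resource` is `arn:aws:eks:*::log-group:/aws/eks/env-*-dwx-stack-eks/cluster:*`, i.e. the `eks` service segment and an empty account field, whereas CloudWatch log groups are `logs` resources and the sibling statements use the `*:*` form (`arn:aws:eks:*:*:cluster/...`). I would keep the five-line `Condition` block this hunk removes and instead correct the ARN in the doc file, e.g. `arn:aws:logs:*:*:log-group:/aws/eks/env-*-dwx-stack-eks/cluster:*` (constructed from the existing pattern; verify against the deployed log group), with a `//` comment beside `Resource` recording why. The statement's `Resource` line sits above the start of this hunk.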
@@ -1,164 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "ResourceTag",
- "Effect": "Allow",
- "Action": [
- "acm:DeleteCertificate",
- "autoscaling:SuspendProcesses",
- "autoscaling:UpdateAutoScalingGroup",
- "cloudformation:DeleteStack",
- "cloudformation:DescribeStackEvents",
- "elasticfilesystem:PutFileSystemPolicy",
- "rds:DeleteDBInstance",
- "rds:DeleteDBSecurityGroup",
- "rds:DeleteDBSubnetGroup",
- "ec2:DeleteKeypair"
- ],
- "Resource": "*",
- "Condition": {
- "StringLike": {
- "aws:ResourceTag/Cloudera-Resource-Name": "crn:cdp:*"
- }
- }
- },
- {
- "Sid": "RequestTag",
- "Effect": "Allow",
- "Action": [
- "autoscaling:CreateAutoScalingGroup",
- "cloudformation:CreateStack",
- "eks:TagResource",
- "elasticfilesystem:CreateFileSystem",
- "kms:CreateGrant",
- "kms:CreateKey",
- "rds:AddTagsToResource",
- "cloudformation:UpdateStack"
- ],
- "Resource": "*",
- "Condition": {
- "StringLike": {
- "aws:RequestTag/Cloudera-Resource-Name": "crn:cdp:*"
- }
- }
- },
- {
- "Sid": "AttachRole",
- "Effect": "Allow",
- "Action": "iam:AttachRolePolicy",
- "Resource": [
- "arn:aws:iam::*:role/env-*-dwx-stack-EKSServiceRole-*",
- "arn:aws:iam::*:role/env-*-dwx-stack-NodeInstanceRole-*"
- ],
- "Condition": {
- "ForAnyValue:ArnEqualsIfExists": {
- "iam:PolicyARN": [
- "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
- "arn:aws:iam::aws:policy/AmazonEKSServicePolicy",
- "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
- "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
- "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
- "arn:aws:iam::aws:policy/CloudWatchAgentAdminPolicy"
- ]
- }
- }
- },
- {
- "Sid": "Role",
- "Effect": "Allow",
- "Action": [
- "iam:AddRoleToInstanceProfile",
- "iam:CreateInstanceProfile",
- "iam:CreateRole",
- "iam:DeleteInstanceProfile",
- "iam:DeleteRole",
- "iam:DeleteRolePolicy",
- "iam:DetachRolePolicy",
- "iam:GetRole",
- "iam:GetRolePolicy",
- "iam:PassRole",
- "iam:PutRolePolicy",
- "iam:RemoveRoleFromInstanceProfile"
- ],
- "Resource": [
- "arn:aws:iam::*:instance-profile/env-*-dwx-stack-NodeInstanceProfile-*",
- "arn:aws:iam::*:role/env-*-dwx-stack-EKSServiceRole-*",
- "arn:aws:iam::*:role/env-*-dwx-stack-NodeInstanceRole-*"
- ]
- },
- {
- "Sid": "gocode",
- "Effect": "Allow",
- "Action": [
- "acm:DescribeCertificate",
- "acm:ListCertificates",
- "ec2:DescribeKeyPairs",
- "ec2:DescribeDhcpOptions",
- "ec2:DescribeSubnets",
- "ec2:DescribeVpcs",
- "autoscaling:DescribeAutoScalingGroups",
- "iam:SimulatePrincipalPolicy",
- "iam:ListAttachedRolePolicies",
- "ec2:DescribeVpcAttribute",
- "ec2:DescribeImages",
- "ec2:CreateTags",
- "ec2:CreateKeyPair"
- ],
- "Resource": "*"
- },
- {
- "Sid": "gocodeStack",
- "Effect": "Allow",
- "Action": [
- "cloudformation:DescribeStacks"
- ],
- "Resource": "arn:aws:cloudformation:*:*:stack/env-*-dwx-stack/*"
- },
- {
- "Sid": "gocodeEKSCluster",
- "Effect": "Allow",
- "Action": [
- "eks:UpdateClusterConfig",
- "eks:UpdateClusterVersion",
- "eks:DescribeUpdate"
- ],
- "Resource": "arn:aws:eks:*:*:cluster/env-*-dwx-stack-eks"
- },
- {
- "Sid": "S3full",
- "Effect": "Allow",
- "Action": [
- "s3:GetBucketLocation"
- ],
- "Resource": "*"
- },
- {
- "Sid": "S3PutGetObject",
- "Effect": "Allow",
- "Action": [
- "s3:PutObject",
- "s3:GetObject"
- ],
- "Resource": [
- "arn:aws:s3:::${DATALAKE_BUCKET}/cf-templates/*",
- "arn:aws:s3:::${DATALAKE_BUCKET}/backup/*"
- ]
- },
- {
- "Sid": "UpgradeCfStack",
- "Effect": "Allow",
- "Action": [
- "cloudformation:GetTemplate",
- "cloudformation:GetTemplateSummary",
- "eks:ListUpdates",
- "ec2:CreateLaunchTemplateVersion",
- "autoscaling:TerminateInstanceInAutoScalingGroup",
- "autoscaling:DescribeScheduledActions",
- "autoscaling:SetDesiredCapacity",
- "ec2:DescribeInstances"
- ],
- "Resource": "*"
- }
- ]
-}
\ No newline at end of file
diff --git a/aws-iam-policies/restricted-policy-2.json5 b/aws-iam-policies/restricted-policy-2.json5
deleted file mode 100644
index 505be73..0000000
--- a/aws-iam-policies/restricted-policy-2.json5
+++ /dev/null
@@ -1,182 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "cloudformation",
- "Effect": "Allow",
- "Action": [
- "acm:AddTagsToCertificate",
- "acm:DescribeCertificate",
- "acm:RequestCertificate",
- "autoscaling:DescribeScalingActivities",
- "ec2:CreateLaunchTemplate",
- "ec2:CreatePlacementGroup",
- "ec2:CreateSecurityGroup",
- "ec2:DescribeAccountAttributes",
- "ec2:DescribeAvailabilityZones",
- "ec2:DescribeLaunchTemplates",
- "ec2:DescribeLaunchTemplateVersions",
- "ec2:DescribePlacementGroups",
- "ec2:DescribeSecurityGroups",
- "ec2:RevokeSecurityGroupEgress",
- "ec2:RevokeSecurityGroupIngress",
- "ec2:RunInstances",
- "ec2:DeleteLaunchTemplate",
- "ec2:DeletePlacementGroup",
- "elasticfilesystem:DescribeMountTargets",
- "elasticfilesystem:DescribeFileSystems"
- ],
- "Resource": "*",
- "Condition": {
- "ForAnyValue:StringEquals": {
- "aws:CalledVia": "cloudformation.amazonaws.com"
- }
- }
- },
- {
- "Sid": "CFResourceTag",
- "Resource": "*",
- "Effect": "Allow",
- "Action": [
- "ec2:AuthorizeSecurityGroupEgress",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:RevokeSecurityGroupEgress",
- "ec2:RevokeSecurityGroupIngress",
- "autoscaling:DeleteAutoScalingGroup",
- "ec2:DeleteSecurityGroup",
- "eks:DeleteCluster"
- ],
- "Condition": {
- "ForAnyValue:StringEquals": {
- "aws:CalledVia": "cloudformation.amazonaws.com"
- },
- "StringLike": {
- "aws:ResourceTag/Cloudera-Resource-Name": "crn:cdp:*"
- }
- }
- },
- {
- "Sid": "CFRequestTag",
- "Resource": "*",
- "Effect": "Allow",
- "Action": [
- "kms:TagResource",
- "logs:CreateLogGroup"
- ],
- "Condition": {
- "ForAnyValue:StringEquals": {
- "aws:CalledVia": "cloudformation.amazonaws.com"
- },
- "StringLike": {
- "aws:RequestTag/Cloudera-Resource-Name": "crn:cdp:*"
- }
- }
- },
- {
- "Sid": "CFDatabase",
- "Resource": [
- "arn:aws:rds:*:*:db:env-*-dwx-stack-rds",
- "arn:aws:rds:*:*:subgrp:env-*-dwx-stack-dbsubnetgroup-*"
- ],
- "Effect": "Allow",
- "Action": [
- "rds:CreateDBInstance",
- "rds:DescribeDBInstances",
- "rds:CreateDBSubnetGroup",
- "rds:DescribeDBSubnetGroups",
- "rds:ListTagsForResource"
- ],
- "Condition": {
- "ForAnyValue:StringEquals": {
- "aws:CalledVia": "cloudformation.amazonaws.com"
- }
- }
- },
- {
- "Sid": "CFEksCluster",
- "Resource": "arn:aws:eks:*:*:cluster/env-*-dwx-stack-eks",
- "Effect": "Allow",
- "Action": [
- "eks:CreateCluster",
- "eks:DescribeCluster"
- ],
- "Condition": {
- "ForAnyValue:StringEquals": {
- "aws:CalledVia": "cloudformation.amazonaws.com"
- }
- }
- },
- {
- "Sid": "CFCloudwatch",
- "Resource": "arn:aws:eks:*::log-group:/aws/eks/env-*-dwx-stack-eks/cluster:*",
- "Effect": "Allow",
- "Action": [
- "logs:CreateLogStream",
- "logs:DescribeLogStreams",
- "logs:PutLogEvents",
- "logs:PutRetentionPolicy"
- ],
- "Condition": {
- "ForAnyValue:StringEquals": {
- "aws:CalledVia": "cloudformation.amazonaws.com"
- }
- }
- },
- {
- "Sid": "CFKeys",
- "Resource": "*",
- "Effect": "Allow",
- "Action": [
- "kms:CreateAlias",
- "kms:DeleteAlias",
- "kms:DescribeKey",
- "kms:EnableKeyRotation",
- "kms:GenerateDataKey",
- "kms:GenerateDataKeyWithoutPlaintext",
- "kms:ScheduleKeyDeletion"
- ],
- "Condition": {
- "ForAnyValue:StringEquals": {
- "aws:CalledVia": "cloudformation.amazonaws.com"
- }
- }
- },
- {
- "Sid": "CFFileSystem",
- "Resource": "*",
- "Effect": "Allow",
- "Action": [
- "elasticfilesystem:CreateMountTarget",
- "elasticfilesystem:DeleteFileSystem",
- "elasticfilesystem:DeleteMountTarget"
- ],
- "Condition": {
- "ForAnyValue:StringEquals": {
- "aws:CalledVia": "cloudformation.amazonaws.com"
- },
- "StringLike": {
- "aws:ResourceTag/clusterId": "env-*"
- }
- }
- },
- {
- "Sid": "AllowSsmParams",
- "Effect": "Allow",
- "Action": [
- "ssm:DescribeParameters",
- "ssm:GetParameter",
- "ssm:GetParameters",
- "ssm:GetParameterHistory",
- "ssm:GetParametersByPath"
- ],
- "Resource": [
- "arn:aws:ssm:*:*:parameter/aws/service/eks/optimized-ami/*"
- ],
- "Condition": {
- "ForAnyValue:StringEquals": {
- "aws:CalledVia": "cloudformation.amazonaws.com"
- }
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/aws-iam-policies/restricted-policy-managedARN-1.json5 b/aws-iam-policies/restricted-policy-managedARN-1.json5
deleted file mode 100644
index 1a58282..0000000
--- a/aws-iam-policies/restricted-policy-managedARN-1.json5
+++ /dev/null
@@ -1,163 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "ResourceTag",
- "Effect": "Allow",
- "Action": [
- "acm:DeleteCertificate",
- "autoscaling:SuspendProcesses",
- "autoscaling:UpdateAutoScalingGroup",
- "cloudformation:DeleteStack",
- "cloudformation:DescribeStackEvents",
- "elasticfilesystem:PutFileSystemPolicy",
- "rds:DeleteDBInstance",
- "rds:DeleteDBSecurityGroup",
- "rds:DeleteDBSubnetGroup",
- "ec2:DeleteKeypair"
- ],
- "Resource": "*",
- "Condition": {
- "StringLike": {
- "aws:ResourceTag/Cloudera-Resource-Name": "crn:cdp:*"
- }
- }
- },
- {
- "Sid": "RequestTag",
- "Effect": "Allow",
- "Action": [
- "autoscaling:CreateAutoScalingGroup",
- "cloudformation:CreateStack",
- "eks:TagResource",
- "elasticfilesystem:CreateFileSystem",
- "kms:CreateGrant",
- "kms:CreateKey",
- "rds:AddTagsToResource",
- "cloudformation:UpdateStack"
- ],
- "Resource": "*",
- "Condition": {
- "StringLike": {
- "aws:RequestTag/Cloudera-Resource-Name": "crn:cdp:*"
- }
- }
- },
- {
- "Sid": "AttachRole",
- "Effect": "Allow",
- "Action": "iam:AttachRolePolicy",
- "Resource": [
- "arn:aws:iam::*:role/env-*-dwx-stack-EKSServiceRole-*",
- "arn:aws:iam::*:role/env-*-dwx-stack-NodeInstanceRole-*"
- ],
- "Condition": {
- "ForAnyValue:ArnEqualsIfExists": {
- "iam:PolicyARN": [
- "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
- "arn:aws:iam::aws:policy/AmazonEKSServicePolicy",
- "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
- "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
- "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
- "arn:aws:iam::aws:policy/CloudWatchAgentAdminPolicy"
- ]
- }
- }
- },
- {
- "Sid": "Role",
- "Effect": "Allow",
- "Action": [
- "iam:AddRoleToInstanceProfile",
- "iam:CreateInstanceProfile",
- "iam:CreateRole",
- "iam:DeleteInstanceProfile",
- "iam:DeleteRole",
- "iam:DeleteRolePolicy",
- "iam:DetachRolePolicy",
- "iam:GetRole",
- "iam:GetRolePolicy",
- "iam:PassRole",
- "iam:RemoveRoleFromInstanceProfile"
- ],
- "Resource": [
- "arn:aws:iam::*:instance-profile/env-*-dwx-stack-NodeInstanceProfile-*",
- "arn:aws:iam::*:role/env-*-dwx-stack-EKSServiceRole-*",
- "arn:aws:iam::*:role/env-*-dwx-stack-NodeInstanceRole-*"
- ]
- },
- {
- "Sid": "gocode",
- "Effect": "Allow",
- "Action": [
- "acm:DescribeCertificate",
- "acm:ListCertificates",
- "ec2:DescribeKeyPairs",
- "ec2:DescribeDhcpOptions",
- "ec2:DescribeSubnets",
- "ec2:DescribeVpcs",
- "autoscaling:DescribeAutoScalingGroups",
- "iam:SimulatePrincipalPolicy",
- "iam:ListAttachedRolePolicies",
- "ec2:DescribeVpcAttribute",
- "ec2:DescribeImages",
- "ec2:CreateTags",
- "ec2:CreateKeyPair"
- ],
- "Resource": "*"
- },
- {
- "Sid": "gocodeStack",
- "Effect": "Allow",
- "Action": [
- "cloudformation:DescribeStacks"
- ],
- "Resource": "arn:aws:cloudformation:*:*:stack/env-*-dwx-stack/*"
- },
- {
- "Sid": "gocodeEKSCluster",
- "Effect": "Allow",
- "Action": [
- "eks:UpdateClusterConfig",
- "eks:UpdateClusterVersion",
- "eks:DescribeUpdate"
- ],
- "Resource": "arn:aws:eks:*:*:cluster/env-*-dwx-stack-eks"
- },
- {
- "Sid": "S3full",
- "Effect": "Allow",
- "Action": [
- "s3:GetBucketLocation"
- ],
- "Resource": "*"
- },
- {
- "Sid": "S3PutGetObject",
- "Effect": "Allow",
- "Action": [
- "s3:PutObject",
- "s3:GetObject"
- ],
- "Resource": [
- "arn:aws:s3:::${DATALAKE_BUCKET}/cf-templates/*",
- "arn:aws:s3:::${DATALAKE_BUCKET}/backup/*"
- ]
- },
- {
- "Sid": "UpgradeCfStack",
- "Effect": "Allow",
- "Action": [
- "cloudformation:GetTemplate",
- "cloudformation:GetTemplateSummary",
- "eks:ListUpdates",
- "ec2:CreateLaunchTemplateVersion",
- "autoscaling:TerminateInstanceInAutoScalingGroup",
- "autoscaling:DescribeScheduledActions",
- "autoscaling:SetDesiredCapacity",
- "ec2:DescribeInstances"
- ],
- "Resource": "*"
- }
- ]
-}
\ No newline at end of file
diff --git a/aws-iam-policies/restricted-policy-managedARN-2.json5 b/aws-iam-policies/restricted-policy-managedARN-2.json5
deleted file mode 100644
index 505be73..0000000
--- a/aws-iam-policies/restricted-policy-managedARN-2.json5
+++ /dev/null
@@ -1,182 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "cloudformation",
- "Effect": "Allow",
- "Action": [
- "acm:AddTagsToCertificate",
- "acm:DescribeCertificate",
- "acm:RequestCertificate",
- "autoscaling:DescribeScalingActivities",
- "ec2:CreateLaunchTemplate",
- "ec2:CreatePlacementGroup",
- "ec2:CreateSecurityGroup",
- "ec2:DescribeAccountAttributes",
- "ec2:DescribeAvailabilityZones",
- "ec2:DescribeLaunchTemplates",
- "ec2:DescribeLaunchTemplateVersions",
- "ec2:DescribePlacementGroups",
- "ec2:DescribeSecurityGroups",
- "ec2:RevokeSecurityGroupEgress",
- "ec2:RevokeSecurityGroupIngress",
- "ec2:RunInstances",
- "ec2:DeleteLaunchTemplate",
- "ec2:DeletePlacementGroup",
- "elasticfilesystem:DescribeMountTargets",
- "elasticfilesystem:DescribeFileSystems"
- ],
- "Resource": "*",
- "Condition": {
- "ForAnyValue:StringEquals": {
- "aws:CalledVia": "cloudformation.amazonaws.com"
- }
- }
- },
- {
- "Sid": "CFResourceTag",
- "Resource": "*",
- "Effect": "Allow",
- "Action": [
- "ec2:AuthorizeSecurityGroupEgress",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:RevokeSecurityGroupEgress",
- "ec2:RevokeSecurityGroupIngress",
- "autoscaling:DeleteAutoScalingGroup",
- "ec2:DeleteSecurityGroup",
- "eks:DeleteCluster"
- ],
- "Condition": {
- "ForAnyValue:StringEquals": {
- "aws:CalledVia": "cloudformation.amazonaws.com"
- },
- "StringLike": {
- "aws:ResourceTag/Cloudera-Resource-Name": "crn:cdp:*"
- }
- }
- },
- {
- "Sid": "CFRequestTag",
- "Resource": "*",
- "Effect": "Allow",
- "Action": [
- "kms:TagResource",
- "logs:CreateLogGroup"
- ],
- "Condition": {
- "ForAnyValue:StringEquals": {
- "aws:CalledVia": "cloudformation.amazonaws.com"
- },
- "StringLike": {
- "aws:RequestTag/Cloudera-Resource-Name": "crn:cdp:*"
- }
- }
- },
- {
- "Sid": "CFDatabase",
- "Resource": [
- "arn:aws:rds:*:*:db:env-*-dwx-stack-rds",
- "arn:aws:rds:*:*:subgrp:env-*-dwx-stack-dbsubnetgroup-*"
- ],
- "Effect": "Allow",
- "Action": [
- "rds:CreateDBInstance",
- "rds:DescribeDBInstances",
- "rds:CreateDBSubnetGroup",
- "rds:DescribeDBSubnetGroups",
- "rds:ListTagsForResource"
- ],
- "Condition": {
- "ForAnyValue:StringEquals": {
- "aws:CalledVia": "cloudformation.amazonaws.com"
- }
- }
- },
- {
- "Sid": "CFEksCluster",
- "Resource": "arn:aws:eks:*:*:cluster/env-*-dwx-stack-eks",
- "Effect": "Allow",
- "Action": [
- "eks:CreateCluster",
- "eks:DescribeCluster"
- ],
- "Condition": {
- "ForAnyValue:StringEquals": {
- "aws:CalledVia": "cloudformation.amazonaws.com"
- }
- }
- },
- {
- "Sid": "CFCloudwatch",
- "Resource": "arn:aws:eks:*::log-group:/aws/eks/env-*-dwx-stack-eks/cluster:*",
- "Effect": "Allow",
- "Action": [
- "logs:CreateLogStream",
- "logs:DescribeLogStreams",
- "logs:PutLogEvents",
- "logs:PutRetentionPolicy"
- ],
- "Condition": {
- "ForAnyValue:StringEquals": {
- "aws:CalledVia": "cloudformation.amazonaws.com"
- }
- }
- },
- {
- "Sid": "CFKeys",
- "Resource": "*",
- "Effect": "Allow",
- "Action": [
- "kms:CreateAlias",
- "kms:DeleteAlias",
- "kms:DescribeKey",
- "kms:EnableKeyRotation",
- "kms:GenerateDataKey",
- "kms:GenerateDataKeyWithoutPlaintext",
- "kms:ScheduleKeyDeletion"
- ],
- "Condition": {
- "ForAnyValue:StringEquals": {
- "aws:CalledVia": "cloudformation.amazonaws.com"
- }
- }
- },
- {
- "Sid": "CFFileSystem",
- "Resource": "*",
- "Effect": "Allow",
- "Action": [
- "elasticfilesystem:CreateMountTarget",
- "elasticfilesystem:DeleteFileSystem",
- "elasticfilesystem:DeleteMountTarget"
- ],
- "Condition": {
- "ForAnyValue:StringEquals": {
- "aws:CalledVia": "cloudformation.amazonaws.com"
- },
- "StringLike": {
- "aws:ResourceTag/clusterId": "env-*"
- }
- }
- },
- {
- "Sid": "AllowSsmParams",
- "Effect": "Allow",
- "Action": [
- "ssm:DescribeParameters",
- "ssm:GetParameter",
- "ssm:GetParameters",
- "ssm:GetParameterHistory",
- "ssm:GetParametersByPath"
- ],
- "Resource": [
- "arn:aws:ssm:*:*:parameter/aws/service/eks/optimized-ami/*"
- ],
- "Condition": {
- "ForAnyValue:StringEquals": {
- "aws:CalledVia": "cloudformation.amazonaws.com"
- }
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/main.py b/main.py
index 48cc517..216b8ac 100644
--- a/main.py
+++ b/main.py
@@ -9,10 +9,10 @@
 myfile = 'aws-iam-policies/docs/' + file
 with open(myfile, "r+") as resultsFile:
 jsonData = json5.load(resultsFile)
- writeRestrictedfile = 'aws-iam-policies/' + file.replace('-doc', '')
+ writeRestrictedfile = 'aws-iam-policies/generated/' + file.replace('-doc', '')
 with open(writeRestrictedfile, 'w') as f:
 json.dump(jsonData, f, indent=4)
- writeRestrictedManagedArnfile = 'aws-iam-policies/' + file.replace('-doc', '-managedARN')
+ writeRestrictedManagedArnfile = 'aws-iam-policies/generated/' + file.replace('-doc', '-managedARN')
 with open(writeRestrictedManagedArnfile, 'w') as managedArn:
 for sid in jsonData['Statement']:
 actionsList = sid['Action']
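Review bot: The new `aws-iam-policies/generated/` prefix on `writeRestrictedfile` and `writeRestrictedManagedArnfile` is opened with `'w'`, but nothing in this patch creates that directory (the diffstat adds no file under it), so unless a placeholder already exists there the first `open(writeRestrictedfile, 'w')` raises `FileNotFoundError` on a fresh checkout. Create it once before the loop this hunk sits in (the loop header is above the hunk and the `for sid` body continues below it), e.g. `os.makedirs('aws-iam-policies/generated', exist_ok=True)` with `import os` if the file does not already have it, and consider a single `GENERATED_DIR = 'aws-iam-policies/generated/'` constant so the two assignments cannot drift apart. Since `json.dump` writes strict JSON while `file.replace('-doc', '')` keeps the `.json5` name, a comment on `writeRestrictedfile` such as `# output is plain JSON; the .json5 extension is inherited from the doc filename` would save the next reader a check.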