From 60596ea5f6b3080074639898c7d52b6bf10525e0 Mon Sep 17 00:00:00 2001 From: jlourenco Date: Sat, 19 Aug 2023 12:48:33 +0100 Subject: [PATCH] Starting work on IAM importers. --- aws/aws_blueprints_template/main.tf | 12 +++++++ aws/iam_policy/blueprint.tf | 35 +++++++++++++++++++++ aws/iam_policy/config.json | 18 +++++++++++ aws/iam_policy/event_rule.yaml | 49 +++++++++++++++++++++++++++++ aws/iam_policy/policy.json | 16 ++++++++++ aws/iam_role/blueprint.tf | 41 ++++++++++++++++++++++++ aws/iam_role/config.json | 19 +++++++++++ aws/iam_role/event_rule.yaml | 41 ++++++++++++++++++++++++ aws/iam_role/policy.json | 9 ++++++ aws/iam_user/blueprint.tf | 49 +++++++++++++++++++++++++++++ aws/iam_user/config.json | 19 +++++++++++ aws/iam_user/event_rule.yaml | 41 ++++++++++++++++++++++++ aws/iam_user/policy.json | 8 +++++ 13 files changed, 357 insertions(+) create mode 100644 aws/iam_policy/blueprint.tf create mode 100644 aws/iam_policy/config.json create mode 100644 aws/iam_policy/event_rule.yaml create mode 100644 aws/iam_policy/policy.json create mode 100644 aws/iam_role/blueprint.tf create mode 100644 aws/iam_role/config.json create mode 100644 aws/iam_role/event_rule.yaml create mode 100644 aws/iam_role/policy.json create mode 100644 aws/iam_user/blueprint.tf create mode 100644 aws/iam_user/config.json create mode 100644 aws/iam_user/event_rule.yaml create mode 100644 aws/iam_user/policy.json diff --git a/aws/aws_blueprints_template/main.tf b/aws/aws_blueprints_template/main.tf index 2aab14b..9ef6240 100644 --- a/aws/aws_blueprints_template/main.tf +++ b/aws/aws_blueprints_template/main.tf 
@@ -86,4 +86,16 @@ module "port_load_balancer" { source = "../load_balancer" count = contains(var.resources, "load_balancer") ? 1 : 0 depends_on = [port-labs_blueprint.region] +} + +module "port_iam_role" { + source = "../iam_role" + count = contains(var.resources, "iam_role") ? 1 : 0 + depends_on = [port-labs_blueprint.region] +} + +module "port_iam_policy" { + source = "../iam_policy" + count = contains(var.resources, "iam_policy") ? 1 : 0 + depends_on = [port-labs_blueprint.region] } \ No newline at end of file diff --git a/aws/iam_policy/blueprint.tf b/aws/iam_policy/blueprint.tf new file mode 100644 index 0000000..393b06b --- /dev/null +++ b/aws/iam_policy/blueprint.tf @@ -0,0 +1,35 @@ +terraform { + required_providers { + port-labs = { + source = "port-labs/port-labs" + version = "0.10.4" + } + } +} + +resource "port-labs_blueprint" "iam_policy" { + title = "IAM Policy" + icon = "AWS" + identifier = "iam_policy" + + properties { + identifier = "link" + type = "string" + format = "url" + title = "Link" + } + + properties { + identifier = "arn" + type = "string" + title = "ARN" + } + + relations { + target = "region" + title = "Region" + identifier = "region" + many = false + required = false + } +} \ No newline at end of file diff --git a/aws/iam_policy/config.json b/aws/iam_policy/config.json new file mode 100644 index 0000000..1a8a8cd --- /dev/null +++ b/aws/iam_policy/config.json @@ -0,0 +1,18 @@ +{ + "kind": "AWS::IAM::Policy", + "port": { + "entity": { + "mappings": [ + { + "identifier": ".PolicyName", + "title": ".PolicyName", + "blueprint": "iam_policy", + "properties": { + "link": "\"https://console.aws.amazon.com/go/view?arn=\" + .Arn", + "arn": ".Arn" + } + } + ] + } + } +} diff --git a/aws/iam_policy/event_rule.yaml b/aws/iam_policy/event_rule.yaml new file mode 100644 index 0000000..230d86d --- /dev/null +++ b/aws/iam_policy/event_rule.yaml 
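Review bot: The template gains `port_iam_role` and `port_iam_policy` but not a module for `aws/iam_user`, which this same commit creates, so passing `"iam_user"` in `var.resources` has no effect and the IAM user blueprint is never provisioned. A block mirroring the two added ones is needed; because the iam_user blueprint declares a relation to a role blueprint, it presumably also has to be created after the role module, which is worth confirming against how the provider orders blueprint creation. The `module` list this hunk extends starts before the hunk.
```terraform
module "port_iam_user" {
  source     = "../iam_user"
  count      = contains(var.resources, "iam_user") ? 1 : 0
  depends_on = [port-labs_blueprint.region]
}
```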
@@ -0,0 +1,49 @@ +SQSEventRule: + Type: AWS::Events::Rule + Properties: + EventBusName: default + EventPattern: + source: + - aws.iam + detail-type: + - AWS API Call via CloudTrail + detail: + eventSource: + - iam.amazonaws.com + eventName: + - prefix: AttachGroupPolicy + - prefix: AttachRolePolicy + - prefix: AttachUserPolicy + - prefix: CreatePolicy + - prefix: CreatePolicyVersion + - prefix: DeleteGroupPolicy + - prefix: DeletePolicy + - prefix: DeletePolicyVersion + - prefix: DeleteRolePolicy + - prefix: DeleteUserPolicy + - prefix: DetachGroupPolicy + - prefix: DetachRolePolicy + - prefix: DetachUserPolicy + - prefix: PutGroupPolicy + - prefix: PutRolePolicy + - prefix: PutUserPolicy + - prefix: SetDefaultPolicyVersion + Name: port-aws-exporter-sync-iam-trails + State: ENABLED + Targets: + - Id: PortAWSExporterEventsQueue + Arn: + Fn::ImportValue: + Fn::Sub: ${PortAWSExporterStackName}-EventsQueueARN + InputTransformer: + InputPathsMap: + awsRegion: $.detail.awsRegion + eventName: $.detail.eventName + requestPolicyName: $.detail.requestParameters.policyName + InputTemplate: |- + { + "resource_type": "AWS::IAM::Policy", + "region": "\"\"", + "identifier": "\"\"", + "action": "if \"\" | test(\"DeletePolicy[^a-zA-Z]*$\") then \"delete\" else \"upsert\" end" + } \ No newline at end of file diff --git a/aws/iam_policy/policy.json b/aws/iam_policy/policy.json new file mode 100644 index 0000000..5d37f4a --- /dev/null +++ b/aws/iam_policy/policy.json @@ -0,0 +1,16 @@ +[ + "iam:ListPolicies", + "iam:GetPolicyVersion", + "iam:GetPolicy", + "iam:ListGroupPolicies", + "iam:ListPoliciesGrantingServiceAccess", + "iam:ListEntitiesForPolicy", + "iam:ListUserPolicies", + "iam:ListPolicyVersions", + "iam:GetUserPolicy", + "iam:ListAttachedRolePolicies", + "iam:ListAttachedUserPolicies", + "iam:ListAttachedGroupPolicies", + "iam:ListPolicyTags", + "iam:ListRolePolicies" +] \ No newline at end of file 
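Review bot: `Name: port-aws-exporter-sync-iam-trails` is the same rule name used by `aws/iam_role/event_rule.yaml` later in this patch, and EventBridge rule names are unique per event bus, so deploying both into one account will collide; give each a distinct name, e.g. `Name: port-aws-exporter-sync-iam-policy-trails` here and `Name: port-aws-exporter-sync-iam-role-trails` in the role rule. As rendered here, the `InputTemplate` fields `"region": "\"\""`, `"identifier": "\"\""` and `if \"\" | test(...)` carry no `<awsRegion>`/`<requestPolicyName>`/`<eventName>` placeholders from `InputPathsMap`; if the file really reads this way every event yields an empty identifier and an `upsert` action, but if only the angle brackets were lost in rendering this can be ignored (the same applies to the role and user rules). Separately, the Attach*/Detach* calls in `eventName` carry `policyArn` rather than `policyName` in their request parameters, and the Put*Policy calls refer to inline policies rather than `AWS::IAM::Policy` managed policies, so `$.detail.requestParameters.policyName` will be absent or point at a different resource for those events — worth verifying against a sample CloudTrail record.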
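Review bot: The permission list for the policy importer is broader than the mapping in `aws/iam_policy/config.json` needs: that mapping reads only `.PolicyName` and `.Arn`, while `iam:GetPolicyVersion`, `iam:GetUserPolicy`, `iam:ListGroupPolicies` and `iam:ListUserPolicies` grant access to policy documents and inline policies of other principals. If the exporter only enumerates managed policies, `iam:ListPolicies` and `iam:GetPolicy` (plus `iam:ListPolicyTags` if tags are surfaced) should suffice; which calls it actually issues for `AWS::IAM::Policy` is not visible here, so confirm before trimming.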
diff --git a/aws/iam_role/blueprint.tf b/aws/iam_role/blueprint.tf new file mode 100644 index 0000000..5c35cc9 --- /dev/null +++ b/aws/iam_role/blueprint.tf @@ -0,0 +1,41 @@ +terraform { + required_providers { + port-labs = { + source = "port-labs/port-labs" + version = "0.10.4" + } + } +} + +resource "port-labs_blueprint" "iam_role" { + title = "IAM Role" + icon = "AWS" + identifier = "iam_role" + + properties { + identifier = "link" + type = "string" + format = "url" + title = "Link" + } + + properties { + identifier = "description" + type = "string" + title = "Description" + } + + properties { + identifier = "arn" + type = "string" + title = "ARN" + } + + relations { + target = "region" + title = "Region" + identifier = "region" + many = false + required = false + } +} \ No newline at end of file diff --git a/aws/iam_role/config.json b/aws/iam_role/config.json new file mode 100644 index 0000000..e79afca --- /dev/null +++ b/aws/iam_role/config.json @@ -0,0 +1,19 @@ +{ + "kind": "AWS::IAM::Role", + "port": { + "entity": { + "mappings": [ + { + "identifier": ".RoleName", + "title": ".RoleName", + "blueprint": "iam_role", + "properties": { + "link": "\"https://console.aws.amazon.com/go/view?arn=\" + .Arn", + "arn": ".Arn", + "description": ".Description" + } + } + ] + } + } +} diff --git a/aws/iam_role/event_rule.yaml b/aws/iam_role/event_rule.yaml new file mode 100644 index 0000000..5a56de1 --- /dev/null +++ b/aws/iam_role/event_rule.yaml 
@@ -0,0 +1,41 @@ +SQSEventRule: + Type: AWS::Events::Rule + Properties: + EventBusName: default + EventPattern: + source: + - aws.iam + detail-type: + - AWS API Call via CloudTrail + detail: + eventSource: + - iam.amazonaws.com + eventName: + - prefix: AddRoleToInstanceProfile + - prefix: AttachRolePolicy + - prefix: CreateRole + - prefix: DeleteRole + - prefix: DeleteRolePolicy + - prefix: DetachRolePolicy + - prefix: PutRolePolicy + - prefix: RemoveRoleFromInstanceProfile + - prefix: UpdateAssumeRolePolicy + Name: port-aws-exporter-sync-iam-trails + State: ENABLED + Targets: + - Id: PortAWSExporterEventsQueue + Arn: + Fn::ImportValue: + Fn::Sub: ${PortAWSExporterStackName}-EventsQueueARN + InputTransformer: + InputPathsMap: + awsRegion: $.detail.awsRegion + eventName: $.detail.eventName + requestRoleName: $.detail.requestParameters.roleName + InputTemplate: |- + { + "resource_type": "AWS::IAM::Role", + "region": "\"\"", + "identifier": "\"\"", + "action": "if \"\" | test(\"DeleteRole[^a-zA-Z]*$\") then \"delete\" else \"upsert\" end" + } \ No newline at end of file diff --git a/aws/iam_role/policy.json b/aws/iam_role/policy.json new file mode 100644 index 0000000..bee0db0 --- /dev/null +++ b/aws/iam_role/policy.json @@ -0,0 +1,9 @@ +[ + "iam:ListInstanceProfilesForRole", + "iam:ListRoleTags", + "iam:ListAttachedRolePolicies", + "iam:ListRoles", + "iam:ListRolePolicies", + "iam:GetRole", + "iam:GetRolePolicy" +] \ No newline at end of file diff --git a/aws/iam_user/blueprint.tf b/aws/iam_user/blueprint.tf new file mode 100644 index 0000000..d6da176 --- /dev/null +++ b/aws/iam_user/blueprint.tf 
@@ -0,0 +1,49 @@ +terraform { + required_providers { + port-labs = { + source = "port-labs/port-labs" + version = "0.10.4" + } + } +} + +resource "port-labs_blueprint" "iam_user" { + title = "IAM User" + icon = "AWS" + identifier = "iam_user" + + properties { + identifier = "link" + type = "string" + format = "url" + title = "Link" + } + + properties { + identifier = "description" + type = "string" + title = "Description" + } + + properties { + identifier = "arn" + type = "string" + title = "ARN" + } + + relations { + target = "region" + title = "Region" + identifier = "region" + many = false + required = false + } + + relations { + target = "role" + title = "Role" + identifier = "role" + many = true + required = false + } +} \ No newline at end of file diff --git a/aws/iam_user/config.json b/aws/iam_user/config.json new file mode 100644 index 0000000..73286ef --- /dev/null +++ b/aws/iam_user/config.json @@ -0,0 +1,19 @@ +{ + "kind": "AWS::IAM::User", + "port": { + "entity": { + "mappings": [ + { + "identifier": ".UserName", + "title": ".RoleName", + "blueprint": "iam_role", + "properties": { + "link": "\"https://console.aws.amazon.com/go/view?arn=\" + .Arn", + "arn": ".Arn", + "description": ".Description" + } + } + ] + } + } +} diff --git a/aws/iam_user/event_rule.yaml b/aws/iam_user/event_rule.yaml new file mode 100644 index 0000000..d142dbd --- /dev/null +++ b/aws/iam_user/event_rule.yaml 
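Review bot: The second `relations` block targets a blueprint named `role`, but the role blueprint introduced in `aws/iam_role/blueprint.tf` has `identifier = "iam_role"`, and nothing in this patch defines a blueprint called `role`, so creating this relation will presumably fail or dangle; change it to `target = "iam_role"`. Note also that the modules are gated by `count`, so when `iam_role` is not among the selected resources the target blueprint may not exist at all — the template should either require both or make the relation conditional.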
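Review bot: This file declares `"kind": "AWS::IAM::User"` but keeps `"title": ".RoleName"` and `"blueprint": "iam_role"` from the role config, so IAM users would be upserted into the `iam_role` blueprint with an empty title. Change them to `"title": ".UserName",` and `"blueprint": "iam_user",`. The mapping also never populates the `role` relation declared in `aws/iam_user/blueprint.tf`, and `.Description` is unlikely to be present on an IAM user resource — both worth checking against the resource schema the exporter returns.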
@@ -0,0 +1,41 @@ +SQSEventRule: + Type: AWS::Events::Rule + Properties: + EventBusName: default + EventPattern: + source: + - aws.iam + detail-type: + - AWS API Call via CloudTrail + detail: + eventSource: + - iam.amazonaws.com + eventName: + - prefix: CreateUser + - prefix: AddUserToGroup + - prefix: AttachUserPolicy + - prefix: DeleteUser + - prefix: DeleteUserPolicy + - prefix: DetachUserPolicy + - prefix: PutUserPolicy + - prefix: RemoveUserFromGroup + - prefix: UpdateUser + Name: port-aws-exporter-sync-iam-user-trails + State: ENABLED + Targets: + - Id: PortAWSExporterEventsQueue + Arn: + Fn::ImportValue: + Fn::Sub: ${PortAWSExporterStackName}-EventsQueueARN + InputTransformer: + InputPathsMap: + awsRegion: $.detail.awsRegion + eventName: $.detail.eventName + requestUserName: $.detail.requestParameters.userName + InputTemplate: |- + { + "resource_type": "AWS::IAM::User", + "region": "\"\"", + "identifier": "\"\"", + "action": "if \"\" | test(\"DeleteUser[^a-zA-Z]*$\") then \"delete\" else \"upsert\" end" + } \ No newline at end of file diff --git a/aws/iam_user/policy.json b/aws/iam_user/policy.json new file mode 100644 index 0000000..fe623b6 --- /dev/null +++ b/aws/iam_user/policy.json @@ -0,0 +1,8 @@ +[ + "iam:ListInstanceProfilesForRole", + "iam:ListRoleTags", + "iam:ListAttachedRolePolicies", + "iam:ListRoles", + "iam:ListRolePolicies", + "iam:GetRole" +] \ No newline at end of file
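Review bot: Every action in this list is a role action copied from `aws/iam_role/policy.json` (`iam:ListRoles`, `iam:GetRole`, `iam:ListRoleTags`, …), so the user importer is granted nothing that lets it enumerate or read IAM users and will fail on its first list call, while still carrying unrelated role permissions. Replace the list with the user-scoped equivalents; the exact set depends on which calls the exporter issues for `AWS::IAM::User`, and `iam:GetUserPolicy` is deliberately left out since the mapping does not read inline policy documents.
```json
[
  "iam:ListUsers",
  "iam:GetUser",
  "iam:ListUserTags",
  "iam:ListGroupsForUser",
  "iam:ListAttachedUserPolicies",
  "iam:ListUserPolicies"
]
```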