
AWS Lambda automate updating policies #3

Open · wants to merge 2 commits into base: master

Conversation

@RyPeck commented Sep 4, 2019

Using AWS Lambda, configured via the AWS CDK.

Uses the Python dulwich module to perform git operations. get_aws_managed_policies.py still works as before.

See app.py doc string for details on setting up and configuring.

RyPeck added 2 commits Aug 30, 2019
Quick conversion from the awscli and bash commands to Python. This
enables future plans to automate the updates to this repository and to
run this in AWS Lambda.

Python outputs the same policy document json that the old process does.
`app.py` contains the AWS CDK to create a Python Lambda function with
the appropriate permission to log and pull all the IAM Policies.

The `dulwich` module is used for all git operations.

Before running `cdk deploy` a Secret needs to be created in AWS
Managed Secrets and a few environment variables need to be created.
See `app.py` for instructions.

Lambda Function is invoked every hour. To test, deploy and trigger
the Lambda with a test event. Execution can take around a minute. More
memory will speed it up.
@RyPeck (Author) commented Sep 4, 2019

Note - this depends on having a GitHub account with a Personal Access Token. I took the route of creating a "machine user" @rypeck-bot to automate. Currently pointed at https://github.com/RyPeck/aws_managed_policies/tree/master and running every hour.

Next steps could be to get it working with SSH (there are Lambda Layers that make this look possible) but I thought I'd leave off here for now.
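The design above keeps a machine user's PAT in a Secret, pushes over HTTPS, and reuses a clone under /tmp between Lambda invocations. Two things a reviewer would want around that: the token must never be written into the clone's stored remote URL or into logs, and a warm /tmp clone should be trusted only after checking it is the expected repository. The stdlib-only helpers below are an added example, not code from this PR; the owner, repo name and config text are constructed, and `authenticated_url` is a hypothetical helper for building the push URL at push time only.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed values for this example, not taken from the PR.
REPO_OWNER = "RyPeck"
REPO_NAME = "aws_managed_policies"
EXPECTED_ORIGIN = f"https://github.com/{REPO_OWNER}/{REPO_NAME}.git"


def authenticated_url(username, token, owner=REPO_OWNER, name=REPO_NAME):
    """Build the PAT-bearing HTTPS URL only when pushing; never store it in .git/config."""
    return f"https://{username}:{token}@github.com/{owner}/{name}.git"


def redact_url(url):
    """Strip userinfo (username:token) from a URL before it reaches logs or error text."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url
    netloc = parts.hostname or ""
    if parts.port:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def origin_url_from_config(config_text):
    """Return the 'url' of [remote "origin"] from .git/config text, or None."""
    section = None
    for line in config_text.splitlines():
        s = line.strip()
        m = re.match(r'\[remote "([^"]+)"\]', s)
        if m:
            section = m.group(1)
            continue
        if s.startswith("["):          # any other section header
            section = None
            continue
        if section == "origin" and s.startswith("url"):
            key, _, value = s.partition("=")
            if key.strip() == "url":
                return value.strip()
    return None


def cache_is_reusable(config_text, expected_origin=EXPECTED_ORIGIN):
    """A warm-Lambda /tmp clone is reused only if its origin is the expected repo
    and no credential was persisted in the stored URL; otherwise discard and re-clone."""
    url = origin_url_from_config(config_text)
    if url is None or redact_url(url) != url:
        return False
    return url == expected_origin
```

In the handler, read `os.path.join(repo_path, ".git", "config")` and call `cache_is_reusable` on its contents before fetching into an existing directory.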

@z0ph commented Sep 5, 2019

Well done @RyPeck !!

@RyPeck (Author) commented Sep 5, 2019

Here is what an update looks like right now - RyPeck@f21818a

@0xdabbad00 0xdabbad00 referenced this pull request Sep 18, 2019
mkdir lambda_package; cd lambda_package/
cp ../get_aws_managed_policies.py ../lambda-handler.py .
pip3 install dulwich -t .
zip -r ../deploymentPackage.zip .
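Review bot: `pip3 install dulwich -t .` pulls whichever dulwich release is current into the deployment package, so the bundle is not reproducible and a new upstream release changes what gets deployed without any change in this repo. Pin the version (and ideally hashes) with `pip3 install 'dulwich==<pinned version>' -t .` or a committed requirements file with pinned versions, and verify the resulting zip before uploading.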

@0xdabbad00 (Contributor) Sep 18, 2019

I think you could have avoided doing the manual zip here, but that's fine.

@@ -0,0 +1,108 @@
"""

@0xdabbad00 (Contributor) Sep 18, 2019

Awesome to see you went with the CDK!

@0xdabbad00 (Contributor) Sep 18, 2019

Should mention in the README how to deploy as a CDK app.

github_bot_username,
gh_access_token,
repo_owner,
repo_path="/tmp/aws_managed_policies",
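Review bot: the `repo_path="/tmp/aws_managed_policies"` default survives across warm Lambda invocations, so the existence check for the cached clone should also confirm it is a git repository whose origin points at the `repo_owner` repository before fetching into it, and remove and re-clone otherwise. Also make sure `gh_access_token` is only used to build the push URL at push time and is never persisted in the clone's remote URL on disk or echoed in logs or exception text.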

@0xdabbad00 (Contributor) Sep 18, 2019

Nice job using the /tmp cache and later checking if this exists already or not!

@0xdabbad00 (Contributor) commented Sep 18, 2019

Looks like the bot is working against your repo. 👍 I did a review and this all looks good. I want to actually deploy this before I merge it in, but hope to do that this weekend. Awesome work!
