installation/tef-custom-iam-roles.yml

AWSTemplateFormatVersion: 2010-09-09

Description: TEF Custom IAM Roles

Parameters:
  ResourceNamePrefix:
    Description: >
      Same with TEF
    Type: String
    Default: turbot
    MaxLength: 9
    AllowedPattern: "^[a-z][a-z0-9]*$"

  CustomResourceNamePrefix:
    Description: >
      Custom name prefix
    Type: String
    Default: acme
    MaxLength: 9
    AllowedPattern: "^[a-z][a-z0-9]*$"

  AlphaRegion:
    Description: >
      AlphaRegion
    Type: String
    Default: true
    AllowedValues:
      - true
      - false

  ApplyOverrides:
    Description: >
      Not just create the roles, but also use the roles in TEF (by creating the SSM override parameters)
    Type: String
    Default: true
    AllowedValues:
      - true
      - false

  ReleasePhase:
    Description: Portfolio lifecycle phase for deployment. Defines the artifacts to be used for this deployment.
    Type: String
    AllowedValues:
      - development
      - staging
      - production
    Default: production

Conditions:
  IsAlpha: !Equals [!Ref AlphaRegion, true]
  CreateSsmParameters: !Equals [!Ref ApplyOverrides, true]
  IsGovCloud: !Equals [!Ref "AWS::Partition", "aws-us-gov"]

Mappings:
  Constants:
    Portfolio:
      AccountId: "054892787221"
      GovCloudAccountId: "491412691920"

Resources:
  #
  # SSM
  #

  RunnableRoleInRegionParameter:
    Type: AWS::SSM::Parameter
    Condition: CreateSsmParameters
    Properties:
      Name: !Sub "/${ResourceNamePrefix}/overrides/enterprise/runnable_role_in_region"
      Description: "Overrides Runnable Role In Region (ARN)"
      Type: String
      Value: !GetAtt RunnableRoleInRegion.Arn

  RunnableInVpcRoleInRegionParameter:
    Type: AWS::SSM::Parameter
    Condition: CreateSsmParameters
    Properties:
      Name: !Sub "/${ResourceNamePrefix}/overrides/enterprise/runnable_in_vpc_role_in_region"
      Description: "Overrides Runnable Role In Region (ARN)"
      Type: String
      Value: !GetAtt RunnableInVpcRoleInRegion.Arn

  EC2InstanceProfileParameter:
    Type: AWS::SSM::Parameter
    Condition: CreateSsmParameters
    Properties:
      Name: !Sub "/${ResourceNamePrefix}/overrides/enterprise/ec2_instance_profile"
      Description: "Overrides EC2 Role (ARN)"
      Type: String
      Value: !GetAtt EC2InstanceProfile.Arn

  EC2RoleParameter:
    Type: AWS::SSM::Parameter
    Condition: CreateSsmParameters
    Properties:
      Name: !Sub "/${ResourceNamePrefix}/overrides/enterprise/ec2_role"
      Description: "Overrides EC2 Role (ARN)"
      Type: String
      Value: !GetAtt EC2Role.Arn

  HiveManagerExecutionRoleParameter:
    Type: AWS::SSM::Parameter
    Condition: CreateSsmParameters
    Properties:
      Name: !Sub "/${ResourceNamePrefix}/overrides/enterprise/hive_manager_execution_role"
      Description: "Overrides Hive Manager Execution Role"
      Type: String
      Value: !If
        - IsAlpha
        - !GetAtt HiveManagerExecutionRole.Arn
        - "Not applicable"

  WorkspaceManagerExecutionRoleParameter:
    Type: AWS::SSM::Parameter
    Condition: CreateSsmParameters
    Properties:
      Name: !Sub "/${ResourceNamePrefix}/overrides/enterprise/workspace_manager_execution_role"
      Description: "Overrides Workspace Manager Execution Role"
      Type: String
      Value: !If
        - IsAlpha
        - !GetAtt WorkspaceManagerExecutionRole.Arn
        - "Not applicable"

  EventProxyExecutionRoleParameter:
    Type: AWS::SSM::Parameter
    Condition: CreateSsmParameters
    Properties:
      Name: !Sub "/${ResourceNamePrefix}/overrides/enterprise/event_proxy_execution_role"
      Description: "Overrides Event Proxy Execution Role"
      Type: String
      Value: !GetAtt EventProxyExecutionRole.Arn

  HealthCheckProxyExecutionRoleParameter:
    Type: AWS::SSM::Parameter
    Condition: CreateSsmParameters
    Properties:
      Name: !Sub "/${ResourceNamePrefix}/overrides/enterprise/health_check_proxy_execution_role"
      Description: "Overrides Health Check Proxy Execution Role"
      Type: String
      Value: !GetAtt HealthCheckProxyExecutionRole.Arn

  ConnectivityCheckerRoleParameter:
    Type: AWS::SSM::Parameter
    Condition: CreateSsmParameters
    Properties:
      Name: !Sub "/${ResourceNamePrefix}/overrides/enterprise/connectivity_checker_role"
      Description: "Overrides Connectivity Checker Role"
      Type: String
      Value: !GetAtt ConnectivityCheckerRole.Arn

  PreinstallCheckerRoleParameter:
    Type: AWS::SSM::Parameter
    Condition: CreateSsmParameters
    Properties:
      Name: !Sub "/${ResourceNamePrefix}/overrides/enterprise/preinstall_checker_role"
      Description: "Overrides Preinstall Checker Role"
      Type: String
      Value: !GetAtt PreinstallCheckerRole.Arn

  #
  # IAM
  #

  RunnableRoleInRegion:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub
        - "${CustomResourceNamePrefix}_runnable_${Region}"
        - Region: !Join ["_", !Split ["-", !Ref "AWS::Region"]]
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
                - ecs-tasks.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - !Ref RunnablePolicyInRegion

  RunnablePolicyInRegion:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: !Sub "${CustomResourceNamePrefix}_runnable_policy_${AWS::Region}"
      Description: Policy for creating a Lambda run policy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - sns:publish
            # This is not going to work when we do the work to run Lambda in the target account
            Resource: !Sub "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${ResourceNamePrefix}_*_events"

          - Effect: Allow
            Action:
              - kms:Decrypt
              - kms:GenerateDataKey
            # Hack custom role
            Resource: "*"

          - Effect: Allow
            Action:
              - sqs:SendMessage
            Resource: !Sub "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${ResourceNamePrefix}_runnable_dlq"

          - Effect: Allow
            Action:
              - logs:CreateLogStream
              - logs:PutLogEvents
              - logs:CreateLogGroup
            Resource:
              # TODO: this is not going to work when we implement running Lambda in customers' account

              # Runnable name is create with `-` as separator
              - !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${ResourceNamePrefix}-*
              - !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${ResourceNamePrefix}-*:log-stream:*

  RunnableInVpcRoleInRegion:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub
        - "${CustomResourceNamePrefix}_runnable_in_vpc_${Region}"
        - Region: !Join ["_", !Split ["-", !Ref "AWS::Region"]]
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
                - ecs-tasks.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - !Ref RunnableInVpcPolicyInRegion

  RunnableInVpcPolicyInRegion:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: !Sub "${CustomResourceNamePrefix}_runnable_in_vpc_policy_${AWS::Region}"
      Description: Policy for creating a Lambda run policy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - sns:publish
            # This is not going to work when we do the work to run Lambda in the target account
            Resource: !Sub "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${ResourceNamePrefix}_*_events"

          - Effect: Allow
            Action:
              - kms:Decrypt
              - kms:GenerateDataKey
            # Hack custom role
            Resource: "*"

          - Effect: Allow
            Action:
              - sqs:SendMessage
            Resource: !Sub "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${ResourceNamePrefix}_runnable_dlq"

          - Effect: Allow
            Action:
              - logs:CreateLogStream
              - logs:PutLogEvents
              - logs:CreateLogGroup
            Resource:
              # TODO: this is not going to work when we implement running Lambda in customers' account

              # Runnable name is create with `-` as separator
              - !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${ResourceNamePrefix}-*
              - !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${ResourceNamePrefix}-*:log-stream:*

          # Required to run Lambda in VPC
          - Effect: Allow
            Action:
              - ec2:DescribeNetworkInterfaces
            Resource: "*"

          #
          # https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html
          #
          # CreateNetworkInterface and DeleteNetworkInterface needs resource * and does not have condition keys (except the global one)
          # meaning we can't restrict to the subnet or VPC.
          - Effect: Allow
            Action:
              - ec2:CreateNetworkInterface
              - ec2:DeleteNetworkInterface
            Resource: "*"

  EC2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      InstanceProfileName: !Sub
        - ${CustomResourceNamePrefix}_ecs_ec2_instance_profile_${Region}
        - Region: !Join ["_", !Split ["-", !Ref "AWS::Region"]]
      Roles:
        - !Ref EC2Role

  EC2Role:
    Type: AWS::IAM::Role
    Properties:
      Path: "/"
      RoleName: !Sub
        - "${CustomResourceNamePrefix}_ecs_ec2_host_role_${Region}"
        - Region: !Join ["_", !Split ["-", !Ref "AWS::Region"]]
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
      Policies:
        - PolicyName: ECSforEC2InstanceRolePolicy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Sid: ECRPolicies
                Effect: Allow
                Action:
                  - ecr:BatchCheckLayerAvailability
                  - ecr:GetDownloadUrlForLayer
                  - ecr:BatchGetImage
                Resource:
                  - !Sub
                    - "arn:${AWS::Partition}:ecr:${AWS::Region}:${PortfolioAccount}:repository/${ReleasePhase}/turbot"
                    - PortfolioAccount: !If
                        - IsGovCloud
                        - !FindInMap [Constants, Portfolio, GovCloudAccountId]
                        - !FindInMap [Constants, Portfolio, AccountId]
              - Sid: ECSPolicies
                Effect: Allow
                Action:
                  - ecs:DeregisterContainerInstance
                  - ecs:Poll
                  - ecs:RegisterContainerInstance
                  - ecs:StartTelemetrySession
                  - ecs:Submit*
                Resource:
                  - !Sub "arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:cluster/${ResourceNamePrefix}"
                  - !Sub "arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:container-instance/*"
              - Sid: RequiresAllResource
                Effect: Allow
                Action:
                  - ecs:DiscoverPollEndpoint
                  - ecr:GetAuthorizationToken
                Resource: "*"

  HiveManagerExecutionRole:
    Type: AWS::IAM::Role
    Condition: IsAlpha
    Properties:
      RoleName: !Sub ${CustomResourceNamePrefix}_hive_manager
      Path: /
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: AllowSsmAndRds
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Sid: SsmPolicy
                Effect: Allow
                Action:
                  - ssm:GetParameters
                  - ssm:GetParameter
                  - ssm:PutParameter
                  - ssm:DeleteParameters
                  - ssm:DeleteParameter
                  - ssm:AddTagsToResource
                Resource: !Sub "arn:${AWS::Partition}:ssm:*:${AWS::AccountId}:parameter/${ResourceNamePrefix}/*"

              - Sid: LambdaPolicy
                Effect: Allow
                Action:
                  - lambda:listTags
                Resource:
                  # Need to be able to create Lambda in all regions
                  - !Sub arn:${AWS::Partition}:lambda:*:${AWS::AccountId}:function:${ResourceNamePrefix}*

              # Required to encrypt SSM key generated by the Hive Manager
              - Sid: KmsPolicies
                Effect: Allow
                Action:
                  - kms:Encrypt
                  - kms:Decrypt
                # Need to save in all regions for multi region support. Hive manager only runs in the Alpha region.
                Resource: !Sub "arn:${AWS::Partition}:kms:*:${AWS::AccountId}:key/*"

              - Sid: RdsPolicy
                Effect: Allow
                Action:
                  - rds:DescribeDBInstances
                  - rds:ModifyDBInstance
                Resource: !Sub "arn:${AWS::Partition}:rds:*:${AWS::AccountId}:db:${ResourceNamePrefix}-*"

              - Sid: CloudWatchLogging
                Effect: Allow
                Action:
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                  - logs:CreateLogGroup
                Resource:
                  # Hive manager name uses `_`
                  - !Sub arn:${AWS::Partition}:logs:*:${AWS::AccountId}:log-group:/aws/lambda/${ResourceNamePrefix}_hive_manager
                  - !Sub arn:${AWS::Partition}:logs:*:${AWS::AccountId}:log-group:/aws/lambda/${ResourceNamePrefix}_hive_manager:log-stream:*

              - Sid: AllowEc2ToAll
                Effect: Allow
                Action:
                  # https://forum.serverless.com/t/very-long-delay-when-doing-sls-remove-of-lambda-in-a-vpc/2535/2
                  # https://stackoverflow.com/questions/35990747/lambda-creating-eni-everytime-it-is-invoked-hitting-limit
                  - ec2:CreateNetworkInterface
                  - ec2:DescribeNetworkInterfaces
                  - ec2:DeleteNetworkInterface
                Resource: "*"

  WorkspaceManagerExecutionRole:
    Type: AWS::IAM::Role
    Condition: IsAlpha
    Properties:
      RoleName: !Sub "${CustomResourceNamePrefix}_workspace_manager"
      Path: /
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: AllowSsmAndLambdaInvoke
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Sid: SsmPolicy
                Effect: Allow
                Action:
                  - ssm:GetParameters
                  - ssm:GetParametersByPath
                Resource: !Sub "arn:${AWS::Partition}:ssm:*:${AWS::AccountId}:parameter/${ResourceNamePrefix}/*"

              - Sid: S3PolicyLogBucket
                Effect: Allow
                Action:
                  - s3:PutObject
                  - s3:GetObject
                  - s3:ListBucket
                Resource:
                  - !Sub "arn:${AWS::Partition}:s3:::${ResourceNamePrefix}-${AWS::AccountId}*/temp/*"

              - Sid: CloudWatchLogging
                Effect: Allow
                Action:
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                  - logs:CreateLogGroup
                Resource:
                  # Hive manager name uses `_`
                  - !Sub arn:${AWS::Partition}:logs:*:${AWS::AccountId}:log-group:/aws/lambda/${ResourceNamePrefix}_workspace_manager
                  - !Sub arn:${AWS::Partition}:logs:*:${AWS::AccountId}:log-group:/aws/lambda/${ResourceNamePrefix}_workspace_manager:log-stream:*

              - Sid: AllowEc2ToAll
                Effect: Allow
                Action:
                  # https://forum.serverless.com/t/very-long-delay-when-doing-sls-remove-of-lambda-in-a-vpc/2535/2
                  # https://stackoverflow.com/questions/35990747/lambda-creating-eni-everytime-it-is-invoked-hitting-limit
                  - ec2:CreateNetworkInterface
                  - ec2:DescribeNetworkInterfaces
                  - ec2:DeleteNetworkInterface
                Resource: "*"

              - Sid: LambdaInvokePolicy
                Effect: Allow
                Action:
                  - lambda:InvokeFunction
                Resource: !Sub "arn:${AWS::Partition}:lambda:*:${AWS::AccountId}:function:${ResourceNamePrefix}_*_workspace_manager"

  EventProxyExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub
        - "${CustomResourceNamePrefix}_event_proxy_${Region}"
        - Region: !Join ["_", !Split ["-", !Ref "AWS::Region"]]
      Path: /
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole

  HealthCheckProxyExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub
        - "${CustomResourceNamePrefix}_healthcheck_proxy_${Region}"
        - Region: !Join ["_", !Split ["-", !Ref "AWS::Region"]]
      Path: /
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole

  ConnectivityCheckerRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub
        - "${CustomResourceNamePrefix}_connectivity_checker_${Region}"
        - Region: !Join ["_", !Split ["-", !Ref "AWS::Region"]]
      Path: /
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: AllowReadAccessForLambdaInvoke
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Sid: SQSQueue
                Effect: Allow
                Action:
                  - sqs:GetQueueUrl
                # TODO: HACK
                # Resource: !GetAtt LambdaRunnableDeadLetterQueue.Arn
                Resource: "*"

              - Sid: SNSNotification
                Effect: Allow
                Action:
                  - sns:ListTopics
                Resource: !Sub "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:*"

              - Sid: S3Bucket
                Effect: Allow
                Action:
                  - s3:GetBucketLocation
                # TODO: HACK
                Resource: "*"

                # Resource: !GetAtt LogBucket.Arn
              - Sid: RDSInstances
                Effect: Allow
                Action:
                  - rds:DescribeSourceRegions
                # DescribeSourceRegions lists the source AWS Regions where the current AWS Region can create a
                # read replica or copy a DB snapshot fromPermission given to all.
                # This action needs all resources to work.
                Resource: "*"

              - Sid: LambdaFunction
                Effect: Allow
                Action:
                  - lambda:GetAccountSettings
                # GetAccountSettings details about your account's limits and usage in an AWS Region.
                # This action needs all resources to work.
                Resource: "*"

              - Sid: EC2Instance
                Effect: Allow
                Action:
                  - ec2:DescribeAccountAttributes
                  - ec2:DescribeNetworkInterfaces
                  - ec2:CreateNetworkInterface
                  - ec2:DeleteNetworkInterface
                # DescribeAccountAttributes describes attributes of your AWS account like
                # 1. supported-platforms (whether your account can launch instances into EC2-Classic and EC2-VPC, or only into EC2-VPC),
                # 2. default-vpc (id of default vpc)
                # 3. vpc-max-security-groups-per-interface (The maximum number of security groups that you can assign to a network interface) etc.
                # This action needs all resources to work.
                Resource: "*"

              - Sid: KMSKey
                Effect: Allow
                Action:
                  - kms:DescribeKey
                # TODO: HACK
                Resource: "*"

                # Resource: !GetAtt FoundationKey.Arn
              - Sid: SSMParameter
                Effect: Allow
                Action:
                  - ssm:GetParameters
                Resource: !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${ResourceNamePrefix}/*"

              - Sid: STS
                Effect: Allow
                Action:
                  - sts:GetCallerIdentity
                # GetCallerIdentity returns the following details about the IAM user or role whose credentials are
                # used to call the operation - account id, arn and user id
                # This action needs all resources to work.
                Resource: "*"

              - Sid: CloudWatchLogging
                Effect: Allow
                Action:
                  - logs:DescribeDestinations
                # DescribeDestinations lists all the destinations (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-logs-destination.html)
                # This action needs all resources to work.
                Resource: "*"

              - Sid: LogsPolicy
                Effect: Allow
                Action:
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${ResourceNamePrefix}_connectivity_checker:log-stream:*

  PreinstallCheckerRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub
        - "${CustomResourceNamePrefix}_preinstall_checker_${Region}"
        - Region: !Join ["_", !Split ["-", !Ref "AWS::Region"]]
      Path: /
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: AllowReadAccessForSSM
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Sid: SSMParameter
                Effect: Allow
                Action:
                  - ssm:GetParametersByPath
                  - ssm:GetParameters
                Resource: !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${ResourceNamePrefix}/*"

              - Sid: EC2Instance
                Effect: Allow
                Action:
                  - ec2:DescribeNetworkInterfaces
                  - ec2:CreateNetworkInterface
                  - ec2:DeleteNetworkInterface
                Resource: "*"

              - Sid: LogsPolicy
                Effect: Allow
                Action:
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${ResourceNamePrefix}_preinstall_checker:log-stream:*