package serverless_aws_automation
import (
"context"
"fmt"
"strings"
aegis_aws_auth "github.com/zeus-fyi/zeus/pkg/aegis/aws/auth"
aegis_aws_iam "github.com/zeus-fyi/zeus/pkg/aegis/aws/iam"
)
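// InternalUserRolePolicySetupForLambdaDeployment provisions the IAM user,
// role and policy used for internal lambda deployments and then attaches the
// policy to the role. The four helpers each treat an already-existing IAM
// entity as success, so re-running this setup is safe.
//
// Errors are wrapped with the step that failed so the caller can tell which
// IAM object could not be provisioned; errors.Is/errors.As still unwrap
// through to the underlying SDK error.
func InternalUserRolePolicySetupForLambdaDeployment(ctx context.Context, auth aegis_aws_auth.AuthAWS) error {
	if err := CreateInternalLambdaUser(ctx, auth); err != nil {
		return fmt.Errorf("creating internal lambda user: %w", err)
	}
	if err := CreateInternalLambdaRole(ctx, auth); err != nil {
		return fmt.Errorf("creating internal lambda role: %w", err)
	}
	if err := CreateInternalLambdaPolicy(ctx, auth); err != nil {
		return fmt.Errorf("creating internal lambda policy: %w", err)
	}
	if err := AddInternalLambdaPoliciesToRole(ctx, auth); err != nil {
		return fmt.Errorf("attaching internal lambda policies to role: %w", err)
	}
	return nil
}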
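// ExternalUserRolePolicySetupForLambdaDeployment creates the IAM user that
// external callers use to invoke lambdas and attaches its policy. Creating the
// user is tolerant of the user already existing, so this can be re-run.
//
// Errors are wrapped with the step that failed; errors.Is/errors.As still
// unwrap through to the underlying SDK error.
func ExternalUserRolePolicySetupForLambdaDeployment(ctx context.Context, auth aegis_aws_auth.AuthAWS) error {
	if err := CreateExternalLambdaUser(ctx, auth); err != nil {
		return fmt.Errorf("creating external lambda user: %w", err)
	}
	if err := AddExternalLambdaPolicyToUser(ctx, auth); err != nil {
		return fmt.Errorf("attaching external lambda policy to user: %w", err)
	}
	return nil
}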
// CreateExternalLambdaUserAccessKeys issues a new access-key pair for the
// external lambda invocation user (aegis_aws_iam.ExternalLambdaUserName) and
// returns it as an AuthAWS value. On any failure the zero AuthAWS is returned
// together with the error.
//
// The returned value presumably carries the newly issued secret access key
// (its fields are defined in the aegis_aws_auth package); callers should treat
// it as a credential and avoid logging or persisting it in plaintext.
func CreateExternalLambdaUserAccessKeys(ctx context.Context, auth aegis_aws_auth.AuthAWS) (aegis_aws_auth.AuthAWS, error) {
	userName := aegis_aws_iam.ExternalLambdaUserName
	fmt.Println("INFO: creating access keys for external lambda invocation with username ", userName)

	client, err := aegis_aws_iam.InitIAMClient(ctx, auth)
	if err != nil {
		return aegis_aws_auth.AuthAWS{}, err
	}

	issued, err := client.CreateUserAccessKeys(ctx, userName)
	if err != nil {
		// Never hand back a partially populated credential on failure.
		return aegis_aws_auth.AuthAWS{}, err
	}
	return issued, nil
}
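// CreateExternalLambdaUser creates the IAM user that external callers use to
// invoke lambdas, from the package-level
// aegis_aws_iam.ExternalLambdaUserAndPolicy definition. An EntityAlreadyExists
// response from IAM is treated as success so the setup can be re-run.
//
// The already-exists check is a substring match on the SDK error text; an
// errors.As check against the SDK's typed EntityAlreadyExists exception would
// be more robust if that type is brought into scope.
func CreateExternalLambdaUser(ctx context.Context, auth aegis_aws_auth.AuthAWS) error {
	// Dereferences the package-level user name; assumes the definition is
	// fully populated at init (a nil pointer here would panic) — TODO confirm.
	fmt.Println("INFO: creating iam user for external lambda invocation with username", *aegis_aws_iam.ExternalLambdaUserAndPolicy.UserName.UserName)
	iamClient, err := aegis_aws_iam.InitIAMClient(ctx, auth)
	if err != nil {
		return err
	}
	err = iamClient.CreateLambdaUser(ctx, aegis_aws_iam.ExternalLambdaUserAndPolicy)
	if err == nil {
		return nil
	}
	if strings.Contains(err.Error(), "EntityAlreadyExists:") {
		// Log message corrected: this branch is about the user, not a policy.
		fmt.Println("INFO: user already exists, skipping creation")
		return nil
	}
	return err
}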
// AddExternalLambdaPolicyToUser attaches the external lambda user policy via
// the IAM client. It returns the client-initialisation error or the attach
// error unchanged, and nil on success.
func AddExternalLambdaPolicyToUser(ctx context.Context, auth aegis_aws_auth.AuthAWS) error {
	client, err := aegis_aws_iam.InitIAMClient(ctx, auth)
	if err != nil {
		return err
	}
	// AttachExternalLambdaUserPolicy takes no user argument; which user and
	// policy it targets is decided inside the aegis_aws_iam package.
	return client.AttachExternalLambdaUserPolicy(ctx)
}
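// CreateInternalLambdaUser creates the IAM user used for lambda deployments,
// from the package-level aegis_aws_iam.InternalLambdaUserAndPolicy definition.
// It first asks IAM whether the user exists and skips creation if so; an
// EntityAlreadyExists response on creation is likewise treated as success, so
// the setup can be re-run.
//
// DoesUserExist returns only a bool, so a failed lookup is indistinguishable
// from "absent"; the EntityAlreadyExists fallback covers that case. The
// already-exists check is a substring match on the SDK error text; an
// errors.As check against the SDK's typed exception would be more robust if
// that type is brought into scope.
func CreateInternalLambdaUser(ctx context.Context, auth aegis_aws_auth.AuthAWS) error {
	// Dereferences the package-level user name; assumes the definition is
	// fully populated at init (a nil pointer here would panic) — TODO confirm.
	fmt.Println("INFO: creating iam user for lambda deployment with username ", *aegis_aws_iam.InternalLambdaUserAndPolicy.UserName.UserName)
	iamClient, err := aegis_aws_iam.InitIAMClient(ctx, auth)
	if err != nil {
		return err
	}
	if iamClient.DoesUserExist(ctx, aegis_aws_iam.InternalLambdaUserAndPolicy) {
		fmt.Println("INFO: user already exists, skipping creation")
		return nil
	}
	err = iamClient.CreateLambdaUser(ctx, aegis_aws_iam.InternalLambdaUserAndPolicy)
	if err == nil {
		return nil
	}
	if strings.Contains(err.Error(), "EntityAlreadyExists:") {
		// Log message corrected: this branch is about the user, not a policy.
		fmt.Println("INFO: user already exists, skipping creation")
		return nil
	}
	return err
}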
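// CreateInternalLambdaRole creates the IAM role (aegis_aws_iam.LambdaRoleName)
// assumed by deployed lambdas. The role output returned by the client is
// discarded; only the error is surfaced. An EntityAlreadyExists response is
// treated as success so the setup can be re-run.
//
// The already-exists check is a substring match on the SDK error text; an
// errors.As check against the SDK's typed exception would be more robust if
// that type is brought into scope.
func CreateInternalLambdaRole(ctx context.Context, auth aegis_aws_auth.AuthAWS) error {
	fmt.Println("INFO: creating role for lambda deployment with role name ", aegis_aws_iam.LambdaRoleName)
	iamClient, err := aegis_aws_iam.InitIAMClient(ctx, auth)
	if err != nil {
		return err
	}
	_, err = iamClient.CreateInternalLambdaRole(ctx)
	if err == nil {
		return nil
	}
	if strings.Contains(err.Error(), "EntityAlreadyExists:") {
		// Log message corrected: this branch is about the role, not a policy.
		fmt.Println("INFO: role already exists, skipping creation")
		return nil
	}
	return err
}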
// CreateInternalLambdaPolicy creates the IAM policy for lambda deployments
// from the package-level aegis_aws_iam.InternalLambdaUserAndPolicy definition.
// The policy output returned by the client is discarded; only the error is
// surfaced. An EntityAlreadyExists response is treated as success so the setup
// can be re-run.
func CreateInternalLambdaPolicy(ctx context.Context, auth aegis_aws_auth.AuthAWS) error {
	spec := aegis_aws_iam.InternalLambdaUserAndPolicy
	fmt.Println("INFO: creating policy for lambda deployment with policy name ", spec.PolicyName)

	client, err := aegis_aws_iam.InitIAMClient(ctx, auth)
	if err != nil {
		return err
	}

	if _, err = client.CreateNewLambdaUserPolicy(ctx, spec); err != nil {
		// Already-exists detection is a substring match on the SDK error text.
		alreadyExists := strings.Contains(err.Error(), "EntityAlreadyExists:")
		if !alreadyExists {
			return err
		}
		fmt.Println("INFO: policy already exists, skipping creation")
	}
	return nil
}
// AddInternalLambdaPoliciesToRole attaches the internal lambda policy to the
// lambda role via the IAM client. The client's result value is discarded; only
// the error is surfaced. An EntityAlreadyExists response is treated as success
// so the setup can be re-run.
func AddInternalLambdaPoliciesToRole(ctx context.Context, auth aegis_aws_auth.AuthAWS) error {
	fmt.Println("INFO: adding policy to role for lambda deployment")

	client, err := aegis_aws_iam.InitIAMClient(ctx, auth)
	if err != nil {
		return err
	}

	// Which policy and role are involved is fixed inside the aegis_aws_iam
	// package; this call takes no arguments beyond the context.
	if _, err = client.AddInternalPolicyToLambdaRolePolicies(ctx); err != nil {
		// Already-exists detection is a substring match on the SDK error text.
		if !strings.Contains(err.Error(), "EntityAlreadyExists:") {
			return err
		}
		fmt.Println("INFO: policy already exists, skipping creation")
	}
	return nil
}