Expand Up @@ -4,6 +4,11 @@ Description: Stream events from AWS CloudWatch Logs to Splunk's HTTP event colle
Parameters:
BucketNameParameter:
Type: String
SplunkHecUrlParameter:
Type: String
AllowedPattern: '^(https?|ftp):\/\/[^\s/$.?#].[^\s]*$'
SplunkHecTokenParameter:
Type: String
Resources:
splunkcloudwatchlogsprocessor:
Type: 'AWS::Serverless::Function'
Expand All @@ -19,5 +24,5 @@ Resources:
BucketName: !Ref BucketNameParameter
Environment:
Variables:
SPLUNK_HEC_URL: <enter value here>
SPLUNK_HEC_TOKEN: <enter value here>
SPLUNK_HEC_URL: !Ref SplunkHecUrlParameter
SPLUNK_HEC_TOKEN: !Ref SplunkHecTokenParameter
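Review bot: `SplunkHecTokenParameter` is declared as a plain `String`, so the HEC token is displayed in the CloudFormation console and returned by stack-description calls; adding `NoEcho: true` under it would mask the value there. The token is still copied into the function's `SPLUNK_HEC_TOKEN` environment variable, which anyone allowed to read the function configuration can see, so a `Description` on the parameter saying so would help operators decide whether to encrypt it or load it at runtime. The `AllowedPattern` on `SplunkHecUrlParameter` also accepts `http://` and `ftp://`, which would let the token travel unencrypted; unless plain-HTTP collectors must be supported, `AllowedPattern: '^https:\/\/[^\s/$.?#].[^\s]*$'` limits it to TLS. The same two parameters are added in the DynamoDB stream, ELB application and classic, IoT, Kinesis stream and splunk-logging templates further down this page.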
10 changes: 8 additions & 2 deletions examples/apps/splunk-dynamodb-stream-processor/template.yaml
Expand Up @@ -3,6 +3,12 @@ Transform: 'AWS::Serverless-2016-10-31'
Description: >-
Stream AWS DynamoDB table activity from DynamoDB Stream to Splunk's HTTP event
collector
Parameters:
SplunkHecUrlParameter:
Type: String
AllowedPattern: '^(https?|ftp):\/\/[^\s/$.?#].[^\s]*$'
SplunkHecTokenParameter:
Type: String
Resources:
splunkdynamodbstreamprocessor:
Type: 'AWS::Serverless::Function'
Expand All @@ -28,8 +34,8 @@ Resources:
BatchSize: 100
Environment:
Variables:
SPLUNK_HEC_URL: <enter value here>
SPLUNK_HEC_TOKEN: <enter value here>
SPLUNK_HEC_URL: !Ref SplunkHecUrlParameter
SPLUNK_HEC_TOKEN: !Ref SplunkHecTokenParameter
Table1:
Type: 'AWS::DynamoDB::Table'
Properties:
Expand Up @@ -4,6 +4,11 @@ Description: Stream Application ELB access logs from S3 to Splunk's HTTP event c
Parameters:
BucketNameParameter:
Type: String
SplunkHecUrlParameter:
Type: String
AllowedPattern: '^(https?|ftp):\/\/[^\s/$.?#].[^\s]*$'
SplunkHecTokenParameter:
Type: String
Resources:
splunkelbapplicationaccesslogsprocessor:
Type: 'AWS::Serverless::Function'
Expand All @@ -29,7 +34,7 @@ Resources:
- 's3:ObjectCreated:*'
Environment:
Variables:
SPLUNK_HEC_URL: <enter value here>
SPLUNK_HEC_TOKEN: <enter value here>
SPLUNK_HEC_URL: !Ref SplunkHecUrlParameter
SPLUNK_HEC_TOKEN: !Ref SplunkHecTokenParameter
Bucket1:
Type: 'AWS::S3::Bucket'
Expand Up @@ -4,6 +4,11 @@ Description: Stream Classic ELB access logs from S3 to Splunk's HTTP event colle
Parameters:
BucketNameParameter:
Type: String
SplunkHecUrlParameter:
Type: String
AllowedPattern: '^(https?|ftp):\/\/[^\s/$.?#].[^\s]*$'
SplunkHecTokenParameter:
Type: String
Resources:
splunkelbclassicaccesslogsprocessor:
Type: 'AWS::Serverless::Function'
Expand All @@ -27,7 +32,7 @@ Resources:
- 's3:ObjectCreated:*'
Environment:
Variables:
SPLUNK_HEC_URL: <enter value here>
SPLUNK_HEC_TOKEN: <enter value here>
SPLUNK_HEC_URL: !Ref SplunkHecUrlParameter
SPLUNK_HEC_TOKEN: !Ref SplunkHecTokenParameter
Bucket1:
Type: 'AWS::S3::Bucket'
10 changes: 8 additions & 2 deletions examples/apps/splunk-iot-processor/template.yaml
@@ -1,6 +1,12 @@
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Description: Stream events from AWS IoT to Splunk's HTTP event collector
Parameters:
SplunkHecUrlParameter:
Type: String
AllowedPattern: '^(https?|ftp):\/\/[^\s/$.?#].[^\s]*$'
SplunkHecTokenParameter:
Type: String
Resources:
splunkiotprocessor:
Type: 'AWS::Serverless::Function'
Expand All @@ -14,5 +20,5 @@ Resources:
Policies: []
Environment:
Variables:
SPLUNK_HEC_URL: <enter value here>
SPLUNK_HEC_TOKEN: <enter value here>
SPLUNK_HEC_URL: !Ref SplunkHecUrlParameter
SPLUNK_HEC_TOKEN: !Ref SplunkHecTokenParameter
10 changes: 8 additions & 2 deletions examples/apps/splunk-kinesis-stream-processor/template.yaml
@@ -1,6 +1,12 @@
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Description: Stream events from AWS Kinesis to Splunk's HTTP event collector
Parameters:
SplunkHecUrlParameter:
Type: String
AllowedPattern: '^(https?|ftp):\/\/[^\s/$.?#].[^\s]*$'
SplunkHecTokenParameter:
Type: String
Resources:
splunkkinesisstreamprocessor:
Type: 'AWS::Serverless::Function'
Expand All @@ -24,8 +30,8 @@ Resources:
BatchSize: 100
Environment:
Variables:
SPLUNK_HEC_URL: <enter value here>
SPLUNK_HEC_TOKEN: <enter value here>
SPLUNK_HEC_URL: !Ref SplunkHecUrlParameter
SPLUNK_HEC_TOKEN: !Ref SplunkHecTokenParameter
KinesisStream1:
Type: 'AWS::Kinesis::Stream'
Properties:
9 changes: 7 additions & 2 deletions examples/apps/splunk-logging/template.yaml
Expand Up @@ -4,6 +4,11 @@ Description: Demonstrates logging from AWS Lambda code to Splunk's HTTP event co
Parameters:
BucketNameParameter:
Type: String
SplunkHecUrlParameter:
Type: String
AllowedPattern: '^(https?|ftp):\/\/[^\s/$.?#].[^\s]*$'
SplunkHecTokenParameter:
Type: String
Resources:
splunklogging:
Type: 'AWS::Serverless::Function'
Expand All @@ -21,5 +26,5 @@ Resources:
BucketName: !Ref BucketNameParameter
Environment:
Variables:
SPLUNK_HEC_URL: <enter value here>
SPLUNK_HEC_TOKEN: <enter value here>
SPLUNK_HEC_URL: !Ref SplunkHecUrlParameter
SPLUNK_HEC_TOKEN: !Ref SplunkHecTokenParameter
10 changes: 7 additions & 3 deletions examples/apps/sqs-poller/template.yaml
@@ -1,9 +1,13 @@
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Description: Periodically polls an SQS queue and asynchronously consumes each message.
Parameters:
QueueNameParameter:
Parameters:
QueueNameParameter:
Type: String
Description:
QueueUrlParameter:
Type: String
AllowedPattern: '^https:\/\/sqs\.[a-z\-0-9]+\.amazonaws\.com(?:.cn)?\/[0-9]{12}\/.{1,80}$'
Resources:
sqspoller:
Type: 'AWS::Serverless::Function'
Expand All @@ -20,4 +24,4 @@ Resources:
QueueName: !Ref QueueNameParameter
Environment:
Variables:
queueUrl: <enter value here>
queueUrl: !Ref QueueUrlParameter
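Review bot: The `AllowedPattern` for `QueueUrlParameter` leaves the dot in `(?:.cn)?` unescaped and ends in `.{1,80}`, so it is looser than it reads: any character may precede `cn` in the host, and the queue-name part accepts any characters, including further `/`. Escaping the dot and restricting the name, for example `AllowedPattern: '^https:\/\/sqs\.[a-z\-0-9]+\.amazonaws\.com(?:\.cn)?\/[0-9]{12}\/[A-Za-z0-9_\-.]{1,80}$'`, keeps the value the function polls tied to an SQS endpoint. The bare `Description:` that appears to be added above `QueueUrlParameter` parses as null rather than a string; give it text or drop the key.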
102 changes: 102 additions & 0 deletions samtranslator/policy_templates_data/policy_templates.json
Expand Up @@ -1430,6 +1430,108 @@
"Resource": "*"
}]
}
},
"DecodeSSMParameterPolicy": {
"Description": "Gives access to SSM key and parameter to load secrets in this account.",
"Parameters": {
"ParameterName": {
"Description":"The name of the secret stored in SSM in your account."
}
},
"Definition": {
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:DescribeParameters"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ssm:GetParameters",
"ssm:GetParameter"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${parameterName}",
{
"parameterName": {
"Ref": "ParameterName"
}
}
]
}
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:alias/aws/ssm"
]
}
}
]
}
},
"DecodeSSMParameterCustomKeyPolicy": {
"Description": "Gives access to decoding a SSM Parameters store using non-default key.",
"Parameters": {
"ParameterName": {
"Description": "The name of the secret stored in SSM in your account."
},
"KeyId": {
"Description": "ID of the KMS Key"
}
},
"Definition": {
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:DescribeParameters"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ssm:GetParameters",
"ssm:GetParameter"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${parameterName}",
{
"parameterName": {
"Ref": "ParameterName"
}
}
]
}
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}",
{
"keyId": {
"Ref": "KeyId"
}
}
]
}
}
]
}
}
}
}
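Review bot: In `DecodeSSMParameterPolicy` the `kms:Decrypt` statement's resource is `arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:alias/aws/ssm`, an ARN in the `ssm` namespace that names no KMS resource, and its `Fn::Sub` is a one-element list where the list form expects a string followed by a variable map. Even with `kms` as the service, IAM does not honour an alias ARN in `Resource` for `kms:Decrypt`, so the statement as written probably grants nothing; scope it to a key ARN, as `DecodeSSMParameterCustomKeyPolicy` does, or drop it if the AWS-managed key's own policy is what is relied on. Both templates also allow `ssm:DescribeParameters` on `"Resource": "*"`, which lets the function list metadata for every parameter in the account and is not needed to read one named parameter. The expected output in `tests/translator/output/all_policy_templates.json` carries the same `ssm` ARN and would need regenerating with any fix.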
13 changes: 10 additions & 3 deletions tests/translator/input/all_policy_templates.yaml
Expand Up @@ -125,10 +125,17 @@ Resources:
CollectionId: collection

- EKSDescribePolicy: {}

- CostExplorerReadOnlyPolicy: {}

- OrganizationsListAccountsPolicy: {}

- DynamoDBReconfigurePolicy:
TableName: name

- DecodeSSMParameterPolicy:
ParameterName: name

- DecodeSSMParameterCustomKeyPolicy:
ParameterName: name
KeyId: id
83 changes: 83 additions & 0 deletions tests/translator/output/all_policy_templates.json
Expand Up @@ -1107,6 +1107,89 @@
}
]
}
},
{
"PolicyName": "KitchenSinkFunctionRolePolicy45",
"PolicyDocument": {
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:DescribeParameters"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ssm:GetParameters",
"ssm:GetParameter"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${parameterName}",
{
"parameterName": "name"
}
]
}
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:alias/aws/ssm"
]
}
}
]
}
},
{
"PolicyName": "KitchenSinkFunctionRolePolicy46",
"PolicyDocument": {
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:DescribeParameters"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ssm:GetParameters",
"ssm:GetParameter"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${parameterName}",
{
"parameterName": "name"
}
]
}
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}",
{
"keyId": "id"
}
]
}
}
]
}
}
],
"AssumeRolePolicyDocument": {