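# cfndsl template: for every configured Jenkins MFA principal this creates an
# IAM user with an inline assume-role policy, an access key, a Secrets Manager
# secret holding that key, and a rotation schedule pointing at the
# CiinaboxKeyRotator Lambda (defined outside this file).
#
# Inputs (external_parameters):
#   iam_policies - optional list passed to iam_role_policies for the rotator role
#   users        - list of hashes: 'name' (required), 'roles' (required; role
#                  ARNs the user may assume), optional 'manually_rotate'
#                  (access-key Serial) and optional 'rotation' (days, default 7).
#
# Raises KeyError when a user lacks 'name' or 'roles', ArgumentError when two
# user names collapse onto the same CloudFormation logical ID or when
# 'rotation' is not numeric.
CloudFormation do
  iam_policies = external_parameters.fetch(:iam_policies, [])

  # Execution role for the key-rotation Lambda. The function itself is not in
  # this file; presumably it is the :CiinaboxKeyRotator referenced below -
  # confirm against the sibling templates.
  IAM_Role(:LambdaRoleKeyRotator) {
    AssumeRolePolicyDocument service_assume_role_policy('lambda')
    Policies iam_role_policies(iam_policies)
  }

  # Tags shared by every user and secret created here.
  common_tags = [
    { Key: 'EnvironmentName', Value: Ref(:EnvironmentName) },
    { Key: 'EnvironmentType', Value: Ref(:EnvironmentType) }
  ].freeze

  # Logical IDs are the user name with non-alphanumerics stripped, so e.g.
  # 'bob-1' and 'bob1' would otherwise collide and overwrite each other's
  # resources; track what has been emitted and fail early instead.
  logical_id_owner = {}

  users = external_parameters.fetch(:users, [])
  users.each do |user|
    user_name = user.fetch('name')
    resource_name = user_name.capitalize.gsub(/[^a-zA-Z0-9]/, '')
    if (other = logical_id_owner[resource_name])
      raise ArgumentError,
            "users #{other.inspect} and #{user_name.inspect} both map to logical ID #{resource_name}"
    end
    logical_id_owner[resource_name] = user_name

    # sts:AssumeRole on exactly the listed roles. Any MFA requirement is
    # enforced by the target roles' trust policies, not by this statement.
    policies = [
      {
        PolicyName: 'assume-role',
        PolicyDocument: {
          Version: "2012-10-17",
          Statement: [
            {
              Effect: "Allow",
              Action: "sts:AssumeRole",
              Resource: user.fetch('roles')
            }
          ]
        }
      }
    ]

    user_tags = common_tags + [{ Key: 'Name', Value: "jenkins-mfa-user-#{user_name}" }]
    IAM_User("#{resource_name}User") {
      UserName user_name
      Path '/ciinabox/mfa/'
      Policies policies
      Tags user_tags
    }

    IAM_AccessKey("#{resource_name}AccessKey") {
      UserName Ref("#{resource_name}User")
      # Incrementing Serial tells CloudFormation to issue a replacement key.
      Serial user['manually_rotate'] if user.key?('manually_rotate')
    }

    # The Jenkins credential tags let Jenkins discover the secret as a
    # username/password pair: username = access key id, password = secret key.
    secret_tags = common_tags + [
      { Key: 'ciinabox:iam:user', Value: user_name },
      { Key: 'jenkins:credentials:type', Value: 'usernamePassword' },
      { Key: 'jenkins:credentials:username', Value: Ref("#{resource_name}AccessKey") }
    ]
    SecretsManager_Secret("#{resource_name}Secret") {
      Name FnSub("/${EnvironmentName}/jenkins/mfa/#{user_name}")
      Description "IAM user access key for #{user_name}"
      SecretString FnGetAtt("#{resource_name}AccessKey", :SecretAccessKey)
      Tags secret_tags
    }

    # Integer() rejects non-numeric values up front, where .to_i would
    # silently produce 0 and only fail at deploy time.
    rotation_days = Integer(user.fetch('rotation', 7))
    SecretsManager_RotationSchedule("#{resource_name}SecretRotationSchedule") {
      SecretId Ref("#{resource_name}Secret")
      RotationLambdaARN FnGetAtt(:CiinaboxKeyRotator, :Arn)
      RotationRules({ AutomaticallyAfterDays: rotation_days })
    }
  end
end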