The intention behind RBAC Management Pipeline is to provide a self-managing, Infrastructure-as-Code, CI/CD pipeline for managing RBAC roles across your AWS accounts. I created this, and a series of posts, to help me manage the RBAC infrastructure in my personal AWS Accounts.
The posts can be found here:
- Part 1 - CloudFormation all the way down - Debug Guide
- Part 2 - CloudFormation all the way down - StackSets for Role Management
- Part 3 - CloudFormation all the way down - Designing RBAC
- Part 4 - CloudFormation all the way down - With Code!
All feedback and PRs are gratefully received!
- Review the first blog post to ensure your accounts are ready to deploy this project.
- Have all the accounts you want to manage under one OU, and note that OU's ID (the `ou-` prefixed identifier, not the Organization ID).
- Install the following tools:
  - Git
  - AWS CLI
- Make sure you have Admin permissions in the management (formerly known as master) account. Note: this must be run from the master account or it won't work (I've tried, and failed :) ).
- Clone this repository and remove the `.git/` folder:
  ```shell
  git clone https://github.com/mechanicalpete/rbac-management-pipeline.git
  cd rbac-management-pipeline
  rm -rf .git/
  ```
- Search and replace the values between `@@` markers:

  | Key | Example | Description |
  |---|---|---|
  | `@@camel-case-name@@` | MyRbacAccountManagement | CamelCase name; upper and lower case alphabetic characters only. Also used for naming things. |
  | `@@kebab-case-name@@` | my-rbac-account-management | Kebab-case name; all lowercase alphabetic characters and dashes. Used in naming resources such as S3 buckets. |
  | `@@aws-profile@@` | admin | The AWS CLI profile used to deploy everything. |
  | `@@aws-region@@` | ap-southeast-2 | The region to deploy everything into. |
  | `@@aws-organisational-unit@@` | ou-1234-56781246 | The organisational unit the CloudFormation StackSet (which deploys the cross-account roles) is targeted at. |
  | `@@aws-child-accountid@@` | 111111111111 | The AWS Account ID of a child account. |
  | `@@aws-rolename-assumer@@` | RbacAssumer | The name of the cross-account role that is assumed in order to deploy resources. |
  | `@@aws-rolename-deployer@@` | RbacDeployer | The name of the cross-account role that deploys the resources. |

- Set up your preferred access to CodeCommit. If you use the `credential-helper`, add this snippet to `~/.gitconfig`:
  ```ini
  [credential "https://git-codecommit.@@aws-region@@.amazonaws.com/v1/repos/@@camel-case-name@@"]
      helper = !aws --profile @@aws-profile@@ codecommit credential-helper $@
      UseHttpPath = true
  ```
- Run `./init.sh`.
- The S3 bucket policy, the CodePipeline deploy stage and the KMS key policy in `pipelines/aws_seed.yml` all name the assumer and deployer roles in the child account. Those roles are created by the StackSet the pipeline deploys, so they do not exist when `./init.sh` first creates the seed stack, and a bucket or key policy that names a principal which does not exist is rejected. That is the chicken-and-egg relationship between the permissions stanzas: they ship commented out, and once the child-account roles exist the following lines need to be uncommented in `pipelines/aws_seed.yml`:
  - S3 Bucket Policy:
    ```yaml
    # - !Sub "arn:aws:iam::${ParamChild1AccountId}:role/${ParamAssumerRoleName}"
    # - !Sub "arn:aws:iam::${ParamChild1AccountId}:role/${ParamDeployerRoleName}"
    ```
  - CodePipeline Stage and Action. Note the two `RoleArn` entries: the one under `Configuration` is the role CloudFormation assumes in the child account to create the stack (the deployer), while the one on the action itself is the role CodePipeline assumes to run the action (the assumer):
    ```yaml
    # - Name: 'AdministerAccounts'
    #   Actions:
    #     - Name: 'ChildAccount1'
    #       ActionTypeId:
    #         Category: Deploy
    #         Owner: AWS
    #         Provider: CloudFormation
    #         Version: '1'
    #       Configuration:
    #         ActionMode: REPLACE_ON_FAILURE
    #         Capabilities: CAPABILITY_NAMED_IAM
    #         ParameterOverrides: !Sub |
    #           {
    #             "ParamBucketName": "${CodePipelineBucket}",
    #             "ParamPrimaryAccountId": "${AWS::AccountId}",
    #             "ParamAdministratorRoleName": "${ParamAdministratorRoleName}",
    #             "ParamReadOnlyRoleName": "${ParamReadOnlyRoleName}"
    #           }
    #         RoleArn: !Sub "arn:aws:iam::${ParamChild1AccountId}:role/${ParamDeployerRoleName}"
    #         StackName: !Sub '${ParamPipelineName}-Rbac'
    #         TemplateConfiguration: 'CodeCommitSource::pipeline/resource_tags.json'
    #         TemplatePath: 'CodeCommitSource::infrastructure/iam_rbac_account_child1.yml'
    #       RoleArn: !Sub "arn:aws:iam::${ParamChild1AccountId}:role/${ParamAssumerRoleName}"
    #       InputArtifacts:
    #         - Name: 'CodeCommitSource'
    #       RunOrder: 1
    ```
  - KMS Key Resource Policy:
    ```yaml
    # - !Sub "arn:aws:iam::${ParamChild1AccountId}:role/${ParamAssumerRoleName}"
    # - !Sub "arn:aws:iam::${ParamChild1AccountId}:role/${ParamDeployerRoleName}"
    ```
- Commit and push the changes...
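The search-and-replace and uncomment steps above, as an added shell example that is not part of this repository: it validates each `@@placeholder@@` value against the format the table requires, replaces the placeholders across the working tree, refuses to finish while any placeholder survives (a missed one would end up literally in a bucket or role name), and reports whether the `ParamChild1AccountId` stanzas in `pipelines/aws_seed.yml` are still commented out. The function names, the regexes and the sample files built in `rbac_demo` are this example's own assumptions, not the project's code.

```shell
#!/bin/sh
# Added example, not part of rbac-management-pipeline. Validates the
# @@placeholder@@ values against the rules in the README's table, substitutes
# them across a working tree, and checks (a) that no placeholder survives and
# (b) whether the ParamChild1AccountId stanzas in pipelines/aws_seed.yml are
# still commented out. Function names, regexes and the sample files in
# rbac_demo are this example's own assumptions.
set -eu

# 0 if VALUE matches extended regex RE, 1 otherwise.
matches() { printf '%s' "$1" | grep -Eq "$2"; }

# Validate one value against the rule the table gives for its key.
rbac_validate() {
  case $1 in
    camel-case-name)         matches "$2" '^[A-Za-z]+$' ;;
    kebab-case-name)         matches "$2" '^[a-z]([a-z-]*[a-z])?$' ;;
    aws-profile)             matches "$2" '^[A-Za-z0-9_.-]+$' ;;
    aws-region)              matches "$2" '^[a-z]{2}(-[a-z]+)+-[0-9]+$' ;;
    aws-organisational-unit) matches "$2" '^ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}$' ;;
    aws-child-accountid)     matches "$2" '^[0-9]{12}$' ;;
    aws-rolename-assumer|aws-rolename-deployer)
                             matches "$2" '^[A-Za-z0-9+=,.@_-]{1,64}$' ;;
    *) return 1 ;;
  esac
}

# Usage: rbac_replace_placeholders DIR key=value [key=value ...]
# Every pair is validated before any file is touched; then @@key@@ is replaced
# by value in each regular file under DIR, skipping .git/. '|' is the sed
# delimiter, and none of the accepted formats allow '|', '&' or '\', which
# would otherwise be special in the replacement text.
rbac_replace_placeholders() {
  rp_dir=$1; shift
  for rp_pair in "$@"; do
    rbac_validate "${rp_pair%%=*}" "${rp_pair#*=}" || {
      echo "invalid value for @@${rp_pair%%=*}@@: '${rp_pair#*=}'" >&2; return 1; }
  done
  for rp_pair in "$@"; do
    find "$rp_dir" -type f ! -path '*/.git/*' -exec sh -c \
      't=$(mktemp) && sed "s|@@$1@@|$2|g" "$3" > "$t" && cat "$t" > "$3"; rm -f "$t"' \
      _ "${rp_pair%%=*}" "${rp_pair#*=}" {} \;
  done
}

# 1 (listing them) if any @@placeholder@@ is left under DIR, else 0.
rbac_check_placeholders() {
  cp_left=$(find "$1" -type f ! -path '*/.git/*' -exec grep -Eo '@@[a-z-]+@@' {} + | sort -u || true)
  [ -z "$cp_left" ] || { echo "unreplaced placeholders:" >&2; echo "$cp_left" >&2; return 1; }
}

# 1 while any comment line in SEED still references ParamChild1AccountId,
# i.e. the S3 bucket policy, deploy stage or KMS key policy stanza has not
# been uncommented yet; 0 once none remain. Assumes no other comment in the
# file mentions that parameter.
rbac_check_seed_uncommented() {
  [ -f "$1" ] || { echo "no such file: $1" >&2; return 1; }
  su_n=$(grep -cE '^[[:space:]]*#.*ParamChild1AccountId' "$1" || true)
  [ "$su_n" -eq 0 ] || {
    echo "$su_n commented line(s) in $1 still reference ParamChild1AccountId" >&2; return 1; }
}

# Demo against a constructed two-line seed file (not the repository's layout).
rbac_demo() {
  d=$(mktemp -d)
  mkdir -p "$d/pipelines"
  printf 'ArtifactBucket: @@kebab-case-name@@-artifacts\nRegion: @@aws-region@@\n' \
    > "$d/pipelines/aws_seed.yml"
  printf '%s\n' '      # - !Sub "arn:aws:iam::${ParamChild1AccountId}:role/${ParamAssumerRoleName}"' \
    >> "$d/pipelines/aws_seed.yml"
  rbac_replace_placeholders "$d" \
    camel-case-name=MyRbacAccountManagement kebab-case-name=my-rbac-account-management \
    aws-profile=admin aws-region=ap-southeast-2 aws-organisational-unit=ou-1234-56781246 \
    aws-child-accountid=111111111111 aws-rolename-assumer=RbacAssumer \
    aws-rolename-deployer=RbacDeployer
  rbac_check_placeholders "$d"
  rbac_check_seed_uncommented "$d/pipelines/aws_seed.yml" || echo "(expected: stanza still commented out)"
  cat "$d/pipelines/aws_seed.yml"
  rm -rf "$d"
}

rbac_demo
```

To use it on a real checkout, source the file and call `rbac_replace_placeholders . key=value ...` from the cloned directory with your own values, then `rbac_check_placeholders .` before `./init.sh`, and `rbac_check_seed_uncommented pipelines/aws_seed.yml` before the final commit and push. Validation happens before any file is written, so a typo in one value leaves the tree untouched.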