cfndsl-pipeline 0.1.2 → 0.1.4

@@ -0,0 +1,316 @@
1
+ # frozen_string_literal: true
2
+ CloudFormation do
3
+ Description 'S3 Storage integrated with KMS and IAM'
4
+ AWSTemplateFormatVersion '2010-09-09'
5
+
6
+ Parameter('ProvisioningRoleID') do
7
+ Description 'IAM RoleID to be allowed to administer KMS Key and access S3'
8
+ Type 'String'
9
+ Default 'AROAABCDEFGHIJKLMNOP'
10
+ end
11
+
12
+ Parameter('InstanceRoleID') do
13
+ Description 'IAM RoleID of instance profile using the KMS Key and access S3'
14
+ Type 'String'
15
+ Default 'AROA1234567890123456'
16
+ end
17
+
18
+ Parameter('LoggingBucket') do
19
+ Description 'S3 Bucket where access logs from new S3 bucket will be sent'
20
+ Type 'String'
21
+ end
22
+
23
+ Parameter('VPCEndpoint') do
24
+ Description 'VPC Endpoint ID'
25
+ Type 'String'
26
+ Default 'vpce-1234abcd5678ef90'
27
+ end
28
+
29
+ Parameter('BucketName') do
30
+ Description 'Hexadecimal string for bucket name'
31
+ Type 'String'
32
+ Default 'f4c8e474d09b'
33
+ end
34
+ KMS_Key('KMSKey') do
35
+ Description 'KMS Key for encrypting S3 Bucket'
36
+ Enabled(true)
37
+ EnableKeyRotation(true)
38
+ KeyPolicy({
39
+ 'Id' => 'KMS Key Access',
40
+ 'Statement' => [
41
+ {
42
+ 'Action' => [
43
+ 'kms:ScheduleKeyDeletion',
44
+ 'kms:Delete*'
45
+ ],
46
+ 'Effect' => 'Deny',
47
+ 'Principal' => '*',
48
+ 'Resource' => [
49
+ '*'
50
+ ],
51
+ 'Sid' => 'DenyDelete'
52
+ },
53
+ {
54
+ 'Action' => [
55
+ 'kms:*'
56
+ ],
57
+ 'Condition' => {
58
+ 'StringNotLike' => {
59
+ 'aws:userId' => [
60
+ FnSub('${ProvisioningRoleID}:*')
61
+ ]
62
+ }
63
+ },
64
+ 'Effect' => 'Deny',
65
+ 'Principal' => '*',
66
+ 'Resource' => [
67
+ '*'
68
+ ],
69
+ 'Sid' => 'DenyKeyAccess'
70
+ },
71
+ {
72
+ 'Action' => [
73
+ 'kms:CreateKey',
74
+ 'kms:CreateAlias',
75
+ 'kms:CreateGrant',
76
+ 'kms:Describe*',
77
+ 'kms:Enable*',
78
+ 'kms:List*',
79
+ 'kms:Put*',
80
+ 'kms:Update*',
81
+ 'kms:Revoke*',
82
+ 'kms:Disable*',
83
+ 'kms:Get*',
84
+ 'kms:TagResource',
85
+ 'kms:UntagResource',
86
+ 'kms:CancelKeyDeletion',
87
+ 'kms:GenerateDataKey*'
88
+ ],
89
+ 'Condition' => {
90
+ 'StringLike' => {
91
+ 'aws:userId' => [
92
+ FnSub('${ProvisioningRoleID}:*')
93
+ ]
94
+ }
95
+ },
96
+ 'Effect' => 'Allow',
97
+ 'Principal' => '*',
98
+ 'Resource' => [
99
+ '*'
100
+ ],
101
+ 'Sid' => 'AllowAccessForKeyAdministrator'
102
+ },
103
+ {
104
+ 'Action' => [
105
+ 'kms:Encrypt',
106
+ 'kms:Decrypt',
107
+ 'kms:DescribeKey',
108
+ 'kms:GenerateDataKey*'
109
+ ],
110
+ 'Condition' => {
111
+ 'StringLike' => {
112
+ 'aws:userId' => [
113
+ FnSub('${InstanceRoleID}:*')
114
+ ]
115
+ }
116
+ },
117
+ 'Effect' => 'Allow',
118
+ 'Principal' => '*',
119
+ 'Resource' => [
120
+ '*'
121
+ ],
122
+ 'Sid' => 'AllowUseOftheKey'
123
+ }
124
+ ],
125
+ 'Version' => '2012-10-17'
126
+ })
127
+ end
128
+ S3_BucketPolicy('BucketPolicy') do
129
+ DependsOn('Bucket')
130
+ Bucket(Ref('Bucket'))
131
+ PolicyDocument({
132
+ 'Statement' => [
133
+ {
134
+ 'Action' => [
135
+ 's3:*'
136
+ ],
137
+ 'Condition' => {
138
+ 'Bool' => {
139
+ 'aws:SecureTransport' => [
140
+ false
141
+ ]
142
+ }
143
+ },
144
+ 'Effect' => 'Deny',
145
+ 'Principal' => '*',
146
+ 'Resource' => [
147
+ FnGetAtt('Bucket', 'Arn'),
148
+ FnSub('${Bucket.Arn}/*')
149
+ ],
150
+ 'Sid' => 'DenyHTTPAccess'
151
+ },
152
+ {
153
+ 'Action' => [
154
+ 's3:PutObject'
155
+ ],
156
+ 'Condition' => {
157
+ 'StringNotEquals' => {
158
+ 's3:x-amz-server-side-encryption' => [
159
+ 'aws:kms'
160
+ ]
161
+ }
162
+ },
163
+ 'Effect' => 'Deny',
164
+ 'Principal' => '*',
165
+ 'Resource' => [
166
+ FnGetAtt('Bucket', 'Arn'),
167
+ FnSub('${Bucket.Arn}/*')
168
+ ],
169
+ 'Sid' => 'DenyIncorrectEncryptionHeader'
170
+ },
171
+ {
172
+ 'Action' => [
173
+ 's3:PutObject'
174
+ ],
175
+ 'Condition' => {
176
+ 'Null' => {
177
+ 's3:x-amz-server-side-encryption' => [
178
+ true
179
+ ]
180
+ }
181
+ },
182
+ 'Effect' => 'Deny',
183
+ 'Principal' => '*',
184
+ 'Resource' => [
185
+ FnGetAtt('Bucket', 'Arn'),
186
+ FnSub('${Bucket.Arn}/*')
187
+ ],
188
+ 'Sid' => 'DenyUnEncryptedObjectUploads'
189
+ },
190
+ {
191
+ 'Action' => [
192
+ 's3:PutObject'
193
+ ],
194
+ 'Condition' => {
195
+ 'StringNotLikeIfExists' => {
196
+ 's3:x-amz-server-side-encryption-aws-kms-key-id' => [
197
+ FnGetAtt('KMSKey', 'Arn')
198
+ ]
199
+ }
200
+ },
201
+ 'Effect' => 'Deny',
202
+ 'Principal' => '*',
203
+ 'Resource' => [
204
+ FnGetAtt('Bucket', 'Arn'),
205
+ FnSub('${Bucket.Arn}/*')
206
+ ],
207
+ 'Sid' => 'DenyAccessIfSpecificKMSKeyIsNotUsed'
208
+ },
209
+ {
210
+ 'Action' => [
211
+ 's3:Delete*'
212
+ ],
213
+ 'Effect' => 'Deny',
214
+ 'Principal' => '*',
215
+ 'Resource' => [
216
+ FnGetAtt('Bucket', 'Arn'),
217
+ FnSub('${Bucket.Arn}/*')
218
+ ],
219
+ 'Sid' => 'DenyDelete'
220
+ },
221
+ {
222
+ 'Action' => [
223
+ 's3:*'
224
+ ],
225
+ 'Condition' => {
226
+ 'StringNotEquals' => {
227
+ 'aws:sourceVpce' => FnSub('${VPCEndpoint}')
228
+ }
229
+ },
230
+ 'Effect' => 'Deny',
231
+ 'Principal' => '*',
232
+ 'Resource' => [
233
+ FnGetAtt('Bucket', 'Arn'),
234
+ FnSub('${Bucket.Arn}/*')
235
+ ],
236
+ 'Sid' => 'DenyAllExceptConnectAndOthersViaVPCE'
237
+ },
238
+ {
239
+ 'Action' => [
240
+ 's3:PutObject*',
241
+ 's3:Get*',
242
+ 's3:List*'
243
+ ],
244
+ 'Condition' => {
245
+ 'StringLike' => {
246
+ 'aws:userId' => [
247
+ FnSub('${InstanceRoleID}:*')
248
+ ]
249
+ }
250
+ },
251
+ 'Effect' => 'Allow',
252
+ 'Principal' => '*',
253
+ 'Resource' => [
254
+ FnGetAtt('Bucket', 'Arn'),
255
+ FnSub('${Bucket.Arn}/*')
256
+ ],
257
+ 'Sid' => 'AllowObjectReadWrite'
258
+ },
259
+ {
260
+ 'Action' => [
261
+ 's3:*'
262
+ ],
263
+ 'Condition' => {
264
+ 'StringLike' => {
265
+ 'aws:userId' => [
266
+ FnSub('${ProvisioningRoleID}:*')
267
+ ]
268
+ }
269
+ },
270
+ 'Effect' => 'Allow',
271
+ 'Principal' => '*',
272
+ 'Resource' => [
273
+ FnGetAtt('Bucket', 'Arn'),
274
+ FnSub('${Bucket.Arn}/*')
275
+ ],
276
+ 'Sid' => 'AllowBucketConfiguration'
277
+ }
278
+ ],
279
+ 'Version' => '2012-10-17'
280
+ })
281
+ end
282
+ S3_Bucket('Bucket') do
283
+ BucketName(FnSub('${BucketName}'))
284
+ Property("BucketEncryption", {
285
+ 'ServerSideEncryptionConfiguration' => [
286
+ {
287
+ 'ServerSideEncryptionByDefault' => {
288
+ 'KMSMasterKeyID' => FnGetAtt('KMSKey', 'Arn'),
289
+ 'SSEAlgorithm' => 'aws:kms'
290
+ }
291
+ }
292
+ ]
293
+ })
294
+ Property("PublicAccessBlockConfiguration", {
295
+ 'BlockPublicAcls' => true,
296
+ 'BlockPublicPolicy' => true,
297
+ 'IgnorePublicAcls' => true,
298
+ 'RestrictPublicBuckets' => true
299
+ })
300
+ Property("LoggingConfiguration",{
301
+ 'DestinationBucketName' => FnSub('${LoggingBucket}'),
302
+ 'LogFilePrefix' => FnSub('S3logs/${AWS::AccountId}/${BucketName}/')
303
+ })
304
+ Property("VersioningConfiguration", { 'Status' => 'Enabled' })
305
+ end
306
+
307
+ Output('BucketName') do
308
+ Description 'Bucket Arn'
309
+ Value FnGetAtt('Bucket', 'Arn')
310
+ end
311
+
312
+ Output('KMSKey') do
313
+ Description 'KMS Key Id'
314
+ Value Ref('KMSKey')
315
+ end
316
+ end
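Review bot: The `DenyKeyAccess` statement in the KMS key policy (`StringNotLike` on `aws:userId` listing only `${ProvisioningRoleID}:*`) is an explicit deny on `kms:*` for every other principal, so it overrides the later `AllowUseOftheKey` grant to `${InstanceRoleID}:*`; the instance role can never call Encrypt/Decrypt/GenerateDataKey, and because the bucket defaults to SSE-KMS with this key, its PutObject/GetObject calls would presumably fail too. The exception list should include the instance role, i.e. `FnSub('${ProvisioningRoleID}:*'),` followed by `FnSub('${InstanceRoleID}:*')` inside that `aws:userId` array. The same statement appears in the YAML template in the second section (`DenyKeyAccess` under `KeyPolicy`) and needs the same change. Separately, since the only principal left able to administer the key is one role ID, deleting or recreating that role leaves the key with no administrator, which deserves a comment on the statement such as `# ProvisioningRoleID is the sole key administrator; the key becomes unmanageable if that role is deleted`. The Ruby `Parameter` blocks also lack the `AllowedPattern` constraints the YAML version declares for the role IDs, VPC endpoint and bucket name.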
@@ -0,0 +1,241 @@
1
+ AWSTemplateFormatVersion: '2010-09-09'
2
+ Description: S3 Storage integrated with KMS and IAM
3
+ Parameters:
4
+ ProvisioningRoleID:
5
+ Type: String
6
+ Default: AROAABCDEFGHIJKLMNOP
7
+ Description: IAM RoleID to be allowed to administer KMS Key and access S3
8
+ AllowPattern: "AROA[A-Z0-9]{17}"
9
+ InstanceRoleID:
10
+ Type: String
11
+ Default: AROA1234567890123456
12
+ Description: IAM RoleID of instance profile using the KMS Key and access S3
13
+ AllowPattern: "AROA[A-Z0-9]{17}"
14
+ LoggingBucket:
15
+ Type: String
16
+ Description: S3 Bucket where access logs from new S3 bucket will be sent
17
+ VPCEndpoint:
18
+ Type: String
19
+ Default: vpce-1234abcd5678ef90
20
+ Description: VPC Endpoint ID
21
+ AllowPattern: "vpce-[a-f0-9]{8,16}"
22
+ BucketName:
23
+ Type: String
24
+ Default: f4c8e474d09b
25
+ Description: Hexadecimal string for bucket name
26
+ AllowPattern: "[a-f0-9]{16}"
27
+
28
+ Resources:
29
+ KMSKey:
30
+ Type: "AWS::KMS::Key"
31
+ Properties:
32
+ Description: 'KMS Key for encrypting S3 Bucket'
33
+ Enabled: True
34
+ EnableKeyRotation: True
35
+ KeyPolicy:
36
+ Version: '2012-10-17'
37
+ Id: KMS Key Access
38
+ Statement:
39
+ - Sid: DenyDelete
40
+ Effect: Deny
41
+ Principal: '*'
42
+ Action:
43
+ - 'kms:ScheduleKeyDeletion'
44
+ - 'kms:Delete*'
45
+ Resource:
46
+ - '*'
47
+ - Sid: DenyKeyAccess
48
+ Effect: Deny
49
+ Principal: '*'
50
+ Action:
51
+ - 'kms:*'
52
+ Resource:
53
+ - '*'
54
+ Condition:
55
+ StringNotLike:
56
+ 'aws:userId':
57
+ - !Sub "${ProvisioningRoleID}:*"
58
+
59
+ - Sid: AllowAccessForKeyAdministrator
60
+ Effect: Allow
61
+ Principal: '*'
62
+ Action:
63
+ - 'kms:CreateKey'
64
+ - 'kms:CreateAlias'
65
+ - 'kms:CreateGrant'
66
+ - 'kms:Describe*'
67
+ - 'kms:Enable*'
68
+ - 'kms:List*'
69
+ - 'kms:Put*'
70
+ - 'kms:Update*'
71
+ - 'kms:Revoke*'
72
+ - 'kms:Disable*'
73
+ - 'kms:Get*'
74
+ - 'kms:TagResource'
75
+ - 'kms:UntagResource'
76
+ - 'kms:CancelKeyDeletion'
77
+ - 'kms:GenerateDataKey*'
78
+ Resource:
79
+ - '*'
80
+ Condition:
81
+ StringLike:
82
+ 'aws:userId':
83
+ - !Sub "${ProvisioningRoleID}:*"
84
+
85
+ - Sid: AllowUseOftheKey
86
+ Effect: Allow
87
+ Principal: '*'
88
+ Action:
89
+ - "kms:Encrypt"
90
+ - 'kms:Decrypt'
91
+ - 'kms:DescribeKey'
92
+ - 'kms:GenerateDataKey*'
93
+ Resource:
94
+ - '*'
95
+ Condition:
96
+ StringLike:
97
+ 'aws:userId':
98
+ - !Sub "${InstanceRoleID}:*"
99
+
100
+ BucketPolicy:
101
+ Type: "AWS::S3::BucketPolicy"
102
+ DependsOn: Bucket
103
+ Properties:
104
+ Bucket: !Ref Bucket
105
+ PolicyDocument:
106
+ Version: '2012-10-17'
107
+ Statement:
108
+ - Sid: DenyHTTPAccess
109
+ Effect: Deny
110
+ Principal: "*"
111
+ Action:
112
+ - 's3:*'
113
+ Resource:
114
+ - !GetAtt Bucket.Arn
115
+ - !Sub "${Bucket.Arn}/*"
116
+ Condition:
117
+ Bool:
118
+ aws:SecureTransport:
119
+ - false
120
+
121
+ - Sid: DenyIncorrectEncryptionHeader
122
+ Effect: Deny
123
+ Principal: "*"
124
+ Action:
125
+ - 's3:PutObject'
126
+ Resource:
127
+ - !GetAtt Bucket.Arn
128
+ - !Sub "${Bucket.Arn}/*"
129
+ Condition:
130
+ StringNotEquals:
131
+ s3:x-amz-server-side-encryption:
132
+ - aws:kms
133
+
134
+ - Sid: DenyUnEncryptedObjectUploads
135
+ Effect: Deny
136
+ Principal: "*"
137
+ Action:
138
+ - 's3:PutObject'
139
+ Resource:
140
+ - !GetAtt Bucket.Arn
141
+ - !Sub "${Bucket.Arn}/*"
142
+ Condition:
143
+ "Null":
144
+ s3:x-amz-server-side-encryption:
145
+ - true
146
+
147
+ - Sid: DenyAccessIfSpecificKMSKeyIsNotUsed
148
+ Effect: Deny
149
+ Principal: '*'
150
+ Action:
151
+ - 's3:PutObject'
152
+ Resource:
153
+ - !GetAtt Bucket.Arn
154
+ - !Sub "${Bucket.Arn}/*"
155
+ Condition:
156
+ StringNotLikeIfExists:
157
+ s3:x-amz-server-side-encryption-aws-kms-key-id:
158
+ - !GetAtt KMSKey.Arn
159
+
160
+ - Sid: DenyDelete
161
+ Effect: Deny
162
+ Principal: "*"
163
+ Action:
164
+ - 's3:Delete*'
165
+ Resource:
166
+ - !GetAtt Bucket.Arn
167
+ - !Sub "${Bucket.Arn}/*"
168
+
169
+ - Sid: DenyAllExceptConnectAndOthersViaVPCE
170
+ Effect: Deny
171
+ Principal: '*'
172
+ Action:
173
+ - 's3:*'
174
+ Resource:
175
+ - !GetAtt Bucket.Arn
176
+ - !Sub "${Bucket.Arn}/*"
177
+ Condition:
178
+ StringNotEquals:
179
+ aws:sourceVpce: !Sub "${VPCEndpoint}"
180
+
181
+ - Sid: AllowObjectReadWrite
182
+ Effect: Allow
183
+ Principal: '*'
184
+ Action:
185
+ - 's3:PutObject*'
186
+ - 's3:Get*'
187
+ - 's3:List*'
188
+ Resource:
189
+ - !GetAtt Bucket.Arn
190
+ - !Sub "${Bucket.Arn}/*"
191
+ Condition:
192
+ StringLike:
193
+ 'aws:userId':
194
+ - !Sub "${InstanceRoleID}:*"
195
+
196
+ - Sid: AllowBucketConfiguration
197
+ Effect: Allow
198
+ Principal: '*'
199
+ Action:
200
+ - 's3:*'
201
+ Resource:
202
+ - !GetAtt Bucket.Arn
203
+ - !Sub "${Bucket.Arn}/*"
204
+ Condition:
205
+ StringLike:
206
+ 'aws:userId':
207
+ - !Sub "${ProvisioningRoleID}:*"
208
+
209
+ Bucket:
210
+ Type: AWS::S3::Bucket
211
+ Properties:
212
+ BucketName: !Sub "${BucketName}"
213
+ BucketEncryption:
214
+ ServerSideEncryptionConfiguration:
215
+ - ServerSideEncryptionByDefault:
216
+ KMSMasterKeyID: !GetAtt KMSKey.Arn
217
+ SSEAlgorithm: "aws:kms"
218
+ PublicAccessBlockConfiguration:
219
+ BlockPublicAcls: true
220
+ BlockPublicPolicy: true
221
+ IgnorePublicAcls: true
222
+ RestrictPublicBuckets: true
223
+ LoggingConfiguration:
224
+ DestinationBucketName: !Sub "${LoggingBucket}"
225
+ LogFilePrefix: !Sub "S3logs/${AWS::AccountId}/${BucketName}/"
226
+ VersioningConfiguration:
227
+ Status: Enabled
228
+
229
+ Outputs:
230
+ BucketName:
231
+ Description: Bucket Name
232
+ Value: !Ref Bucket
233
+
234
+ BucketName:
235
+ Description: Bucket Arn
236
+ Value: !GetAtt Bucket.Arn
237
+
238
+ KMSKey:
239
+ Description: KMS Key Id
240
+ Value: !Ref KMSKey
241
+
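Review bot: The `Outputs` section declares `BucketName` twice (once with `!Ref Bucket`, once with `!GetAtt Bucket.Arn`); a duplicate mapping key is either rejected by the parser or silently collapses to the last value, so the second entry should be renamed, e.g. `BucketArn:`. The parameter constraints use the key `AllowPattern`, but the CloudFormation parameter attribute is `AllowedPattern`, so as written the four patterns are not enforced and may be rejected as an unrecognised attribute; rename all four to `AllowedPattern:`. The `BucketName` default `f4c8e474d09b` is 12 hex characters while its pattern `[a-f0-9]{16}` requires exactly 16, so the default would fail validation once the pattern is applied; align one with the other. Also `Enabled: True` / `EnableKeyRotation: True` use capitalised booleans, which YAML accepts but the rest of the file writes as lowercase `true`.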