cfndsl 0.3.2 → 0.3.3

checksums.yaml

@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
   metadata.gz: !binary |-
-    YmEzYWFkNWUxNGEwYzE5MDFkYTczOWUzNTk4NDIyZmE0ODM3NTI0Nw==
+    YjQzYjY0M2VhNGE2NGNhYjYxNTk4YjFhOWE0MGQ2YWNmNDQ4ZTcyYg==
   data.tar.gz: !binary |-
-    YTZlMzMxMmQ0NGQ2NjM4NjdjNDRmMmM1NzA3NDZiNTYzOTM0MzZjOA==
+    ODE0NWZkNmM5YjZjMTMzNzdmNjQ5ODE0ODMzZjZhNjIxYTFkYmU2Mw==
 SHA512:
   metadata.gz: !binary |-
-    ZGIzZWZiZjFiMDdlMTAwNzdjYzk5NGQ0N2VjZTQ2NDQxNTQ0OGM4NTMyMGIy
-    MDA0ZDA4MTI5MTRjZGE2OGNhMmFlZjAxNmY5ZWY4OGZkZTI4MzRkNWIzMWJh
-    NjgzZGYyODczNzdiMWEzY2RhMWFhMTVkMThmZWJmZjhlMDQwNGE=
+    ODgyMGY0MzBhODIyYjFmOWVmMjZkNjhjODZiNjFkMjM4YzVmNTlkOTc1ODEw
+    NGRlM2I0YmMwY2I4MDVhM2I1MTY3NTQyMGJiZDk1ZDAwMTQ0NWYyMWYxMGU5
+    MTYyYjhiZjI3YTRhNDc1Zjk0MTZhNTNlZDBlMmIyMWU2MWQwMjM=
   data.tar.gz: !binary |-
-    MjRiNDFjZDFhNDA0ZmU0NDAwYjY1ZTAxNjQxNzhlMDAzYjc5MzA0ZDg3NWJh
-    YzUyNmQ3MmZjYWIzZmQ5M2EzOWNiNjA3MTU3NTM2NDNiYTQwYzZlYTU0MDQy
-    NWYxNzcxNWM2M2YwZDMyNDY0NDZhNjZhMjA2MThhZjA4MDlkYTc=
+    ZDE0MWVjZjkyZTk0N2JkMjlmZThjN2M1MWFkYzIxYzg5MTg5ODEzZTFlMmMw
+    NjkwNmZlNzhjOWUyMGQzMDljYjM1NmUwOTViNDRlMDUyY2M1OGVhOWYwNzY1
+    ZTUzMDBhMWM2Mzg4M2Y1YTZlYzBmYjc3MGIzZGY4NWY2M2QyMGU=

data/lib/cfndsl/aws_types.yaml

@@ -118,6 +118,26 @@ Resources:
     Statistic: String
     Threshold: String
     Unit: String
+  "AWS::Config::ConfigRule" :
+   Properties:
+    ConfigRuleName: String
+    Description: String
+    InputParameters: JSON
+    MaximumExecutionFrequency: String
+    Scope: ConfigRuleScope
+    Source: ConfigRuleSource
+  "AWS::Config::ConfigurationRecorder" :
+   Properties:
+    Name: String
+    RecordingGroup: ConfigurationRecorderRecordingGroup
+    RoleARN: String
+  "AWS::Config::DeliveryChannel" :
+   Properties:
+    ConfigSnapshotDeliveryProperties: DeliveryChannelConfigSnapshotDeliveryProperties
+    Name: String
+    S3BucketName: String
+    S3KeyPrefix: String
+    SnsTopicARN: String
   "AWS::DynamoDB::Table" :
    Properties :
     AttributeDefinitions : [ AttributeDefinitionsType ]
@@ -441,6 +461,14 @@ Resources:
     Roles: [ String ]
    Attributes:
     Arn : String
+  "AWS::IAM::ManagedPolicy" :
+   Properties:
+    Description: String
+    PolicyDocument: JSON
+    Path: String
+    Groups: [ String ]
+    Users: [ String ]
+    Roles: [ String ]
   "AWS::IAM::Policy" :
    Properties:
     PolicyName: String
@@ -468,6 +496,12 @@ Resources:
     Policies: [ IAMEmbeddedPolicy ]
    Attributes:
     Arn: String
+  "AWS::KMS::Key" :
+    Properties:
+      Description: String
+      Enabled: Boolean
+      EnableKeyRotation: Boolean
+      KeyPolicy: JSON
   "AWS::Logs::LogGroup" :
     Properties:
       RetentionInDays: Integer
@@ -538,53 +572,91 @@ Resources:
       ServiceRoleArn: String
       UseCustomCookbooks: Boolean
       VpcId: String
+  "AWS::RDS::DBCluster" :
+    Properties:
+      AvailabilityZones: [ String ]
+      BackupRetentionPeriod: Integer
+      DatabaseName: String
+      DBClusterParameterGroupName: String
+      DBSubnetGroupName: String
+      Engine: String
+      EngineVersion: String
+      MasterUsername: String
+      MasterUserPassword: String
+      Port: Integer
+      PreferredBackupWindow: String
+      PreferredMaintenanceWindow: String
+      SnapshotIdentifier: String
+      Tags: JSON
+      VpcSecurityGroupIds: [ String ]
+  "AWS::RDS::DBClusterParameterGroup" :
+    Properties:
+      Description: String
+      Family: String
+      Parameters: JSON
+      Tags: JSON
   "AWS::RDS::DBInstance" :
     Properties:
-     DBSnapshotIdentifier: String
-     AllocatedStorage: String
-     AvailabilityZone: String
-     BackupRetentionPeriod: String
-     DBInstanceClass: String
-     DBInstanceIdentifier: String
-     DBName: String
-     DBParameterGroupName: String
-     DBSecurityGroups: [ String ]
-     DBSubnetGroupName: String
-     Engine: String
-     EngineVersion: String
-     LicenseModel: String
-     MasterUsername: String
-     MasterUserPassword: String
-     Port: String
-     PreferredBackupWindow: String
-     PreferredMaintenanceWindow: String
-     PubliclyAccessible: String
-     MultiAZ: Boolean
-     SourceDBInstanceIdentifier: String
-     Tags: [ EC2Tag ]
-     VPCSecurityGroups: [ String ]
+      AllocatedStorage: String
+      AllowMajorVersionUpgrade: Boolean
+      AutoMinorVersionUpgrade: Boolean
+      AvailabilityZone: String
+      BackupRetentionPeriod: String
+      CharacterSetName: String
+      DBClusterIdentifier: String
+      DBInstanceClass: String
+      DBInstanceIdentifier: String
+      DBName: String
+      DBParameterGroupName: String
+      DBSecurityGroups: [ String ]
+      DBSnapshotIdentifier: String
+      DBSubnetGroupName: String
+      Engine: String
+      EngineVersion: String
+      Iops: Number
+      KmsKeyId: String 
+      LicenseModel: String
+      MasterUsername: String
+      MasterUserPassword: String
+      MultiAZ: Boolean
+      OptionGroupName: String
+      Port: String
+      PreferredBackupWindow: String
+      PreferredMaintenanceWindow: String
+      PubliclyAccessible: String
+      SourceDBInstanceIdentifier: String
+      StorageEncrypted: Boolean
+      StorageType: String
+      Tags: [ EC2Tag ]
+      VPCSecurityGroups: [ String ]
     Attributes:
-     DBInstanceIdentifier: String
-     Endpoint.Address: String
-     Endpoint.Port: String
+      DBInstanceIdentifier: String
+      Endpoint.Address: String
+      Endpoint.Port: String
+  "AWS::RDS::DBParameterGroup":
+    Properties:
+      Description: String
+      Family: String
+      Parameters: JSON
+      Tags: JSON
   "AWS::RDS::DBSecurityGroup" :
-   Properties:
-    EC2VpcId: String
-    DBSecurityGroupIngress: [ RDSSecurityGroupRule ]
-    GroupDescription: String
-    SubnetIds: [ String ]
+    Properties:
+      EC2VpcId: String
+      DBSecurityGroupIngress: [ RDSSecurityGroupRule ]
+      GroupDescription: String
+      SubnetIds: [ String ]
   "AWS::RDS::DBSubnetGroup" :
-   Properties:
-    DBSubnetGroupDescription: String
-    SubnetIds: [ String ]
-    Tags: [ EC2Tag ]
+    Properties:
+      DBSubnetGroupDescription: String
+      SubnetIds: [ String ]
+      Tags: [ EC2Tag ]
   "AWS::RDS::DBSecurityGroupIngress" :
-   Properties:
-    CIDRIR: String
-    DBSecurityGroupName: String
-    EC2SecurityGroupId: String
-    EC2SecurityGroupName: String
-    EC2SecurityGroupOwnerId: String
+    Properties:
+      CIDRIP: String
+      DBSecurityGroupName: String
+      EC2SecurityGroupId: String
+      EC2SecurityGroupName: String
+      EC2SecurityGroupOwnerId: String
   "AWS::Redshift::Cluster":
     Properties:
       Allowversionupgrade: Boolean
@@ -1020,4 +1092,20 @@ Types:
  S3NotificationTopicConfiguration:
    Event: String
    Topic: String
-   
+ ConfigurationRecorderRecordingGroup:
+   AllSupported: Boolean
+   ResourceTypes: [ String ]
+ DeliveryChannelConfigSnapshotDeliveryProperties:
+   DeliveryFrequency: String
+ ConfigRuleScope:
+   ComplianceResourceId: String
+   ComplianceResourceTypes: [ String ]
+   TagKey: String
+   TagValue: String
+ ConfigRuleSource:
+   Owner: String
+   SourceDetails: ConfigRuleSourceDetails
+   SourceIdentifier: String
+ ConfigRuleSourceDetails:
+   EventSource: String
+   MessageType: String

data/lib/cfndsl/version.rb

@@ -1,3 +1,3 @@
 module CfnDsl
-  VERSION = "0.3.2"
+  VERSION = "0.3.3"
 end

data/sample/config-service.rb

@@ -0,0 +1,119 @@
+CloudFormation {
+  AWSTemplateFormatVersion "2010-09-09"
+
+  Description "Creates SNS, SQS, S3 bucket and enables AWS Config."
+
+  Queue("ConfigServiceQueue") {
+    QueueName "ConfigServiceQueue"
+  }
+
+  Bucket("ConfigServiceBucket") {
+  }
+
+  Policy("ConfigServiceS3BucketAccessPolicy") {
+    PolicyName "ConfigServiceS3BucketAccessPolicy"
+    PolicyDocument({
+          "Version" => "2012-10-17",
+          "Statement" =>
+           [
+             {
+               "Effect" => "Allow",
+               "Action" => ["s3:PutObject"],
+               "Resource" => FnJoin("", ["arn:aws:s3:::", Ref("ConfigServiceBucket"), "/AWSLogs/" , Ref("AWS::AccountId") , "/*"]),
+               "Condition" =>
+                {
+                  "StringLike" =>
+                    {
+                      "s3:x-amz-acl" => "bucket-owner-full-control"
+                    }
+                }
+             },
+             {
+               "Effect" => "Allow",
+               "Action" => ["s3:GetBucketAcl"],
+               "Resource" => FnJoin("", ["arn:aws:s3:::", Ref("ConfigServiceBucket")])
+             }
+          ]
+        })
+    Role Ref("ConfigServiceIAMRole")
+  }
+
+  Role("ConfigServiceIAMRole") {
+    AssumeRolePolicyDocument({
+      "Version" => "2012-10-17",
+      "Statement" => [
+        {
+          "Effect" => "Allow",
+          "Principal" => {
+            "Service" => "config.amazonaws.com"
+          },
+          "Action" => "sts:AssumeRole"
+        }
+      ]
+    })
+    ManagedPolicyArns([
+        "arn:aws:iam::aws:policy/service-role/AWSConfigRole"
+    ])
+  }
+
+  Topic("ConfigServiceTopic") {
+    DisplayName "ConfigSvc"
+    Subscription [{
+      "Endpoint" => FnGetAtt("ConfigServiceQueue", "Arn"),
+      "Protocol" => "sqs"
+      }]
+  }
+
+  Policy("ConfigServiceSNSTopicAccessPolicy") {
+    PolicyName "ConfigServiceSNSTopicAccessPolicy"
+    PolicyDocument({
+        "Version" => "2012-10-17",
+        "Statement" =>
+         [
+           {
+            "Effect" => "Allow",
+            "Action" => "sns:Publish",
+            "Resource" => Ref("ConfigServiceTopic")
+           }
+          ]
+        })
+    Role Ref("ConfigServiceIAMRole")
+  }
+
+  QueuePolicy("ConfigServiceQueuePolicy") {
+    PolicyDocument({
+      "Version" => "2012-10-17",
+      "Statement" => [
+        {
+          "Sid" => "Allow-SendMessage-To-ConfigService-Queue-From-SNS-Topic",
+          "Effect" => "Allow",
+          "Principal" => "*",
+          "Action" => ["sqs:SendMessage"],
+          "Resource" => "*",
+          "Condition" => {
+            "ArnEquals" => {
+              "aws:SourceArn" => Ref("ConfigServiceTopic")
+            }
+          }
+        }
+      ]
+    })
+    Queues [ Ref("ConfigServiceQueue") ]
+  }
+
+  DeliveryChannel("ConfigDeliveryChannel") {
+    ConfigSnapshotDeliveryProperties({
+        "DeliveryFrequency" => "Six_Hours"
+    })
+    S3BucketName Ref("ConfigServiceBucket")
+    SnsTopicARN Ref("ConfigServiceTopic")
+  }
+
+  ConfigurationRecorder("ConfigRecorder") {
+    Name "DefaultRecorder"
+    RecordingGroup({
+      "AllSupported" => true
+    })
+    RoleARN FnGetAtt("ConfigServiceIAMRole", "Arn")
+  }
+}

data/sample/iam-policies.rb

@@ -0,0 +1,82 @@
+CloudFormation {
+  AWSTemplateFormatVersion "2010-09-09"
+
+  Description "Creates sample IAM policies"
+
+  ManagedPolicy("AllowUserManagePasswordAccessKeys") {
+    Description "Allows user to manage passwords and access keys"
+    PolicyDocument({
+      "Version" => "2012-10-17",
+      "Statement" => [
+        {
+          "Effect" => "Allow",
+          "Action" => [
+            "iam:*LoginProfile",
+            "iam:*AccessKey*",
+            "iam:*SSHPublicKey*"
+          ],
+          "Resource" => FnJoin("", ["arn:aws:iam::", Ref("AWS::AccountId"), ":user/${aws:username}"])
+        }
+      ]
+      })
+    }
+
+  ManagedPolicy("AllowUserManageVirtualMFA") {
+    Description "Allows user to manage their virtual MFA device"
+    PolicyDocument({
+      "Version" => "2012-10-17",
+      "Statement" => [
+        {
+          "Sid" => "AllowUsersToCreateEnableResyncTheirOwnVirtualMFADevice",
+          "Effect" => "Allow",
+          "Action" => [
+              "iam:CreateVirtualMFADevice",
+              "iam:EnableMFADevice",
+              "iam:ResyncMFADevice"
+            ],
+          "Resource" => [
+              FnJoin("", ["arn:aws:iam::", Ref("AWS::AccountId"), ":mfa/${aws:username}"]),
+              FnJoin("", ["arn:aws:iam::", Ref("AWS::AccountId"), ":user/${aws:username}"])
+            ]
+        },
+        {
+          "Sid" => "AllowUsersToDeactivateDeleteTheirOwnVirtualMFADevice",
+          "Effect" => "Allow",
+          "Action" => [
+              "iam:DeactivateMFADevice",
+              "iam:DeleteVirtualMFADevice"
+            ],
+          "Resource" => [
+              FnJoin("", ["arn:aws:iam::", Ref("AWS::AccountId"), ":mfa/${aws:username}"]),
+              FnJoin("", ["arn:aws:iam::", Ref("AWS::AccountId"), ":user/${aws:username}"])
+            ],
+          "Condition" => {
+            "Bool" => {
+              "aws:MultiFactorAuthPresent" => true
+            }
+          }
+        },
+        {
+          "Sid" => "AllowUsersToListMFADevicesandUsersForConsole",
+          "Effect" => "Allow",
+          "Action" => [
+              "iam:ListMFADevices",
+              "iam:ListVirtualMFADevices",
+              "iam:ListUsers"
+            ],
+          "Resource" => "*"
+        }
+      ]
+    })
+  }
+
+  Output("AllowUserManagePasswordAccessKeysPolicyArn") {
+    Description "The ARN of the AllowUserManagePasswordAccessKeys IAM policy"
+    Value Ref("AllowUserManagePasswordAccessKeys")
+  }
+
+  Output("AllowUserManageVirtualMFAPolicyArn") {
+    Description "The ARN of the AllowUserManageVirtualMFA IAM policy"
+    Value Ref("AllowUserManageVirtualMFA")
+  }
+}

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cfndsl
 version: !ruby/object:Gem::Version
-  version: 0.3.2
+  version: 0.3.3
 platform: ruby
 authors:
 - Steven Jack
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-11-20 00:00:00.000000000 Z
+date: 2015-12-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -69,7 +69,9 @@ files:
 - sample/autoscale2.rb
 - sample/circular.rb
 - sample/codedeploy.rb
+- sample/config-service.rb
 - sample/ecs.rb
+- sample/iam-policies.rb
 - sample/s3.rb
 - sample/t1.rb
 - sample/t1.yaml