dlz 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 42f9794bb5edc9d8aab1314af69e25103c9a63d9f2a1158fe83484a1e2740e0c
+  data.tar.gz: 60374a816b862eddfdf271b97c3fcbed44c3f225833a4b6bb03664dcb5b91249
+SHA512:
+  metadata.gz: 280f5e29740a01c2b8e0a5b0d1b78b054fc47f8b5d23d88c06e484fec59ab1861b9b07bf8a2b05e8300ce38444b30c04e8ec50db2e79099af3d0f26760de53ea
+  data.tar.gz: 02dde9770a7f200429bc5b0801a4a6cdec8863e87d170627505c4e473d69b795a029514da7841a1db659b217fd7c9fc0ec3e0bb8b93851ced818c8c4f099f929

data/LICENSE

@@ -0,0 +1,19 @@
+Copyright (c) 2019 Daniel Stamer
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,3 @@
+# dlz - Dan's LZ: highly-opinionated AWS Landing Zone bootstrapping tool
+
+`dlz` bootstraps AWS organizations and accounts.

data/bin/dlz

@@ -0,0 +1,78 @@
+#!/usr/bin/env ruby
+
+require 'thor'
+require 'dlz'
+
+# Main Thor class for `dlz`
+class DLZ < Thor
+  desc 'init', 'Create new `dlz` configuration skeleton'
+  def init
+    Config.init
+  end
+
+  desc 'config', 'Inspect `dlz` configuration'
+  def config
+    Config.print
+  end
+
+  desc 'version', 'Print `dlz` version info'
+  def version
+    Config.version
+  end
+
+  desc 'render', 'Render CloudFormation templates for `dlz` and local resources'
+  def render
+    Renderer.render_all
+  end
+
+  desc 'organization COMMAND', 'Configure organization and organizational units'
+  long_desc <<-DESC
+    Manage AWS Organization and organizational units.
+    Commands:
+      - 'deploy':  `dlz` will try to deploy the organization and it's structure as
+                   configured in the configuration.
+      - 'destroy': `dlz` will attempt to destroy the organization completely.
+  DESC
+  def organization(command)
+    cfg = Config.load
+    return Organization.deploy(config: cfg) if command.casecmp('deploy').zero?
+    return Organization.destroy(config: cfg) if command.casecmp('destroy').zero?
+
+    Interface.error(message: "unable to understand '#{command}'")
+  end
+
+  desc 'accounts COMMAND', 'Create accounts and attach to organization'
+  long_desc <<-DESC
+    Create and configure AWS accounts to the currently configured organization.
+    Commands:
+      - 'deploy':  `dlz` will attempt to configure all accounts as configured and
+                   will try to enroll them into the organization at the specific
+                   organizational units.
+      - 'destroy': `dlz` will suspend accounts.
+  DESC
+  def accounts(command)
+    cfg = Config.load
+    return Accounts.deploy(config: cfg) if command.casecmp('deploy').zero?
+    return Accounts.destroy(config: cfg) if command.casecmp('destroy').zero?
+
+    Interface.error(message: "unable to understand '#{command}'")
+  end
+
+  desc 'resources COMMAND', 'Deploy resources per account'
+  long_desc <<-DESC
+    Manage AWS resources according to configuration.
+    Commands:
+      - 'deploy':  `dlz` will try to deploy all defined stacks and provision
+                   resources into AWS accounts.
+      - 'destroy': `dlz` will collapse all stacks and destroy all resources.
+  DESC
+  def resources(command)
+    cfg = Config.load
+    return Resources.deploy(config: cfg) if command.casecmp('deploy').zero?
+    return Resources.destroy(config: cfg) if command.casecmp('destroy').zero?
+
+    Interface.error(message: "unable to understand '#{command}'")
+  end
+end
+
+DLZ.start(ARGV)

data/lib/dlz.rb

@@ -0,0 +1,6 @@
+require 'dlz/accounts'
+require 'dlz/config'
+require 'dlz/interface'
+require 'dlz/organization'
+require 'dlz/renderer'
+require 'dlz/resources'

data/lib/dlz/accounts.rb

@@ -0,0 +1,12 @@
+require 'dlz/interface'
+
+# Module to create accounts and attach them to the organization
+module Accounts
+  def self.deploy(*)
+    Interface.error(message: 'I am not implemented yet!') # TODO: implement me
+  end
+
+  def self.destroy(*)
+    Interface.error(message: 'I am not implemented yet!') # TODO: implement me
+  end
+end

data/lib/dlz/config.rb

@@ -0,0 +1,92 @@
+require 'fileutils'
+require 'dlz/interface'
+require 'awesome_print'
+require 'yaml'
+
+# Configuration singleton for `dlz`
+class Config
+  class << self; attr_accessor :data end
+  @data = {}
+
+  def self.init
+    return Interface.panic(message: 'config seems to already exist!') if config?
+
+    FileUtils.mkdir_p(local_dlz_template_path)
+    FileUtils.cp(
+      "#{dlz_init_path}/dlz.yaml",
+      "#{local_path}/dlz.yaml"
+    )
+    Interface.info(message: 'created new default configuration.')
+  end
+
+  def self.load
+    unless File.exist?("#{local_path}/dlz.yaml")
+      return Interface.panic(message: 'no config file found. try `dlz init`.')
+    end
+
+    if @data.empty?
+      # Load, deserialize and symbolize keys
+      @data = YAML.load_file("#{local_path}/dlz.yaml")
+                  .each_with_object({}) do |(key, value), obj|
+                    obj[key.to_sym] = value
+                  end
+    end
+    @data
+  end
+
+  def self.version
+    Interface.info(
+      message: "current version is 'dlz-#{Gem.loaded_specs['dlz'].version}'"
+    )
+  end
+
+  def self.print
+    ap load
+  end
+
+  def self.config?
+    return true if File.exist?("#{local_path}/dlz.yaml")
+
+    false
+  end
+
+  def self.dlz_path
+    File.expand_path(File.dirname(__dir__))
+  end
+
+  def self.dlz_init_path
+    "#{dlz_path}/#{dlz_init_path_trailing}"
+  end
+
+  def self.dlz_init_path_trailing
+    'init'
+  end
+
+  def self.dlz_template_path
+    "#{dlz_path}/#{dlz_template_path_trailing}"
+  end
+
+  def self.dlz_template_path_trailing
+    'templates'
+  end
+
+  def self.local_path
+    Dir.pwd
+  end
+
+  def self.local_template_path
+    "#{local_path}/#{local_template_path_trailing}"
+  end
+
+  def self.local_template_path_trailing
+    'templates'
+  end
+
+  def self.local_dlz_template_path
+    "#{local_path}/#{local_dlz_template_path_trailing}"
+  end
+
+  def self.local_dlz_template_path_trailing
+    'templates/dlz'
+  end
+end

data/lib/dlz/interface.rb

@@ -0,0 +1,24 @@
+# Module to standardize formats for CLI communication.
+module Interface
+  PROMPT = 'DLZ>'.freeze
+  def self.print(message: 'something happened.', level: :info)
+    puts "#{PROMPT} #{level.to_s.upcase}: #{message.downcase}"
+  end
+
+  def self.info(message: 'something informative happened.')
+    print(message: message, level: :info)
+  end
+
+  def self.warn(message: 'something almost terrible happened.')
+    print(message: message, level: :warn)
+  end
+
+  def self.error(message: 'something terrible happened.')
+    print(message: message, level: :error)
+  end
+
+  def self.panic(message: 'something really fucked up happened.')
+    print(message: message, level: :error)
+    exit(-1)
+  end
+end

data/lib/dlz/organization.rb

@@ -0,0 +1,12 @@
+require 'dlz/interface'
+
+# Module to create the organization and organizational units
+module Organization
+  def self.deploy(*)
+    Interface.error(message: 'I am not implemented yet!') # TODO: implement me
+  end
+
+  def self.destroy(*)
+    Interface.error(message: 'I am not implemented yet!') # TODO: implement me
+  end
+end

data/lib/dlz/renderer.rb

@@ -0,0 +1,60 @@
+require 'erb'
+require 'dlz/config'
+require 'dlz/interface'
+require 'pathname'
+
+# Module to render cloudformation templates
+module Renderer
+  def self.render_dlz
+    render(source: {
+             path: Config.dlz_template_path,
+             root: Config.dlz_path,
+             id: :dlz
+           }, sink: {
+             path: Config.local_dlz_template_path,
+             root: Config.local_path,
+             id: :local
+           })
+  end
+
+  def self.render_local
+    render(source: {
+             path: Config.local_template_path,
+             root: Config.local_path,
+             id: :local
+           }, sink: {
+             path: Config.local_template_path,
+             root: Config.local_path,
+             id: :local
+           })
+  end
+
+  def self.render_all
+    FileUtils.mkdir_p(Config.local_dlz_template_path)
+    render_dlz
+    render_local
+  end
+
+  def self.render(source:, sink:)
+    cfg = Config.load
+    Dir.glob("#{source[:path]}/*.erb") do |path|
+      template = IO.read(path)
+      render = ERB.new(template, nil, '-').result(binding)
+      n_path = "#{sink[:path]}/#{File.basename(path, File.extname(path))}.yaml"
+      File.open(n_path, 'w') do |file|
+        file.write(render)
+      end
+      render_result(source: source, sink: sink, path: path, n_path: n_path)
+    end
+  end
+
+  def self.render_result(source:, sink:, path:, n_path:)
+    from = Pathname.new(path).relative_path_from(Pathname.new(source[:root]))
+    to = Pathname.new(n_path).relative_path_from(Pathname.new(sink[:root]))
+
+    Interface.info(
+      message:
+        "RENDER <#{source[:id].to_sym}>/#{from} => <#{sink[:id].to_sym}>/#{to}"
+    )
+  end
+end

data/lib/dlz/resources.rb

@@ -0,0 +1,12 @@
+require 'dlz/interface'
+
+# Module to deploy resources to individual accounts
+module Resources
+  def self.deploy(*)
+    Interface.error(message: 'I am not implemented yet!') # TODO: implement me
+  end
+
+  def self.destroy(*)
+    Interface.error(message: 'I am not implemented yet!') # TODO: implement me
+  end
+end

data/lib/init/dlz.yaml

@@ -0,0 +1,17 @@
+# This is the central config for `dlz`.
+
+# Account ID of organization master payer, this will be setup as organization
+# root. It will also act as trusted authority to assume the admin roles from.
+root_account_id: 123456789012
+
+# Pre-configured external ID to harden access to cross-account admin role.
+# CHANGE THIS!
+sts_external_id: 'change-me'
+
+# List of roles which will be assumed by the development teams. `dlz` will deploy
+# it's own resources and protect them from modification by these roles.
+restricted_roles:
+ - ReadOnly
+ - Developer
+ - Administrator
+

data/lib/templates/admin_role.erb

@@ -0,0 +1,27 @@
+Description: >
+  This stack will provision the admin role which `dlz` will use to deploy the landing zone.
+
+Resources:
+  dlzadm:
+    Type: AWS::IAM::Role
+    Properties:
+      Path: /dlz/admin/
+      RoleName: lzadm
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Action: sts:AssumeRole
+            Principal:
+              AWS: arn:aws:iam::<%= cfg[:root_account_id] %>:root
+            Condition:
+              StringEquals:
+                sts:ExternalId: "<%= cfg[:sts_external_id] %>"
+      Policies:
+        - PolicyName: dlzadm-policy
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Effect: Allow
+                Action: "*"
+                Resource: "*"

data/lib/templates/protect_resources.erb

@@ -0,0 +1,70 @@
+Description: > 
+  This stack will restrict modification of `dlz` deployed resources.
+
+Resources:
+  dlzprotectpolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      Description: This policy will restrict modification of `dlz` deployed resources.
+      ManagedPolicyName: dlz-restriction-policy
+      Roles:
+<% cfg[:restricted_roles].each do |role| -%>
+        - <%= role %>
+<% end -%>
+      PolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Deny
+            Action:
+              - iam:DeleteRole
+              - iam:UpdateRole
+              - iam:UpdateRoleDescription
+            Resources:
+              - !Sub 'arn:aws:iam::${AWS::AccountId}:role/dlzadm'
+<% cfg[:restricted_roles].each do |role| -%>
+              - !Sub 'arn:aws:iam::${AWS::AccountId}:role/<%= role %>'
+<% end -%>
+          - Effect: Deny
+            Action:
+              - 'organzations:*'
+              - iam:AddUserToGroup
+              - iam:AttachGroupPolicy
+              - iam:AttachUserPolicy
+              - iam:ChangePassword
+              - iam:CreateAccessKey
+              - iam:CreateAccountAlias
+              - iam:CreateGroup
+              - iam:CreateLoginProfile
+              - iam:CreateOpenIDConnectProvider
+              - iam:CreateSAMLProvider
+              - iam:CreateUser
+              - iam:CreateVirtualMFADevice
+              - iam:DeleteAccountAlias
+              - iam:DeleteAccountPasswordPolicy
+              - iam:DeleteGroup
+              - iam:DeleteLoginProfile
+              - iam:DeleteOpenIdConnectProvider
+              - iam:DeleteSAMLProvider
+              - iam:DeleteUser
+              - iam:DeleteUserPermissionBoundary
+              - iam:DeleteUserPolicy
+              - iam:DetachUserPolicy
+              - iam:EnableMFADevice
+              - iam:PutGroupPolicy
+              - iam:PutUserPermissionBoundary
+              - iam:PutUserPolicy
+              - iam:RemoveClientIDFromOpenIDConnectProvider
+              - iam:RemoveUserFromGroup
+              - iam:ResyncMFADevice
+              - iam:SetDefaultPolicyVersion
+              - iam:TagUser
+              - iam:UntagUser
+              - iam:UpdateAccessKey
+              - iam:UpdateAccountPasswordPolicy
+              - iam:UpdateGroup
+              - iam:UpdateLoginProfile
+              - iam:UpdateOpenIDConnectProviderThumbprint
+              - iam:UpdateSAMLProvider
+              - iam:UpdateUser
+            Resources:
+              - '*'

metadata

@@ -0,0 +1,61 @@
+--- !ruby/object:Gem::Specification
+name: dlz
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Daniel Stamer
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2019-03-04 00:00:00.000000000 Z
+dependencies: []
+description: |2
+    dlz is a highly-opinionated bootstrapping framework for AWS landing zones.
+    It focuses on 3 main areas: creating and configuring an AWS Organization,
+    creating and attaching accounts to that organization and deploying resources
+    into those accounts.'
+email: dan@hello-world.sh
+executables:
+- dlz
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE
+- README.md
+- bin/dlz
+- lib/dlz.rb
+- lib/dlz/accounts.rb
+- lib/dlz/config.rb
+- lib/dlz/interface.rb
+- lib/dlz/organization.rb
+- lib/dlz/renderer.rb
+- lib/dlz/resources.rb
+- lib/init/dlz.yaml
+- lib/templates/admin_role.erb
+- lib/templates/protect_resources.erb
+homepage: https://hello-world.sh
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.8
+signing_key: 
+specification_version: 4
+summary: dlz is an AWS landing zone bootstrapping tool.
+test_files: []