Release 2.6.1

Dome9.CloudGuardOnboarding.Orchestrator/Steps/InitServiceAccountStep.cs

@@ -47,7 +47,7 @@ public override async Task Rollback()
             try
             {
                 Console.WriteLine($"[INFO] [{nameof(InitServiceAccountStep)}.{nameof(Rollback)}] About to delete service account");
-                await _retryAndBackoffService.RunAsync(() => _apiProvider.UpdateOnboardingStatus(new StatusModel(_onboardingId, Enums.Feature.None, Enums.Status.PENDING, "Deleting service account", null, null, null)));
+                await _retryAndBackoffService.RunAsync(() => _apiProvider.UpdateOnboardingStatus(new StatusModel(_onboardingId, Enums.Feature.None, Enums.Status.ERROR, "Deleting service account", null, null, null)));
                 // must let all the statuses get posted before we delete the service account
                 await _retryAndBackoffService.RunAsync(() => _apiProvider.DeleteServiceAccount(new CredentialsModel { OnboardingId = _onboardingId }));
                 // can't write to dynamo anymore since we just deleted the service account 

cft/cft-replacer/replacer.js

@@ -36,14 +36,16 @@ let replacer = function () {
         const orchestratorInvokeProperties = yamlParse(fs.readFileSync(__dirname + '/../replacements/orchestrator_invoke_properties.yml', 'utf8'))
         const parameters = yamlParse(fs.readFileSync(__dirname + '/../replacements/parameters.yml', 'utf8'))
         const readonlyPolicy = yamlParse(fs.readFileSync(__dirname + '/../replacements/readonly_policy.yml', 'utf8'))
+        const readonlyPolicyStatements = yamlParse(fs.readFileSync(__dirname + '/../replacements/readonly_policy_statements_cft.yml', 'utf8'))
         const readwritePolicy = yamlParse(fs.readFileSync(__dirname + '/../replacements/readwrite_policy.yml', 'utf8'))
         const stackModifyPolicyStatements = yamlParse(fs.readFileSync(__dirname + '/../replacements/stack_modify_policy_statements.yml', 'utf8'))
         const metadata = yamlParse(fs.readFileSync(__dirname + '/../replacements/metadata.yml', 'utf8'))
         const userBasedOrchestratorRolePolicies = yamlParse(fs.readFileSync(__dirname + '/../replacements/user_based_orchestrator_role_policy_statements.yml', 'utf8'))
         const roleBasedOrchestratorRolePolicies = yamlParse(fs.readFileSync(__dirname + '/../replacements/role_based_orchestrator_role_policy_statements.yml', 'utf8'))
 
-        writToFile('/generated/templates/policies/readonly_policy.json', JSON.stringify(readonlyPolicy, null, 4))
-        writToFile('/generated/templates/policies/readwrite_policy.json', JSON.stringify(readwritePolicy, null, 4))
+        replaceObjectByPlaceholders(readonlyPolicy, [
+            {key: 'REPLACEMENT_READONLY_POLICY_STATEMENTS', value: readonlyPolicyStatements},
+        ]);
 
         // role based onboarding
         let orchestratorRole = yamlParse(fs.readFileSync(__dirname + '/../replacements/orchestartor_role.yml', 'utf8'))
@@ -124,6 +126,35 @@ let replacer = function () {
         permissionsReadwriteYml = yamlDump(permissionsReadwriteJson)
         writToFile('/generated/templates/user_based/permissions_readwrite_cft.yml', permissionsReadwriteYml)
 
+
+        // create policy json files
+        let readonlyPolicyStatementsJson = yamlParse(fs.readFileSync(__dirname + '/../replacements/readonly_policy_statements.yml', 'utf8'))
+        let readonlyPolicyJson = yamlParse(fs.readFileSync(__dirname + '/../replacements/readonly_policy.yml', 'utf8'))
+        replaceObjectByPlaceholders(readonlyPolicyJson, [
+            {key: 'REPLACEMENT_READONLY_POLICY_STATEMENTS', value: readonlyPolicyStatementsJson},
+            {key: 'REPLACEMENT_POLICY_PARTITION', value: "aws"}
+        ]);
+        writToFile('/generated/templates/policies/aws/readonly_policy.json', JSON.stringify(readonlyPolicyJson, null, 4))
+        writToFile('/generated/templates/policies/aws/readwrite_policy.json', JSON.stringify(readwritePolicy, null, 4))
+
+        readonlyPolicyStatementsJson = yamlParse(fs.readFileSync(__dirname + '/../replacements/readonly_policy_statements.yml', 'utf8'))
+        readonlyPolicyJson = yamlParse(fs.readFileSync(__dirname + '/../replacements/readonly_policy.yml', 'utf8'))
+        replaceObjectByPlaceholders(readonlyPolicyJson, [
+            {key: 'REPLACEMENT_READONLY_POLICY_STATEMENTS', value: readonlyPolicyStatementsJson},
+            {key: 'REPLACEMENT_POLICY_PARTITION', value: "aws-cn"}
+        ]);
+        writToFile('/generated/templates/policies/awschina/readonly_policy.json', JSON.stringify(readonlyPolicyJson, null, 4))
+        writToFile('/generated/templates/policies/awschina/readwrite_policy.json', JSON.stringify(readwritePolicy, null, 4))
+
+        readonlyPolicyStatementsJson = yamlParse(fs.readFileSync(__dirname + '/../replacements/readonly_policy_statements.yml', 'utf8'))
+        readonlyPolicyJson = yamlParse(fs.readFileSync(__dirname + '/../replacements/readonly_policy.yml', 'utf8'))
+        replaceObjectByPlaceholders(readonlyPolicyJson, [
+            {key: 'REPLACEMENT_READONLY_POLICY_STATEMENTS', value: readonlyPolicyStatementsJson},
+            {key: 'REPLACEMENT_POLICY_PARTITION', value: "aws-us-gov"}
+        ]);
+        writToFile('/generated/templates/policies/awsgov/readonly_policy.json', JSON.stringify(readonlyPolicyJson, null, 4))
+        writToFile('/generated/templates/policies/awsgov/readwrite_policy.json', JSON.stringify(readwritePolicy, null, 4))
+
     } catch (e) {
         console.log(e);
         throw e;

cft/generated/templates/policies/readonly_policy.json → cft/generated/templates/policies/aws/readonly_policy.json

@@ -62,9 +62,7 @@
                 "s3:GetObject"
             ],
             "Effect": "Allow",
-            "Resource": {
-                "Fn::Sub": "arn:${AWS::Partition}:s3:::elasticbeanstalk-env-resources-??*?/*"
-            }
+            "Resource": "arn:aws:s3:::elasticbeanstalk-env-resources-??*?/*"
         }
     ]
 }

cft/generated/templates/policies/awschina/readonly_policy.json

@@ -0,0 +1,68 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "CloudGuardReadOnly",
+            "Action": [
+                "apigateway:GET",
+                "athena:GetQueryExecution",
+                "athena:GetWorkGroup",
+                "backup:ListBackupVaults",
+                "cognito-identity:DescribeIdentityPool",
+                "cognito-idp:DescribeUserPool",
+                "cognito-idp:DescribeRiskConfiguration",
+                "dynamodb:ListTagsOfResource",
+                "ec2:SearchTransitGatewayRoutes",
+                "elasticfilesystem:Describe*",
+                "elasticache:ListTagsForResource",
+                "es:ListTags",
+                "eks:DescribeNodegroup",
+                "eks:ListNodegroups",
+                "glue:GetConnections",
+                "glue:GetSecurityConfigurations",
+                "kafka:ListClusters",
+                "kinesis:List*",
+                "kinesis:Describe*",
+                "kinesisvideo:Describe*",
+                "kinesisvideo:List*",
+                "logs:Get*",
+                "logs:FilterLogEvents",
+                "logs:ListLogDeliveries",
+                "mq:DescribeBroker",
+                "mq:ListBrokers",
+                "network-firewall:DescribeFirewall",
+                "network-firewall:DescribeLoggingConfiguration",
+                "network-firewall:ListFirewalls",
+                "network-firewall:DescribeRuleGroup",
+                "network-firewall:DescribeFirewallPolicy",
+                "personalize:DescribeDatasetGroup",
+                "personalize:ListDatasetGroups",
+                "s3:List*",
+                "secretsmanager:DescribeSecret",
+                "sns:ListSubscriptions",
+                "sns:ListTagsForResource",
+                "sns:GetPlatformApplicationAttributes",
+                "sns:ListPlatformApplications",
+                "states:DescribeStateMachine",
+                "transcribe:Get*",
+                "transcribe:List*",
+                "translate:GetTerminology",
+                "waf-regional:ListResourcesForWebACL",
+                "wafv2:ListWebACLs",
+                "wafv2:ListResourcesForWebACL",
+                "eks:ListFargateProfiles",
+                "eks:DescribeFargateProfile"
+            ],
+            "Effect": "Allow",
+            "Resource": "*"
+        },
+        {
+            "Sid": "ElasticbeanstalkConfigurationSettingsPermission",
+            "Action": [
+                "s3:GetObject"
+            ],
+            "Effect": "Allow",
+            "Resource": "arn:aws-cn:s3:::elasticbeanstalk-env-resources-??*?/*"
+        }
+    ]
+}

cft/generated/templates/policies/awschina/readwrite_policy.json

@@ -0,0 +1,21 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "CloudGuardWrite",
+            "Action": [
+                "ec2:AuthorizeSecurityGroupEgress",
+                "ec2:AuthorizeSecurityGroupIngress",
+                "ec2:CreateSecurityGroup",
+                "ec2:DeleteSecurityGroup",
+                "ec2:RevokeSecurityGroupEgress",
+                "ec2:RevokeSecurityGroupIngress",
+                "ec2:ModifyNetworkInterfaceAttribute",
+                "ec2:CreateTags",
+                "ec2:DeleteTags"
+            ],
+            "Effect": "Allow",
+            "Resource": "*"
+        }
+    ]
+}

cft/generated/templates/policies/awsgov/readonly_policy.json

@@ -0,0 +1,68 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "CloudGuardReadOnly",
+            "Action": [
+                "apigateway:GET",
+                "athena:GetQueryExecution",
+                "athena:GetWorkGroup",
+                "backup:ListBackupVaults",
+                "cognito-identity:DescribeIdentityPool",
+                "cognito-idp:DescribeUserPool",
+                "cognito-idp:DescribeRiskConfiguration",
+                "dynamodb:ListTagsOfResource",
+                "ec2:SearchTransitGatewayRoutes",
+                "elasticfilesystem:Describe*",
+                "elasticache:ListTagsForResource",
+                "es:ListTags",
+                "eks:DescribeNodegroup",
+                "eks:ListNodegroups",
+                "glue:GetConnections",
+                "glue:GetSecurityConfigurations",
+                "kafka:ListClusters",
+                "kinesis:List*",
+                "kinesis:Describe*",
+                "kinesisvideo:Describe*",
+                "kinesisvideo:List*",
+                "logs:Get*",
+                "logs:FilterLogEvents",
+                "logs:ListLogDeliveries",
+                "mq:DescribeBroker",
+                "mq:ListBrokers",
+                "network-firewall:DescribeFirewall",
+                "network-firewall:DescribeLoggingConfiguration",
+                "network-firewall:ListFirewalls",
+                "network-firewall:DescribeRuleGroup",
+                "network-firewall:DescribeFirewallPolicy",
+                "personalize:DescribeDatasetGroup",
+                "personalize:ListDatasetGroups",
+                "s3:List*",
+                "secretsmanager:DescribeSecret",
+                "sns:ListSubscriptions",
+                "sns:ListTagsForResource",
+                "sns:GetPlatformApplicationAttributes",
+                "sns:ListPlatformApplications",
+                "states:DescribeStateMachine",
+                "transcribe:Get*",
+                "transcribe:List*",
+                "translate:GetTerminology",
+                "waf-regional:ListResourcesForWebACL",
+                "wafv2:ListWebACLs",
+                "wafv2:ListResourcesForWebACL",
+                "eks:ListFargateProfiles",
+                "eks:DescribeFargateProfile"
+            ],
+            "Effect": "Allow",
+            "Resource": "*"
+        },
+        {
+            "Sid": "ElasticbeanstalkConfigurationSettingsPermission",
+            "Action": [
+                "s3:GetObject"
+            ],
+            "Effect": "Allow",
+            "Resource": "arn:aws-us-gov:s3:::elasticbeanstalk-env-resources-??*?/*"
+        }
+    ]
+}

cft/generated/templates/policies/awsgov/readwrite_policy.json

@@ -0,0 +1,21 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "CloudGuardWrite",
+            "Action": [
+                "ec2:AuthorizeSecurityGroupEgress",
+                "ec2:AuthorizeSecurityGroupIngress",
+                "ec2:CreateSecurityGroup",
+                "ec2:DeleteSecurityGroup",
+                "ec2:RevokeSecurityGroupEgress",
+                "ec2:RevokeSecurityGroupIngress",
+                "ec2:ModifyNetworkInterfaceAttribute",
+                "ec2:CreateTags",
+                "ec2:DeleteTags"
+            ],
+            "Effect": "Allow",
+            "Resource": "*"
+        }
+    ]
+}

cft/replacements/readonly_policy.yml

@@ -52,8 +52,4 @@ Statement:
       - 'eks:DescribeFargateProfile'
     Effect: Allow
     Resource: '*'
-  - Sid: ElasticbeanstalkConfigurationSettingsPermission
-    Action:
-      - 's3:GetObject'
-    Effect: Allow
-    Resource: !Sub 'arn:${AWS::Partition}:s3:::elasticbeanstalk-env-resources-??*?/*'
+  - REPLACEMENT_READONLY_POLICY_STATEMENTS

cft/replacements/readonly_policy_statements.yml

@@ -0,0 +1,5 @@
+- Sid: ElasticbeanstalkConfigurationSettingsPermission
+  Action:
+    - 's3:GetObject'
+  Effect: Allow
+  Resource: 'arn:REPLACEMENT_POLICY_PARTITION:s3:::elasticbeanstalk-env-resources-??*?/*'

cft/replacements/readonly_policy_statements_cft.yml

@@ -0,0 +1,5 @@
+- Sid: ElasticbeanstalkConfigurationSettingsPermission
+  Action:
+    - 's3:GetObject'
+  Effect: Allow
+  Resource: !Sub 'arn:${AWS::Partition}:s3:::elasticbeanstalk-env-resources-??*?/*'