From e775b3e3b545bce00b2b77377029526f7d876eef Mon Sep 17 00:00:00 2001
From: itzikYeret
Date: Thu, 23 Dec 2021 07:11:10 +0000
Subject: [PATCH] Release 2.6.1

---
 .../Steps/InitServiceAccountStep.cs | 2 +-
 cft/cft-replacer/replacer.js | 35 +++++++++-
 .../policies/{ => aws}/readonly_policy.json | 4 +-
 .../policies/{ => aws}/readwrite_policy.json | 0
 .../policies/awschina/readonly_policy.json | 68 +++++++++++++++++++
 .../policies/awschina/readwrite_policy.json | 21 ++++++
 .../policies/awsgov/readonly_policy.json | 68 +++++++++++++++++++
 .../policies/awsgov/readwrite_policy.json | 21 ++++++
 cft/replacements/readonly_policy.yml | 6 +-
 .../readonly_policy_statements.yml | 5 ++
 .../readonly_policy_statements_cft.yml | 5 ++
 11 files changed, 224 insertions(+), 11 deletions(-)
 rename cft/generated/templates/policies/{ => aws}/readonly_policy.json (94%)
 rename cft/generated/templates/policies/{ => aws}/readwrite_policy.json (100%)
 create mode 100644 cft/generated/templates/policies/awschina/readonly_policy.json
 create mode 100644 cft/generated/templates/policies/awschina/readwrite_policy.json
 create mode 100644 cft/generated/templates/policies/awsgov/readonly_policy.json
 create mode 100644 cft/generated/templates/policies/awsgov/readwrite_policy.json
 create mode 100644 cft/replacements/readonly_policy_statements.yml
 create mode 100644 cft/replacements/readonly_policy_statements_cft.yml

diff --git a/Dome9.CloudGuardOnboarding.Orchestrator/Steps/InitServiceAccountStep.cs b/Dome9.CloudGuardOnboarding.Orchestrator/Steps/InitServiceAccountStep.cs
index 8ae06dc..4a2937d 100644
--- a/Dome9.CloudGuardOnboarding.Orchestrator/Steps/InitServiceAccountStep.cs
+++ b/Dome9.CloudGuardOnboarding.Orchestrator/Steps/InitServiceAccountStep.cs
@@ -47,7 +47,7 @@ public override async Task Rollback() try { Console.WriteLine($"[INFO] [{nameof(InitServiceAccountStep)}.{nameof(Rollback)}] About to delete service account"); - await _retryAndBackoffService.RunAsync(() => _apiProvider.UpdateOnboardingStatus(new StatusModel(_onboardingId, Enums.Feature.None, Enums.Status.PENDING, "Deleting service account", null, null, null))); + await _retryAndBackoffService.RunAsync(() => _apiProvider.UpdateOnboardingStatus(new StatusModel(_onboardingId, Enums.Feature.None, Enums.Status.ERROR, "Deleting service account", null, null, null))); // must let all the statuses get posted before we delete the service account await _retryAndBackoffService.RunAsync(() => _apiProvider.DeleteServiceAccount(new CredentialsModel { OnboardingId = _onboardingId })); // can't write to dynamo anymore since we just deleted the service account diff --git a/cft/cft-replacer/replacer.js b/cft/cft-replacer/replacer.js index 807154a..7599fa6 100644 --- a/cft/cft-replacer/replacer.js +++ b/cft/cft-replacer/replacer.js 
@@ -36,14 +36,16 @@ let replacer = function () { const orchestratorInvokeProperties = yamlParse(fs.readFileSync(__dirname + '/../replacements/orchestrator_invoke_properties.yml', 'utf8')) const parameters = yamlParse(fs.readFileSync(__dirname + '/../replacements/parameters.yml', 'utf8')) const readonlyPolicy = yamlParse(fs.readFileSync(__dirname + '/../replacements/readonly_policy.yml', 'utf8')) + const readonlyPolicyStatements = yamlParse(fs.readFileSync(__dirname + '/../replacements/readonly_policy_statements_cft.yml', 'utf8')) const readwritePolicy = yamlParse(fs.readFileSync(__dirname + '/../replacements/readwrite_policy.yml', 'utf8')) const stackModifyPolicyStatements = yamlParse(fs.readFileSync(__dirname + '/../replacements/stack_modify_policy_statements.yml', 'utf8')) const metadata = yamlParse(fs.readFileSync(__dirname + '/../replacements/metadata.yml', 'utf8')) const userBasedOrchestratorRolePolicies = yamlParse(fs.readFileSync(__dirname + '/../replacements/user_based_orchestrator_role_policy_statements.yml', 'utf8')) const roleBasedOrchestratorRolePolicies = yamlParse(fs.readFileSync(__dirname + '/../replacements/role_based_orchestrator_role_policy_statements.yml', 'utf8')) - writToFile('/generated/templates/policies/readonly_policy.json', JSON.stringify(readonlyPolicy, null, 4)) - writToFile('/generated/templates/policies/readwrite_policy.json', JSON.stringify(readwritePolicy, null, 4)) + replaceObjectByPlaceholders(readonlyPolicy, [ + {key: 'REPLACEMENT_READONLY_POLICY_STATEMENTS', value: readonlyPolicyStatements}, + ]); // role based onboarding let orchestratorRole = yamlParse(fs.readFileSync(__dirname + '/../replacements/orchestartor_role.yml', 'utf8')) 
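Review bot: The unpartitioned outputs `/generated/templates/policies/readonly_policy.json` and `readwrite_policy.json` are dropped by the removed `writToFile` lines and only reappear under `policies/aws/`, `policies/awschina/` and `policies/awsgov/` later in the function, so any consumer of the old path outside this diff (documentation, the orchestrator, CI) would find no file; it is worth grepping for the old path before the release goes out. A short comment above the new `readonlyPolicyStatements` read would also help, since two near-identical statement files now exist: `// *_cft.yml keeps !Sub ${AWS::Partition} for the CloudFormation templates; the plain readonly_policy_statements.yml with a literal partition is used for the IAM JSON files further down`. Note that `replaceObjectByPlaceholders` is called here for its side effect on `readonlyPolicy` (its result is discarded), which is why the JSON variants further down re-parse the YAML rather than reusing this object. The enclosing `replacer` function starts before this hunk and ends after it.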
@@ -124,6 +126,35 @@ let replacer = function () { permissionsReadwriteYml = yamlDump(permissionsReadwriteJson) writToFile('/generated/templates/user_based/permissions_readwrite_cft.yml', permissionsReadwriteYml) + + // create policy json files + let readonlyPolicyStatementsJson = yamlParse(fs.readFileSync(__dirname + '/../replacements/readonly_policy_statements.yml', 'utf8')) + let readonlyPolicyJson = yamlParse(fs.readFileSync(__dirname + '/../replacements/readonly_policy.yml', 'utf8')) + replaceObjectByPlaceholders(readonlyPolicyJson, [ + {key: 'REPLACEMENT_READONLY_POLICY_STATEMENTS', value: readonlyPolicyStatementsJson}, + {key: 'REPLACEMENT_POLICY_PARTITION', value: "aws"} + ]); + writToFile('/generated/templates/policies/aws/readonly_policy.json', JSON.stringify(readonlyPolicyJson, null, 4)) + writToFile('/generated/templates/policies/aws/readwrite_policy.json', JSON.stringify(readwritePolicy, null, 4)) + + readonlyPolicyStatementsJson = yamlParse(fs.readFileSync(__dirname + '/../replacements/readonly_policy_statements.yml', 'utf8')) + readonlyPolicyJson = yamlParse(fs.readFileSync(__dirname + '/../replacements/readonly_policy.yml', 'utf8')) + replaceObjectByPlaceholders(readonlyPolicyJson, [ + {key: 'REPLACEMENT_READONLY_POLICY_STATEMENTS', value: readonlyPolicyStatementsJson}, + {key: 'REPLACEMENT_POLICY_PARTITION', value: "aws-cn"} + ]); + writToFile('/generated/templates/policies/awschina/readonly_policy.json', JSON.stringify(readonlyPolicyJson, null, 4)) + writToFile('/generated/templates/policies/awschina/readwrite_policy.json', JSON.stringify(readwritePolicy, null, 4)) + + readonlyPolicyStatementsJson = yamlParse(fs.readFileSync(__dirname + '/../replacements/readonly_policy_statements.yml', 'utf8')) + readonlyPolicyJson = yamlParse(fs.readFileSync(__dirname + '/../replacements/readonly_policy.yml', 'utf8')) + replaceObjectByPlaceholders(readonlyPolicyJson, [ + {key: 'REPLACEMENT_READONLY_POLICY_STATEMENTS', value: readonlyPolicyStatementsJson}, + {key: 
'REPLACEMENT_POLICY_PARTITION', value: "aws-us-gov"} + ]); + writToFile('/generated/templates/policies/awsgov/readonly_policy.json', JSON.stringify(readonlyPolicyJson, null, 4)) + writToFile('/generated/templates/policies/awsgov/readwrite_policy.json', JSON.stringify(readwritePolicy, null, 4)) + } catch (e) { console.log(e); throw e; diff --git a/cft/generated/templates/policies/readonly_policy.json b/cft/generated/templates/policies/aws/readonly_policy.json similarity index 94% rename from cft/generated/templates/policies/readonly_policy.json rename to cft/generated/templates/policies/aws/readonly_policy.json index 79761b9..aded56f 100644 --- a/cft/generated/templates/policies/readonly_policy.json +++ b/cft/generated/templates/policies/aws/readonly_policy.json @@ -62,9 +62,7 @@ "s3:GetObject" ], "Effect": "Allow", - "Resource": { - "Fn::Sub": "arn:${AWS::Partition}:s3:::elasticbeanstalk-env-resources-??*?/*" - } + "Resource": "arn:aws:s3:::elasticbeanstalk-env-resources-??*?/*" } ] } \ No newline at end of file diff --git a/cft/generated/templates/policies/readwrite_policy.json b/cft/generated/templates/policies/aws/readwrite_policy.json similarity index 100% rename from cft/generated/templates/policies/readwrite_policy.json rename to cft/generated/templates/policies/aws/readwrite_policy.json diff --git a/cft/generated/templates/policies/awschina/readonly_policy.json b/cft/generated/templates/policies/awschina/readonly_policy.json new file mode 100644 index 0000000..11284d3 --- /dev/null +++ b/cft/generated/templates/policies/awschina/readonly_policy.json 
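Review bot: The three partition blocks added at the end of the hunk are copy-pasted and differ only in the output directory and the `REPLACEMENT_POLICY_PARTITION` value; a small table plus a loop states the mapping once and makes adding a partition a one-line change. Re-reading both YAML files on every iteration is still required, because `replaceObjectByPlaceholders` edits its argument in place (its return value is discarded and the mutated `readonlyPolicyJson` is what gets written). An unreplaced placeholder would leave a bare string inside `Statement` and yield a policy document IAM rejects, so failing the generation step when the serialized output still contains `REPLACEMENT_` is a cheap guard. Dropping `Fn::Sub` from the plain IAM JSON is the right call, since intrinsic functions are only meaningful inside a CloudFormation template. The enclosing `replacer` function begins before this hunk and its closing brace lies beyond it.
```javascript
    // create policy json files: one copy per AWS partition, because a plain
    // IAM policy document cannot resolve the partition with Fn::Sub
    const policyPartitions = [
        {dir: 'aws', partition: 'aws'},
        {dir: 'awschina', partition: 'aws-cn'},
        {dir: 'awsgov', partition: 'aws-us-gov'},
    ]
    for (const {dir, partition} of policyPartitions) {
        // re-parse on every iteration: replaceObjectByPlaceholders mutates its argument
        const statements = yamlParse(fs.readFileSync(__dirname + '/../replacements/readonly_policy_statements.yml', 'utf8'))
        const policy = yamlParse(fs.readFileSync(__dirname + '/../replacements/readonly_policy.yml', 'utf8'))
        replaceObjectByPlaceholders(policy, [
            {key: 'REPLACEMENT_READONLY_POLICY_STATEMENTS', value: statements},
            {key: 'REPLACEMENT_POLICY_PARTITION', value: partition}
        ]);
        const readonlyJson = JSON.stringify(policy, null, 4)
        if (readonlyJson.includes('REPLACEMENT_')) {
            throw new Error(`unreplaced placeholder in readonly policy for partition ${partition}`)
        }
        writToFile(`/generated/templates/policies/${dir}/readonly_policy.json`, readonlyJson)
        writToFile(`/generated/templates/policies/${dir}/readwrite_policy.json`, JSON.stringify(readwritePolicy, null, 4))
    }
    // … unchanged: catch block …
```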
@@ -0,0 +1,68 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "CloudGuardReadOnly", + "Action": [ + "apigateway:GET", + "athena:GetQueryExecution", + "athena:GetWorkGroup", + "backup:ListBackupVaults", + "cognito-identity:DescribeIdentityPool", + "cognito-idp:DescribeUserPool", + "cognito-idp:DescribeRiskConfiguration", + "dynamodb:ListTagsOfResource", + "ec2:SearchTransitGatewayRoutes", + "elasticfilesystem:Describe*", + "elasticache:ListTagsForResource", + "es:ListTags", + "eks:DescribeNodegroup", + "eks:ListNodegroups", + "glue:GetConnections", + "glue:GetSecurityConfigurations", + "kafka:ListClusters", + "kinesis:List*", + "kinesis:Describe*", + "kinesisvideo:Describe*", + "kinesisvideo:List*", + "logs:Get*", + "logs:FilterLogEvents", + "logs:ListLogDeliveries", + "mq:DescribeBroker", + "mq:ListBrokers", + "network-firewall:DescribeFirewall", + "network-firewall:DescribeLoggingConfiguration", + "network-firewall:ListFirewalls", + "network-firewall:DescribeRuleGroup", + "network-firewall:DescribeFirewallPolicy", + "personalize:DescribeDatasetGroup", + "personalize:ListDatasetGroups", + "s3:List*", + "secretsmanager:DescribeSecret", + "sns:ListSubscriptions", + "sns:ListTagsForResource", + "sns:GetPlatformApplicationAttributes", + "sns:ListPlatformApplications", + "states:DescribeStateMachine", + "transcribe:Get*", + "transcribe:List*", + "translate:GetTerminology", + "waf-regional:ListResourcesForWebACL", + "wafv2:ListWebACLs", + "wafv2:ListResourcesForWebACL", + "eks:ListFargateProfiles", + "eks:DescribeFargateProfile" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Sid": "ElasticbeanstalkConfigurationSettingsPermission", + "Action": [ + "s3:GetObject" + ], + "Effect": "Allow", + "Resource": "arn:aws-cn:s3:::elasticbeanstalk-env-resources-??*?/*" + } + ] +} \ No newline at end of file 
diff --git a/cft/generated/templates/policies/awschina/readwrite_policy.json b/cft/generated/templates/policies/awschina/readwrite_policy.json new file mode 100644 index 0000000..274ba86 --- /dev/null +++ b/cft/generated/templates/policies/awschina/readwrite_policy.json @@ -0,0 +1,21 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "CloudGuardWrite", + "Action": [ + "ec2:AuthorizeSecurityGroupEgress", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateSecurityGroup", + "ec2:DeleteSecurityGroup", + "ec2:RevokeSecurityGroupEgress", + "ec2:RevokeSecurityGroupIngress", + "ec2:ModifyNetworkInterfaceAttribute", + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Effect": "Allow", + "Resource": "*" + } + ] +} \ No newline at end of file diff --git a/cft/generated/templates/policies/awsgov/readonly_policy.json b/cft/generated/templates/policies/awsgov/readonly_policy.json new file mode 100644 index 0000000..ec524b1 --- /dev/null +++ b/cft/generated/templates/policies/awsgov/readonly_policy.json 
@@ -0,0 +1,68 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "CloudGuardReadOnly", + "Action": [ + "apigateway:GET", + "athena:GetQueryExecution", + "athena:GetWorkGroup", + "backup:ListBackupVaults", + "cognito-identity:DescribeIdentityPool", + "cognito-idp:DescribeUserPool", + "cognito-idp:DescribeRiskConfiguration", + "dynamodb:ListTagsOfResource", + "ec2:SearchTransitGatewayRoutes", + "elasticfilesystem:Describe*", + "elasticache:ListTagsForResource", + "es:ListTags", + "eks:DescribeNodegroup", + "eks:ListNodegroups", + "glue:GetConnections", + "glue:GetSecurityConfigurations", + "kafka:ListClusters", + "kinesis:List*", + "kinesis:Describe*", + "kinesisvideo:Describe*", + "kinesisvideo:List*", + "logs:Get*", + "logs:FilterLogEvents", + "logs:ListLogDeliveries", + "mq:DescribeBroker", + "mq:ListBrokers", + "network-firewall:DescribeFirewall", + "network-firewall:DescribeLoggingConfiguration", + "network-firewall:ListFirewalls", + "network-firewall:DescribeRuleGroup", + "network-firewall:DescribeFirewallPolicy", + "personalize:DescribeDatasetGroup", + "personalize:ListDatasetGroups", + "s3:List*", + "secretsmanager:DescribeSecret", + "sns:ListSubscriptions", + "sns:ListTagsForResource", + "sns:GetPlatformApplicationAttributes", + "sns:ListPlatformApplications", + "states:DescribeStateMachine", + "transcribe:Get*", + "transcribe:List*", + "translate:GetTerminology", + "waf-regional:ListResourcesForWebACL", + "wafv2:ListWebACLs", + "wafv2:ListResourcesForWebACL", + "eks:ListFargateProfiles", + "eks:DescribeFargateProfile" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Sid": "ElasticbeanstalkConfigurationSettingsPermission", + "Action": [ + "s3:GetObject" + ], + "Effect": "Allow", + "Resource": "arn:aws-us-gov:s3:::elasticbeanstalk-env-resources-??*?/*" + } + ] +} \ No newline at end of file 
diff --git a/cft/generated/templates/policies/awsgov/readwrite_policy.json b/cft/generated/templates/policies/awsgov/readwrite_policy.json new file mode 100644 index 0000000..274ba86 --- /dev/null +++ b/cft/generated/templates/policies/awsgov/readwrite_policy.json @@ -0,0 +1,21 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "CloudGuardWrite", + "Action": [ + "ec2:AuthorizeSecurityGroupEgress", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateSecurityGroup", + "ec2:DeleteSecurityGroup", + "ec2:RevokeSecurityGroupEgress", + "ec2:RevokeSecurityGroupIngress", + "ec2:ModifyNetworkInterfaceAttribute", + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Effect": "Allow", + "Resource": "*" + } + ] +} \ No newline at end of file diff --git a/cft/replacements/readonly_policy.yml b/cft/replacements/readonly_policy.yml index 0fabca5..bf1498b 100644 --- a/cft/replacements/readonly_policy.yml +++ b/cft/replacements/readonly_policy.yml @@ -52,8 +52,4 @@ Statement: - 'eks:DescribeFargateProfile' Effect: Allow Resource: '*' - - Sid: ElasticbeanstalkConfigurationSettingsPermission - Action: - - 's3:GetObject' - Effect: Allow - Resource: !Sub 'arn:${AWS::Partition}:s3:::elasticbeanstalk-env-resources-??*?/*' \ No newline at end of file + - REPLACEMENT_READONLY_POLICY_STATEMENTS \ No newline at end of file diff --git a/cft/replacements/readonly_policy_statements.yml b/cft/replacements/readonly_policy_statements.yml new file mode 100644 index 0000000..cf3d331 --- /dev/null +++ b/cft/replacements/readonly_policy_statements.yml @@ -0,0 +1,5 @@ +- Sid: ElasticbeanstalkConfigurationSettingsPermission + Action: + - 's3:GetObject' + Effect: Allow + Resource: 'arn:REPLACEMENT_POLICY_PARTITION:s3:::elasticbeanstalk-env-resources-??*?/*' \ No newline at end of file diff --git a/cft/replacements/readonly_policy_statements_cft.yml b/cft/replacements/readonly_policy_statements_cft.yml new file mode 100644 index 0000000..29ed289 --- /dev/null 
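Review bot: The `- REPLACEMENT_READONLY_POLICY_STATEMENTS` item that replaces the Elasticbeanstalk statement in readonly_policy.yml is a list entry whose replacement is itself a list (`readonly_policy_statements.yml` starts with `- Sid:`), and the generated JSON shows it is spliced flat rather than nested, but nothing at this line says which of the two new statement files is used where or that a list is expected; a trailing comment would prevent the next edit from putting a mapping here: `- REPLACEMENT_READONLY_POLICY_STATEMENTS # list spliced by cft-replacer/replacer.js: *_cft.yml (!Sub partition) for templates, readonly_policy_statements.yml (literal partition) for IAM JSON`. The two statement files now duplicate the same `s3:GetObject` statement and differ only in how the partition is expressed, so an action or resource change to one is easy to miss in the other; a comment in each pointing at its twin would reduce that drift risk. This applies to the readonly_policy_statements.yml hunk here and the readonly_policy_statements_cft.yml hunk that follows.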
+++ b/cft/replacements/readonly_policy_statements_cft.yml @@ -0,0 +1,5 @@ +- Sid: ElasticbeanstalkConfigurationSettingsPermission + Action: + - 's3:GetObject' + Effect: Allow + Resource: !Sub 'arn:${AWS::Partition}:s3:::elasticbeanstalk-env-resources-??*?/*' \ No newline at end of file