Merge pull request #71 from zanerock/work-liquid-labs/cloudsite/36

Determine and provide template for operator IAM policy

README.md

@@ -1,10 +1,5 @@
 # Cloudsite
 
-___This is alpha software and there's a bug in the documentation._  If you really like the project, you're welcome to contribute. Also, we provide support on [our discord channel](https://discord.gg/QWAav6fZ5C). You can also support the project on [Patreon @zanecodes](https://patreon.com/zanecodes).
-
-------------
-
-
 Low cost, high performance cloud based website hosting manager. Cloudsite features CDN integration, DoS protection, free SSL certificates, and contact forms. In addition, since Cloudsite use "pay as you go" cloud infrastructure, hosting costs are generally well below typical market rates.
 
 - [Installation](#installation)
@@ -17,6 +12,8 @@ Low cost, high performance cloud based website hosting manager. Cloudsite featur
 - [Contributing](#contributing)
 - [Support and feature requests](#support-and-feature-requests)
 
+If you appreciate this project, you can support us on [Patreon @zanecodes](https://patreon.com/zanecodes). We also provide support on [our discord channel](https://discord.gg/QWAav6fZ5C).
+
 ## Installation
 
 ### CLI installation
@@ -79,8 +76,6 @@ Cloudsite works by setting up AWS infrastructure within your own AWS account. Th
 
 If you aren't in a hurry, you might want to set up SSO authentication to start with. Otherwise, you can [setup access key authentication](#authenticating-with-api-keys) to get started quickly and then set up [SSO authentication](#sso-authentication) later (and then delete + disable your access keys).
 
-Note the following instructions use the 'PowerUserAccess' permissions policy, which is overbroad for our needs. Refer to the [Known limitations](#known-limitations) section for additional info.
-
 ### Sign up for your AWS account
 
 If you don't already have one, the first step is to create your AWS root account.
@@ -94,6 +89,21 @@ If you don't already have one, the first step is to create your AWS root account
 
 SSO authentication uses the new [AWS Identity Center](https://us-east-1.console.aws.amazon.com/singlesignon/home) to enable single-sign on across multiple AWS accounts. SSO is also integrated with the `aws` CLI tool and is the method by which we can create time-limited session credentials.
 
+#### Set up the CloudSiteManager policy
+
+1. Log into your AWS root account in the [AWS console](https://aws.amazon.com).
+2. In the 'Services' bar up top, search for 'IAM' and select that service or [click here](https://us-east-1.console.aws.amazon.com/iam/home).
+3. Select 'Policies' from the left hand menu options.
+4. Select 'Create policy'.
+5. Select the 'JSON' option.
+6. From the command line, execute:
+   ```bash
+   cloudsite get-iam-policy
+   ```
+7. Copy the output from the terminal and replace the JSON text in the Policy editor with the text from the terminal.
+8. Click 'Next'.
+9. Under 'Policy name' enter 'CloudSiteManager' and click 'Create policy'.
+
 #### Create SSO user, group, and set permissions
 
 First, we need to create your SSO user. It's considered best practice to assign permissions to groups and then add users those groups, so that's what we're going to do.
@@ -109,17 +119,19 @@ First, we need to create your SSO user. It's considered best practice to assign
 9. Select 'Create group'.
 10. For group name, enter 'cloudsite-managers' (or whatever you prefer). In the 'Add users to group' section, click the checkmark by the user you just created.
 11. From the left-hand menu, select 'Permission sets'.
-12. Under 'Types', select 'Predefined permission set' and then select the radio button for 'PowerUserAccess'.
-13. On the 'Specify permission set details' page, the 'Permission set name' is prefilled and you can leave as is. Increase the 'Session duration' if you like. When done, hit 'Next'.
-14. Review and click 'Create'.
-15. From the left-hand menu, select 'AWS accounts'.
-16. You should see your root account listed. Click the checkbox next to the root account and click 'Assign users or groups'.
-17. Select the 'Cloudsite managers' group you just created (or whatever you called it).
-18. On the 'Assign permission sets' page, select 'PowerUserAccess' and click 'Next'.
-19. Review and click 'Submit'.
-20. Just to make things a little nicer, let's rename your SSO access portal page. On the right hand side, in the 'Settings summary' box, click 'Edit' next to 'Instance name'.
-21. Choose a (free) instance name; this could be based on your own name or your organization's. We used 'liquid-labs'.
-22. You should receive an email titled something like 'Invitation to join AWS IAM Identity Center'. Open that email and click the 'Accept invitation'. This will take you to AWS Identity Center and ask you to create a password for the account.
+12. Under 'Types', select 'Custom permission set' and then hit 'Next'.
+13. Expand the 'Customer Managed Policies' section and click 'Attach policies'.
+14. Where it says 'Enter policy names', enter 'CloudSiteManager' and hit next.
+15. On the 'Specify permission set details' page, under 'Permission set name', enter 'CloudSiteManager'. When done, hit 'Next'.
+16. Review and click 'Create'.
+17. From the left-hand menu, select 'AWS accounts'.
+18. You should see your root account listed. Click the checkbox next to the root account and click 'Assign users or groups'.
+19. Select the 'Cloudsite managers' group you just created (or whatever you called it).
+20. On the 'Assign permission sets' page, select 'PowerUserAccess' and click 'Next'.
+21. Review and click 'Submit'.
+22. Just to make things a little nicer, let's rename your SSO access portal page. On the right hand side, in the 'Settings summary' box, click 'Edit' next to 'Instance name'.
+23. Choose a (free) instance name; this could be based on your own name or your organization's. We used 'liquid-labs'.
+24. You should receive an email titled something like 'Invitation to join AWS IAM Identity Center'. Open that email and click the 'Accept invitation'. This will take you to AWS Identity Center and ask you to create a password for the account.
 
 #### Local SSO configuration and authentication
 
@@ -279,6 +291,7 @@ cloudsite update your-domain.com
 - [`create`](#cloudsite-create): Creates a new website, setting up infrastructure and copying content.
 - [`destroy`](#cloudsite-destroy): Destroys the named site. I.e., deletes all cloud resources associated with the site.
 - [`detail`](#cloudsite-detail): Prints details for the indicated site.
+- [`get-iam-policy`](#cloudsite-get-iam-policy): Prints an IAM policy suitable for operating cloudsite.
 - [`list`](#cloudsite-list): Lists the sites registered in the local database.
 - [`plugin-settings`](#cloudsite-plugin-settings): Sets (or deletes) a site option.
 - [`update`](#cloudsite-update): Updates a website content and/or infrastructure.
@@ -354,6 +367,17 @@ Prints details for the indicated site.
 |`[apex-domain]`|(_main argument_,_required_) The domain of the site to detail.|
 |`--format`|Sets the format for the output. May be 'terminal' (default), 'text', 'json', or 'yaml'.|
 
+<span id="cloudsite-get-iam-policy"></span>
+#### `cloudsite get-iam-policy <options>`
+
+Prints an IAM policy suitable for operating cloudsite.
+
+##### `get-iam-policy` options
+
+|Option|Description|
+|------|------|
+|`--with-instructions`|When set, will print instructions for creating the policy along with the policy.|
+
 <span id="cloudsite-list"></span>
 #### `cloudsite list <options>`
 
@@ -416,7 +440,6 @@ Verifies the site is up and running and that the stack and content are up-to-dat
 
 ## Known limitations
 
-- The current setup instructions grant the user 'PowerUserAccess', which is overly broad. We need to determine what permissions are needed and generate a permissions policy document with only the necessary permissions. See [issue #36](https://github.com/liquid-labs/cloudsite/issues/36).
 - The permissions used by the 'ContactHandler' Lambda function are overly broad and need to be narrowed. See [issue #34](https://github.com/liquid-labs/cloudsite/issues/34).
 
 ## Contributing

src/cli/cloudsite.mjs

@@ -9,6 +9,7 @@ import { handleConfiguration } from './lib/handle-configuration'
 import { handleCreate } from './lib/handle-create'
 import { handleDestroy } from './lib/handle-destroy'
 import { handleDetail } from './lib/handle-detail'
+import { handleGetIAMPolicy } from './lib/handle-get-iam-policy'
 import { handleList } from './lib/handle-list'
 import { handlePluginSettings } from './lib/handle-plugin-settings'
 import { handleUpdate } from './lib/handle-update'
@@ -60,6 +61,8 @@ const cloudsite = async () => {
       case 'document':
         console.log(commandLineDocumentation(cliSpec, { sectionDepth : 2, title : 'Command reference' }))
         break
+      case 'get-iam-policy':
+        await handleGetIAMPolicy({ argv }); break
       case 'list':
         await handleList({ argv, globalOptions, sitesInfo }); break
       case 'plugin-settings':

src/cli/constants.mjs

@@ -124,6 +124,17 @@ const cliSpec = {
         }
       ]
     },
+    {
+      name        : 'get-iam-policy',
+      description : 'Prints an IAM policy suitable for operating cloudsite.',
+      arguments   : [
+        {
+          name        : 'with-instructions',
+          description : 'When set, will print instructions for creating the policy along with the policy.',
+          type        : Boolean
+        }
+      ]
+    },
     {
       name        : 'list',
       description : 'Lists the sites registered in the local database.',

src/cli/lib/handle-get-iam-policy.mjs

@@ -0,0 +1,110 @@
+import commandLineArgs from 'command-line-args'
+
+import { cliSpec } from '../constants'
+
+const iamPolicy = {
+  Version   : '2012-10-17',
+  Statement : [
+    {
+      Sid    : 'VisualEditor0',
+      Effect : 'Allow',
+      Action : [
+        'acm:ListCertificates',
+        'acm:RequestCertificate',
+        'cloudformation:DescribeStackDriftDetectionStatus',
+        'cloudformation:DescribeStackEvents',
+        'cloudformation:DescribeStacks',
+        'cloudformation:ListChangeSets',
+        'cloudformation:DetectStackDrift',
+        'cloudformation:GetTemplate',
+        'cloudformation:CreateStack',
+        'cloudformation:DeleteStack',
+        'cloudformation:UpdateStack',
+        'cloudfront:CreateDistribution',
+        'cloudfront:CreateInvalidation',
+        'cloudfront:CreateOriginAccessControl',
+        'cloudfront:DeleteDistribution',
+        'cloudfront:DeleteOriginAccessControl',
+        'cloudfront:GetDistribution',
+        'cloudfront:GetOriginAccessControl',
+        'cloudfront:ListDistributions',
+        'cloudfront:ListOriginAccessControls',
+        'cloudfront:TagResource',
+        'cloudfront:UpdateDistribution',
+        'cloudfront:UpdateOriginAccessControl',
+        'dynamodb:CreateTable',
+        'dynamodb:DeleteTable',
+        'dynamodb:DescribeTable',
+        'dynamodb:UpdateTable',
+        'iam:AttachRolePolicy',
+        'iam:CreateRole',
+        'iam:DeleteRole',
+        'iam:DetachRolePolicy',
+        'iam:DeleteRolePolicy',
+        'iam:GetRole',
+        'iam:PutRolePolicy',
+        'iam:UpdateRole',
+        'lambda:AddPermission',
+        'lambda:CreateFunction',
+        'lambda:CreateEventSourceMapping',
+        'lambda:CreateFunctionUrlConfig',
+        'lambda:DeleteEventSourceMapping',
+        'lambda:DeleteFunction',
+        'lambda:DeleteFunctionUrlConfig',
+        'lambda:EnableReplication',
+        'lambda:GetEventSourceMapping',
+        'lambda:GetFunction',
+        'lambda:GetFunctionConfiguration',
+        'lambda:GetFunctionUrlConfig',
+        'lambda:ListFunctions',
+        'lambda:ListFunctionUrlConfigs',
+        'lambda:ListVersionsByFunction',
+        'iam:PassRole',
+        'lambda:PublishVersion',
+        'lambda:RemovePermission',
+        'lambda:UpdateFunctionUrlConfig',
+        'logs:CreateLogGroup',
+        'logs:DeleteLogGroup',
+        'logs:DeleteRetentionPolicy',
+        'logs:PutRetentionPolicy',
+        'route53:ListHostedZones',
+        'route53:ChangeResourceRecordSets',
+        'route53:ListResourceRecordSets',
+        's3:CreateBucket',
+        's3:PutObject',
+        's3:DeleteObject',
+        's3:DeleteBucket',
+        's3:DeleteBucketPolicy',
+        's3:GetObject',
+        's3:ListBucket',
+        's3:PutBucketAcl',
+        's3:PutBucketPolicy',
+        's3:*'
+      ],
+      Resource : [
+        '*'
+      ]
+    }
+  ]
+}
+
+const instructions =
+`1. Log into the AWS console.
+2. Select/navigate to the IAM service.
+3. Select 'Policies' from the left hand menu options.
+4. Select 'Create policy'.
+5. Select the 'JSON' option.
+6. Replace the JSON with the text below.`
+
+const handleGetIAMPolicy = ({ argv }) => {
+  const getIAMPolicyOptionsSpec = cliSpec.commands.find(({ name }) => name === 'get-iam-policy').arguments
+  const getIAMPolicyOptions = commandLineArgs(getIAMPolicyOptionsSpec, { argv })
+  const withInstructions = getIAMPolicyOptions['with-instructions']
+
+  if (withInstructions === true) {
+    process.stdout.write(instructions + '\n\n')
+  }
+  process.stdout.write(JSON.stringify(iamPolicy, null, '  ') + '\n')
+}
+
+export { handleGetIAMPolicy }

src/docs/README-prefix.md

@@ -1,10 +1,5 @@
 # Cloudsite
 
-___This is alpha software and there's a bug in the documentation._  If you really like the project, you're welcome to contribute. Also, we provide support on [our discord channel](https://discord.gg/QWAav6fZ5C). You can also support the project on [Patreon @zanecodes](https://patreon.com/zanecodes).
-
-------------
-
-
 Low cost, high performance cloud based website hosting manager. Cloudsite features CDN integration, DoS protection, free SSL certificates, and contact forms. In addition, since Cloudsite use "pay as you go" cloud infrastructure, hosting costs are generally well below typical market rates.
 
 - [Installation](#installation)
@@ -17,6 +12,8 @@ Low cost, high performance cloud based website hosting manager. Cloudsite featur
 - [Contributing](#contributing)
 - [Support and feature requests](#support-and-feature-requests)
 
+If you appreciate this project, you can support us on [Patreon @zanecodes](https://patreon.com/zanecodes). We also provide support on [our discord channel](https://discord.gg/QWAav6fZ5C).
+
 ## Installation
 
 ### CLI installation
@@ -79,8 +76,6 @@ Cloudsite works by setting up AWS infrastructure within your own AWS account. Th
 
 If you aren't in a hurry, you might want to set up SSO authentication to start with. Otherwise, you can [setup access key authentication](#authenticating-with-api-keys) to get started quickly and then set up [SSO authentication](#sso-authentication) later (and then delete + disable your access keys).
 
-Note the following instructions use the 'PowerUserAccess' permissions policy, which is overbroad for our needs. Refer to the [Known limitations](#known-limitations) section for additional info.
-
 ### Sign up for your AWS account
 
 If you don't already have one, the first step is to create your AWS root account.
@@ -94,6 +89,21 @@ If you don't already have one, the first step is to create your AWS root account
 
 SSO authentication uses the new [AWS Identity Center](https://us-east-1.console.aws.amazon.com/singlesignon/home) to enable single-sign on across multiple AWS accounts. SSO is also integrated with the `aws` CLI tool and is the method by which we can create time-limited session credentials.
 
+#### Set up the CloudSiteManager policy
+
+1. Log into your AWS root account in the [AWS console](https://aws.amazon.com).
+2. In the 'Services' bar up top, search for 'IAM' and select that service or [click here](https://us-east-1.console.aws.amazon.com/iam/home).
+3. Select 'Policies' from the left hand menu options.
+4. Select 'Create policy'.
+5. Select the 'JSON' option.
+6. From the command line, execute:
+   ```bash
+   cloudsite get-iam-policy
+   ```
+7. Copy the output from the terminal and replace the JSON text in the Policy editor with the text from the terminal.
+8. Click 'Next'.
+9. Under 'Policy name' enter 'CloudSiteManager' and click 'Create policy'.
+
 #### Create SSO user, group, and set permissions
 
 First, we need to create your SSO user. It's considered best practice to assign permissions to groups and then add users those groups, so that's what we're going to do.
@@ -109,17 +119,19 @@ First, we need to create your SSO user. It's considered best practice to assign
 9. Select 'Create group'.
 10. For group name, enter 'cloudsite-managers' (or whatever you prefer). In the 'Add users to group' section, click the checkmark by the user you just created.
 11. From the left-hand menu, select 'Permission sets'.
-12. Under 'Types', select 'Predefined permission set' and then select the radio button for 'PowerUserAccess'.
-13. On the 'Specify permission set details' page, the 'Permission set name' is prefilled and you can leave as is. Increase the 'Session duration' if you like. When done, hit 'Next'.
-14. Review and click 'Create'.
-15. From the left-hand menu, select 'AWS accounts'.
-16. You should see your root account listed. Click the checkbox next to the root account and click 'Assign users or groups'.
-17. Select the 'Cloudsite managers' group you just created (or whatever you called it).
-18. On the 'Assign permission sets' page, select 'PowerUserAccess' and click 'Next'.
-19. Review and click 'Submit'.
-20. Just to make things a little nicer, let's rename your SSO access portal page. On the right hand side, in the 'Settings summary' box, click 'Edit' next to 'Instance name'.
-21. Choose a (free) instance name; this could be based on your own name or your organization's. We used 'liquid-labs'.
-22. You should receive an email titled something like 'Invitation to join AWS IAM Identity Center'. Open that email and click the 'Accept invitation'. This will take you to AWS Identity Center and ask you to create a password for the account.
+12. Under 'Types', select 'Custom permission set' and then hit 'Next'.
+13. Expand the 'Customer Managed Policies' section and click 'Attach policies'.
+14. Where it says 'Enter policy names', enter 'CloudSiteManager' and hit next.
+15. On the 'Specify permission set details' page, under 'Permission set name', enter 'CloudSiteManager'. When done, hit 'Next'.
+16. Review and click 'Create'.
+17. From the left-hand menu, select 'AWS accounts'.
+18. You should see your root account listed. Click the checkbox next to the root account and click 'Assign users or groups'.
+19. Select the 'Cloudsite managers' group you just created (or whatever you called it).
+20. On the 'Assign permission sets' page, select 'PowerUserAccess' and click 'Next'.
+21. Review and click 'Submit'.
+22. Just to make things a little nicer, let's rename your SSO access portal page. On the right hand side, in the 'Settings summary' box, click 'Edit' next to 'Instance name'.
+23. Choose a (free) instance name; this could be based on your own name or your organization's. We used 'liquid-labs'.
+24. You should receive an email titled something like 'Invitation to join AWS IAM Identity Center'. Open that email and click the 'Accept invitation'. This will take you to AWS Identity Center and ask you to create a password for the account.
 
 #### Local SSO configuration and authentication
 

src/docs/README-suffix.md

@@ -1,6 +1,5 @@
 ## Known limitations
 
-- The current setup instructions grant the user 'PowerUserAccess', which is overly broad. We need to determine what permissions are needed and generate a permissions policy document with only the necessary permissions. See [issue #36](https://github.com/liquid-labs/cloudsite/issues/36).
 - The permissions used by the 'ContactHandler' Lambda function are overly broad and need to be narrowed. See [issue #34](https://github.com/liquid-labs/cloudsite/issues/34).
 
 ## Contributing