Determine and provide template for operator IAM policy #71

Merged
merged 6 commits into from
Mar 16, 2024
61 changes: 42 additions & 19 deletions README.md
@@ -1,10 +1,5 @@
# Cloudsite

___This is alpha software and there's a bug in the documentation._ If you really like the project, you're welcome to contribute. Also, we provide support on [our discord channel](https://discord.gg/QWAav6fZ5C). You can also support the project on [Patreon @zanecodes](https://patreon.com/zanecodes).

------------


Low cost, high performance cloud based website hosting manager. Cloudsite features CDN integration, DoS protection, free SSL certificates, and contact forms. In addition, since Cloudsite use "pay as you go" cloud infrastructure, hosting costs are generally well below typical market rates.

- [Installation](#installation)
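Review bot: the alpha-software caveat in the removed paragraph ("This is alpha software and there's a bug in the documentation") does not reappear anywhere in this diff; the line added after the table of contents carries only the Patreon and Discord links. If the project is still alpha, keep that sentence (minus the stray triple underscore) so users are warned before they point the tool at their own AWS account.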
@@ -17,6 +12,8 @@ Low cost, high performance cloud based website hosting manager. Cloudsite featur
- [Contributing](#contributing)
- [Support and feature requests](#support-and-feature-requests)

If you appreciate this project, you can support us on [Patreon @zanecodes](https://patreon.com/zanecodes). We also provide support on [our discord channel](https://discord.gg/QWAav6fZ5C).

## Installation

### CLI installation
@@ -79,8 +76,6 @@ Cloudsite works by setting up AWS infrastructure within your own AWS account. Th

If you aren't in a hurry, you might want to set up SSO authentication to start with. Otherwise, you can [setup access key authentication](#authenticating-with-api-keys) to get started quickly and then set up [SSO authentication](#sso-authentication) later (and then delete + disable your access keys).

Note the following instructions use the 'PowerUserAccess' permissions policy, which is overbroad for our needs. Refer to the [Known limitations](#known-limitations) section for additional info.

### Sign up for your AWS account

If you don't already have one, the first step is to create your AWS root account.
@@ -94,6 +89,21 @@ If you don't already have one, the first step is to create your AWS root account

SSO authentication uses the new [AWS Identity Center](https://us-east-1.console.aws.amazon.com/singlesignon/home) to enable single-sign on across multiple AWS accounts. SSO is also integrated with the `aws` CLI tool and is the method by which we can create time-limited session credentials.

#### Set up the CloudSiteManager policy

1. Log into your AWS root account in the [AWS console](https://aws.amazon.com).
2. In the 'Services' bar up top, search for 'IAM' and select that service or [click here](https://us-east-1.console.aws.amazon.com/iam/home).
3. Select 'Policies' from the left hand menu options.
4. Select 'Create policy'.
5. Select the 'JSON' option.
6. From the command line, execute:
```bash
cloudsite get-iam-policy
```
7. Copy the output from the terminal and replace the JSON text in the Policy editor with the text from the terminal.
8. Click 'Next'.
9. Under 'Policy name' enter 'CloudSiteManager' and click 'Create policy'.

#### Create SSO user, group, and set permissions

First, we need to create your SSO user. It's considered best practice to assign permissions to groups and then add users those groups, so that's what we're going to do.
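Review bot: the fenced `cloudsite get-iam-policy` block in step 6 is not indented under its list item, so most Markdown renderers will close the ordered list there and restart numbering at step 7; indent the fence (and its closing backticks) three spaces to keep the list intact. Step 6 also assumes the `cloudsite` CLI is already installed, which is covered under 'CLI installation' earlier in the file; a short back-reference would help readers who jump to this section from the table of contents.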
@@ -109,17 +119,19 @@ First, we need to create your SSO user. It's considered best practice to assign
9. Select 'Create group'.
10. For group name, enter 'cloudsite-managers' (or whatever you prefer). In the 'Add users to group' section, click the checkmark by the user you just created.
11. From the left-hand menu, select 'Permission sets'.
12. Under 'Types', select 'Predefined permission set' and then select the radio button for 'PowerUserAccess'.
13. On the 'Specify permission set details' page, the 'Permission set name' is prefilled and you can leave as is. Increase the 'Session duration' if you like. When done, hit 'Next'.
14. Review and click 'Create'.
15. From the left-hand menu, select 'AWS accounts'.
16. You should see your root account listed. Click the checkbox next to the root account and click 'Assign users or groups'.
17. Select the 'Cloudsite managers' group you just created (or whatever you called it).
18. On the 'Assign permission sets' page, select 'PowerUserAccess' and click 'Next'.
19. Review and click 'Submit'.
20. Just to make things a little nicer, let's rename your SSO access portal page. On the right hand side, in the 'Settings summary' box, click 'Edit' next to 'Instance name'.
21. Choose a (free) instance name; this could be based on your own name or your organization's. We used 'liquid-labs'.
22. You should receive an email titled something like 'Invitation to join AWS IAM Identity Center'. Open that email and click the 'Accept invitation'. This will take you to AWS Identity Center and ask you to create a password for the account.
12. Under 'Types', select 'Custom permission set' and then hit 'Next'.
13. Expand the 'Customer Managed Policies' section and click 'Attach policies'.
14. Where it says 'Enter policy names', enter 'CloudSiteManager' and hit next.
15. On the 'Specify permission set details' page, under 'Permission set name', enter 'CloudSiteManager'. When done, hit 'Next'.
16. Review and click 'Create'.
17. From the left-hand menu, select 'AWS accounts'.
18. You should see your root account listed. Click the checkbox next to the root account and click 'Assign users or groups'.
19. Select the 'Cloudsite managers' group you just created (or whatever you called it).
20. On the 'Assign permission sets' page, select 'PowerUserAccess' and click 'Next'.
21. Review and click 'Submit'.
22. Just to make things a little nicer, let's rename your SSO access portal page. On the right hand side, in the 'Settings summary' box, click 'Edit' next to 'Instance name'.
23. Choose a (free) instance name; this could be based on your own name or your organization's. We used 'liquid-labs'.
24. You should receive an email titled something like 'Invitation to join AWS IAM Identity Center'. Open that email and click the 'Accept invitation'. This will take you to AWS Identity Center and ask you to create a password for the account.

#### Local SSO configuration and authentication
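Review bot: step 20 still reads "select 'PowerUserAccess'" on the 'Assign permission sets' page, but the permission set created in steps 12 to 16 is now named 'CloudSiteManager' and this flow no longer creates the predefined 'PowerUserAccess' set; the line should say 'CloudSiteManager', otherwise a reader following it verbatim either finds no such set or assigns exactly the broad permission set this PR is retiring. Two smaller points: step 14 ends with lowercase "hit next" where the surrounding steps write 'Next', and the old step 13's tip about raising 'Session duration' was dropped from the new step 15 even though it applies equally to a custom permission set.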

@@ -279,6 +291,7 @@ cloudsite update your-domain.com
- [`create`](#cloudsite-create): Creates a new website, setting up infrastructure and copying content.
- [`destroy`](#cloudsite-destroy): Destroys the named site. I.e., deletes all cloud resources associated with the site.
- [`detail`](#cloudsite-detail): Prints details for the indicated site.
- [`get-iam-policy`](#cloudsite-get-iam-policy): Prints an IAM policy suitable for operating cloudsite.
- [`list`](#cloudsite-list): Lists the sites registered in the local database.
- [`plugin-settings`](#cloudsite-plugin-settings): Sets (or deletes) a site option.
- [`update`](#cloudsite-update): Updates a website content and/or infrastructure.
@@ -354,6 +367,17 @@ Prints details for the indicated site.
|`[apex-domain]`|(_main argument_,_required_) The domain of the site to detail.|
|`--format`|Sets the format for the output. May be 'terminal' (default), 'text', 'json', or 'yaml'.|

<span id="cloudsite-get-iam-policy"></span>
#### `cloudsite get-iam-policy <options>`

Prints an IAM policy suitable for operating cloudsite.

##### `get-iam-policy` options

|Option|Description|
|------|------|
|`--with-instructions`|When set, will print instructions for creating the policy along with the policy.|

<span id="cloudsite-list"></span>
#### `cloudsite list <options>`

@@ -416,7 +440,6 @@ Verifies the site is up and running and that the stack and content are up-to-dat

## Known limitations

- The current setup instructions grant the user 'PowerUserAccess', which is overly broad. We need to determine what permissions are needed and generate a permissions policy document with only the necessary permissions. See [issue #36](https://github.com/liquid-labs/cloudsite/issues/36).
- The permissions used by the 'ContactHandler' Lambda function are overly broad and need to be narrowed. See [issue #34](https://github.com/liquid-labs/cloudsite/issues/34).

## Contributing
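Review bot: deleting the issue #36 bullet leaves the README with no statement that the generated 'CloudSiteManager' policy (handle-get-iam-policy.mjs in this PR) still grants every listed action on `Resource: ['*']` and includes `s3:*`, so it is narrower than PowerUserAccess but not least-privilege. Suggest replacing the bullet rather than removing it, along the lines of "The generated operator policy grants its actions on all resources and full S3 access; scoping it to Cloudsite's own resources is still to be done."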
3 changes: 3 additions & 0 deletions src/cli/cloudsite.mjs
@@ -9,6 +9,7 @@ import { handleConfiguration } from './lib/handle-configuration'
import { handleCreate } from './lib/handle-create'
import { handleDestroy } from './lib/handle-destroy'
import { handleDetail } from './lib/handle-detail'
import { handleGetIAMPolicy } from './lib/handle-get-iam-policy'
import { handleList } from './lib/handle-list'
import { handlePluginSettings } from './lib/handle-plugin-settings'
import { handleUpdate } from './lib/handle-update'
@@ -60,6 +61,8 @@ const cloudsite = async () => {
case 'document':
console.log(commandLineDocumentation(cliSpec, { sectionDepth : 2, title : 'Command reference' }))
break
case 'get-iam-policy':
await handleGetIAMPolicy({ argv }); break
case 'list':
await handleList({ argv, globalOptions, sitesInfo }); break
case 'plugin-settings':
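Review bot: `handleGetIAMPolicy` receives only `{ argv }` while the neighbouring handlers also get `globalOptions`; if global flags are meant to apply to the new command (the README documents `--format` for sibling commands such as `detail`), pass `globalOptions` through here. Also, the call is `await`ed but the handler exported from handle-get-iam-policy.mjs is synchronous; harmless, but either declare it `async` like the others or drop the `await` for consistency.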
11 changes: 11 additions & 0 deletions src/cli/constants.mjs
@@ -124,6 +124,17 @@ const cliSpec = {
}
]
},
{
name : 'get-iam-policy',
description : 'Prints an IAM policy suitable for operating cloudsite.',
arguments : [
{
name : 'with-instructions',
description : 'When set, will print instructions for creating the policy along with the policy.',
type : Boolean
}
]
},
{
name : 'list',
description : 'Lists the sites registered in the local database.',
110 changes: 110 additions & 0 deletions src/cli/lib/handle-get-iam-policy.mjs
@@ -0,0 +1,110 @@
import commandLineArgs from 'command-line-args'

import { cliSpec } from '../constants'

const iamPolicy = {
Version : '2012-10-17',
Statement : [
{
Sid : 'VisualEditor0',
Effect : 'Allow',
Action : [
'acm:ListCertificates',
'acm:RequestCertificate',
'cloudformation:DescribeStackDriftDetectionStatus',
'cloudformation:DescribeStackEvents',
'cloudformation:DescribeStacks',
'cloudformation:ListChangeSets',
'cloudformation:DetectStackDrift',
'cloudformation:GetTemplate',
'cloudformation:CreateStack',
'cloudformation:DeleteStack',
'cloudformation:UpdateStack',
'cloudfront:CreateDistribution',
'cloudfront:CreateInvalidation',
'cloudfront:CreateOriginAccessControl',
'cloudfront:DeleteDistribution',
'cloudfront:DeleteOriginAccessControl',
'cloudfront:GetDistribution',
'cloudfront:GetOriginAccessControl',
'cloudfront:ListDistributions',
'cloudfront:ListOriginAccessControls',
'cloudfront:TagResource',
'cloudfront:UpdateDistribution',
'cloudfront:UpdateOriginAccessControl',
'dynamodb:CreateTable',
'dynamodb:DeleteTable',
'dynamodb:DescribeTable',
'dynamodb:UpdateTable',
'iam:AttachRolePolicy',
'iam:CreateRole',
'iam:DeleteRole',
'iam:DetachRolePolicy',
'iam:DeleteRolePolicy',
'iam:GetRole',
'iam:PutRolePolicy',
'iam:UpdateRole',
'lambda:AddPermission',
'lambda:CreateFunction',
'lambda:CreateEventSourceMapping',
'lambda:CreateFunctionUrlConfig',
'lambda:DeleteEventSourceMapping',
'lambda:DeleteFunction',
'lambda:DeleteFunctionUrlConfig',
'lambda:EnableReplication',
'lambda:GetEventSourceMapping',
'lambda:GetFunction',
'lambda:GetFunctionConfiguration',
'lambda:GetFunctionUrlConfig',
'lambda:ListFunctions',
'lambda:ListFunctionUrlConfigs',
'lambda:ListVersionsByFunction',
'iam:PassRole',
'lambda:PublishVersion',
'lambda:RemovePermission',
'lambda:UpdateFunctionUrlConfig',
'logs:CreateLogGroup',
'logs:DeleteLogGroup',
'logs:DeleteRetentionPolicy',
'logs:PutRetentionPolicy',
'route53:ListHostedZones',
'route53:ChangeResourceRecordSets',
'route53:ListResourceRecordSets',
's3:CreateBucket',
's3:PutObject',
's3:DeleteObject',
's3:DeleteBucket',
's3:DeleteBucketPolicy',
's3:GetObject',
's3:ListBucket',
's3:PutBucketAcl',
's3:PutBucketPolicy',
's3:*'
],
Resource : [
'*'
]
}
]
}

const instructions =
`1. Log into the AWS console.
2. Select/navigate to the IAM service.
3. Select 'Policies' from the left hand menu options.
4. Select 'Create policy'.
5. Select the 'JSON' option.
6. Replace the JSON with the text below.`

const handleGetIAMPolicy = ({ argv }) => {
const getIAMPolicyOptionsSpec = cliSpec.commands.find(({ name }) => name === 'get-iam-policy').arguments
const getIAMPolicyOptions = commandLineArgs(getIAMPolicyOptionsSpec, { argv })
const withInstructions = getIAMPolicyOptions['with-instructions']

if (withInstructions === true) {
process.stdout.write(instructions + '\n\n')
}
process.stdout.write(JSON.stringify(iamPolicy, null, ' ') + '\n')
}

export { handleGetIAMPolicy }
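Review bot: the trailing `'s3:*'` in the Action list makes the nine enumerated `s3:` actions above it dead weight and, combined with `Resource: ['*']`, grants every S3 action (including bucket-policy and ACL changes) on every bucket in the account; drop `'s3:*'` and keep the explicit list, adding a specific action if one was found missing. The same `Resource: ['*']` applied to `iam:CreateRole`, `iam:AttachRolePolicy`, `iam:PutRolePolicy` and `iam:PassRole` means the permission set can still create and hand out roles of arbitrary power, so this is not yet the narrow operator policy the PR title describes; scoping those entries to an ARN pattern for Cloudsite's own roles (for example `arn:aws:iam::*:role/cloudsite-*`, assuming the stack names its roles with such a prefix) and adding an `iam:PassedToService` condition of `lambda.amazonaws.com` to `iam:PassRole` would close most of that gap. Minor: `Sid: 'VisualEditor0'` is the console's auto-generated name and should be something descriptive, and `'iam:PassRole'` sits among the `lambda:` entries rather than with the other `iam:` actions.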
48 changes: 30 additions & 18 deletions src/docs/README-prefix.md
@@ -1,10 +1,5 @@
# Cloudsite

___This is alpha software and there's a bug in the documentation._ If you really like the project, you're welcome to contribute. Also, we provide support on [our discord channel](https://discord.gg/QWAav6fZ5C). You can also support the project on [Patreon @zanecodes](https://patreon.com/zanecodes).

------------


Low cost, high performance cloud based website hosting manager. Cloudsite features CDN integration, DoS protection, free SSL certificates, and contact forms. In addition, since Cloudsite use "pay as you go" cloud infrastructure, hosting costs are generally well below typical market rates.

- [Installation](#installation)
@@ -17,6 +12,8 @@ Low cost, high performance cloud based website hosting manager. Cloudsite featur
- [Contributing](#contributing)
- [Support and feature requests](#support-and-feature-requests)

If you appreciate this project, you can support us on [Patreon @zanecodes](https://patreon.com/zanecodes). We also provide support on [our discord channel](https://discord.gg/QWAav6fZ5C).

## Installation

### CLI installation
@@ -79,8 +76,6 @@ Cloudsite works by setting up AWS infrastructure within your own AWS account. Th

If you aren't in a hurry, you might want to set up SSO authentication to start with. Otherwise, you can [setup access key authentication](#authenticating-with-api-keys) to get started quickly and then set up [SSO authentication](#sso-authentication) later (and then delete + disable your access keys).

Note the following instructions use the 'PowerUserAccess' permissions policy, which is overbroad for our needs. Refer to the [Known limitations](#known-limitations) section for additional info.

### Sign up for your AWS account

If you don't already have one, the first step is to create your AWS root account.
@@ -94,6 +89,21 @@ If you don't already have one, the first step is to create your AWS root account

SSO authentication uses the new [AWS Identity Center](https://us-east-1.console.aws.amazon.com/singlesignon/home) to enable single-sign on across multiple AWS accounts. SSO is also integrated with the `aws` CLI tool and is the method by which we can create time-limited session credentials.

#### Set up the CloudSiteManager policy

1. Log into your AWS root account in the [AWS console](https://aws.amazon.com).
2. In the 'Services' bar up top, search for 'IAM' and select that service or [click here](https://us-east-1.console.aws.amazon.com/iam/home).
3. Select 'Policies' from the left hand menu options.
4. Select 'Create policy'.
5. Select the 'JSON' option.
6. From the command line, execute:
```bash
cloudsite get-iam-policy
```
7. Copy the output from the terminal and replace the JSON text in the Policy editor with the text from the terminal.
8. Click 'Next'.
9. Under 'Policy name' enter 'CloudSiteManager' and click 'Create policy'.

#### Create SSO user, group, and set permissions

First, we need to create your SSO user. It's considered best practice to assign permissions to groups and then add users those groups, so that's what we're going to do.
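Review bot: the fence in step 6 needs three spaces of indentation to stay inside the ordered list, otherwise numbering restarts at step 7; since README.md appears to be assembled from this prefix file, the indentation has to be fixed here as well as in README.md or the next regeneration will undo it.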
@@ -109,17 +119,19 @@ First, we need to create your SSO user. It's considered best practice to assign
9. Select 'Create group'.
10. For group name, enter 'cloudsite-managers' (or whatever you prefer). In the 'Add users to group' section, click the checkmark by the user you just created.
11. From the left-hand menu, select 'Permission sets'.
12. Under 'Types', select 'Predefined permission set' and then select the radio button for 'PowerUserAccess'.
13. On the 'Specify permission set details' page, the 'Permission set name' is prefilled and you can leave as is. Increase the 'Session duration' if you like. When done, hit 'Next'.
14. Review and click 'Create'.
15. From the left-hand menu, select 'AWS accounts'.
16. You should see your root account listed. Click the checkbox next to the root account and click 'Assign users or groups'.
17. Select the 'Cloudsite managers' group you just created (or whatever you called it).
18. On the 'Assign permission sets' page, select 'PowerUserAccess' and click 'Next'.
19. Review and click 'Submit'.
20. Just to make things a little nicer, let's rename your SSO access portal page. On the right hand side, in the 'Settings summary' box, click 'Edit' next to 'Instance name'.
21. Choose a (free) instance name; this could be based on your own name or your organization's. We used 'liquid-labs'.
22. You should receive an email titled something like 'Invitation to join AWS IAM Identity Center'. Open that email and click the 'Accept invitation'. This will take you to AWS Identity Center and ask you to create a password for the account.
12. Under 'Types', select 'Custom permission set' and then hit 'Next'.
13. Expand the 'Customer Managed Policies' section and click 'Attach policies'.
14. Where it says 'Enter policy names', enter 'CloudSiteManager' and hit next.
15. On the 'Specify permission set details' page, under 'Permission set name', enter 'CloudSiteManager'. When done, hit 'Next'.
16. Review and click 'Create'.
17. From the left-hand menu, select 'AWS accounts'.
18. You should see your root account listed. Click the checkbox next to the root account and click 'Assign users or groups'.
19. Select the 'Cloudsite managers' group you just created (or whatever you called it).
20. On the 'Assign permission sets' page, select 'PowerUserAccess' and click 'Next'.
21. Review and click 'Submit'.
22. Just to make things a little nicer, let's rename your SSO access portal page. On the right hand side, in the 'Settings summary' box, click 'Edit' next to 'Instance name'.
23. Choose a (free) instance name; this could be based on your own name or your organization's. We used 'liquid-labs'.
24. You should receive an email titled something like 'Invitation to join AWS IAM Identity Center'. Open that email and click the 'Accept invitation'. This will take you to AWS Identity Center and ask you to create a password for the account.

#### Local SSO configuration and authentication
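Review bot: step 20 here still selects 'PowerUserAccess' on the 'Assign permission sets' page although the permission set created in steps 12 to 16 is 'CloudSiteManager'; the identical mismatch is in README.md, and because README.md appears to be assembled from this prefix file, the fix must land here or it will be overwritten on the next build.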

1 change: 0 additions & 1 deletion src/docs/README-suffix.md
@@ -1,6 +1,5 @@
## Known limitations

- The current setup instructions grant the user 'PowerUserAccess', which is overly broad. We need to determine what permissions are needed and generate a permissions policy document with only the necessary permissions. See [issue #36](https://github.com/liquid-labs/cloudsite/issues/36).
- The permissions used by the 'ContactHandler' Lambda function are overly broad and need to be narrowed. See [issue #34](https://github.com/liquid-labs/cloudsite/issues/34).

## Contributing
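Review bot: this is the source of the 'Known limitations' section in README.md, so the replacement bullet for the deleted issue #36 entry (the generated policy still uses `Resource: ['*']` and `s3:*`, per handle-get-iam-policy.mjs in this PR) belongs here rather than only in README.md.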