
This project is a companion for a blog post comparing various infrastructure management tools for AWS. As an example, it creates a set of users, groups, and roles as described in this blog post.

The four tools that I compare are:

  • CloudFormation, the AWS standard for declarative infrastructure.
  • CFNDSL, a Ruby gem that allows generating CloudFormation templates programmatically.
  • CDK, an AWS-supported open-source project for generating and deploying CloudFormation templates.
  • Terraform, the leading non-AWS contender for managing infrastructure declaratively.

General Notes

To run, you must have the ability to create users, groups, and policies (essentially, admin-level rights). I strongly recommend running in a "sandbox" account so that you won't interfere with operational users/groups.

Each variant lives in its own sub-directory, so that it can create artifacts without interfering with the others (this is particularly important for Terraform and CDK). Each variant has a README that describes how to run it.

Resources Created

Each variant of this project creates the following resources:

  • Three users: user1, user2, and user3.
  • Two groups: group and group2, which have permissions to assume specific roles.

It does not create the various IAM roles referenced by the group policies, as that's beyond the scope of the example (and the roles don't need to exist to be referenced).

It also does not create a managed policy named BasicUserPolicy, even though that policy must exist for the users to be successfully created. For demonstration purposes, you can create a policy with no permissions. If you'd like to use a real policy, here's the one we use for our sandbox accounts:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "iam:UploadSSHPublicKey",
                "iam:UpdateSSHPublicKey",
                "iam:UpdateAccessKey",
                "iam:List*",
                "iam:Get*",
                "iam:EnableMFADevice",
                "iam:DeleteSSHPublicKey",
                "iam:DeleteAccessKey",
                "iam:CreateAccessKey",
                "iam:ChangePassword"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "iam:DeleteVirtualMFADevice",
            "Resource": "arn:aws:iam::*:mfa/${aws:username}"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "iam:ListVirtualMFADevices",
                "iam:CreateVirtualMFADevice"
            ],
            "Resource": "*"
        }
    ]
}
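The security-relevant property of this policy is that every self-service permission is pinned to the calling user through the `${aws:username}` policy variable, and only the two virtual-MFA actions (which operate on a device that has no owner until it is enabled) are granted against `Resource: "*"`. The following script is an added example, not part of this project or its blog post: it embeds a constructed copy of the policy above plus a deliberately over-broad variant, and checks both against those two rules before you would attach them to every sandbox user. The allow-list of actions permitted on a wildcard resource (`WILDCARD_OK`) is my reading of the policy's intent, not something the README states.

```python
import json

# The README's BasicUserPolicy, embedded as a Python dict (constructed copy so
# the check runs offline without touching an AWS account).
BASIC_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "", "Effect": "Allow",
         "Action": ["iam:UploadSSHPublicKey", "iam:UpdateSSHPublicKey",
                    "iam:UpdateAccessKey", "iam:List*", "iam:Get*",
                    "iam:EnableMFADevice", "iam:DeleteSSHPublicKey",
                    "iam:DeleteAccessKey", "iam:CreateAccessKey",
                    "iam:ChangePassword"],
         "Resource": "arn:aws:iam::*:user/${aws:username}"},
        {"Sid": "", "Effect": "Allow",
         "Action": "iam:DeleteVirtualMFADevice",
         "Resource": "arn:aws:iam::*:mfa/${aws:username}"},
        {"Sid": "", "Effect": "Allow",
         "Action": ["iam:ListVirtualMFADevices", "iam:CreateVirtualMFADevice"],
         "Resource": "*"},
    ],
}

# A constructed, deliberately over-broad variant used to show what the check
# flags: the access-key statement applies to every user, not just the caller.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey"],
         "Resource": "arn:aws:iam::*:user/*"},
        {"Effect": "Allow", "Action": "iam:ListVirtualMFADevices", "Resource": "*"},
    ],
}

# Actions that legitimately need Resource "*" in a self-service policy
# (assumption about intent: a virtual MFA device has no owner until enabled).
WILDCARD_OK = frozenset({"iam:ListVirtualMFADevices", "iam:CreateVirtualMFADevice"})
CALLER_VARIABLE = "${aws:username}"


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_scoping_violations(policy, wildcard_ok=WILDCARD_OK):
    """Return (statement_index, action, reason) for every Allow grant that is
    neither pinned to the calling user nor on the wildcard allow-list.
    Accepts the policy as a dict or as a JSON string."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    violations = []
    for index, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not checked here
        actions = _as_list(stmt.get("Action", []))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                bad = [a for a in actions if a not in wildcard_ok]
                reason = "Resource is * but action is not on the wildcard allow-list"
            elif CALLER_VARIABLE in resource:
                continue  # scoped to the caller: the pattern the README relies on
            else:
                bad = actions
                reason = f"Resource {resource!r} is not scoped with {CALLER_VARIABLE}"
            violations.extend((index, action, reason) for action in bad)
    return violations


def is_self_service_scoped(policy):
    """True when every Allow grant is caller-scoped or on the wildcard allow-list."""
    return not find_scoping_violations(policy)


if __name__ == "__main__":
    for name, doc in (("BasicUserPolicy", BASIC_USER_POLICY),
                      ("over-broad variant", OVERBROAD_POLICY)):
        problems = find_scoping_violations(doc)
        status = "OK" if not problems else f"{len(problems)} violation(s)"
        print(f"{name}: {status}")
        for index, action, reason in problems:
            print(f"  statement {index}: {action}: {reason}")
```

Running the script reports the README's policy as clean and flags both access-key actions in the over-broad variant, because `arn:aws:iam::*:user/*` lets any holder of the policy rotate any other user's keys. The same function can be pointed at the JSON you are about to pass to `aws iam create-policy`, which is a cheap gate to put in front of the deployment step for any of the four tool variants.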