Create the cloud-governance infra: User, Policy, Bucket

iam/clouds/aws/CloudGovernanceDeletePolicy.json → iam/clouds/aws/CloudGovernanceInfra/CloudGovernanceDeletePolicy.json

@@ -48,8 +48,6 @@
         "ec2:DeleteVpcPeeringConnection",
         "autoscaling:DescribeLaunchConfigurations",
         "ec2:DescribeRegions",
-        "ec2:CreateImage",
-        "ec2:CreateVpc",
         "ec2:DescribeDhcpOptions",
         "ec2:DescribeSnapshots",
         "ec2:DeleteRouteTable",
@@ -72,7 +70,6 @@
         "ec2:DeleteNetworkInterface",
         "ec2:DetachInternetGateway",
         "ec2:DescribeNatGateways",
-        "ec2:StopInstances",
         "ec2:DisassociateRouteTable",
         "ec2:DescribeSecurityGroups",
         "ec2:RevokeSecurityGroupIngress",
@@ -104,17 +101,11 @@
       "Effect": "Allow",
       "Action": [
         "iam:GetRole",
-        "iam:DeleteAccessKey",
-        "iam:DeleteGroup",
         "iam:TagRole",
         "iam:DeleteUserPolicy",
         "iam:ListRoles",
-        "iam:DeleteUser",
         "iam:ListUserPolicies",
-        "iam:CreateUser",
         "iam:TagUser",
-        "sts:AssumeRole",
-        "iam:RemoveUserFromGroup",
         "iam:GetUserPolicy",
         "iam:ListAttachedRolePolicies",
         "iam:ListUsers",
@@ -145,7 +136,6 @@
         "s3:PutObject",
         "s3:GetObject",
         "s3:ListAllMyBuckets",
-        "s3:CreateBucket",
         "s3:ListBucket",
         "s3:PutObjectTagging",
         "s3:DeleteObject",

iam/clouds/aws/CloudGovernanceReadPolicy.json → iam/clouds/aws/CloudGovernanceInfra/CloudGovernanceReadPolicy.json

@@ -82,7 +82,6 @@
         "iam:TagRole",
         "iam:ListRoles",
         "iam:ListUserPolicies",
-        "iam:CreateUser",
         "iam:TagUser",
         "iam:GetUserPolicy",
         "iam:ListAttachedRolePolicies",
@@ -109,7 +108,6 @@
         "s3:PutObject",
         "s3:GetObject",
         "s3:ListAllMyBuckets",
-        "s3:CreateBucket",
         "s3:ListBucket",
         "s3:PutObjectTagging",
         "s3:putBucketTagging",

iam/clouds/aws/CloudGovernanceInfra/create_infra.sh

@@ -0,0 +1,144 @@
+#!/bin/bash
+
+username=""
+policy_type="read"
+s3_bucket_name=""
+show_help=false
+AWS_DEFAULT_REGION=us-east-2
+export AWS_DEFAULT_PROFILE=athiruma
+
+show_help() {
+    echo "Usage: $0 --username <username> --s3-bucket-name <bucket-name> [--policy-type <policy-type>]"
+    echo ""
+    echo "Options:"
+    echo "  --username <username>       Specify the IAM username to create."
+    echo "  --policy-type <type>        (Optional) Specify the policy type to create and attach. Supported Values: read, delete."
+    echo "  --s3-bucket-name <bucket-name>  Specify the S3 bucket name to create."
+    echo "  --help                      Display this help message."
+    echo ""
+    echo "Example:"
+    echo "  $0 --username my-username --policy-type read --s3-bucket-name my-bucket"
+    echo "  $0 --username my-username --s3-bucket-name my-bucket"
+    exit 0
+}
+
+to_title_case() {
+    echo "$1" | awk '{print toupper(substr($0,1,1)) tolower(substr($0,2))}'
+}
+
+delete_user() {
+    aws iam delete-user --user-name "$1" 1>/dev/null
+    echo "Deleted IAM User $1 due to failures."
+}
+
+delete_policy() {
+    aws iam delete-policy --policy-arn "$1" 1>/dev/null
+    echo "Deleted IAM Policy $1 due to failures."
+}
+
+delete_bucket() {
+    aws s3 rb "s3://$1" --force 1>/dev/null
+    echo "Deleted S3 bucket $1 due to failures."
+}
+
+while [[ "$#" -gt 0 ]]; do
+    case $1 in
+        --username) username="$2"; shift ;;
+        --policy-type) policy_type="$2"; shift ;;
+        --s3-bucket-name) s3_bucket_name="$2"; shift ;;
+        --help) show_help=true ;;
+        *) echo "Unknown parameter passed: $1"; show_help ;;
+    esac
+    shift
+done
+
+if [ "$show_help" = true ]; then
+    show_help
+fi
+
+
+
+if [ -z "$username" ] || [ -z "$s3_bucket_name" ]; then
+    echo "Error: --username and --s3-bucket-name are required."
+    show_help
+fi
+
+if [ -n "$policy_type" ]; then
+    case "$(to_title_case "$policy_type")" in
+        Read|Delete) policy_type=$(to_title_case "$policy_type") ;;
+        *) echo "Error: Unsupported policy type '$policy_type'. Supported values are: Read, Delete."; exit 1 ;;
+    esac
+fi
+
+policy_document="./CloudGovernance${policy_type}Policy.json"
+account_id=$(aws sts get-caller-identity --query 'Account' --output text)
+if [ $? -ne 0 ]; then
+    echo "Failed to retrieve AWS account ID."
+    exit 1
+fi
+echo "AWS Account ID: $account_id"
+
+if [ -n "$account_id" ]; then
+  sed -i '' -e "s/account_id/${account_id}/g" "$policy_document"
+fi
+
+
+if ! aws iam create-user --user-name "$username" --tags "Key=User,Value=${username}" 1>/dev/null; then
+    echo "Failed to create user $username."
+    exit 1
+fi
+echo "User $username created successfully."
+
+if [ -n "$policy_type" ]; then
+    policy_name="CloudGovernance${policy_type}"
+
+
+    if [ ! -f "$policy_document" ]; then
+        echo "Error: Policy document file $policy_document does not exist."
+        delete_user "$username"
+        exit 1
+    fi
+
+    policy_arn=$(aws iam create-policy --policy-name "$policy_name" --policy-document "file://$policy_document" --query 'Policy.Arn' --output text)
+    if [ $? -ne 0 ]; then
+        echo "Failed to create policy $policy_name."
+        delete_user "$username"
+        exit 1
+    fi
+    echo "Policy $policy_name created successfully with ARN $policy_arn."
+
+    if ! aws iam attach-user-policy --user-name "$username" --policy-arn "$policy_arn"; then
+        echo "Failed to attach policy $policy_name to user $username."
+        delete_policy "$policy_arn"
+        delete_user "$username"
+        exit 1
+    fi
+    echo "Policy $policy_name attached to user $username successfully."
+fi
+
+if ! aws s3api create-bucket --bucket "$s3_bucket_name" --region "$AWS_DEFAULT_REGION" --create-bucket-configuration LocationConstraint="$AWS_DEFAULT_REGION" 1>/dev/null; then
+    echo "Failed to create S3 bucket $s3_bucket_name."
+    delete_user "$username"
+    if [ -n "$policy_arn" ]; then
+        delete_policy "$policy_arn"
+    fi
+    exit 1
+fi
+echo "S3 bucket $s3_bucket_name created successfully."
+
+access_key_json=$(aws iam create-access-key --user-name "$username" --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output json)
+if [ $? -ne 0 ]; then
+    echo "Failed to create access key for user $username."
+    delete_user "$username"
+    delete_bucket "$s3_bucket_name"
+    if [ -n "$policy_arn" ]; then
+        delete_policy "$policy_arn"
+    fi
+    exit 1
+fi
+
+access_key_id=$(echo "$access_key_json" | jq -r '.[0]')
+secret_access_key=$(echo "$access_key_json" | jq -r '.[1]')
+
+echo "Access Key ID: $access_key_id"
+echo "Secret Access Key: $secret_access_key"

jenkins/tenant/aws/README.md

@@ -1,12 +1,15 @@
 # How to run cloud-governance on Tenant Accounts
 
 Steps
-1. Create AWS User and attach user by [CloudGovernanceDeletePolicy.json](../../../iam/clouds/aws/CloudGovernanceDeletePolicy.json). [ Note: Replace account_id with actual account id]
+
+1. Create AWS User and attach user
+   by [CloudGovernanceDeletePolicy.json](../../../iam/clouds/aws/CloudGovernanceCloudCreds/CloudGovernanceDeletePolicy.json). [ Note: Replace account_id with actual account id]
 2. Create S3 bucket
 3. Add kind secret-text to jenkins with below naming conventions
-   1. ${account_name}-aws-access-key-id
-   2. ${account_name}-aws-secret-key-id
-   3. ${account_name}-s3-bucket
+    1. ${account_name}-aws-access-key-id
+    2. ${account_name}-aws-secret-key-id
+    3. ${account_name}-s3-bucket
 4. Create folder named that you want to run the cloud-governance policies and copy the file in templates.
-5. Add account_name to account variable in this [PolicyJenkinsfileDaily](../aws/template/PolicyJenkinsfileDaily) and [TaggingJenkinsfileHourly](../aws/template/TaggingJenkinsfileHourly).
+5. Add account_name to account variable in this [PolicyJenkinsfileDaily](../aws/template/PolicyJenkinsfileDaily)
+   and [TaggingJenkinsfileHourly](../aws/template/TaggingJenkinsfileHourly).
 6. Create two Jenkins jobs by using this two Jenkinsfile