From 87f1d0b496b4e596d3ee0d8d0b613efff0a21af9 Mon Sep 17 00:00:00 2001 From: Thirumalesh Aaraveti Date: Wed, 11 Sep 2024 11:25:14 +0530 Subject: [PATCH] Create the cloud-governance infra: User, Policy, Bucket --- iam/clouds/aws/CloudGovernanceInfra.tar | Bin 0 -> 25088 bytes .../CloudGovernanceDeletePolicy.json | 10 -- .../CloudGovernanceReadPolicy.json | 2 - .../aws/CloudGovernanceInfra/create_infra.sh | 144 ++++++++++++++++++ jenkins/tenant/aws/README.md | 13 +- 5 files changed, 152 insertions(+), 17 deletions(-) create mode 100644 iam/clouds/aws/CloudGovernanceInfra.tar rename iam/clouds/aws/{ => CloudGovernanceInfra}/CloudGovernanceDeletePolicy.json (94%) rename iam/clouds/aws/{ => CloudGovernanceInfra}/CloudGovernanceReadPolicy.json (98%) create mode 100755 iam/clouds/aws/CloudGovernanceInfra/create_infra.sh 
diff --git a/iam/clouds/aws/CloudGovernanceInfra.tar b/iam/clouds/aws/CloudGovernanceInfra.tar new file mode 100644 index 0000000000000000000000000000000000000000..6357b50da109a7c8cf41ee4c421b57c3fa45b342 GIT binary patch literal 25088 zcmeGk+iu&+(JfFERr}gL@8L1vI4~trvLr`|Qz*8RW7J7}Y$vA&fh*AD%3@5B3NOAi z$shCs`rQ6tKcO>w;Z39@-*VE10t{2Tvoo`E+u`nx>VqxEi>w#kIrUw`HR-N9^o^xE z{b-ujZMVr1{_pVrT63L!hb9f4TSQ;)bhTzn)8JXtJIz*eiD-AqMG3Mf2n`=tGs2PW zN8{3|1K4m_f&-h`Of)$uG6VAK>iW%}e!KMRrKOjKNnRh4zY_7mwx!>}Ulaa5z#o49 zH~cN|=^q^(2rwM+Px$+NZrHDq_CK25xNb})4y{joFhgdAO90UR!{7d+{p%lt+|cUl zT}oizxcq?{7WEtV7YD#KX8XU^&G~<~+vzNk%e$Ot8Ln^K|C^7qXwW+5fTMfA!-f-Pqo;-#_1|tv@1% zFlg`RS%Xq8UMtg1)qc+sDDwKo9n+lW|InZF|BlwxmPq@K`6xv9jr)J0{_FXqaGN?b zr2C#@n^*Psf#(*AvaAvG+ga!N-kkie*=;v90tsOoJN>DDKU5$te(PDFN~`N8MH>`MD-?U z1Hr5zy}&gl!N?0|0j1=0J~0=Bqz+h+ZL0QU!2wc2hUqLi!U(S?m4KR&Z--avDJXDJ zzF^8Kb*+g9s#uV*AUc8BEC_t=Inj8g8TITj_$r{2R?hyHJD&8?+k2i*PwfBRCF%ComA2iO&ESpa}<%5Nv;j?hdw#6G3I?VfIV zt_z_OgQ5&)5JrqB^a9gx0006FC%R`ut~mnup?wg6A!>vN9a6cywZ@FgRt96v?O$ay#U5 zdx5@`8ITqbr(4jClgqI_hr7P%6yOnhh{aR@f~3R@0Y{$70c^S$fwaYZZ$Ah;(+1Jb zP~{Qz$F>VFGt4zK%u!y-d0Nr{i`F{X2PQvd&{I=>=~?#hDo?Ht`^xqSnA0@fl!Rg% zn1;eREUGf2+#c<~kV2hr-G?G%7hBl@J@?LN24>ei#h5b9y@)6n$x3@cx&?hGoeYgq z(o#7l{cg^FA>=BIXho?$&R988yPnu&_! zzyVAr3=@yPD4;^@nDFs@B0q#{b;@IkfMK;+2u`|Mnv+`zY`6b1R>$@7U)vaC%6{Nw z!#_5|REnCp5xohh&$p3d!XQE%wg>Auj?0+2?1+ci)BQjXyYu*fyLi-9z7vT-)Pb-; zEhNfVD!`3!h-Hc?fxQr~3CmRQ7kV`{NKSDUHSuoJcWem#Qy91qi^YqxiRUskV?MH2 z^aIv_VVoDpthC0Ug5;KK4BKy>V_(T3SIEuy;PgaUhGc-~|)X-`hC< zzHgi0tTBxR>{*%cF~|ta%Zkh}k@z*@&SC3WWS-IRI0hwln*6oR?ReaKbeohTS=qct=bJoaQtwE#A!yp^zf)DnvSo1hHbIFb6(tPWPT? 
zvXu5VM!+_%j(o#TlBoskAf*cvFGGchptt9FXVGK_E~KQa0_2ni0XZ{jw~E4y>7R_y z9L3td0n-1^ieH-A;&ZZ5F_Z;N55gLoh9NzAZYoDvL`up3B`|_BX@#Sv+ zHR=PC?O+XTybM?mMz`Y&_J6x@#J|A(zh<}D?85o4-t4ri{omV3eZkSy`R{^)`u_wg z^#A1i_fF!#T>sbQ{U7Q7Elr2>pX&Vg{%x+MW$*vB+mGrS?G1>-k2-pF0DS)n_=PDH z`v0AHeKN7x{;z9YT^INNr2p$$Td&stM1uGC^!;~@6WeW^7{RDki(sq6HQ+L^qSPkr zvfm(t9m7opvO!C!1+Bped(j<8AUL4A7>uYh*&G^9Kx_S<4hP#i&--uojs^!iFLqzQ z+Kd7fcCkaXS)-Q|&kso&X8+*z^WD9jO<89|=9eovNNkmg0mwLFS%vRD?X>^bKc~r1A0rgv}#HOAOZ{a6cRNfa>Hh znxLeqMcx`tM1vkd{jCv;-Qt|$V5ZSCbO09>XwHb2b%lH)#>E*~`3QSYZU}Y(x}yFAIG7DW|G~1hrmyL%tI!UY zCNk~K)z!}{NPuf`fTk6rhpPhw_DY3@nJk2za%WJGvi`JT(es8IISxCgwq4d} z;5=1z=)qNxIrB|yxopB0BiQI9@7}=#z6Y$QpkQ)*{FqoC6CdgqxwT#P70o;eO{=l% zZz{`8Xi0l91(`WZmS!8-Io!6{xIt`ZSt z-80v_aLL5*A%?>7Ej+<7xCMb%XOj@&UJj;#VX_&q>D4UHrL~$pBq+0(oI*AUqX@Et zz{tfF_tu7X4L)p;`ga&7W2Qom$)`_%inV5^3VkVDocA5y_xxT;2P`H|tqX=vAsl{) zY@b>p=45%{oS@mJbdn{=RIe;Q$oP70z^anAi~|TmpSY`Kbv*}(6f{~_tR*qiH*OFI zdd@0e6jsuVucViQbG9515J8V1M{9($R0rKsj9|K?#}td25i+nm6Yhez;igj07m6)^ zOv&lIfXkza6k{+{;DnZ{XuCTBI;j}6>KKx5Y;9tz%GRV)JUKj%O8_3pBtx2VjWVH3b%YPx9?y{;PIR12u1Nb z@d_2Lcbx`AffJ@p4A^UIk>6bYC_z4FLj4R;acV45k=X4@1cj6mAd$>iB#78)*AUi} zD;O!Ld53QOYrE5NcV_a zEsqAo^+NQ4AQS>XT&blNNK5(hoPp8e)`XAfEBIf`4%R(k^0+JuwemhNZT=vaW-$Z> zf{T~vjJZ>g=^iX?0#0@ytniwB?sR?MopK!HiOH|fd9ar|LgGNeDmb-RSjgRtC6kch zoMx~V+7h|2!x8Bpyoy0VqG(`18e>Lv;i6zVx36itP!(f)Fyq}`A#!?Jg#>AF3 zD)M_(?`)J~TL^R|BlG zn+_rzKm~vqcAl)J{3=5IU0>cx*tOQ+$`GuQam#TkXdun&thORpaHa?{1-W!e2 z`(QK(tmJX>A!)+hdI7|>g;@&pAuMDmQ?!+vp33GHVD{@DaQ>HT#$=I4oa1wR#kZ}RuP`A)VoInAS5rVK zO1|b6NOHJ*yKwTPZ%+ZedPZ zT-PTNvAW|@9L3doQt7;)|ERbWj|0uFq~kDOb-^5GaY}FBZ1tNg{mPh3RoxaJgTy6( zxstJ>I --s3-bucket-name [--policy-type ]" + echo "" + echo "Options:" + echo " --username Specify the IAM username to create." + echo " --policy-type (Optional) Specify the policy type to create and attach. Supported Values: read, delete." + echo " --s3-bucket-name Specify the S3 bucket name to create." + echo " --help Display this help message." 
+ echo ""
+ echo "Example:"
+ echo " $0 --username my-username --policy-type read --s3-bucket-name my-bucket"
+ echo " $0 --username my-username --s3-bucket-name my-bucket"
+ exit 0
+}
+
+to_title_case() {
+ echo "$1" | awk '{print toupper(substr($0,1,1)) tolower(substr($0,2))}'
+}
+
+delete_user() {
+ aws iam delete-user --user-name "$1" 1>/dev/null
+ echo "Deleted IAM User $1 due to failures."
+}
+
+delete_policy() {
+ aws iam delete-policy --policy-arn "$1" 1>/dev/null
+ echo "Deleted IAM Policy $1 due to failures."
+}
+
+delete_bucket() {
+ aws s3 rb "s3://$1" --force 1>/dev/null
+ echo "Deleted S3 bucket $1 due to failures."
+}
+
+while [[ "$#" -gt 0 ]]; do
+ case $1 in
+ --username) username="$2"; shift ;;
+ --policy-type) policy_type="$2"; shift ;;
+ --s3-bucket-name) s3_bucket_name="$2"; shift ;;
+ --help) show_help=true ;;
+ *) echo "Unknown parameter passed: $1"; show_help ;;
+ esac
+ shift
+done
+
+if [ "$show_help" = true ]; then
+ show_help
+fi
+
+
+
+if [ -z "$username" ] || [ -z "$s3_bucket_name" ]; then
+ echo "Error: --username and --s3-bucket-name are required."
+ show_help
+fi
+
+if [ -n "$policy_type" ]; then
+ case "$(to_title_case "$policy_type")" in
+ Read|Delete) policy_type=$(to_title_case "$policy_type") ;;
+ *) echo "Error: Unsupported policy type '$policy_type'. Supported values are: Read, Delete."; exit 1 ;;
+ esac
+fi
+
+policy_document="./CloudGovernance${policy_type}Policy.json"
+account_id=$(aws sts get-caller-identity --query 'Account' --output text)
+if [ $? -ne 0 ]; then
+ echo "Failed to retrieve AWS account ID."
+ exit 1
+fi
+echo "AWS Account ID: $account_id"
+
+if [ -n "$account_id" ]; then
+ sed -i '' -e "s/account_id/${account_id}/g" "$policy_document"
+fi
+
+
+if ! aws iam create-user --user-name "$username" --tags "Key=User,Value=${username}" 1>/dev/null; then
+ echo "Failed to create user $username."
+ exit 1
+fi
+echo "User $username created successfully."
+
+if [ -n "$policy_type" ]; then
+ policy_name="CloudGovernance${policy_type}"
+
+
+ if [ ! -f "$policy_document" ]; then
+ echo "Error: Policy document file $policy_document does not exist."
+ delete_user "$username"
+ exit 1
+ fi
+
+ policy_arn=$(aws iam create-policy --policy-name "$policy_name" --policy-document "file://$policy_document" --query 'Policy.Arn' --output text)
+ if [ $? -ne 0 ]; then
+ echo "Failed to create policy $policy_name."
+ delete_user "$username"
+ exit 1
+ fi
+ echo "Policy $policy_name created successfully with ARN $policy_arn."
+
+ if ! aws iam attach-user-policy --user-name "$username" --policy-arn "$policy_arn"; then
+ echo "Failed to attach policy $policy_name to user $username."
+ delete_policy "$policy_arn"
+ delete_user "$username"
+ exit 1
+ fi
+ echo "Policy $policy_name attached to user $username successfully."
+fi
+
+if ! aws s3api create-bucket --bucket "$s3_bucket_name" --region "$AWS_DEFAULT_REGION" --create-bucket-configuration LocationConstraint="$AWS_DEFAULT_REGION" 1>/dev/null; then
+ echo "Failed to create S3 bucket $s3_bucket_name."
+ delete_user "$username"
+ if [ -n "$policy_arn" ]; then
+ delete_policy "$policy_arn"
+ fi
+ exit 1
+fi
+echo "S3 bucket $s3_bucket_name created successfully."
+
+access_key_json=$(aws iam create-access-key --user-name "$username" --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output json)
+if [ $? -ne 0 ]; then
+ echo "Failed to create access key for user $username."
+ delete_user "$username"
+ delete_bucket "$s3_bucket_name"
+ if [ -n "$policy_arn" ]; then
+ delete_policy "$policy_arn"
+ fi
+ exit 1
+fi
+
+access_key_id=$(echo "$access_key_json" | jq -r '.[0]')
+secret_access_key=$(echo "$access_key_json" | jq -r '.[1]')
+
+echo "Access Key ID: $access_key_id"
+echo "Secret Access Key: $secret_access_key"
diff --git a/jenkins/tenant/aws/README.md b/jenkins/tenant/aws/README.md
index afcae3a85..3191ef335 100644
--- a/jenkins/tenant/aws/README.md
+++ b/jenkins/tenant/aws/README.md
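Review bot: The final `echo "Secret Access Key: $secret_access_key"` prints a long-lived IAM secret to stdout, and since the README in this commit describes running this from Jenkins, that value ends up in build logs and console history; write the pair to a restricted file instead, e.g. `umask 077; printf 'AWS_ACCESS_KEY_ID=%s\nAWS_SECRET_ACCESS_KEY=%s\n' "$access_key_id" "$secret_access_key" > "${username}.credentials"` followed by `echo "Credentials written to ${username}.credentials"`. The earlier `sed -i '' -e "s/account_id/${account_id}/g" "$policy_document"` permanently rewrites the checked-in policy template (before the `-f` existence check, and even when no `--policy-type` was given, in which case the path resolves to a non-existent `CloudGovernancePolicy.json`), and `-i ''` is BSD-only syntax that GNU sed reads as an extra file operand; render into a temporary copy instead, `rendered=$(mktemp) && sed -e "s/account_id/${account_id}/g" "$policy_document" > "$rendered"`, and pass `file://$rendered` to create-policy. The bucket-failure rollback calls `delete_user` while the managed policy is still attached, which IAM refuses with a DeleteConflict, so both the user and the policy are left behind; detach with `aws iam detach-user-policy` first and order the cleanup policy-then-user as the attach-failure branch already does. Unknown parameters fall through to `show_help`, which exits 0, so a typo in an option looks like success to the caller; return a non-zero status on that path. The hunk's opening lines (shebang, any `set` options and the start of `show_help`) are not readable in this view, so whether `set -euo pipefail` is enabled cannot be confirmed from here.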
@@ -1,12 +1,15 @@ # How to run cloud-governance on Tenant Accounts Steps -1. Create AWS User and attach user by [CloudGovernanceDeletePolicy.json](../../../iam/clouds/aws/CloudGovernanceDeletePolicy.json). [ Note: Replace account_id with actual account id] + +1. Create AWS User and attach user + by [CloudGovernanceDeletePolicy.json](../../../iam/clouds/aws/CloudGovernanceCloudCreds/CloudGovernanceDeletePolicy.json). [ Note: Replace account_id with actual account id] 2. Create S3 bucket 3. Add kind secret-text to jenkins with below naming conventions - 1. ${account_name}-aws-access-key-id - 2. ${account_name}-aws-secret-key-id - 3. ${account_name}-s3-bucket + 1. ${account_name}-aws-access-key-id + 2. ${account_name}-aws-secret-key-id + 3. ${account_name}-s3-bucket 4. Create folder named that you want to run the cloud-governance policies and copy the file in templates. -5. Add account_name to account variable in this [PolicyJenkinsfileDaily](../aws/template/PolicyJenkinsfileDaily) and [TaggingJenkinsfileHourly](../aws/template/TaggingJenkinsfileHourly). +5. Add account_name to account variable in this [PolicyJenkinsfileDaily](../aws/template/PolicyJenkinsfileDaily) + and [TaggingJenkinsfileHourly](../aws/template/TaggingJenkinsfileHourly). 6. Create two Jenkins jobs by using this two Jenkinsfile