"""E3 troposphere usage example."""
from __future__ import annotations
import logging
from troposphere import Ref
from e3.aws import Session, Stack
from e3.aws.troposphere.config.config_rule import (
S3BucketPublicWriteProhibited,
S3BucketPublicReadProhibited,
S3BucketServerSideEncryptionEnabled,
S3BucketSSLRequestsOnly,
IAMUserNoPoliciesCheck,
)
from e3.aws.troposphere.config.configuration_recorder import ConfigurationRecorder
from e3.aws.troposphere.iam.role import Role
from e3.aws.troposphere.s3.bucket import Bucket
from e3.aws.troposphere.s3.managed_policy import S3AccessManagedPolicy
# Example script: configure the root logger at INFO level so that log output
# emitted while building and deploying the stacks is shown.
logging.basicConfig(level=logging.INFO)
def build_and_deploy_tstacks() -> None:
    """Build and deploy two simple troposphere stacks.

    Two stacks in two different regions are deployed. The "us" stack defines only a
    secure bucket. The "eu" stack defines a secure s3 bucket, a role that can add
    objects to the eu bucket, and an AWSConfig recorder with rules meant to check
    the s3 bucket security configuration across both regions.
    """
    regions = ("eu", "us")
    sessions = {
        "eu": Session(regions=["eu-west-1"]),
        "us": Session(regions=["us-east-1"]),
    }

    # CAPABILITY_NAMED_IAM is requested because the eu stack creates an IAM role
    # with an explicit name ("L1WriteRole") below.
    stacks = {
        region: Stack(
            f"e3-example-{region}",
            sessions[region],
            opts={"Capabilities": ["CAPABILITY_NAMED_IAM"]},
        )
        for region in regions
    }
    eu_stack = stacks["eu"]

    # One secure s3 bucket per region
    eu_stack.add_construct([Bucket(name="e3-l1-example")])
    stacks["us"].add_construct([Bucket(name="e3-l2-example")])

    # IAM role used to access the e3-l1-example bucket.
    # NOTE(review): the trust policy admits the ECS tasks service principal as a
    # whole; a production deployment would normally narrow who may assume the
    # role (e.g. by account or source ARN) — confirm the Role construct's options.
    eu_stack.add_construct(
        [
            Role(
                name="L1WriteRole",
                description="Role to write to l1 buckets",
                principal={"Service": "ecs-tasks.amazonaws.com"},
            )
        ]
    )

    # Managed policy restricted to s3:PutObject on e3-l1-example,
    # attached to the L1WriteRole role
    eu_stack.add_construct(
        [
            S3AccessManagedPolicy(
                name="S3WriteAccess",
                buckets=["e3-l1-example"],
                action=["s3:PutObject"],
                roles=[Ref(eu_stack["L1WriteRole"])],
            )
        ]
    )

    # AWS Config recorder and rules checking s3 bucket security configuration.
    # Defined in the eu region only.
    # NOTE(review): AWS Config recorders and rules are regional; the recorder
    # below lives in eu-west-1, so whether the us-east-1 bucket is actually
    # evaluated by these rules should be confirmed.
    # NOTE(review): the delivery bucket "config-bucket-example" is not created
    # in this file — presumably ConfigurationRecorder handles it; verify.
    eu_stack.add_construct(
        [ConfigurationRecorder(bucket_name="config-bucket-example")]
    )
    eu_stack.add_construct(
        [
            S3BucketPublicWriteProhibited,
            S3BucketPublicReadProhibited,
            S3BucketServerSideEncryptionEnabled,
            S3BucketSSLRequestsOnly,
            IAMUserNoPoliciesCheck,
        ]
    )

    # Deploy the stacks, eu first then us
    for region in regions:
        stacks[region].deploy()
def main() -> None:
    """Script entry point: build and deploy the example stacks."""
    build_and_deploy_tstacks()
# Only run the example when executed as a script, not when imported.
if __name__ == "__main__":
    main()