
Add support for IAM Server Certificates
tremble committed Sep 23, 2021
1 parent e6e4863 commit 8be2d25
Showing 2 changed files with 36 additions and 4 deletions.
15 changes: 11 additions & 4 deletions aws/policy/security-services.yaml
Expand Up @@ -100,23 +100,26 @@ Statement:
- Sid: AllowGlobalRestrictedResourceActionsWhichIncurFees
Effect: Allow
Action:
- iam:DeleteServerCertificate
- iam:UploadServerCertificate
- secretsmanager:CreateSecret
- secretsmanager:UpdateSecret
- secretsmanager:DeleteSecret
- secretsmanager:GetSecretValue
- secretsmanager:RotateSecret
- secretsmanager:UntagResource
- secretsmanager:TagResource
- secretsmanager:UntagResource
- secretsmanager:UpdateSecret
Resource:
- 'arn:aws:iam::{{ aws_account_id }}:server-certificate/*'
- 'arn:aws:secretsmanager:{{ aws_region }}:{{ aws_account_id }}:secret:ansible-test*'

- Sid: AllowResourceRestrictedActionsWhichIncurNoFees
Effect: Allow
Action:
- acm:DescribeCertificate
- acm:GetCertificate
- acm:AddTagsToCertificate
- acm:DeleteCertificate
- acm:DescribeCertificate
- acm:GetCertificate
- iam:AddRoleToInstanceProfile
- iam:CreateInstanceProfile
- iam:CreateRole
Expand All @@ -126,15 +129,19 @@ Statement:
- iam:DeleteSAMLProvider
- iam:GetInstanceProfile
- iam:GetSAMLProvider
- iam:GetServerCertificate
- iam:ListInstanceProfilesForRole
- iam:ListServerCertificates
- iam:PassRole
- iam:RemoveRoleFromInstanceProfile
- iam:UpdateSAMLProvider
- iam:UpdateServerCertificate
- sts:AssumeRole
Resource:
- 'arn:aws:acm:{{ aws_region }}:{{ aws_account_id }}:certificate/*'
- 'arn:aws:iam::{{ aws_account_id }}:instance-profile/ansible-test-*'
- 'arn:aws:iam::{{ aws_account_id }}:saml-provider/ansible-test-*'
- 'arn:aws:iam::{{ aws_account_id }}:server-certificate/*'
- 'arn:aws:iam::{{ aws_account_id }}:role/ansible-test-*'
# This is hard coded into DMS...
- 'arn:aws:iam::{{ aws_account_id }}:role/dms-vpc-role'
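Review bot: The two new `server-certificate/*` resource ARNs (in both the fee-incurring statement and the no-fee statement) grant Delete/Upload/Update on every IAM server certificate in the account, while the sibling instance-profile, saml-provider and role resources in the same statements are all scoped to `ansible-test-*`. Since the companion terminator only reclaims certificates whose name starts with `ansible-test-`, the test credentials should be held to the same prefix: `- 'arn:aws:iam::{{ aws_account_id }}:server-certificate/ansible-test-*'` in both places, so a misbehaving test cannot delete or overwrite a production certificate. Separately, I believe `iam:ListServerCertificates` does not support resource-level permissions and is only effective with `Resource: '*'`, in which case listing it under the resource-restricted statement will be silently denied; please verify against the IAM service authorization reference and move it to a wildcard-resource statement if so. The Statement list continues outside both hunks.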
25 changes: 25 additions & 0 deletions aws/terminator/security_services.py
Expand Up @@ -69,6 +69,31 @@ def terminate(self):
self.client.delete_instance_profile(InstanceProfileName=self.name)


class IamServerCertificate(Terminator):
@staticmethod
def create(credentials):
return Terminator._create(credentials, IamServerCertificate, 'iam', lambda client: client.list_server_certificates()['ServerCertificateMetadataList'])

@property
def id(self):
return self.instance['ServerCertificateId']

@property
def name(self):
return self.instance['ServerCertificateName']

@property
def ignore(self):
return not self.name.startswith('ansible-test-')

@property
def created_time(self):
return self.instance['UploadDate']

def terminate(self):
self.client.delete_server_certificate(ServerCertificateName=self.name)


class ACMCertificate(DbTerminator):
# ACM provides a created time, but there are cases where describe_certificate can fail
# We need to be able to delete anyway, so use DbTerminator
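Review bot: `IamServerCertificate.ignore` is the only safeguard keeping this terminator away from certificates that were not uploaded by the test suite, and the class says nothing about that, so the new class deserves a docstring such as `"""Reclaim IAM server certificates uploaded by integration tests (names prefixed ansible-test-)."""` and a why-comment on `ignore`, e.g. `# Name prefix is the sole ownership signal; anything else in the account is left alone.` Note that `delete_server_certificate` will presumably fail with a conflict error while the certificate is still attached to a load balancer or CloudFront distribution, so it may be worth a `# NOTE: deletion is expected to fail until dependent ELB/CloudFront resources are terminated` comment on `terminate` to explain retries seen in logs — confirm against the AWS API behaviour. `created_time` returning `UploadDate` is reasonable but could carry a one-line comment that IAM exposes no separate creation timestamp for server certificates.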
