diff --git a/helpers/vs-code-ec2.yaml b/helpers/vs-code-ec2.yaml
index 6d24e08..8efdacd 100644
--- a/helpers/vs-code-ec2.yaml
+++ b/helpers/vs-code-ec2.yaml
@@ -16,15 +16,29 @@ Parameters: - t3.large - t3.xlarge ConstraintDescription: Must be a valid EC2 instance type + LatestAmiId: + Type: "AWS::SSM::Parameter::Value" + Default: "/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64" AllowedIP: Description: Allowed IP address for connecting to the VSCode server and Gitea (CIDR) AllowedPattern: ^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$ ConstraintDescription: Must be a valid IP CIDR range of the form x.x.x.x/x Type: String Default: 0.0.0.0/0 - LatestAmiId: - Type: "AWS::SSM::Parameter::Value" - Default: "/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64" + WorldAccessAcknowledgment: + Description: Type 'I AGREE' to acknowledge you're allowing world access (only required if SSHLocation is 0.0.0.0/0) + Type: String + Default: 'Enter String' + +Rules: + ValidateWorldAccessAcknowledgment: + RuleCondition: !Equals [!Ref AllowedIP, '0.0.0.0/0'] + Assertions: + - Assert: + Fn::Equals: + - !Ref WorldAccessAcknowledgment + - 'I AGREE' + AssertDescription: You must type 'I AGREE' in the WorldAccessAcknowledgment parameter when allowing world access (0.0.0.0/0) Resources: ################## PERMISSIONS AND ROLES #################
@@ -47,8 +61,6 @@ Resources: - codebuild.amazonaws.com Action: - sts:AssumeRole - ManagedPolicyArns: - - arn:aws:iam::aws:policy/AdministratorAccess Path: "/" ################## ARTIFACTS BUCKET ############### 
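Review bot: The new WorldAccessAcknowledgment description tells the operator the acknowledgement is needed when `SSHLocation` is 0.0.0.0/0, but the rule that enforces it conditions on `AllowedIP` (`RuleCondition: !Equals [!Ref AllowedIP, '0.0.0.0/0']`) and no SSHLocation parameter is visible in this hunk, so the prompt names the wrong parameter; change it to `Description: Type 'I AGREE' to acknowledge you're allowing world access (only required if AllowedIP is 0.0.0.0/0)`. AllowedIP still carries `Default: 0.0.0.0/0`, so an operator who accepts defaults is steered into the world-open path and then fails the assertion; consider removing that default, or stating in the AllowedIP description that a specific CIDR is expected, so the default path is the restrictive one. The AllowedPattern also accepts octets up to 999, so it checks shape only and should not be read as validating that the value is a usable CIDR.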
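Review bot: Dropping the AdministratorAccess attachment leaves this role with no managed policy inside the hunk, and the role's definition starts outside it, so I cannot confirm from here that it is the EC2Role that the new SaaSEKSGitOpsWorkshopPolicy later in this diff attaches to via `Roles: - !Ref EC2Role`. If it is a different role, it now has a trust policy (the visible principal list includes codebuild.amazonaws.com) but no permissions; if it is EC2Role, every principal in that trust policy, not just EC2, inherits the broad workshop policy. Either way a comment at the removal point would save the next reader the lookup, e.g. `# Permissions are granted by SaaSEKSGitOpsWorkshopPolicy (Roles: EC2Role); AdministratorAccess intentionally removed`.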
@@ -275,6 +287,134 @@ Resources: - Key: Environment Value: !Sub ${EnvironmentName} + SaaSEKSGitOpsWorkshopPolicy: + Type: AWS::IAM::ManagedPolicy + Properties: + ManagedPolicyName: SaaSEKSGitOpsWorkshopPolicy + Description: 'Consolidated IAM policy for SaaS on EKS GitOps Workshop' + PolicyDocument: + Version: '2012-10-17' + Statement: + - Sid: EKSFullAccess + Effect: Allow + Action: + - 'eks:*' + Resource: '*' + - Sid: EC2AndNetworkingFullAccess + Effect: Allow + Action: + - 'ec2:*' + - 'elasticloadbalancing:*' + - 'autoscaling:*' + Resource: '*' + - Sid: ContainerServicesFullAccess + Effect: Allow + Action: + - 'ecr:*' + Resource: '*' + - Sid: IAMManagement + Effect: Allow + Action: + - 'iam:CreateRole' + - 'iam:DeleteRole' + - 'iam:GetRole' + - 'iam:ListRoles' + - 'iam:PassRole' + - 'iam:AttachRolePolicy' + - 'iam:DetachRolePolicy' + - 'iam:CreatePolicy' + - 'iam:DeletePolicy' + - 'iam:GetPolicy' + - 'iam:ListPolicies' + - 'iam:CreateServiceLinkedRole' + - 'iam:TagRole' + - 'iam:UntagRole' + - 'iam:GetRolePolicy' + - 'iam:PutRolePolicy' + - 'iam:DeleteRolePolicy' + - 'iam:ListAttachedRolePolicies' + - 'iam:ListRolePolicies' + - 'iam:ListEntitiesForPolicy' + - 'iam:CreateInstanceProfile' + - 'iam:GetPolicyVersion' + - 'iam:GetInstanceProfile' + - 'iam:CreateOpenIDConnectProvider' + - 'iam:TagPolicy' + - 'iam:TagOpenIDConnectProvider' + - 'iam:GetOpenIDConnectProvider' + - 'iam:DeleteOpenIDConnectProvider' + - 'iam:AddRoleToInstanceProfile' + - 'iam:DeleteInstanceProfile' + Resource: '*' + - Sid: ApplicationServicesFullAccess + Effect: Allow + Action: + - 'sqs:*' + - 'dynamodb:*' + - 's3:*' + Resource: '*' + - Sid: SystemsManagerAccess + Effect: Allow + Action: + - 'ssm:GetParameter' + - 'ssm:GetParameters' + - 'ssm:PutParameter' + - 'ssm:DeleteParameter' + - 'ssm:DescribeParameters' + - 'ssm:SendCommand' + - 'ssm:ListCommands' + - 'ssm:ListCommandInvocations' + - 'ssm:DescribeInstanceInformation' + - 'ssm:GetCommandInvocation' + - 'ssm:UpdateInstanceInformation' + 
- 'ssm:CreateDocument' + - 'ssm:DescribeDocumentParameters' + - 'ssm:GetDocument' + - 'ssm:ListDocuments' + - 'ssm:CreateAssociation' + - 'ssm:DescribeAssociation' + - 'ssm:ListAssociations' + - 'ssm:UpdateAssociation' + - 'ssm:DeleteAssociation' + - 'ssm:DescribeAssociationExecutions' + - 'ssm:DescribeAssociationExecutionTargets' + - 'ssm:StartAssociationsOnce' + - 'ssm:ListTagsForResource' + - 'ssmmessages:*' + Resource: '*' + - Sid: CloudFormationFullAccess + Effect: Allow + Action: + - 'cloudformation:*' + Resource: '*' + - Sid: KMSAccess + Effect: Allow + Action: + - 'kms:Decrypt' + - 'kms:DescribeKey' + - 'kms:CreateKey' + - 'kms:CreateAlias' + - 'kms:Encrypt' + - 'kms:GenerateDataKey' + - 'kms:ReEncrypt*' + - 'kms:TagResource' + - 'kms:ListAliases' + - 'kms:DeleteAlias' + Resource: '*' + - Sid: LogsAccess + Effect: Allow + Action: + - 'logs:CreateLogGroup' + - 'logs:CreateLogStream' + - 'logs:PutLogEvents' + - 'logs:DescribeLogGroups' + - 'logs:DescribeLogStreams' + - 'logs:PutRetentionPolicy' + - 'logs:ListTagsForResource' + Resource: '*' + Roles: + - !Ref EC2Role + Outputs: VsCodeIdeUrl: Description: The URL to access VS Code IDE
diff --git a/tenant-microservices/consumer/requirements.txt b/tenant-microservices/consumer/requirements.txt
index 9b1a241..81c73ae 100644
--- a/tenant-microservices/consumer/requirements.txt
+++ b/tenant-microservices/consumer/requirements.txt
@@ -2,7 +2,7 @@ blinker==1.6.3
 click==8.1.7
 Flask==3.0.0
 itsdangerous==2.1.2
-Jinja2==3.1.5
+Jinja2==3.1.6
 MarkupSafe==2.1.3
 Werkzeug==3.0.6
 boto3~=1.28.59
diff --git a/tenant-microservices/payments/requirements.txt b/tenant-microservices/payments/requirements.txt
index 2421c30..45d0ba5 100644
--- a/tenant-microservices/payments/requirements.txt
+++ b/tenant-microservices/payments/requirements.txt
@@ -2,6 +2,6 @@ blinker==1.6.3
 click==8.1.7
 Flask==3.0.0
 itsdangerous==2.1.2
-Jinja2==3.1.3
+Jinja2==3.1.6
 MarkupSafe==2.1.3
 Werkzeug==3.0.6
\ No newline at end of file
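Review bot: The IAMManagement statement grants `iam:CreateRole`, `iam:AttachRolePolicy`, `iam:PutRolePolicy` and `iam:PassRole` on `Resource: '*'`, so the consolidated policy is still effectively administrative: a principal holding it can create or modify a role with any permissions and hand it to a service, which is the same outcome the removed AdministratorAccess allowed, just less visibly. To make the replacement meaningfully narrower, move the IAM write actions into their own statement scoped by a Resource ARN pattern for the workshop's roles and policies and a `Condition` requiring a specific `iam:PermissionsBoundary`, and condition `iam:PassRole` with `iam:PassedToService` on the services the workshop actually uses; the iam:Get*/List* actions can keep `'*'` since those condition keys are not present on them and a StringEquals would deny. `ManagedPolicyName: SaaSEKSGitOpsWorkshopPolicy` is also a fixed name, so a second stack in the same account fails on a name collision; omit it or derive it with `!Sub '${AWS::StackName}-WorkshopPolicy'`. A short comment above the resource stating why AdministratorAccess was replaced and what scope is intended would help keep later edits from re-widening it.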