Review/guardian

helpers/vs-code-ec2.yaml

@@ -16,15 +16,29 @@ Parameters:
       - t3.large
       - t3.xlarge
     ConstraintDescription: Must be a valid EC2 instance type
+  LatestAmiId:
+    Type: "AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>"
+    Default: "/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64"
   AllowedIP:
     Description: Allowed IP address for connecting to the VSCode server and Gitea (CIDR)
     AllowedPattern: ^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$
     ConstraintDescription: Must be a valid IP CIDR range of the form x.x.x.x/x
     Type: String
     Default: 0.0.0.0/0
-  LatestAmiId:
-    Type: "AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>"
-    Default: "/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64"
+  WorldAccessAcknowledgment:
+    Description: Type 'I AGREE' to acknowledge you're allowing world access (only required if SSHLocation is 0.0.0.0/0)
+    Type: String
+    Default: 'Enter String'
+
+Rules:
+  ValidateWorldAccessAcknowledgment:
+    RuleCondition: !Equals [!Ref AllowedIP, '0.0.0.0/0']
+    Assertions:
+      - Assert: 
+          Fn::Equals:
+            - !Ref WorldAccessAcknowledgment
+            - 'I AGREE'
+        AssertDescription: You must type 'I AGREE' in the WorldAccessAcknowledgment parameter when allowing world access (0.0.0.0/0)
 
 Resources:
   ################## PERMISSIONS AND ROLES #################
@@ -47,8 +61,6 @@ Resources:
                 - codebuild.amazonaws.com
             Action:
               - sts:AssumeRole
-      ManagedPolicyArns:
-        - arn:aws:iam::aws:policy/AdministratorAccess
       Path: "/"
 
   ################## ARTIFACTS BUCKET ###############
@@ -275,6 +287,134 @@ Resources:
         - Key: Environment
           Value: !Sub ${EnvironmentName}
 
+  SaaSEKSGitOpsWorkshopPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      ManagedPolicyName: SaaSEKSGitOpsWorkshopPolicy
+      Description: 'Consolidated IAM policy for SaaS on EKS GitOps Workshop'
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Sid: EKSFullAccess
+            Effect: Allow
+            Action:
+              - 'eks:*'
+            Resource: '*'
+          - Sid: EC2AndNetworkingFullAccess
+            Effect: Allow
+            Action:
+              - 'ec2:*'
+              - 'elasticloadbalancing:*'
+              - 'autoscaling:*'
+            Resource: '*'
+          - Sid: ContainerServicesFullAccess
+            Effect: Allow
+            Action:
+              - 'ecr:*'
+            Resource: '*'
+          - Sid: IAMManagement
+            Effect: Allow
+            Action:
+              - 'iam:CreateRole'
+              - 'iam:DeleteRole'
+              - 'iam:GetRole'
+              - 'iam:ListRoles'
+              - 'iam:PassRole'
+              - 'iam:AttachRolePolicy'
+              - 'iam:DetachRolePolicy'
+              - 'iam:CreatePolicy'
+              - 'iam:DeletePolicy'
+              - 'iam:GetPolicy'
+              - 'iam:ListPolicies'
+              - 'iam:CreateServiceLinkedRole'
+              - 'iam:TagRole'
+              - 'iam:UntagRole'
+              - 'iam:GetRolePolicy'
+              - 'iam:PutRolePolicy'
+              - 'iam:DeleteRolePolicy'
+              - 'iam:ListAttachedRolePolicies'
+              - 'iam:ListRolePolicies'
+              - 'iam:ListEntitiesForPolicy'
+              - 'iam:CreateInstanceProfile'
+              - 'iam:GetPolicyVersion'
+              - 'iam:GetInstanceProfile'
+              - 'iam:CreateOpenIDConnectProvider'
+              - 'iam:TagPolicy'
+              - 'iam:TagOpenIDConnectProvider'
+              - 'iam:GetOpenIDConnectProvider'
+              - 'iam:DeleteOpenIDConnectProvider'
+              - 'iam:AddRoleToInstanceProfile'
+              - 'iam:DeleteInstanceProfile'
+            Resource: '*'
+          - Sid: ApplicationServicesFullAccess
+            Effect: Allow
+            Action:
+              - 'sqs:*'
+              - 'dynamodb:*'
+              - 's3:*'
+            Resource: '*'
+          - Sid: SystemsManagerAccess
+            Effect: Allow
+            Action:
+              - 'ssm:GetParameter'
+              - 'ssm:GetParameters'
+              - 'ssm:PutParameter'
+              - 'ssm:DeleteParameter'
+              - 'ssm:DescribeParameters'
+              - 'ssm:SendCommand'
+              - 'ssm:ListCommands'
+              - 'ssm:ListCommandInvocations'
+              - 'ssm:DescribeInstanceInformation'
+              - 'ssm:GetCommandInvocation'
+              - 'ssm:UpdateInstanceInformation'
+              - 'ssm:CreateDocument'
+              - 'ssm:DescribeDocumentParameters'
+              - 'ssm:GetDocument'
+              - 'ssm:ListDocuments'
+              - 'ssm:CreateAssociation'
+              - 'ssm:DescribeAssociation'
+              - 'ssm:ListAssociations'
+              - 'ssm:UpdateAssociation'
+              - 'ssm:DeleteAssociation'
+              - 'ssm:DescribeAssociationExecutions'
+              - 'ssm:DescribeAssociationExecutionTargets'
+              - 'ssm:StartAssociationsOnce'
+              - 'ssm:ListTagsForResource'
+              - 'ssmmessages:*'
+            Resource: '*'
+          - Sid: CloudFormationFullAccess
+            Effect: Allow
+            Action:
+              - 'cloudformation:*'
+            Resource: '*'
+          - Sid: KMSAccess
+            Effect: Allow
+            Action:
+              - 'kms:Decrypt'
+              - 'kms:DescribeKey'
+              - 'kms:CreateKey'
+              - 'kms:CreateAlias'
+              - 'kms:Encrypt'
+              - 'kms:GenerateDataKey'
+              - 'kms:ReEncrypt*'
+              - 'kms:TagResource'
+              - 'kms:ListAliases'
+              - 'kms:DeleteAlias'
+            Resource: '*'
+          - Sid: LogsAccess
+            Effect: Allow
+            Action:
+              - 'logs:CreateLogGroup'
+              - 'logs:CreateLogStream'
+              - 'logs:PutLogEvents'
+              - 'logs:DescribeLogGroups'
+              - 'logs:DescribeLogStreams'
+              - 'logs:PutRetentionPolicy'
+              - 'logs:ListTagsForResource'
+            Resource: '*'
+      Roles: 
+        - !Ref EC2Role
+
 Outputs:
   VsCodeIdeUrl:
     Description: The URL to access VS Code IDE

tenant-microservices/consumer/requirements.txt

@@ -2,7 +2,7 @@ blinker==1.6.3
 click==8.1.7
 Flask==3.0.0
 itsdangerous==2.1.2
-Jinja2==3.1.5
+Jinja2==3.1.6
 MarkupSafe==2.1.3
 Werkzeug==3.0.6
 boto3~=1.28.59

tenant-microservices/payments/requirements.txt

@@ -2,6 +2,6 @@ blinker==1.6.3
 click==8.1.7
 Flask==3.0.0
 itsdangerous==2.1.2
-Jinja2==3.1.3
+Jinja2==3.1.6
 MarkupSafe==2.1.3
 Werkzeug==3.0.6