kumogata-template example
#
# iam-and-s3
#
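require 'aws-sdk'
$: << File.dirname(__FILE__)
### common local library
require 'meta'
require 'aws'

# Resolves the policy document constant for a user or role name, e.g.
# "foo bar" -> FOO_BAR_POLICY. The constants themselves are Ruby hashes
# defined in meta.rb. Object.const_get replaces the original string eval:
# the name is still built from meta.rb data, but a constant lookup cannot
# execute arbitrary code, and an unknown name still fails with NameError.
policy_for = ->(name) { Object.const_get("#{name.gsub(' ', '_').upcase}_POLICY") }

AWSTemplateFormatVersion "2010-09-09"

Description (<<-EOS).undent
iam-user,
included all IAM users and S3
EOS

Parameters do
  # Stack name for this file. Several environments are built from the same
  # code, so the name is passed in with --parameter.
  _parameter "stack name", default: "", description: "the name of this stack"
  # Optional parameter file to pull in.
  _include "parameter.rb", name: "iam-and-s3", stage: ""
  # S3 bucket names; concretely, buckets named `infra` and `infra-dev` are created.
  _parameter "bucket name", default: "infra", description: "infra bucket name"
  _parameter "dev bucket name", default: "infra-dev", description: "infra-dev bucket name"
end

Mappings do
end

Resources do
  # IAM users and their policies; the policy bodies live in meta.rb.
  USERS.each do |user|
    _iam_user user
    _iam_access_key user, ref_user: user
    policy = policy_for.call(user)
    # A user whose policy document is empty still gets the user and access
    # key above, just no inline policy.
    next if policy.empty?
    _iam_policy user, policy: "v7-#{user}", policy_document: policy, ref_users: user
  end

  # IAM roles. Note that every entry in ROLES receives the same trust policy:
  # the Datadog account root with an external id. Confirm that is intended
  # for all roles rather than only the Datadog one.
  ROLES.each do |role|
    policy = policy_for.call(role)
    _iam_role role, aws: { account_id: DATADOG_ACCOUNT_ID, root: true },
                    external_id: DATADOG_AWS_EXTERNAL_ID
    _iam_policy role, policy: role,
                      policy_document: policy,
                      ref_roles: role
  end

  # MFA users with `Administrator` rights who can sign in to the AWS console.
  # NOTE(review): the initial console password is the user name itself; this
  # relies on the login profile's reset-on-first-login default in aws.rb (not
  # visible here) — confirm it forces a change. Each of these console users
  # also gets an access key.
  ADMIN_USERS.each do |user|
    _iam_user user, login_profile: { password: user }
    _iam_access_key user, ref_user: user
  end
  ADMIN_GROUPS.each do |group, prop|
    _iam_group group, managed_policies: prop[:managed_policies]
    _iam_user_to_group_addition group, ref_group: "#{group} group",
                                       ref_users: ADMIN_USERS.map { |user| "#{user} user" }
  end

  # `ReadOnly` console users.
  # NOTE(review): reset_required: false means these users keep the initial
  # password, which equals the user name — worth forcing a reset here too.
  READONLY_USERS.each do |user|
    _iam_user user, login_profile: { password: user, reset_required: false }
    _iam_access_key user, ref_user: user
  end
  # READONLY_GROPUS (sic) is the constant name as defined in meta.rb.
  READONLY_GROPUS.each do |group, prop|
    _iam_group group, managed_policies: prop[:managed_policies]
    _iam_user_to_group_addition group, ref_group: "#{group} group",
                                       ref_users: READONLY_USERS.map { |user| "#{user} user" }
  end

  # S3 buckets.
  BUCKETS.each do |bucket, value|
    _s3_bucket bucket, value
  end

  # Shared EC2 IAM instance profile.
  _iam_role 'ec2 infra', service: "ec2"
  _iam_policy 'ec2 infra', policy: 'infra',
                           policy_document: EC2_INFRA_EC2_POLICY,
                           ref_roles: 'ec2 infra'
  _iam_instance_profile "ec2 infra", ref_roles: 'ec2 infra'
end

Outputs do
  # Export the created IAM user information so it can be used from outside.
  # NOTE(review): what _output_access_key exports (key id only, or the secret
  # as well) is decided in aws.rb; stack outputs are readable by anyone who
  # can describe the stack, so the secret must stay out of them — confirm.
  (USERS + ADMIN_USERS + READONLY_USERS).each do |user|
    _output_name "#{user} user"
    _output_access_key "#{user} access key"
  end
  ADMIN_GROUPS.merge(READONLY_GROPUS).each_key do |group|
    _output_name "#{group} group"
  end
  ROLES.each { |role| _output_iam_role role }
  BUCKETS.each { |bucket, _value| _output_s3 bucket }
  _output_iam_instance_profile 'ec2 infra'
end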