Automated user migration and management of AWS Identity and Access Management (IAM) resources
# Ansible project configuration (presumably ansible.cfg): settings here apply
# to every play launched from this directory.
[defaults]
# Inventory directory; the inventory shown alongside defines the 'local'
# group that the playbook targets with `hosts: local`.
inventory = inventory/
# Render task results as YAML instead of the default JSON-ish callback.
stdout_callback = yaml
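---
# Playbook: bootstrap AWS IAM groups and users from a CSV export.
#
# Runs entirely on the control node (`hosts: local`); the AWS credentials
# present in the environment must be allowed to manage IAM policies, groups
# and users. Expected CSV columns (header row): usuarios,grupo,senha.
# The CSV contains initial passwords, so every task that handles a row is
# marked `no_log: true` to keep them out of the Ansible output.
- hosts: local
  tasks:
    - name: Read CSV files
      community.general.read_csv:
        # The original export filename is kept as the default; override with
        # `-e csv_path=<file>` instead of editing the play.
        path: "{{ csv_path | default('./files/usuarios2-210513-201333.csv') }}"
        delimiter: ","
      register: users
      # Redundant with `hosts: local` but harmless; kept for clarity.
      delegate_to: localhost
      # The registered result carries the 'senha' column in clear text.
      no_log: true

    - name: Output CSV content
      ansible.builtin.debug:
        # Print usernames only; `users.list` also holds each user's password.
        msg: "Users: {{ users.list | map(attribute='usuarios') | list }}"

    - name: AWS IAM - Create custom policy to enforce MFA
      community.aws.iam_managed_policy:
        policy_name: EnforceMFAPolicy
        # NOTE(review): the bundled enforce-mfa-policy.json lists
        # iam:CreateUser, iam:CreateLoginProfile and iam:AddUserToGroup in the
        # NotAction of its no-MFA deny, i.e. those calls stay allowed without
        # MFA for groups that otherwise permit them (e.g. AdministratorAccess).
        # Confirm that exemption is intended before rolling this out.
        policy: "{{ lookup('file', 'enforce-mfa-policy.json') }}"
        state: present
      register: enforce_policy

    - name: AWS IAM - Create main groups
      community.aws.iam_group:
        name: "{{ item.name }}"
        # Each group gets its functional AWS-managed policy plus the MFA
        # enforcement policy created above.
        managed_policies:
          - "{{ item.policy }}"
          - "{{ enforce_policy.policy.arn }}"
        state: present
      loop:
        - name: CloudAdmin
          policy: arn:aws:iam::aws:policy/AdministratorAccess
        - name: LinuxAdmin
          policy: arn:aws:iam::aws:policy/AmazonEC2FullAccess
        - name: RedesAdmin
          policy: arn:aws:iam::aws:policy/AmazonVPCFullAccess
        - name: DBA
          policy: arn:aws:iam::aws:policy/AmazonRDSFullAccess
        - name: Estagiarios
          policy: arn:aws:iam::aws:policy/ReadOnlyAccess
      register: groups

    - name: AWS IAM - Create users based on CSV list
      community.aws.iam_user:
        name: "{{ item.usuarios }}"
        password: "{{ item.senha }}"
        # Force a password change at first sign-in, matching the CLI script's
        # --password-reset-required (needs community.aws >= 3.1.0).
        password_reset_required: true
        state: present
      loop: "{{ users.list }}"
      # Passwords are module arguments here; hide them from the task log.
      # NOTE(review): rerunning the play resets passwords unless
      # update_password is set to on_create — check the module docs.
      no_log: true

    - name: AWS IAM - Add users to main groups
      community.aws.iam_group:
        name: "{{ item.grupo }}"
        # One user per iteration; membership is additive (purge_users is left
        # at its default), so existing members are not removed.
        users:
          - "{{ item.usuarios }}"
        state: present
      loop: "{{ users.list }}"
      no_log: true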
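#!/bin/bash
# Purpose: create the EnforceMFAPolicy managed policy from a JSON document
#          and attach it to the main IAM groups.
# Usage:   ./<script> <path to the policy JSON, e.g. enforce-mfa-policy.json>
# Requires: aws cli configured with IAM permissions, jq.
#
# Fails fast: an unset variable, a failed aws call (e.g. the policy already
# exists) or a broken pipe stops the script instead of attaching an empty ARN.
set -euo pipefail

INPUT=${1:-}
POLICY_NAME=EnforceMFAPolicy
declare -a groups=(CloudAdmin LinuxAdmin RedesAdmin DBA Estagiarios)

[ -n "$INPUT" ] && [ -f "$INPUT" ] || {
  echo "uso: $0 <arquivo da policy JSON>" >&2
  exit 99
}

command -v jq >/dev/null || {
  echo "utilitario jq nao encontrado. Por favor, instale jq antes de rodar o script." >&2
  exit 1
}

# create policy EnforceMFAPolicy
# `jq -r` prints the bare ARN, so no sed quote-stripping is needed.
POLICY_ARN=$(aws iam create-policy --policy-name "$POLICY_NAME" \
  --policy-document "file://$INPUT" | jq -r '.Policy.Arn')
[ -n "$POLICY_ARN" ] && [ "$POLICY_ARN" != "null" ] || {
  echo "nao foi possivel obter o ARN da policy $POLICY_NAME" >&2
  exit 1
}

# attach policy EnforceMFAPolicy to defined groups
for group in "${groups[@]}"; do
  aws iam attach-group-policy --group-name "$group" --policy-arn "$POLICY_ARN"
done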
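#!/bin/bash
# Purpose: automates the creation of IAM users in AWS.
# Usage:   ./aws-iam-cria-usuario.sh <input file in .csv format>
# Input file format: usuarios,grupo,senha  (header row is skipped)
# Author: Jean Rodrigues
# ------------------------------------------
# Deliberately no `set -e`: one failing row (e.g. a user that already exists)
# must not abort the remaining rows; aws prints its own error for that row.
set -u

INPUT=${1:-}

[ -n "$INPUT" ] && [ -f "$INPUT" ] || {
  echo "$INPUT arquivo nao encontrado" >&2
  exit 99
}

## this code block is no needed for Linux users
command -v dos2unix >/dev/null || {
  echo "utilitario dos2unix nao encontrado. Por favor, instale dos2unix antes de rodar o script." >&2
  exit 1
}
# NOTE: dos2unix rewrites the input file in place (strips CR line endings).
dos2unix "$INPUT"
##

# IFS is scoped to `read` only, so it does not alter word splitting elsewhere;
# the `|| [ -n "$usuario" ]` keeps a last line that lacks a trailing newline.
while IFS=',;' read -r usuario grupo senha || [ -n "$usuario" ]; do
  # skip blank lines and the header row
  [ -z "$usuario" ] && continue
  [ "$usuario" = "usuarios" ] && continue
  # The password is an argument here, so it is briefly visible to other local
  # users in the process list; run this only from a trusted admin host.
  aws iam create-user --user-name "$usuario"
  aws iam create-login-profile --password-reset-required --user-name "$usuario" --password "$senha"
  aws iam add-user-to-group --group-name "$grupo" --user-name "$usuario"
done <"$INPUT"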
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowViewAccountInfo",
"Effect": "Allow",
"Action": "iam:ListVirtualMFADevices",
"Resource": "*"
},
{
"Sid": "AllowManageOwnVirtualMFADevice",
"Effect": "Allow",
"Action": ["iam:CreateVirtualMFADevice", "iam:DeleteVirtualMFADevice"],
"Resource": "arn:aws:iam::*:mfa/${aws:username}"
},
{
"Sid": "AllowManageOwnUserMFA",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice",
"iam:EnableMFADevice",
"iam:GetUser",
"iam:ListMFADevices",
"iam:ResyncMFADevice"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "DenyAllExceptListedIfNoMFA",
"Effect": "Deny",
"NotAction": [
"iam:ListUsers",
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:GetUser",
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ResyncMFADevice",
"iam:ChangePassword",
"iam:CreateUser",
"iam:CreateLoginProfile",
"iam:AddUserToGroup",
"sts:GetSessionToken"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
]
}
---
# Inventory: a single 'local' group whose only host is the control node.
# ansible_connection: local runs tasks in-process (no SSH), which is what the
# playbook's `hosts: local` relies on for its AWS API calls.
local:
  hosts:
    localhost:
      ansible_connection: local