@wesen
Created July 7, 2023 12:10
2023 07 03

IAM:

  • everything in AWS has an ARN (resources, users, roles, policies)
  • an IAM policy maps a principal (user, role, or service) to a list of statements: Effect (Allow or Deny), Action, Resource, and optionally Condition
  • the actions are service-namespaced names such as s3:GetObject or sts:AssumeRole, not ARNs; the Resource field is where the ARNs go
  • so each statement reads: this principal is allowed (or denied) to perform these actions on these resource ARNs, under these conditions
    • an explicit Deny anywhere wins; otherwise an Allow is needed; otherwise the request is implicitly denied

an IAM role is a name plus two kinds of policy: a trust policy (who may assume it) and permission policies (what it may do once assumed):

  • the tricky concept is the trust (assume-role) policy: for a Lambda execution role it grants sts:AssumeRole to the service principal lambda.amazonaws.com
    • the Lambda service assumes the role and runs the function with the role's permissions
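To make the principal / action / resource model and the assume-role trust check concrete, here is a toy evaluator. It is an added example written for these notes, not AWS code and not part of the gist: it models identity-based policies only, using the documented evaluation order (explicit Deny wins, then Allow, otherwise implicit deny) and IAM-style `*` / `?` wildcards. The account id, bucket and function names are made up.

```python
"""Toy model of IAM policy evaluation for the notes above (added example)."""
import fnmatch


def _as_list(value):
    """IAM lets Action/Resource/Principal be a string or a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, casefold=False):
    """IAM-style wildcard match: '*' matches any run, '?' one character.
    Action names are case-insensitive; ARNs are compared as written."""
    if casefold:
        value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower() if casefold else p)
               for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Decide one request (action on a resource ARN) against attached policies."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action, casefold=True):
                continue
            if not _matches(stmt.get("Resource", "*"), resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # a matching Deny ends evaluation
            decision = "Allow"
    return decision


def can_assume(trust_policy, principal_type, principal):
    """Trust policy check: may this principal ('Service' or 'AWS') call
    sts:AssumeRole on the role? This is the 'assume' the notes refer to."""
    return any(
        stmt["Effect"] == "Allow"
        and _matches(stmt["Action"], "sts:AssumeRole", casefold=True)
        and principal in _as_list(stmt.get("Principal", {}).get(principal_type, []))
        for stmt in trust_policy["Statement"]
    )


ACCOUNT = "123456789012"  # made-up account id

# Trust policy: WHO may assume the role. Only the Lambda service principal.
LAMBDA_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "lambda.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

# Permission policy: WHAT the role may do. Actions are namespaced names,
# resources are ARNs. The Deny keeps the report bucket off limits even if a
# broader policy is attached to the same role later.
UPLOAD_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::inventory-uploads/*"},
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": f"arn:aws:logs:us-east-1:{ACCOUNT}:log-group:/aws/lambda/inventory-upload:*"},
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::inventory-reports/*"},
    ],
}

# An over-broad policy someone might attach "to make it work".
BROAD_S3_POLICY = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    print(can_assume(LAMBDA_TRUST_POLICY, "Service", "lambda.amazonaws.com"))  # True
    print(evaluate([UPLOAD_ROLE_POLICY], "s3:PutObject",
                   "arn:aws:s3:::inventory-uploads/a.csv"))  # Allow
    print(evaluate([UPLOAD_ROLE_POLICY, BROAD_S3_POLICY], "s3:GetObject",
                   "arn:aws:s3:::inventory-reports/r.csv"))  # ExplicitDeny
```

The last call is the point of the Deny statement: attaching `BROAD_S3_POLICY` to the upload role still cannot reach the report bucket, whereas an Allow-only role would silently widen. Real IAM also evaluates resource policies, permission boundaries, SCPs and session policies, none of which this toy models.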


Generate a DSL

AWS Config (the configuration-audit service in AWS) continually records the configuration of resources and evaluates it against a set of rules (bundled as conformance packs); it also keeps a configuration history and can trigger automatic remediation of non-compliant resources.

Here's a list of the properties of terraform AWS resources we care about.

- ecr
  - name
  - image tag mutability
  - encryption type
  - image scanning configuration
  - lifecycle policy

- event rule
  - description
  - schedule
  - event target
  - arn

- lambda permission
  - scoped to CloudWatch Events: action lambda:InvokeFunction, principal events.amazonaws.com

- iam
  - name: this appears in the logs
  - assume-role (trust) policy: sts:AssumeRole for principal lambda.amazonaws.com
  - other role: trust policy that lets the account root (arn:aws:iam::<account>:root) assume the role

- lambda
  - account id
  - depends on
  - function name
  - role (explicit, in order to get the name in the logs)
  - package_type: image
  - image_uri
  - memory_size
  - timeout

- s3
  - bucket
  - bucket_versioning
  - public access block
  - server side encryption configuration

This describes the deployment of a lambda using a docker image.

We want the user to generate application deployment descriptions using this DSL which can:

- have one or multiple lambdas, using one or multiple images
- one or multiple S3 buckets
- create IAM roles for each lambda to control which S3 buckets they have access to
- create one or multiple cloudwatch events to trigger these lambdas on schedules

For each object in the DSL, add a description field with a concise natural language explanation of what this object is for.


Following is a sample DSL structure that presents the AWS resources you mentioned. Please note that it's a simplified & partial representation, expand upon it as per your requirement:

```yaml
application:
  description: "Application details for deployment of lambdas using docker image(s)"
  lambdas:
    - lambda1:
        description: "First Lambda function"
        accountId: 123456789012
        dependsOn: resourceX
        functionName: myFunction
        role: myLambdaRole
        packageType: image
        imageUri: 123456789012.dkr.ecr.us-west-2.amazonaws.com/my-repo:latest
        memorySize: 128
        timeout: 60
    - lambda2:
        description: "Second Lambda function"
  ecr:
    description: "AWS ECR configuration"
    name: my-repo
    imageTagMutability: MUTABLE
    encryptionType: AES256
    imageScanningConfiguration:
      scanOnPush: true
    lifecyclePolicy:
      lifecyclePolicyText: policyJson
  eventRules:
    - eventRule1:
        description: "First scheduled event rule"
        schedule: rate(5 minutes)
        targetArn: ARN   # ARN of the lambda the rule invokes (placeholder)
    - eventRule2:
        description: "Second scheduled event rule"
  iamRoles:
    - lambdaRole:
        description: "IAM role for lambda function"
        # trust policy: who may assume the role; S3 permissions are attached separately
        policy:
          action: 'sts:AssumeRole'
          principal:
            service: "lambda.amazonaws.com"
    - rootRole:
        description: "Root account IAM Role"
        # trusting the account root means any principal in that account
        # that has sts:AssumeRole permission can assume this role
        policy:
          action: 'sts:AssumeRole'
          principal:
            AWS: arn:aws:iam::123456789012:root
  s3:
    - bucket1:
        description: "First S3 bucket configuration, used for storing artefacts"
        versioning:
          status: Enabled
        publicAccessBlock:
          blockPublicAcls: true
          blockPublicPolicy: true
          ignorePublicAcls: true
          restrictPublicBuckets: true
        serverSideEncryptionConfiguration:
          rule:
            applyServerSideEncryptionByDefault:
              sseAlgorithm: AES256
    - bucket2:
        description: "Second S3 bucket"
```

In this YAML structure:

- Under `lambdas`, we have multiple lambda function deployments with specific configurations.
- Similarly, `eventRules` represents multiple CloudWatch Event rules that trigger these lambdas on schedules.
- `iamRoles` section represents IAM roles which are assigned to lambdas.
- `s3` section describes S3 bucket configuration.

Each IAM role, event rule, lambda function, ecr and S3 bucket has a good concise description that explains its purpose in this deployment. You can add/edit fields as per your requirements.

Create a DSL representation of an app:
- two lambdas, one for inventory control, and one for inventory upload
- two buckets, one for the inventory control reports, one for the inventory uploads
- the buckets are not server side encrypted, and are publicly accessible
- create a role to only allow inventory upload, but not access to the control reports
- create another role for the reports, which writes to the reports and reads from the uploads
- trigger the uploads every sunday at noon
- trigger the reports on mondays, thursdays during the night
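The two triggers above have to become EventBridge schedule expressions before Terraform can put them in `aws_cloudwatch_event_rule.schedule_expression`. The compiler below is an added example, not part of the gist: it accepts the DSL forms `rate(n=5, units=minutes)` and `every(day=sunday)` used in the sample further down, and adds `hour=`/`minute=` arguments and comma-separated day lists (assumptions made here) so "Sunday at noon" and "Monday and Thursday at night" can be expressed. EventBridge rule cron expressions are evaluated in UTC, so "noon" means 12:00 UTC.

```python
"""Compile DSL schedule strings into EventBridge schedule expressions (added example)."""
import re

_DAYS = {"sunday": "SUN", "monday": "MON", "tuesday": "TUE", "wednesday": "WED",
         "thursday": "THU", "friday": "FRI", "saturday": "SAT"}


def _parse(expr):
    """'every(day=monday,thursday, hour=2)' -> ('every', {'day': 'monday,thursday', 'hour': '2'})"""
    m = re.fullmatch(r"\s*(\w+)\((.*)\)\s*", expr)
    if not m:
        raise ValueError(f"bad schedule expression: {expr!r}")
    kind, args = m.groups()
    kv = {}
    # split on commas only where a new key=value starts, so day lists survive
    for part in re.split(r",\s*(?=\w+=)", args.strip()):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"expected key=value, got {part!r}")
        kv[key.strip()] = value.strip()
    return kind, kv


def compile_schedule(expr):
    """Return the string for aws_cloudwatch_event_rule.schedule_expression."""
    kind, kv = _parse(expr)
    if kind == "rate":
        n, unit = int(kv.get("n", 0)), kv.get("units", "").rstrip("s")
        if n < 1 or unit not in ("minute", "hour", "day"):
            raise ValueError(f"bad rate: {expr!r}")
        return f"rate({n} {unit if n == 1 else unit + 's'})"  # singular for 1
    if kind == "every":
        days = []
        for d in kv.get("day", "").split(","):
            if d.strip().lower() not in _DAYS:
                raise ValueError(f"unknown day {d!r} in {expr!r}")
            days.append(_DAYS[d.strip().lower()])
        hour, minute = int(kv.get("hour", 0)), int(kv.get("minute", 0))
        if not (0 <= hour < 24 and 0 <= minute < 60):
            raise ValueError(f"bad time in {expr!r}")
        # EventBridge cron fields: minutes hours day-of-month month day-of-week year;
        # exactly one of day-of-month / day-of-week must be '?'
        return f"cron({minute} {hour} ? * {','.join(days)} *)"
    raise ValueError(f"unknown schedule kind {kind!r}")


if __name__ == "__main__":
    # the inventory app's two triggers, assuming 02:00 UTC for "during the night"
    print(compile_schedule("every(day=sunday, hour=12)"))           # cron(0 12 ? * SUN *)
    print(compile_schedule("every(day=monday,thursday, hour=2)"))  # cron(0 2 ? * MON,THU *)
```

Rejecting unknown days and out-of-range times at compile time matters because EventBridge only validates the expression when the rule is created, which in a Terraform run means a failed apply after the other resources already exist.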
A second, more abstract version of the sample DSL: sizes and schedules are symbolic, roles are defined by the bucket permissions they grant rather than by raw policy documents, and storage entries carry a type:

```yaml
application:
  description: "Application details for deployment of lambdas using docker image(s)"
  lambdas:
    - myFunction:
        description: "My first function"
        roles:
          - allowBucket1Write
        memory: small
        timeout: 60
    - myOtherFunction:
        description: "Second Lambda function"
        roles:
          - allowBucket1Read
          - allowBucket2All
        memory: medium
  eventRules:
    - runMyFunctionEvery5Minutes:
        description: "Run myFunction every 5 minutes"
        schedule: rate(n=5, units=minutes)
        target: myFunction
    - eventRule2:
        description: "Run myOtherFunction every sunday"
        target: myOtherFunction
        schedule: every(day=sunday)
  iamRoles:
    - allowBucket1Read:
        description: "Allow reading from bucket1"
        resources:
          bucket1:
            - read
    - allowBucket1Write:
        description: "Allow writing to bucket1"
        resources:
          bucket1:
            - write
    - allowBucket2All:
        description: "Allow reading from and writing to bucket2"
        resources:
          bucket2:
            - read
            - write
  storage:
    - bucket1:
        type: objectStorage
        description: "First S3 bucket configuration, used for storing artefacts"
        configuration:
            versioning: true
            publicAccess: true           # deliberately public and unencrypted, as the
            serverSideEncryption: false  # inventory prompt asks; not a default to copy
    - bucket2:
        type: objectStorage
        description: "Second S3 bucket"
        configuration:
            serverSideEncryption: AES256
```

In this YAML structure:

- Under `lambdas`, we have multiple lambda function deployments with specific configurations.
- Similarly, `eventRules` represents multiple CloudWatch Event rules that trigger these lambdas on schedules.
- `iamRoles` section represents IAM roles which are assigned to lambdas.
- `storage` section describes S3 bucket configuration.
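The point of the `iamRoles` / `storage` shape is that a generator can turn it into least-privilege IAM and check the bucket settings before anything is applied. The compiler below is an added example, not code from the gist: it takes a constructed DSL document in the shape of the YAML above (the dict `yaml.safe_load` would return, with entry names as dict keys rather than single-key list items), expands `read`/`write` into S3 actions on the right ARNs, builds the `aws_lambda_permission` that lets EventBridge invoke a function, and runs the kind of checks AWS Config would run over the storage section. Account id, region, function and bucket names are made up.

```python
"""Compile the bucket-permission DSL into IAM policy JSON and audit storage (added example)."""
import json

ACCOUNT, REGION = "123456789012", "us-east-1"  # made-up

# Constructed DSL document for the inventory app from the prompt above.
DSL = {
    "lambdas": {
        "inventoryUpload": {"roles": ["allowUploadsWrite"]},
        "inventoryReport": {"roles": ["allowUploadsRead", "allowReportsWrite"]},
    },
    "iamRoles": {
        "allowUploadsWrite": {"resources": {"inventoryUploads": ["write"]}},
        "allowUploadsRead": {"resources": {"inventoryUploads": ["read"]}},
        "allowReportsWrite": {"resources": {"inventoryReports": ["write"]}},
    },
    "storage": {
        "inventoryUploads": {"type": "objectStorage", "configuration": {
            "versioning": True, "publicAccess": True, "serverSideEncryption": False}},
        "inventoryReports": {"type": "objectStorage", "configuration": {
            "versioning": True, "publicAccess": False, "serverSideEncryption": "AES256"}},
    },
}

# What each DSL verb expands to. "read" needs ListBucket on the bucket ARN
# itself and GetObject on the objects; "write" only touches objects.
_VERBS = {
    "read": [("s3:ListBucket", "{bucket}"), ("s3:GetObject", "{bucket}/*")],
    "write": [("s3:PutObject", "{bucket}/*")],
}


def role_policy(dsl, role_name):
    """Identity-based policy document for one DSL role: only the verbs
    listed, only on the buckets listed."""
    statements = []
    for bucket, verbs in dsl["iamRoles"][role_name]["resources"].items():
        arn = f"arn:aws:s3:::{bucket}"
        for verb in verbs:
            for action, res in _VERBS[verb]:
                statements.append({"Effect": "Allow", "Action": action,
                                   "Resource": res.format(bucket=arn)})
    return {"Version": "2012-10-17", "Statement": statements}


def bucket_access(dsl, lambda_name):
    """Union of verbs a lambda's roles grant, per bucket. This is the check
    that the upload function has nothing at all on the report bucket."""
    access = {}
    for role in dsl["lambdas"][lambda_name]["roles"]:
        for bucket, verbs in dsl["iamRoles"][role]["resources"].items():
            access.setdefault(bucket, set()).update(verbs)
    return access


def invoke_permission(function_name, rule_name):
    """aws_lambda_permission equivalent: let EventBridge invoke the function,
    but only from this one rule (SourceArn), not from any rule in any account."""
    return {
        "Action": "lambda:InvokeFunction",
        "Principal": "events.amazonaws.com",
        "FunctionName": function_name,
        "SourceArn": f"arn:aws:events:{REGION}:{ACCOUNT}:rule/{rule_name}",
    }


def audit_storage(dsl):
    """AWS Config-style findings over the storage section."""
    findings = []
    for name, bucket in dsl["storage"].items():
        cfg = bucket.get("configuration", {})
        if cfg.get("publicAccess"):
            findings.append((name, "public access block disabled"))
        if not cfg.get("serverSideEncryption"):
            findings.append((name, "no server-side encryption"))
        if not cfg.get("versioning"):
            findings.append((name, "versioning disabled"))
    return findings


if __name__ == "__main__":
    print(json.dumps(role_policy(DSL, "allowUploadsRead"), indent=2))
    print(bucket_access(DSL, "inventoryUpload"))   # {'inventoryUploads': {'write'}}
    print(audit_storage(DSL))
```

`bucket_access` is the property the prompt asks for ("only allow inventory upload, but not access to the control reports") expressed as a test rather than as a reading of policy text; `audit_storage` reports exactly the two weaknesses the prompt deliberately requests for the uploads bucket, which is what a Config rule would flag after apply.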