

liberator permissions (#1478)
* iam:PassRole statements

* update export principal

* kms actions

* read event to dict

* import ast

* log event

* resource arn value

* update kms sid
timburke-hackit authored Nov 3, 2023
1 parent 583d6cb commit 23f8939
Showing 3 changed files with 43 additions and 10 deletions.
10 changes: 8 additions & 2 deletions lambdas/export_rds_snapshot_to_s3/main.py
@@ -1,5 +1,6 @@
import logging
import os
import ast

import boto3
from botocore.exceptions import ClientError
@@ -9,12 +10,17 @@


def lambda_handler(event, context):
snapshot_identifier = event["detail"]["SnapshotIdentifier"]
source_arn = event["detail"]["SourceArn"]
print("## EVENT")
print(event)

bucket_name = os.environ["BUCKET_NAME"]
iam_role_arn = os.environ["IAM_ROLE_ARN"]
kms_key_id = os.environ["KMS_KEY_ID"]

event = ast.literal_eval(event)
snapshot_identifier = event["detail"]["SourceIdentifier"]
source_arn = event["detail"]["SourceArn"]

try:
rds.start_export_task(
ExportTaskIdentifier=snapshot_identifier,
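Review bot: `event = ast.literal_eval(event)` in lambda_handler will raise `ValueError: malformed node or string` on a normal EventBridge invocation, because for a JSON event the Python runtime already passes the handler a `dict`, not a string; and if the payload does arrive as a string it is JSON, whose `true`/`false`/`null` are not Python literals, so `ast.literal_eval` rejects those as well. Parse only when needed and with the JSON parser: `if isinstance(event, str): event = json.loads(event)`, with `import json` in place of `import ast`. The two new `print` calls dump the entire event to CloudWatch on every invocation; the file already imports `logging`, so a `logger.debug("event=%s", event)` keeps the payload out of routine logs (presumably a logger is configured further down, not visible here). `SourceArn` is taken from the event without any check that it belongs to the expected account or cluster, so with the new `iam:PassRole` grant any event that reaches this function can start an export of whatever snapshot the role can read; a prefix check against the expected ARN would bound that. lambda_handler's body continues past the end of the hunk.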
10 changes: 7 additions & 3 deletions lambdas/rds_snapshot_export_s3_to_s3_copier/main.py
@@ -1,4 +1,5 @@
import os
import ast

import boto3

@@ -57,8 +58,8 @@ def s3_copy_folder(
continue
source_key_split = source_key.split("/")
parquet_file_name = source_key_split[-1]
database_name = source_key_split("/")[1]
table_name = source_key_split("/")[2]
database_name = source_key_split[1]
table_name = source_key_split[2]
copy_object_params = {
"Bucket": target_bucket,
"CopySource": f"{source_bucket}/{source_key}",
@@ -85,6 +86,8 @@ def start_workflow_run(workflow_name: str, glue_client):


def lambda_handler(event, context) -> None:
print("## EVENT")
print(event)
s3 = boto3.client("s3")

source_bucket = os.environ["SOURCE_BUCKET"]
@@ -98,7 +101,8 @@ def lambda_handler(event, context) -> None:
else:
target_prefix = ""

snapshot_id = event["detail"]["SnapshotIdentifier"]
event = ast.literal_eval(event)
snapshot_id = event["detail"]["SourceIdentifier"]

s3_copy_folder(
s3, source_bucket, source_prefix, target_bucket, target_prefix, snapshot_id
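Review bot: `event = ast.literal_eval(event)` in lambda_handler fails with `ValueError` on the `dict` the Python runtime passes for a JSON event, and would also reject JSON `true`/`false`/`null` if the event ever arrived as a string, so this line breaks the copier on its normal trigger; use `if isinstance(event, str): event = json.loads(event)` and import `json` rather than `ast`. The correction to `source_key_split[1]`/`[2]` in s3_copy_folder is right, but it assumes every key under the prefix has at least three `/`-separated segments; a guard such as `if len(source_key_split) < 3: continue` before those lines stops one stray object from aborting the whole copy with an `IndexError`. The new `print(event)` logs the full payload on every run; `logging` at debug level would be the usual choice, though no logger is set up in this file as far as the hunks show. Both s3_copy_folder and lambda_handler begin or end outside the hunks shown.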
33 changes: 28 additions & 5 deletions terraform/modules/rds-snapshot-to-s3/iam.tf
@@ -64,6 +64,18 @@ data "aws_iam_policy_document" "lambda_assume_role" {
type = "Service"
}
}

statement {
actions = [
"sts:AssumeRole"
]
principals {
identifiers = [
"export.rds.amazonaws.com"
]
type = "Service"
}
}
}

# RDS Snapshot to S3 lambda IAM
@@ -86,9 +98,13 @@ data "aws_iam_policy_document" "rds_snapshot_to_s3_lambda" {
}

statement {
actions = ["iam:PassRole"]
effect = "Allow"
resources = [var.rds_snapshot_service_arn]
actions = [
"iam:PassRole"
]
effect = "Allow"
resources = [
aws_iam_role.rds_snapshot_to_s3_lambda_role.arn
]
}

statement {
@@ -103,10 +119,17 @@ data "aws_iam_policy_document" "rds_snapshot_to_s3_lambda" {
}

statement {
sid = "AllowKMSDecrypt"
sid = "AllowKMSAccess"
actions = [
"kms:Encrypt",
"kms:GenerateDataKey",
"kms:Decrypt",
"kms:GenerateDataKey*"
"kms:GenerateDataKeyPairWithoutPlaintext",
"kms:ReEncryptFrom",
"kms:ReEncryptTo",
"kms:CreateGrant",
"kms:DescribeKey",
"kms:RetireGrant"
]
effect = "Allow"
resources = [
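Review bot: Trusting `export.rds.amazonaws.com` on the Lambda's own execution role and granting the Lambda `iam:PassRole` on `aws_iam_role.rds_snapshot_to_s3_lambda_role.arn` means the RDS export service now runs with the Lambda's full permission set (KMS, S3, `rds:*` actions, PassRole) instead of a dedicated export role with only the S3 permissions it needs, which is what the replaced `var.rds_snapshot_service_arn` appears to have been; least privilege is a separate export role with PassRole scoped to that ARN. If the single-role shape is kept, at least bind the PassRole grant to the intended service with an `iam:PassedToService` condition so the role cannot be handed to any other service the trust policy may later admit. In `AllowKMSAccess`, `kms:GenerateDataKeyPairWithoutPlaintext` looks like a slip: the action the RDS snapshot-export documentation lists for the caller is `kms:GenerateDataKeyWithoutPlaintext` (the `Pair` variant is the asymmetric key-pair API), and the removed `kms:GenerateDataKey*` wildcard covered it, so exports to a KMS-encrypted bucket may now fail — worth confirming against the AWS docs before merging. `kms:CreateGrant` is also commonly constrained with `kms:GrantIsForAWSResource = true` so the role can only create grants on behalf of AWS services. The `lambda_assume_role` document and the KMS statement's `resources` list continue outside the hunks shown.
```hcl
statement {
  actions = [
    "iam:PassRole"
  ]
  effect = "Allow"
  resources = [
    aws_iam_role.rds_snapshot_to_s3_lambda_role.arn
  ]
  condition {
    test     = "StringEquals"
    variable = "iam:PassedToService"
    values   = ["export.rds.amazonaws.com"]
  }
}
```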
