125 lines
3.5 KiB
PowerShell
125 lines
3.5 KiB
PowerShell
|
function Get-SftpUserDefaultSecretString {
|
||
|
|
<#
|
||
|
|
.SYNOPSIS
|
||
|
|
Returns the default string for an SFTP user AWS Secret.
|
||
|
|
|
||
|
|
.DESCRIPTION
|
||
|
|
Returns the default string for an SFTP user AWS Secret. This structure must match exactly the expectations of the SFTP Authentication Lambda.
|
||
|
|
|
||
|
|
.PARAMETER BucketName
|
||
|
|
[string] The target SFTP S3 Bucket name for the environment.
|
||
|
|
|
||
|
|
.PARAMETER HomeDirSuffix
|
||
|
|
[string] The relative path in the target SFTP S3 bucket to jail the user's home directory.
|
||
|
|
|
||
|
|
.PARAMETER KmsArn
|
||
|
|
[string] The ARN of the KMS key used for SFTP S3 bucket object encryption for the environment.
|
||
|
|
|
||
|
|
.PARAMETER RoleArn
|
||
|
|
[string] The ARN of the IAM role used by the SFTP Transfer Server for the environment.
|
||
|
|
|
||
|
|
.PARAMETER PasswordHash
|
||
|
|
[string] The hashed password for the SFTP user.
|
||
|
|
#>
|
||
|
|
|
||
|
|
[CmdletBinding()]
|
||
|
|
[OutputType([string])]
|
||
|
|
param(
|
||
|
|
[Parameter(Mandatory = $true)]
|
||
|
|
[ValidateNotNullOrEmpty()]
|
||
|
|
[string] $BucketName,
|
||
|
|
|
||
|
|
[Parameter(Mandatory = $true)]
|
||
|
|
[ValidateNotNullOrEmpty()]
|
||
|
|
[string] $HomeDirSuffix,
|
||
|
|
|
||
|
|
[Parameter(Mandatory = $true)]
|
||
|
|
[ValidateNotNullOrEmpty()]
|
||
|
|
[string] $KmsArn,
|
||
|
|
|
||
|
|
[Parameter(Mandatory = $true)]
|
||
|
|
[ValidateNotNullOrEmpty()]
|
||
|
|
[string] $RoleArn,
|
||
|
|
|
||
|
|
[Parameter(Mandatory = $true)]
|
||
|
|
[ValidateNotNullOrEmpty()]
|
||
|
|
[string] $PasswordHash
|
||
|
|
)
|
||
|
|
|
||
|
|
$policyObj = @{
|
||
|
|
Version = '2012-10-17'
|
||
|
|
Statement = @(
|
||
|
|
@{
|
||
|
|
Sid = 'KMSAccess'
|
||
|
|
Action = @(
|
||
|
|
'kms:Decrypt',
|
||
|
|
'kms:Encrypt',
|
||
|
|
'kms:GenerateDataKey'
|
||
|
|
)
|
||
|
|
Effect = 'Allow'
|
||
|
|
Resource = $KmsArn
|
||
|
|
},
|
||
|
|
@{
|
||
|
|
Sid = 'AllowListingOfUserFolder'
|
||
|
|
Action = @(
|
||
|
|
's3:ListBucket'
|
||
|
|
)
|
||
|
|
Effect = 'Allow'
|
||
|
|
Resource = @(
|
||
|
|
"arn:aws:s3:::$BucketName"
|
||
|
|
)
|
||
|
|
Condition = @{
|
||
|
|
StringLike = @{
|
||
|
|
's3:prefix' = @(
|
||
|
|
"$HomeDirSuffix/*",
|
||
|
|
"$HomeDirSuffix"
|
||
|
|
)
|
||
|
|
}
|
||
|
|
}
|
||
|
|
},
|
||
|
|
@{
|
||
|
|
Sid = 'AWSTransferRequirements'
|
||
|
|
Effect = 'Allow'
|
||
|
|
Action = @(
|
||
|
|
's3:ListAllMyBuckets',
|
||
|
|
's3:GetBucketLocation'
|
||
|
|
)
|
||
|
|
Resource = '*'
|
||
|
|
},
|
||
|
|
@{
|
||
|
|
Sid = 'HomeDirObjectAccess'
|
||
|
|
Effect = 'Allow'
|
||
|
|
Action = @(
|
||
|
|
's3:PutObject',
|
||
|
|
's3:GetObject',
|
||
|
|
's3:DeleteObjectVersion',
|
||
|
|
's3:DeleteObject',
|
||
|
|
's3:GetObjectVersion'
|
||
|
|
)
|
||
|
|
Resource = @(
|
||
|
|
"arn:aws:s3:::$BucketName/$HomeDirSuffix/*"
|
||
|
|
)
|
||
|
|
}
|
||
|
|
)
|
||
|
|
}
|
||
|
|
|
||
|
|
$homeDirObj = @(
|
||
|
|
@{
|
||
|
|
Entry = '/'
|
||
|
|
Target = "/$BucketName/$HomeDirSuffix"
|
||
|
|
}
|
||
|
|
)
|
||
|
|
|
||
|
|
$policyStr = (ConvertTo-Json -InputObject $policyObj -Compress -Depth 10)
|
||
|
|
$homeDirStr = (ConvertTo-Json -InputObject $homeDirObj -Compress -Depth 10)
|
||
|
|
|
||
|
|
$object = @{
|
||
|
|
Password = $PasswordHash
|
||
|
|
Role = $RoleArn
|
||
|
|
Policy = $policyStr
|
||
|
|
HomeDirectoryDetails = $homeDirStr
|
||
|
|
}
|
||
|
|
|
||
|
|
return (ConvertTo-Json -InputObject $object)
|
||
|
|
}
|