ps/Modules/Alkami.DevOps.SystemEngineering/Private/Get-AlkamiSecretResourcePolicyString.ps1

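function Get-AlkamiSecretResourcePolicyString {
<#
.SYNOPSIS
Returns the string for an AWS Secret resource policy that allows access to admins and SysEng (by default).
.DESCRIPTION
Builds a single "Deny" statement for secretsmanager:* on every principal ("AWS": "*") whose aws:PrincipalArn
is not in an exemption list. The list always contains the CLI-SRE-Admin role, the DAG-AWS-Admins role and the
account root of the account behind -ProfileName; any non-blank entry of -SecretAccessExtraArns is appended.

The statement denies, it does not grant: exempted principals still need an identity-based Allow to read the
secret. Because a blank account number would turn the admin ARNs into malformed values and lock everyone out,
the function refuses to build a policy when the caller-identity lookup does not yield an account number.

Keys are emitted in a fixed order so the returned JSON is stable across runs and can be diffed.
.PARAMETER ProfileName
[string] The AWS profile to use during when creating the resource policy.
.PARAMETER SecretAccessExtraArns
[string[]] An array of AWS ARNs allowed to access the secret in addition to the defaults. Null or blank
entries are ignored. Note that the Arn* condition operators honour wildcards, so a broad pattern here widens
who can reach the secret.
.OUTPUTS
[string] The policy document as compressed JSON.
.EXAMPLE
Get-AlkamiSecretResourcePolicyString -ProfileName 'temp-dev'
{"Version":"2012-10-17","Statement":[{"Sid":"DenyAllUnlessExplicitlyAllowed","Effect":"Deny","Principal":{"AWS":"*"},"Action":"secretsmanager:*","Resource":"*","Condition":{"ArnNotEquals":{"aws:PrincipalArn":["arn:aws:iam::327695573722:role/CLI-SRE-Admin","arn:aws:iam::327695573722:role/DAG-AWS-Admins","arn:aws:iam::327695573722:root"]}}}]}
.EXAMPLE
Get-AlkamiSecretResourcePolicyString -ProfileName 'temp-dev' -SecretAccessExtraArns @( 'ExampleArn1', 'ExampleArn2' )
{"Version":"2012-10-17","Statement":[{"Sid":"DenyAllUnlessExplicitlyAllowed","Effect":"Deny","Principal":{"AWS":"*"},"Action":"secretsmanager:*","Resource":"*","Condition":{"ArnNotEquals":{"aws:PrincipalArn":["arn:aws:iam::327695573722:role/CLI-SRE-Admin","arn:aws:iam::327695573722:role/DAG-AWS-Admins","arn:aws:iam::327695573722:root","ExampleArn1","ExampleArn2"]}}}]}
#>
    [CmdletBinding()]
    [OutputType([string])]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string] $ProfileName,

        [Parameter(Mandatory = $false)]
        [string[]] $SecretAccessExtraArns = $null
    )

    Import-AWSModule

    $accountNumber = (Get-STSCallerIdentity -ProfileName $ProfileName).Account
    # Fail fast: with an empty account number the admin ARNs below would be malformed, the ArnNotEquals
    # exemption would match nobody, and the Deny would apply to every principal (including the admins).
    if ([string]::IsNullOrWhiteSpace($accountNumber)) {
        throw "Unable to determine the AWS account number for profile '$ProfileName'; refusing to build a resource policy with malformed admin ARNs."
    }

    # Principals exempt from the Deny. Every principal not listed here is locked out of the secret.
    [string[]] $allowedArns = @(
        "arn:aws:iam::${accountNumber}:role/CLI-SRE-Admin",
        "arn:aws:iam::${accountNumber}:role/DAG-AWS-Admins",
        "arn:aws:iam::${accountNumber}:root"
    )

    # Add any extra ARNs that need access to the secret, skipping null/blank entries.
    foreach ($extraArn in $SecretAccessExtraArns) {
        if (-not [string]::IsNullOrWhiteSpace($extraArn)) {
            $allowedArns += $extraArn
        }
    }

    # Ordered dictionaries keep the insertion order, which makes the serialized policy deterministic.
    $statement = [ordered]@{
        Sid       = "DenyAllUnlessExplicitlyAllowed"
        Effect    = "Deny"
        Principal = [ordered]@{
            AWS = "*"
        }
        Action    = "secretsmanager:*"
        Resource  = "*"
        Condition = [ordered]@{
            ArnNotEquals = [ordered]@{
                "aws:PrincipalArn" = $allowedArns
            }
        }
    }

    $policyObj = [ordered]@{
        Version   = "2012-10-17"
        Statement = @( $statement )
    }

    return (ConvertTo-Json -InputObject $policyObj -Compress -Depth 10)
}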