Add CMS IAM user and key #793

Merged (1 commit), Dec 9, 2024
89 changes: 89 additions & 0 deletions spire/templates/apps/cms.yml
Expand Up @@ -135,6 +135,87 @@ Resources:
Threshold: 0
TreatMissingData: notBreaching

TaskUser:
Type: AWS::IAM::User
Properties:
Policies:
- PolicyDocument:
Statement:
- Action: sns:Publish
Effect: Allow
Resource: !Ref PorterJobExecutionSnsTopicArn
Sid: AllowPublish
Version: "2012-10-17"
PolicyName: Porter
- PolicyDocument:
Statement:
- Action:
- sqs:ChangeMessageVisibility
- sqs:DeleteMessage
- sqs:GetQueueAttributes
- sqs:GetQueueUrl
- sqs:ReceiveMessage
- sqs:SendMessage
Effect: Allow
Resource:
- !GetAtt AudioCallbackQueue.Arn
- !GetAtt ImageCallbackQueue.Arn
- !GetAtt PodcastImportQueue.Arn
- !GetAtt SearchIndexerQueue.Arn
- !GetAtt DefaultJobQueue.Arn
Sid: AllowShoryuken
Version: "2012-10-17"
PolicyName: AppQueues
- PolicyDocument:
Statement:
- Action: sns:Publish
Effect: Allow
Resource: !Sub arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${AnnounceResourcePrefix}*
Sid: AllowPublish
Version: "2012-10-17"
PolicyName: Announce
- PolicyDocument:
Statement:
- Action:
- s3:GetObject
- s3:GetObjectVersion
- s3:ListBucket
- s3:ListAllMyBuckets
Effect: Allow
Resource: "*" # TODO Seems very permissive
Version: "2012-10-17"
PolicyName: S3ReadOnly
- PolicyDocument:
Statement:
- Action: s3:ListAllMyBuckets
Effect: Allow
Resource: "*"
- Action:
- s3:AbortMultipartUpload
- s3:DeleteObject
- s3:Get*
- s3:List*
- s3:Put*
- s3:RestoreObject
Effect: Allow
Resource:
- !Sub ${FeedsS3BucketArn}/*
- !Ref FeedsS3BucketArn
Version: "2012-10-17"
PolicyName: S3FeedBucket
Tags:
- { Key: prx:meta:tagging-version, Value: "2021-04-07" }
- { Key: prx:cloudformation:stack-name, Value: !Ref AWS::StackName }
- { Key: prx:cloudformation:stack-id, Value: !Ref AWS::StackId }
- { Key: prx:cloudformation:root-stack-name, Value: !Ref RootStackName }
- { Key: prx:cloudformation:root-stack-id, Value: !Ref RootStackId }
- { Key: prx:ops:environment, Value: !Ref EnvironmentType }
- { Key: prx:dev:application, Value: Network }
TaskUserAccessKey:
Type: AWS::IAM::AccessKey
Properties:
UserName: !Ref TaskUser

TaskRole:
Type: AWS::IAM::Role
Properties:
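Review bot: The S3ReadOnly policy on TaskUser grants s3:GetObject, s3:GetObjectVersion and s3:ListBucket on `Resource: "*"`, and the inline `# TODO Seems very permissive` comment acknowledges it; this should be scoped to the specific bucket ARNs the CMS reads before merging rather than left as a TODO. The S3FeedBucket policy in the same hunk already shows the right pattern: `s3:ListAllMyBuckets` alone on `"*"` (that action only supports a wildcard resource), with the object and bucket actions limited to `${FeedsS3BucketArn}/*` and `!Ref FeedsS3BucketArn`. Separately, TaskUserAccessKey is a long-lived static credential created alongside the existing TaskRole; with no rotation mechanism in the template, it is worth documenting why the role cannot cover these permissions and how the key will be rotated.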
Expand Down Expand Up @@ -329,6 +410,10 @@ Resources:
Value: !Ref AWS::Region
- Name: AWS_DEFAULT_REGION
Value: !Ref AWS::Region
- Name: AWS_ACCESS_KEY_ID
Value: !Ref TaskUserAccessKey
- Name: AWS_SECRET_ACCESS_KEY
Value: !GetAtt TaskUserAccessKey.SecretAccessKey
- Name: MEMCACHE_SERVERS
Value: !Ref SharedMemcachedEndpointAddress
- Name: DB_PORT_3306_TCP_ADDR
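Review bot: Injecting `AWS_SECRET_ACCESS_KEY` via `!GetAtt TaskUserAccessKey.SecretAccessKey` as a plain `Environment` entry places the long-lived secret in the task definition itself, where it is readable by anyone who can call DescribeTaskDefinition or view the stack's resources. If the key must be used, prefer the container definition's `Secrets` field backed by Secrets Manager or SSM Parameter Store so the value is not stored in the task definition. Also note that static credentials in `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` take precedence over container credentials in the SDK credential chain, so once these are set the permissions on the existing TaskRole no longer apply to this container; that interaction should be called out in the PR description.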
Expand Down Expand Up @@ -442,6 +527,10 @@ Resources:
Value: !Ref AWS::Region
- Name: AWS_DEFAULT_REGION
Value: !Ref AWS::Region
- Name: AWS_ACCESS_KEY_ID
Value: !Ref TaskUserAccessKey
- Name: AWS_SECRET_ACCESS_KEY
Value: !GetAtt TaskUserAccessKey.SecretAccessKey
- Name: MEMCACHE_SERVERS
Value: !Ref SharedMemcachedEndpointAddress
- Name: DB_PORT_3306_TCP_ADDR
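Review bot: This second container definition duplicates the same `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` pair from the earlier hunk, so the same concern applies: the secret is embedded in plain environment variables and overrides the task role's credentials. If the key is kept, moving both containers to the `Secrets` field with a single Secrets Manager or SSM reference means a rotation changes one place instead of two.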