mirror of
https://github.com/ivabus/www
synced 2024-11-22 23:45:06 +03:00
ops: implement granular permission configuration per lambda function
This commit is contained in:
parent
587d76a2b6
commit
1dff4c5323
5 changed files with 51 additions and 20 deletions
|
@ -33,6 +33,7 @@
|
||||||
"json-schema-to-ts": "^1.5.0",
|
"json-schema-to-ts": "^1.5.0",
|
||||||
"serverless": "^3.0.0",
|
"serverless": "^3.0.0",
|
||||||
"serverless-esbuild": "^1.23.3",
|
"serverless-esbuild": "^1.23.3",
|
||||||
|
"serverless-iam-roles-per-function": "^3.2.0",
|
||||||
"ts-node": "^10.4.0",
|
"ts-node": "^10.4.0",
|
||||||
"tsconfig-paths": "^3.9.0",
|
"tsconfig-paths": "^3.9.0",
|
||||||
"typescript": "^4.1.3"
|
"typescript": "^4.1.3"
|
||||||
|
|
|
@ -6,7 +6,10 @@ import ipfsUpload from '@functions/ipfsUpload';
|
||||||
const serverlessConfiguration: AWS = {
|
const serverlessConfiguration: AWS = {
|
||||||
service: 'lambdas',
|
service: 'lambdas',
|
||||||
frameworkVersion: '3',
|
frameworkVersion: '3',
|
||||||
plugins: ['serverless-esbuild'],
|
plugins: [
|
||||||
|
'serverless-esbuild',
|
||||||
|
'serverless-iam-roles-per-function'
|
||||||
|
],
|
||||||
provider: {
|
provider: {
|
||||||
name: 'aws',
|
name: 'aws',
|
||||||
runtime: 'nodejs14.x',
|
runtime: 'nodejs14.x',
|
||||||
|
@ -22,22 +25,7 @@ const serverlessConfiguration: AWS = {
|
||||||
iam: {
|
iam: {
|
||||||
deploymentRole: `arn:aws:iam::${process.env.AWS_ACCOUNT_ID || '640264234305'}:role/CloudFormationExecutionRole`,
|
deploymentRole: `arn:aws:iam::${process.env.AWS_ACCOUNT_ID || '640264234305'}:role/CloudFormationExecutionRole`,
|
||||||
role: {
|
role: {
|
||||||
statements: [
|
statements: []
|
||||||
{
|
|
||||||
"Effect": "Allow",
|
|
||||||
"Resource": [
|
|
||||||
"arn:aws:s3:::dist.tea.xyz",
|
|
||||||
"arn:aws:s3:::dist.tea.xyz/*",
|
|
||||||
"arn:aws:s3:::dist.tea.xyz/*/*",
|
|
||||||
],
|
|
||||||
"Action": [
|
|
||||||
"s3:GetBucketAcl",
|
|
||||||
"s3:List",
|
|
||||||
"s3:ListBucket",
|
|
||||||
"s3:PutObject"
|
|
||||||
]
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
vpc: {
|
vpc: {
|
||||||
|
@ -67,6 +55,11 @@ const serverlessConfiguration: AWS = {
|
||||||
platform: 'node',
|
platform: 'node',
|
||||||
concurrency: 10,
|
concurrency: 10,
|
||||||
},
|
},
|
||||||
|
'serverless-iam-roles-per-function': {
|
||||||
|
// on inherit: try to configure permission per function correctly
|
||||||
|
// TODO: ci/cd puresec-ish auto-auditing permissions
|
||||||
|
defaultInherit: false,
|
||||||
|
}
|
||||||
},
|
},
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -10,5 +10,21 @@ export default {
|
||||||
AWS_DIST_BUCKET: '${ssm:AW5_S3_BUCKET}',
|
AWS_DIST_BUCKET: '${ssm:AW5_S3_BUCKET}',
|
||||||
ALGOLIA_APP_ID: '${ssm:/algolia/app_id}',
|
ALGOLIA_APP_ID: '${ssm:/algolia/app_id}',
|
||||||
ALGOLIA_SEARCH_API_KEY: '${ssm:/algolia/search_api_key}',
|
ALGOLIA_SEARCH_API_KEY: '${ssm:/algolia/search_api_key}',
|
||||||
|
},
|
||||||
|
iamRoleStatements: [
|
||||||
|
{
|
||||||
|
Effect: 'Allow',
|
||||||
|
Action: [
|
||||||
|
's3:GetBucketAcl',
|
||||||
|
's3:List',
|
||||||
|
's3:ListBucket',
|
||||||
|
's3:PutObject'
|
||||||
|
],
|
||||||
|
Resource: [
|
||||||
|
"arn:aws:s3:::${ssm:AW5_S3_BUCKET}",
|
||||||
|
"arn:aws:s3:::${ssm:AW5_S3_BUCKET}/*",
|
||||||
|
"arn:aws:s3:::${ssm:AW5_S3_BUCKET}/*/*",
|
||||||
|
]
|
||||||
}
|
}
|
||||||
|
]
|
||||||
};
|
};
|
||||||
|
|
|
@ -32,5 +32,19 @@ export default {
|
||||||
environment: {
|
environment: {
|
||||||
AWS_DIST_BUCKET: '${ssm:AW5_S3_BUCKET}',
|
AWS_DIST_BUCKET: '${ssm:AW5_S3_BUCKET}',
|
||||||
IPFS_IP4_ADDRESS: '${ssm:/ipfs/ip4_address}',
|
IPFS_IP4_ADDRESS: '${ssm:/ipfs/ip4_address}',
|
||||||
|
},
|
||||||
|
iamRoleStatements: [
|
||||||
|
{
|
||||||
|
Effect: 'Allow',
|
||||||
|
Action: [
|
||||||
|
's3:GetObject',
|
||||||
|
's3:PutObject',
|
||||||
|
],
|
||||||
|
Resource: [
|
||||||
|
"arn:aws:s3:::${ssm:AW5_S3_BUCKET}",
|
||||||
|
"arn:aws:s3:::${ssm:AW5_S3_BUCKET}/*",
|
||||||
|
"arn:aws:s3:::${ssm:AW5_S3_BUCKET}/*/*",
|
||||||
|
]
|
||||||
}
|
}
|
||||||
|
]
|
||||||
};
|
};
|
||||||
|
|
|
@ -2856,7 +2856,7 @@ lodash.union@^4.6.0:
|
||||||
resolved "https://registry.yarnpkg.com/lodash.union/-/lodash.union-4.6.0.tgz#48bb5088409f16f1821666641c44dd1aaae3cd88"
|
resolved "https://registry.yarnpkg.com/lodash.union/-/lodash.union-4.6.0.tgz#48bb5088409f16f1821666641c44dd1aaae3cd88"
|
||||||
integrity sha512-c4pB2CdGrGdjMKYLA+XiRDO7Y0PRQbm/Gzg8qMj+QH+pFVAoTp5sBpO0odL3FjoPCGjK96p6qsP+yQoiLoOBcw==
|
integrity sha512-c4pB2CdGrGdjMKYLA+XiRDO7Y0PRQbm/Gzg8qMj+QH+pFVAoTp5sBpO0odL3FjoPCGjK96p6qsP+yQoiLoOBcw==
|
||||||
|
|
||||||
lodash@^4.17.11, lodash@^4.17.14, lodash@^4.17.15, lodash@^4.17.21:
|
lodash@^4.17.11, lodash@^4.17.14, lodash@^4.17.15, lodash@^4.17.20, lodash@^4.17.21:
|
||||||
version "4.17.21"
|
version "4.17.21"
|
||||||
resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#679591c564c3bffaae8454cf0b3df370c3d6911c"
|
resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#679591c564c3bffaae8454cf0b3df370c3d6911c"
|
||||||
integrity sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==
|
integrity sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==
|
||||||
|
@ -3893,6 +3893,13 @@ serverless-esbuild@^1.23.3:
|
||||||
ramda "^0.27.0"
|
ramda "^0.27.0"
|
||||||
semver "^7.3.5"
|
semver "^7.3.5"
|
||||||
|
|
||||||
|
serverless-iam-roles-per-function@^3.2.0:
|
||||||
|
version "3.2.0"
|
||||||
|
resolved "https://registry.yarnpkg.com/serverless-iam-roles-per-function/-/serverless-iam-roles-per-function-3.2.0.tgz#8bb5f68e73f391ac8ff9809b8e7726e5bafba4c4"
|
||||||
|
integrity sha512-AXmxACHEUsDcFDcv8QNwDgn2L0brRJ7pz/phD3lFB/wQ3TtPJkorC+J7PxgFQbaWIQk15EIlU83BtKXeQoPTAg==
|
||||||
|
dependencies:
|
||||||
|
lodash "^4.17.20"
|
||||||
|
|
||||||
serverless@^3.0.0:
|
serverless@^3.0.0:
|
||||||
version "3.23.0"
|
version "3.23.0"
|
||||||
resolved "https://registry.yarnpkg.com/serverless/-/serverless-3.23.0.tgz#407f804d55f3c11212b8e4de4325006b01658f7d"
|
resolved "https://registry.yarnpkg.com/serverless/-/serverless-3.23.0.tgz#407f804d55f3c11212b8e4de4325006b01658f7d"
|
||||||
|
|
Loading…
Reference in a new issue