ops: implement granular permission configuration per lambda function

neil 2022-10-28 10:11:48 +08:00
parent 587d76a2b6
commit 1dff4c5323
5 changed files with 51 additions and 20 deletions


@ -33,6 +33,7 @@
"json-schema-to-ts": "^1.5.0", "json-schema-to-ts": "^1.5.0",
"serverless": "^3.0.0", "serverless": "^3.0.0",
"serverless-esbuild": "^1.23.3", "serverless-esbuild": "^1.23.3",
"serverless-iam-roles-per-function": "^3.2.0",
"ts-node": "^10.4.0", "ts-node": "^10.4.0",
"tsconfig-paths": "^3.9.0", "tsconfig-paths": "^3.9.0",
"typescript": "^4.1.3" "typescript": "^4.1.3"


@ -6,7 +6,10 @@ import ipfsUpload from '@functions/ipfsUpload';
const serverlessConfiguration: AWS = { const serverlessConfiguration: AWS = {
service: 'lambdas', service: 'lambdas',
frameworkVersion: '3', frameworkVersion: '3',
plugins: ['serverless-esbuild'], plugins: [
'serverless-esbuild',
'serverless-iam-roles-per-function'
],
provider: { provider: {
name: 'aws', name: 'aws',
runtime: 'nodejs14.x', runtime: 'nodejs14.x',
@ -22,22 +25,7 @@ const serverlessConfiguration: AWS = {
iam: { iam: {
deploymentRole: `arn:aws:iam::${process.env.AWS_ACCOUNT_ID || '640264234305'}:role/CloudFormationExecutionRole`, deploymentRole: `arn:aws:iam::${process.env.AWS_ACCOUNT_ID || '640264234305'}:role/CloudFormationExecutionRole`,
role: { role: {
statements: [ statements: []
{
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::dist.tea.xyz",
"arn:aws:s3:::dist.tea.xyz/*",
"arn:aws:s3:::dist.tea.xyz/*/*",
],
"Action": [
"s3:GetBucketAcl",
"s3:List",
"s3:ListBucket",
"s3:PutObject"
]
}
]
} }
}, },
vpc: { vpc: {
@ -67,6 +55,11 @@ const serverlessConfiguration: AWS = {
platform: 'node', platform: 'node',
concurrency: 10, concurrency: 10,
}, },
'serverless-iam-roles-per-function': {
// on inherit: try to configure permission per function correctly
// TODO: ci/cd puresec-ish auto-auditing permissions
defaultInherit: false,
}
}, },
}; };
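Review bot: With `statements: []` on the provider role and `defaultInherit: false` in the new plugin block, any function that does not declare its own `iamRoleStatements` is left with only what the plugin grants on its own (the log-group permissions it manages and, from what I recall of this plugin, VPC permissions when a vpc block is present — confirm against the 3.2.0 version pinned here), and the provider-level grant on `dist.tea.xyz` that this hunk removes is re-created only in the two function configs of this commit. The `// on inherit: try to configure permission per function correctly` comment does not say that; I'd replace it with `// defaultInherit: false — functions no longer inherit provider.iam.role.statements; every function must list its own iamRoleStatements`. It is also worth checking that `${ssm:AW5_S3_BUCKET}`, used by the new per-function statements, resolves to the same bucket as the removed `arn:aws:s3:::dist.tea.xyz` grant, since a mismatch only surfaces as AccessDenied at runtime. The serverlessConfiguration object starts before the first hunk and its `functions` key is not in view, so I cannot tell how many functions are affected.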


@ -10,5 +10,21 @@ export default {
AWS_DIST_BUCKET: '${ssm:AW5_S3_BUCKET}', AWS_DIST_BUCKET: '${ssm:AW5_S3_BUCKET}',
ALGOLIA_APP_ID: '${ssm:/algolia/app_id}', ALGOLIA_APP_ID: '${ssm:/algolia/app_id}',
ALGOLIA_SEARCH_API_KEY: '${ssm:/algolia/search_api_key}', ALGOLIA_SEARCH_API_KEY: '${ssm:/algolia/search_api_key}',
},
iamRoleStatements: [
{
Effect: 'Allow',
Action: [
's3:GetBucketAcl',
's3:List',
's3:ListBucket',
's3:PutObject'
],
Resource: [
"arn:aws:s3:::${ssm:AW5_S3_BUCKET}",
"arn:aws:s3:::${ssm:AW5_S3_BUCKET}/*",
"arn:aws:s3:::${ssm:AW5_S3_BUCKET}/*/*",
]
} }
]
}; };
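Review bot: `'s3:List'` in the new `Action` list is not an S3 action (the list-type actions are `s3:ListBucket`, `s3:ListAllMyBuckets`, `s3:ListBucketVersions` and similar), so the entry grants nothing and only invites a policy-validation warning; it was carried over verbatim from the removed provider statement and should be dropped, leaving `'s3:GetBucketAcl', 's3:ListBucket', 's3:PutObject'`. The third `Resource` entry `arn:aws:s3:::${ssm:AW5_S3_BUCKET}/*/*` is already covered by the `/*` entry above it, because `*` in an S3 resource ARN matches across `/`, so it can go; the same redundancy appears in the ipfsUpload hunk below. The enclosing `export default` object starts before this hunk, so I cannot see which handler this is or whether it writes to the bucket — worth confirming `s3:PutObject` is needed rather than copied along with the rest.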


@ -32,5 +32,19 @@ export default {
environment: { environment: {
AWS_DIST_BUCKET: '${ssm:AW5_S3_BUCKET}', AWS_DIST_BUCKET: '${ssm:AW5_S3_BUCKET}',
IPFS_IP4_ADDRESS: '${ssm:/ipfs/ip4_address}', IPFS_IP4_ADDRESS: '${ssm:/ipfs/ip4_address}',
},
iamRoleStatements: [
{
Effect: 'Allow',
Action: [
's3:GetObject',
's3:PutObject',
],
Resource: [
"arn:aws:s3:::${ssm:AW5_S3_BUCKET}",
"arn:aws:s3:::${ssm:AW5_S3_BUCKET}/*",
"arn:aws:s3:::${ssm:AW5_S3_BUCKET}/*/*",
]
} }
]
}; };
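Review bot: The two actions granted here, `s3:GetObject` and `s3:PutObject`, are object-level, so the bucket ARN `arn:aws:s3:::${ssm:AW5_S3_BUCKET}` in `Resource` is never matched by them and the `/*/*` entry duplicates `/*`; the statement can be reduced to `Resource: ["arn:aws:s3:::${ssm:AW5_S3_BUCKET}/*"]` with no change in effective permissions. If the handler also lists the bucket it would need `s3:ListBucket` on the bucket ARN, but nothing in this hunk shows that. The enclosing `export default` object starts before the hunk; the `import ipfsUpload from '@functions/ipfsUpload'` visible in the serverless.ts hunk header suggests this is the ipfsUpload config, but the file path itself is not shown on the page.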


@ -2856,7 +2856,7 @@ lodash.union@^4.6.0:
resolved "https://registry.yarnpkg.com/lodash.union/-/lodash.union-4.6.0.tgz#48bb5088409f16f1821666641c44dd1aaae3cd88" resolved "https://registry.yarnpkg.com/lodash.union/-/lodash.union-4.6.0.tgz#48bb5088409f16f1821666641c44dd1aaae3cd88"
integrity sha512-c4pB2CdGrGdjMKYLA+XiRDO7Y0PRQbm/Gzg8qMj+QH+pFVAoTp5sBpO0odL3FjoPCGjK96p6qsP+yQoiLoOBcw== integrity sha512-c4pB2CdGrGdjMKYLA+XiRDO7Y0PRQbm/Gzg8qMj+QH+pFVAoTp5sBpO0odL3FjoPCGjK96p6qsP+yQoiLoOBcw==
lodash@^4.17.11, lodash@^4.17.14, lodash@^4.17.15, lodash@^4.17.21: lodash@^4.17.11, lodash@^4.17.14, lodash@^4.17.15, lodash@^4.17.20, lodash@^4.17.21:
version "4.17.21" version "4.17.21"
resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#679591c564c3bffaae8454cf0b3df370c3d6911c" resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#679591c564c3bffaae8454cf0b3df370c3d6911c"
integrity sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg== integrity sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==
@ -3893,6 +3893,13 @@ serverless-esbuild@^1.23.3:
ramda "^0.27.0" ramda "^0.27.0"
semver "^7.3.5" semver "^7.3.5"
serverless-iam-roles-per-function@^3.2.0:
version "3.2.0"
resolved "https://registry.yarnpkg.com/serverless-iam-roles-per-function/-/serverless-iam-roles-per-function-3.2.0.tgz#8bb5f68e73f391ac8ff9809b8e7726e5bafba4c4"
integrity sha512-AXmxACHEUsDcFDcv8QNwDgn2L0brRJ7pz/phD3lFB/wQ3TtPJkorC+J7PxgFQbaWIQk15EIlU83BtKXeQoPTAg==
dependencies:
lodash "^4.17.20"
serverless@^3.0.0: serverless@^3.0.0:
version "3.23.0" version "3.23.0"
resolved "https://registry.yarnpkg.com/serverless/-/serverless-3.23.0.tgz#407f804d55f3c11212b8e4de4325006b01658f7d" resolved "https://registry.yarnpkg.com/serverless/-/serverless-3.23.0.tgz#407f804d55f3c11212b8e4de4325006b01658f7d"