ops: implement granular permission configuration per lambda function
This commit is contained in:
parent
587d76a2b6
commit
1dff4c5323
5 changed files with 51 additions and 20 deletions
@ -33,6 +33,7 @@
"json-schema-to-ts": "^1.5.0",
"serverless": "^3.0.0",
"serverless-esbuild": "^1.23.3",
"serverless-iam-roles-per-function": "^3.2.0",
"ts-node": "^10.4.0",
"tsconfig-paths": "^3.9.0",
"typescript": "^4.1.3"
@ -6,7 +6,10 @@ import ipfsUpload from '@functions/ipfsUpload';
const serverlessConfiguration: AWS = {
service: 'lambdas',
frameworkVersion: '3',
plugins: ['serverless-esbuild'],
plugins: [
'serverless-esbuild',
'serverless-iam-roles-per-function'
],
provider: {
name: 'aws',
runtime: 'nodejs14.x',
@ -22,22 +25,7 @@ const serverlessConfiguration: AWS = {
iam: {
deploymentRole: `arn:aws:iam::${process.env.AWS_ACCOUNT_ID || '640264234305'}:role/CloudFormationExecutionRole`,
role: {
statements: [
{
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::dist.tea.xyz",
"arn:aws:s3:::dist.tea.xyz/*",
"arn:aws:s3:::dist.tea.xyz/*/*",
],
"Action": [
"s3:GetBucketAcl",
"s3:List",
"s3:ListBucket",
"s3:PutObject"
]
}
]
statements: []
}
},
vpc: {
@ -67,6 +55,11 @@ const serverlessConfiguration: AWS = {
platform: 'node',
concurrency: 10,
},
'serverless-iam-roles-per-function': {
// on inherit: try to configure permission per function correctly
// TODO: ci/cd puresec-ish auto-auditing permissions
defaultInherit: false,
}
},
};
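Review bot: The comment on the new plugin block (`// on inherit: try to configure permission per function correctly`) does not say what `defaultInherit: false` actually does, which matters because the same commit empties the provider-level `iam.role.statements` in the middle hunk. I would replace it with `// defaultInherit: false — each function's role is built only from its own iamRoleStatements; the (now empty) provider-level statements are never merged in`. Functions that declare no `iamRoleStatements` presumably end up with only the plugin's baseline permissions — worth confirming against the plugin's documentation and checking that every handler still needing S3 access declares its own statement. Separately, the unchanged `deploymentRole` line falls back to a hard-coded account id when `AWS_ACCOUNT_ID` is unset; failing fast on a missing variable would avoid a misconfigured environment silently deploying against that account. The enclosing `serverlessConfiguration` object starts before the first hunk of this file.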
@ -10,5 +10,21 @@ export default {
AWS_DIST_BUCKET: '${ssm:AW5_S3_BUCKET}',
ALGOLIA_APP_ID: '${ssm:/algolia/app_id}',
ALGOLIA_SEARCH_API_KEY: '${ssm:/algolia/search_api_key}',
},
iamRoleStatements: [
{
Effect: 'Allow',
Action: [
's3:GetBucketAcl',
's3:List',
's3:ListBucket',
's3:PutObject'
],
Resource: [
"arn:aws:s3:::${ssm:AW5_S3_BUCKET}",
"arn:aws:s3:::${ssm:AW5_S3_BUCKET}/*",
"arn:aws:s3:::${ssm:AW5_S3_BUCKET}/*/*",
]
}
]
};
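Review bot: `'s3:List'` in the new `iamRoleStatements` is not an S3 action name (the real ones are `s3:ListBucket`, `s3:ListAllMyBuckets`, or a wildcard such as `s3:List*`), so that entry grants nothing and should be dropped; `s3:ListBucket` on the next line already covers listing the bucket. The third resource `arn:aws:s3:::${ssm:AW5_S3_BUCKET}/*/*` is subsumed by `/*`, since `*` also matches `/` inside object keys. Because `s3:GetBucketAcl`/`s3:ListBucket` apply to the bucket ARN while `s3:PutObject` applies to object ARNs, splitting the statement by resource level keeps the grant as tight as intended and documents why each ARN is there; the rewritten statements are below. The enclosing `export default {` object opens before the hunk.
```typescript
  iamRoleStatements: [
    {
      // bucket-level actions: only the bucket ARN is meaningful here
      Effect: 'Allow',
      Action: ['s3:GetBucketAcl', 's3:ListBucket'],
      Resource: ['arn:aws:s3:::${ssm:AW5_S3_BUCKET}'],
    },
    {
      // object-level action: '/*' already matches keys at any depth
      Effect: 'Allow',
      Action: ['s3:PutObject'],
      Resource: ['arn:aws:s3:::${ssm:AW5_S3_BUCKET}/*'],
    },
  ],
```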
@ -32,5 +32,19 @@ export default {
environment: {
AWS_DIST_BUCKET: '${ssm:AW5_S3_BUCKET}',
IPFS_IP4_ADDRESS: '${ssm:/ipfs/ip4_address}',
},
iamRoleStatements: [
{
Effect: 'Allow',
Action: [
's3:GetObject',
's3:PutObject',
],
Resource: [
"arn:aws:s3:::${ssm:AW5_S3_BUCKET}",
"arn:aws:s3:::${ssm:AW5_S3_BUCKET}/*",
"arn:aws:s3:::${ssm:AW5_S3_BUCKET}/*/*",
]
}
]
};
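Review bot: `s3:GetObject` and `s3:PutObject` are object-level actions, so the bare bucket ARN `arn:aws:s3:::${ssm:AW5_S3_BUCKET}` in `Resource` grants nothing for them, and `/*/*` is already covered by `/*`; the list can be reduced to `Resource: ['arn:aws:s3:::${ssm:AW5_S3_BUCKET}/*']`. Compared with the former provider-wide statement this function no longer receives `s3:ListBucket`/`s3:GetBucketAcl`, which is the right direction for least privilege — worth confirming the handler never lists the bucket. The enclosing `export default {` object opens before the hunk; the `@functions/ipfsUpload` import in the serverless.ts hunk header suggests this is that function's config, but the file name is not visible here.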
@ -2856,7 +2856,7 @@ lodash.union@^4.6.0:
resolved "https://registry.yarnpkg.com/lodash.union/-/lodash.union-4.6.0.tgz#48bb5088409f16f1821666641c44dd1aaae3cd88"
integrity sha512-c4pB2CdGrGdjMKYLA+XiRDO7Y0PRQbm/Gzg8qMj+QH+pFVAoTp5sBpO0odL3FjoPCGjK96p6qsP+yQoiLoOBcw==
lodash@^4.17.11, lodash@^4.17.14, lodash@^4.17.15, lodash@^4.17.21:
lodash@^4.17.11, lodash@^4.17.14, lodash@^4.17.15, lodash@^4.17.20, lodash@^4.17.21:
version "4.17.21"
resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#679591c564c3bffaae8454cf0b3df370c3d6911c"
integrity sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==
@ -3893,6 +3893,13 @@ serverless-esbuild@^1.23.3:
ramda "^0.27.0"
semver "^7.3.5"
serverless-iam-roles-per-function@^3.2.0:
version "3.2.0"
resolved "https://registry.yarnpkg.com/serverless-iam-roles-per-function/-/serverless-iam-roles-per-function-3.2.0.tgz#8bb5f68e73f391ac8ff9809b8e7726e5bafba4c4"
integrity sha512-AXmxACHEUsDcFDcv8QNwDgn2L0brRJ7pz/phD3lFB/wQ3TtPJkorC+J7PxgFQbaWIQk15EIlU83BtKXeQoPTAg==
dependencies:
lodash "^4.17.20"
serverless@^3.0.0:
version "3.23.0"
resolved "https://registry.yarnpkg.com/serverless/-/serverless-3.23.0.tgz#407f804d55f3c11212b8e4de4325006b01658f7d"