922 - Replace IAM inline policies by configurable Managed Policies for folder and bucket sharing

.checkov.baseline

@@ -66,7 +66,8 @@
                 {
                     "resource": "AWS::IAM::ManagedPolicy.PivotRolepolicy3",
                     "check_ids": [
-                        "CKV_AWS_109"
+                        "CKV_AWS_109",
+                        "CKV_AWS_110"
                     ]
                 }
             ]

backend/dataall/base/aws/iam.py

@@ -2,7 +2,6 @@
 
 from .sts import SessionHelper
 
-
 log = logging.getLogger(__name__)
 
 
@@ -47,10 +46,10 @@ def get_role_arn_by_name(account_id: str, role_name: str, role=None):
 
     @staticmethod
     def update_role_policy(
-        account_id: str,
-        role_name: str,
-        policy_name: str,
-        policy: str,
+            account_id: str,
+            role_name: str,
+            policy_name: str,
+            policy: str,
     ):
         try:
             iamcli = IAM.client(account_id)
@@ -67,9 +66,9 @@ def update_role_policy(
 
     @staticmethod
     def get_role_policy(
-        account_id: str,
-        role_name: str,
-        policy_name: str,
+            account_id: str,
+            role_name: str,
+            policy_name: str,
     ):
         try:
             iamcli = IAM.client(account_id)
@@ -87,9 +86,9 @@ def get_role_policy(
 
     @staticmethod
     def delete_role_policy(
-        account_id: str,
-        role_name: str,
-        policy_name: str,
+            account_id: str,
+            role_name: str,
+            policy_name: str,
     ):
         try:
             iamcli = IAM.client(account_id)
@@ -101,3 +100,147 @@ def delete_role_policy(
             log.error(
                 f'Failed to delete policy {policy_name} of role {role_name} : {e}'
             )
+
+    @staticmethod
+    def create_managed_policy(
+            account_id: str,
+            policy_name: str,
+            policy: str
+    ):
+        try:
+            iamcli = IAM.client(account_id)
+            response = iamcli.create_policy(
+                PolicyName=policy_name,
+                PolicyDocument=policy,
+            )
+            arn = response['Policy']['Arn']
+            log.info(
+                f'Created managed policy {arn}'
+            )
+            return arn
+        except Exception as e:
+            log.error(
+                f'Failed to create managed policy {policy_name} : {e}'
+            )
+            return None
+
+    @staticmethod
+    def delete_managed_policy_by_name(
+            account_id: str,
+            policy_name):
+        try:
+            arn = f'arn:aws:iam::{account_id}:policy/{policy_name}'
+            iamcli = IAM.client(account_id)
+            iamcli.delete_policy(
+                PolicyArn=arn
+            )
+        except Exception as e:
+            log.error(
+                f'Failed to delete managed policy {policy_name} : {e}'
+            )
+
+    @staticmethod
+    def get_managed_policy_default_version(
+            account_id: str,
+            policy_name: str):
+        try:
+            arn = f'arn:aws:iam::{account_id}:policy/{policy_name}'
+            iamcli = IAM.client(account_id)
+            response = iamcli.get_policy(PolicyArn=arn)
+            versionId = response['Policy']['DefaultVersionId']
+            policyVersion = iamcli.get_policy_version(PolicyArn=arn, VersionId=versionId)
+            policyDocument = policyVersion['PolicyVersion']['Document']
+            return versionId, policyDocument
+        except Exception as e:
+            log.error(
+                f'Failed to get policy {policy_name} : {e}'
+            )
+            return None
+
+    @staticmethod
+    def update_managed_policy_default_version(
+            account_id: str,
+            policy_name: str,
+            old_version_id: str,
+            policy_document: str):
+        try:
+            arn = f'arn:aws:iam::{account_id}:policy/{policy_name}'
+            iamcli = IAM.client(account_id)
+            iamcli.create_policy_version(
+                PolicyArn=arn,
+                PolicyDocument=policy_document,
+                SetAsDefault=True
+            )
+
+            iamcli.delete_policy_version(PolicyArn=arn, VersionId=old_version_id)
+        except Exception as e:
+            log.error(
+                f'Failed to update policy {policy_name} : {e}'
+            )
+
+    @staticmethod
+    def detach_policy_from_role(
+            account_id: str,
+            role_name: str,
+            policy_name: str):
+
+        try:
+            arn = f'arn:aws:iam::{account_id}:policy/{policy_name}'
+            iamcli = IAM.client(account_id)
+            iamcli.detach_role_policy(
+                RoleName=role_name,
+                PolicyArn=arn
+            )
+        except Exception as e:
+            log.error(
+                f'Failed to detach policy {policy_name} from role {role_name} : {e}'
+            )
+
+    @staticmethod
+    def get_policy_by_name(
+            account_id: str,
+            policy_name: str
+    ):
+        try:
+            arn = f'arn:aws:iam::{account_id}:policy/{policy_name}'
+            iamcli = IAM.client(account_id)
+            response = iamcli.get_policy(PolicyArn=arn)
+            return response['Policy']
+        except Exception as e:
+            log.error(
+                f'Failed to get policy {policy_name} : {e}'
+            )
+            return None
+
+    @staticmethod
+    def is_policy_attached(
+            account_id: str,
+            policy_name: str,
+            role_name: str
+    ):
+        try:
+            iamcli = IAM.client(account_id)
+            response = iamcli.list_attached_role_policies(RoleName=role_name)
+            return policy_name in [p['PolicyName'] for p in response['AttachedPolicies']]
+        except Exception as e:
+            log.error(
+                f'Failed to get the list of attached policies to the role {role_name}: {e}'
+            )
+            return False
+
+    @staticmethod
+    def attach_role_policy(
+            account_id,
+            role_name,
+            policy_arn
+    ):
+        try:
+            iamcli = IAM.client(account_id)
+            response = iamcli.attach_role_policy(
+                RoleName=role_name,
+                PolicyArn=policy_arn
+            )
+        except Exception as e:
+            log.error(
+                f'Failed to attach policy {policy_arn} to the role {role_name}: {e}'
+            )

backend/dataall/base/utils/naming_convention.py

@@ -6,7 +6,8 @@
 class NamingConventionPattern(Enum):
 
     S3 = {'regex': '[^a-zA-Z0-9-]', 'separator': '-', 'max_length': 63}
-    IAM = {'regex': '[^a-zA-Z0-9-_]', 'separator': '-', 'max_length': 63}
+    IAM = {'regex': '[^a-zA-Z0-9-_]', 'separator': '-', 'max_length': 63}  # Role names up to 64 chars
+    IAM_POLICY = {'regex': '[^a-zA-Z0-9-_]', 'separator': '-', 'max_length': 128}  # Policy names up to 128 chars
     GLUE = {'regex': '[^a-zA-Z0-9_]', 'separator': '_', 'max_length': 240}  # Limit 255 - 15 extra chars buffer
     GLUE_ETL = {'regex': '[^a-zA-Z0-9-]', 'separator': '-', 'max_length': 52}
     NOTEBOOK = {'regex': '[^a-zA-Z0-9-]', 'separator': '-', 'max_length': 63}

backend/dataall/core/environment/api/input_types.py

@@ -106,6 +106,8 @@ class EnvironmentSortField(GraphQLEnumMapper):
         gql.Argument('groupUri', gql.NonNullableType(gql.String)),
         gql.Argument('IAMRoleArn', gql.NonNullableType(gql.String)),
         gql.Argument('environmentUri', gql.NonNullableType(gql.String)),
+        gql.Argument('dataallManaged', gql.NonNullableType(gql.Boolean)),
+
     ],
 )
 

backend/dataall/core/environment/api/resolvers.py

@@ -12,6 +12,7 @@
 from dataall.base.aws.sts import SessionHelper
 from dataall.base.utils import Parameter
 from dataall.core.environment.db.environment_models import Environment, EnvironmentGroup
+from dataall.core.environment.services.managed_iam_policies import PolicyManager
 from dataall.core.environment.services.environment_resource_manager import EnvironmentResourceManager
 from dataall.core.environment.services.environment_service import EnvironmentService
 from dataall.core.environment.api.enums import EnvironmentPermission
@@ -39,7 +40,8 @@ def get_trust_account(context: Context, source, **kwargs):
 
 
 def get_pivot_role_as_part_of_environment(context: Context, source, **kwargs):
-    ssm_param = ParameterStoreManager.get_parameter_value(region=os.getenv('AWS_REGION', 'eu-west-1'), parameter_path=f"/dataall/{os.getenv('envname', 'local')}/pivotRole/enablePivotRoleAutoCreate")
+    ssm_param = ParameterStoreManager.get_parameter_value(region=os.getenv('AWS_REGION', 'eu-west-1'),
+                                                          parameter_path=f"/dataall/{os.getenv('envname', 'local')}/pivotRole/enablePivotRoleAutoCreate")
     return True if ssm_param == "True" else False
 
 
@@ -122,7 +124,7 @@ def create_environment(context: Context, source, input={}):
 
 
 def update_environment(
-    context: Context, source, environmentUri: str = None, input: dict = None
+        context: Context, source, environmentUri: str = None, input: dict = None
 ):
     if input.get('SamlGroupName') and input.get('SamlGroupName') not in context.groups:
         raise exceptions.UnauthorizedOperation(
@@ -233,7 +235,7 @@ def update_consumption_role(context: Context, source, environmentUri=None, consu
 
 
 def list_environment_invited_groups(
-    context: Context, source, environmentUri=None, filter=None
+        context: Context, source, environmentUri=None, filter=None
 ):
     if filter is None:
         filter = {}
@@ -257,7 +259,7 @@ def list_environment_groups(context: Context, source, environmentUri=None, filte
 
 
 def list_all_environment_groups(
-    context: Context, source, environmentUri=None, filter=None
+        context: Context, source, environmentUri=None, filter=None
 ):
     if filter is None:
         filter = {}
@@ -270,7 +272,7 @@ def list_all_environment_groups(
 
 
 def list_environment_consumption_roles(
-    context: Context, source, environmentUri=None, filter=None
+        context: Context, source, environmentUri=None, filter=None
 ):
     if filter is None:
         filter = {}
@@ -283,7 +285,7 @@ def list_environment_consumption_roles(
 
 
 def list_all_environment_consumption_roles(
-    context: Context, source, environmentUri=None, filter=None
+        context: Context, source, environmentUri=None, filter=None
 ):
     if filter is None:
         filter = {}
@@ -296,9 +298,9 @@ def list_all_environment_consumption_roles(
 
 
 def list_environment_group_invitation_permissions(
-    context: Context,
-    source,
-    environmentUri=None,
+        context: Context,
+        source,
+        environmentUri=None,
 ):
     with context.engine.scoped_session() as session:
         return EnvironmentService.list_group_invitation_permissions(
@@ -331,7 +333,7 @@ def list_groups(context: Context, source, filter=None):
 
 
 def list_consumption_roles(
-    context: Context, source, environmentUri=None, filter=None
+        context: Context, source, environmentUri=None, filter=None
 ):
     if filter is None:
         filter = {}
@@ -343,7 +345,7 @@ def list_consumption_roles(
 
 
 def list_environment_networks(
-    context: Context, source, environmentUri=None, filter=None
+        context: Context, source, environmentUri=None, filter=None
 ):
     if filter is None:
         filter = {}
@@ -360,6 +362,17 @@ def get_parent_organization(context: Context, source, **kwargs):
     return org
 
 
+def get_policies(context: Context, source, **kwargs):
+    with context.engine.scoped_session() as session:
+        environment = EnvironmentService.get_environment_by_uri(session, source.environmentUri)
+        return PolicyManager(
+            role_name=source.IAMRoleName,
+            environmentUri=environment.environmentUri,
+            account=environment.AwsAccountId,
+            resource_prefix=environment.resourcePrefix
+        ).get_all_policies()
+
+
 def resolve_environment_networks(context: Context, source, **kwargs):
     return VpcService.get_environment_networks(environment_uri=source.environmentUri)
 
@@ -392,7 +405,7 @@ def resolve_user_role(context: Context, source: Environment):
 
 
 def list_environment_group_permissions(
-    context, source, environmentUri: str = None, groupUri: str = None
+        context, source, environmentUri: str = None, groupUri: str = None
 ):
     with context.engine.scoped_session() as session:
         return EnvironmentService.list_group_permissions(
@@ -404,7 +417,7 @@ def list_environment_group_permissions(
 
 @is_feature_enabled('core.features.env_aws_actions')
 def _get_environment_group_aws_session(
-    session, username, groups, environment, groupUri=None
+        session, username, groups, environment, groupUri=None
 ):
     if groupUri and groupUri not in groups:
         raise exceptions.UnauthorizedOperation(
@@ -452,10 +465,10 @@ def _get_environment_group_aws_session(
 
 @is_feature_enabled('core.features.env_aws_actions')
 def get_environment_assume_role_url(
-    context: Context,
-    source,
-    environmentUri: str = None,
-    groupUri: str = None,
+        context: Context,
+        source,
+        environmentUri: str = None,
+        groupUri: str = None,
 ):
     with context.engine.scoped_session() as session:
         ResourcePolicy.check_user_resource_permission(
@@ -481,7 +494,7 @@ def get_environment_assume_role_url(
 
 @is_feature_enabled('core.features.env_aws_actions')
 def generate_environment_access_token(
-    context, source, environmentUri: str = None, groupUri: str = None
+        context, source, environmentUri: str = None, groupUri: str = None
 ):
     with context.engine.scoped_session() as session:
         ResourcePolicy.check_user_resource_permission(
@@ -515,7 +528,7 @@ def get_environment_stack(context: Context, source: Environment, **kwargs):
 
 
 def delete_environment(
-    context: Context, source, environmentUri: str = None, deleteFromAWS: bool = False
+        context: Context, source, environmentUri: str = None, deleteFromAWS: bool = False
 ):
     with context.engine.scoped_session() as session:
         environment = EnvironmentService.get_environment_by_uri(session, environmentUri)
@@ -537,7 +550,7 @@ def delete_environment(
 
 
 def enable_subscriptions(
-    context: Context, source, environmentUri: str = None, input: dict = None
+        context: Context, source, environmentUri: str = None, input: dict = None
 ):
     with context.engine.scoped_session() as session:
         ResourcePolicy.check_user_resource_permission(