Initial Identity Templates. Derived originally from dxc-prototype.

Identity-CustomGroups-StackPolicy.json

@@ -0,0 +1,16 @@
+{
+  "Statement" : [
+    {
+      "Effect" : "Allow",
+      "Action" : "Update:Modify",
+      "Principal" : "*",
+      "Resource" : "*"
+    },
+    {
+      "Effect" : "Deny",
+      "Action" : [ "Update:Replace", "Update:Delete" ],
+      "Principal" : "*",
+      "Resource" : "*"
+    }
+  ]
+}

Identity-CustomGroups.yaml

@@ -0,0 +1,66 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Identity-CustomGroups Template.
+  This creates Custom IAM Groups. Groups should be kept in 1:1 sync with Roles, to insure IAM Users and Federated Users have the same permissions.
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: Stack Dependencies
+        Parameters:
+          - CustomManagedPoliciesStackName
+          - ManagedPoliciesStackName
+    ParameterLabels:
+      CustomManagedPoliciesStackName:
+        default: Custom ManagedPolicies Stack Name
+      ManagedPoliciesStackName:
+        default: ManagedPolicies Stack Name
+Parameters:
+  CustomManagedPoliciesStackName:
+    Description: Name of the CloudFormation Stack containing Custom ManagedPolicies
+    Type: String
+    MinLength: 2
+    MaxLength: 64
+    Default: CustomManagedPolicies
+    AllowedPattern: ^[A-Z][-a-zA-Z0-9]*$
+    ConstraintDescription: must begin with an upper case letter and contain alphanumeric characters and dashes.
+  ManagedPoliciesStackName:
+    Description: Name of the CloudFormation Stack containing ManagedPolicies
+    Type: String
+    MinLength: 2
+    MaxLength: 64
+    Default: ManagedPolicies
+    AllowedPattern: ^[A-Z][-a-zA-Z0-9]*$
+    ConstraintDescription: must begin with an upper case letter and contain alphanumeric characters and dashes.
+Rules:
+  ValidateRegion:
+    Assertions:
+      - Assert: !Equals [ !Ref 'AWS::Region', us-east-1 ]
+        AssertDescription: This Template can only be used in Region us-east-1.
+Resources:
+  ApplicationAdministratorsGroup:
+    Type: AWS::IAM::Group
+    Properties:
+      GroupName: ApplicationAdministrators
+      Path: /
+      ManagedPolicyArns:
+        - !ImportValue
+          Fn::Sub: ${CustomManagedPoliciesStackName}-ApplicationAdministratorAccess
+  TableauAdministratorsGroup:
+    Type: AWS::IAM::Group
+    Properties:
+      GroupName: TableauAdministrators
+      Path: /
+      ManagedPolicyArns:
+        - !ImportValue
+          Fn::Sub: ${CustomManagedPoliciesStackName}-TableauAdministratorAccess
+Outputs:
+  ApplicationAdministratorsGroup:
+    Description: The ApplicationAdministratorsGroup Name
+    Value: !Ref ApplicationAdministratorsGroup
+    Export:
+      Name: !Sub ${AWS::StackName}-ApplicationAdministratorsGroup
+  TableauAdministratorsGroup:
+    Description: The TableauAdministratorsGroup Name
+    Value: !Ref TableauAdministratorsGroup
+    Export:
+      Name: !Sub ${AWS::StackName}-TableauAdministratorsGroup

Identity-CustomManagedPolicies-StackPolicy.json

@@ -0,0 +1,16 @@
+{
+  "Statement" : [
+    {
+      "Effect" : "Allow",
+      "Action" : "Update:Modify",
+      "Principal" : "*",
+      "Resource" : "*"
+    },
+    {
+      "Effect" : "Deny",
+      "Action" : [ "Update:Replace", "Update:Delete" ],
+      "Principal" : "*",
+      "Resource" : "*"
+    }
+  ]
+}

Identity-CustomManagedPolicies.yaml

@@ -0,0 +1,119 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Identity-CustomManagedPolicies Template.
+  This creates Custom IAM ManagedPolicies.
+Rules:
+  ValidateRegion:
+    Assertions:
+      - Assert: !Equals [ !Ref 'AWS::Region', us-east-1 ]
+        AssertDescription: This Template can only be used in Region us-east-1.
+Resources:
+  ApplicationAdministratorAccess:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      ManagedPolicyName: ApplicationAdministratorAccess
+      Description: Provides partial access to Development AWS services and resources, needed for Application Administrators.
+      Path: /
+      PolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Action:
+              - ec2:StartInstances
+              - ec2:StopInstances
+              - ec2:RebootInstances
+              - ec2:TerminateInstances
+            Condition:
+              StringEquals:
+                ec2:ResourceTag/Environment: Development
+            Resource:
+              - !Sub arn:aws:ec2::${AWS::AccountId}:instance/*
+  TableauAdministratorAccess:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      ManagedPolicyName: TableauAdministratorAccess
+      Description: Provides partial access to Tableau AWS services and resources, needed for Tableau Administrators.
+      Path: /
+      PolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Sid: AllowUserToListBucketsInTheConsole
+            Effect: Allow
+            Action:
+              - s3:ListAllMyBuckets
+              - s3:GetBucketLocation
+            Resource:
+              - arn:aws:s3:::*
+          - Sid: AllowRootListingOfBucketsContainingTableauObjects
+            Effect: Allow
+            Action:
+              - s3:ListBucket
+            Resource:
+              - arn:aws:s3:::products-us-east-1-dxchlsb
+              - arn:aws:s3:::products-us-east-2-dxchlsb
+              - arn:aws:s3:::products-us-west-2-dxchlsb
+              - arn:aws:s3:::configurations-us-east-1-dxchlsb
+              - arn:aws:s3:::configurations-us-east-2-dxchlsb
+              - arn:aws:s3:::configurations-us-west-2-dxchlsb
+            Condition:
+              StringEquals:
+                s3:prefix:
+                  - ''
+                s3:delimiter:
+                  - /
+          - Sid: AllowListingOfTableauFolder
+            Effect: Allow
+            Action:
+              - s3:ListBucket
+            Resource:
+              - arn:aws:s3:::products-us-east-1-dxchlsb
+              - arn:aws:s3:::products-us-east-2-dxchlsb
+              - arn:aws:s3:::products-us-west-2-dxchlsb
+              - arn:aws:s3:::configurations-us-east-1-dxchlsb
+              - arn:aws:s3:::configurations-us-east-2-dxchlsb
+              - arn:aws:s3:::configurations-us-west-2-dxchlsb
+            Condition:
+              StringLike:
+                s3:prefix:
+                  - Tableau/*
+          - Sid: AllowReadWriteActionsInTableauFolder
+            Effect: Allow
+            Action:
+              - s3:PutObject
+              - s3:GetObject
+              - s3:GetObjectVersion
+              - s3:DeleteObject
+              - s3:DeleteObjectVersion
+            Resource:
+              - arn:aws:s3:::products-us-east-1-dxchlsb/Tableau/*
+              - arn:aws:s3:::products-us-east-2-dxchlsb/Tableau/*
+              - arn:aws:s3:::products-us-west-2-dxchlsb/Tableau/*
+              - arn:aws:s3:::configurations-us-east-1-dxchlsb/Tableau/*
+              - arn:aws:s3:::configurations-us-east-2-dxchlsb/Tableau/*
+              - arn:aws:s3:::configurations-us-west-2-dxchlsb/Tableau/*
+          - Sid: AllowStartStopRebootOfTableauInstancesInNonProduction
+            Effect: Allow
+            Action:
+              - ec2:StartInstances
+              - ec2:StopInstances
+              - ec2:RebootInstances
+            Condition:
+              StringEquals:
+                ec2:ResourceTag/Application: Tableau
+              ForAnyValue:StringEquals:
+                ec2:ResourceTag/Environment:
+                  - Staging
+                  - Testing
+                  - Development
+            Resource:
+              - !Sub arn:aws:ec2::${AWS::AccountId}:instance/*
+Outputs:
+  ApplicationAdministratorAccess:
+    Description: The ApplictionAdministratorAccess ManagedPolicy ARN
+    Value: !Ref ApplicationAdministratorAccess
+    Export:
+      Name: !Sub ${AWS::StackName}-ApplicationAdministratorAccess
+  TableauAdministratorAccess:
+    Description: The TableauAdministratorAccess ManagedPolicy ARN
+    Value: !Ref TableauAdministratorAccess
+    Export:
+      Name: !Sub ${AWS::StackName}-TableauAdministratorAccess

Identity-CustomRoles-StackPolicy.json

@@ -0,0 +1,16 @@
+{
+  "Statement" : [
+    {
+      "Effect" : "Allow",
+      "Action" : "Update:Modify",
+      "Principal" : "*",
+      "Resource" : "*"
+    },
+    {
+      "Effect" : "Deny",
+      "Action" : [ "Update:Replace", "Update:Delete" ],
+      "Principal" : "*",
+      "Resource" : "*"
+    }
+  ]
+}

Identity-CustomRoles.yaml

@@ -0,0 +1,119 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Identity-CustomRoles Template.
+  This creates Custom IAM Roles. These are not Application specific - Roles created here are for Federated Identity and Cross-Account Access. Roles should be kept in 1:1 sync with Groups, to insure IAM Users and Federated Users have the same permissions.
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: Stack Dependencies
+        Parameters:
+          - CustomManagedPoliciesStackName
+          - ManagedPoliciesStackName
+      - Label:
+          default: Identity Provider Dependencies
+        Parameters:
+          - SamlProviderName
+      - Label:
+          default: Account Dependencies
+        Parameters:
+          - AdministratorAccount
+    ParameterLabels:
+      CustomManagedPoliciesStackName:
+        default: Custom ManagedPolicies Stack Name
+      ManagedPoliciesStackName:
+        default: ManagedPolicies Stack Name
+      SamlProviderName:
+        default: SAML Provider Name
+      AdministratorAccount:
+        default: Administrator Account
+Parameters:
+  CustomManagedPoliciesStackName:
+    Description: Name of the CloudFormation Stack containing Custom ManagedPolicies
+    Type: String
+    MinLength: 2
+    MaxLength: 64
+    Default: CustomManagedPolicies
+    AllowedPattern: ^[A-Z][-a-zA-Z0-9]*$
+    ConstraintDescription: must begin with an upper case letter and contain alphanumeric characters and dashes.
+  ManagedPoliciesStackName:
+    Description: Name of the CloudFormation Stack containing ManagedPolicies
+    Type: String
+    MinLength: 2
+    MaxLength: 64
+    Default: ManagedPolicies
+    AllowedPattern: ^[A-Z][-a-zA-Z0-9]*$
+    ConstraintDescription: must begin with an upper case letter and contain alphanumeric characters and dashes.
+  SamlProviderName:
+    Description: Name of the SAML Provider
+    Type: String
+    Default: ''
+    AllowedPattern: (^$|^[-.a-zA-Z0-9]{2,64}$)
+    ConstraintDescription: must begin with a letter and contain alphanumeric characters, dashes and periods, or blank.
+  AdministratorAccount:
+    Description: AWS Account ID of the Organization Administrator Account
+    Type: String
+    Default: ''
+    AllowedPattern: (^$|^[0-9]{12}$)
+    ConstraintDescription: must be a valid AWS Account ID, or blank.
+Rules:
+  ValidateRegion:
+    Assertions:
+      - Assert: !Equals [ !Ref 'AWS::Region', us-east-1 ]
+        AssertDescription: This Template can only be used in Region us-east-1.
+Conditions:
+  ConfigureSamlRoles: !Not [ !Equals [ !Ref SamlProviderName, '' ]]
+  ConfigureCrossAccountRoles: !Not [ !Equals [ !Ref AdministratorAccount, '' ]]
+Resources:
+  ApplicationAdministratorsRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: ApplicationAdministrators
+      Path: /
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Principal:
+              Federated: !Sub arn:aws:iam::${AWS::AccountId}:saml-provider/${SamlProviderName}
+            Action:
+              - sts:AssumeRoleWithSAML
+            Condition:
+              StringEquals:
+                SAML:aud: https://signin.aws.amazon.com/saml
+      ManagedPolicyArns:
+        - !ImportValue
+          Fn::Sub: ${CustomManagedPoliciesStackName}-ApplicationAdministratorAccess
+    Condition: ConfigureSamlRoles
+  TableauAdministratorsRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: TableauAdministrators
+      Path: /
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Principal:
+              Federated: !Sub arn:aws:iam::${AWS::AccountId}:saml-provider/${SamlProviderName}
+            Action:
+              - sts:AssumeRoleWithSAML
+            Condition:
+              StringEquals:
+                SAML:aud: https://signin.aws.amazon.com/saml
+      ManagedPolicyArns:
+        - !ImportValue
+          Fn::Sub: ${CustomManagedPoliciesStackName}-TableauAdministratorAccess
+    Condition: ConfigureSamlRoles
+Outputs:
+  ApplicationAdministratorsRole:
+    Description: The ApplicationAdministratorsRole Name
+    Value: !Ref ApplicationAdministratorsRole
+    Export:
+      Name: !Sub ${AWS::StackName}-ApplicationAdministratorsRole
+    Condition: ConfigureSamlRoles
+  TableauAdministratorsRole:
+    Description: The TableauAdministratorsRole Name
+    Value: !Ref TableauAdministratorsRole
+    Export:
+      Name: !Sub ${AWS::StackName}-TableauAdministratorsRole
+    Condition: ConfigureSamlRoles

Identity-CustomUsers-StackPolicy.json

@@ -0,0 +1,16 @@
+{
+  "Statement" : [
+    {
+      "Effect" : "Allow",
+      "Action" : "Update:Modify",
+      "Principal" : "*",
+      "Resource" : "*"
+    },
+    {
+      "Effect" : "Deny",
+      "Action" : [ "Update:Replace", "Update:Delete" ],
+      "Principal" : "*",
+      "Resource" : "*"
+    }
+  ]
+}