This repository has been archived by the owner on Sep 18, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathMakefile
100 lines (93 loc) · 4.54 KB
/
Makefile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
GROUP_ROLE_MAP_BUILDER_STACK_NAME := GroupRoleMapBuilder
IDTOKEN_FOR_ROLES_STACK_NAME := IdtokenForRoles
GROUP_ROLE_MAP_BUILDER_CODE_STORAGE_S3_PREFIX := group-role-map-builder
IDTOKEN_FOR_ROLES_CODE_STORAGE_S3_PREFIX := idtoken-for-roles
PROD_LAMBDA_CODE_STORAGE_S3_BUCKET_NAME := public.us-west-2.infosec.mozilla.org
DEV_LAMBDA_CODE_STORAGE_S3_BUCKET_NAME := public.us-west-2.security.allizom.org
PROD_ACCOUNT_ID := 371522382791
DEV_ACCOUNT_ID := 656532927350
PROD_S3_BUCKET_NAME := mozilla-infosec-auth0-rule-assets
DEV_S3_BUCKET_NAME := mozilla-infosec-auth0-dev-rule-assets
PROD_DOMAIN_NAME := roles-and-aliases.security.mozilla.org
DEV_DOMAIN_NAME := roles-and-aliases.security.allizom.org
PROD_DOMAIN_ZONE := security.mozilla.org.
DEV_DOMAIN_ZONE := security.allizom.org.
PROD_CERT_ARN := arn:aws:acm:us-west-2:371522382791:certificate/88c3077f-9b6a-490e-9d7c-67bee0f72eb4
DEV_CERT_ARN := arn:aws:acm:us-west-2:656532927350:certificate/46428d8b-7b26-4ad0-84d1-cd2d386e7a43
PROD_CLIENT_ID := N7lULzWtfVUDGymwDs0yDEq6ZcwmFazj
DEV_CLIENT_ID := xRFzU2bj7Lrbo3875aXwyxIArdkq1AOT
PROD_ISSUER := https://auth.mozilla.auth0.com/
DEV_ISSUER := https://auth-dev.mozilla.auth0.com/
PROD_PROVIDER_URLS := https://auth.mozilla.auth0.com/
DEV_PROVIDER_URLS := https://auth-dev.mozilla.auth0.com/,https://auth.mozilla.auth0.com/
PROD_AMR_CLAIMS := auth.mozilla.auth0.com/:amr
DEV_AMR_CLAIMS := auth-dev.mozilla.auth0.com/:amr,auth.mozilla.auth0.com/:amr
.PHONE: deploy-group-role-map-builder
deploy-group-role-map-builder:
./deploy.sh \
$(PROD_ACCOUNT_ID) \
group_role_map_builder/group_role_map_builder.yaml \
$(PROD_LAMBDA_CODE_STORAGE_S3_BUCKET_NAME) \
$(GROUP_ROLE_MAP_BUILDER_STACK_NAME) \
$(GROUP_ROLE_MAP_BUILDER_CODE_STORAGE_S3_PREFIX) \
"S3BucketName=$(PROD_S3_BUCKET_NAME) \
ProviderUrls=$(PROD_PROVIDER_URLS) \
AmrClaims=$(PROD_AMR_CLAIMS)"
.PHONE: deploy-group-role-map-builder-dev
deploy-group-role-map-builder-dev:
./deploy.sh \
$(DEV_ACCOUNT_ID) \
group_role_map_builder/group_role_map_builder.yaml \
$(DEV_LAMBDA_CODE_STORAGE_S3_BUCKET_NAME) \
$(GROUP_ROLE_MAP_BUILDER_STACK_NAME) \
$(GROUP_ROLE_MAP_BUILDER_CODE_STORAGE_S3_PREFIX) \
"S3BucketName=$(DEV_S3_BUCKET_NAME) \
ProviderUrls=$(DEV_PROVIDER_URLS) \
AmrClaims=$(DEV_AMR_CLAIMS)"
.PHONE: deploy-idtoken-for-roles-dev
deploy-idtoken-for-roles-dev:
./deploy.sh \
$(DEV_ACCOUNT_ID) \
idtoken_for_roles/idtoken_for_roles.yaml \
$(DEV_LAMBDA_CODE_STORAGE_S3_BUCKET_NAME) \
$(IDTOKEN_FOR_ROLES_STACK_NAME) \
$(IDTOKEN_FOR_ROLES_CODE_STORAGE_S3_PREFIX) \
"S3BucketName=$(DEV_S3_BUCKET_NAME) \
CustomDomainName=$(DEV_DOMAIN_NAME) \
DomainNameZone=$(DEV_DOMAIN_ZONE) \
CertificateArn=$(DEV_CERT_ARN) \
AllowedIssuer=$(DEV_ISSUER) \
AllowedAudience=$(DEV_CLIENT_ID) \
AllowedMapBuilderSubPrefix=ad|Mozilla-LDAP-Dev|" \
AliasesEndpointUrl
.PHONE: deploy-idtoken-for-roles
deploy-idtoken-for-roles:
./deploy.sh \
$(PROD_ACCOUNT_ID) \
idtoken_for_roles/idtoken_for_roles.yaml \
$(PROD_LAMBDA_CODE_STORAGE_S3_BUCKET_NAME) \
$(IDTOKEN_FOR_ROLES_STACK_NAME) \
$(IDTOKEN_FOR_ROLES_CODE_STORAGE_S3_PREFIX) \
"S3BucketName=$(PROD_S3_BUCKET_NAME) \
CustomDomainName=$(PROD_DOMAIN_NAME) \
DomainNameZone=$(PROD_DOMAIN_ZONE) \
CertificateArn=$(PROD_CERT_ARN) \
AllowedIssuer=$(PROD_ISSUER) \
AllowedAudience=$(PROD_CLIENT_ID) \
AllowedMapBuilderSubPrefix=ad|Mozilla-LDAP|" \
AliasesEndpointUrl
.PHONE: create-federated-role-dev
create-federated-role-dev:
aws iam create-role \
--role-name MAWS-test \
--description "Maws Test Role https://github.com/mozilla-iam/mozilla-aws-cli/blob/master/cloudformation/Makefile" \
--max-session-duration 43200 \
--assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Federated":"arn:aws:iam::656532927350:oidc-provider/auth-dev.mozilla.auth0.com/"},"Action":"sts:AssumeRoleWithWebIdentity","Condition":{"StringEquals":{"auth-dev.mozilla.auth0.com/:aud":"xRFzU2bj7Lrbo3875aXwyxIArdkq1AOT"},"ForAnyValue:StringEquals":{"auth-dev.mozilla.auth0.com/:amr":"team_opsec"}}}]}'
aws iam put-role-policy \
--role-name MAWS-test \
--policy-name AllowSTSGetCallerIdentity \
--policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"sts:GetCallerIdentity","Resource":"*"}]}'
.PHONE: test-idtoken-for-roles
test-idtoken-for-roles:
URL=`aws cloudformation describe-stacks --stack-name $(IDTOKEN_FOR_ROLES_STACK_NAME) --query "Stacks[0].Outputs[?OutputKey=='AliasesEndpointUrl'].OutputValue" --output text` && \
curl $$URL