Pull request fixes

Signed-off-by: Kevin DeJong <[email protected]>
Optum · Sep 9, 2019 · 7455bb2 · 7455bb2
1 parent 76bb011
commit 7455bb2
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 11 deletions.
diff --git a/README.md b/README.md
@@ -147,6 +147,7 @@ Response:
   "accountStatus": "NotReady",
   "adminRoleArn": "arn:aws:iam::1234567890123:role/adminRole",
   "principalRoleArn":  "arn:aws:iam::1234567890123:role/RedboxPrincipal",
+  "principalPolicyHash": "",
   "createdOn": 1560306008,
   "lastModifiedOn": 1560306008,
   "metadata": {}
@@ -199,6 +200,10 @@ terraform output api_access_policy_name
 terraform output api_access_policy_arn
 ```
 
+#### IAM Policy for Redbox Accounts
+
+The Terraform module will come with a sane starting policy that is applied to the IAM principal.  This policy is applied when a new account is added or when a lease is unlocked.  It is possible to change the policy to what is needed by providing the Terraform variable `redbox_principal_policy`.  The value of this variable is a location of a policy file that can be a Go template.  It is uploaded into S3 and is read from there as the policy is applied.
+
 #### Signing requests in Go
 
 The AWS SDK for Go exposes a [`signer/v4` package](https://docs.aws.amazon.com/sdk-for-go/api/aws/signer/v4/), which may be used to sign API requests. For example:
@@ -276,6 +281,7 @@ Example:
   "accountStatus": "NotReady",
   "adminRoleArn": "arn:aws:iam::1234567890123:role/adminRole",
   "principalRoleArn": "arn:aws:iam::1234567890123:role/RedboxPrincipal",
+  "principalPolicyHash": "\"d41d8cd98f00b204e9800998ecf8427e-38\"",
   "createdOn": 1560306008,
   "lastModifiedOn": 1560306008,
   "metadata": {}
@@ -655,4 +661,4 @@ Some variables used in notification templates (conatined in modules/variables.tf
   - Lease.AccountID : The Account number of the AWS account in use
   - Lease.BudgetAmount : The configured budget amount for the lease
   - ActualSpend : The calculated spend on the account at time of notification
-  - ThresholdPercentile : The conigured threshold percentage for the notification, prior to exhaustion
+  - ThresholdPercentile : The conigured threshold percentage for the notification, prior to exhaustion
diff --git a/modules/swaggerRedbox.yaml b/modules/swaggerRedbox.yaml
@@ -134,7 +134,7 @@ paths:
               budgetNotificationEmails:
                 type: array
                 items:
-                  type: string   
+                  type: string
       produces:
         - application/json
       responses:
@@ -262,6 +262,9 @@ definitions:
       principalRoleArn:
         type: string
         description: ARN for an IAM role within this AWS account. This role is created by the Redbox master account, and may be assumed by principals to login to their AWS Redbox account.
+      principalPolicyHash:
+        type: string
+        description: The S3 object ETag used to apply the Principal IAM Policy within this AWS account.  This policy is created by the Redbox master account, and is assumed by people with access to principalRoleArn.
       lastModifiedOn:
         type: integer
         description: Epoch timestamp, when account record was last modified

diff --git a/modules/update_redbox_policy_lambda.tf b/modules/update_redbox_policy_lambda.tf
@@ -1,4 +1,4 @@
-module "update-redbox-principal-policy" {
+module "update_redbox_principal_policy" {
   source          = "./lambda"
   name            = "update_redbox_principal_policy-${var.namespace}"
   namespace       = var.namespace
@@ -25,22 +25,22 @@ module "update-redbox-principal-policy" {
   }
 }
 
-resource "aws_sns_topic_subscription" "update-redbox-principal-policy" {
+resource "aws_sns_topic_subscription" "update_redbox_principal_policy" {
   topic_arn = aws_sns_topic.lease_unlocked.arn
   protocol  = "lambda"
-  endpoint  = module.update-redbox-principal-policy.arn
+  endpoint  = module.update_redbox_principal_policy.arn
 }
 
-resource "aws_lambda_permission" "update-redbox-principal-policy" {
+resource "aws_lambda_permission" "update_redbox_principal_policy" {
   statement_id  = "AllowExecutionFromSNS"
   action        = "lambda:InvokeFunction"
-  function_name = module.update-redbox-principal-policy.name
+  function_name = module.update_redbox_principal_policy.name
   principal     = "sns.amazonaws.com"
   source_arn    = aws_sns_topic.lease_unlocked.arn
 }
 
-resource "aws_iam_role_policy" "update-redbox-principal-policy" {
-  role   = module.update-redbox-principal-policy.execution_role_name
+resource "aws_iam_role_policy" "update_redbox_principal_policy" {
+  role   = module.update_redbox_principal_policy.execution_role_name
   policy = <<POLICY
 {
   "Version": "2012-10-17",

diff --git a/pkg/rolemanager/policymanager.go b/pkg/rolemanager/policymanager.go
@@ -58,14 +58,23 @@ func (rm *IAMPolicyManager) MergePolicy(input *MergePolicyInput) error {
 	}
 
 	// Prune old versions of the policy.  Making sure we have room for one more policy version
-	rm.PrunePolicyVersions(input.PolicyArn.String())
+	err = rm.PrunePolicyVersions(input.PolicyArn.String())
+	if err != nil {
+		log.Printf("Found an issue pruning versions for policy '%s': %s", input.PolicyArn.String(), err)
+		return err
+	}
 
 	// Create a new Policy Version and set as default
-	rm.IAM.CreatePolicyVersion(&iam.CreatePolicyVersionInput{
+	_, err = rm.IAM.CreatePolicyVersion(&iam.CreatePolicyVersionInput{
 		PolicyArn:      aws.String(input.PolicyArn.String()),
 		PolicyDocument: aws.String(input.PolicyDocument),
 		SetAsDefault:   aws.Bool(true),
 	})
+	if err != nil {
+		log.Printf("Found an issue creating a new policy version for policy '%s': %s", input.PolicyArn.String(), err)
+		return err
+	}
+
 	return nil
 }