diff --git a/codegen/src/main.ts b/codegen/src/main.ts
index 01161a4..903feb7 100644
--- a/codegen/src/main.ts
+++ b/codegen/src/main.ts
@@ -16,6 +16,7 @@ const scriptDir = path.dirname(scriptPath);
 const iamPoliciesTfModulePath = path.join(
   path.join(scriptDir, "../../iam-policies/terraform"),
 );
+const iamPoliciesOutDir = path.join(iamPoliciesTfModulePath, "policies");
 
 async function writePolicy(policyName: string, policy: Policy) {
   const policyDocument = {
@@ -33,11 +34,7 @@ async function writePolicy(policyName: string, policy: Policy) {
 
   const policyDocumentJson = JSON.stringify(policyDefinition, null, 2);
 
-  const policyOutputPath = path.join(
-    iamPoliciesTfModulePath,
-    "policies",
-    `${policyName}.json`,
-  );
+  const policyOutputPath = path.join(iamPoliciesOutDir, `${policyName}.json`);
 
   await fs.writeFile(policyOutputPath, policyDocumentJson);
 }
@@ -47,6 +44,9 @@ async function main() {
   const policyFiles = await fs.readdir(policiesDir);
   const policyNames = policyFiles.map((file) => path.basename(file, ".ts"));
 
+  await fs.rm(iamPoliciesOutDir, { recursive: true, force: true });
+  await fs.mkdir(iamPoliciesOutDir, { recursive: true });
+
   const policies = await Promise.all(
     policyNames.map(async (policyName) => {
       const policyPath = path.join(policiesDir, `${policyName}.ts`);
diff --git a/codegen/src/policies/ElastioAwsBackupEc2Scan.ts b/codegen/src/policies/ElastioAwsBackupEc2Scan.ts
deleted file mode 100644
index 2254569..0000000
--- a/codegen/src/policies/ElastioAwsBackupEc2Scan.ts
+++ /dev/null
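Review bot: The added `fs.rm(iamPoliciesOutDir, { recursive: true, force: true })` in main() deletes the whole `policies` directory on every run, so any file placed there that this generator did not produce is silently removed, and with `force: true` a path that resolves somewhere other than intended would be wiped without an error. Because iamPoliciesOutDir is built from `scriptDir` through `../../`, it would be safer to `path.resolve` it and assert that the resolved path ends in the expected `iam-policies/terraform/policies` segments before the recursive delete, or to remove only the `*.json` entries rather than the directory. The wipe also runs before any policy module has been imported, so a failing import leaves the Terraform module with an empty policies directory; generating into a temporary directory and renaming it into place would keep the previous output intact on failure. A comment on the `fs.rm` line such as `// Start from an empty directory so policies removed from codegen/src/policies do not linger in the module.` would record the intent (presumably the reason, given the generated ElastioAwsBackupEc2Scan.json is deleted in this same commit). main() continues past the end of the hunk.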
@@ -1,115 +0,0 @@
-import * as iam from "../iam";
-
-export default {
-  description: "Allows Elastio to scan AWS Backup EC2 and EBS recovery points.",
-
-  statements: [
-    {
-      Sid: "ReadBackupInventory",
-      Action: [
-        // Vaults
-        "backup:ListBackupVaults",
-        "backup:DescribeBackupVault",
-
-        // Recovery points
-        "backup:ListRecoveryPointsByResource",
-        "backup:DescribeRecoveryPoint",
-        "backup:ListRecoveryPointsByBackupVault",
-        "backup:GetRecoveryPointRestoreMetadata",
-
-        // Common for all resources
-        "backup:ListTags",
-
-        // Misc.
-        "backup:ListProtectedResources",
-        "backup:ListProtectedResourcesByBackupVault",
-      ],
-      Resource: "*",
-    },
-
-    {
-      Sid: "ReadEbsInventory",
-      Action: [
-        // Volumes
-        "ec2:DescribeVolumeStatus",
-        "ec2:DescribeVolumes",
-
-        // Snapshots
-        "ec2:DescribeSnapshots",
-        "ec2:DescribeSnapshotAttribute",
-
-        // Common for all resources
-        "ec2:DescribeTags",
-
-        // Used for cost estimation and scanning itself
-        "ebs:ListSnapshotBlocks",
-        "ebs:ListChangedBlocks",
-      ],
-      Resource: "*",
-    },
-
-    {
-      Sid: "ReadEbsSnapshotsData",
-      Action: ["ebs:GetSnapshotBlock"],
-      Resource: "*",
-    },
-
-    {
-      Sid: "ReadEc2Inventory",
-      Action: [
-        "ec2:DescribeInstances",
-        "ec2:DescribeImages",
-        "ec2:DescribeHosts",
-        "ssm:DescribeInstanceInformation",
-      ],
-      Resource: "*",
-    },
-
-    {
-      Sid: "ShareEbsSnapshot",
-      Action: ["ec2:ModifySnapshotAttribute"],
-      Resource: "*",
-      Condition: {
-        // Needed to add createVolumePermission for sharing the snapshot
-        // with the connector account.
-        StringLike: {
-          "ec2:Add/userId": "*",
-        },
-      },
-    },
-
-    // Required for encrypted backups
-    {
-      Sid: "KmsAccess",
-
-      // Users need to put a special tag on their KMS keys to allow Elastio
-      // use them for decrypting their data. It must be documented in public
-      // Elastio documentation.
-      Condition: iam.hasResourceTag("elastio:authorize"),
-
-      Action: [
-        // These actions are needed to reencrypt the volumes that were encrypted
-        // by the KMS key.
-        "kms:ReEncryptFrom",
-        "kms:ReEncryptTo",
-        "kms:CreateGrant",
-        "kms:Encrypt",
-
-        // Needed only for some cases. For example, when we want to snapshot an EBS
-        // volume that was created from a snapshot of the root volume of an EC2 instance.
-        // These calls are made by the ebs.amazonaws.com and not by our code.
-        "kms:DescribeKey",
-
-        // GenerateDataKeyWithoutPlaintext in particular is required in case when
-        // we create a volume from an unencrypted snapshot but there is a default
-        // KMS encryption key set in EBS for the volume.
-        "kms:GenerateDataKey",
-        "kms:GenerateDataKeyWithoutPlaintext",
-
-        // This is required when reading S3 buckets encrypted with a KMS key
-        "kms:Decrypt",
-      ],
-      Resource: "*",
-    },
-  ],
-} satisfies iam.Policy;
diff --git a/iam-policies/terraform/README.md b/iam-policies/terraform/README.md
index af81153..80e9991 100644
--- a/iam-policies/terraform/README.md
+++ b/iam-policies/terraform/README.md
@@ -30,10 +30,8 @@ See the basic [usage example](./examples/basic/main.tf).
 | Policy | Description |
 | ------------------------------------------------------------ | -------------------------------------------------------------- |
 | [`ElastioAssetAccountDeployer`][ElastioAssetAccountDeployer] | Permissions required to deploy the Elastio Asset Account stack |
-| [`ElastioAwsBackupEc2Scan`][ElastioAwsBackupEc2Scan] | Allows Elastio to scan AWS Backup EC2 and EBS recovery points. |
 
 [ElastioAssetAccountDeployer]: ../../codegen/src/policies/ElastioAssetAccountDeployer.ts
-[ElastioAwsBackupEc2Scan]: ../../codegen/src/policies/ElastioAwsBackupEc2Scan.ts
diff --git a/iam-policies/terraform/policies/ElastioAwsBackupEc2Scan.json b/iam-policies/terraform/policies/ElastioAwsBackupEc2Scan.json
deleted file mode 100644
index 95f98d8..0000000
--- a/iam-policies/terraform/policies/ElastioAwsBackupEc2Scan.json
+++ /dev/null
@@ -1,86 +0,0 @@
-{
-  "Description": "Allows Elastio to scan AWS Backup EC2 and EBS recovery points.",
-  "PolicyDocument": {
-    "Version": "2012-10-17",
-    "Statement": [
-      {
-        "Sid": "ReadBackupInventory",
-        "Action": [
-          "backup:ListBackupVaults",
-          "backup:DescribeBackupVault",
-          "backup:ListRecoveryPointsByResource",
-          "backup:DescribeRecoveryPoint",
-          "backup:ListRecoveryPointsByBackupVault",
-          "backup:GetRecoveryPointRestoreMetadata",
-          "backup:ListTags",
-          "backup:ListProtectedResources",
-          "backup:ListProtectedResourcesByBackupVault"
-        ],
-        "Resource": "*",
-        "Effect": "Allow"
-      },
-      {
-        "Sid": "ReadEbsInventory",
-        "Action": [
-          "ec2:DescribeVolumeStatus",
-          "ec2:DescribeVolumes",
-          "ec2:DescribeSnapshots",
-          "ec2:DescribeSnapshotAttribute",
-          "ec2:DescribeTags",
-          "ebs:ListSnapshotBlocks",
-          "ebs:ListChangedBlocks"
-        ],
-        "Resource": "*",
-        "Effect": "Allow"
-      },
-      {
-        "Sid": "ReadEbsSnapshotsData",
-        "Action": ["ebs:GetSnapshotBlock"],
-        "Resource": "*",
-        "Effect": "Allow"
-      },
-      {
-        "Sid": "ReadEc2Inventory",
-        "Action": [
-          "ec2:DescribeInstances",
-          "ec2:DescribeImages",
-          "ec2:DescribeHosts",
-          "ssm:DescribeInstanceInformation"
-        ],
-        "Resource": "*",
-        "Effect": "Allow"
-      },
-      {
-        "Sid": "ShareEbsSnapshot",
-        "Action": ["ec2:ModifySnapshotAttribute"],
-        "Resource": "*",
-        "Condition": {
-          "StringLike": {
-            "ec2:Add/userId": "*"
-          }
-        },
-        "Effect": "Allow"
-      },
-      {
-        "Sid": "KmsAccess",
-        "Condition": {
-          "StringLike": {
-            "aws:ResourceTag/elastio:authorize": "*"
-          }
-        },
-        "Action": [
-          "kms:ReEncryptFrom",
-          "kms:ReEncryptTo",
-          "kms:CreateGrant",
-          "kms:Encrypt",
-          "kms:DescribeKey",
-          "kms:GenerateDataKey",
-          "kms:GenerateDataKeyWithoutPlaintext",
-          "kms:Decrypt"
-        ],
-        "Resource": "*",
-        "Effect": "Allow"
-      }
-    ]
-  }
-}