
srihariph/CdkIamPolicyRoleGeneratorApp


IAM Policy Role Generator

This CDK Project helps create IAM Managed Policies and IAM Roles using JSON Configuration

Prerequisites

Place all the policy JSON files inside the config/policy folder. A policy file looks something like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codecommit:CancelUploadArchive",
        "codecommit:UploadArchive"
      ],
      "Resource": "*"
    }
  ]
}

Configure the policies and roles to be created in the config/iam_generator_config.json file. It looks something like this:

{
    "policies": [
        {
            "policy_name": "CodeCommitArchive",
            "description": "CodeCommitArchive policy",
            "policy_file": "CodeCommitArchive.json"
        },
        {
            "policy_name": "KMSPolicy",
            "description": "KMSPolicy policy",
            "policy_file": "KMSPolicy.json"
        },
        {
            "policy_name": "CreateServiceLinkedRoleECS",
            "description": "CreateServiceLinkedRoleECS policy",
            "policy_file": "CreateServiceLinkedRoleECS.json"
        },
        {
            "policy_name": "DeployService1",
            "description": "DeployService1 policy",
            "policy_file": "DeployService1.json"
        },
        {
            "policy_name": "DeployService2",
            "description": "DeployService2 policy",
            "policy_file": "DeployService2.json"
        }
    ],
    "roles": [
        {
            "role_name": "TestRole1",
            "trust_service_principal": ["apigateway.amazonaws.com","lambda.amazonaws.com"],
            "customer_managed_policies": ["DeployService1","DeployService2","KMSPolicy"],
            "aws_managed_policies": ["service-role/AmazonAPIGatewayPushToCloudWatchLogs"]
        },
        {
            "role_name": "TestRole2",
            "trust_service_principal": ["sns.amazonaws.com"],
            "trust_account_principal": ["748669239283"],
            "customer_managed_policies": ["CreateServiceLinkedRoleECS","CodeCommitArchive","KMSPolicy"],
            "aws_managed_policies": ["service-role/AmazonAPIGatewayPushToCloudWatchLogs"]
        },
        {
            "role_name": "TestRole3",
            "trust_service_principal": ["ec2.amazonaws.com","sns.amazonaws.com"],
            "trust_account_principal": ["748669239283"],
            "customer_managed_policies": ["DeployService2","CodeCommitArchive","KMSPolicy"],
            "aws_managed_policies": ["AWSLambdaFullAccess"]
        }
    ]
}
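The config above only declares which principals may assume each role and which policies it gets; the trust policy itself is produced at synth time. As an added example (not code from the srihariph/CdkIamPolicyRoleGeneratorApp project), the TypeScript below builds the assume-role document that such a config implies and runs a few pre-deploy checks on it: every customer_managed_policies entry must name a policy in the policies list, every role needs at least one trust principal, and any Allow statement that pairs a wildcard action with Resource "*" is flagged for a least-privilege review. It assumes trust_service_principal maps to a Service principal and trust_account_principal to the account root ARN (arn:aws:iam::ACCOUNT:root), which is what CDK's ServicePrincipal and AccountPrincipal produce. The sample config, policy documents and account id are constructed placeholders, not the project's files; the checker only needs Node built-ins.

```typescript
// Added example, not part of the srihariph/CdkIamPolicyRoleGeneratorApp project.
// Builds the trust policy implied by an iam_generator_config.json role entry and
// validates the config before `cdk deploy`. No dependency on aws-cdk-lib.

type StrOrList = string | string[];
type PermissionStatement = { Effect: "Allow" | "Deny"; Action: StrOrList; Resource: StrOrList };
type PermissionDocument = { Version: string; Statement: PermissionStatement[] };
type TrustStatement = { Effect: "Allow"; Principal: { Service?: string[]; AWS?: string[] }; Action: "sts:AssumeRole" };
type TrustDocument = { Version: string; Statement: TrustStatement[] };

type PolicyEntry = { policy_name: string; description: string; policy_file: string };
type RoleEntry = {
  role_name: string;
  trust_service_principal?: string[];
  trust_account_principal?: string[];
  customer_managed_policies?: string[];
  aws_managed_policies?: string[];
};
type GeneratorConfig = { policies: PolicyEntry[]; roles: RoleEntry[] };

// Constructed sample config in the README's shape; "111111111111" is a placeholder account id
// and "DeployService9" is deliberately undeclared so the checker has something to report.
const sampleConfig: GeneratorConfig = {
  policies: [
    { policy_name: "CodeCommitArchive", description: "CodeCommitArchive policy", policy_file: "CodeCommitArchive.json" },
    { policy_name: "KMSPolicy", description: "KMSPolicy policy", policy_file: "KMSPolicy.json" },
  ],
  roles: [
    { role_name: "TestRole1", trust_service_principal: ["lambda.amazonaws.com"], customer_managed_policies: ["CodeCommitArchive", "KMSPolicy"] },
    { role_name: "TestRole2", trust_service_principal: ["sns.amazonaws.com"], trust_account_principal: ["111111111111"], customer_managed_policies: ["DeployService9"] },
  ],
};

// Constructed stand-ins for config/policy/*.json, keyed by policy_file.
const samplePolicyFiles: Record<string, PermissionDocument> = {
  "CodeCommitArchive.json": { Version: "2012-10-17", Statement: [{ Effect: "Allow", Action: ["codecommit:CancelUploadArchive", "codecommit:UploadArchive"], Resource: "*" }] },
  "KMSPolicy.json": { Version: "2012-10-17", Statement: [{ Effect: "Allow", Action: "kms:*", Resource: "*" }] },
};

// Assume-role document for one role: one statement for service principals, one for account roots.
function buildTrustPolicy(role: RoleEntry, partition = "aws"): TrustDocument {
  const statements: TrustStatement[] = [];
  const services = role.trust_service_principal || [];
  if (services.length > 0) {
    statements.push({ Effect: "Allow", Principal: { Service: services.slice() }, Action: "sts:AssumeRole" });
  }
  const accounts = role.trust_account_principal || [];
  if (accounts.length > 0) {
    statements.push({
      Effect: "Allow",
      Principal: { AWS: accounts.map((id) => `arn:${partition}:iam::${id}:root`) },
      Action: "sts:AssumeRole",
    });
  }
  return { Version: "2012-10-17", Statement: statements };
}

const asList = (v: StrOrList | undefined): string[] => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Returns human-readable findings; an empty array means the config passed every check.
function validateConfig(config: GeneratorConfig, policyFiles: Record<string, PermissionDocument>): string[] {
  const findings: string[] = [];
  const declared = new Set<string>();
  for (const p of config.policies) {
    if (declared.has(p.policy_name)) findings.push(`duplicate policy_name ${p.policy_name}`);
    declared.add(p.policy_name);
    const doc = policyFiles[p.policy_file];
    if (!doc) {
      findings.push(`policy file ${p.policy_file} for ${p.policy_name} not found`);
      continue;
    }
    doc.Statement.forEach((s, i) => {
      const wildAction = asList(s.Action).some((a) => a === "*" || a.endsWith(":*"));
      const wildResource = asList(s.Resource).indexOf("*") !== -1;
      if (s.Effect === "Allow" && wildAction && wildResource) {
        findings.push(`${p.policy_file} statement ${i}: wildcard action on Resource "*" (review against least privilege)`);
      }
    });
  }
  for (const r of config.roles) {
    if ((r.trust_service_principal || []).length + (r.trust_account_principal || []).length === 0) {
      findings.push(`role ${r.role_name} has no trust principal; nothing could assume it`);
    }
    for (const name of r.customer_managed_policies || []) {
      if (!declared.has(name)) findings.push(`role ${r.role_name} references unknown customer managed policy ${name}`);
    }
  }
  return findings;
}

// Stand-alone usage: print TestRole2's trust policy and the findings for the sample config.
console.log(JSON.stringify(buildTrustPolicy(sampleConfig.roles[1]), null, 2));
for (const f of validateConfig(sampleConfig, samplePolicyFiles)) console.log("finding:", f);
```

Running the checker against the real config/iam_generator_config.json and the files in config/policy before `cdk deploy` catches the dangling policy reference early, when it is a one-line fix rather than a failed CloudFormation update; the wildcard finding is advisory, since a policy such as the KMS one may legitimately need a broad action, but it should be a deliberate decision rather than an unnoticed default.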

Build

To build this app, you need to be in this example's root folder. Then run the following:

npm install -g aws-cdk
npm install
npm run build

This will install the necessary CDK, then this example's dependencies, and then build your TypeScript files and your CloudFormation template.

Synthesize CloudFormation Template

To see the CloudFormation template generated by the CDK, run cdk synth, then check the output file in the "cdk.out" directory.

Deploy

  • Run cdk ls. This lists the two stacks, IamPolicyGeneratorStack and IamRoleGeneratorStack.
  • Run cdk deploy IamPolicyGeneratorStack. This creates the IAM managed policies from the policy files in the config/policy folder that are listed in config/iam_generator_config.json.
  • Run cdk deploy IamRoleGeneratorStack. This creates the IAM roles configured in config/iam_generator_config.json. This stack depends on IamPolicyGeneratorStack, so the policies are created before the roles that reference them.

Useful CDK commands

  • npm run build: compile TypeScript to JS
  • npm run watch: watch for changes and compile
  • npm run test: run the jest unit tests
  • cdk deploy: deploy this stack to your default AWS account/region
  • cdk diff: compare the deployed stack with the current state
  • cdk synth: emit the synthesized CloudFormation template
  • cdk ls: list the CDK stacks in the app
