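# Deployment knobs.
#
# Every tunable is read from an UPPER_CASE environment (or command-line)
# variable and mapped onto a lower-case internal variable.  The $(origin)
# test is used instead of ?= so that a variable that is *set but empty*
# still overrides the default.  Simple (:=) assignment is used throughout:
# every right-hand side refers only to values that are fixed at parse time,
# so there is nothing to gain from late expansion.

# Optional --profile flag prepended to every aws(1) invocation.
profile :=
ifneq ($(origin AWS_DEFAULT_PROFILE), undefined)
profile := --profile $(AWS_DEFAULT_PROFILE)
endif

# Artifact bucket for `cloudformation package`.  Left empty when S3_BUCKET
# is unset, which would hand the CLI a bare --s3-bucket with no argument;
# the templates/packaged.yaml rule is expected to refuse to run in that case.
s3bucket :=
ifneq ($(origin S3_BUCKET), undefined)
s3bucket := $(S3_BUCKET)
endif

# Optional key prefix inside the artifact bucket.  Holds the whole flag so
# it can simply be omitted from the command line when unset.
s3prefix :=
ifneq ($(origin S3_PREFIX), undefined)
s3prefix := --s3-prefix $(S3_PREFIX)
endif

# Stack holding the Lambda function and its IAM role/policy
# (templates/template.yaml, packaged into templates/packaged.yaml).
lambdastackname := security-lambda-s3control
ifneq ($(origin LAMBDA_STACK_NAME), undefined)
lambdastackname := $(LAMBDA_STACK_NAME)
endif

# Stack that invokes the custom resource (templates/stack.yaml).
cfnstackname := security-s3control
ifneq ($(origin CFN_STACK_NAME), undefined)
cfnstackname := $(CFN_STACK_NAME)
endif

# Explicit IAM policy/role names and role path handed to the templates.
# Because these names are fixed rather than generated, the Lambda stack has
# to be deployed with CAPABILITY_NAMED_IAM.
s3controlpolicyname := lambda-policy-s3control
ifneq ($(origin S3_CONTROL_POLICY_NAME), undefined)
s3controlpolicyname := $(S3_CONTROL_POLICY_NAME)
endif
s3controlrolename := lambda-role-s3control
ifneq ($(origin S3_CONTROL_ROLE_NAME), undefined)
s3controlrolename := $(S3_CONTROL_ROLE_NAME)
endif
s3controlrolepath := /
ifneq ($(origin S3_CONTROL_ROLE_PATH), undefined)
s3controlrolepath := $(S3_CONTROL_ROLE_PATH)
endif

# Output key name for the custom-resource function; passed straight through
# as a template parameter.
customfunctionoutputkeyname := custom-resource-block-public-s3-buckets
ifneq ($(origin CUSTOM_FUNCTION_OUTPUT_KEY_NAME), undefined)
customfunctionoutputkeyname := $(CUSTOM_FUNCTION_OUTPUT_KEY_NAME)
endif

# S3 Block Public Access settings passed to the templates.  All four default
# to true, the most restrictive configuration.  Relax one deliberately with
# BLOCK_PUBLIC_ACLS / IGNORE_PUBLIC_ACLS / BLOCK_PUBLIC_POLICY /
# RESTRICT_PUBLIC_BUCKETS=false and only for accounts that intentionally
# serve public content.
bpa := true
ifneq ($(origin BLOCK_PUBLIC_ACLS), undefined)
bpa := $(BLOCK_PUBLIC_ACLS)
endif
ipa := true
ifneq ($(origin IGNORE_PUBLIC_ACLS), undefined)
ipa := $(IGNORE_PUBLIC_ACLS)
endif
bpp := true
ifneq ($(origin BLOCK_PUBLIC_POLICY), undefined)
bpp := $(BLOCK_PUBLIC_POLICY)
endif
rpb := true
ifneq ($(origin RESTRICT_PUBLIC_BUCKETS), undefined)
rpb := $(RESTRICT_PUBLIC_BUCKETS)
endif

# --parameter-overrides list shared by both stacks.  Each Key=Value pair is
# single-quoted so that a value containing spaces reaches the CLI as a
# single argument.
parameteroverrides := 'S3ControlPolicyName=$(s3controlpolicyname)' \
	'S3ControlRoleName=$(s3controlrolename)' \
	'S3ControlRolePath=$(s3controlrolepath)' \
	'CustomFunctionOutputKeyName=$(customfunctionoutputkeyname)' \
	'BPA=$(bpa)' \
	'IPA=$(ipa)' \
	'BPP=$(bpp)' \
	'RPB=$(rpb)'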
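# Default goal: a bare `make` packages AND deploys to the configured AWS
# account.  Use `make build` when only the packaged template is wanted.
all: deploy

# None of these correspond to files; declared phony so a stray file of the
# same name (e.g. `test` or `build`) cannot silently satisfy the target.
.PHONY: all distclean clean prereqs package build test deploy destroy-stack \
        update update-policy update-resource

# Remove everything this Makefile can regenerate, including the vendored
# dependency tree under pkg/ and the pipenv lock output.  $(RM) is rm -f, so
# missing files are not an error; any other failure is reported rather than
# hidden behind a leading '-'.
distclean: clean
	$(RM) -r requirements.txt Pipfile.lock pkg/

# Remove only the staged Lambda source and the packaged template; the
# dependencies already installed into pkg/ are kept.
clean:
	$(RM) -r pkg/publicbuckets.py templates/packaged.yaml

# Convenience aliases for the real file targets below.
prereqs: requirements.txt
package: pkg/publicbuckets.py
build: templates/packaged.yaml

# Refresh both stacks in place.  With a serial make this runs the Lambda
# stack update before the policy stack update; under -j the two may
# overlap, as no ordering between them is declared.
update: update-resource update-policy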
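# Resolve the Lambda's Python dependencies with pipenv, freeze them to
# requirements.txt and vendor them into pkg/ (the package staging dir).
#
# The frozen list is written to a temporary file and renamed into place so
# that a failed `pipenv lock` cannot leave a truncated requirements.txt that
# is newer than its inputs and therefore looks up to date.  The pip step
# writes into pkg/, a directory other than $@; that side effect is relied on
# by the pkg/publicbuckets.py rule.
#
# NOTE(review): whether the frozen list carries --hash pins depends on the
# pipenv version in use — confirm before treating it as a supply-chain
# control over what is bundled into the Lambda artifact.
requirements.txt:
	@echo 'Building requirements list...'
	pipenv install
	pipenv lock -r > $@.tmp
	mv -f $@.tmp $@
	pip install -r $@ -t pkg/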
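# Stage the Lambda handler next to its vendored dependencies.
#
# `clean` is a phony prerequisite, so the source is re-copied (and the
# packaged template removed) on every build.  pkg/ is an order-only
# prerequisite: it must exist, but pip writing into it must not by itself
# make this target look stale.
pkg/publicbuckets.py: clean requirements.txt src/publicbuckets.py | pkg/
	@echo 'Copy lambda source to package staging location...'
	cp src/publicbuckets.py $@

# Staging directory.  Normally created as a side effect of the
# requirements.txt recipe (pip -t); this rule covers the case where
# requirements.txt exists but pkg/ has been removed.
pkg/:
	mkdir -p $@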
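# Upload the staged code to the artifact bucket and write a template that
# references the uploaded artifact.
#
# The first recipe line expands to nothing when S3_BUCKET is set and to a
# fatal $(error) otherwise, so an unset bucket fails here with a clear
# message instead of passing a bare --s3-bucket to the CLI.  Being a recipe
# line, the check only fires when this target is actually built, so
# `make clean` and friends still work without S3_BUCKET.
templates/packaged.yaml: pkg/publicbuckets.py
	$(if $(strip $(s3bucket)),,$(error S3_BUCKET must be set to the artifact bucket used by cloudformation package))
	@echo 'Attempting to compile cloudformation from template...'
	aws $(profile) cloudformation package \
		--template-file templates/template.yaml \
		--output-template-file $@ \
		--s3-bucket $(s3bucket) \
		$(s3prefix)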
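# Seconds to pause between creating the Lambda's IAM role and deploying the
# stack that invokes the function.  IAM is eventually consistent and a role
# that was created moments ago may not yet be usable by the Lambda service.
# Override with IAM_PROPAGATION_WAIT; the previous fixed value was 60.
iampropagationwait := 60
ifneq ($(origin IAM_PROPAGATION_WAIT), undefined)
iampropagationwait := $(IAM_PROPAGATION_WAIT)
endif

# First-time rollout: deploy the Lambda stack, let IAM settle, deploy the
# stack that triggers the custom resource, then enable termination
# protection on both stacks so they cannot be deleted by accident
# (`destroy-stack` removes it again on purpose).
#
# CAPABILITY_NAMED_IAM is needed because the role/policy names are passed
# in explicitly rather than generated by CloudFormation.  `cloudformation
# deploy` already blocks until the change set has been applied; the
# explicit wait on $(cfnstackname) is kept as a belt-and-braces check
# before termination protection is applied.
deploy: build
	@echo "Attempting to deploy resources for custom lambda..."
	@aws $(profile) cloudformation deploy \
		--template-file templates/packaged.yaml \
		--stack-name $(lambdastackname) \
		--parameter-overrides $(parameteroverrides) \
		--capabilities CAPABILITY_NAMED_IAM
	@echo "Sleeping for $(iampropagationwait) seconds to ensure that IAM role is available to the lambda service..."
	@sleep $(iampropagationwait)
	@echo "Attempting to execute custom lambda..."
	@aws $(profile) cloudformation deploy --template-file templates/stack.yaml \
		--stack-name $(cfnstackname) --parameter-overrides $(parameteroverrides)
	@echo "Waiting for $(cfnstackname) to be complete..."
	@aws $(profile) cloudformation wait stack-create-complete \
		--stack-name $(cfnstackname)
	@echo "Applying termination protection..."
	@aws $(profile) cloudformation update-termination-protection \
		--enable-termination-protection \
		--stack-name $(cfnstackname)
	@aws $(profile) cloudformation update-termination-protection \
		--enable-termination-protection \
		--stack-name $(lambdastackname)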
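# Re-package and redeploy only the Lambda stack (code or IAM changes).
#
# --no-fail-on-empty-changeset keeps a redeploy with no actual changes from
# returning non-zero, which otherwise aborts the `update` target halfway
# through (before update-policy has run).
update-resource: clean build
	@echo "Attempting to update resources for custom lambda..."
	@aws $(profile) cloudformation deploy \
		--template-file templates/packaged.yaml \
		--stack-name $(lambdastackname) \
		--parameter-overrides $(parameteroverrides) \
		--capabilities CAPABILITY_NAMED_IAM \
		--no-fail-on-empty-changeset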
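# Redeploy the stack that drives the custom resource, e.g. after changing
# one of the Block Public Access parameters.
#
# --no-fail-on-empty-changeset makes a no-op redeploy succeed instead of
# failing; the subsequent wait then returns immediately because the stack
# is already in a completed state.
update-policy:
	@echo "Attempting to update S3 public bucket policy..."
	@aws $(profile) cloudformation deploy --template-file templates/stack.yaml \
		--stack-name $(cfnstackname) --parameter-overrides $(parameteroverrides) \
		--no-fail-on-empty-changeset
	@echo "Waiting for $(cfnstackname) to be complete..."
	@aws $(profile) cloudformation wait stack-update-complete \
		--stack-name $(cfnstackname)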
# Tear down both stacks.
#
# Termination protection (enabled by `deploy`) is removed from both stacks
# first.  The policy stack is then deleted and waited on before the Lambda
# stack is touched — presumably so the function is still present to handle
# the custom resource's Delete event; confirm against the templates.
#
# There is no confirmation step: this target starts deleting as soon as it
# is invoked, and each step is sequential (every line is its own shell and
# make stops at the first failing command).
destroy-stack:
	@echo "Removing termination protection..."
	@aws $(profile) cloudformation update-termination-protection \
		--no-enable-termination-protection \
		--stack-name $(cfnstackname)
	@aws $(profile) cloudformation update-termination-protection \
		--no-enable-termination-protection \
		--stack-name $(lambdastackname)
	@echo "Attempting to destroy stack..."
	@aws $(profile) cloudformation delete-stack --stack-name $(cfnstackname)
	@echo "Waiting for $(cfnstackname) to be deleted..."
	@aws $(profile) cloudformation wait stack-delete-complete \
		--stack-name $(cfnstackname)
	@aws $(profile) cloudformation delete-stack --stack-name $(lambdastackname)
	@echo "Waiting for $(lambdastackname) to be deleted..."
	@aws $(profile) cloudformation wait stack-delete-complete \
		--stack-name $(lambdastackname)