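--- /dev/null
+++ b/terraform/aws-iam/datadog.tf
@@ -0,0 +1,111 @@
+# Datadog AWS Integration Resources
+
+resource "aws_iam_policy" "datadog_integration" {
+name = "AWSDataDogIntegration"
+
+policy = jsonencode({
+Version = "2012-10-17"
+Statement = [
+{
+Effect = "Allow"
+Action = [
+"autoscaling:Describe*",
+"budgets:ViewBudget",
+"cloudfront:GetDistributionConfig",
+"cloudfront:ListDistributions",
+"cloudtrail:DescribeTrails",
+"cloudtrail:GetTrailStatus",
+"cloudwatch:Describe*",
+"cloudwatch:Get*",
+"cloudwatch:List*",
+"codedeploy:List*",
+"codedeploy:BatchGet*",
+"directconnect:Describe*",
+"dynamodb:List*",
+"dynamodb:Describe*",
+"ec2:Describe*",
+"ec2:Get*",
+"ecs:Describe*",
+"ecs:List*",
+"elasticache:Describe*",
+"elasticache:List*",
+"elasticfilesystem:DescribeFileSystems",
+"elasticfilesystem:DescribeTags",
+"elasticloadbalancing:Describe*",
+"elasticmapreduce:List*",
+"elasticmapreduce:Describe*",
+"es:ListTags",
+"es:ListDomainNames",
+"es:DescribeElasticsearchDomains",
+"health:DescribeEvents",
+"health:DescribeEventDetails",
+"health:DescribeAffectedEntities",
+"kinesis:List*",
+"kinesis:Describe*",
+"lambda:AddPermission",
+"lambda:GetPolicy",
+"lambda:List*",
+"lambda:RemovePermission",
+"logs:Get*",
+"logs:Describe*",
+"logs:FilterLogEvents",
+"logs:TestMetricFilter",
+"rds:Describe*",
+"rds:List*",
+"redshift:DescribeClusters",
+"redshift:DescribeLoggingStatus",
+"route53:List*",
+"s3:GetBucketTagging",
+"s3:ListAllMyBuckets",
+"s3:GetBucketLogging",
+"s3:GetBucketLocation",
+"s3:GetBucketNotification",
+"s3:ListAllMyBuckets",
+"s3:PutBucketNotification",
+"ses:Get*",
+"sns:List*",
+"sns:Publish",
+"sqs:ListQueues",
+"support:*",
+"tag:getResources",
+"tag:getTagKeys",
+"tag:getTagValues",
+"apigateway:GET",
+"ec2:SearchTransitGatewayRoutes",
+"elasticfilesystem:DescribeAccessPoints",
+"fsx:DescribeFileSystems",
+"states:ListStateMachines",
+"apigateway:GET"
+]
+Resource = "*"
+}
+]
+})
+}
+
+resource "aws_iam_role" "datadog_integration" {
+name = "AWSDataDogIntegration"
+
+assume_role_policy = jsonencode({
+Version = "2012-10-17"
+Statement = [
+{
+Effect = "Allow"
+Principal = {
+AWS = "arn:aws:iam::464622532012:root"
+}
+Action = "sts:AssumeRole"
+Condition = {
+StringEquals = {
+"sts:ExternalId" = "63ce1985605d40499b0a2a0091d76b0e"
+}
+}
+}
+]
+})
+}
+
+resource "aws_iam_role_policy_attachment" "datadog_integration" {
+role = aws_iam_role.datadog_integration.name
+policy_arn = aws_iam_policy.datadog_integration.arn
+}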
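Review bot: The integration policy mixes write-capable actions into an otherwise read-only grant — `lambda:AddPermission`, `lambda:RemovePermission`, `s3:PutBucketNotification`, `sns:Publish` and `support:*` on `Resource = "*"` — so the Datadog role can alter Lambda resource policies and bucket notification configuration on every resource in the account, not merely observe them. If the Datadog log-forwarder feature is not in use those actions can be dropped; if it is, a comment above the Action list naming which Datadog feature each write permission serves (e.g. `# lambda:*Permission / s3:PutBucketNotification: required only for automatic log-forwarder subscriptions`) would stop a later reviewer from stripping them. `s3:ListAllMyBuckets` and `apigateway:GET` each appear twice in the list and can be deduplicated. The `sts:ExternalId` value in the trust policy is the confused-deputy guard for this role and is committed as a plain literal; sourcing it from a `sensitive = true` variable outside version control would be the safer pattern.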
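--- /dev/null
+++ b/terraform/aws-iam/main.tf
@@ -0,0 +1,27 @@
+# Data source to get current AWS account info
+data "aws_caller_identity" "current" {}
+
+# IAM Groups
+resource "aws_iam_group" "administrator" {
+name = "administrator"
+path = "/"
+}
+
+# Group Memberships
+resource "aws_iam_group_membership" "administrator" {
+name = "administrator-membership"
+group = aws_iam_group.administrator.name
+users = [
+"di",
+"dstufft",
+"coffee",
+"terraform-pypi",
+"ee",
+]
+}
+
+# Group Policy Attachments
+resource "aws_iam_group_policy_attachment" "administrator_admin_access" {
+group = aws_iam_group.administrator.name
+policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}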
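Review bot: `aws_iam_group_policy_attachment.administrator_admin_access` hands `AdministratorAccess` to the five listed users with no MFA requirement; a companion group policy with `Effect = "Deny"`, a `NotAction` list of the IAM self-service actions needed to enrol a device, and `Condition = { BoolIfExists = { "aws:MultiFactorAuthPresent" = "false" } }` would enforce MFA on every console and API call from this group. The `users` entries are bare strings rather than `aws_iam_user` references, so a user removed out-of-band is only noticed as an apply-time failure; if that is deliberate while the users remain unmanaged, a comment such as `# users are not yet managed by Terraform; names must match existing IAM users` would make the intent explicit. `data "aws_caller_identity" "current"` is declared here but not referenced by any file in this PR; presumably it is meant to replace the account ID hard-coded in pypi_policies.tf, otherwise it can be removed.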
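--- /dev/null
+++ b/terraform/aws-iam/outputs.tf
@@ -0,0 +1,20 @@
+output "group_arns" {
+description = "ARNs of IAM groups"
+value = {
+administrator = aws_iam_group.administrator.arn
+}
+}
+
+output "role_arns" {
+description = "ARNs of IAM roles"
+value = {
+datadog_integration = aws_iam_role.datadog_integration.arn
+}
+}
+
+output "policy_arns" {
+description = "ARNs of custom IAM policies"
+value = {
+datadog_integration = aws_iam_policy.datadog_integration.arn
+}
+}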
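--- /dev/null
+++ b/terraform/aws-iam/pypi_policies.tf
@@ -0,0 +1,214 @@
+# PyPI IAM Policies
+
+# to clean up (?)
+# pypi-bandersnatch-mirror - 1031 days ago
+# pypi-db-backup-archive - 795 days ago
+# PyPIReadOnly - 913 days ago
+
+# DB Backup Archive Policy - not used in 795 days
+# resource "aws_iam_policy" "pypi_db_backup_archive" {
+# name = "pypi-db-backup-archive"
+#
+# policy = jsonencode({
+# Version = "2012-10-17"
+# Statement = [
+# {
+# Effect = "Allow"
+# Action = "s3:ListAllMyBuckets"
+# Resource = "*"
+# },
+# {
+# Effect = "Allow"
+# Action = "s3:*"
+# Resource = [
+# "arn:aws:s3:::pypi-db-backup-archive",
+# "arn:aws:s3:::pypi-db-backup-archive/*"
+# ]
+# }
+# ]
+# })
+# }
+
+# opensearch
+resource "aws_iam_policy" "pypi_elasticsearch" {
+name = "PyPIElasticSearch"
+
+policy = jsonencode({
+Version = "2012-10-17"
+Statement = [
+{
+Sid = "VisualEditor0"
+Effect = "Allow"
+Action = [
+"es:DescribeReservedElasticsearchInstanceOfferings",
+"es:ESHttpGet",
+"es:ListTags",
+"es:DescribeElasticsearchDomainConfig",
+"es:GetUpgradeHistory",
+"es:DescribeReservedElasticsearchInstances",
+"es:ESHttpHead",
+"es:ListDomainNames",
+"es:DescribeElasticsearchDomain",
+"es:GetCompatibleElasticsearchVersions",
+"es:GetUpgradeStatus",
+"es:DescribeElasticsearchDomains",
+"es:ListElasticsearchInstanceTypes",
+"es:ListElasticsearchVersions",
+"es:DescribeElasticsearchInstanceTypeLimits"
+]
+Resource = "*"
+},
+{
+Sid = "VisualEditor1"
+Effect = "Allow"
+Action = "es:*"
+Resource = "arn:aws:es:us-east-2:220435833635:domain/warehouse-7/production*"
+},
+{
+Sid = "VisualEditor2"
+Effect = "Allow"
+Action = "es:*"
+Resource = "arn:aws:es:us-east-2:220435833635:domain/warehouse-opensearch/production*"
+}
+]
+})
+}
+
+# amazon ses
+resource "aws_iam_policy" "pypi_email" {
+name = "PyPIEmail"
+description = "Allows sending email as pypi.org"
+
+policy = jsonencode({
+Version = "2012-10-17"
+Statement = [
+{
+Effect = "Allow"
+Action = [
+"ses:SendEmail",
+"ses:SendRawEmail"
+]
+Resource = "arn:aws:ses:us-west-2:220435833635:identity/pypi.org"
+},
+{
+Effect = "Allow"
+Action = [
+"sns:ConfirmSubscription"
+]
+Resource = "arn:aws:sns:us-west-2:220435833635:pypi-ses-delivery-events-topic"
+}
+]
+})
+}
+
+# pypi files/docs ro - unused 913 days
+# resource "aws_iam_policy" "pypi_readonly" {
+# name = "PyPIReadOnly"
+# description = "PyPI Files/Docs Read-Only Access"
+#
+# policy = jsonencode({
+# Version = "2012-10-17"
+# Statement = [
+# {
+# Effect = "Allow"
+# Action = [
+# "s3:GetObject",
+# "s3:ListBucket"
+# ]
+# Resource = [
+# "arn:aws:s3:::pypi-docs",
+# "arn:aws:s3:::pypi-docs/*",
+# "arn:aws:s3:::pypi-files",
+# "arn:aws:s3:::pypi-files/*"
+# ]
+# }
+# ]
+# })
+# }
+
+# s3 r/w
+resource "aws_iam_policy" "pypi_s3_access" {
+name = "PyPIS3Access"
+description = "R/W Access to the PyPI S3 Buckets"
+
+policy = jsonencode({
+Version = "2012-10-17"
+Statement = [
+{
+Effect = "Allow"
+Action = "s3:ListAllMyBuckets"
+Resource = "*"
+},
+{
+Effect = "Allow"
+Action = "s3:*"
+Resource = [
+"arn:aws:s3:::pypi-docs",
+"arn:aws:s3:::pypi-docs/*"
+]
+},
+{
+Effect = "Allow"
+Action = "s3:*"
+Resource = [
+"arn:aws:s3:::pypi-files",
+"arn:aws:s3:::pypi-files/*",
+"arn:aws:s3:::pypi-files-archive",
+"arn:aws:s3:::pypi-files-archive/*"
+]
+},
+{
+Effect = "Deny"
+Action = [
+"s3:DeleteBucket",
+"s3:DeleteBucketPolicy",
+"s3:DeleteBucketWebsite",
+"s3:DeleteObject",
+"s3:DeleteObjectVersion"
+]
+Resource = [
+"arn:aws:s3:::pypi-files",
+"arn:aws:s3:::pypi-files/*",
+"arn:aws:s3:::pypi-files-archive",
+"arn:aws:s3:::pypi-files-archive/*"
+]
+}
+]
+})
+}
+
+# amazon sqs - unused 231 days
+resource "aws_iam_policy" "pypi_worker_sqs" {
+name = "PyPIWorkerSQS"
+description = "R/W Access to PyPI's SQS Worker Queue"
+
+policy = jsonencode({
+Version = "2012-10-17"
+Statement = [
+{
+Effect = "Allow"
+Action = [
+"sqs:ListQueues"
+]
+Resource = "*"
+},
+{
+Effect = "Allow"
+Action = [
+"sqs:DeleteMessage",
+"sqs:GetQueueAttributes",
+"sqs:GetQueueUrl",
+"sqs:PurgeQueue",
+"sqs:ReceiveMessage",
+"sqs:SendMessage",
+"sqs:ChangeMessageVisibility"
+]
+Resource = [
+"arn:aws:sqs:us-east-2:220435833635:pypi-worker",
+"arn:aws:sqs:us-east-2:220435833635:pypi-worker-default",
+"arn:aws:sqs:us-east-2:220435833635:pypi-worker-malware"
+]
+}
+]
+})
+}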
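Review bot: In `pypi_s3_access` the `Deny` statement guards `pypi-files` and `pypi-files-archive` against deletion, but the `pypi-docs` bucket gets `s3:*` with no matching Deny, so the docs bucket and its objects have no deletion guard at all; if that asymmetry is not intentional, add `"arn:aws:s3:::pypi-docs"` and `"arn:aws:s3:::pypi-docs/*"` to the Deny `Resource` list. The Deny also leaves `s3:*` free to rewrite lifecycle and versioning settings, which can expire objects without any `DeleteObject` call, so `"s3:PutLifecycleConfiguration"` and `"s3:PutBucketVersioning"` belong in the same Deny `Action` list. The account ID `220435833635` is hard-coded in every ARN in this file although `data.aws_caller_identity.current` is declared in the same module; `data.aws_caller_identity.current.account_id` would keep the module portable and remove the copy-paste risk. `pypi_worker_sqs` carries the comment `unused 231 days` yet is still created, and the commented-out `pypi_db_backup_archive` and `pypi_readonly` blocks say what to clean up but not whether the live policies were deleted, detached or simply left unmanaged — a one-line comment recording that decision would spare the next reader a console check.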
4 changes: 4 additions & 0 deletions terraform/main.tf
Expand Up @@ -284,6 +284,10 @@ module "inspector" {
ngwaf_percent_enabled = 100
}

module "aws-iam" {
source = "./aws-iam"
}

output "nameservers" { value = module.dns.nameservers }
output "pypi-ses_delivery_topic" { value = module.email.delivery_topic }
output "testpypi-ses_delivery_topic" { value = module.testpypi-email.delivery_topic }