noqdev / iambic


IAMbic is Version-Control for IAM. It centralizes and simplifies cloud access and permissions. It maintains an eventually consistent, human-readable, bi-directional representation of IAM in Git.

Home Page: https://iambic.org

License: Apache License 2.0

Python 97.89% Dockerfile 0.06% Makefile 0.20% HCL 0.99% Shell 0.12% Jinja 0.49% HTML 0.23%
aws iam aws-multi-account aws-organizations compliance google-workspace infrastructure-as-code okta policy-as-code

iambic's People

Contributors

0xajx, castrapel, datfinesoul, dependabot[bot], eniolastyle, hilyas, jonathanloscalzo, mdaue, mdaue2, noahi, perpil, rjulian, smoy, sulaiman-mozes, wilhite-r, will-noq

iambic's Issues

Improve visibility of roles being created by iambic setup

Is your feature request related to a problem? Please describe.
During iambic setup, it will attempt to create IambicHubRole and IambicSpokeRole. As a user, I want to preview the permissions granted to these roles.

Describe the solution you'd like
It should link to the definition of permissions granted to IambicHubRole and IambicSpokeRole.

Describe alternatives you've considered
Print to standard out or offer to print to pdf

Additional context

(env) stevenmoy@steven-noqdev-mbp iambic % iambic setup
2023/04/11 16:08:59 [info     ] Setting config metadata...
2023/04/11 16:08:59 [info     ] Plugins loaded successfully...
? To get started with the IAMbic setup wizard, you'll need an AWS account.
This is where IAMbic will deploy its main role. If you have an AWS Organization, that account will be your hub account.
Review to-be-created IAMbic roles at https://iambic.org/reference/aws_hub_and_spoke_roles
Which Account ID should we use to deploy the IAMbic hub role?

Hub_Role_stack_Name

Describe the bug
Attempting to add a 2nd AWS Account to an existing IAMBIC configuration

Traceback (most recent call last):
  File "/Users/michael.woodside/repos/devops-iambic-controls/venv/bin/iambic", line 8, in <module>
    sys.exit(cli())
             ^^^^^
  File "/Users/michael.woodside/repos/devops-iambic-controls/venv/lib/python3.11/site-packages/click/core.py", line 1130, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/michael.woodside/repos/devops-iambic-controls/venv/lib/python3.11/site-packages/click/core.py", line 1055, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/Users/michael.woodside/repos/devops-iambic-controls/venv/lib/python3.11/site-packages/click/core.py", line 1657, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/michael.woodside/repos/devops-iambic-controls/venv/lib/python3.11/site-packages/click/core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/michael.woodside/repos/devops-iambic-controls/venv/lib/python3.11/site-packages/click/core.py", line 760, in invoke
    return __callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/michael.woodside/repos/devops-iambic-controls/venv/lib/python3.11/site-packages/iambic/main.py", line 475, in setup
    ConfigurationWizard(repo_dir, is_more_options=is_more_options).run()
  File "/Users/michael.woodside/repos/devops-iambic-controls/venv/lib/python3.11/site-packages/iambic/config/wizard.py", line 1933, in run
    self.configuration_wizard_aws()
  File "/Users/michael.woodside/repos/devops-iambic-controls/venv/lib/python3.11/site-packages/iambic/config/wizard.py", line 1302, in configuration_wizard_aws
    self.configuration_wizard_aws_accounts()
  File "/Users/michael.woodside/repos/devops-iambic-controls/venv/lib/python3.11/site-packages/iambic/config/wizard.py", line 1103, in configuration_wizard_aws_accounts
    self.configuration_wizard_aws_account_add()
  File "/Users/michael.woodside/repos/devops-iambic-controls/venv/lib/python3.11/site-packages/iambic/config/wizard.py", line 914, in configuration_wizard_aws_account_add
    create_spoke_role_stack(
TypeError: create_spoke_role_stack() got an unexpected keyword argument 'hub_role_stack_name'

To Reproduce
Steps to reproduce the behavior:
Launch iambic setup, select AWS, then AWS accounts.

Next, in the wizard, select add AWS account and provide the details of the Identity, Account #, name, region, and finally the Role ARN (optional).

Select proceed, then it crashes.

Expected behavior
Spoke role should be created for accessing the 2nd account from the primary hub account.

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

  • OS: MacOS M2 v13.3
  • Version -- Latest Release

GitHub action improvement such that forked repo PR request can complete run-test gh action as green

Is your feature request related to a problem? Please describe.
PRs from forked repos are always red because the functional tests are not able to run.

Describe the solution you'd like
A way to have the GitHub Action report green if `make test` passed.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Community Engagement
Help us prioritize this request and express your support by adding a 👍 reaction to the original issue. This will assist both the community and the maintainers in addressing this request.

Please avoid leaving "+1" or "me too" comments as they create extra noise for issue followers and do not assist in prioritizing the request. If you are considering working on this issue or have already submitted a pull request, kindly leave a comment.

Improve handling on certain exceptions

When attempting to create an AWS StackSet and the following exception is raised, link the user to the IAMbic documentation for enabling org access to operate a service managed stack set.

botocore.exceptions.ClientError: An error occurred (ValidationError) when calling the CreateStackSet operation: You must enable organizations access to operate a service managed stack set

If a user attempts to provide a directory to iambic plan, return a message that plan does not support a directory and that a list of template paths must be provided.

Git flow does not handle the prev incompatible version of templates (from 0.2.0 templates with 0.3.0 iambic-core)

Describe the bug
With the 0.3.0 release of iambic-core, we run sed to find and replace in the templates so that variable usage is compatible. However, the git flow (during the plan stage) is choking on the incompatible previous version of the template.

The current git flow loads the previous version and the current version of the model backing the template. Since the 0.3.0 model rejects the previous version from git history, the git flow refuses to complete the plan.

To Reproduce
Steps to reproduce the behavior:

  1. Have Iambic and Git integration setup that does auto plan in the PR.
  2. The templates in the current git history on main are from iambic 0.2.0.
  3. Upgrade the Iambic and Git integration using the 0.3.0 of iambic-core
  4. Generate a PR that upgrades the template from 0.2.0 to 0.3.0.
  5. Observe that the plan fails because the model is unhappy about the 0.2.0 template in the git history. Note: the current PR is using 0.3.0, but the git flow uses the git history.

See: noqdev/iambic-templates-examples#6

Expected behavior
It should not crash during plan.

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

  • Github
  • iambic-core at 0.3.1

Additional context

 File "/app/iambic/request_handler/git_plan.py", line 26, in plan_git_changes
   changes = await apply_git_changes(config_path, repo_dir)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 File "/app/iambic/request_handler/git_apply.py", line 69, in apply_git_changes
   modified_templates_doubles = create_templates_for_modified_files(
                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 File "/app/iambic/core/git.py", line 233, in create_templates_for_modified_files
   main_template = template_cls(file_path=git_diff.path, **main_template_dict)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 File "/app/iambic/core/models.py", line 84, in __init__
   super().__init__(*args, **kwargs)
 File "pydantic/main.py", line 341, in pydantic.main.BaseModel.__init__
pydantic.error_wrappers.ValidationError: 3 validation errors for AwsIamRoleTemplate
Properties -> PermissionsBoundary -> permissions_boundary_arn
 string does not match regex "(^arn:([^:]*):([^:]*):([^:]*):(|\*|[\d]{12}|cloudfront|aws|{{var.account_id}}):(.+)$)|^\*$" (type=value_error.str.regex; pattern=(^arn:([^:]*):([^:]*):([^:]*):(|\*|[\d]{12}|cloudfront|aws|{{var.account_id}}):(.+)$)|^\*$)
Properties -> PermissionsBoundary
 value is not a valid list (type=type_error.list)
Properties -> ManagedPolicies -> 1 -> PolicyArn
 string does not match regex "(^arn:([^:]*):([^:]*):([^:]*):(|\*|[\d]{12}|cloudfront|aws|{{var.account_id}}):(.+)$)|^\*$" (type=value_error.str.regex; pattern=(^arn:([^:]*):([^:]*):([^:]*):(|\*|[\d]{12}|cloudfront|aws|{{var.account_id}}):(.+)$)|^\*$)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
 File "/app/iambic/plugins/v0_1_0/github/github.py", line 507, in handle_iambic_git_plan
   template_changes = run_git_plan(proposed_changes_path, repo_dir)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 File "/app/iambic/main.py", line 344, in run_git_plan
   template_changes = asyncio.run(plan_git_changes(config_path, repo_dir))
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 File "/Python-3.11.1/Lib/asyncio/runners.py", line 190, in run
   return runner.run(main)
          ^^^^^^^^^^^^^^^^
 File "/Python-3.11.1/Lib/asyncio/runners.py", line 118, in run
   return self._loop.run_until_complete(task)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 File "/Python-3.11.1/Lib/asyncio/base_events.py", line 653, in run_until_complete
   return future.result()
          ^^^^^^^^^^^^^^^
 File "/app/iambic/request_handler/git_plan.py", line 29, in plan_git_changes
   return changes
          ^^^^^^^
UnboundLocalError: cannot access local variable 'changes' where it is not associated with a value

iambic should play nice with `sts:SetSourceIdentity`

Is your feature request related to a problem? Please describe.
In an enterprise setup where source identity is checked, IambicHubRole will face issues like having no permission to perform sts:SetSourceIdentity on itself.

Describe the solution you'd like
Consider adding sts:SetSourceIdentity permissions to the trust policy on your Hub and Spoke roles.

Describe alternatives you've considered
N/A

Additional context

2023/04/24 17:00:50 [error    ] Failed to assume role
  assume_role_arn=arn:aws:iam::REDACTED:role/IambicHubRole
  error=ClientError('An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::REDACTED:assumed-role/REDACTED_ROLE_1/REDACTED_SESSION_NAME is not authorized to perform: sts:SetSourceIdentity on resource: arn:aws:iam::REDACTED:role/IambicHubRole')

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html#id_credentials_temp_control-access_monitor-setup

When you assume a role with another role, called [role chaining](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining), permissions for sts:SetSourceIdentity are required in both the permissions policy of the principal who is assuming the role and in the role trust policy of the target role. Otherwise, the assume role operation will fail.

Example role trust policy for source identity

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowDevUserAssumeRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/DevUser"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:SetSourceIdentity"
      ],
      "Condition": {
        "StringEquals": {
          "sts:SourceIdentity": "DevUser"
        }
      }
    }
  ]
}
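
The role-chaining rule quoted above, turned into a check you can run against a trust policy before pointing IAMbic at a hub role. This is an added example, not IAMbic's code: TRUST_POLICY is the AWS documentation policy shown above, while HUB_STYLE_POLICY (an AssumeRole-only trust policy, the shape that yields the AccessDenied in the log), the caller ARN and the source identity strings are constructed. Only the IAM semantics the check needs are modelled: AWS principals, Action wildcards, a StringEquals condition on sts:SourceIdentity, and explicit Deny.

```python
"""Check a role trust policy for the sts actions role chaining needs.

Added illustration for this issue, not IAMbic's own code. TRUST_POLICY is the
AWS documentation example quoted above; HUB_STYLE_POLICY, CALLER and the
source identity strings are constructed inputs.
"""
import fnmatch

# The trust policy from the AWS docs: grants both actions, conditioned on the
# source identity the caller sets.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowDevUserAssumeRole",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:user/DevUser"},
            "Action": ["sts:AssumeRole", "sts:SetSourceIdentity"],
            "Condition": {"StringEquals": {"sts:SourceIdentity": "DevUser"}},
        }
    ],
}

# Constructed: a trust policy that only grants sts:AssumeRole. When the
# caller's session already carries a source identity, AWS also needs
# sts:SetSourceIdentity here, which is the AccessDenied in the log above.
HUB_STYLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:user/DevUser"},
            "Action": "sts:AssumeRole",
        }
    ],
}

CALLER = "arn:aws:iam::123456789012:user/DevUser"  # constructed caller


def _as_list(value):
    """IAM lets most fields be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and may contain '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def trust_policy_allows(policy, principal_arn, action, source_identity=None):
    """True if the policy grants `action` to `principal_arn`.

    Models only what this check needs: AWS principals (exact ARN or "*"),
    Action wildcards, a StringEquals condition on sts:SourceIdentity, and an
    explicit Deny overriding Allow. Other condition keys are not evaluated.
    """
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if not any(p in ("*", principal_arn) for p in principals):
            continue
        if not any(_action_matches(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:SourceIdentity" in cond:
            if source_identity not in _as_list(cond["sts:SourceIdentity"]):
                continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def missing_for_role_chaining(policy, principal_arn, source_identity):
    """Return the sts actions the trust policy fails to grant the caller.

    Per the AWS documentation quoted above, a chained AssumeRole that
    propagates a source identity needs both actions in the trust policy.
    """
    required = ["sts:AssumeRole", "sts:SetSourceIdentity"]
    return [
        a for a in required
        if not trust_policy_allows(policy, principal_arn, a, source_identity)
    ]


if __name__ == "__main__":
    print(missing_for_role_chaining(TRUST_POLICY, CALLER, "DevUser"))      # []
    print(missing_for_role_chaining(HUB_STYLE_POLICY, CALLER, "DevUser"))  # ['sts:SetSourceIdentity']
```

The same check run with the caller's own permissions policy would cover the other half of the rule: sts:SetSourceIdentity has to be granted on both sides of the chain, and an empty list from only one of them is not enough.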

`iambic setup` is not following the standard credentials provider chain

Describe the bug
iambic setup is not following the standard credentials provider chain. It will attempt to use the default profile even when the environment variables already have the temporary credentials set.

To Reproduce
Steps to reproduce the behavior:

  1. open a new shell
  2. export aws temporary environment variables
  3. run iambic setup
  4. You will notice it insists on your default AWS profile whether it actually exists or not. Beside the point: if I have temporary credentials set up in environment variables, it should use those with higher priority.

Expected behavior
If credentials are set in the environment, it should not ask me which profile to use.

Screenshots
If applicable, add screenshots to help explain your problem.

โฏ iambic setup                                                                  ๎œผ iambic-templates 15:56:37
2023/04/24 15:56:47 [info     ] Setting config metadata...
2023/04/24 15:56:47 [info     ] Plugins loaded successfully...
? To get started with the IAMbic setup wizard, you'll need an AWS account.
This is where IAMbic will deploy its main role. If you have an AWS Organization, that account will be your hub account.
Review to-be-created IAMbic roles at https://docs.iambic.org/reference/aws_hub_and_spoke_roles
Which Account ID should we use to deploy the IAMbic hub role? REDACTED
? IAMbic detected you are using arn:aws:iam::REDACTED:role/speedrun-Administrator for AWS access.
This identity will require the ability to create CloudFormation stacks, stack sets, and stack set instances.
Would you like to use this identity? Yes
? What would you like to configure? AWS
? What would you like to configure in AWS?
We recommend configuring IAMbic with AWS Organizations, but you may also manually configure accounts. AWS Accounts
? This requires that you have the ability to create CloudFormation stacks, stack sets, and stack set instances.
If you are using an AWS Organization, be sure that trusted access is enabled.
You can check this using the AWS Console:
  https://us-east-1.console.aws.amazon.com/organizations/v2/home/services/CloudFormation%20StackSets
Proceed? Yes
? What is the name of the AWS Account? Noq Sandbox
? Create required Hub and Spoke roles via CloudFormation?
The templates that will be used can be found here:
  https://github.com/noqdev/iambic/tree/main/iambic/plugins/v0_1_0/aws/cloud_formation/templates Yes
? Do you want to restrict IambicSpokeRole to read-only IAM and IdentityCenter service?
This will limit IAMbic capability to import No
2023/04/24 15:58:36 [info     ] Using AWS default profile from environment
  profile=default <-- it should not ask me
? Please specify the profile to use to access to the AWS Account. (Use arrow keys)

Additional context
Add any other context about the problem here.
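
The resolution order the issue expects, as an added Python model (not IAMbic's or botocore's code) of the first two links of the AWS SDK default credential chain: environment variables are consulted before the shared credentials file, so a tool that follows the chain has no reason to prompt for a profile once AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are set. The credentials file text, profile names and key values are constructed; the real chain continues with assume-role and SSO profiles, container and instance metadata, which this model omits.

```python
"""Minimal model of the AWS SDK default credential chain order.

Added illustration for this issue, not IAMbic's or botocore's code. Only the
first two providers are modelled (environment, then the shared credentials
file selected by AWS_PROFILE or "default"). The file content is constructed.
"""
import configparser

# Constructed ~/.aws/credentials content with two profiles.
SHARED_CREDENTIALS = """
[default]
aws_access_key_id = AKIADEFAULTPROFILE00
aws_secret_access_key = default-profile-secret

[sandbox]
aws_access_key_id = AKIASANDBOXPROFILE00
aws_secret_access_key = sandbox-profile-secret
"""


def from_environment(env, credentials_text=None):
    """Provider 1: static or temporary credentials in environment variables."""
    key = env.get("AWS_ACCESS_KEY_ID")
    secret = env.get("AWS_SECRET_ACCESS_KEY")
    if not (key and secret):
        return None  # both are required; a partial pair is ignored
    return {
        "source": "env",
        "access_key": key,
        "secret_key": secret,
        "token": env.get("AWS_SESSION_TOKEN"),  # present for temporary creds
    }


def from_shared_file(env, credentials_text):
    """Provider 2: a named profile in the shared credentials file."""
    profile = env.get("AWS_PROFILE", "default")
    parser = configparser.ConfigParser()
    parser.read_string(credentials_text)
    if not parser.has_section(profile):
        return None
    section = parser[profile]
    return {
        "source": f"profile:{profile}",
        "access_key": section["aws_access_key_id"],
        "secret_key": section["aws_secret_access_key"],
        "token": section.get("aws_session_token"),
    }


def resolve_credentials(env, credentials_text=SHARED_CREDENTIALS):
    """Walk the providers in chain order and return the first hit.

    The point of the ordering: when the environment carries credentials, the
    profile is never consulted, so a tool following the chain has no reason
    to prompt for one.
    """
    for provider in (from_environment, from_shared_file):
        found = provider(env, credentials_text)
        if found:
            return found
    return None


if __name__ == "__main__":
    temp = {"AWS_ACCESS_KEY_ID": "ASIAENVTEMP00000000",
            "AWS_SECRET_ACCESS_KEY": "env-secret",
            "AWS_SESSION_TOKEN": "env-token",
            "AWS_PROFILE": "sandbox"}
    print(resolve_credentials(temp)["source"])  # env
    print(resolve_credentials({"AWS_PROFILE": "sandbox"})["source"])  # profile:sandbox
```

Passing the environment as a plain dict keeps the provider order testable without touching the real shell; in a wizard, the same function tells you whether to prompt at all.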

IAMbic AWS plugin does not play well with low ulimit value

Describe the bug
macOS default ulimit -n 256 is a problem when an AWS org contains a lot of accounts.

To Reproduce
Steps to reproduce the behavior:

  1. Ensure you have ulimit -n 256 in your environment. Since IAMbic uses multiprocessing, you should ensure your shell is not changing the ulimit value.
  2. In a new current working directory, go through iambic setup.
  3. Set up using the AWS Organizations flow (ensure your organization has 9+ accounts).
  4. See error
2023/05/04 10:07:00 [info     ] Beginning to retrieve AWS Identity Center Permission Sets. 
  org_accounts=[
    "REACTED_ORG_ACCOUNT"
  ]
2023/05/04 10:07:00 [info     ] Setting inline policies in role templates 
  accounts=[
    "REACTED_ACCOUNT_N_MINUS_5"
  ]
2023/05/04 10:07:00 [info     ] Setting inline policies in role templates 
  accounts=[
    "REACTED_ACCOUNT_N_MINUS_4"
  ]
2023/05/04 10:07:00 [info     ] Setting inline policies in role templates 
  accounts=[
    "REACTED_ACCOUNT_N_MINUS_3"
  ]
2023/05/04 10:07:00 [info     ] Setting inline policies in role templates 
  accounts=[
    "REACTED_ACCOUNT_N_MINUS_2"
  ]
2023/05/04 10:07:01 [info     ] Setting inline policies in role templates 
  accounts=[
    "REACTED_ACCOUNT_N_MINUS_1"
  ]
2023/05/04 10:07:02 [info     ] Setting inline policies in role templates 
  accounts=[
    "REACTED_ACCOUNT_N"
  ]
2023/05/04 10:07:04 [info     ] Failed to refresh AWS accounts 
  error=OSError(24, 'Too many open files')
? What would you like to configure in AWS? (Use arrow keys)

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

  • OS: macOS Version 13.3.1 (22E261)
  • /bin/zsh
  • iambic, version 0.5.3

Additional context
Current workaround requires you to change your ulimit

(env) stevenmoy@steven-noqdev-mbp iambic % ulimit -n
256
(env) stevenmoy@steven-noqdev-mbp iambic % ulimit -n 1024
(env) stevenmoy@steven-noqdev-mbp iambic % ulimit -n     
1024
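
The workaround above raises the shell's limit by hand. A process that fans out per-account work can do the same for itself before spawning workers, and size its pool to whatever limit it actually got. Added example, not IAMbic's code; the per-account descriptor estimate and the reserve are assumed figures for illustration, not measurements of IAMbic.

```python
"""Raise the per-process open-file soft limit before fanning out per-account work.

Added illustration for this issue, not IAMbic's own code. The per-account
file-descriptor estimate and the reserve are assumptions for the example.
"""
import resource


def current_nofile_limits():
    """Return (soft, hard) for RLIMIT_NOFILE of this process."""
    return resource.getrlimit(resource.RLIMIT_NOFILE)


def raise_nofile_soft_limit(wanted=1024):
    """Lift the soft RLIMIT_NOFILE to min(wanted, hard); return (old, new, hard).

    Only the soft limit is touched: an unprivileged process may raise it up
    to the hard limit but not beyond, so the request is clamped instead of
    being allowed to fail. If the kernel still refuses, the old limit is
    reported so the caller sizes its work to what it really has.
    """
    soft, hard = current_nofile_limits()
    ceiling = wanted if hard == resource.RLIM_INFINITY else min(wanted, hard)
    new_soft = max(soft, ceiling)  # never lower an already higher limit
    if new_soft != soft:
        try:
            resource.setrlimit(resource.RLIMIT_NOFILE, (new_soft, hard))
        except (ValueError, OSError):
            new_soft = soft
    return soft, new_soft, hard


def fd_budget(soft_limit, per_account_fds=8, reserve=64):
    """How many accounts can be processed concurrently under a soft limit.

    per_account_fds (assumed: a few HTTPS connections plus a worker pipe)
    and reserve (stdio, log files, the interpreter's own descriptors) are
    example figures. With the macOS default of 256 this yields 24 workers;
    with 1024 it yields 120.
    """
    return max(1, (soft_limit - reserve) // per_account_fds)


def concurrency_for_current_process(per_account_fds=8, reserve=64):
    """Combine the two: raise the limit, then size the worker pool to fit."""
    _, new_soft, _ = raise_nofile_soft_limit()
    return fd_budget(new_soft, per_account_fds, reserve)


if __name__ == "__main__":
    old, new, hard = raise_nofile_soft_limit()
    print(f"soft {old} -> {new} (hard {hard}); workers: {fd_budget(new)}")
```

Raising the limit inside the process is the part `ulimit -n` cannot do for a child launched from a shell with a different configuration; capping the pool size is what keeps the job from hitting EMFILE when the raise is refused.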

Additional context on the setup process in docs.iambic.org

The documentation should include the flow and impact of running the setup wizard.

  • What will it create locally
    • A yaml based representation of your identities
  • What resources will it create
    • In AWS, describe the CloudFormation stacks and the resources it creates
  • Will it modify or remove existing resources
    • Mention it will not alter your existing resources in any way

Include common advanced configurations. Specifically, a read-only deployment for testing.

Also, make a note that AWS change detection is set up in us-east-1 because that's where IAM changes are funneled. This should be in the docs and the wizard.

Directory Extension on AD Synced Group Causing Error

Describe the bug
When importing Azure AD groups, an error is encountered regarding an unexpected field.

Traceback (most recent call last):
  File "/Users/sparkywood/miniconda3/envs/iambic/bin/iambic", line 8, in <module>
    sys.exit(cli())
             ^^^^^
  File "/Users/sparkywood/miniconda3/envs/iambic/lib/python3.11/site-packages/click/core.py", line 1130, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/sparkywood/miniconda3/envs/iambic/lib/python3.11/site-packages/click/core.py", line 1055, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/Users/sparkywood/miniconda3/envs/iambic/lib/python3.11/site-packages/click/core.py", line 1657, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/sparkywood/miniconda3/envs/iambic/lib/python3.11/site-packages/click/core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/sparkywood/miniconda3/envs/iambic/lib/python3.11/site-packages/click/core.py", line 760, in invoke
    return __callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/sparkywood/workbench/iambic/iambic/main.py", line 406, in import_
    asyncio.run(config.run_import(exe_message, repo_dir))
  File "/Users/sparkywood/miniconda3/envs/iambic/lib/python3.11/asyncio/runners.py", line 190, in run
    return runner.run(main)
           ^^^^^^^^^^^^^^^^
  File "/Users/sparkywood/miniconda3/envs/iambic/lib/python3.11/asyncio/runners.py", line 118, in run
    return self._loop.run_until_complete(task)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/sparkywood/miniconda3/envs/iambic/lib/python3.11/asyncio/base_events.py", line 653, in run_until_complete
    return future.result()
           ^^^^^^^^^^^^^^^
  File "/Users/sparkywood/workbench/iambic/iambic/config/dynamic_config.py", line 232, in run_import
    await asyncio.gather(*tasks)
  File "/Users/sparkywood/workbench/iambic/iambic/plugins/v0_1_0/azure_ad/handlers.py", line 65, in import_azure_ad_resources
    await asyncio.gather(*collector_tasks)
  File "/Users/sparkywood/workbench/iambic/iambic/plugins/v0_1_0/azure_ad/group/template_generation.py", line 61, in collect_org_groups
    groups = await list_groups(azure_organization)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/sparkywood/workbench/iambic/iambic/plugins/v0_1_0/azure_ad/group/utils.py", line 97, in list_groups
    groups = [GroupTemplateProperties.from_azure_response(g) for g in groups]
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/sparkywood/workbench/iambic/iambic/plugins/v0_1_0/azure_ad/group/utils.py", line 97, in <listcomp>
    groups = [GroupTemplateProperties.from_azure_response(g) for g in groups]
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/sparkywood/workbench/iambic/iambic/plugins/v0_1_0/azure_ad/group/models.py", line 219, in from_azure_response
    return cls(
           ^^^^
  File "/Users/sparkywood/workbench/iambic/iambic/plugins/v0_1_0/azure_ad/group/models.py", line 197, in __init__
    super().__init__(**data)
  File "/Users/sparkywood/workbench/iambic/iambic/core/models.py", line 84, in __init__
    super().__init__(*args, **kwargs)
  File "pydantic/main.py", line 341, in pydantic.main.BaseModel.__init__
pydantic.error_wrappers.ValidationError: 1 validation error for GroupTemplateProperties
extension_08bfb2ea400b4328805e4a0221abff48_s_amaccount_name
  extra fields not permitted (type=value_error.extra)

To Reproduce
Steps to reproduce the behavior:

  1. The environment is using Azure AD sync to sync users/groups from on-premise Active Directory.
  2. When using this pattern directory extensions are added to groups for dynamic group membership (reference: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/connect/how-to-connect-sync-feature-directory-extensions)
  3. When this occurs groups may have extension fields on them like extension_08bfb2ea40deadb33ff48_s_amaccount_name
  4. After setting up Azure AD creds for iambic run iambic import
  5. Error will occur on any group with directory extension

Expected behavior
iambic should ignore these fields as they are not a feature available to iambic

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

  • OS: [e.g. iOS]
  • Browser [e.g. chrome, safari]
  • Version [e.g. 22]

Additional context
Add any other context about the problem here.

Community Engagement
Your vote counts! Please support this bug report by adding a ๐Ÿ‘ reaction to the original issue, which will aid the community and maintainers in addressing this problem.

Please refrain from adding "+1" or "me too" comments, as these create unnecessary noise for issue followers and do not help in prioritizing the issue. If you wish to contribute to solving this issue or have submitted a pull request, please leave a comment.

Github Integration "RUN" Link broken

Describe the bug
User issues a PR and receives a plan or apply. At the bottom of the comment is a "RUN" hyperlink. This link leads to a 404.

To Reproduce

  1. Create a new Branch
  2. Issue a PR
  3. click on Run Hyperlink
  4. receive 404

Expected behavior
The link directs to the completed output or log.

Screenshots
(three screenshots attached to the original issue, not reproduced here)

Additional context
I had a large run for which the apply output was truncated. It asked me to navigate to the link, which is broken.

Tags are missing from one CloudFormation stack for IambicSpokeRole

Describe the bug
PR #392 implemented tags for CloudFormation stacks. That seemed to have worked for all Stacks and StackSets except the IambicSpokeRole in the AWS Organization Management Account (IAMbic Hub Account)

To Reproduce
Steps to reproduce the behavior:

  1. Using version 0.7.5 of iambic
  2. Complete the AWS Organizations setup process
  3. Using aws CLI and credentials in the management account, run
    aws cloudformation describe-stacks --stack-name IambicSpokeRole
  4. See Stacks[0].Tags = []

Expected behavior
The tags entered during setup should be present. The Hub role will have them

aws cloudformation describe-stacks --stack-name IambicHubRole

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

  • OS: Ubuntu 22.04
  • Version 0.7.5

Additional context

Template interface does not uniformly track resource id

Is your feature request related to a problem? Please describe.
Since a template can lead to multiple resources being created, there needs to be a way to track the corresponding resource IDs. For example, in AwsIamRoleTemplate, the role resource created in each of the included accounts will have its own unique ARN (Amazon Resource Name). That information is not uniformly available because the role name can have variables like {{var.account_name}} as part of the specification. This information is important for other tools that want to know which resources need to be refreshed (such as an external resource indexer).

In particular, the permission set ARN is not predictable.

Describe the solution you'd like
A library API to obtain resource id(s) that are covered by the template.

Describe alternatives you've considered
Currently, one can load the template text and then use jinja2 to render the template by passing in the variables. This method is brittle as shown by the 0.2 -> 0.3 upgrade when the variables spec is modified. (when account -> var.account_id). The variable substitution logic should not be replicated by an external program outside of iambic.

Additional context
The intent is that an external program can have a stable API to know which resource ID(s) are represented by a template. An example is an indexer that catalogs resources in the cloud and needs to be informed of which resource ID(s) a template change may affect, so that the stale metadata can be refreshed.
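
What such an API would compute for the role case, as an added example (not an IAMbic API or its template loader): expand a role template across an account list, honouring included/excluded account patterns and {{var.*}} substitution in the role name, and return one ARN per account. The template keys (template_type, included_accounts, excluded_accounts, properties.role_name), the 0.3.0-style var.account_id / var.account_name names, the account list and the role name are constructed to follow the shape of the examples on this page. It works for roles because the ARN is derivable from account and name; as the issue notes, permission set ARNs are not predictable this way.

```python
"""Expand a role template into the per-account ARNs it would manage.

Added illustration for this issue, not an IAMbic API. Template keys, variable
names, accounts and role names are constructed after the examples on this page.
"""
import fnmatch
import re

# Constructed accounts the template could target.
ACCOUNTS = [
    {"account_id": "111111111111", "account_name": "dev"},
    {"account_id": "222222222222", "account_name": "staging"},
    {"account_id": "333333333333", "account_name": "prod"},
]

# Constructed template in the shape of an AwsIamRoleTemplate.
ROLE_TEMPLATE = {
    "template_type": "NOQ::AWS::IAM::Role",
    "included_accounts": ["*"],
    "excluded_accounts": ["prod"],
    "properties": {"role_name": "deploy-{{var.account_name}}"},
}

# Matches {{var.<name>}} with optional inner whitespace.
VAR_RE = re.compile(r"\{\{\s*var\.([a-z_]+)\s*\}\}")


def template_variables(text):
    """Sorted distinct var.<name> references in a template string."""
    return sorted(set(VAR_RE.findall(text)))


def render(text, account):
    """Substitute {{var.<name>}} with the account's field of that name.

    Unknown variables raise instead of rendering as an empty string, which is
    the failure mode to surface when the variable spec changes between versions.
    """
    def substitute(match):
        name = match.group(1)
        if name not in account:
            raise KeyError(f"template references unknown variable var.{name}")
        return account[name]
    return VAR_RE.sub(substitute, text)


def _selected(account, patterns):
    """An account matches a pattern list by name or id, with '*' wildcards."""
    return any(
        fnmatch.fnmatchcase(account["account_name"], p)
        or fnmatch.fnmatchcase(account["account_id"], p)
        for p in patterns
    )


def resource_arns(template, accounts):
    """Map account_id -> role ARN for every account the template applies to."""
    included = template.get("included_accounts", ["*"])
    excluded = template.get("excluded_accounts", [])
    arns = {}
    for account in accounts:
        if not _selected(account, included) or _selected(account, excluded):
            continue
        name = render(template["properties"]["role_name"], account)
        arns[account["account_id"]] = f"arn:aws:iam::{account['account_id']}:role/{name}"
    return arns


if __name__ == "__main__":
    for account_id, arn in resource_arns(ROLE_TEMPLATE, ACCOUNTS).items():
        print(account_id, arn)
```

Keeping the substitution in one place is the point the issue makes: an indexer that re-implements it will break on the next rename of a variable, whereas a function shipped with the template model changes with the model.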

Evaluate iambic as a new user using a more moderate read-only type spoke role

Is your feature request related to a problem? Please describe.
It would be great if somehow I could evaluate iambic as a new user, using a more moderate read-only type spoke role, vs something that can create access keys, revoke permissions, etc. right off the bat.

Describe the solution you'd like

The permission should be much more restricted than iam:* and sso:*

- Effect: Allow
  Action:
    - identitystore:Describe*
    - identitystore:Get*
    - identitystore:List*
    - organizations:describe*
    - organizations:list*
    - iam:Get*
    - iam:List*
    - sso:Describe*
    - sso:Get*
    - sso:List*
    - sso:Search*
  Resource:
    - '*'

Describe alternatives you've considered
Supply my own SpokeRole to use in configuration

Additional context

  accounts:
    - account_id: 'REDACTED'
      account_name: iambic_test_spoke_account_2
      iambic_managed: read_and_write
      org_id: 'REDACTED'
      spoke_role_arn: arn:aws:iam::REDACTED:role/IambicSpokeRoleReadOnly
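
A way to verify that a spoke role you supply yourself is as restricted as the statement above intends, added here as an example rather than IAMbic's code: classify every allowed action by its verb prefix and list the ones that can write. READ_ONLY_POLICY is the proposed statement transcribed to a Python dict; FULL_ACCESS_POLICY is a constructed stand-in for the iam:* and sso:* grant the issue wants to avoid. The verb-prefix test is a heuristic: a few Get actions return secret material (secretsmanager:GetSecretValue, for instance), so the expanded action list still deserves a read.

```python
"""Flag write-capable actions in an IAM policy meant to be read-only.

Added illustration for this issue, not IAMbic's code or its spoke-role
template. READ_ONLY_POLICY is the statement proposed above; FULL_ACCESS_POLICY
is constructed.
"""

READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "identitystore:Describe*", "identitystore:Get*", "identitystore:List*",
                "organizations:describe*", "organizations:list*",
                "iam:Get*", "iam:List*",
                "sso:Describe*", "sso:Get*", "sso:List*", "sso:Search*",
            ],
            "Resource": ["*"],
        }
    ],
}

# Constructed: the broad grant the issue wants to avoid for an evaluation.
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:*", "sso:*", "identitystore:List*"], "Resource": "*"}
    ],
}

# Verb prefixes that, by AWS naming convention, only read state. This is a
# heuristic: some Get actions return secrets (secretsmanager:GetSecretValue),
# so review the expanded action list as well as this classification.
READ_ONLY_VERBS = ("get", "list", "describe", "search")


def _as_list(value):
    """IAM fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_read_only_action(action):
    """Classify one action string, wildcards included, by its verb prefix."""
    if action.strip() == "*":
        return False
    _service, sep, verb = action.partition(":")
    if not sep or not verb or verb.startswith("*"):
        return False  # "iam:*" or a bare service name grants writes
    return verb.lower().startswith(READ_ONLY_VERBS)


def write_actions(policy):
    """Return every action in an Allow statement that is not read-only."""
    flagged = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if not is_read_only_action(action):
                flagged.append(action)
    return flagged


if __name__ == "__main__":
    print(write_actions(READ_ONLY_POLICY))   # []
    print(write_actions(FULL_ACCESS_POLICY))  # ['iam:*', 'sso:*']
```

Run it against the policy document attached to the role named in spoke_role_arn before setting iambic_managed for that account; an empty list is the bar a read-only evaluation role should clear.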

[docs] schema docs generation should use the snake_case to avoid confusion

Describe the bug
The reference documentation lists elements using UpperCamelCase, while the official examples use snake_case in template definitions.

Docs:

Definitions

IambicManaged: An enumeration. Must be one of: ["undefined", "read_and_write", "import_only", "enforced", "disabled"].

Template Definition:

Link

template_type: NOQ::Okta::Group
iambic_managed: enforced
idp_name: development
properties:
  name: cloud_admins
  description: Cloud Administrators
  members:
    - username: [email protected]
    - username: [email protected]

To Reproduce
Steps to reproduce the behavior:

  1. Check above reference docs vs template.

Expected behavior
Official docs should use snake_case in docs generation.

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

  • OS: [e.g. iOS]
  • Browser [e.g. chrome, safari]
  • Version [e.g. 22]

Additional context
Add any other context about the problem here.

`iambic setup`: "Setup AWS change detection" fails with `'ConfigurationWizard' object has no attribute 'hub_account_id'`

Describe the bug
A clear and concise description of what the bug is.

To Reproduce
Steps to reproduce the behavior:

  1. Use iambic 0.7.5
  2. Logged in with valid admin credentials in the AWS management account
  3. After having setup the organization, running iambic setup again
  4. Choose "Setup AWS change detection"
  5. Answer "Y" to both prompts
  6. Error appears

Expected behavior
No error

Screenshots

→ iambic setup
2023/05/13 06:09:17 [info     ] IAMBIC_DOCKER_CONTAINER is set, using /app as writable directory
2023/05/13 06:09:17 [info     ] Found existing configuration file 
  config_path=/templates/iambic_config.yaml
2023/05/13 06:09:17 [info     ] Loading config...
2023/05/13 06:09:17 [info     ] Setting config metadata...
2023/05/13 06:09:21 [info     ] Plugins loaded successfully...
? What would you like to configure? Setup AWS change detection

This requires that you have the ability to create CloudFormation stacks, stack sets, and stack set instances.
If you are using an AWS Organization, be sure that trusted access is enabled.
You can check this using the AWS Console:
  https://ap-northeast-1.console.aws.amazon.com/organizations/v2/home/services/CloudFormation%20StackSets
? Proceed? Yes
2023/05/13 06:09:33 [info     ] IAMbic change detection relies on CloudTrail being enabled all IAMbic aware accounts. You can check that you have CloudTrail setup by going to https://ap-northeast-1.console.aws.amazon.com/cloudtrail/home
If you do not have CloudTrail setup, you can set it up by going to https://ap-northeast-1.console.aws.amazon.com/cloudtrail/home?region=ap-northeast-1#/create

To setup change detection for iambic it requires creating CloudFormation stacks and a CloudFormation stack set.
To review the templates used or deploy them manually, the IdentityRule templates used can be found here:
https://github.com/noqdev/iambic/tree/main/iambic/plugins/v0_1_0/aws/cloud_formation/templates
If you have already manually deployed the templates, answer yes to proceed.
IAMbic will validate that your stacks have been deployed successfully and will not attempt to replace them.
? Proceed? Yes
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/app/iambic/main.py", line 491, in <module>
    cli()
  File "/usr/local/lib/python3.11/site-packages/click/core.py", line 1130, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/click/core.py", line 1055, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/click/core.py", line 1657, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/click/core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/click/core.py", line 760, in invoke
    return __callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/iambic/main.py", line 475, in setup
    ConfigurationWizard(repo_dir, is_more_options=is_more_options).run()
  File "/app/iambic/config/wizard.py", line 1960, in run
    self.configuration_wizard_change_detection_setup(
  File "/app/iambic/config/wizard.py", line 1849, in configuration_wizard_change_detection_setup
    session, _ = self.get_boto3_session_for_account(aws_org.org_account_id)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/iambic/config/wizard.py", line 628, in get_boto3_session_for_account
    if account_id == self.hub_account_id:
                     ^^^^^^^^^^^^^^^^^^^
AttributeError: 'ConfigurationWizard' object has no attribute 'hub_account_id'

Desktop (please complete the following information):

  • OS: Ubuntu 22.04
  • Version 0.7.5

Improve the flexibility of file_render_resource_changes

The current implementation doesn't allow for all permutations of TemplateChangeDetails. This can be problematic when attempting to represent a message that occurs at the handler level like attempting to run apply on an AWS template when the spoke role is read only.

Support CRUD operations for AWS Organizations Service Control Policies (SCPs)

Is your feature request related to a problem? Please describe.
AWS Organizations SCPs impact how IAM policies are evaluated and are one component of AWS IAM posture.

Describe the solution you'd like
SCPs become a resource type tracked by the AWS plugin in IAMbic.

Describe alternatives you've considered
A separate plugin seems overkill compared to a supported resource type within the current AWS Plugin

Additional context
Create
Read
Update
Delete

YAML Comments not attached to a node crashed IAMbic

Describe the bug

This template crashed IAMbic due to legitimate YAML comments not attached to a particular node.

template_type: NOQ::AWS::IAM::Role
included_accounts:
  # You will need to replace the "NAME_OF_AWS_ACCOUNT_THAT_HAS_IambicHubRole"
  # with the account name of the AWS account holding the IambicHubRole.
  # In the event you change the secret names, you need to update those values as well.
  - NAME_OF_AWS_ACCOUNT_THAT_HAS_IambicHubRole
identifier: iambic_github_app_lambda_execution
properties:
  description: Github App Lambda Execution
  assume_role_policy_document:
    statement:
      - action: sts:AssumeRole
        effect: Allow
        principal:
          service: lambda.amazonaws.com
    version: '2012-10-17'
  inline_policies:
    - policy_name: github-app
      statement:
        - action:
            - logs:CreateLogGroup
          effect: Allow
          resource:
            - arn:aws:logs:*:{{var.account_id}}:log-group:*:log-stream:
          sid: CreateLogGroup
        - action:
            - secretsmanager:GetSecretValue
          effect: Allow
          resource:
            - arn:aws:secretsmanager:*:{{var.account_id}}:secret:iambic/github-app-private-key
            - arn:aws:secretsmanager:*:{{var.account_id}}:secret:iambic/github-app-private-key-*
            - arn:aws:secretsmanager:*:{{var.account_id}}:secret:iambic/github-app-webhook-secret
            - arn:aws:secretsmanager:*:{{var.account_id}}:secret:iambic/github-app-webhook-secret-*
          sid: SecretReading
        - action:
            - logs:CreateLogStream
            - logs:PutLogEvents
          effect: Allow
          resource:
            - arn:aws:logs:*:{{var.account_id}}:log-group:/aws/lambda/iambic_github_app_webhook*:*
          sid: LogEvents
        - action: sts:AssumeRole
          effect: Allow
          resource: arn:aws:iam::{{var.account_id}}:role/IambicHubRole
      version: '2012-10-17'
  role_name: iambic_github_app_lambda_execution

To Reproduce
Steps to reproduce the behavior:

  1. Place the above template in the template directory
  2. run `iambic plan`
  3. IAMbic crash

Expected behavior
Legitimate YAML comments should not crash IAMbic

Screenshots

"""
Traceback (most recent call last):
  File "/opt/homebrew/Cellar/[email protected]/3.9.16/Frameworks/Python.framework/Versions/3.9/lib/python3.9/multiprocessing/pool.py", line 125, in worker
    result = (True, func(*args, **kwds))
  File "/opt/homebrew/Cellar/[email protected]/3.9.16/Frameworks/Python.framework/Versions/3.9/lib/python3.9/multiprocessing/pool.py", line 48, in mapstar
    return list(map(*args))
  File "/Users/stevenmoy/noqdev/iambic/iambic/core/parser.py", line 82, in load_template
    template_dict = transform_comments(yaml.load(open(template_path)))
  File "/Users/stevenmoy/noqdev/iambic/iambic/core/utils.py", line 336, in transform_comments
    comment_dict[key] = comment[2].value
AttributeError: 'NoneType' object has no attribute 'value'
"""

Desktop (please complete the following information):

  • OS: macOS 13.3.1 (22E261)
  • IAMbic version 0.7.1

Additional context
N/A

IAMbic in docker crashes since 0.7.17

Describe the bug
Up until iambic 0.7.16 I was able to run iambic in a docker container using an alias.

docker run -it -u 1001:1001 -v /home/datfinesoul/.aws:/app/.aws:ro -e AWS_CONFIG_FILE=/app/.aws/config -e AWS_SHARED_CREDENTIALS_FILE=/app/.aws/credentials -e AWS_PROFILE -e HOME=/app -v /home/datfinesoul/github/undefined-io/iambic-templates:/templates:Z public.ecr.aws/iambic/iambic:0.7.16
Unable to find image 'public.ecr.aws/iambic/iambic:0.7.16' locally
0.7.16: Pulling from iambic/iambic
044c2e2e5f7c: Already exists 
9a5f39b6f74b: Already exists 
5b52d63ce717: Already exists 
5454bc441089: Already exists 
06b9c4d322ba: Already exists 
d477b118eba2: Already exists 
d9c69844924e: Already exists 
c0b9a7c8267e: Already exists 
4f4fb700ef54: Pull complete 
b714b12a3a87: Pull complete 
d67c8cdacbcd: Pull complete 
bc52b3ea96bd: Pull complete 
6666f084a238: Pull complete 
5210fd4eccc8: Pull complete 
93af40e90805: Pull complete 
133da388c909: Pull complete 
9a2eb3717ff5: Pull complete 
260a2a5ea3d6: Pull complete 
690f9dff2eed: Pull complete 
7c9eacad76df: Pull complete 
2024a80f1cde: Pull complete 
Digest: sha256:0002a1bd3cc7e4ff6c55f585fb9cee56a986d4747b41096fabf901b3fa77da07
Status: Downloaded newer image for public.ecr.aws/iambic/iambic:0.7.16
2023/05/24 06:11:40 [info     ] IAMBIC_DOCKER_CONTAINER is set, using /app as writable directory
Usage: python -m iambic.main [OPTIONS] COMMAND [ARGS]...

Options:
  --version  Show the version and exit.
  --help     Show this message and exit.

Commands:
  apply
  clone-repos
  config-discovery
  convert           Convert a string from AWS PascalCase JSON to IAMbic...
  detect
  expire
  import
  init
  lint
  plan
  setup

In both iambic 0.7.17 and 0.7.18 I get the following error:

docker run -it -u 1001:1001 -v /home/datfinesoul/.aws:/app/.aws:ro -e AWS_CONFIG_FILE=/app/.aws/config -e AWS_SHARED_CREDENTIALS_FILE=/app/.aws/credentials -e AWS_PROFILE -e HOME=/app -v /home/datfinesoul/github/undefined-io/iambic-templates:/templates:Z public.ecr.aws/iambic/iambic:0.7.18
Unable to find image 'public.ecr.aws/iambic/iambic:0.7.18' locally
0.7.18: Pulling from iambic/iambic
Digest: sha256:59010ba9a6a626d14652c43e8835eae0de5810d344a8530590c3ce449423960c
Status: Downloaded newer image for public.ecr.aws/iambic/iambic:0.7.18
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/app/iambic/main.py", line 19, in <module>
    from iambic.config.wizard import ConfigurationWizard
  File "/app/iambic/config/wizard.py", line 87, in <module>
    from iambic.plugins.v0_1_0.okta.iambic_plugin import OktaConfig, OktaOrganization
  File "/app/iambic/plugins/v0_1_0/okta/iambic_plugin.py", line 5, in <module>
    from okta.client import Client as OktaClient
  File "/usr/local/lib/python3.11/site-packages/okta/client.py", line 25, in <module>
    from okta.request_executor import RequestExecutor
  File "/usr/local/lib/python3.11/site-packages/okta/request_executor.py", line 5, in <module>
    from okta.api_response import OktaAPIResponse
  File "/usr/local/lib/python3.11/site-packages/okta/api_response.py", line 3, in <module>
    from okta.api_client import APIClient
  File "/usr/local/lib/python3.11/site-packages/okta/api_client.py", line 1, in <module>
    from pydash.strings import camel_case
  File "/usr/local/lib/python3.11/site-packages/pydash/__init__.py", line 170, in <module>
    from .objects import (
  File "/usr/local/lib/python3.11/site-packages/pydash/objects.py", line 17, in <module>
    from .utilities import PathToken, to_path, to_path_tokens
  File "/usr/local/lib/python3.11/site-packages/pydash/utilities.py", line 577, in <module>
    class MemoizedFunc(Protocol[P, T, T2]):
                       ~~~~~~~~^^^^^^^^^^
  File "/usr/local/lib/python3.11/typing.py", line 344, in inner
    return func(*args, **kwds)
           ^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/typing_extensions.py", line 672, in __class_getitem__
    raise TypeError(
TypeError: Parameters to Protocol[...] must all be type variables. Parameter 1 is ~P

To Reproduce
See above

Expected behavior
The app should not crash

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

  • OS: Ubuntu 22.04
  • Browser: Chrome, Firefox
  • Version: 0.7.18

Additional context
Add any other context about the problem here.

Community Engagement
Your vote counts! Please support this bug report by adding a 👍 reaction to the original issue, which will aid the community and maintainers in addressing this problem.

Please refrain from adding "+1" or "me too" comments, as these create unnecessary noise for issue followers and do not help in prioritizing the issue. If you wish to contribute to solving this issue or have submitted a pull request, please leave a comment.

Support CRUD operations for AWS IAM OIDC providers

Is your feature request related to a problem? Please describe.
AWS IAM OIDC providers are part of AWS IAM and affect how others can identify themselves to AWS IAM.

Describe the solution you'd like
Add a new resource type AWS::IAM::OIDCProvider in AWS plugin.

For example, in order for GitHub Actions to assume an AWS IAM role, one needs to add GitHub as an AWS IAM OIDC provider. reference

Describe alternatives you've considered
N/A

Additional context
Create
Read
Update
Delete

Demo mode to simplify iambic setup

Is your feature request related to a problem? Please describe.
Often, new users want to see IAMbic in action in a single AWS account. If they use the normal wizard, they will create the IambicHubRole and IambicSpokeRole in just one AWS account. The later upgrade path may be painful since they have to ensure they delete the stacks in order to set up organization mode.

Describe the solution you'd like
When the user is adding the first AWS account using the wizard, prompt to use demo mode. If using demo mode, IAMbic can name the stacks IambicHubRoleDemo and IambicSpokeRoleDemo. (The concern would be that the IAM role IambicSpokeRole will still prevent the typical organization CF StackSet creation.)

Describe alternatives you've considered
Have the wizard detect an existing single-account setup and upgrade it to an organization setup. The implementation would have to do a lot of in-place updates or go through removal because the assume role statement will be incompatible on the existing IambicSpokeRole.

Additional context
As a first-time user, I will be shy to set it up for the entire organization before it operates on a single account.

Community Engagement
Help us prioritize this request and express your support by adding a 👍 reaction to the original issue. This will assist both the community and the maintainers in addressing this request.

Please avoid leaving "+1" or "me too" comments as they create extra noise for issue followers and do not assist in prioritizing the request. If you are considering working on this issue or have already submitted a pull request, kindly leave a comment.

Support for Github users and teams

Is your feature request related to a problem? Please describe.
IAMbic plugin to support managing Github users and teams

Describe the solution you'd like
GitHub has identities like users and teams. The IAMbic plugin should support create, read, update and delete operations using the GitHub API.

Describe alternatives you've considered
There is no alternative at the moment.

Additional context

Github docs: https://docs.github.com/en/rest/orgs/members?apiVersion=2022-11-28

IAMbic fails to import an AWS ManagedPolicy that uses a dictionary statement instead of a list of statements

Describe the bug

error=ValidationError(model='ManagedPolicyProperties', errors=[{'loc': ('PolicyDocument',), 'msg': 'value is not a valid dict', 'type': 'type_error.dict'}, {'loc': ('PolicyDocument', 1, 'Statement'), 'msg': 'value is not a valid list', 'type': 'type_error.list'}])

Minimum policy document to trigger the bug:

{
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": "sts:GetCallerIdentity",
        "Resource": "*"
    }
}

To Reproduce

  1. Go to '...'
  2. Click on '....'
  3. Scroll down to '....'
  4. See error

Expected behavior
It should work since it's from an import from an AWS environment

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

  • OS: [e.g. iOS]
  • Browser [e.g. chrome, safari]
  • Version [e.g. 22]

Additional context
Add any other context about the problem here.

AWS Resource Policy Monitoring and Management

Is your feature request related to a problem? Please describe.
Not so much a problem, just a part of IAM that is important for most organizations that I don't see managed currently in iambic.

Describe the solution you'd like
When I import IAM policies for my account, every resource policy associated with an AWS resource in my account should be accounted for and managed.

Describe alternatives you've considered
I guess I would just have to not manage them and hope that I had a sane way of using resource policies?

Deactivated Okta Users are not imported in IAMbic

Describe the bug
Deactivated Okta Users are not imported in IAMbic

To Reproduce

  1. Deactivate a user in Okta
  2. Run IAMbic Import
    ==> User is not imported

Expected behavior
Deactivated users should be represented in IAMbic templates

Changing `spoke_role_arn` to another value doesn't actually work with IAMbic

Describe the bug
I attempt to modify the value of spoke_role_arn to a custom value in the IAMbic config file. However, IAMbic doesn't actually quite work because it's expecting it to be a constant: https://github.com/noqdev/iambic/blob/eb9a41837d65c9e55b2c99ed800b6f898f6e6289/iambic/plugins/v0_1_0/aws/models.py#LL51C1-L51C1

To Reproduce

  1. Create MyLeetSpokeRole across all accounts in AWS org.
  2. Change IAMbic config file to use MyLeetSpokeRole instead of IambicSpokeRole
  3. Run iambic setup
  4. The wizard will have problems creating the secret in the AWS setup

Expected behavior
If spoke_role_arn is available in the config, it seems reasonable that I can configure it.

Additional context
The config file I am customizing

template_type: NOQ::Core::Config
version: '1'
aws:
  accounts:
    - account_id: '192455039954'
      account_name: iambic_test_spoke_account_2
      iambic_managed: read_and_write
      org_id: o-8t0mt0ybdd
      spoke_role_arn: arn:aws:iam::192455039954:role/MyLeetSpokeRole
    - account_id: '333972133479'
      account_name: iambic_test_spoke_account_3
      iambic_managed: read_and_write
      org_id: o-8t0mt0ybdd
      spoke_role_arn: arn:aws:iam::333972133479:role/MyLeetSpokeRole
    - account_id: '442632209887'
      account_name: iambic_test_spoke_account_1
      iambic_managed: read_and_write
      org_id: o-8t0mt0ybdd
      spoke_role_arn: arn:aws:iam::442632209887:role/MyLeetSpokeRole
    - account_id: '580605962305'
      account_name: iambic_test_org_account
      iambic_managed: read_and_write
      org_id: o-8t0mt0ybdd
      spoke_role_arn: arn:aws:iam::580605962305:role/MyLeetSpokeRole
  organizations:
    - aws_profile: iambic_test_org_account/iambic_test_org_account_admin
      default_rule:
        iambic_managed: read_and_write
      hub_role_arn: arn:aws:iam::580605962305:role/MyLeetHubRole
      identity_center:
        region: us-east-1
      org_account_id: '580605962305'
      org_id: o-8t0mt0ybdd
extends:
  - assume_role_arn: arn:aws:iam::580605962305:role/MyLeetSpokeRole
    key: AWS_SECRETS_MANAGER
    value: arn:aws:secretsmanager:us-east-1:580605962305:secret:iambic-config-secrets-foo

Add help text to all commands

Add help text to all commands to make the purpose of the command clearer.

Additional improvements to be made as part of this issue:

  • In the wizard, remove the "Ensure you're using AWS Org..." prompt because it's redundant
  • Make it clearer that the template must be provided on plan and apply

**Nice to Have** IAMBIC Upgrade/Update and associated workflow endpoint for Lambda function apps.

Is your feature request related to a problem? Please describe.
Not related to a problem; however, with the frequency of the release schedule on IAMbic in its current format, having a built-in command would be helpful not only for local installs of iambic, but also to update the Lambda functions for the GitHub app.

Adding in a workflow response for upgrade would also allow users to schedule or adhoc update their lambda function with a simple github action.

Describe the solution you'd like
iambic update or upgrade would be an inline execution of pip install --upgrade iambic-core, promoting iambic core to the newest release. Potential for beta flags in the future once iambic gets to a stable model.

Describe alternatives you've considered
scheduled task running pip install --upgrade, but that is a per machine setting.

Community Engagement
Help us prioritize this request and express your support by adding a 👍 reaction to the original issue. This will assist both the community and the maintainers in addressing this request.

Side note
If the Lambda function does not currently auto-update, you will need to create specific documentation on how to update existing GitHub apps to the latest version of iambic-core so they get the newest features.

Provide a seamless Github App installation experience

Is your feature request related to a problem? Please describe.
IAMbic GitHub installation is pretty manual according to the docs. A GitHub App Manifest may be able to make the process much more seamless.

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Errors with AWS: extra fields not permitted (type=value_error.extra)

Describe the bug
Using iambic 0.9.1 I'm getting a couple of errors when importing my AWS Organisation with SSO, both during setup and also when running import.

During setup:

2023/06/15 16:40:35 [info     ] Failed to refresh AWS accounts
  error=ValidationError(model='RoleProperties', errors=[{'loc': ('InlinePolicies', 2, 'id'), 'msg': 'extra fields not permitted', 'type': 'value_error.extra'}])
? What would you like to configure in AWS? Go back

During import afterwards:

2023/06/15 16:45:22 [info     ] Finished templated user generation
Traceback (most recent call last):
  File "/Users/simon/.local/share/virtualenvs/iambic-templates-5HIzPko0/bin/iambic", line 8, in <module>
    sys.exit(cli())
             ^^^^^
  File "/Users/simon/.local/share/virtualenvs/iambic-templates-5HIzPko0/lib/python3.11/site-packages/click/core.py", line 1130, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/simon/.local/share/virtualenvs/iambic-templates-5HIzPko0/lib/python3.11/site-packages/click/core.py", line 1055, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/Users/simon/.local/share/virtualenvs/iambic-templates-5HIzPko0/lib/python3.11/site-packages/click/core.py", line 1657, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/simon/.local/share/virtualenvs/iambic-templates-5HIzPko0/lib/python3.11/site-packages/click/core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/simon/.local/share/virtualenvs/iambic-templates-5HIzPko0/lib/python3.11/site-packages/click/core.py", line 760, in invoke
    return __callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/simon/.local/share/virtualenvs/iambic-templates-5HIzPko0/lib/python3.11/site-packages/iambic/main.py", line 411, in import_
    asyncio.run(config.run_import(exe_message, repo_dir))
  File "/opt/homebrew/Cellar/[email protected]/3.11.4/Frameworks/Python.framework/Versions/3.11/lib/python3.11/asyncio/runners.py", line 190, in run
    return runner.run(main)
           ^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/[email protected]/3.11.4/Frameworks/Python.framework/Versions/3.11/lib/python3.11/asyncio/runners.py", line 118, in run
    return self._loop.run_until_complete(task)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/[email protected]/3.11.4/Frameworks/Python.framework/Versions/3.11/lib/python3.11/asyncio/base_events.py", line 653, in run_until_complete
    return future.result()
           ^^^^^^^^^^^^^^^
  File "/Users/simon/.local/share/virtualenvs/iambic-templates-5HIzPko0/lib/python3.11/site-packages/iambic/config/dynamic_config.py", line 245, in run_import
    await asyncio.gather(*tasks)
  File "/Users/simon/.local/share/virtualenvs/iambic-templates-5HIzPko0/lib/python3.11/site-packages/iambic/plugins/v0_1_0/aws/handlers.py", line 458, in import_aws_resources
    await asyncio.gather(*tasks)
  File "/Users/simon/.local/share/virtualenvs/iambic-templates-5HIzPko0/lib/python3.11/site-packages/iambic/plugins/v0_1_0/aws/handlers.py", line 335, in import_service_resources
    await asyncio.gather(
  File "/Users/simon/.local/share/virtualenvs/iambic-templates-5HIzPko0/lib/python3.11/site-packages/iambic/plugins/v0_1_0/aws/iam/role/template_generation.py", line 605, in generate_aws_role_templates
    resource_template = await create_templated_role(
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/simon/.local/share/virtualenvs/iambic-templates-5HIzPko0/lib/python3.11/site-packages/iambic/plugins/v0_1_0/aws/iam/role/template_generation.py", line 435, in create_templated_role
    RoleProperties(**role_template_properties),
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/simon/.local/share/virtualenvs/iambic-templates-5HIzPko0/lib/python3.11/site-packages/iambic/core/models.py", line 85, in __init__
    super().__init__(*args, **kwargs)
  File "pydantic/main.py", line 341, in pydantic.main.BaseModel.__init__
pydantic.error_wrappers.ValidationError: 1 validation error for RoleProperties
InlinePolicies -> 2 -> id
  extra fields not permitted (type=value_error.extra)

To Reproduce
Steps to reproduce the behavior:

Run iambic import

Expected behavior
A successful import

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
Add any other context about the problem here.

Community Engagement
Your vote counts! Please support this bug report by adding a 👍 reaction to the original issue, which will aid the community and maintainers in addressing this problem.

Please refrain from adding "+1" or "me too" comments, as these create unnecessary noise for issue followers and do not help in prioritizing the issue. If you wish to contribute to solving this issue or have submitted a pull request, please leave a comment.

Setting status to deprovisioned for an Okta user when using iambic_managed, does not work

Overview
When using an iambic user template for Okta as the source for the user, setting the status to "deprovisioned" does not change the user's status. Trying to set the status to "suspended" throws an error.

To Reproduce
Create a new user yaml file:

template_type: NOQ::Okta::User
iambic_managed: enforced
idp_name: development
properties:
  profile:
    email: [email protected]
    firstName: First
    lastName: Last
  login: [email protected]
  username: [email protected]

Then run iambic apply --enforced-only --force

Once the user is created, the user will be in "provisioned" state, i.e., Okta sent them the activation email.

At this point, try to set the status to "deprovisioned":

template_type: NOQ::Okta::User
iambic_managed: enforced
idp_name: development
properties:
  profile:
    email: [email protected]
    firstName: First
    lastName: Last
  status: deprovisioned
  login: [email protected]
  username: [email protected]

Run iambic apply --enforced-only --force, and iambic says nothing to apply.

Change the status to "suspended" and run the apply again, and iambic throws the following error:

Exception: Error updating user status. Invalid transition from provisioned to suspended

Some other observations:

  • When a user is deactivated, and there is no status in the yaml file, the user is reactivated
  • When a user is active and is set to suspended, it works as expected
  • When a user is suspended and is set to active, it works as expected
  • When a user is active and is set to deprovisioned, it does not work

Expected behavior
The status to change to be the same as the provided value in the yaml file.
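The status transitions described in the report above, as an added example that is not iambic's code: a small planner that maps a template's desired status onto Okta's lifecycle operations (activate, reactivate, suspend, unsuspend, deactivate) and refuses a transition Okta does not allow instead of silently applying nothing. The table of which source statuses each operation accepts is this example's assumption based on Okta's documented lifecycle endpoints; `plan_transition`, `reconcile_status` and the sample template are hypothetical names constructed here, and no Okta API is called.

```python
"""Plan the Okta lifecycle calls needed to move a user from its current
status to the status an iambic-style template asks for.

Added example for this page, not iambic's code. LIFECYCLE_OPS encodes
Okta's documented lifecycle operations; which statuses each accepts is an
assumption made here, and activating a user without a password is assumed
to land in PROVISIONED (activation email sent). No API is called."""
from collections import deque
from typing import Dict, List, Optional

# operation -> (statuses it may be called from, status it produces)
LIFECYCLE_OPS = {
    "activate":   ({"STAGED", "DEPROVISIONED"}, "PROVISIONED"),
    "reactivate": ({"PROVISIONED"}, "PROVISIONED"),  # only resends the activation email
    "suspend":    ({"ACTIVE"}, "SUSPENDED"),
    "unsuspend":  ({"SUSPENDED"}, "ACTIVE"),
    "deactivate": ({"STAGED", "PROVISIONED", "ACTIVE", "SUSPENDED",
                    "RECOVERY", "LOCKED_OUT", "PASSWORD_EXPIRED"}, "DEPROVISIONED"),
}

# Constructed template in the shape of the NOQ::Okta::User example above.
TEMPLATE_DEPROVISION = {
    "template_type": "NOQ::Okta::User",
    "iambic_managed": "enforced",
    "idp_name": "development",
    "properties": {
        "profile": {"email": "[email protected]", "firstName": "First", "lastName": "Last"},
        "status": "deprovisioned",
        "login": "[email protected]",
        "username": "[email protected]",
    },
}


class InvalidTransition(ValueError):
    pass


def plan_transition(current: str, desired: Optional[str]) -> List[str]:
    """Breadth-first search over LIFECYCLE_OPS for the shortest call sequence.
    PROVISIONED -> SUSPENDED has no path (suspend needs ACTIVE, which only the
    user reaches by setting a password), so it raises instead of guessing."""
    if desired is None or desired == current:
        return []
    queue = deque([(current, [])])
    seen = {current}
    while queue:
        status, path = queue.popleft()
        for op, (sources, result) in LIFECYCLE_OPS.items():
            if status in sources and result not in seen:
                if result == desired:
                    return path + [op]
                seen.add(result)
                queue.append((result, path + [op]))
    raise InvalidTransition(
        f"Error updating user status. Invalid transition from {current.lower()} to {desired.lower()}"
    )


def reconcile_status(template: Dict, current_status: str) -> List[str]:
    """Template statuses are lowercase; Okta reports them uppercase. A template
    with no status expresses no opinion and leaves a deactivated user alone,
    rather than reactivating it."""
    desired = template.get("properties", {}).get("status")
    return plan_transition(current_status.upper(), desired.upper() if desired else None)


if __name__ == "__main__":
    print(reconcile_status(TEMPLATE_DEPROVISION, "PROVISIONED"))
```

With the template above and a user Okta reports as PROVISIONED, the planner returns a single `deactivate` call; asking for `suspended` from the same state raises, which surfaces the impossible transition at plan time instead of leaving a silent "nothing to apply".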

iambic import errors with stack trace during org import when there is no permission sets in the org

Describe the bug
iambic import errors with stack trace during org import when there is no permission sets in the org

2023/06/13 15:26:07 [info     ] Beginning to retrieve AWS Identity Center Permission Sets.
  org_accounts=[
    "1234567890"
  ]
Traceback (most recent call last):
  File "/Users/simon/.local/share/virtualenvs/iambic-1jOSJHvi/bin/iambic", line 8, in <module>
    sys.exit(cli())
             ^^^^^
  File "/Users/simon/.local/share/virtualenvs/iambic-1jOSJHvi/lib/python3.11/site-packages/click/core.py", line 1130, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/simon/.local/share/virtualenvs/iambic-1jOSJHvi/lib/python3.11/site-packages/click/core.py", line 1055, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/Users/simon/.local/share/virtualenvs/iambic-1jOSJHvi/lib/python3.11/site-packages/click/core.py", line 1657, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/simon/.local/share/virtualenvs/iambic-1jOSJHvi/lib/python3.11/site-packages/click/core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/simon/.local/share/virtualenvs/iambic-1jOSJHvi/lib/python3.11/site-packages/click/core.py", line 760, in invoke
    return __callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/simon/.local/share/virtualenvs/iambic-1jOSJHvi/lib/python3.11/site-packages/iambic/main.py", line 411, in import_
    asyncio.run(config.run_import(exe_message, repo_dir))
  File "/opt/homebrew/Cellar/[email protected]/3.11.3/Frameworks/Python.framework/Versions/3.11/lib/python3.11/asyncio/runners.py", line 190, in run
    return runner.run(main)
           ^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/[email protected]/3.11.3/Frameworks/Python.framework/Versions/3.11/lib/python3.11/asyncio/runners.py", line 118, in run
    return self._loop.run_until_complete(task)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/[email protected]/3.11.3/Frameworks/Python.framework/Versions/3.11/lib/python3.11/asyncio/base_events.py", line 653, in run_until_complete
    return future.result()
           ^^^^^^^^^^^^^^^
  File "/Users/simon/.local/share/virtualenvs/iambic-1jOSJHvi/lib/python3.11/site-packages/iambic/config/dynamic_config.py", line 245, in run_import
    await asyncio.gather(*tasks)
  File "/Users/simon/.local/share/virtualenvs/iambic-1jOSJHvi/lib/python3.11/site-packages/iambic/plugins/v0_1_0/aws/handlers.py", line 458, in import_aws_resources
    await asyncio.gather(*tasks)
  File "/Users/simon/.local/share/virtualenvs/iambic-1jOSJHvi/lib/python3.11/site-packages/iambic/plugins/v0_1_0/aws/handlers.py", line 376, in import_identity_center_resources
    await import_service_resources(
  File "/Users/simon/.local/share/virtualenvs/iambic-1jOSJHvi/lib/python3.11/site-packages/iambic/plugins/v0_1_0/aws/handlers.py", line 332, in import_service_resources
    await asyncio.gather(*tasks)
  File "/Users/simon/.local/share/virtualenvs/iambic-1jOSJHvi/lib/python3.11/site-packages/iambic/plugins/v0_1_0/aws/identity_center/permission_set/template_generation.py", line 469, in collect_aws_permission_sets
    ) in aws_account.identity_center_details.permission_set_map.values():
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'NoneType' object has no attribute 'values'

To Reproduce
Steps to reproduce the behavior:

  1. Have an AWS Org with no permission set in mgmt account.
  2. Run iambic import
  3. See error

Expected behavior
Import should not fail when there is no permission set

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

  • OS: [e.g. iOS]
  • Browser [e.g. chrome, safari]
  • Version 0.8.1 and 0.9.1

Additional context
Add any other context about the problem here.

Community Engagement
Your vote counts! Please support this bug report by adding a 👍 reaction to the original issue, which will aid the community and maintainers in addressing this problem.

Please refrain from adding "+1" or "me too" comments, as these create unnecessary noise for issue followers and do not help in prioritizing the issue. If you wish to contribute to solving this issue or have submitted a pull request, please leave a comment.

nice-to-have util that goes from AWS IAM json policy document to iambic friendly fragment

Is your feature request related to a problem? Please describe.
AWS IAM docs typically present IAM policies in JSON format. Reference docs are in JSON. Since iambic documents are mostly YAML based, going back and forth has some friction. The ecosystem should make it easier to go back and forth.

Describe the solution you'd like
Proposal from Michael W.

iambic convert
that then has a small walk-through like setup:
What is the input format?
csv
json
xml
What is the export format?
yaml
json
What is the source file (full path)?
What is the export file name?
Completed. Here is where your converted file is located. Please check for consistency.

Describe alternatives you've considered
Existing JS-fiddle-like solutions such as https://www.json2yaml.com/ are mostly there. The user would like to know that no weird JS logging is intercepting the document on some random website. Preferably, one that honors privacy, because some existing JSON documents may expose too much specific knowledge about an org.

Additional context
N/A

The Wizard should not require AWS for setting up Google Workspace, Azure AD, or Okta

For secret-based providers, if no secrets already exist, the user should be prompted where they would like their secret stored. The options will expand based on which providers that can store secrets have already been set up, as well as the always supported "local_secrets.yaml".

Additional scope(?) of also allowing a user to migrate their secrets from local to a cloud provider.

Delete an AWS IAM user via IAMbic fails when user has access keys

Describe the bug
Deleting an AWS IAM user via IAMbic fails when the user has access keys.

To Reproduce
Steps to reproduce the behavior:

  1. Create an AWS IAM user with active access keys
  2. Change the IAM user template to deleted: true
  3. iambic apply
  4. See error

Expected behavior
The targeted IAM user should be deleted successfully.

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

  • OS: [e.g. iOS]
  • Browser [e.g. chrome, safari]
  • v 0.9.8

Additional context
The AWS IAM control plane refuses to delete an IAM user if it has access keys. So the delete action needs to be multi-part: first remove the access keys, then delete the user.

In addition, the IAMbic tool should surface this type of apply error. Currently, it's difficult to pinpoint it without a CloudTrail investigation.

Community Engagement
Your vote counts! Please support this bug report by adding a 👍 reaction to the original issue, which will aid the community and maintainers in addressing this problem.

Please refrain from adding "+1" or "me too" comments, as these create unnecessary noise for issue followers and do not help in prioritizing the issue. If you wish to contribute to solving this issue or have submitted a pull request, please leave a comment.
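
The ordered deletion the report asks for, as an added example that is not IAMbic project code. It uses the boto3 IAM client method names (list_access_keys, delete_access_key, delete_user) so a real client can be passed in; the FakeIAM class and ClientError stand-in are constructed here so the control-plane refusal can be reproduced offline.

```python
"""Delete an IAM user that still owns access keys, in the order IAM requires."""
from typing import Dict, List, Optional


class ClientError(Exception):
    """Constructed stand-in for botocore.exceptions.ClientError."""

    def __init__(self, code: str, message: str):
        super().__init__(f"{code}: {message}")
        self.response = {"Error": {"Code": code, "Message": message}}


class FakeIAM:
    """Constructed fake of the IAM control plane. Like the real service it
    refuses to delete a user while any access key still exists (real IAM also
    rejects deletion while a login profile, MFA device or policy remains)."""

    def __init__(self, users: Dict[str, List[str]]):
        self.users = {u: list(keys) for u, keys in users.items()}

    def list_access_keys(self, UserName: str) -> dict:
        return {"AccessKeyMetadata": [
            {"UserName": UserName, "AccessKeyId": k, "Status": "Active"}
            for k in self.users[UserName]]}

    def delete_access_key(self, UserName: str, AccessKeyId: str) -> None:
        self.users[UserName].remove(AccessKeyId)

    def delete_user(self, UserName: str) -> None:
        if self.users[UserName]:
            raise ClientError("DeleteConflict",
                              "Cannot delete entity, must delete access keys first.")
        del self.users[UserName]


def naive_delete(iam, user_name: str) -> Optional[str]:
    """The single-step delete the bug describes. Returns the error code the
    control plane surfaced, or None when the delete went through."""
    try:
        iam.delete_user(UserName=user_name)
    except ClientError as exc:
        return exc.response["Error"]["Code"]
    return None


def delete_user_with_keys(iam, user_name: str) -> List[str]:
    """Multi-part delete: remove every access key, then the user.
    Returns the key ids that were removed so the caller can log them."""
    removed = []
    for meta in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        iam.delete_access_key(UserName=user_name, AccessKeyId=meta["AccessKeyId"])
        removed.append(meta["AccessKeyId"])
    iam.delete_user(UserName=user_name)
    return removed
```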

Support --version flag for iambic CLI.

Is your feature request related to a problem? Please describe.
If I'm working with the CLI locally, I should know which version of the tool I'm using.

Describe the solution you'd like
iambic --version

iambic version 0.5.2

Describe alternatives you've considered
pip list | grep iambic

Refactor - IAMbic should respect resource limit

Is your feature request related to a problem? Please describe.
The current IAMbic AWS plugin implementation scales by the number of AWS accounts. If there are N accounts, the parent process will attempt to use (N + 1) * 50 TCP connections due to how it's using boto3 clients. If an administrator needs to put a bound on how many resources are used (let's say a ulimit of 1024), then IAMbic will not gracefully work within the limit. Yes, a higher limit can make IAMbic work faster; a lower limit should not lead to a crash (related to #386). A lower limit should just mean it takes longer wall time to complete.

Describe the solution you'd like
Once IAMbic has consumed the allowed resources, it will queue pending work and consume the remaining work as resources are freed up by previous work.

Describe alternatives you've considered
Knob tuning. One can just pre-tune all the parallelization parameters; however, no one likes knob tuning. A typical work queue with producers and consumers is preferred.

Additional context
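
The producer/consumer queue proposed above, as an added example that is not IAMbic code. N accounts are enqueued, but only `max_workers` are in flight at once, so the number of simultaneously open per-account clients is bounded regardless of N; the account list and the simulated per-account call are constructed here.

```python
"""Bounded work queue: many accounts, a fixed number of concurrent workers."""
import asyncio
from dataclasses import dataclass, field
from typing import List


@dataclass
class Stats:
    in_flight: int = 0              # accounts currently being processed
    peak: int = 0                   # highest in_flight seen; must stay <= max_workers
    done: List[str] = field(default_factory=list)


async def import_account(account_id: str, stats: Stats) -> None:
    """Stand-in for the per-account boto3 work; the sleep simulates latency
    and is where a real client would hold its TCP connections open."""
    stats.in_flight += 1
    stats.peak = max(stats.peak, stats.in_flight)
    await asyncio.sleep(0.001)
    stats.in_flight -= 1
    stats.done.append(account_id)


async def worker(queue: "asyncio.Queue[str]", stats: Stats) -> None:
    """Consumer: take one account at a time until cancelled."""
    while True:
        account_id = await queue.get()
        try:
            await import_account(account_id, stats)
        finally:
            queue.task_done()


async def run_bounded(accounts: List[str], max_workers: int) -> Stats:
    stats = Stats()
    queue: "asyncio.Queue[str]" = asyncio.Queue()
    for account_id in accounts:     # producer: pending work waits in the queue
        queue.put_nowait(account_id)
    workers = [asyncio.create_task(worker(queue, stats)) for _ in range(max_workers)]
    await queue.join()              # returns once every item has task_done()
    for w in workers:
        w.cancel()
    await asyncio.gather(*workers, return_exceptions=True)
    return stats


def import_all(accounts: List[str], max_workers: int) -> Stats:
    """Synchronous entry point; a lower max_workers only costs wall time."""
    return asyncio.run(run_bounded(accounts, max_workers))
```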

Don't include AWS managed resources by default

AWS managed resources should not be tracked in IAMbic by default. These are things like roles that are generated by IdentityCenter (SSO) or the AWSControlTowerAdminPolicy.

Describe the solution you'd like
Make it an attribute on the AWS config that can be enabled or disabled but is disabled by default. This update should not break existing installs. Options are to either preserve these resources on existing installs or perform a safe remove.

Add optional tag support to the CloudFormation templates

Many orgs have tagging requirements for their IAM roles. In the wizard, before actually creating the roles using CloudFormation, add an option to allow tags to be assigned to the resource. This will require changes to the HubRole and SpokeRole templates as well as the prompt(s) in the wizard.

Support ignoring resources by tag or name to prevent IAMbic from syncing these resources

Is your feature request related to a problem? Please describe.
Problem: I do not want IAMbic to sync AWS managed roles (Such as AWS SSO Roles), CDK/cloudformation managed resources, or other roles.

Describe the solution you'd like
I would like a configuration option that instructs IAMbic to ignore resources based on:

  • Resource Name
  • Resource Path (Such as an IAM Role path)
  • Existence of matching Resource Tag Key
  • Existence of matching Resource Tag Key/Value

Community Engagement
Help us prioritize this request and express your support by adding a 👍 reaction to the original issue. This will assist both the community and the maintainers in addressing this request.

Please avoid leaving "+1" or "me too" comments as they create extra noise for issue followers and do not assist in prioritizing the request. If you are considering working on this issue or have already submitted a pull request, kindly leave a comment.
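
An ignore filter covering the four criteria listed in the request, as an added example that is not IAMbic code. The rule-set keys (`names`, `paths`, `tag_keys`, `tags`) are an assumed configuration layout, name and path patterns use fnmatch wildcards, and the sample roles are constructed in the shape that IAM's describe_role returns.

```python
"""Skip resources that match an ignore rule so they are never synced."""
from fnmatch import fnmatchcase
from typing import Dict, List, Optional


def _tags_as_dict(tags: Optional[List[dict]]) -> Dict[str, str]:
    """Normalise IAM's [{'Key': k, 'Value': v}, ...] list into a dict."""
    return {t["Key"]: t["Value"] for t in tags or []}


def should_ignore(rule_set: dict, resource: dict) -> bool:
    """True if any rule matches. Rule categories absent from the set never match,
    so an empty rule set ignores nothing."""
    name = resource.get("RoleName") or resource.get("UserName", "")
    path = resource.get("Path", "/")
    tags = _tags_as_dict(resource.get("Tags"))

    if any(fnmatchcase(name, pat) for pat in rule_set.get("names", [])):
        return True
    if any(fnmatchcase(path, pat) for pat in rule_set.get("paths", [])):
        return True
    if any(key in tags for key in rule_set.get("tag_keys", [])):
        return True
    return any(tags.get(key) == value for key, value in rule_set.get("tags", {}).items())


def filter_resources(rule_set: dict, resources: List[dict]) -> List[dict]:
    """Return only the resources IAMbic would still sync."""
    return [r for r in resources if not should_ignore(rule_set, r)]


# Constructed sample rule set (assumed layout, not an IAMbic config schema).
IGNORE_RULES = {
    "names": ["AWSReservedSSO_*", "stacksets-exec-*"],
    "paths": ["/aws-reserved/*", "/service-role/"],
    "tag_keys": ["aws:cloudformation:stack-id"],
    "tags": {"managed-by": "cdk"},
}

# Constructed sample roles as describe_role would present them.
SAMPLE_ROLES = [
    {"RoleName": "AWSReservedSSO_AdminAccess_abc123",
     "Path": "/aws-reserved/sso.amazonaws.com/", "Tags": []},
    {"RoleName": "app-deployer", "Path": "/",
     "Tags": [{"Key": "managed-by", "Value": "cdk"}]},
    {"RoleName": "data-pipeline", "Path": "/",
     "Tags": [{"Key": "managed-by", "Value": "iambic"}]},
]
```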

iambic setup encounters pydantic.error_wrappers.ValidationError: 1 validation error for AWSOrganization

iambic version: 0.1.186

(env) smoy@smoy-mba noq-dev-iambic % pip freeze | grep iambic
iambic-core==0.1.186

I encounter the following exception during iambic setup when I use temporary credentials from AWS SSO.

Traceback (most recent call last):
  File "/Users/smoy/github/noq-dev-iambic/env/bin/iambic", line 8, in <module>
    sys.exit(cli())
  File "/Users/smoy/github/noq-dev-iambic/env/lib/python3.10/site-packages/click/core.py", line 1130, in __call__
    return self.main(*args, **kwargs)
  File "/Users/smoy/github/noq-dev-iambic/env/lib/python3.10/site-packages/click/core.py", line 1055, in main
    rv = self.invoke(ctx)
  File "/Users/smoy/github/noq-dev-iambic/env/lib/python3.10/site-packages/click/core.py", line 1657, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/Users/smoy/github/noq-dev-iambic/env/lib/python3.10/site-packages/click/core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/Users/smoy/github/noq-dev-iambic/env/lib/python3.10/site-packages/click/core.py", line 760, in invoke
    return __callback(*args, **kwargs)
  File "/Users/smoy/github/noq-dev-iambic/env/lib/python3.10/site-packages/iambic/main.py", line 458, in setup
    ConfigurationWizard(repo_dir).run()
  File "/Users/smoy/github/noq-dev-iambic/env/lib/python3.10/site-packages/iambic/config/wizard.py", line 1716, in run
    self.configuration_wizard_aws()
  File "/Users/smoy/github/noq-dev-iambic/env/lib/python3.10/site-packages/iambic/config/wizard.py", line 1101, in configuration_wizard_aws
    self.configuration_wizard_aws_organizations()
  File "/Users/smoy/github/noq-dev-iambic/env/lib/python3.10/site-packages/iambic/config/wizard.py", line 1088, in configuration_wizard_aws_organizations
    self.configuration_wizard_aws_organizations_add()
  File "/Users/smoy/github/noq-dev-iambic/env/lib/python3.10/site-packages/iambic/config/wizard.py", line 1029, in configuration_wizard_aws_organizations_add
    aws_org = AWSOrganization(
  File "pydantic/main.py", line 341, in pydantic.main.BaseModel.__init__
pydantic.error_wrappers.ValidationError: 1 validation error for AWSOrganization
region
  extra fields not permitted (type=value_error.extra)

Automatically Detect Management Account for AWS Organizations to confirm an existing prompt.

Is your feature request related to a problem? Please describe.
During the iambic setup process for AWS Organizations, the following prompt appears:

If you would like to use AWS Organizations, the IAMbic hub account you configured must be the same AWS account as your AWS Organization.
? Is this the case? (Y/n)

This happens after the current Account ID has already been entered, and AWS Organizations has been selected.

Describe the solution you'd like
This prompt could be skipped, since this information should already be available at this step of the wizard. Instead, the SDK could be used to detect it and issue a warning that, if the current account is not the same as the management account, the user needs to switch or provide alternate credentials.

aws organizations describe-organization returns the following kind of info that helps with this.

{
    "Organization": {
        "Id": "o-nnnnnnnnnn",
        "Arn": "arn:aws:organizations::000000000000:organization/o-nnnnnnnnnn",
        "FeatureSet": "ALL",
        "MasterAccountArn": "arn:aws:organizations::000000000000:account/o-nnnnnnnnnn/000000000000",
        "MasterAccountId": "000000000000",
        "MasterAccountEmail": "[email protected]",
        "AvailablePolicyTypes": [
            {
                "Type": "SERVICE_CONTROL_POLICY",
                "Status": "ENABLED"
            }
        ]
    }
}

Describe alternatives you've considered

  • One alternative would be to just answer the question again
  • Another alternative would be to make the message a bit more clear. Something like:
    You have previously selected AWS Organizations. Please make sure that the selected IAMbic hub account ID 000000000000 is also the AWS Organization's management account

Additional context

IAMbic wizard backups the config file prior to changes

Is your feature request related to a problem? Please describe.
When one is using iambic setup to configure various iambic options, I would like backup files to be created for the config, such that it's easy to see what changes are made by the wizard.

Describe the solution you'd like
If the existing iambic config is at ~/iambic-config.yaml, when the wizard needs to modify the config, it should first save a copy of the original config to ~/iambic-config.yaml.backup-{datetime}. It is easier for me as the user to diff the two files to see how the wizard is making changes to the configuration.

Describe alternatives you've considered
I need to create the git repository ahead of time to track committed vs uncommitted changes. However, if one makes multiple option changes in the wizard, I can only tell the aggregate changes. I'd like to see a backup file per change by the wizard.

Additional context
Add any other context or screenshots about the feature request here.

Community Engagement
Help us prioritize this request and express your support by adding a 👍 reaction to the original issue. This will assist both the community and the maintainers in addressing this request.

Please avoid leaving "+1" or "me too" comments as they create extra noise for issue followers and do not assist in prioritizing the request. If you are considering working on this issue or have already submitted a pull request, kindly leave a comment.

Support GCP

Hello team,

It would be very nice to get support for GCP, as I think managing IAM for GCP is a nightmare without a tool like iambic.

Is your feature request related to a problem? Please describe.
No.

Describe the solution you'd like
I want GCP IAM to be supported in iambic the same way AWS is.

Describe alternatives you've considered
Cannot find anything remotely related

AWS IdentityCenter Permission Boundary usage causes error

Describe the bug

A Parameter validation failed, "Unknown parameter in PermissionBoundary: \"PolicyArn\", must be one of CustomerManagedPolicyReference, ManagedPolicyArn"

To Reproduce
Steps to reproduce the behavior:

  1. Create a permission set template that assigns a policy_arn for PermissionBoundary.
  2. Run iambic apply against the newly created template

Expected behavior
The permission boundary should be attached correctly.

Screenshots

Additional context
This is the documentation that claims to use policy_arn: https://docs.iambic.org/getting_started/aws#4-aws-identity-center-permission-sets
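
A converter from the template's policy_arn to the shape the error message asks for, as an added example that is not IAMbic code. It relies on two facts about IAM ARNs: an account field of "aws" marks an AWS managed policy (referenced by ARN), while a customer managed policy is referenced by Name and Path because it must exist separately in every target account; the sample ARNs below are constructed.

```python
"""Map a policy ARN to the PermissionsBoundary argument of the SSO Admin API."""
import re

# IAM policy ARN: arn:<partition>:iam::<aws|account-id>:policy<path><name>
POLICY_ARN = re.compile(
    r"^arn:(?P<partition>aws[\w-]*):iam::(?P<account>aws|\d{12})"
    r":policy(?P<path>/(?:[^/]+/)*)(?P<name>[^/]+)$"
)


def permissions_boundary_from_arn(policy_arn: str) -> dict:
    """Return {"ManagedPolicyArn": ...} for an AWS managed policy, otherwise
    {"CustomerManagedPolicyReference": {"Name": ..., "Path": ...}}.
    The key "PolicyArn" that triggered the reported error is never emitted."""
    match = POLICY_ARN.match(policy_arn)
    if not match:
        raise ValueError(f"not an IAM policy ARN: {policy_arn}")
    if match["account"] == "aws":
        return {"ManagedPolicyArn": policy_arn}
    return {"CustomerManagedPolicyReference": {"Name": match["name"], "Path": match["path"]}}


def put_boundary_kwargs(instance_arn: str, permission_set_arn: str, policy_arn: str) -> dict:
    """Keyword arguments for sso-admin put_permissions_boundary_to_permission_set."""
    return {
        "InstanceArn": instance_arn,
        "PermissionSetArn": permission_set_arn,
        "PermissionsBoundary": permissions_boundary_from_arn(policy_arn),
    }
```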

More detailed provider level example documentation

Is your feature request related to a problem? Please describe.
In a way, yes. Could you provide detailed "Templates", or a singular template for each provider, that match the schema pages?

Describe the solution you'd like
I would like to see a schema example page for each provider such as AWS, where you have all the options in the correct format such as conditions, tags, etc.

inline_policies:
  - policy_name: {NAME}
    statement:
      - action:
          - {AWS:RESOURCE JSON STYLE}
        effect: Deny
        resource: "*" OR ARN with wildcard
      - condition:
          - IAM:ResourceTag/{Key}: {VALUE}

Describe alternatives you've considered
template builder or wizard

Document the process of removing IAMbic from your AWS account/Org

This includes:

  • Removing the CloudFormation stacks
  • Removing the CloudFormation stacksets
  • Removing the resources created by the CloudFormation stacks and stacksets

This can be particularly useful if just testing out IAMbic or moving from a read-only configuration to a read/write configuration.

Community Engagement
Help us prioritize this request and express your support by adding a 👍 reaction to the original issue. This will assist both the community and the maintainers in addressing this request.

Please avoid leaving "+1" or "me too" comments as they create extra noise for issue followers and do not assist in prioritizing the request. If you are considering working on this issue or have already submitted a pull request, kindly leave a comment.

A way to update CloudFormation StackSets created by iambic during version upgrades

Is your feature request related to a problem? Please describe.
An easy way to update the stacks and stacksets rather than having to remove them and recreate them.

Describe the solution you'd like
iambic upgrade-cloudformation-stacksets

optionally

iambic upgrade-cloudformation-stacksets --to-read-write

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Another suggestion would be to have an easy way to update the stacks and stacksets rather than having to remove and recreate them. Originally because I went from read only to read/write, but it would also be valid if/when the policies used by it change.

https://noqcommunity.slack.com/archives/C052R22L3C6/p1686923423692889

suggestion by Simon Dick

Community Engagement
Help us prioritize this request and express your support by adding a 👍 reaction to the original issue. This will assist both the community and the maintainers in addressing this request.

Please avoid leaving "+1" or "me too" comments as they create extra noise for issue followers and do not assist in prioritizing the request. If you are considering working on this issue or have already submitted a pull request, kindly leave a comment.

AWS IAM Delete File issue Github APP

Describe the bug
Deleted an AWS IAM role

To Reproduce
Steps to reproduce the behavior:

  1. Import AWS IAM roles using iambic import
  2. Create some new files, but also delete a file
  3. Create a pull request in GitHub, then run iambic apply
  4. Then FAIL

Expected behavior
Create the other accounts, "un-manage" the old account.

 File "/app/iambic/core/models.py", line 553, in delete
   repo = Repo(self.file_path, search_parent_directories=True)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 File "/usr/local/lib/python3.11/site-packages/git/repo/base.py", line 213, in __init__
   raise NoSuchPathError(epath)
git.exc.NoSuchPathError: /tmp/lambdaws6b38a5/.iambic/repos/resources/aws/iam/role/xxx-xxxx/assume-ecs-roles2.yaml

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
 File "/app/iambic/plugins/v0_1_0/github/github.py", line 370, in handle_iambic_git_apply
   template_changes = run_git_apply(
                      ^^^^^^^^^^^^^^
 File "/app/iambic/main.py", line 283, in run_git_apply
   template_changes = asyncio.run(
                      ^^^^^^^^^^^^
 File "/Python-3.11.1/Lib/asyncio/runners.py", line 190, in run
   return runner.run(main)
          ^^^^^^^^^^^^^^^^
 File "/Python-3.11.1/Lib/asyncio/runners.py", line 118, in run
   return self._loop.run_until_complete(task)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 File "/Python-3.11.1/Lib/asyncio/base_events.py", line 653, in run_until_complete
   return future.result()
          ^^^^^^^^^^^^^^^
 File "/app/iambic/request_handler/git_apply.py", line 82, in apply_git_changes
   template_changes = await config.run_apply(
                      ^^^^^^^^^^^^^^^^^^^^^^^
 File "/app/iambic/config/dynamic_config.py", line 277, in run_apply
   template_changes = await asyncio.gather(*tasks)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 File "/app/iambic/plugins/v0_1_0/aws/handlers.py", line 256, in apply
   template_changes = list(chain.from_iterable(await asyncio.gather(*tasks)))
                                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 File "/app/iambic/plugins/v0_1_0/aws/handlers.py", line 205, in apply_iam_templates
   await async_batch_processor(
 File "/app/iambic/core/utils.py", line 229, in async_batch_processor
   return await asyncio.gather(*tasks, return_exceptions=return_exceptions)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 File "/app/iambic/plugins/v0_1_0/aws/models.py", line 809, in apply
   self.delete()
 File "/app/iambic/core/models.py", line 569, in delete
   os.remove(self.file_path)
FileNotFoundError: [Errno 2] No such file or directory: '/tmp/lambdaws6b38a5/.iambic/repos/resources/aws/iam/role/xxx-xxxx/assume-ecs-roles2.yaml'

  • AWS Lambda function integrated with GitHub

Community Engagement
Your vote counts! Please support this bug report by adding a 👍 reaction to the original issue, which will aid the community and maintainers in addressing this problem.

Please refrain from adding "+1" or "me too" comments, as these create unnecessary noise for issue followers and do not help in prioritizing the issue. If you wish to contribute to solving this issue or have submitted a pull request, please leave a comment.
