private createBoundaryRemediationAutomationDoc()

in lib/aws-region-restriction.ts [119:194]


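    /**
     * Creates the SSM Automation document that AWS Config runs to attach a
     * permissions boundary to a non-compliant IAM user or role.
     *
     * The document assumes `enforceBoundaryAutomationRole`, which is granted
     * `iam:PutRolePermissionsBoundary`, `iam:PutUserPermissionsBoundary` and
     * `config:GetResourceConfigHistory` on `*`. That resource scope is broad:
     * the role may attach any boundary policy to any principal in the account.
     * If the boundary ARN is fixed for this stack, a `Condition` on the
     * `iam:PermissionsBoundary` key would restrict the role to that one policy.
     *
     * The embedded `aws:executeScript` step takes the Config resource id of the
     * offending principal, resolves it to a resource name by querying Config as
     * an `AWS::IAM::User` and falling back to `AWS::IAM::Role`, then calls the
     * matching `Put*PermissionsBoundary` API.
     *
     * @returns the `AWS::SSM::Document` resource (documentType `Automation`).
     */
    private createBoundaryRemediationAutomationDoc() {
        // Role assumed by SSM Automation while the document executes.
        const enforceBoundaryAutomationRole = new iam.Role(this, "enforceBoundaryAutomationRole", {
            assumedBy: new iam.ServicePrincipal('ssm.amazonaws.com'),
        });

        // `resources: ['*']` lets the automation set any boundary on any
        // user/role; see the method doc for how to narrow it when the boundary
        // ARN is known at deploy time.
        enforceBoundaryAutomationRole.addToPolicy(
            new iam.PolicyStatement({
                resources: ['*'],
                actions: ["iam:PutRolePermissionsBoundary", "iam:PutUserPermissionsBoundary", "config:GetResourceConfigHistory"],
                effect: iam.Effect.ALLOW,
            })
        );

        // The document body is authored as YAML and parsed into an object for
        // CfnDocument.content. Lines inside the template literal are kept at
        // column 0 because YAML indentation is significant.
        return new ssm.CfnDocument(this, 'remediateBoundaryDoc', {
            content: YAML.parse(`description: Used by AWS config to remediate roles and users which dont have a permission boundary.
schemaVersion: '0.3'
assumeRole: '${enforceBoundaryAutomationRole.roleArn}'
parameters:
  permissionBoundaryPolicyArn:
    type: String
  offendingIamPrincipal:
    type: String
mainSteps:
  - name: Apply_permission_boundary
    action: 'aws:executeScript'
    inputs:
      InputPayload:
        permissionBoundaryPolicyArn: '{{ permissionBoundaryPolicyArn }}'
        offendingIamPrincipal: '{{ offendingIamPrincipal }}'
      # python3.6 is past Python's end-of-life; confirm it is still among the
      # runtimes aws:executeScript accepts before relying on it.
      Runtime: python3.6
      Handler: script_handler
      Script: |-
        import boto3

        def script_handler(events, context):
            # events carries the InputPayload above: the boundary policy ARN and
            # the Config resource id of the non-compliant principal.
            print(events)
            print(context)

            iam = boto3.client('iam')
            config = boto3.client('config')

            # Config gives us only a resource id. Look the principal up as a user
            # first and fall back to a role. Any Config error other than
            # ResourceNotDiscoveredException propagates and fails the step.
            try:
                principalHistory = config.get_resource_config_history(resourceType='AWS::IAM::User', resourceId=events['offendingIamPrincipal'])
                principalType = 'AWS::IAM::User'
            except config.exceptions.ResourceNotDiscoveredException:
                principalHistory = config.get_resource_config_history(resourceType='AWS::IAM::Role', resourceId=events['offendingIamPrincipal'])
                principalType = 'AWS::IAM::Role'

            # Fail with a clear message instead of an IndexError when Config
            # returns no configuration items for the principal.
            items = principalHistory.get('configurationItems', [])
            if not items:
                raise Exception("No configuration history found for principal " + events['offendingIamPrincipal'])
            resourceName = items[0]['resourceName']

            if principalType == 'AWS::IAM::User':
                return iam.put_user_permissions_boundary(
                    UserName=resourceName,
                    PermissionsBoundary=events['permissionBoundaryPolicyArn']
                )

            if principalType == 'AWS::IAM::Role':
                return iam.put_role_permissions_boundary(
                    RoleName=resourceName,
                    PermissionsBoundary=events['permissionBoundaryPolicyArn']
                )

            raise Exception("Unknown principal type.")
`),
            documentType: "Automation",
        });
    }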