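apiVersion: v1
summary: Restrict public S3 buckets with READ permissions
description: This workflow looks at all of the public S3 buckets in a given account and restricts those that provide 'READ' access. Requires an AWS account with permissions to modify S3 buckets.
homepage: https://github.com/puppetlabs/relay-workflows/tree/master/s3-restrict-public-read-buckets
tags:
  - compliance

# Uncomment this trigger to run this workflow hourly.
# dryRun is bound as the string 'true' so that it matches the parameter's
# declared default and the string comparison in the `when` conditions below
# (a boolean here would not compare equal to the string 'false').
# triggers:
#   - name: schedule
#     source:
#       type: schedule
#       schedule: '0 * * * *'
#     binding:
#       parameters:
#         dryRun: 'true'

parameters:
  dryRun:
    description: True if this workflow should not actually modify buckets
    # Kept as a string, not a boolean: the `when` conditions below compare
    # the parameter against the string 'false'.
    default: 'true'

steps:
  # Lists the buckets in the connected AWS account (per the step image name).
  - name: list-buckets
    image: relaysh/aws-s3-step-bucket-list
    spec:
      # Anchored so the later steps reuse the same connection reference.
      aws: &aws
        connection: !Connection { type: aws, name: my-aws-account }

  # Reads the ACL of every bucket returned by list-buckets.
  - name: get-bucket-acls
    image: relaysh/aws-s3-step-bucket-get-acls
    spec:
      aws: *aws
      buckets: !Output {from: list-buckets, name: buckets}

  # Narrows the list to buckets whose ACL grants public READ (per the workflow
  # description); the selection logic lives in filter-buckets.py, not here.
  - name: filter-buckets
    # `latest-python` is a mutable tag; pin a specific tag or digest so the
    # interpreter that runs the script below does not change between runs.
    image: relaysh/core:latest-python
    spec:
      bucketACLs: !Output {from: get-bucket-acls, name: bucketACLs}
      # Fetched over HTTPS at run time from the `master` branch, so the code
      # executed by this step can change without any change to this workflow.
      # Pin it by replacing `master` with a commit SHA (<COMMIT_SHA>) before
      # relying on this workflow for compliance.
      inputFile: https://raw.githubusercontent.com/puppetlabs/relay-workflows/master/s3-restrict-public-read-buckets/filter-buckets.py

  # Manual gate before any bucket is modified; only evaluated when dryRun is
  # the string 'false'.
  - name: approval
    description: Wait for approval to modify S3 buckets
    type: approval
    dependsOn: filter-buckets
    when:
      - !Fn.equals [!Parameter dryRun, 'false']

  # Sets the ACL of each filtered bucket to private. Runs only after the
  # approval step and only when dryRun is the string 'false'.
  - name: modify-acls
    image: relaysh/aws-s3-step-bucket-put-acls
    dependsOn: approval
    when:
      - !Fn.equals [!Parameter dryRun, 'false']
    spec:
      aws: *aws
      buckets: !Output {from: filter-buckets, name: buckets}
      acl: private
      confetti: true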