Add a cross account role to fetch S3 uploads (#1319)

* feat(cross-acct service):  Create a cross acct role for uploads

* correct names

* deps

* Add getobjecttagging perms so we can honor the clean tags

deploy.sh

@@ -36,12 +36,12 @@ services=(
   'admin'
 )
 
-# Only deploy source service for higher envs
+# Only deploy for higher envs
 if [[ "$stage" == "develop" || "$stage" == "master" || "$stage" == "production" ]]; then
   services+=('source')
+  services+=('cross-acct')
 fi
 
-
 set -e
 for i in "${services[@]}"; do
     deploy $i

services/cross-acct/.gitignore

@@ -0,0 +1,57 @@
+# Logs
+logs
+*.log
+npm-debug.log*
+
+# Runtime data
+pids
+*.pid
+*.seed
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+lib-cov
+
+# Coverage directory used by tools like istanbul
+coverage
+
+# nyc test coverage
+.nyc_output
+
+# Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files)
+.grunt
+
+# node-waf configuration
+.lock-wscript
+
+# Compiled binary addons (http://nodejs.org/api/addons.html)
+build/Release
+
+# Dependency directories
+node_modules
+jspm_packages
+
+# Optional npm cache directory
+.npm
+
+# Optional REPL history
+.node_repl_history
+
+# vim
+.*.sw*
+Session.vim
+
+# Serverless
+.webpack
+.serverless
+
+# env
+env.yml
+.env
+
+# Jetbrains IDEs
+.idea
+
+# Serverless warmup plugin temp dir
+_warmup
+
+.dynamodb

services/cross-acct/README.md

@@ -0,0 +1,5 @@
+# Cross Account
+
+### Purpose
+
+This service exists to create a single IAM role. This role trusts certain IAM entities in MACPro platform account to assume it. The ultimate purpose is to allow a lambda function in MACPro micro to be able to create short lived presigned S3 urls to the uploads bucket in Onemac; in lieu of migrating the S3 data to platform account, we will simply reach back to the original bucket using this cross account role.

services/cross-acct/package.json

@@ -0,0 +1,12 @@
+{
+  "name": "cross-acct",
+  "description": "",
+  "version": "1.0.0",
+  "author": "",
+  "license": "CC0-1.0",
+  "devDependencies": {
+    "serverless-iam-helper": "file:../../plugins/serverless-iam-helper",
+    "lodash": "^4.17.20"
+  },
+  "dependencies": {}
+}

services/cross-acct/serverless.yml

@@ -0,0 +1,58 @@
+service: cross-acct
+
+frameworkVersion: "3"
+
+plugins:
+  - serverless-iam-helper
+  - serverless-s3-bucket-helper
+
+custom:
+  stage: ${opt:stage, self:provider.stage}
+  iamPath: ${ssm:/configuration/${self:custom.stage}/iam/path, ssm:/configuration/default/iam/path, "/"}
+  iamPermissionsBoundaryPolicy: ${ssm:/configuration/${self:custom.stage}/iam/permissionsBoundaryPolicy, ssm:/configuration/default/iam/permissionsBoundaryPolicy, ""}
+  attachmentsBucketArn: ${cf:uploads-${self:custom.stage}.AttachmentsBucketArn}
+  destinationAcct: ${ssm:/configuration/${self:custom.stage}/cross-acct/destinationAcct, ssm:/configuration/default/cross-acct/destinationAcct}
+
+provider:
+  name: aws
+  runtime: nodejs14.x
+  region: us-east-1
+  stage: dev
+  iam:
+    role:
+      path: ${self:custom.iamPath}
+      permissionsBoundary: !Sub 'arn:aws:iam::${AWS::AccountId}:policy${self:custom.iamPermissionsBoundaryPolicy, ""}'
+
+resources:
+  Resources:
+    CrossAccountS3:
+      Type: "AWS::IAM::Role"
+      Properties:
+        AssumeRolePolicyDocument:
+          Version: "2012-10-17"
+          Statement:
+            - Effect: "Allow"
+              Principal:
+                AWS: ${self:custom.destinationAcct}
+              Action: "sts:AssumeRole"
+        Path: ${self:custom.iamPath}
+        PermissionsBoundary:
+          Fn::If:
+            - CreatePermissionsBoundary
+            - Fn::Join:
+                - ""
+                - - "arn:aws:iam::"
+                  - Ref: AWS::AccountId
+                  - ":policy"
+                  - '${self:custom.iamPermissionsBoundaryPolicy, ""}'
+            - Ref: AWS::NoValue
+        Policies:
+          - PolicyName: "S3GetObjectPolicy"
+            PolicyDocument:
+              Version: "2012-10-17"
+              Statement:
+                - Effect: "Allow"
+                  Action:
+                    - s3:GetObject
+                    - s3:GetObjectTagging
+                  Resource: !Sub ${self:custom.attachmentsBucketArn}/*