UKHomeOffice
diff --git a/‎.drone.yml
+33 b/‎.drone.yml
+33
diff --git a/‎.gitignore
+6 b/‎.gitignore
+6
diff --git a/‎README.md
+46 b/‎README.md
+46
diff --git a/‎generate_cf_template.py
+231 b/‎generate_cf_template.py
+231
diff --git a/‎perf-test-inspec/README.md
+4 b/‎perf-test-inspec/README.md
+4
diff --git a/‎perf-test-inspec/controls/bucket_access_spec.rb
+28 b/‎perf-test-inspec/controls/bucket_access_spec.rb
+28
@@ -0,0 +1,33 @@
+pipeline:
+  lint:
+    image: python:3.7-alpine
+    commands:
+      - apk add --no-cache gcc musl-dev make
+      - python3 -m venv venv
+      - source venv/bin/activate
+      - pip install -r requirements.txt
+      - pip install -r requirements-dev.txt
+      - pylint *.py tests/*.py
+      - deactivate
+    when:
+      event:
+        - push
+
+  unit_test:
+    image: python:3.7-alpine
+    commands:
+      - apk add --no-cache make
+      - source venv/bin/activate
+      - python -m pytest --rootdir=tests
+      - deactivate
+    when:
+      event:
+        - push
+
+  inspec_check:
+    image: chef/inspec
+    commands:
+      - inspec check perf-test-inspec
+    when:
+      event:
+        - push
@@ -0,0 +1,6 @@
+venv/
+.DS_Store
+.idea/
+.vscode/
+attributes.yml
+__pycache__/
@@ -1,2 +1,48 @@
 # perf-testing-aws-resources
+
 CloudFormation template to create an S3 bucket for storing performance reports
+
+This repo contains a python script generating a CloudFormation template that can be used to create
+an S3 bucket for storing performance reports.
+
+An optional `PREFIX` environment variable can defined (if defined, it should end with `'-'` for naming consistency).
+An environment variable called `ENVIRONMENT` should also be defined. It represents the environment for which 
+the performance testing resources are created. For example, it could be the name of a Kubernetes namespace.
+
+The bucket created will be called:
+`${PREFIX}${ENVIRONMENT}-performance-tests`
+
+Managed policies are also created:
+
+* `${PREFIX}${ENVIRONMENT}-performance-test-bucket-writeonly` allowing to write to the S3 bucket and intended to be used by the
+performance tool
+* `${PREFIX}${ENVIRONMENT}-performance-tests-bucket-readonly` allowing a user to read the reports
+* `${PREFIX}${ENVIRONMENT}-performance-tests-bucket-admin` allowing an admin to read and delete S3 objets (but not write)
+
+## Creating the resources
+
+```bash
+# define PREFIX and ENVIRONMENT variables
+# PREFIX can be empty but ENVIRONMENT should not
+aws cloudformation create-change-set --stack-name "${PREFIX}${ENVIRONMENT}-perf-testing" \
+  --change-set-name=perf-testing-$RANDOM \
+  --change-set-type=CREATE \
+  --capabilities CAPABILITY_NAMED_IAM \
+  --template-body "$(python generate_cf_template.py)" \
+  --parameters ParameterKey=Prefix,ParameterValue=${PREFIX} \
+  ParameterKey=Environment,ParameterValue=${ENVIRONMENT}
+```
+
+## Testing
+
+Chef Inspec is used to test the resources.
+
+Assuming credentials are available as `AWS_*` environment variables, the following will test the AWS resources:
+
+```bash
+cat <<EOF > attributes.yml
+prefix: "${PREFIX}"
+environment: "${ENVIRONMENT}"
+EOF
+inspec exec perf-test-inspec --input-file=attributes.yml --target aws://
+```
@@ -0,0 +1,231 @@
+"""Script generating a CloudFormation template to create an S3 bucket destined to hold
+performance test reports.
+
+The template also contains IAM resources to control access to the bucket.
+"""
+
+from troposphere import Template, Parameter, Ref, Join
+from troposphere import iam
+from troposphere import s3
+
+
+class InvalidResourceName(Exception):
+    """Exception indicating that a resource name is invalid
+    """
+
+
+class PerfTestingTemplate(Template):
+    """Template class generating a CloudFormation template to create an S3 bucket destined to hold
+    performance test reports.
+    """
+
+    BUCKET_SHORT_NAME = 'performance-tests'
+
+    def __init__(self):
+        """Constructor building up the CloudFormation template
+        """
+        Template.__init__(self)
+        self.set_description('Template creating an S3 bucket destined to hold performance test '
+                             'reports. The template also contains IAM resources to control access '
+                             'to the bucket.')
+
+        self.environmnent_param = self.add_parameter(Parameter(
+            'Environment',
+            Description='Name of the environment the bucket is for (e.g. a k8s namespace)',
+            Type='String',
+        ))
+
+        self.prefix_param = self.add_parameter(Parameter(
+            'Prefix',
+            Description='A prefix to prepend all resource names with',
+            Type='String',
+            Default='',
+        ))
+
+        self.bucket = self.add_s3_bucket()
+        self.add_iam_resources()
+
+    def resource_name(self, *names):
+        """Gets the fully qualified resource name taking into account the Prefix and Environment
+        parameters.
+
+        :param names: a variadic argument (str...) specifying the suffixes to use to describe the
+        resource
+        :return: the fully qualified name of the resource, prepended with the prefix and environment
+        name
+        """
+        if not names:
+            raise InvalidResourceName('Provide at least one name parameter')
+        if len(names) == 1:
+            name = names[0]
+        else:
+            name = Join('-', names)
+        return Join('', [Ref(self.prefix_param), Ref(self.environmnent_param), '-', name])
+
+    def add_s3_bucket(self):
+        """Adds an S3 bucket to the template
+
+        :return: the (s3.Bucket) object that has been added
+        """
+        bucket = s3.Bucket(
+            'Bucket',
+            BucketName=self.resource_name(PerfTestingTemplate.BUCKET_SHORT_NAME),
+            BucketEncryption=s3.BucketEncryption(
+                ServerSideEncryptionConfiguration=[
+                    s3.ServerSideEncryptionRule(
+                        ServerSideEncryptionByDefault=s3.ServerSideEncryptionByDefault(
+                            SSEAlgorithm='AES256',  # alternative is 'aws:kms'
+                        )
+                    )
+                ]
+            ),
+            VersioningConfiguration=s3.VersioningConfiguration(
+                Status='Enabled',
+            )
+        )
+        self.add_resource(bucket)
+        return bucket
+
+    def add_iam_resources(self):
+        """Adds IAM resources to the template: roles and managed policies for read-only, write-only
+        and delete roles
+
+        :return: None
+        """
+        readonly_policy = self.add_managed_policy(
+            title='ReadOnlyPolicy',
+            description_verb='reading',
+            policy_name_suffix='readonly',
+            allowed_actions=[
+                "s3:Get*",
+                "s3:List*",
+            ],
+        )
+        self.add_role(
+            title='ReadOnlyRole',
+            role_name_suffix='readonly',
+            managed_policy=readonly_policy,
+        )
+
+        writeonly_policy = self.add_managed_policy(
+            title='WriteOnlyPolicy',
+            description_verb='writing',
+            policy_name_suffix='writeonly',
+            allowed_actions=[
+                "s3:PutObject",
+                "s3:AbortMultipartUpload",
+                "s3:ListMultipartUploadParts",
+            ],
+        )
+        self.add_role(
+            title='WriteOnlyRole',
+            role_name_suffix='writeonly',
+            managed_policy=writeonly_policy,
+        )
+
+        delete_policy = self.add_managed_policy(
+            title='DeletePolicy',
+            description_verb='deleting',
+            policy_name_suffix='delete',
+            allowed_actions=[
+                "s3:Get*",
+                "s3:List*",
+                "s3:DeleteObject*",
+            ],
+        )
+        self.add_role(
+            title='DeleteRole',
+            role_name_suffix='delete',
+            managed_policy=delete_policy,
+        )
+
+    def add_managed_policy(self, title, description_verb, policy_name_suffix, allowed_actions):
+        """
+        Creates a managed policy (iam.Policy) with the permissions required to interact with the S3
+        bucket used for performance testing data.
+
+        :param title: (str) the title of the resource
+        :param description_verb: (str) the verb to use in the description, e.g. 'reading'
+        :param policy_name_suffix: (str) the suffix to append to the policy name, e.g. 'readonly'
+        :param allowed_actions: (str[]) the IAM actions that should be allowed on the bucket or
+        its objects
+        :return: an iam.ManagedPolicy object
+        """
+        return self.add_resource(iam.ManagedPolicy(
+            title,
+            Description=Join(
+                ' ',
+                [
+                    f"Policy allowing {description_verb} objects from the S3 bucket containing "
+                    f"performance test data for",
+                    Ref(self.prefix_param),
+                    Ref(self.environmnent_param),
+                ]
+            ),
+            ManagedPolicyName=self.resource_name(
+                f"{PerfTestingTemplate.BUCKET_SHORT_NAME}-bucket-{policy_name_suffix}",
+            ),
+            PolicyDocument={
+                "Version": "2012-10-17",
+                "Statement": [
+                    {
+                        "Action": allowed_actions,
+                        "Effect": "Allow",
+                        "Resource": [
+                            Join('', [
+                                'arn:aws:s3:::',
+                                Ref(self.bucket),
+                            ]),
+                            Join('', [
+                                'arn:aws:s3:::',
+                                Ref(self.bucket),
+                                '/*',
+                            ]),
+                        ]
+                    },
+                ]
+            },
+        ))
+
+    def add_role(self, title, role_name_suffix, managed_policy):
+        """
+        Adds a iam.Role associated with the given managed policy to the template.
+
+        :param title: (str) the title of the resource
+        :param role_name_suffix: (str) the suffix to append to the role name, e.g. 'readonly'
+        :param managed_policy: the managed policy to associate with this role (iam.ManagedPolicy)
+
+        :return: an iam.Role object
+        """
+        return self.add_resource(iam.Role(
+            title,
+            RoleName=self.resource_name(
+                f"{PerfTestingTemplate.BUCKET_SHORT_NAME}-bucket-{role_name_suffix}",
+            ),
+            AssumeRolePolicyDocument={
+                "Statement": [{
+                    "Effect": "Allow",
+                    "Principal": {
+                        # arn:aws:iam::AWS-account-ID:role/role-name
+                        "AWS": [
+                            Ref("AWS::AccountId"),
+                        ]
+                    },
+                    "Action": ["sts:AssumeRole"]
+                }]
+            },
+            ManagedPolicyArns=[
+                Ref(managed_policy)
+            ],
+        ))
+
+    def get_cf_template(self):
+        """Returns the CloudFormation template as a string
+
+        :return: (str) the CloudFormation template
+        """
+        return self.to_yaml()
+
+
+if __name__ == "__main__":
+    print(PerfTestingTemplate().get_cf_template())
@@ -0,0 +1,4 @@
+# InSpec Profile for testing performance testings resources in AWS
+
+This InSpec profile checks the IAM resources created to manage and access  the S3 bucket
+containing the performance data.
@@ -0,0 +1,28 @@
+prefix = attribute('prefix')
+environment = attribute('environment')
+bucket_name = "#{prefix}#{environment}-performance-tests"
+
+bucket = aws_s3_bucket(bucket_name)
+
+control 'bucket-access-controls' do
+  impact 1.0                                # The criticality, if this control fails.
+  title 'Check access controls for the bucket'             # A human-readable title
+  desc 'Check that the bucket is not public and that all access is handled through IAM policies'
+
+  # http://inspec.io/docs/reference/resources/aws_s3_bucket
+  describe bucket do
+    it { should exist }
+
+    it { should_not be_public }
+
+    it { should have_default_encryption_enabled }
+
+    its(:bucket_policy) { should be_empty }
+  end
+
+  # http://inspec.io/docs/reference/resources/aws_s3_bucket
+  describe bucket.bucket_acl do
+    # only the canonical user should be listed in the ACLs
+    its(:length) { should be == 1 }
+  end
+end