def __init__(self, parameters): super(StackSetRole, self).__init__() self.AdministrationRole = iam.Role( "AdministrationRole", RoleName="AWSCloudFormationStackSetAdministrationRole", Path="/", AssumeRolePolicyDocument=aws.Policy( Version="2012-10-17", Statement=[ aws.Statement( Action=[aws.Action("sts", "AssumeRole")], Effect=aws.Allow, Principal=aws.Principal( "Service", "cloudformation.amazonaws.com" ) ) ], ), Policies=[ iam.Policy( PolicyName="AssumeRole-AWSCloudFormationStackSetExecutionRole", PolicyDocument=aws.Policy( Version="2012-10-17", Statement=[ aws.Statement( Action=[aws.Action("sts", "AssumeRole")], Effect=aws.Allow, Resource=["arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"], ) ] ), ) ] ) self.ExecutionRole = iam.Role( "ExecutionRole", RoleName="AWSCloudFormationStackSetExecutionRole", Path="/", ManagedPolicyArns=["arn:aws:iam::aws:policy/AdministratorAccess"], AssumeRolePolicyDocument=aws.Policy( Version="2012-10-17", Statement=[ aws.Statement( Action=[aws.Action("sts", "AssumeRole")], Effect=aws.Allow, Principal=aws.Principal( "AWS", Ref(parameters.AdministratorAccountId) ) ) ] ) )
def _cloudformation_role() -> iam.Role: """Build and return the IAM Role resource to be used by the pipeline to interact with CloudFormation.""" policy = iam.Policy( "CloudFormationPolicy", PolicyName="CloudFormationPolicy", PolicyDocument=AWS.PolicyDocument(Statement=[AllowEverywhere(Action=[AWS.Action("*")])]), ) return iam.Role( "CloudFormationRole", AssumeRolePolicyDocument=_service_assume_role(CLOUDFORMATION.prefix), Policies=[policy] )
def _bind_role(self, t, r): r.Policies.append( iam.Policy('cloudwatch', PolicyName='cloudwatch', PolicyDocument=aws.Policy(Statement=[ aws.Statement(Effect=aws.Allow, Resource=['*'], Action=[ aws.Action("logs", "*"), ]) ])))
def allow(self, allowed): ''' Allow custom iam permissions to be added to policy Args: allowed (dict): Dict of "aws service" : "action" ''' actions = [] for service, action in allowed.items(): actions.append(aws.Action(service, action)) statement = aws.Statement(Effect=aws.Allow, Action=actions, Resource=['*']) self.add_statement(statement)
def _cloudformation_role() -> iam.Role: """Construct a role for use by CloudFormation. :return: Constructed Role """ assume_policy = AWS.PolicyDocument(Statement=[ AWS.Statement( Principal=AWS.Principal( "Service", make_service_domain_name(CLOUDFORMATION.prefix)), Effect=AWS.Allow, Action=[STS.AssumeRole], ) ]) # TODO: Figure out how to scope this down without breaking IAM # IAM policies break if there is a * in certain fields, # so this does not work: # arn:PARTITION:*:REGION:ACCOUNT:* # # _desired_policy = AWS.PolicyDocument( # Statement=[ # AWS.Statement( # Effect=AWS.Allow, # Action=[AWS.Action("*")], # Resource=[ # account_arn(service_prefix="*", resource="*"), # account_arn(service_prefix=S3.prefix, resource="*"), # account_arn(service_prefix=IAM.prefix, resource="*"), # ], # ) # ] # ) policy = AWS.PolicyDocument(Statement=[ AWS.Statement( Effect=AWS.Allow, Action=[AWS.Action("*")], Resource=["*"]) ]) return iam.Role( resource_name(iam.Role, "CloudFormation"), AssumeRolePolicyDocument=assume_policy, Policies=[ iam.Policy(PolicyName=_policy_name("CloudFormation"), PolicyDocument=policy) ], )
def _bind_role(self, t, r): r.Policies.append( iam.Policy( 'DynamoScaleRolePolicy', PolicyName='DynamoScaleRolePolicy', PolicyDocument=aws.Policy(Statement=[ aws.Statement(Effect=aws.Allow, Action=[ aws.Action("dynamodb", "DescribeTable"), aws.Action("dynamodb", "UpdateTable"), ], Resource=["*"]), aws.Statement( Effect=aws.Allow, Action=[ aws.Action("cloudwatch", "PutMetricAlarm"), aws.Action("cloudwatch", "DescribeAlarms"), aws.Action("cloudwatch", "GetMetricStatistics"), aws.Action("cloudwatch", "SetAlarmState"), aws.Action("cloudwatch", "DeleteAlarms"), ], Resource=["*"]), ])))
def __init__(self, parameters, groups): """ :type parameters Parameters :type groups Groups """ super(RolesAndPolicies, self).__init__() self.EC2Baseline = iam.Role( "EC2Baseline", AssumeRolePolicyDocument=aws.Policy( Version="2012-10-17", Statement=[ aws.Statement(Action=[aws.Action("sts", "AssumeRole")], Effect=aws.Allow, Principal=aws.Principal( "Service", "ec2.amazonaws.com")) ], )) self.LambdaBasicExecution = iam.Role( "LambdaBasicExecution", AssumeRolePolicyDocument=aws.Policy( Version="2012-10-17", Statement=[ aws.Statement(Action=[aws.Action("sts", "AssumeRole")], Effect=aws.Allow, Principal=aws.Principal( "Service", "lambda.amazonaws.com")) ], ), ) self.ECSClusterServiceRole = iam.Role( "ECSClusterServiceRole", Policies=[ iam.Policy( PolicyName=Join("", [Ref(AWS_STACK_NAME), "-ecs-service"]), PolicyDocument=aws.Policy( Version="2012-10-17", Statement=[ aws.Statement( Action=[ aws.Action( "ec2", "AuthorizeSecurityGroupIngress"), aws.Action("ec2", "Describe*"), aws.Action( "elasticloadbalancing", "DeregisterInstancesFromLoadBalancer"), aws.Action("elasticloadbalancing", "Describe*"), aws.Action( "elasticloadbalancing", "RegisterInstancesWithLoadBalancer"), aws.Action("elasticloadbalancing", "DeregisterTargets"), aws.Action("elasticloadbalancing", "DescribeTargetGroups" ), # todo: remove aws.Action("elasticloadbalancing", "DescribeTargetHealth" ), # todo: remove aws.Action("elasticloadbalancing", "RegisterTargets"), ], Resource=["*"], Effect=aws.Allow) ])) ], AssumeRolePolicyDocument=aws.Policy( Version="2012-10-17", Statement=[ aws.Statement(Action=[aws.Action("sts", "AssumeRole")], Effect=aws.Allow, Principal=aws.Principal( "Service", "ecs.amazonaws.com")) ], )) self.ForceMFA = iam.ManagedPolicy( "ForceMFA", PolicyDocument=aws.Policy( Version="2012-10-17", Statement=[ aws.Statement(Sid="AllowAllUsersToListAccounts", Action=[ aws.Action("iam", "ListAccountAliases"), aws.Action("iam", "ListUsers"), aws.Action("iam", "GetAccountSummary"), ], Resource=["*"], Effect=aws.Allow), aws.Statement( Sid= "AllowIndividualUserToSeeAndManageOnlyTheirOwnAccountInformation", Action=[ aws.Action("iam", "ChangePassword"), aws.Action("iam", "CreateAccessKey"), aws.Action("iam", "CreateLoginProfile"), aws.Action("iam", "DeleteAccessKey"), aws.Action("iam", "DeleteLoginProfile"), aws.Action("iam", "GetAccountPasswordPolicy"), aws.Action("iam", "GetLoginProfile"), aws.Action("iam", "ListAccessKeys"), aws.Action("iam", "UpdateAccessKey"), aws.Action("iam", "UpdateLoginProfile"), aws.Action("iam", "ListSigningCertificates"), aws.Action("iam", "DeleteSigningCertificate"), aws.Action("iam", "UpdateSigningCertificate"), aws.Action("iam", "UploadSigningCertificate"), aws.Action("iam", "ListSSHPublicKeys"), aws.Action("iam", "GetSSHPublicKey"), aws.Action("iam", "DeleteSSHPublicKey"), aws.Action("iam", "UpdateSSHPublicKey"), aws.Action("iam", "UploadSSHPublicKey"), ], Resource=[ Join("", [ "arn:aws:iam::", AccountId, ":user/${aws:username}" ]) ], Effect=aws.Allow), aws.Statement( Sid="AllowIndividualUserToListOnlyTheirOwnMFA", Action=[ aws.Action("iam", "ListVirtualMFADevices"), aws.Action("iam", "ListMFADevices"), ], Resource=[ Join("", ["arn:aws:iam::", AccountId, ":mfa/*"]), Join("", [ "arn:aws:iam::", AccountId, ":user/${aws:username}" ]) ], Effect=aws.Allow), aws.Statement( Sid= "AllowIndividualUserToDeactivateOnlyTheirOwnMFAOnlyWhenUsingMFA", Action=[ aws.Action("iam", "DeactivateMFADevice"), ], Condition=aws.Condition( aws.Bool("aws:MultiFactorAuthPresent", True)), Resource=[ Join("", [ "arn:aws:iam::", AccountId, ":mfa/${aws:username}" ]), Join("", [ "arn:aws:iam::", AccountId, ":user/${aws:username}" ]) ], Effect=aws.Allow), aws.Statement( Sid="BlockAnyAccessOtherThanAboveUnlessSignedInWithMFA", Condition=aws.Condition( aws.BoolIfExists("aws:MultiFactorAuthPresent", False)), NotAction=[ aws.Action("iam", "*"), ], Resource=["*"], Effect=aws.Deny), ], ), Description="Forces MFA usage on all users in assigned groups", Groups=[ Ref(groups.AWSEngineers.title), Ref(groups.ReadOnlyUsers.title), ], ) self.FullAdministrator = iam.ManagedPolicy( "FullAdministrator", PolicyDocument=aws.Policy(Version="2012-10-17", Statement=[ aws.Statement( Action=[aws.Action("*")], Resource=["*"], Effect=aws.Allow) ]), Description="Allows full access to all AWS", Groups=[ Ref(groups.AWSEngineers.title), ], ) self.CIDeploymentPolicy = iam.ManagedPolicy( "CIDeploymentPolicy", PolicyDocument=aws.Policy( Version="2012-10-17", Statement=[ aws.Statement(Action=[ aws.Action("cloudformation", "DescribeStacks"), aws.Action("cloudformation", "DescribeStackEvents"), aws.Action("cloudformation", "DescribeStackResources"), aws.Action("cloudformation", "DescribeChangeSet"), aws.Action("cloudformation", "GetTemplate"), aws.Action("cloudformation", "GetTemplateSummary"), aws.Action("cloudformation", "List*"), aws.Action("cloudformation", "PreviewStackUpdate"), aws.Action("cloudformation", "CancelUpdateStack"), aws.Action("cloudformation", "ContinueUpdateRollback"), aws.Action("cloudformation", "CreateChangeSet"), aws.Action("cloudformation", "CreateStack"), aws.Action("cloudformation", "CreateUploadBucket"), aws.Action("cloudformation", "ExecuteChangeSet"), aws.Action("cloudformation", "SignalResource"), aws.Action("cloudformation", "UpdateStack"), aws.Action("cloudformation", "ValidateTemplate"), aws.Action("cloudformation", "SetStackPolicy"), aws.Action("ecs", "Describe*"), aws.Action("ecs", "RegisterTaskDefinition"), aws.Action("ecs", "UpdateService"), aws.Action("ecs", "List*"), aws.Action("ecs", "DeregisterTaskDefinition"), aws.Action("ecs", "DiscoverPollEndpoint"), aws.Action("ecs", "Poll"), aws.Action("ecr", "DescribeRepositories"), aws.Action("ecr", "ListImages"), aws.Action("ecr", "BatchCheckLayerAvailability"), aws.Action("ecr", "BatchGetImage"), aws.Action("ecr", "GetAuthorizationToken"), aws.Action("ecr", "GetDownloadUrlForLayer"), aws.Action("ecr", "GetRepositoryPolicy"), aws.Action("ecr", "CompleteLayerUpload"), aws.Action("ecr", "InitiateLayerUpload"), aws.Action("ecr", "PutImage"), aws.Action("ecr", "UploadLayerPart"), aws.Action("logs", "Describe*"), ], Resource=["*"], Effect=aws.Allow) ]), Description="Allows access to cloudformation for CircleCI", Groups=[ Ref(groups.CIDeploymentServices.title), ], ) self.S3Administrator = iam.ManagedPolicy( "S3Administrator", PolicyDocument=aws.Policy(Version="2012-10-17", Statement=[ aws.Statement(Action=[ aws.Action("s3", "*"), ], Resource=["*"], Effect=aws.Allow) ]), Description="Allows full management of S3", Groups=[Ref(groups.AWSEngineers.title)], Users=[], ) self.LoggingAndMonitoring = iam.ManagedPolicy( "LoggingAndMonitoring", PolicyDocument=aws.Policy( Version="2012-10-17", Statement=[ aws.Statement(Action=[ aws.Action("cloudwatch", "GetMetricStatistics"), aws.Action("cloudwatch", "ListMetrics"), aws.Action("cloudwatch", "PutMetricData"), aws.Action("ec2", "DescribeTags"), aws.Action("logs", "CreateLogGroup"), aws.Action("logs", "CreateLogStream"), aws.Action("logs", "DescribeLogGroups"), aws.Action("logs", "DescribeLogStreams"), aws.Action("logs", "PutLogEvents"), aws.Action("sns", "Publish"), ], Resource=["*"], Effect=aws.Allow) ]), Description= "Allows ingestion of logs and metrics into CloudWatch and publishing to SNS topics", Roles=[Ref(self.EC2Baseline)], )
lambda_role = template.add_resource( iam.Role( "LambaRole", AssumeRolePolicyDocument=aws.Policy(Statement=[ aws.Statement(Effect=aws.Allow, Action=[sts.AssumeRole], Principal=aws.Principal("Service", ["lambda.amazonaws.com"])) ]), Policies=[ iam.Policy( PolicyName="LambdaPolicy", PolicyDocument=aws.Policy(Statement=[ aws.Statement(Effect=aws.Allow, Action=[ aws.Action("logs", "CreateLogGroup"), aws.Action("logs", "CreateLogStream"), aws.Action("logs", "PutLogEvents"), ], Resource=["arn:aws:logs:*:*:*"]) ])) ])) lambda_function = template.add_resource( awslambda.Function("Lambda", Code=awslambda.Code( S3Bucket=Ref(param_lambda_source_bucket), S3Key=Ref(param_lambda_file_name)), Handler="lambda.lambda_handler", MemorySize=128, Role=GetAtt(lambda_role, "Arn"),
def main(): t = Template("A template to create a load balanced autoscaled Web flask deployment using ansible.") addMapping(t) ### VPC CONFIGURATION ### vpc = ec2.VPC( "MainVPC", CidrBlock="10.1.0.0/16" ) t.add_resource(vpc) vpc_id = Ref(vpc) subnet_1 = ec2.Subnet( "WebAppSubnet1", t, AvailabilityZone="us-east-1a", CidrBlock="10.1.0.0/24", MapPublicIpOnLaunch=True, VpcId=vpc_id, ) subnet_1_id = Ref(subnet_1) subnet_2 = ec2.Subnet( "WebAppSubnet2", t, AvailabilityZone="us-east-1b", CidrBlock="10.1.1.0/24", MapPublicIpOnLaunch=True, VpcId=vpc_id, ) subnet_2_id = Ref(subnet_2) ### NETWORKING ### igw = ec2.InternetGateway("internetGateway", t) gateway_to_internet = ec2.VPCGatewayAttachment( "GatewayToInternet", t, VpcId=vpc_id, InternetGatewayId=Ref(igw) ) route_table = ec2.RouteTable( "subnetRouteTable", t, VpcId=vpc_id ) route_table_id = Ref(route_table) internet_route = ec2.Route( "routeToInternet", t, DependsOn=gateway_to_internet, DestinationCidrBlock="0.0.0.0/0", GatewayId=Ref(igw), RouteTableId=route_table_id ) subnet_1_route_assoc = ec2.SubnetRouteTableAssociation( "Subnet1RouteAssociation", t, RouteTableId=route_table_id, SubnetId=Ref(subnet_1) ) subnet_2_route_assoc = ec2.SubnetRouteTableAssociation( "Subnet2RouteAssociation", t, RouteTableId=route_table_id, SubnetId=Ref(subnet_2) ) http_ingress = { "CidrIp": "0.0.0.0/0", "Description": "Allow HTTP traffic in from internet.", "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, } ssh_ingress = { "CidrIp": "0.0.0.0/0", "Description": "Allow SSH traffic in from internet.", "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, } elb_sg = ec2.SecurityGroup( "elbSecurityGroup", t, GroupName="WebGroup", GroupDescription="Allow web traffic in from internet to ELB", VpcId=vpc_id, SecurityGroupIngress=[ http_ingress ]) ssh_sg = ec2.SecurityGroup( "sshSecurityGroup", t, GroupName="SSHGroup", GroupDescription="Allow SSH traffic in from internet", VpcId=vpc_id, SecurityGroupIngress=[ ssh_ingress ] ) elb_sg_id = Ref(elb_sg) ssh_sg_id = Ref(ssh_sg) autoscale_ingress = { "SourceSecurityGroupId": elb_sg_id, "Description": "Allow web traffic in from ELB", "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80 } autoscale_sg = ec2.SecurityGroup( "WebAutoscaleSG", t, GroupName="AutoscaleGroup", GroupDescription="Allow web traffic in from elb on port 80", VpcId=vpc_id, SecurityGroupIngress=[ autoscale_ingress ] ) autoscale_sg_id = Ref(autoscale_sg) # BUCKETS app_bucket = s3.Bucket( "CodeDeployApplicationBucket", t, ) ### LOAD BALANCING ### Web_elb = elb.LoadBalancer( "WebElb", t, Name="WebElb", # TODO: Fix for name conflict Subnets=[subnet_1_id, subnet_2_id], SecurityGroups=[elb_sg_id] ) Web_target_group = elb.TargetGroup( "WebTargetGroup", t, DependsOn=Web_elb, HealthCheckPath="/health", HealthCheckPort=80, HealthCheckProtocol="HTTP", Matcher=elb.Matcher(HttpCode="200"), Name="NginxTargetGroup", Port=80, Protocol="HTTP", VpcId=vpc_id ) Web_listener = elb.Listener( "WebListener", t, LoadBalancerArn=Ref(Web_elb), DefaultActions=[ elb.Action("forwardAction", TargetGroupArn=Ref(Web_target_group), Type="forward" ) ], Port=80, Protocol="HTTP" ) ### AUTOSCALING ### # Everything after sudo -u ubuntu is one command # The sudo command is required to properly set file permissions when # running the ansible script as it assumes running from non root user lc_user_data = Base64(Join("\n", [ "#!/bin/bash", "apt-add-repository -y ppa:ansible/ansible", "apt-get update && sudo apt-get -y upgrade", "apt-get -y install git", "apt-get -y install ansible", "cd /home/ubuntu/", "sudo -H -u ubuntu bash -c '" "export LC_ALL=C.UTF-8 && " "export LANG=C.UTF-8 && " "ansible-pull -U https://github.com/DameonSmith/aws-meetup-ansible.git --extra-vars \"user=ubuntu\"'" ])) web_instance_role = iam.Role( "webInstanceCodeDeployRole", t, AssumeRolePolicyDocument={ 'Statement': [{ 'Effect': 'Allow', 'Principal': { 'Service': 'ec2.amazonaws.com' }, 'Action': 'sts:AssumeRole' }] }, Policies=[ iam.Policy( PolicyName="CodeDeployS3Policy", PolicyDocument=aws.Policy( Version='2012-10-17', Statement=[ aws.Statement( Sid='CodeDeployS3', Effect=aws.Allow, Action=[ aws_s3.PutObject, aws_s3.GetObject, aws_s3.GetObjectVersion, aws_s3.DeleteObject, aws_s3.ListObjects, aws_s3.ListBucket, aws_s3.ListBucketVersions, aws_s3.ListAllMyBuckets, aws_s3.ListMultipartUploadParts, aws_s3.ListBucketMultipartUploads, aws_s3.ListBucketByTags, ], Resource=[ GetAtt(app_bucket, 'Arn'), Join('', [ GetAtt(app_bucket, 'Arn'), '/*', ]), "arn:aws:s3:::aws-codedeploy-us-east-2/*", "arn:aws:s3:::aws-codedeploy-us-east-1/*", "arn:aws:s3:::aws-codedeploy-us-west-1/*", "arn:aws:s3:::aws-codedeploy-us-west-2/*", "arn:aws:s3:::aws-codedeploy-ca-central-1/*", "arn:aws:s3:::aws-codedeploy-eu-west-1/*", "arn:aws:s3:::aws-codedeploy-eu-west-2/*", "arn:aws:s3:::aws-codedeploy-eu-west-3/*", "arn:aws:s3:::aws-codedeploy-eu-central-1/*", "arn:aws:s3:::aws-codedeploy-ap-northeast-1/*", "arn:aws:s3:::aws-codedeploy-ap-northeast-2/*", "arn:aws:s3:::aws-codedeploy-ap-southeast-1/*", "arn:aws:s3:::aws-codedeploy-ap-southeast-2/*", "arn:aws:s3:::aws-codedeploy-ap-south-1/*", "arn:aws:s3:::aws-codedeploy-sa-east-1/*", ] ) ] ) ) ] ) web_instance_profile = iam.InstanceProfile( "webInstanceProfile", t, Path='/', Roles=[Ref(web_instance_role)], ) Web_launch_config = autoscaling.LaunchConfiguration( "webLaunchConfig", t, ImageId=FindInMap("RegionMap", Ref("AWS::Region"), "AMI"), # TODO: Remove magic string SecurityGroups=[ssh_sg_id, autoscale_sg_id], IamInstanceProfile=Ref(web_instance_profile), InstanceType="t2.micro", BlockDeviceMappings= [{ "DeviceName": "/dev/sdk", "Ebs": {"VolumeSize": "10"} }], UserData= lc_user_data, KeyName="advanced-cfn", ) Web_autoscaler = autoscaling.AutoScalingGroup( "WebAutoScaler", t, LaunchConfigurationName=Ref(Web_launch_config), MinSize="2", # TODO: Change to parameter MaxSize="2", VPCZoneIdentifier=[subnet_2_id, subnet_1_id], TargetGroupARNs= [Ref(Web_target_group)] ) t.add_output([ Output( "ALBDNS", Description="The DNS name for the application load balancer.", Value=GetAtt(Web_elb, "DNSName") ) ]) # DEVTOOLS CONFIG codebuild_service_role = iam.Role( "CMSCodeBuildServiceRole", t, AssumeRolePolicyDocument={ 'Statement': [{ 'Effect': 'Allow', 'Principal': { 'Service': ['codebuild.amazonaws.com'] }, 'Action': ['sts:AssumeRole'] }] }, Policies=[ iam.Policy( PolicyName="CloudWatchLogsPolicy", PolicyDocument=aws.Policy( Version="2012-10-17", Statement=[ aws.Statement( Sid='logs', Effect=aws.Allow, Action=[ aws_logs.CreateLogGroup, aws_logs.CreateLogStream, aws_logs.PutLogEvents ], Resource=['*'] ) ] ) ), iam.Policy( PolicyName="s3AccessPolicy", PolicyDocument=aws.Policy( Version="2012-10-17", Statement=[ aws.Statement( Sid='codebuilder', Effect=aws.Allow, Action=[ aws_s3.PutObject, aws_s3.GetObject, aws_s3.GetObjectVersion, aws_s3.DeleteObject ], Resource=[ GetAtt(app_bucket, 'Arn'), Join('', [ GetAtt(app_bucket, 'Arn'), '/*', ]) ] ) ] ) ) ] ) github_repo = Parameter( "GithubRepoLink", Description="Name of the repository you wish to connect to codebuild.", Type="String" ) artifact_key = Parameter( "ArtifactKey", Description="The key for the artifact that codebuild creates.", Type="String" ) t.add_parameter(github_repo) t.add_parameter(artifact_key) cms_code_build_project = codebuild.Project( "CMSBuild", t, Name="CMS-Build", Artifacts=codebuild.Artifacts( Location=Ref(app_bucket), Name=Ref(artifact_key), NamespaceType="BUILD_ID", Type="S3", Packaging="ZIP" ), Description="Code build for CMS", Environment=codebuild.Environment( ComputeType="BUILD_GENERAL1_SMALL", Image="aws/codebuild/python:3.6.5", Type="LINUX_CONTAINER", ), ServiceRole=GetAtt(codebuild_service_role, 'Arn'), Source=codebuild.Source( "CMSSourceCode", Auth=codebuild.SourceAuth( "GitHubAuth", Type="OAUTH" ), Location=Ref(github_repo), Type="GITHUB" ), Triggers=codebuild.ProjectTriggers( Webhook=True ) ) codedeploy_service_role = iam.Role( "CMSDeploymentGroupServiceRole", t, AssumeRolePolicyDocument={ 'Statement': [{ 'Effect': 'Allow', 'Principal': { 'Service': ['codedeploy.amazonaws.com'] }, 'Action': ['sts:AssumeRole'] }] }, Policies=[ iam.Policy( PolicyName="CloudWatchLogsPolicy", PolicyDocument=aws.Policy( Version="2012-10-17", Statement=[ aws.Statement( Sid='logs', Effect=aws.Allow, Action=[ aws_logs.CreateLogGroup, aws_logs.CreateLogStream, aws_logs.PutLogEvents ], Resource=['*'] ) ] ) ), iam.Policy( PolicyName="s3AccessPolicy", PolicyDocument=aws.Policy( Version="2012-10-17", Statement=[ aws.Statement( Sid='codebuilder', Effect=aws.Allow, Action=[ aws_s3.PutObject, aws_s3.GetObject, aws_s3.GetObjectVersion, aws_s3.DeleteObject ], Resource=[ GetAtt(app_bucket, 'Arn'), Join('', [ GetAtt(app_bucket, 'Arn'), '/*' ]) ] ) ] ) ), iam.Policy( PolicyName="autoscalingAccess", PolicyDocument=aws.Policy( Version="2012-10-17", Statement=[ aws.Statement( Sid='codebuilder', Effect=aws.Allow, Action=[ aws.Action('autoscaling', '*'), aws.Action('elasticloadbalancing', '*') ], Resource=[ '*' ] ) ] ) ) ] ) cms_codedeploy_application = codedeploy.Application( "CMSCodeDeployApplication", t, ) cms_deployment_group = codedeploy.DeploymentGroup( "CMSDeploymentGroup", t, DependsOn=[cms_codedeploy_application], ApplicationName=Ref(cms_codedeploy_application), AutoScalingGroups=[Ref(Web_autoscaler)], LoadBalancerInfo=codedeploy.LoadBalancerInfo( "CodeDeployLBInfo", TargetGroupInfoList=[ codedeploy.TargetGroupInfoList( "WebTargetGroup", Name=GetAtt(Web_target_group, "TargetGroupName") ) ] ), ServiceRoleArn=GetAtt(codedeploy_service_role, 'Arn') ) print(t.to_yaml())
])) event = t.add_resource( events.Rule("EventsRule", Condition="IsMaster", EventPattern={"source": ["aws.guardduty"]}, State="ENABLED", Targets=[events.Target( Arn=Ref(snstopic), Id="sns", )])) # Allow events to send notifications to SNS t.add_resource( sns.TopicPolicy( "SNSTopicPolicy", Condition="IsMaster", PolicyDocument=aws.Policy(Statement=[ aws.Statement( Effect=aws.Allow, Action=[ aws.Action("sns", "Publish"), ], Principal=aws.Principal("Service", "events.amazonaws.com"), Resource=[Ref(snstopic)], ), ]), Topics=[Ref(snstopic)])) print(t.to_json())
"LambdaBackupRDSRole", AssumeRolePolicyDocument=aws.Policy(Statement=[ aws.Statement(Effect=aws.Allow, Action=[sts.AssumeRole], Principal=aws.Principal("Service", ["lambda.amazonaws.com"])) ]), Policies=[ iam.Policy( "LambdaBackupRDSPolicy", PolicyName="AccessToRDSAndLogs", PolicyDocument=aws.Policy(Statement=[ aws.Statement( Effect=aws.Allow, Action=[ aws.Action('rds', 'DescribeDbSnapshots'), aws.Action('rds', 'CopyDbSnapshot'), aws.Action('rds', 'DeleteDbSnapshot'), aws.Action('rds', 'DeleteDbClusterSnapshot'), aws.Action('rds', 'DescribeDbClusters'), aws.Action('rds', 'DescribeDbClusterSnapshots'), aws.Action('rds', 'CopyDBClusterSnapshot'), ], Resource=['*']), aws.Statement(Effect=aws.Allow, Action=[ aws.Action('logs', 'CreateLogGroup'), aws.Action('logs', 'CreateLogStream'), aws.Action('logs', 'PutLogEvents'), ], Resource=['arn:aws:logs:*:*:*']),
"LambdaRole", AssumeRolePolicyDocument=aws.Policy(Statement=[ aws.Statement(Effect=aws.Allow, Action=[sts.AssumeRole], Principal=aws.Principal("Service", ["lambda.amazonaws.com"])) ]), Policies=[ iam.Policy( "LambdaBackupRDSPolicy", PolicyName="AccessToEC2Snapshots", PolicyDocument=aws.Policy(Statement=[ aws.Statement( Effect=aws.Allow, Action=[ aws.Action("ec2", "Describe*"), aws.Action("ec2", "CreateSnapshot"), aws.Action("ec2", "DeleteSnapshot"), aws.Action("ec2", "CreateTags"), aws.Action("ec2", "ModifySnapshotAttribute"), aws.Action("ec2", "ResetSnapshotAttribute"), ], Resource=["*"]), aws.Statement(Effect=aws.Allow, Action=[ aws.Action("logs", "CreateLogGroup"), aws.Action("logs", "CreateLogStream"), aws.Action("logs", "PutLogEvents"), ], Resource=["arn:aws:logs:*:*:*"]), ]))
def _bind_role(self, t, r): r.Policies.append( iam.Policy( 'codedeploy', PolicyName='codedeploy', PolicyDocument=aws.Policy(Statement=[ aws.Statement( Effect=aws.Allow, Resource=['*'], Action=[ aws.Action('autoscaling', '*'), aws.Action('elasticloadbalancing', 'DescribeLoadBalancers'), # noqa aws.Action('elasticloadbalancing', 'DescribeInstanceHealth'), # noqa aws.Action('elasticloadbalancing', 'RegisterInstancesWithLoadBalancer'), aws.Action('elasticloadbalancing', 'DeregisterInstancesFromLoadBalancer'), aws.Action('ec2', 'Describe*'), aws.Action('ec2', 'TerminateInstances'), aws.Action('tag', 'GetTags'), aws.Action('tag', 'GetResources'), aws.Action('tag', 'GetTagsForResource'), aws.Action('tag', 'GetTagsForResourceList'), aws.Action('lambda', '*') ]), ])))
jicketloopmode = "singleshot" # Execution Role # ================ lambdaexecutionrole = iam.Role("APILambdaExecutionRole") lambdaexecutionrole.AssumeRolePolicyDocument = aws_awacs.PolicyDocument( Version="2012-10-17", Id="S3-Account-Permissions", Statement=[ aws_awacs.Statement( Sid="1", Effect=aws_awacs.Allow, Principal=aws_awacs.Principal("Service", "lambda.amazonaws.com"), Action=[aws_awacs.Action("sts", "AssumeRole")] ) ], ) lambdaexecutionrole.RoleName = "GeolocatorLambdaExecutionRole" lambdaexecutionrole.ManagedPolicyArns = [] lambdaexecutionrole.Policies = [iam.Policy( PolicyName="LambdaExecutionPolicy", PolicyDocument=aws_awacs.PolicyDocument( Version="2012-10-17", Statement=[ ] ) )] t.add_resource(lambdaexecutionrole)
def __init__(self, parameters, vpc, loadbalancer): """ :type parameters Parameters :type vpc VPC :type loadbalancer LoadBalancer """ super(EC2, self).__init__() # Ec2 instance self.instance_role = iam.Role( "InstanceRole", AssumeRolePolicyDocument=aws.Policy(Statement=[ aws.Statement(Effect=aws.Allow, Action=[sts.AssumeRole], Principal=aws.Principal("Service", ["ec2.amazonaws.com"])) ]), Path="/", ) self.instance_role_policy = iam.PolicyType( "InstanceRolePolicy", PolicyName=Join("-", [Ref("AWS::StackName"), "instance-policy"]), PolicyDocument=aws.Policy(Statement=[ aws.Statement(Effect=aws.Allow, Action=[ aws.Action("logs", "CreateLogGroup"), aws.Action("logs", "CreateLogStream"), aws.Action("logs", "PutLogEvents"), aws.Action("logs", "DescribeLogStreams"), ], Resource=["arn:aws:logs:*:*:*"]) ]), Roles=[Ref(self.instance_role)]) self.instance_profile = iam.InstanceProfile( "InstanceProfile", Path="/", Roles=[Ref(self.instance_role)]) self.launch_configuration = autoscaling.LaunchConfiguration( "LaunchConfiguration", ImageId=FindInMap("AMIMap", Ref(AWS_REGION), "AMI"), InstanceType=Ref(parameters.ec2_instance_type), KeyName=Ref(parameters.key_pair), InstanceMonitoring=True, SecurityGroups=[ GetAtt(loadbalancer.instance_security_group, "GroupId"), ], IamInstanceProfile=Ref(self.instance_profile), ) self.auto_scaling_group = autoscaling.AutoScalingGroup( "AutoScalingGroup", LaunchConfigurationName=Ref(self.launch_configuration), MinSize=1, DesiredCapacity=1, MaxSize=10, HealthCheckType='ELB', HealthCheckGracePeriod=300, VPCZoneIdentifier=[ Ref(vpc.public_subnet_1), Ref(vpc.public_subnet_2) ], LoadBalancerNames=[Ref(loadbalancer.load_balancer)], Tags=[autoscaling.Tag("Name", Ref("AWS::StackName"), True)], UpdatePolicy=policies.UpdatePolicy( AutoScalingRollingUpdate=policies.AutoScalingRollingUpdate( PauseTime="PT30S", MinInstancesInService=1, MaxBatchSize=10, WaitOnResourceSignals=False)), TerminationPolicies=[ 'OldestLaunchConfiguration', 'ClosestToNextInstanceHour', 'Default' ], MetricsCollection=[ autoscaling.MetricsCollection(Granularity="1Minute") ]) self.scale_up_policy = autoscaling.ScalingPolicy( "ScaleUPPolicy", AdjustmentType='ChangeInCapacity', AutoScalingGroupName=Ref(self.auto_scaling_group), PolicyType='StepScaling', MetricAggregationType='Average', StepAdjustments=[ autoscaling.StepAdjustments(MetricIntervalLowerBound=0, ScalingAdjustment=1) ], ) self.scale_down_policy = autoscaling.ScalingPolicy( "ScaleDOWNPolicy", AdjustmentType='ChangeInCapacity', AutoScalingGroupName=Ref(self.auto_scaling_group), PolicyType='StepScaling', MetricAggregationType='Average', StepAdjustments=[ autoscaling.StepAdjustments(MetricIntervalUpperBound=0, ScalingAdjustment=-1) ], ) self.ec2_high_cpu_usage_alarm = cloudwatch.Alarm( "EC2HighCPUUsageAlarm", ActionsEnabled=True, AlarmActions=[Ref(self.scale_up_policy)], ComparisonOperator='GreaterThanThreshold', Dimensions=[ cloudwatch.MetricDimension(Name='AutoScalingGroupName', Value=Ref(self.auto_scaling_group)) ], EvaluationPeriods=3, MetricName='CPUUtilization', Namespace='AWS/EC2', Period=300, Statistic='Average', Threshold='70', ) self.ec2_low_cpu_usage_alarm = cloudwatch.Alarm( "EC2LowCPUUsageAlarm", ActionsEnabled=True, AlarmActions=[Ref(self.scale_down_policy)], ComparisonOperator='LessThanThreshold', Dimensions=[ cloudwatch.MetricDimension(Name='AutoScalingGroupName', Value=Ref(self.auto_scaling_group)) ], EvaluationPeriods=3, MetricName='CPUUtilization', Namespace='AWS/EC2', Period=300, Statistic='Average', Threshold='20', )
"""Resources for lambda function.""" import troposphere from awacs import aws from troposphere import awslambda from troposphere import cloudformation from troposphere import iam _ROLE = iam.Role( title="LambdaRole", AssumeRolePolicyDocument=aws.PolicyDocument( Statement=[ aws.Statement( Action=[aws.Action("sts", "AssumeRole")], Effect="Allow", Principal=aws.Principal( principal="Service", resources=["lambda.amazonaws.com"] ), ) ] ), ManagedPolicyArns=[ "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" ], RoleName="cloudformation-kubernetes-lambda", ) with open("cloudformation/lambda_function/index.py") as in_file: _CODE = awslambda.Code(ZipFile=in_file.read()) _LAMBDA = awslambda.Function( title="Lambda",