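def getAWSPolicyDocument(ctx, policyName):
    """Return the default-version document of the IAM policy ``policyName``.

    The policy is first looked up in the cached AWS policy metadata
    (``aws_policies.getPolicyMeta``). An unknown policy is logged and
    reported as ``None`` rather than raised, so callers must check the
    result before using it.

    Args:
        ctx: tool context; provides ``log`` and whatever the
            ``aws_policies`` helpers need.
        policyName: name of the policy as known to AWS and the cache.

    Returns:
        The value of ``aws_policies.getDefaultPolicyVersion`` for the
        policy, or ``None`` when the policy is not in the cache.
    """
    meta = aws_policies.getPolicyMeta(ctx, policyName)
    if meta is None:
        ctx.log('AWS policy %s was not found' % policyName)
        return None
    return aws_policies.getDefaultPolicyVersion(ctx, policyName)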
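def detachPolicy(ctx, roleName, policyName):
    """Detach the managed policy ``policyName`` from IAM role ``roleName``.

    This removes permissions from a live role, so the real API call is
    gated behind ``ctx.dry_run`` and recorded through ``ctx.audit`` only
    when it was actually performed. A policy that is not in the cached AWS
    policy metadata is logged and skipped.

    Args:
        ctx: tool context; provides ``iam`` (an IAM client with
            ``detach_role_policy``, presumably boto3), ``dry_run``,
            ``log`` and ``audit``.
        roleName: name of the IAM role to modify.
        policyName: name of the policy whose cached ``Arn`` is detached.

    Returns:
        None. A missing policy is logged, not raised; errors from the IAM
        client propagate to the caller.
    """
    iam = ctx.iam
    meta = aws_policies.getPolicyMeta(ctx, policyName)
    if meta is None:
        ctx.log("detachPolicy: Error- %s does not exist in cached AWS policies" % policyName)
        return
    policyArn = meta["Arn"]
    if ctx.dry_run:
        # Dry run: show the exact call that would be made and change nothing.
        ctx.log("iam.detach_role_policy(RoleName=%s, PolicyArn=%s)" % (roleName, policyArn))
        return
    # The response body is not inspected; only the audit trail is kept.
    iam.detach_role_policy(RoleName=roleName, PolicyArn=policyArn)
    ctx.audit("Detached policy %s from role %s" % (policyName, roleName))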
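def comparePolicy(ctx, policyName, no_diff, diff_type, context_lines, offset):
    """Report whether the model version of ``policyName`` matches AWS.

    Prints one line per policy: the offset-indented, left-justified name
    followed by `` MATCHED``, `` NOT MATCHED`` or `` not found at AWS!``.
    For a mismatch the diff returned by ``compareModel2AWS`` is printed
    below, unless ``no_diff`` is set or no diff was returned. Nothing is
    changed in AWS; this is a read-only drift check.

    Args:
        ctx: tool context; provides ``log(msg, nl=..., fg=...)``.
        policyName: name of the policy in the model and in AWS.
        no_diff: suppress the diff listing for mismatches.
        diff_type: passed through to ``compareModel2AWS`` (e.g. 'unified').
        context_lines: passed through to ``compareModel2AWS``.
        offset: indentation prefix for every printed line.

    Returns:
        None; the result is only reported through ``ctx.log``.
    """
    ctx.log('%s%-43s' % (offset, policyName), nl=False)
    meta = aws_policies.getPolicyMeta(ctx, policyName)
    if meta is None:
        ctx.log(' not found at AWS!', fg='cyan')
        return
    matched, diff = compareModel2AWS(ctx, policyName, meta, diff_type, context_lines)
    if matched:
        ctx.log(' MATCHED')
        return
    ctx.log(' NOT MATCHED', fg='cyan')
    if no_diff or diff is None:
        return
    ctx.log('%sDiff output...' % offset, fg='cyan')
    for line in diff:
        ctx.log('%s   %s' % (offset, line), fg='cyan')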
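def createPolicy(ctx, targetRegion, targetEnv, targetService, targetPolicy):
    """Create in AWS every selected model policy that does not exist yet.

    Iterates ``ctx.modelPolicies``. A policy is skipped (with a log line
    where applicable) when ``isValidTarget`` rejects it for the given
    filters, when it already exists in the cached AWS policy metadata, or
    when the model has no document for it. Otherwise the model document is
    serialised as indented JSON and handed to ``aws_policies.createPolicy``;
    the model is treated as the source of truth and is not validated here.

    Args:
        ctx: tool context; provides ``modelPolicies``, ``log`` and ``vlog``.
        targetRegion, targetEnv, targetService, targetPolicy: filters passed
            straight to ``isValidTarget``; may be ``None``.

    Returns:
        None. Errors raised by ``aws_policies.createPolicy`` propagate.
    """
    ctx.vlog('createPolicy(targetRegion: %s targetEnv: %s targetService: %s targetPolicy: %s)' % (targetRegion, targetEnv, targetService, targetPolicy))
    for policyName in ctx.modelPolicies:
        # isValidTarget is treated as a plain boolean predicate.
        if not isValidTarget(ctx, policyName, targetRegion, targetEnv, targetService, targetPolicy):
            continue
        # Never overwrite an existing policy from here; updates go through
        # updatePolicies so the version handling applies.
        if aws_policies.getPolicyMeta(ctx, policyName) is not None:
            ctx.log('%s already exists' % policyName)
            continue
        modelPolicy = getModelPolicyDocument(ctx, policyName)
        if modelPolicy is None:
            ctx.log('Error: %s does not exist in the model' % policyName)
            continue
        policyDocument = json.dumps(modelPolicy, indent=4)
        ctx.log('Creating policy : %s' % policyName)
        aws_policies.createPolicy(ctx, policyName, policyDocument)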
def updatePolicies(ctx, targetRegion, targetEnv, targetService, targetPolicy, constrainToModel, force):
    """Reconcile the selected model policies with what exists in AWS.

    For each policy in ``ctx.modelPolicies`` accepted by ``isValidTarget``:

    * missing in AWS -> created via ``createPolicy`` (the region/env/service
      filters are dropped; only the policy name is forwarded);
    * present and matching the model -> left alone (unless ``force``);
    * present but different -> only *reported*, unless ``force`` or
      ``constrainToModel`` is set, in which case a new policy version is
      pushed from the model document.

    Without ``constrainToModel``/``force`` this is therefore drift detection
    only; with either flag it is enforcement that overwrites changes made
    outside the model.

    Args:
        ctx: tool context; provides ``modelPolicies`` and ``log``.
        targetRegion, targetEnv, targetService, targetPolicy: filters passed
            to ``isValidTarget``.
        constrainToModel: push the model document when AWS differs.
        force: push the model document without comparing first.

    Returns:
        None.
    """
    for policyName in ctx.modelPolicies:
        if isValidTarget(ctx,policyName, targetRegion, targetEnv, targetService, targetPolicy) == False:
            continue
        meta = aws_policies.getPolicyMeta(ctx, policyName)
        if meta == None:
            ctx.log('Adding model policy not found in AWS: %s' % policyName)
            # Only the name is forwarded; createPolicy's own isValidTarget
            # call then runs with None for the other filters.
            createPolicy(ctx, None, None, None, policyName)
            continue

        ctx.log('Model policy found in AWS: %s.  Comparing policy document' % policyName)
        policyArn = meta['Arn']

        if force:
            ctx.log('Forcing an update.  No compare necessary.')
        else:
            matched, diff = compareModel2AWS(ctx,policyName, meta,'unified',0)
            if matched:
                ctx.log('%s: MATCHED.  Noting to update.' % policyName)
                continue

        # Reached for a real mismatch and also under force (no compare ran).
        ctx.log('%s: DID NOT MATCH' % policyName)
        if force or constrainToModel:
            # Need to update the policy.  Get the existing versions first:
            # the code caps a policy at five versions (IAM's managed-policy
            # limit), so one has to go before a new version can be created.
            versions = aws_policies.getPolicyVersions(ctx,meta['Arn'])
            if len(versions) >= 5:
                # Too many versions, gotta delete 1
                # NOTE(review): sort() is the natural ordering of whatever
                # getPolicyVersions returns. If these are IAM version ids
                # ('v1', 'v2', ..., 'v10') the order is lexical, so the
                # version removed here is not necessarily the oldest --
                # confirm the returned shape. The default version is
                # skipped; whatever else is deleted is lost rollback history.
                versions.sort()
                defaultVersionId = meta['DefaultVersionId']
                for version in versions:
                    if version != defaultVersionId:
                        aws_policies.deletePolicyVersion(ctx,policyArn, version)
                        break
            modelPolicy = getModelPolicyDocument(ctx, policyName)
            # NOTE(review): no None check here, unlike createPolicy; a policy
            # missing from the model would be serialised as 'null'.
            policyDocument = json.dumps(modelPolicy,indent=4)
            # Whether the new version becomes the default (i.e. actually takes
            # effect) is decided inside aws_policies.createPolicyVersion.
            aws_policies.createPolicyVersion(ctx, policyArn, policyDocument)