Beispiel #1
0
 def setUpClass(cls):
     code_build = CodeBuild(project_name=project_name, role_name=project_name)
     iam        = IAM(role_name=project_name)
     if delete_on_setup:
         code_build.project_delete()
         iam.role_delete()
     if code_build.project_exists() is False:
         assert code_build.project_exists() is False
         iam.role_create(assume_policy)                                # create role
         assert iam.role_info().get('Arn') == service_role             # confirm the role exists
         sleep(1)
         code_build.project_create(project_repo, service_role)         # in a non-deterministic way, this sometimes throws the error: CodeBuild is not authorized to perform: sts:AssumeRole
Beispiel #2
0
class IAM_Role:
    def __init__(self, role_name=None):
        self.role_name = role_name or f"osbot_temp_role_{random_string()}"
        self.iam = IAM(role_name=self.role_name)

    def add_policy_for__lambda(self):
        temp_policy_name = 'policy_{0}'.format(self.role_name)
        cloud_watch_arn = f'arn:aws:logs:{AWS_Config().aws_session_region_name()}:{AWS_Config().aws_session_account_id()}:log-group:/aws/lambda/*'
        iam_policy = IAM_Policy(temp_policy_name)
        policy_arn = iam_policy.add_cloud_watch(cloud_watch_arn).create().get(
            'policy_arn')
        self.iam.role_policy_attach(policy_arn)
        return policy_arn

    def arn(self):
        return self.iam.role_arn()

    def attach_policy(self, policy_name, policy_document):
        self.delete_policy(policy_name=policy_name)
        result_create = self.iam.policy_create(policy_name=policy_name,
                                               policy_document=policy_document)
        policy_arn = result_create.get('policy_arn')
        self.iam.role_policy_attach(policy_arn=policy_arn)
        return policy_arn

    def create(self, policy_document, skip_if_exists=True):
        self.iam.role_create(policy_document=policy_document,
                             skip_if_exists=skip_if_exists)
        return self.exists()

    def create_for__lambda(self):
        result = self.create_for_service__assume_role('lambda.amazonaws.com')
        if result.get('status') == 'ok':
            self.add_policy_for__lambda()
        return result

    def create_for__code_build(self):
        return self.create_for_service__assume_role('codebuild.amazonaws.com')

    def create_for_service__assume_role(self, service):
        statement = {
            'Action': 'sts:AssumeRole',
            'Effect': 'Allow',
            'Principal': {
                'Service': service
            }
        }
        return self.create_from_statement(statement)

    def create_for_service(self, service, statement):
        statement['Principal'] = {'Service': service}
        return self.create_from_statement(statement)

    def create_for_service_with_policies(self,
                                         service,
                                         policies,
                                         project_name,
                                         recreate_policy=False):
        role = self.create_for_service__assume_role(service)
        role_arn = role.get('role_arn')
        policies_arns = self.iam.policies_create(policies, project_name,
                                                 recreate_policy)
        self.iam.role_policies_attach(policies_arns)
        return {"role_arn": role_arn, "policies_arns": policies_arns}

    def create_from_statement(self, statement):
        return self.create_from_statements([statement])

    def create_from_statements(self, statement):
        role_arn = self.iam.role_arn()
        if role_arn:
            return {
                'status': 'warning',
                'data': 'role already exists',
                'role_name': self.iam.role_name,
                'role_arn': role_arn
            }
        else:
            policy_document = {'Statement': statement}
            data = self.iam.role_create(policy_document)
            return {
                'status': 'ok',
                'data': data,
                'role_name': self.iam.role_name,
                'role_arn': data.get('Arn')
            }

    def delete(self):
        return self.iam.role_delete()

    def delete_policy(self, policy_arn=None, policy_name=None):
        return self.iam.policy_delete(policy_arn=policy_arn,
                                      policy_name=policy_name)

    def exists(self):
        return self.iam.role_exists()

    def info(self):
        return self.iam.role_info()

    def not_exists(self):
        return self.iam.role_not_exists()

    def policies_statements(self):
        return self.iam.role_policies_statements()