def policy_create_for_task_role(self, role_name, skip_if_exists=True):
policy = { "Version" : "2008-10-17",
"Statement" : [ { "Effect": "Allow",
"Principal": { "Service": "ecs-tasks.amazonaws.com"},
"Action": "sts:AssumeRole" }]}
iam_role = IAM_Role(role_name=role_name)
iam_role.create(policy,skip_if_exists=skip_if_exists)
return iam_role
def test_create_function(self):
role_arn = IAM_Role(self.lambda_name +
'__tmp_role').create_for__lambda().get('role_arn')
tmp_folder = Temp_Folder_With_Lambda_File(
self.lambda_name).create_temp_file()
(self.aws_lambda.set_role(role_arn).set_s3_bucket(
self.s3_bucket).set_s3_key(self.s3_key).set_folder_code(
tmp_folder.folder))
create_kwargs = self.aws_lambda.create_kwargs()
assert create_kwargs == {
'Code': {
'S3Bucket': self.s3_bucket,
'S3Key': self.s3_key
},
'FunctionName': self.lambda_name,
'Handler': self.lambda_name + '.run',
'MemorySize': 10240,
'PackageType': 'Zip',
'Role': role_arn,
'Runtime': 'python3.8',
'Tags': {},
'Timeout': 900,
'TracingConfig': {
'Mode': 'PassThrough'
}
}
assert self.aws_lambda.upload() is True
result = self.aws_lambda.create()
data = result.get('data')
name = result.get('name')
status = result.get('status')
assert status == 'ok'
assert name == self.lambda_name
expected_arn = 'arn:aws:lambda:{0}:{1}:function:{2}'.format(
self.region, self.account_id,
self.lambda_name) # expected arn value
(Assert(data).field_is_equal('CodeSize',
242) # confirm lambda creation details
.field_is_equal('FunctionArn', expected_arn).field_is_equal(
'FunctionName', self.lambda_name).field_is_equal(
'Handler', self.lambda_name + '.run').field_is_equal(
'MemorySize',
10240).field_is_equal('Role', role_arn).field_is_equal(
'Runtime', 'python3.8').field_is_equal(
'Timeout',
900).field_is_equal('TracingConfig', {
'Mode': 'PassThrough'
}).field_is_equal('Version', '$LATEST'))
assert self.aws_lambda.invoke() == 'hello None'
assert self.aws_lambda.delete() is True # confirm Lambda was deleted
def policy_create_for_execution_role(self, role_name, skip_if_exists=True):
#cloud_watch_arn = "arn:aws:logs:{0}:{1}:log-group:awslogs-*".format(self.region, self.account_id)
cloud_watch_arn = f"arn:aws:logs:{self.region}:{self.account_id}:log-group:*"
role_document = { "Version" : "2008-10-17",
"Statement" : [ { "Effect": "Allow",
"Principal": { "Service": "ecs-tasks.amazonaws.com"},
"Action": "sts:AssumeRole" }]}
policy_document = { "Version" : "2012-10-17",
"Statement": [{ "Effect" : "Allow" ,
"Action" : [ "ecr:GetAuthorizationToken" ,
"ecr:BatchCheckLayerAvailability" ,
"ecr:GetDownloadUrlForLayer" ,
"ecr:GetRepositoryPolicy" ,
"ecr:DescribeRepositories" ,
"ecr:ListImages" ,
"ecr:DescribeImages" ,
"ecr:BatchGetImage" ],
"Resource": "*" },
{ "Effect" : "Allow",
"Action" : [ "logs:CreateLogStream" ,
"logs:PutLogEvents" ],
"Resource": [ cloud_watch_arn ]}]}
policy_name = 'policy_for_{0}'.format(role_name)
iam_role = IAM_Role(role_name=role_name)
if iam_role.exists() and skip_if_exists:
return iam_role
if iam_role.create(policy_document=role_document, skip_if_exists=skip_if_exists):
iam_role.attach_policy(policy_name=policy_name, policy_document=policy_document)
if policy_name in iam_role.iam.role_policies():
return iam_role
def test_create_function(self):
role_arn = IAM_Role(self.lambda_name + '__tmp_role').create_for__lambda().get('role_arn')
tmp_folder = Temp_Folder_Code(self.lambda_name)
(
self.aws_lambda.set_role (role_arn)
.set_s3_bucket (self.s3_bucket )
.set_s3_key (self.s3_key )
.set_folder_code(tmp_folder.folder)
)
assert self.aws_lambda.create_params() == (self.lambda_name, 'python3.7' ,
role_arn , self.lambda_name + '.run',
3008 , 60 ,
{ 'Mode' : 'PassThrough' },
{ 'S3Bucket': self.s3_bucket ,
'S3Key' : self.s3_key }) # confirm values that will be passed to the boto3's create_function
assert self.aws_lambda.upload() is True
result = self.aws_lambda.create()
data = result.get('data')
name = result.get('name')
status = result.get('status')
assert status == 'ok'
assert name == self.lambda_name
expected_arn = 'arn:aws:lambda:{0}:{1}:function:{2}'.format(self.region,self.account_id,self.lambda_name) # expected arn value
(Assert(data).field_is_equal('CodeSize' , 209 ) # confirm lambda creation details
.field_is_equal('FunctionArn' , expected_arn )
.field_is_equal('FunctionName' , self.lambda_name )
.field_is_equal('Handler' , self.lambda_name + '.run')
.field_is_equal('MemorySize' , 3008 )
.field_is_equal('Role' , role_arn )
.field_is_equal('Runtime' , 'python3.7' )
.field_is_equal('Timeout' , 60 )
.field_is_equal('TracingConfig', {'Mode': 'PassThrough'} )
.field_is_equal('Version' , '$LATEST' )
)
assert self.aws_lambda.delete() is True # confirm Lambda was deleted
def test_policy_add_sqs_permissions_to_lambda_role(self):
policy_name = self.iam_utils.arn_aws_policy_service_sqs_lambda.split(
'/').pop(-1)
with Temp_Lambda() as temp_lambda:
lambda_name = temp_lambda.lambda_name
iam_role_name = self.iam_utils.policy_add_sqs_permissions_to_lambda_role(
lambda_name)
iam_role = IAM_Role(role_name=iam_role_name)
pprint(iam_role.info())
assert policy_name in iam_role.policies_statements()
assert iam_role.exists() is True
self.iam_utils.policy_remove_sqs_permissions_to_lambda_role(
lambda_name)
assert policy_name not in iam_role.policies_statements()
def create__for_lambda_invocation(self, delete_existing=False):
iam_role = IAM_Role(self.role_name__for_lambda_invocation)
if delete_existing:
iam_role.iam.role_delete()
return iam_role.create_for__lambda().get('role_arn')
def setUp(self):
self.temp_role_name = 'test_IAM_Role__temp_role'
self.iam_role = IAM_Role(role_name=self.temp_role_name)
class test_IAM_Role(TestCase):
def setUp(self):
self.temp_role_name = 'test_IAM_Role__temp_role'
self.iam_role = IAM_Role(role_name=self.temp_role_name)
def test___init__(self):
assert self.iam_role.iam.role_name == self.temp_role_name
def test_create_for__code_build(self):
self.iam_role.iam.role_delete()
result = self.iam_role.create_for__code_build()
status = result.get('status')
data = result.get('data')
role_arn = result.get('role_arn')
role_name = result.get('role_name')
create_date = data.get('CreateDate')
del data['RoleId']
del data['CreateDate']
expected_service = 'codebuild.amazonaws.com'
expected_arn = 'arn:aws:iam::{0}:role/test_IAM_Role__temp_role'.format(
account_id)
expected_data = {
'Arn': expected_arn,
'AssumeRolePolicyDocument': {
'Statement': [{
'Action': 'sts:AssumeRole',
'Effect': 'Allow',
'Principal': {
'Service': expected_service
}
}]
},
'Path': '/',
'RoleName': 'test_IAM_Role__temp_role'
}
assert status == 'ok'
assert role_arn == expected_arn
assert role_name == self.temp_role_name
assert data == expected_data
Temp_Assert(create_date).is_today()
assert self.iam_role.create_for__code_build() == {
'data': 'role already exists',
'role_name': self.temp_role_name,
'role_arn': expected_arn,
'status': 'warning'
}
assert self.iam_role.iam.role_delete() is True
def test_create_for__lambda(self):
self.iam_role.create_for__lambda().get('role_arn')
role_info = self.iam_role.iam.role_info()
service = role_info.get('AssumeRolePolicyDocument').get(
'Statement')[0].get('Principal').get('Service')
assert service == 'lambda.amazonaws.com'
policy_statement = list(
self.iam_role.iam.role_policies_statements().values()).pop()
assert policy_statement == [{
'Action': [
'logs:CreateLogGroup', 'logs:CreateLogStream',
'logs:PutLogEvents'
],
'Effect':
'Allow',
'Resource': [
'arn:aws:logs:{0}:{1}:log-group:/aws/lambda/*'.format(
region, account_id)
]
}]
assert self.iam_role.iam.role_delete(
) is True # delete role and policies
def for_lambda_invocation_exists(self):
iam_role = IAM_Role(self.role_name__for_lambda_invocation)
return iam_role.iam.role_exists()
def setUp(self):
self.temp_role_name = 'test_IAM_Role__temp_role'
self.iam_role = IAM_Role(role_name=self.temp_role_name)
with AWS_Config() as aws_config:
self.account_id = aws_config.aws_session_account_id()
self.region = aws_config.aws_session_region_name()
class test_IAM_Role(TestCase):
def setUp(self):
self.temp_role_name = 'test_IAM_Role__temp_role'
self.iam_role = IAM_Role(role_name=self.temp_role_name)
with AWS_Config() as aws_config:
self.account_id = aws_config.aws_session_account_id()
self.region = aws_config.aws_session_region_name()
def tearDown(self) -> None:
if self.iam_role.exists():
assert self.iam_role.delete()
def test___init__(self):
assert self.iam_role.iam.role_name == self.temp_role_name
def test_create_for__code_build(self):
result = self.iam_role.create_for__code_build()
status = result.get('status')
data = result.get('data')
role_arn = result.get('role_arn')
role_name = result.get('role_name')
create_date = data.get('CreateDate')
del data['RoleId']
del data['CreateDate']
expected_service = 'codebuild.amazonaws.com'
expected_arn = 'arn:aws:iam::{0}:role/test_IAM_Role__temp_role'.format(
self.account_id)
expected_data = {
'Arn': expected_arn,
'AssumeRolePolicyDocument': {
'Statement': [{
'Action': 'sts:AssumeRole',
'Effect': 'Allow',
'Principal': {
'Service': expected_service
}
}]
},
'Path': '/',
'RoleName': 'test_IAM_Role__temp_role'
}
assert status == 'ok'
assert role_arn == expected_arn
assert role_name == self.temp_role_name
assert data == expected_data
Assert(create_date).is_today()
assert self.iam_role.create_for__code_build() == {
'data': 'role already exists',
'role_name': self.temp_role_name,
'role_arn': expected_arn,
'status': 'warning'
}
def test_create_for__lambda(self):
self.iam_role.create_for__lambda().get('role_arn')
role_info = self.iam_role.info()
service = role_info.get('AssumeRolePolicyDocument').get(
'Statement')[0].get('Principal').get('Service')
assert service == 'lambda.amazonaws.com'
policy_statement = list(
self.iam_role.policies_statements().values()).pop()
assert policy_statement == [{
'Action': [
'logs:CreateLogGroup', 'logs:CreateLogStream',
'logs:PutLogEvents'
],
'Effect':
'Allow',
'Resource': [
'arn:aws:logs:{0}:{1}:log-group:/aws/lambda/*'.format(
self.region, self.account_id)
]
}]
def test_create_for_service_with_policies(self):
policy_name = "Cloud_Watch"
policies = {
policy_name: {
"Version":
"2012-10-17",
"Statement": [{
"Effect":
"Allow",
"Action": [
"logs:CreateLogGroup", "logs:CreateLogStream",
"logs:DescribeLogGroups", "logs:DescribeLogStreams",
"logs:PutLogEvents", "logs:GetLogEvents",
"logs:FilterLogEvents"
],
"Resource":
"*"
}]
}
}
service = 'apigateway.amazonaws.com'
recreate_policy = True
project_name = self.temp_role_name
result = self.iam_role.create_for_service_with_policies(
service, policies, project_name, recreate_policy)
assert result == {
'policies_arns': [
f'arn:aws:iam::{self.account_id}:policy/{policy_name}_{project_name}'
],
'role_arn':
f'arn:aws:iam::{self.account_id}:role/{project_name}'
}
temp_policies_arns = result['policies_arns']
temp_policy_arn = result['policies_arns'][0]
assert len(temp_policies_arns) == 1
assert self.iam_role.exists()
assert self.iam_role.iam.policy_exists(temp_policy_arn)
self.iam_role.delete() # will also delete all associated policies
assert self.iam_role.iam.policy_not_exists(temp_policy_arn)
assert self.iam_role.not_exists()