def processed_document(self):
if self._document != None:
return self._document
# resolve variable references and replace with resolved value
# ToDo: only looks up Stack output values?
for key, var in self.iotpolicy.variables.items():
if references.is_ref(var):
ref_value = references.resolve_ref(var, self.project)
if isinstance(ref_value, Stack):
output_key = ref_value.get_outputs_key_from_ref(
references.Reference(var))
ref_value = ref_value.get_outputs_value(output_key)
self.iotpolicy.variables[key] = ref_value
# replace ${variable} strings
def var_replace(match):
value = match.groups()[0]
if value.lower() == 'AWS::Region'.lower():
return self.aws_region
elif value.lower() == 'AWS::AccountId'.lower():
return self.account_ctx.id
elif value.find(':') != -1:
return "${" + value + "}"
else:
return self.iotpolicy.variables[value]
self._document = re.sub('\${(.+?)}', var_replace,
self.iotpolicy.policy_json)
return self._document
def get_ref(self, paco_ref, account_ctx=None):
"""Takes a Paco reference string (paco.ref <type>.<part>) and returns
the object or value that is being referenced.
Note that for `paco.ref accounts.<account-name>` references, the acount id is returned
and not the object.
"""
return references.resolve_ref(
paco_ref,
self.project,
account_ctx=account_ctx
)
def get_bucket_arn(self, resource_ref, *args, **kwargs):
if not resource_ref.startswith('paco.ref '):
resource_ref = 'paco.ref ' + resource_ref
references.resolve_ref(resource_ref, self.paco_ctx.project)
return self.contexts[resource_ref].get_bucket_arn(*args, **kwargs)
