def create_iam_resources(self):
# We create a master role, and attach some policies for it, and allow all egress.
self.master_role = iam.Role(self.cluster_name + "-master-role",
assume_role_policy=ASSUME_ROLE_POLICY_DOC,
opts=pulumi.ResourceOptions(parent=self))
iam.RolePolicyAttachment(
self.cluster_name + "-master-AmazonEKSClusterPolicy",
policy_arn="arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
role=self.master_role,
opts=pulumi.ResourceOptions(parent=self))
iam.RolePolicyAttachment(
self.cluster_name + "-master-AmazonEKSServicePolicy",
policy_arn="arn:aws:iam::aws:policy/AmazonEKSServicePolicy",
role=self.master_role,
opts=pulumi.ResourceOptions(parent=self))
def default_iam_role(service_naming_convention, lambda_name):
current = get_partition()
lambda_role = iam.Role(
lambda_name + '_' + service_naming_convention,
assume_role_policy="""{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}"""
)
iam.RolePolicyAttachment(
lambda_name + '_' + service_naming_convention + '_default_policy',
role=lambda_role.name,
policy_arn=f"arn:{current.partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
)
return lambda_role
def generate_role(name, resources, **ropts):
role = iam.Role(
f'{name}',
assume_role_policy={
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com",
}
}]
},
**ropts,
)
iam.RolePolicyAttachment(f'{name}-base',
role=role,
policy_arn=BASIC_POLICY.arn,
**opts(parent=role))
if resources:
iam.RolePolicy(
f'{name}-policy',
role=role,
policy={
"Version":
"2012-10-17",
# FIXME: Reduce this
"Statement": [{
"Effect":
"Allow",
"Action":
"*", # FIXME: More reasonable permissions
"Resource":
pulumi.Output.all(
*[res[0].arn for res in resources.values()])
}]
},
**opts(parent=role))
return role
def update_iam(self):
aws = self.model.aws
if self.model.okta.users:
policy = iam.Policy(
"sari",
name="SARIPolicy",
description=MANAGED_BY_SARI_NOTICE,
policy=_aws_make_policy(
[{
"Effect": "Allow",
"Action": "rds-db:connect",
"Resource":
f"arn:aws:rds-db:*:{aws.account}:dbuser:*/{login}",
"Condition": {
"StringEquals": {
"aws:PrincipalTag/User": login
}
},
} for login, user in self.model.okta.users.items()
if user.status == "ACTIVE" and user.permissions]))
iam.RolePolicyAttachment("sari",
role=SARI_ROLE_NAME,
policy_arn=policy.arn)
"Statement": [{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {
"Service": "glue.amazonaws.com"
}
}]
}),
description="datalake mart crawler",
force_detach_policies=True,
path='/glue/',
name_prefix=f"{project}-{env}-mart-crawler")
# attach policies to crawler role
iam.RolePolicyAttachment('crawler-kms-policy',
role=crawler_role,
policy_arn=infra.policy_kms_full_usage.arn)
iam.RolePolicyAttachment('crawler-glue-service-policy',
role=crawler_role,
policy_arn=infra.policy_glue_service.arn)
iam.RolePolicy(
'crawler-read-mart-policy',
role=crawler_role,
policy=infra.mart_location.apply(lambda p: json.dumps({
"Version":
"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": f"arn:aws:s3:::{p[5:]}/*", #strip s3:// prefix
def __init__(self,
name,
scripts_bucket: s3.Bucket = None,
managed_policy_arns: List[str] = [],
tags: Dict[str, str] = None,
opts: pulumi.ResourceOptions = None):
super().__init__('hca:ScriptArchiveLambda', name, None, opts)
merged_tags = tags.copy() if tags else {}
merged_tags.update({'hca:dataclassification': 'pii'})
role = iam.Role(f"{name}-role",
path="/lambda/",
description=f"role for script archive lambda",
assume_role_policy=json.dumps({
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}]
}),
force_detach_policies=True,
tags=merged_tags,
opts=pulumi.ResourceOptions(parent=self))
# attach managed policies
if managed_policy_arns:
for index, policy in enumerate(managed_policy_arns):
iam.RolePolicyAttachment(
f"{name}-attach-policy-{index}",
policy_arn=policy,
role=role,
opts=pulumi.ResourceOptions(parent=self))
fileprocpolicy = iam.RolePolicy(
f"{name}-inline-policy",
role=role,
policy=scripts_bucket.bucket.apply(inline_policy),
opts=pulumi.ResourceOptions(parent=self))
print(
f"archive function => {os.path.abspath(os.path.join(os.getcwd(),'../../src/lambdas/scripts_archive.py'))}"
)
self.function = lambda_.Function(
f"{name}-function",
runtime='python3.6',
description=
'copy files from fileproc bucket to datalake raw bucket and trigger glue jobs',
handler='index.main',
memory_size=128,
timeout=30,
code=pulumi.AssetArchive({
# NOTE use relative path from pulumi root
'index.py':
pulumi.FileAsset(
os.path.abspath(
os.path.join(os.getcwd(),
'../../src/lambdas/scripts_archive.py'))),
}),
#code=pulumi.FileAsset(os.path.abspath(os.path.join(os.getcwd(),'../../src/lambdas/scripts_archive.py'))),
role=role.arn,
tags=merged_tags,
opts=pulumi.ResourceOptions(parent=self))
lambda_.Permission(f"{name}-permission",
action='lambda:InvokeFunction',
principal='s3.amazonaws.com',
function=self.function,
source_arn=scripts_bucket.arn,
opts=pulumi.ResourceOptions(parent=self))
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}""")
lambda_role_policy = iam.RolePolicy('lambdaRolePolicy',
role=lambda_role.id,
policy="""{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:*:*:*"
}]
}""")
lamdba_vpc_enabled = iam.RolePolicyAttachment(
'lamdba_vpc_enabled',
role=lambda_role.id,
policy_arn=
"arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole")
get_secret_resource_policy_document
noaccess_role = iam.Role("noaccess-role",
name="NoAccessRole",
assume_role_policy=get_assume_role_policy_document())
trusted_role = iam.Role("trusted-role",
name="TrustedRole",
assume_role_policy=get_assume_role_policy_document())
identity_policy = iam.Policy("identity-policy",
name="IdentityPolicy",
policy=get_identity_policy_document())
noaccess_role_attachment = iam.RolePolicyAttachment(
"noaccess-role-attachment",
role=noaccess_role,
policy_arn=identity_policy.arn)
trusted_role_attachment = iam.RolePolicyAttachment(
"trusted-role-attachment",
role=trusted_role,
policy_arn=identity_policy.arn)
secret_resource_policy_document = trusted_role.unique_id.apply(
lambda it: get_secret_resource_policy_document(it))
secret = secretsmanager.Secret("secret",
name="Secret",
policy=secret_resource_policy_document)
secret_value = secretsmanager.SecretVersion(
def __init__(self, name,
# optional list of iam.policy to attach to role
iam_policies:List[str]=None,
# encrypt logs
security_config:glue.SecurityConfiguration=None,
# required
script_location:str=None,
job_args:Dict[str,str]=None,
job_db_connections:List[Union[str,glue.Connection]]=None,
job_name_prefix:str='',
target_table:str='',
data_classification:str='nonsensitive',
tags:Dict[str,str]=None,
opts=None):
super().__init__('hca:GlueEtlJob', name, None, opts)
merged_tags = tags.copy() if tags else {}
merged_tags.update({
'hca:dataclassification': data_classification,
'hca:job_name': name,
'hca:target_table': target_table,
})
self.role = iam.Role(
resource_name=f"{name}-role",
path="/glue/",
description=f"role for glue etl job => {name}",
assume_role_policy=json.dumps({
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {
"Service": "glue.amazonaws.com"
}
}]
}),
force_detach_policies=True,
opts=pulumi.ResourceOptions(parent=self),
tags=merged_tags)
if iam_policies:
for i, iam_policy in enumerate(iam_policies):
iam.RolePolicyAttachment(f"{name}-policy-{i}",
policy_arn=iam_policy,
role=self.role,
opts=pulumi.ResourceOptions(parent=self))
self.glue_job = glue.Job(f"{job_name_prefix}_{name}",
glue_version='1.0',
command={
'name': 'glueetl',
'pythonVersion': '3',
'scriptLocation': script_location
},
role_arn=self.role.arn,
default_arguments=job_args,
max_capacity=2,
security_configuration=security_config,
tags=merged_tags,
connections=job_db_connections,
opts=pulumi.ResourceOptions(parent=self))
'Statement': [
{
'Action': 'sts:AssumeRole',
'Principal': {
'Service': 'eks.amazonaws.com'
},
'Effect': 'Allow',
'Sid': ''
}
],
}),
)
iam.RolePolicyAttachment(
'eks-service-policy-attachment',
role=eks_role.id,
policy_arn='arn:aws:iam::aws:policy/AmazonEKSServicePolicy',
)
iam.RolePolicyAttachment(
'eks-cluster-policy-attachment',
role=eks_role.id,
policy_arn='arn:aws:iam::aws:policy/AmazonEKSClusterPolicy',
)
## Ec2 NodeGroup Role
ec2_role = iam.Role(
'ec2-nodegroup-iam-role',
assume_role_policy=json.dumps({
def __init__(self,
name,
datalake_bucket: s3.Bucket = None,
datalake_raw_path: str = None,
fileproc_bucket: s3.Bucket = None,
managed_policy_arns: List[str] = None,
package_dir: str = None,
tags: Dict[str, str] = None,
opts: pulumi.ResourceOptions = None):
super().__init__('hca:GlueNotificationLambda', name, None, opts)
merged_tags = tags.copy() if tags else {}
merged_tags.update({'hca:dataclassification': 'pii'})
role = iam.Role(f"{name}-role",
path="/lambda/",
description=f"role for glue notification lambda",
assume_role_policy=json.dumps({
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}]
}),
force_detach_policies=True,
tags=merged_tags,
opts=pulumi.ResourceOptions(parent=self))
# attach managed policies
if managed_policy_arns:
for index, policy in enumerate(managed_policy_arns):
iam.RolePolicyAttachment(
f"{name}-attach-policy-{index}",
policy_arn=policy,
role=role,
opts=pulumi.ResourceOptions(parent=self))
fileprocpolicy = iam.RolePolicy(
f"{name}-inline-policy",
role=role,
policy=pulumi.Output.all(datalake_bucket.bucket,
fileproc_bucket.bucket).apply(
lambda b: inline_policy(b[0], b[1])),
opts=pulumi.ResourceOptions(parent=self))
self.function = lambda_.Function(
f"{name}-function",
runtime='python3.6',
description=
'copy files from fileproc bucket to datalake raw bucket and trigger glue jobs',
handler='glue_notification.main',
environment={
'variables': {
'S3_DATALAKE_BUCKET': datalake_bucket,
'S3_RAW_PATH': datalake_raw_path,
'PULUMI_STACK': pulumi.get_stack(),
'PULUMI_PROJECT': pulumi.get_project()
}
},
memory_size=256,
timeout=60,
code=pulumi.AssetArchive({
# use lambda-glue-notification created with build.py
'.': pulumi.FileArchive(package_dir),
}),
role=role.arn,
tags=merged_tags,
opts=pulumi.ResourceOptions(parent=self))
lambda_.Permission(f"{name}-permission",
action='lambda:InvokeFunction',
principal='s3.amazonaws.com',
function=self.function,
source_arn=fileproc_bucket.arn,
opts=pulumi.ResourceOptions(parent=self))
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {"Service": ["lambda.amazonaws.com"]},
}
],
}
),
)
# Attach the basic Lambda execution policy to our Role
iam.RolePolicyAttachment(
resource_name="policy-attachment",
policy_arn="arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
role=role.name,
)
lambda_layer = lambda_.LayerVersion(
resource_name="layer",
layer_name="example-layer",
compatible_runtimes=["python3.6"],
code=lambda_package.layer_archive_path,
source_code_hash=lambda_package.layer_hash,
)
# Create Lambda function
function = lambda_.Function(
resource_name="function",
role=role.arn,
"Version":
"2012-10-17",
"Statement": [{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Effect": "Allow",
"Sid": "",
}],
}),
)
lambda_role_policy_exec = iam.RolePolicyAttachment(
"ce-lambda-role-policy-exec",
role=lambda_role.id,
policy_arn=
"arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
)
lambda_role_policy_ec2 = iam.RolePolicyAttachment(
"ce-lambda-role-policy-ec2",
role=lambda_role.id,
policy_arn="arn:aws:iam::aws:policy/AmazonEC2FullAccess",
)
sfn_role = iam.Role(
"ce-sfn-role",
assume_role_policy=json.dumps({
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
}]
}))
policy = iam.Policy("mypolicy",
policy=json.dumps({
"Version":
"2012-10-17",
"Statement": [{
"Action": ["ec2:Describe*"],
"Effect": "Allow",
"Resource": "*"
}]
}))
role_policy_attachment = iam.RolePolicyAttachment("myrolepolicyattachment",
role=role.id,
policy_arn=policy.arn)
user = iam.User("myuser")
group = iam.Group("mygroup")
## Kinesis
stream = kinesis.Stream("mystream", shard_count=1)
## SQS
queue = sqs.Queue("myqueue")
## SNS
topic = sns.Topic("mytopic")
role = iam.Role(
f"{APP}-flowlog-role",
assume_role_policy=assume_role_policy_doc,
name=f"{APP}-flowlog-role",
path="/",
tags={
'Name': f"{APP}-flowlog-role",
'Environment': _env
}
)
attach_info = Output.all(role.name, policy.arn)
role_attach = attach_info.apply(
lambda info: iam.RolePolicyAttachment(
f"{APP}-flowlog-role-attach",
policy_arn=info[1],
role=info[0]
)
)
flowlog_info = Output.all(role.arn, log_group.arn)
flowlog = flowlog_info.apply(
lambda info: ec2.FlowLog(
f"{APP}-flowlog",
iam_role_arn=info[0],
log_destination=info[1],
traffic_type="ALL",
vpc_id=vpc.id,
tags={
'Name': f"{APP}-flowlog",
'Environment': _env
'compressionFormat': 'GZIP'
})
firehoseRolePolicy = iam.RolePolicy(
'ReplicationDeliveryStreamPolicy',
role=firehoseRole.name,
policy=getFirehoseRolePolicyDocument(
region, accountId, bucket.arn,
deliveryStream.name).apply(lambda d: json.dumps(d)))
lambdaRole = iam.Role('ReplicationLambdaRole',
assume_role_policy=getLambdaRoleTrustPolicyDocument())
lambdaRoleBasicExecutionPolicy = iam.RolePolicyAttachment(
'ReplicationLambdaBasicExecPolicy',
role=lambdaRole.name,
policy_arn=
'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole')
lambdaRoleAllowDynamoStreamPolicy = iam.RolePolicy(
"ReplicationLambdaAllowDynamoPolicy",
role=lambdaRole.name,
policy=getAllowDynamoStreamPolicyDocument(
dynamoTable.stream_arn).apply(lambda d: json.dumps(d)))
lambdaRoleAllowFirehosePutPolicy = iam.RolePolicy(
"ReplicationLambdaAllowFirehosePolicy",
role=lambdaRole.name,
policy=getAllowFirehosePutPolicyDocument(
deliveryStream.arn).apply(lambda d: json.dumps(d)))
}))
policy = iam.Policy(
"iam-policy",
policy=table.arn.apply(lambda arn: json.dumps({
"Version":
"2012-10-17",
"Statement": [{
"Action": ["dynamodb:PutItem", "dynamodb:GetItem"],
"Effect": "Allow",
"Resource": [arn]
}]
})))
attachment = iam.RolePolicyAttachment("iam-policy-attachment",
role=role,
policy_arn=policy.arn)
## GraphQL Schema
schema = """
type Query {
getTenantById(id: ID!): Tenant
}
type Mutation {
addTenant(id: ID!, name: String!): Tenant!
}
type Tenant {
id: ID!
name: String
max_session_duration='3600',
path='/',
force_detach_policies=False,
)
ec2_role = iam.Role(
'ec2-role',
assume_role_policy=
'{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"sts:AssumeRole\"],\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"ec2.amazonaws.com\"]}}]}',
max_session_duration='3600',
path='/',
force_detach_policies=False,
)
eks_role_policy_0 = iam.RolePolicyAttachment(
'eks-role-policy-0',
policy_arn='arn:aws:iam::aws:policy/AmazonEKSClusterPolicy',
role=eks_role.name)
eks_role_policy_1 = iam.RolePolicyAttachment(
'eks-role-policy-1',
policy_arn='arn:aws:iam::aws:policy/AmazonEKSServicePolicy',
role=eks_role.name)
instance_role_policy_0 = iam.RolePolicyAttachment(
'instance-role-policy-0',
policy_arn='arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly',
role=ec2_role.name)
instance_role_policy_1 = iam.RolePolicyAttachment(
'instance-role-policy-1',
policy_arn='arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy',
"Action": ["s3:GetObject"],
"Resource": f"{bucket_arn}/*",
},
],
})
iam.RolePolicy(
f"{MODULE_NAME}-role-policy",
role=role.id,
policy=bucket.arn.apply(lambda_role_policy),
)
iam.RolePolicyAttachment(
f"{MODULE_NAME}-xray",
policy_arn="arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess",
role=role.id,
)
aws_lambda = lambda_.Function(
f"{MODULE_NAME}",
role=role.arn,
runtime="python3.6",
handler="lambda_handler.morgue_stalker",
s3_key=config.require("artifact_name"),
s3_bucket="morgue-artifacts",
tracing_config={"mode": "Active"},
timeout=900,
layers=[dependency_layer.arn],
environment={"variables": {
"MORGUE_BUCKETNAME": bucket.id
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}""")
iam.RolePolicyAttachment(
"VpcAccessPolicyAttach",
policy_arn=
"arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole",
role=example_role.name)
# Lambda
mount_location = "/mnt/efs"
example_function = lambda_.Function(
"exampleFunction",
code="lambda.zip",
source_code_hash=filebase64sha256("lambda.zip"),
handler="handler.my_handler",
role=example_role.arn,
runtime="python3.8",
vpc_config={
