def test_with_list_role_policies_access_denied_error(
self, mock_delete_role, mock_delete_role_policy,
mock_list_role_policies):
id_data = {
'AbstractRoleMappings': {
self.logical_role_name: self.role_name
}
}
role_utils.delete_access_control_role(id_data, self.logical_role_name)
self.assertEquals(id_data, {'AbstractRoleMappings': {}})
mock_list_role_policies.assert_called_once_with(
RoleName=self.role_name)
mock_delete_role.assert_called_once_with(RoleName=self.role_name)
def test_with_delete_role_no_such_entity_error(self, mock_delete_role,
mock_delete_role_policy,
mock_list_role_policies):
id_data = {
'AbstractRoleMappings': {
self.logical_role_name: self.role_name
}
}
role_utils.delete_access_control_role(id_data, self.logical_role_name)
self.assertEquals(id_data, {'AbstractRoleMappings': {}})
mock_list_role_policies.assert_called_once_with(
RoleName=self.role_name)
mock_delete_role_policy.assert_any_call(RoleName=self.role_name,
PolicyName=self.policy_name_1)
mock_delete_role_policy.assert_any_call(RoleName=self.role_name,
PolicyName=self.policy_name_2)
mock_delete_role.assert_called_once_with(RoleName=self.role_name)
def test_with_list_role_policies_other_error(self, mock_list_role_policies,
mock_delete_role,
mock_delete_role_policy):
id_data = {
'AbstractRoleMappings': {
self.logical_role_name: self.role_name
}
}
with self.assertRaisesRegexp(ClientError, self.unknown_error_code):
role_utils.delete_access_control_role(id_data,
self.logical_role_name)
self.assertEquals(
id_data,
{'AbstractRoleMappings': {
self.logical_role_name: self.role_name
}})
mock_list_role_policies.assert_called_once_with(
RoleName=self.role_name)
def handler(event, context):
props = properties.load(
event, {
'ConfigurationBucket':
properties.String(),
'ConfigurationKey':
properties.String(),
'FunctionName':
properties.String(),
'Settings':
properties.Object(default={}, schema={'*': properties.String()}),
'Runtime':
properties.String()
})
request_type = event['RequestType']
stack_arn = event['StackId']
logical_role_name = props.FunctionName
id_data = aws_utils.get_data_from_custom_physical_resource_id(
event.get('PhysicalResourceId', None))
if request_type == 'Delete':
role_utils.delete_access_control_role(id_data, logical_role_name)
response_data = {}
else:
if request_type == 'Create':
project_service_lambda_arn = _get_project_service_lambda_arn(
stack_arn)
assume_role_service = 'lambda.amazonaws.com'
role_arn = role_utils.create_access_control_role(
id_data,
stack_arn,
logical_role_name,
assume_role_service,
default_policy=get_default_policy(project_service_lambda_arn))
elif request_type == 'Update':
role_arn = role_utils.get_access_control_role_arn(
id_data, logical_role_name)
else:
raise RuntimeError(
'Unexpected request type: {}'.format(request_type))
_add_built_in_settings(props.Settings.__dict__, stack_arn)
# Check if we have a folder just for this function, if not use the default
input_key = _get_input_key(props)
output_key = _inject_settings(props.Settings.__dict__, props.Runtime,
props.ConfigurationBucket, input_key,
props.FunctionName)
response_data = {
'ConfigurationBucket':
props.ConfigurationBucket,
'ConfigurationKey':
output_key,
'Runtime':
props.Runtime,
'Role':
role_arn,
'RoleName':
role_utils.get_access_control_role_name(stack_arn,
logical_role_name)
}
physical_resource_id = aws_utils.construct_custom_physical_resource_id_with_data(
stack_arn, event['LogicalResourceId'], id_data)
custom_resource_response.succeed(event, context, response_data,
physical_resource_id)
def handler(event, context):
request_type = event['RequestType']
logical_resource_id = event['LogicalResourceId']
logical_role_name = logical_resource_id
owning_stack_info = stack_info.get_stack_info(event['StackId'])
rest_api_resource_name = owning_stack_info.stack_name + '-' + logical_resource_id
id_data = aws_utils.get_data_from_custom_physical_resource_id(
event.get('PhysicalResourceId', None))
response_data = {}
if request_type == 'Create':
props = properties.load(event, PROPERTY_SCHEMA)
role_arn = role_utils.create_access_control_role(
id_data, owning_stack_info.stack_arn, logical_role_name,
API_GATEWAY_SERVICE_NAME)
swagger_content = get_configured_swagger_content(
owning_stack_info, props, role_arn, rest_api_resource_name)
rest_api_id = create_api_gateway(props, swagger_content)
response_data['Url'] = get_api_url(rest_api_id,
owning_stack_info.region)
id_data['RestApiId'] = rest_api_id
elif request_type == 'Update':
rest_api_id = id_data.get('RestApiId', None)
if not rest_api_id:
raise RuntimeError(
'No RestApiId found in id_data: {}'.format(id_data))
props = properties.load(event, PROPERTY_SCHEMA)
role_arn = role_utils.get_access_control_role_arn(
id_data, logical_role_name)
swagger_content = get_configured_swagger_content(
owning_stack_info, props, role_arn, rest_api_resource_name)
update_api_gateway(rest_api_id, props, swagger_content)
response_data['Url'] = get_api_url(rest_api_id,
owning_stack_info.region)
elif request_type == 'Delete':
if not id_data:
# The will be no data in the id if Cloud Formation cancels a resource creation
# (due to a failure in another resource) before it processes the resource create
# response. Appearently Cloud Formation has an internal temporary id for the
# resource and uses it for the delete request.
#
# Unfortunalty there isn't a good way to deal with this case. We don't have the
# id data, so we can't clean up the things it identifies. At best we can allow the
# stack cleanup to continue, leaving the rest API behind and role behind.
print 'WARNING: No id_data provided on delete.'.format(id_data)
else:
rest_api_id = id_data.get('RestApiId', None)
if not rest_api_id:
raise RuntimeError(
'No RestApiId found in id_data: {}'.format(id_data))
delete_api_gateway(rest_api_id)
del id_data['RestApiId']
role_utils.delete_access_control_role(id_data, logical_role_name)
else:
raise RuntimeError('Invalid RequestType: {}'.format(request_type))
physical_resource_id = aws_utils.construct_custom_physical_resource_id_with_data(
event['StackId'], logical_resource_id, id_data)
custom_resource_response.succeed(event, context, response_data,
physical_resource_id)
