def _add_cloudwatch_event_rule(
builder: Template, replication_bucket: Parameter,
listener_workflow: stepfunctions.StateMachine) -> events.Rule:
base_name = "ReplicationListenerEvent"
trigger_role = events_trigger_stepfuntions_role(
f"{base_name}Role", statemachine=listener_workflow)
builder.add_resource(trigger_role)
rule = events.Rule(
f"{base_name}Rule",
State="ENABLED",
EventPattern={
"source": ["aws.s3"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["s3.amazonaws.com"],
"eventName": ["PutObject"],
"requestParameters": {
"bucketName": [replication_bucket.ref()]
},
},
},
Targets=[
events.Target(Arn=listener_workflow.ref(),
Id=f"{base_name}TriggerWorkflow",
RoleArn=trigger_role.get_att("Arn"))
],
)
return builder.add_resource(rule)
def lambda_function(
*,
bucket_name: Parameter,
workers_key: Parameter,
name: str,
role: iam.Role,
runtime: str,
namespace: str,
module: str,
memory_size: int,
timeout: int,
tags: Tags,
source_bucket: Optional[Parameter] = None,
) -> awslambda.Function:
if source_bucket is None:
source_bucket = bucket_name
return awslambda.Function(
name,
Role=role.get_att("Arn"),
Code=awslambda.Code(S3Bucket=source_bucket.ref(),
S3Key=workers_key.ref()),
Handler=f"accretion_workers.{namespace}.{module}.lambda_handler",
Environment=_lambda_environment(bucket_name),
Runtime=runtime,
MemorySize=memory_size,
Timeout=timeout,
Tags=tags,
)
def _codebuild_role(artifacts_bucket: Parameter, resources_bucket: Parameter,
cmk: Parameter) -> iam.Role:
"""Construct a role for use by CodeBuild.
:param artifacts_bucket: Artifacts bucket parameter
:param resources_bucket: Resources bucket parameter
:param cmk: KMS CMK parameter
:return: Constructed Role
"""
assume_policy = AWS.PolicyDocument(Statement=[
AWS.Statement(
Principal=AWS.Principal(
"Service", make_service_domain_name(CODEBUILD.prefix)),
Effect=AWS.Allow,
Action=[STS.AssumeRole],
)
])
policy = AWS.PolicyDocument(Statement=[
AWS.Statement(
Effect=AWS.Allow,
Action=[
LOGS.CreateLogGroup, LOGS.CreateLogStream, LOGS.PutLogEvents
],
Resource=[account_arn(service_prefix=LOGS.prefix, resource="*")],
),
AWS.Statement(
Effect=AWS.Allow,
Action=[S3.GetObject, S3.GetObjectVersion, S3.PutObject],
Resource=[
Sub(f"${{{artifacts_bucket.title}}}/*"),
Sub(f"${{{resources_bucket.title}}}/*")
],
),
AWS.Statement(Effect=AWS.Allow,
Action=[KMS.Encrypt, KMS.Decrypt, KMS.GenerateDataKey],
Resource=[cmk.ref()]),
])
return iam.Role(
resource_name(iam.Role, "CodeBuild"),
AssumeRolePolicyDocument=assume_policy,
Policies=[
iam.Policy(PolicyName=_policy_name("CodeBuild"),
PolicyDocument=policy)
],
)
def test_ref_can_be_requested(self):
param = Parameter('title', Type='String')
reference = param.ref()
self.assertIsInstance(reference, Ref)
self.assertDictEqual(reference.data, {'Ref': 'title'})
def _codepipeline_role(artifacts_bucket: Parameter,
resources_bucket: Parameter,
cmk: Parameter) -> iam.Role:
"""Construct a role for use by CodePipeline.
:param artifacts_bucket: Artifacts bucket parameter
:param resources_bucket: Resources bucket parameter
:param cmk: KMS CMK parameter
:return: Constructed Role
"""
assume_policy = AWS.PolicyDocument(Statement=[
AWS.Statement(
Principal=AWS.Principal(
"Service", make_service_domain_name(CODEPIPELINE.prefix)),
Effect=AWS.Allow,
Action=[STS.AssumeRole],
)
])
policy = AWS.PolicyDocument(Statement=[
AWS.Statement(
Effect=AWS.Allow,
Action=[S3.GetBucketVersioning, S3.PutBucketVersioning],
Resource=[artifacts_bucket.ref(),
resources_bucket.ref()],
),
AWS.Statement(
Effect=AWS.Allow,
Action=[S3.GetObject, S3.PutObject],
Resource=[
Sub(f"${{{artifacts_bucket.title}}}/*"),
Sub(f"${{{resources_bucket.title}}}/*")
],
),
AWS.Statement(Effect=AWS.Allow,
Action=[KMS.Encrypt, KMS.Decrypt, KMS.GenerateDataKey],
Resource=[cmk.ref()]),
AWS.Statement(
Effect=AWS.Allow,
Action=[CLOUDWATCH.Action("*")],
Resource=[
account_arn(service_prefix=CLOUDWATCH.prefix, resource="*")
],
),
AWS.Statement(
Effect=AWS.Allow,
Action=[IAM.PassRole],
Resource=[
account_arn(service_prefix=IAM.prefix, resource="role/*")
],
),
AWS.Statement(
Effect=AWS.Allow,
Action=[LAMBDA.InvokeFunction, LAMBDA.ListFunctions],
Resource=[account_arn(service_prefix=LAMBDA.prefix, resource="*")],
),
AWS.Statement(
Effect=AWS.Allow,
Action=[
CLOUDFORMATION.CreateStack,
CLOUDFORMATION.DeleteStack,
CLOUDFORMATION.DescribeStacks,
CLOUDFORMATION.UpdateStack,
CLOUDFORMATION.CreateChangeSet,
CLOUDFORMATION.DeleteChangeSet,
CLOUDFORMATION.DescribeChangeSet,
CLOUDFORMATION.ExecuteChangeSet,
CLOUDFORMATION.SetStackPolicy,
CLOUDFORMATION.ValidateTemplate,
],
Resource=[
account_arn(service_prefix=CLOUDFORMATION.prefix, resource="*")
],
),
AWS.Statement(
Effect=AWS.Allow,
Action=[CODEBUILD.BatchGetBuilds, CODEBUILD.StartBuild],
Resource=[
account_arn(service_prefix=CODEBUILD.prefix, resource="*")
],
),
])
return iam.Role(
resource_name(iam.Role, "CodePipeline"),
AssumeRolePolicyDocument=assume_policy,
Policies=[
iam.Policy(PolicyName=_policy_name("CodePipeline"),
PolicyDocument=policy)
],
)
def test_ref_can_be_requested(self):
param = Parameter("title", Type="String")
reference = param.ref()
self.assertIsInstance(reference, Ref)
self.assertDictEqual(reference.data, {"Ref": "title"})
def _lambda_environment(bucket_name: Parameter) -> awslambda.Environment:
return awslambda.Environment(Variables=dict(S3_BUCKET=bucket_name.ref()))
