def codebuild_policy_document(input_kwargs, build_data):
    """Populate ``input_kwargs["policy"]`` with the "Lambda-Common-Permissions" document.

    Args:
        input_kwargs: dict that receives the serialised policy under ``"policy"``;
            it is mutated in place and also returned.
        build_data: dict providing ``"account_id"`` and ``"region"``.

    Returns:
        ``input_kwargs`` with ``"policy"`` set to the JSON of an awacs
        ``PolicyDocument`` whose three Allow statements all name the same IAM
        user as principal.

    Review notes (behaviour deliberately unchanged here):
        * The second statement pairs ec2/ce/events/secretsmanager/kms/cloudwatch
          actions with S3-only resource ARNs.  IAM requires both the action and
          the resource to match, so only the ``s3:*`` part can be satisfied by
          those ARNs; the other actions are effectively not granted.  If someone
          "fixes" this by widening ``Resource`` to ``"*"``, the ``kms:*``,
          ``cloudwatch:*`` and ``s3:*`` wildcards become a very large blast
          radius -- enumerate the actions actually needed instead.
        * The third statement allows ``rds:ModifyDBClusterSnapshotAttribute`` on
          ``"*"``.  That call can share a cluster snapshot with other AWS
          accounts, so it is a data-exfiltration path for a compromised
          principal; scope it to the intended snapshot ARNs.
    """
    grantee = "******"  # redacted IAM user name
    account_id = build_data["account_id"]
    aws_region = build_data["region"]

    def grantee_principal():
        # The same IAM user is the principal of every statement.
        return Principal("AWS", [IAM_ARN(grantee, '', account_id)])

    lambda_log_groups = f"arn:aws:logs:{aws_region}:{account_id}:log-group:/aws/lambda/*"
    # These are S3 bucket/object ARNs even though they are attached to EC2 (and
    # other non-S3) actions below -- see the review notes in the docstring.
    product_image_buckets = [
        "arn:aws:s3:::product-images-*",
        "arn:aws:s3:::product-images-*/*",
    ]

    log_statement = Statement(
        Effect=Allow,
        Principal=grantee_principal(),
        Action=[logs.CreateLogStream, logs.PutLogEvents],
        Resource=[lambda_log_groups],
    )
    mixed_service_statement = Statement(
        Effect=Allow,
        Principal=grantee_principal(),
        Action=[
            ec2.CreateNetworkInterface,
            ec2.DescribeNetworkInterfaces,
            ec2.DeleteNetworkInterface,
            "ec2:Describe*",
            ec2.CreateSnapshot,
            ec2.DeleteSnapshot,
            ec2.CreateImage,
            ec2.CopyImage,
            ec2.DeregisterImage,
            ce.GetCostAndUsage,
            events.EnableRule,
            secretsmanager.GetSecretValue,
            secretsmanager.DescribeSecret,
            "kms:*",
            "cloudwatch:*",
            "s3:*",
        ],
        Resource=product_image_buckets,
    )
    rds_snapshot_statement = Statement(
        Effect=Allow,
        Principal=grantee_principal(),
        Action=[
            rds.DescribeDBClusterSnapshots,
            rds.DescribeDBClusters,
            rds.CopyDBClusterSnapshot,
            rds.ModifyDBClusterSnapshotAttribute,
            rds.ListTagsForResource,
        ],
        Resource=['*'],
    )

    document = PolicyDocument(
        Version="2012-10-17",
        Id="Lambda-Common-Permissions",
        Statement=[log_statement, mixed_service_statement, rds_snapshot_statement],
    )
    input_kwargs["policy"] = document.to_json()
    return input_kwargs
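def codepipeline_policy_document(input_kwargs, build_data):
    """Populate ``input_kwargs["policy"]`` with the "CodePipeline-Permissions" document.

    Args:
        input_kwargs: dict that must carry ``"name"`` (the artifact bucket
            name); it receives the serialised policy under ``"policy"``, is
            mutated in place and returned.
        build_data: dict providing ``"account_id"``.

    Returns:
        ``input_kwargs`` with ``"policy"`` set.

    Fix:
        Object-level S3 actions (``GetObject``, ``PutObject``,
        ``GetObjectVersion``, ``ListMultipartUploadParts``) are evaluated
        against *object* ARNs (``arn:aws:s3:::bucket/key``), never against the
        bare bucket ARN.  The original listed only the bucket ARN, so the
        pipeline could list the bucket but not read or write artifacts in it.
        The S3 statement now carries both the bucket ARN and ``bucket/*``.

    Review notes (not changed here):
        * ``iam:PassRole`` on ``"*"`` lets the principal hand *any* role in
          the account to CodeBuild/CodeDeploy and thereby act with that role's
          permissions -- a classic privilege-escalation path.  Narrow
          ``Resource`` to the specific service-role ARNs (and, if the helper
          types are available, add an ``iam:PassedToService`` condition).
        * ``s3:CreateBucket``, ``s3:ListAllMyBuckets``, ``s3:ListJobs`` and
          ``s3:ListAccessPoints`` are account-level actions that presumably
          need ``Resource: "*"``; listed against a bucket ARN they are inert
          (verify in the Service Authorization Reference before relying on
          them).
    """
    user = "******"  # redacted IAM user name
    account = build_data["account_id"]
    bucket_arn = "arn:aws:s3:::{0}".format(input_kwargs["name"])
    # Object-level actions only ever match object ARNs, hence the "/*" companion.
    bucket_resources = [bucket_arn, f"{bucket_arn}/*"]

    pipeline_statement = Statement(
        Effect=Allow,
        Principal=Principal("AWS", [IAM_ARN(user, '', account)]),
        Action=[
            codebuild.StartBuild, codebuild.BatchGetBuilds,
            codedeploy.CreateDeployment,
            codedeploy.GetApplicationRevision,
            codedeploy.GetDeployment,
            codedeploy.GetDeploymentConfig,
            codedeploy.RegisterApplicationRevision, iam.PassRole,
            iam.GetRole, codecommit.GitPull
        ],
        Resource=['*'],
    )
    artifact_bucket_statement = Statement(
        Effect=Allow,
        Principal=Principal("AWS", [IAM_ARN(user, '', account)]),
        Action=[
            s3.CreateBucket, s3.GetObject, s3.ListAccessPoints,
            s3.ListAllMyBuckets, s3.ListBucket,
            s3.ListBucketByTags, s3.ListBucketMultipartUploads,
            s3.ListBucketVersions, s3.ListJobs,
            s3.ListMultipartUploadParts, s3.ListObjects,
            s3.PutObject, s3.GetBucketAcl, s3.GetBucketLocation,
            s3.GetObjectVersion
        ],
        Resource=bucket_resources,
    )

    pd = PolicyDocument(
        Version="2012-10-17",
        Id="CodePipeline-Permissions",
        Statement=[pipeline_statement, artifact_bucket_statement],
    )

    input_kwargs["policy"] = pd.to_json()

    return input_kwargs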
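def codebuild_policy_document(input_kwargs, build_data):
    """Populate ``input_kwargs["policy"]`` with the "RDS-Monitoring-Permissions" document.

    Args:
        input_kwargs: dict that receives the serialised policy under
            ``"policy"``; mutated in place and returned.
        build_data: dict providing ``"account_id"``.

    Returns:
        ``input_kwargs`` with ``"policy"`` set to two Allow statements for the
        IAM user principal: CloudWatch Logs log-delivery management on the
        RDS/DocDB/Neptune log groups, and Kinesis stream management on
        ``aws-rds-das-*`` streams (Database Activity Streams).

    Fixes:
        * The log-delivery statement wrapped the ``logs_arn`` *list* in another
          list (``Resource=[logs_arn]``), which serialises as a nested JSON
          array and is not a valid ``Resource`` value.  The list is now passed
          directly.
        * The Kinesis stream ARN pattern was duplicated (once in an unused and
          misleadingly named ``ec2_arn`` local, once as a literal); it is now
          defined once and shared.
        * The unused ``region`` lookup was dropped -- every ARN here uses
          wildcards for region and account.

    Review notes (not changed here):
        * The ``logs:*LogDelivery`` actions presumably do not support
          resource-level permissions, in which case a non-``*`` resource makes
          this statement inert; confirm against the Service Authorization
          Reference before deploying.
        * ``kinesis:DeleteStream`` on activity streams lets the principal stop
          audit delivery; consider whether the monitoring role really needs it.
    """
    user = "******"  # redacted IAM user name
    account = build_data["account_id"]
    logs_arn = [
        "arn:aws:logs:*:*:log-group:/aws/rds/*:log-stream:*",
        "arn:aws:logs:*:*:log-group:/aws/docdb/*:log-stream:*",
        "arn:aws:logs:*:*:log-group:/aws/neptune/*:log-stream:*"
    ]
    # Database Activity Streams publish to Kinesis streams with this prefix.
    das_stream_arns = ["arn:aws:kinesis:*:*:stream/aws-rds-das-*"]

    pd = PolicyDocument(
        Version="2012-10-17",
        Id="RDS-Monitoring-Permissions",
        Statement=[
            Statement(Effect=Allow,
                      Principal=Principal("AWS", [IAM_ARN(user, '', account)]),
                      Action=[
                          logs.CreateLogDelivery, logs.GetLogDelivery,
                          logs.UpdateLogDelivery, logs.DeleteLogDelivery,
                          logs.ListLogDeliveries
                      ],
                      # logs_arn is already a list; do not wrap it again.
                      Resource=logs_arn),
            Statement(Effect=Allow,
                      Principal=Principal("AWS", [IAM_ARN(user, '', account)]),
                      Action=[
                          kinesis.CreateStream, kinesis.PutRecord,
                          kinesis.PutRecords, kinesis.DescribeStream,
                          kinesis.SplitShard, kinesis.MergeShards,
                          kinesis.DeleteStream, kinesis.UpdateShardCount
                      ],
                      Resource=das_stream_arns)
        ])

    input_kwargs["policy"] = pd.to_json()

    return input_kwargs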
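def codebuild_policy_document(input_kwargs, build_data):
    """Populate ``input_kwargs["policy"]`` with the "Dynamodb-Permissions" document.

    Args:
        input_kwargs: dict that receives the serialised policy under
            ``"policy"``; mutated in place and returned.
        build_data: dict providing ``"account_id"``, ``"region"`` and
            ``"table_name"``.

    Returns:
        ``input_kwargs`` with ``"policy"`` set to two Allow statements for the
        IAM user principal: read/write/admin actions on one DynamoDB table and
        ``kms:Encrypt``/``Decrypt``/``DescribeKey`` on ``"*"``.

    Fix:
        The table ARN f-string contained stray ``$`` characters
        (``:${account}:table/${table_name}``), so the rendered ARN was
        ``...:$123456789012:table/$name`` -- a resource that can never match
        and therefore a policy that silently granted nothing.  The ``$`` signs
        (a leftover from shell/CloudFormation-style substitution) are removed.

    Review notes (not changed here):
        * ``kms:Decrypt`` on ``"*"`` lets the principal decrypt with every key
          in the account, not just the table's key.  Scope ``Resource`` to the
          table CMK ARN (a ``kms:ViaService`` condition is the usual companion).
        * ``dynamodb:ListTables``, ``DescribeLimits`` and
          ``DescribeReservedCapacity*`` are account-level actions that
          presumably require ``Resource: "*"``, and ``Query``/``Scan`` against a
          GSI presumably need ``table/<name>/index/*``; verify both against the
          Service Authorization Reference.
        * ``CreateTable`` and ``BatchWriteItem``/``DeleteItem`` are bundled with
          read actions; split into reader and writer statements if the
          principal is ever shared.
    """
    user = "******"  # redacted IAM user name
    account = build_data["account_id"]
    region = build_data["region"]
    table_name = build_data["table_name"]
    # Plain f-string interpolation: no "$" prefixes, or the ARN never matches.
    db_arn = f"arn:aws:dynamodb:{region}:{account}:table/{table_name}"

    pd = PolicyDocument(
        Version="2012-10-17",
        Id="Dynamodb-Permissions",
        Statement=[
            Statement(Effect=Allow,
                      Principal=Principal("AWS", [IAM_ARN(user, '', account)]),
                      Action=[
                          dynamodb.DescribeLimits, dynamodb.DescribeTimeToLive,
                          dynamodb.ListTagsOfResource,
                          dynamodb.DescribeReservedCapacityOfferings,
                          dynamodb.DescribeReservedCapacity,
                          dynamodb.ListTables, dynamodb.BatchGetItem,
                          dynamodb.BatchWriteItem, dynamodb.CreateTable,
                          dynamodb.DeleteItem, dynamodb.GetItem,
                          dynamodb.GetRecords, dynamodb.PutItem,
                          dynamodb.Query, dynamodb.UpdateItem, dynamodb.Scan,
                          dynamodb.DescribeTable
                      ],
                      Resource=[db_arn]),
            Statement(Effect=Allow,
                      Principal=Principal("AWS", [IAM_ARN(user, '', account)]),
                      Action=[kms.Encrypt, kms.Decrypt, kms.DescribeKey],
                      Resource=["*"])
        ])

    input_kwargs["policy"] = pd.to_json()

    return input_kwargs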
def kms_policy_document(input_kwargs, build_data):
    """Populate ``input_kwargs["policy"]`` with the "KMS-Account-Permissions" document.

    Args:
        input_kwargs: dict that receives the serialised policy under
            ``"policy"``; mutated in place and returned.
        build_data: dict providing ``"account_id"``.

    Returns:
        ``input_kwargs`` with ``"policy"`` set to a single Allow statement that
        grants the IAM user principal a near-complete set of KMS actions on
        ``"*"``.

    Review notes:
        This rolls key *administration* and key *use* into one grant on every
        key in the account: ``PutKeyPolicy`` can rewrite any key policy,
        ``ScheduleKeyDeletion``/``DisableKey``/``DisableKeyRotation`` can deny
        service to everything encrypted under a key, and
        ``ImportKeyMaterial``/``CreateGrant``/``RevokeGrant`` change who may
        use a key.  AWS guidance is to keep administrators (no Encrypt/Decrypt)
        separate from users (no policy/lifecycle actions) and to scope each to
        specific key ARNs; this document does neither, so the principal must
        be treated as a full KMS administrator.
    """
    grantee = "******"  # redacted IAM user name
    account_id = build_data["account_id"]

    # Order is kept exactly as before so the emitted JSON is byte-identical.
    kms_actions = [
        kms.CancelKeyDeletion,
        kms.ConnectCustomKeyStore,
        kms.CreateAlias,
        kms.CreateCustomKeyStore,
        kms.CreateGrant,
        kms.CreateKey,
        kms.Decrypt,
        kms.DeleteAlias,
        kms.DeleteCustomKeyStore,
        kms.DeleteImportedKeyMaterial,
        kms.DescribeCustomKeyStores,
        kms.DescribeKey,
        kms.DisableKey,
        kms.DisableKeyRotation,
        kms.DisconnectCustomKeyStore,
        kms.EnableKey,
        kms.EnableKeyRotation,
        kms.Encrypt,
        kms.GenerateDataKey,
        kms.GenerateDataKeyWithoutPlaintext,
        kms.GenerateRandom,
        kms.GetKeyPolicy,
        kms.GetKeyRotationStatus,
        kms.GetParametersForImport,
        kms.ImportKeyMaterial,
        kms.ListAliases,
        kms.ListGrants,
        kms.ListKeyPolicies,
        kms.ListKeys,
        kms.ListResourceTags,
        kms.ListRetirableGrants,
        kms.PutKeyPolicy,
        kms.ReEncrypt,
        kms.ReEncryptFrom,
        kms.ReEncryptTo,
        kms.RetireGrant,
        kms.RevokeGrant,
        kms.ScheduleKeyDeletion,
        kms.TagResource,
        kms.UntagResource,
        kms.UpdateAlias,
        kms.UpdateCustomKeyStore,
        kms.UpdateKeyDescription,
    ]

    admin_statement = Statement(
        Effect=Allow,
        Principal=Principal("AWS", [IAM_ARN(grantee, '', account_id)]),
        Action=kms_actions,
        Resource=['*'],
    )
    document = PolicyDocument(
        Version="2012-10-17",
        Id="KMS-Account-Permissions",
        Statement=[admin_statement],
    )

    input_kwargs["policy"] = document.to_json()
    return input_kwargs
def efs_policy_document(input_kwargs, build_data):
    """Populate ``input_kwargs["policy"]`` with the "EFS-Permissions" document.

    Args:
        input_kwargs: dict that receives the serialised policy under
            ``"policy"``; mutated in place and returned.
        build_data: dict providing ``"account_id"``.

    Returns:
        ``input_kwargs`` with ``"policy"`` set to one Allow statement letting
        the IAM user principal describe and create file systems, tag them, and
        describe/create mount targets, all on ``"*"``.

    Review notes:
        ``CreateMountTarget`` exposes a file system inside a VPC subnet with a
        security group chosen by the caller, so on ``"*"`` the principal can
        attach any file system in the account to any network it can name.
        ``CreateFileSystem`` presumably has no resource type and needs ``"*"``,
        but the mount-target and tagging actions can presumably be scoped to
        specific file-system ARNs -- verify against the Service Authorization
        Reference and split the statement if so.
    """
    grantee = "******"  # redacted IAM user name
    account_id = build_data["account_id"]

    efs_actions = [
        elasticfilesystem.DescribeFileSystems,
        elasticfilesystem.CreateFileSystem,
        elasticfilesystem.CreateTags,
        elasticfilesystem.DescribeMountTargets,
        elasticfilesystem.CreateMountTarget,
    ]
    efs_statement = Statement(
        Effect=Allow,
        Principal=Principal("AWS", [IAM_ARN(grantee, '', account_id)]),
        Action=efs_actions,
        Resource=['*'],
    )
    document = PolicyDocument(
        Version="2012-10-17",
        Id="EFS-Permissions",
        Statement=[efs_statement],
    )

    input_kwargs["policy"] = document.to_json()
    return input_kwargs
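def codebuild_policy_document(input_kwargs, build_data):
    """Populate ``input_kwargs["policy"]`` with the "Codebuild-Permissions" document.

    Args:
        input_kwargs: dict that receives the serialised policy under
            ``"policy"``; mutated in place and returned.
        build_data: dict providing ``"account_id"``.

    Returns:
        ``input_kwargs`` with ``"policy"`` set to six Allow statements for the
        IAM user principal, every one of them on ``Resource: "*"``: CodeBuild
        administration (plus ``iam:PassRole`` and ``codecommit:GitPull``),
        CloudWatch Logs read/write, S3 list/read/write, ECR pull/push, EC2
        network describes, and ECS task-definition/service management.

    Fix:
        The logs statement referenced ``logs.FilterLogEventlogs``, which is not
        an action in the ``logs`` action module (the IAM action is
        ``logs:FilterLogEvents``).  Attribute lookup on the module would fail
        at call time, so this function could never build a policy.  Corrected
        to ``logs.FilterLogEvents``.

    Review notes (not changed here -- the intended resource ARNs are not
    visible in this file):
        * ``iam:PassRole`` on ``"*"`` combined with ``codebuild:CreateProject``
          / ``UpdateProject`` / ``StartBuild`` and
          ``ecs:RegisterTaskDefinition`` / ``CreateService`` lets the principal
          run arbitrary code under any role in the account -- a direct
          privilege-escalation path.  Restrict ``Resource`` to the specific
          build/task roles.
        * ``ecr:PutImage`` + the upload-layer actions on ``"*"`` allow
          overwriting any image tag in any repository, i.e. tampering with
          what other workloads deploy.  Scope to the build's repositories.
        * ``s3:PutObject``/``GetObject`` on ``"*"`` reaches every bucket in the
          account; ``logs:PutLogEvents`` on ``"*"`` allows forging entries in
          any log group.  Both should be scoped to the build's own resources.
        * ``codebuild:PutResourcePolicy`` / ``DeleteResourcePolicy`` and the
          source-credential / OAuth-token actions let the principal share
          projects and rotate the VCS credentials that builds use; keep them
          out of a day-to-day build principal unless required.
    """
    user = "******"  # redacted IAM user name
    account = build_data["account_id"]

    pd = PolicyDocument(
        Version="2012-10-17",
        Id="Codebuild-Permissions",
        Statement=[
            Statement(
                Effect=Allow,
                Principal=Principal("AWS", [IAM_ARN(user, '', account)]),
                Action=[
                    codebuild.BatchDeleteBuilds, codebuild.BatchGetBuilds,
                    codebuild.BatchGetProjects, codebuild.BatchGetReportGroups,
                    codebuild.BatchGetReports, codebuild.BatchPutTestCases,
                    codebuild.CreateProject, codebuild.CreateReport,
                    codebuild.CreateReportGroup, codebuild.CreateWebhook,
                    codebuild.DeleteOAuthToken, codebuild.DeleteProject,
                    codebuild.DeleteReport, codebuild.DeleteReportGroup,
                    codebuild.DeleteResourcePolicy,
                    codebuild.DeleteSourceCredentials, codebuild.DeleteWebhook,
                    codebuild.DescribeTestCases, codebuild.GetResourcePolicy,
                    codebuild.ImportSourceCredentials,
                    codebuild.InvalidateProjectCache, codebuild.ListBuilds,
                    codebuild.ListBuildsForProject,
                    codebuild.ListConnectedOAuthAccounts,
                    codebuild.ListCuratedEnvironmentImages,
                    codebuild.ListProjects, codebuild.ListReportGroups,
                    codebuild.ListReports, codebuild.ListReportsForReportGroup,
                    codebuild.ListRepositories, codebuild.ListSharedProjects,
                    codebuild.ListSharedReportGroups,
                    codebuild.ListSourceCredentials,
                    codebuild.PersistOAuthToken, codebuild.PutResourcePolicy,
                    codebuild.StartBuild, codebuild.StopBuild,
                    codebuild.UpdateProject, codebuild.UpdateReport,
                    codebuild.UpdateReportGroup, codebuild.UpdateWebhook,
                    iam.PassRole, codecommit.GitPull
                ],
                Resource=['*']),
            Statement(Effect=Allow,
                      Principal=Principal("AWS", [IAM_ARN(user, '', account)]),
                      Action=[
                          # Was the non-existent ``logs.FilterLogEventlogs``.
                          logs.FilterLogEvents, logs.GetLogEvents,
                          logs.CreateLogGroup, logs.CreateLogStream,
                          logs.PutLogEvents
                      ],
                      Resource=['*']),
            Statement(Effect=Allow,
                      Principal=Principal("AWS", [IAM_ARN(user, '', account)]),
                      Action=[
                          s3.CreateBucket, s3.ListAccessPoints,
                          s3.ListAllMyBuckets, s3.ListBucket,
                          s3.ListBucketByTags, s3.ListBucketMultipartUploads,
                          s3.ListBucketVersions, s3.ListJobs,
                          s3.ListMultipartUploadParts, s3.ListObjects,
                          s3.PutObject, s3.GetObject, s3.GetBucketAcl,
                          s3.GetBucketLocation, s3.GetObjectVersion
                      ],
                      Resource=['*']),
            Statement(Effect=Allow,
                      Principal=Principal("AWS", [IAM_ARN(user, '', account)]),
                      Action=[
                          ecr.BatchCheckLayerAvailability,
                          ecr.GetDownloadUrlForLayer, ecr.BatchGetImage,
                          ecr.PutImage, ecr.InitiateLayerUpload,
                          ecr.UploadLayerPart, ecr.CompleteLayerUpload,
                          ecr.GetAuthorizationToken
                      ],
                      Resource=['*']),
            Statement(Effect=Allow,
                      Principal=Principal("AWS", [IAM_ARN(user, '', account)]),
                      Action=[ec2.DescribeSecurityGroups, ec2.DescribeSubnets],
                      Resource=['*']),
            Statement(Effect=Allow,
                      Principal=Principal("AWS", [IAM_ARN(user, '', account)]),
                      Action=[
                          ecs.RegisterTaskDefinition,
                          ecs.DescribeTaskDefinition, ecs.DescribeServices,
                          ecs.CreateService, ecs.ListServices,
                          ecs.UpdateService
                      ],
                      Resource=['*']),
        ])

    input_kwargs["policy"] = pd.to_json()

    return input_kwargs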