def codebuild_policy_document(input_kwargs, build_data):
    """Store a Lambda-oriented policy document in ``input_kwargs["policy"]``.

    Args:
        input_kwargs: mutable mapping; its ``"policy"`` entry is overwritten
            with the rendered JSON policy.
        build_data: mapping that must provide ``"account_id"`` and ``"region"``.

    Returns:
        The same ``input_kwargs`` mapping, mutated in place.

    NOTE(review): ``codebuild_policy_document`` is defined more than once in
    this file; Python keeps only the last definition, so confirm which one the
    callers actually get.
    """
    # Redacted placeholder; until it is replaced with a real user/role name the
    # generated IAM ARN will not designate a usable principal.
    principal_name = "******"
    account_id = build_data["account_id"]
    region_name = build_data["region"]
    # NOTE(review): a Principal element is only meaningful in a resource-based
    # policy; confirm where this document is attached.
    principal = Principal("AWS", [IAM_ARN(principal_name, '', account_id)])

    log_group_arn = f"arn:aws:logs:{region_name}:{account_id}:log-group:/aws/lambda/*"
    bucket_arns = [
        "arn:aws:s3:::product-images-*",
        "arn:aws:s3:::product-images-*/*",
    ]

    def allow(actions, resources):
        # Every statement in this document is an Allow for the same principal.
        return Statement(
            Effect=Allow,
            Principal=principal,
            Action=actions,
            Resource=resources,
        )

    logging_statement = allow(
        [logs.CreateLogStream, logs.PutLogEvents],
        [log_group_arn],
    )
    # NOTE(review): the ec2/ce/events/secretsmanager/kms/cloudwatch actions below
    # are scoped to S3 bucket ARNs, so they can never match a request; the
    # ``kms:*`` / ``cloudwatch:*`` / ``s3:*`` wildcards are also very broad.
    # Behaviour preserved here — confirm the intended resources before tightening.
    mixed_statement = allow(
        [
            ec2.CreateNetworkInterface,
            ec2.DescribeNetworkInterfaces,
            ec2.DeleteNetworkInterface,
            "ec2:Describe*",
            ec2.CreateSnapshot,
            ec2.DeleteSnapshot,
            ec2.CreateImage,
            ec2.CopyImage,
            ec2.DeregisterImage,
            ce.GetCostAndUsage,
            events.EnableRule,
            secretsmanager.GetSecretValue,
            secretsmanager.DescribeSecret,
            "kms:*",
            "cloudwatch:*",
            "s3:*",
        ],
        bucket_arns,
    )
    rds_statement = allow(
        [
            rds.DescribeDBClusterSnapshots,
            rds.DescribeDBClusters,
            rds.CopyDBClusterSnapshot,
            rds.ModifyDBClusterSnapshotAttribute,
            rds.ListTagsForResource,
        ],
        ['*'],
    )

    document = PolicyDocument(
        Version="2012-10-17",
        Id="Lambda-Common-Permissions",
        Statement=[logging_statement, mixed_statement, rds_statement],
    )
    input_kwargs["policy"] = document.to_json()
    return input_kwargs
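def codepipeline_policy_document(input_kwargs, build_data):
    """Store a CodePipeline policy document in ``input_kwargs["policy"]``.

    Args:
        input_kwargs: mutable mapping; ``"name"`` is read as the artifact bucket
            name and ``"policy"`` is overwritten with the rendered JSON policy.
        build_data: mapping that must provide ``"account_id"``.

    Returns:
        The same ``input_kwargs`` mapping, mutated in place.
    """
    # Redacted placeholder; until it is replaced with a real user/role name the
    # generated IAM ARN will not designate a usable principal.
    principal_name = "******"
    account_id = build_data["account_id"]
    # NOTE(review): a Principal element is only meaningful in a resource-based
    # policy; confirm where this document is attached.
    principal = Principal("AWS", [IAM_ARN(principal_name, '', account_id)])

    bucket_arn = f"arn:aws:s3:::{input_kwargs['name']}"
    # Fix: object-level actions (GetObject, PutObject, GetObjectVersion,
    # ListMultipartUploadParts) match object ARNs, not the bucket ARN, so the
    # original bucket-only Resource silently denied them. The bucket ARN is kept
    # for the bucket-level actions.
    object_arn = f"{bucket_arn}/*"

    def allow(actions, resources):
        return Statement(
            Effect=Allow,
            Principal=principal,
            Action=actions,
            Resource=resources,
        )

    # NOTE(review): iam.PassRole on "*" lets the principal hand any role to the
    # listed services; scoping it to the specific pipeline/build roles would be
    # the usual least-privilege step. Left unchanged here.
    pipeline_statement = allow(
        [
            codebuild.StartBuild,
            codebuild.BatchGetBuilds,
            codedeploy.CreateDeployment,
            codedeploy.GetApplicationRevision,
            codedeploy.GetDeployment,
            codedeploy.GetDeploymentConfig,
            codedeploy.RegisterApplicationRevision,
            iam.PassRole,
            iam.GetRole,
            codecommit.GitPull,
        ],
        ['*'],
    )
    # NOTE(review): s3.ListAllMyBuckets (and the account-level List* actions)
    # only match Resource "*"; with a bucket-scoped Resource they are inert.
    artifact_statement = allow(
        [
            s3.CreateBucket,
            s3.GetObject,
            s3.ListAccessPoints,
            s3.ListAllMyBuckets,
            s3.ListBucket,
            s3.ListBucketByTags,
            s3.ListBucketMultipartUploads,
            s3.ListBucketVersions,
            s3.ListJobs,
            s3.ListMultipartUploadParts,
            s3.ListObjects,
            s3.PutObject,
            s3.GetBucketAcl,
            s3.GetBucketLocation,
            s3.GetObjectVersion,
        ],
        [bucket_arn, object_arn],
    )

    document = PolicyDocument(
        Version="2012-10-17",
        Id="CodePipeline-Permissions",
        Statement=[pipeline_statement, artifact_statement],
    )
    input_kwargs["policy"] = document.to_json()
    return input_kwargs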
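def codebuild_policy_document(input_kwargs, build_data):
    """Store an RDS-monitoring (log delivery + Kinesis) policy in ``input_kwargs["policy"]``.

    Args:
        input_kwargs: mutable mapping; its ``"policy"`` entry is overwritten
            with the rendered JSON policy.
        build_data: mapping that must provide ``"account_id"``.

    Returns:
        The same ``input_kwargs`` mapping, mutated in place.

    NOTE(review): ``codebuild_policy_document`` is defined more than once in
    this file; Python keeps only the last definition, so confirm which one the
    callers actually get.
    """
    # Redacted placeholder; until it is replaced with a real user/role name the
    # generated IAM ARN will not designate a usable principal.
    principal_name = "******"
    account_id = build_data["account_id"]
    # NOTE(review): a Principal element is only meaningful in a resource-based
    # policy; confirm where this document is attached.
    principal = Principal("AWS", [IAM_ARN(principal_name, '', account_id)])

    log_stream_arns = [
        "arn:aws:logs:*:*:log-group:/aws/rds/*:log-stream:*",
        "arn:aws:logs:*:*:log-group:/aws/docdb/*:log-stream:*",
        "arn:aws:logs:*:*:log-group:/aws/neptune/*:log-stream:*",
    ]
    kinesis_stream_arns = ["arn:aws:kinesis:*:*:stream/aws-rds-das-*"]

    def allow(actions, resources):
        return Statement(
            Effect=Allow,
            Principal=principal,
            Action=actions,
            Resource=resources,
        )

    # Fix: the original wrapped the ARN list in another list (``[logs_arn]``),
    # producing a nested list in the rendered Resource element, which is not a
    # valid policy. The list is now passed directly.
    log_delivery_statement = allow(
        [
            logs.CreateLogDelivery,
            logs.GetLogDelivery,
            logs.UpdateLogDelivery,
            logs.DeleteLogDelivery,
            logs.ListLogDeliveries,
        ],
        log_stream_arns,
    )
    # The stream ARN list was previously duplicated as a literal here; reuse the
    # single definition so both places cannot drift apart.
    kinesis_statement = allow(
        [
            kinesis.CreateStream,
            kinesis.PutRecord,
            kinesis.PutRecords,
            kinesis.DescribeStream,
            kinesis.SplitShard,
            kinesis.MergeShards,
            kinesis.DeleteStream,
            kinesis.UpdateShardCount,
        ],
        kinesis_stream_arns,
    )

    document = PolicyDocument(
        Version="2012-10-17",
        Id="RDS-Monitoring-Permissions",
        Statement=[log_delivery_statement, kinesis_statement],
    )
    input_kwargs["policy"] = document.to_json()
    return input_kwargs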
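def codebuild_policy_document(input_kwargs, build_data):
    """Store a DynamoDB table policy document in ``input_kwargs["policy"]``.

    Args:
        input_kwargs: mutable mapping; its ``"policy"`` entry is overwritten
            with the rendered JSON policy.
        build_data: mapping that must provide ``"account_id"``, ``"region"``
            and ``"table_name"``.

    Returns:
        The same ``input_kwargs`` mapping, mutated in place.

    NOTE(review): ``codebuild_policy_document`` is defined more than once in
    this file; Python keeps only the last definition, so confirm which one the
    callers actually get.
    """
    # Redacted placeholder; until it is replaced with a real user/role name the
    # generated IAM ARN will not designate a usable principal.
    principal_name = "******"
    account_id = build_data["account_id"]
    region_name = build_data["region"]
    table_name = build_data["table_name"]
    # NOTE(review): a Principal element is only meaningful in a resource-based
    # policy; confirm where this document is attached.
    principal = Principal("AWS", [IAM_ARN(principal_name, '', account_id)])

    # Fix: the original f-string carried shell-style ``${...}`` markers, so the
    # literal "$" ended up in the ARN (":$123…:table/$name") and the table
    # statement could never match. Plain ``{...}`` placeholders are used now.
    table_arn = f"arn:aws:dynamodb:{region_name}:{account_id}:table/{table_name}"

    def allow(actions, resources):
        return Statement(
            Effect=Allow,
            Principal=principal,
            Action=actions,
            Resource=resources,
        )

    table_statement = allow(
        [
            dynamodb.DescribeLimits,
            dynamodb.DescribeTimeToLive,
            dynamodb.ListTagsOfResource,
            dynamodb.DescribeReservedCapacityOfferings,
            dynamodb.DescribeReservedCapacity,
            dynamodb.ListTables,
            dynamodb.BatchGetItem,
            dynamodb.BatchWriteItem,
            dynamodb.CreateTable,
            dynamodb.DeleteItem,
            dynamodb.GetItem,
            dynamodb.GetRecords,
            dynamodb.PutItem,
            dynamodb.Query,
            dynamodb.UpdateItem,
            dynamodb.Scan,
            dynamodb.DescribeTable,
        ],
        [table_arn],
    )
    # NOTE(review): Encrypt/Decrypt on every key in the account is broader than a
    # single table needs; scoping to the table's CMK would be the usual
    # least-privilege step. Left unchanged here.
    kms_statement = allow(
        [kms.Encrypt, kms.Decrypt, kms.DescribeKey],
        ["*"],
    )

    document = PolicyDocument(
        Version="2012-10-17",
        Id="Dynamodb-Permissions",
        Statement=[table_statement, kms_statement],
    )
    input_kwargs["policy"] = document.to_json()
    return input_kwargs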
def kms_policy_document(input_kwargs, build_data):
    """Store an account-wide KMS policy document in ``input_kwargs["policy"]``.

    Args:
        input_kwargs: mutable mapping; its ``"policy"`` entry is overwritten
            with the rendered JSON policy.
        build_data: mapping that must provide ``"account_id"``.

    Returns:
        The same ``input_kwargs`` mapping, mutated in place.
    """
    # Redacted placeholder; until it is replaced with a real user/role name the
    # generated IAM ARN will not designate a usable principal.
    principal_name = "******"
    account_id = build_data["account_id"]
    principal = Principal("AWS", [IAM_ARN(principal_name, '', account_id)])

    # NOTE(review): this grants key administration (key policy, deletion,
    # grants, custom key stores) as well as crypto use on every key in the
    # account — effectively full KMS control for the principal. Behaviour is
    # preserved here; confirm that is intended.
    kms_actions = [
        kms.CancelKeyDeletion,
        kms.ConnectCustomKeyStore,
        kms.CreateAlias,
        kms.CreateCustomKeyStore,
        kms.CreateGrant,
        kms.CreateKey,
        kms.Decrypt,
        kms.DeleteAlias,
        kms.DeleteCustomKeyStore,
        kms.DeleteImportedKeyMaterial,
        kms.DescribeCustomKeyStores,
        kms.DescribeKey,
        kms.DisableKey,
        kms.DisableKeyRotation,
        kms.DisconnectCustomKeyStore,
        kms.EnableKey,
        kms.EnableKeyRotation,
        kms.Encrypt,
        kms.GenerateDataKey,
        kms.GenerateDataKeyWithoutPlaintext,
        kms.GenerateRandom,
        kms.GetKeyPolicy,
        kms.GetKeyRotationStatus,
        kms.GetParametersForImport,
        kms.ImportKeyMaterial,
        kms.ListAliases,
        kms.ListGrants,
        kms.ListKeyPolicies,
        kms.ListKeys,
        kms.ListResourceTags,
        kms.ListRetirableGrants,
        kms.PutKeyPolicy,
        kms.ReEncrypt,
        kms.ReEncryptFrom,
        kms.ReEncryptTo,
        kms.RetireGrant,
        kms.RevokeGrant,
        kms.ScheduleKeyDeletion,
        kms.TagResource,
        kms.UntagResource,
        kms.UpdateAlias,
        kms.UpdateCustomKeyStore,
        kms.UpdateKeyDescription,
    ]

    kms_statement = Statement(
        Effect=Allow,
        Principal=principal,
        Action=kms_actions,
        Resource=['*'],
    )
    document = PolicyDocument(
        Version="2012-10-17",
        Id="KMS-Account-Permissions",
        Statement=[kms_statement],
    )
    input_kwargs["policy"] = document.to_json()
    return input_kwargs
def efs_policy_document(input_kwargs, build_data):
    """Store an EFS file-system policy document in ``input_kwargs["policy"]``.

    Args:
        input_kwargs: mutable mapping; its ``"policy"`` entry is overwritten
            with the rendered JSON policy.
        build_data: mapping that must provide ``"account_id"``.

    Returns:
        The same ``input_kwargs`` mapping, mutated in place.
    """
    # Redacted placeholder; until it is replaced with a real user/role name the
    # generated IAM ARN will not designate a usable principal.
    principal_name = "******"
    account_id = build_data["account_id"]
    principal = Principal("AWS", [IAM_ARN(principal_name, '', account_id)])

    efs_actions = [
        elasticfilesystem.DescribeFileSystems,
        elasticfilesystem.CreateFileSystem,
        elasticfilesystem.CreateTags,
        elasticfilesystem.DescribeMountTargets,
        elasticfilesystem.CreateMountTarget,
    ]
    efs_statement = Statement(
        Effect=Allow,
        Principal=principal,
        Action=efs_actions,
        Resource=['*'],
    )

    document = PolicyDocument(
        Version="2012-10-17",
        Id="EFS-Permissions",
        Statement=[efs_statement],
    )
    input_kwargs["policy"] = document.to_json()
    return input_kwargs
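def codebuild_policy_document(input_kwargs, build_data):
    """Store a CodeBuild service policy document in ``input_kwargs["policy"]``.

    Args:
        input_kwargs: mutable mapping; its ``"policy"`` entry is overwritten
            with the rendered JSON policy.
        build_data: mapping that must provide ``"account_id"``.

    Returns:
        The same ``input_kwargs`` mapping, mutated in place.

    NOTE(review): ``codebuild_policy_document`` is defined more than once in
    this file; Python keeps only the last definition, so confirm which one the
    callers actually get.
    """
    # Redacted placeholder; until it is replaced with a real user/role name the
    # generated IAM ARN will not designate a usable principal.
    principal_name = "******"
    account_id = build_data["account_id"]
    # NOTE(review): a Principal element is only meaningful in a resource-based
    # policy; confirm where this document is attached.
    principal = Principal("AWS", [IAM_ARN(principal_name, '', account_id)])

    def allow(actions, resources):
        return Statement(
            Effect=Allow,
            Principal=principal,
            Action=actions,
            Resource=resources,
        )

    # NOTE(review): iam.PassRole on "*" lets the build hand any role in the
    # account to the services it drives; scoping it to the build/deploy roles
    # would be the usual least-privilege step. Left unchanged here.
    codebuild_statement = allow(
        [
            codebuild.BatchDeleteBuilds,
            codebuild.BatchGetBuilds,
            codebuild.BatchGetProjects,
            codebuild.BatchGetReportGroups,
            codebuild.BatchGetReports,
            codebuild.BatchPutTestCases,
            codebuild.CreateProject,
            codebuild.CreateReport,
            codebuild.CreateReportGroup,
            codebuild.CreateWebhook,
            codebuild.DeleteOAuthToken,
            codebuild.DeleteProject,
            codebuild.DeleteReport,
            codebuild.DeleteReportGroup,
            codebuild.DeleteResourcePolicy,
            codebuild.DeleteSourceCredentials,
            codebuild.DeleteWebhook,
            codebuild.DescribeTestCases,
            codebuild.GetResourcePolicy,
            codebuild.ImportSourceCredentials,
            codebuild.InvalidateProjectCache,
            codebuild.ListBuilds,
            codebuild.ListBuildsForProject,
            codebuild.ListConnectedOAuthAccounts,
            codebuild.ListCuratedEnvironmentImages,
            codebuild.ListProjects,
            codebuild.ListReportGroups,
            codebuild.ListReports,
            codebuild.ListReportsForReportGroup,
            codebuild.ListRepositories,
            codebuild.ListSharedProjects,
            codebuild.ListSharedReportGroups,
            codebuild.ListSourceCredentials,
            codebuild.PersistOAuthToken,
            codebuild.PutResourcePolicy,
            codebuild.StartBuild,
            codebuild.StopBuild,
            codebuild.UpdateProject,
            codebuild.UpdateReport,
            codebuild.UpdateReportGroup,
            codebuild.UpdateWebhook,
            iam.PassRole,
            codecommit.GitPull,
        ],
        ['*'],
    )
    # Fix: the original referenced ``logs.FilterLogEventlogs``, which is not an
    # action the ``logs`` module defines and raised AttributeError at call time;
    # the intended action is ``logs:FilterLogEvents``.
    logs_statement = allow(
        [
            logs.FilterLogEvents,
            logs.GetLogEvents,
            logs.CreateLogGroup,
            logs.CreateLogStream,
            logs.PutLogEvents,
        ],
        ['*'],
    )
    s3_statement = allow(
        [
            s3.CreateBucket,
            s3.ListAccessPoints,
            s3.ListAllMyBuckets,
            s3.ListBucket,
            s3.ListBucketByTags,
            s3.ListBucketMultipartUploads,
            s3.ListBucketVersions,
            s3.ListJobs,
            s3.ListMultipartUploadParts,
            s3.ListObjects,
            s3.PutObject,
            s3.GetObject,
            s3.GetBucketAcl,
            s3.GetBucketLocation,
            s3.GetObjectVersion,
        ],
        ['*'],
    )
    ecr_statement = allow(
        [
            ecr.BatchCheckLayerAvailability,
            ecr.GetDownloadUrlForLayer,
            ecr.BatchGetImage,
            ecr.PutImage,
            ecr.InitiateLayerUpload,
            ecr.UploadLayerPart,
            ecr.CompleteLayerUpload,
            ecr.GetAuthorizationToken,
        ],
        ['*'],
    )
    ec2_statement = allow(
        [ec2.DescribeSecurityGroups, ec2.DescribeSubnets],
        ['*'],
    )
    ecs_statement = allow(
        [
            ecs.RegisterTaskDefinition,
            ecs.DescribeTaskDefinition,
            ecs.DescribeServices,
            ecs.CreateService,
            ecs.ListServices,
            ecs.UpdateService,
        ],
        ['*'],
    )

    document = PolicyDocument(
        Version="2012-10-17",
        Id="Codebuild-Permissions",
        Statement=[
            codebuild_statement,
            logs_statement,
            s3_statement,
            ecr_statement,
            ec2_statement,
            ecs_statement,
        ],
    )
    input_kwargs["policy"] = document.to_json()
    return input_kwargs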