Ejemplo n.º 1
    def test_get_default_assumerole_policy(self):
        """Check the trusted service principal for a standard and a China region.

        Pins the region-specific principal, so a change that hard-codes one
        service name for every region fails here.
        """
        standard_region_policy = get_default_assumerole_policy('us-east-1')
        china_region_policy = get_default_assumerole_policy('cn-north-1')

        # Both policies are built before any assertion runs.
        expectations = (
            (standard_region_policy, 'ec2.amazonaws.com'),
            (china_region_policy, 'ec2.amazonaws.com.cn'),
        )
        for policy, expected_service in expectations:
            self.assertEqual(get_policy_service(policy), expected_service)
Ejemplo n.º 2
    def test_get_default_assumerole_policy(self):
        """Verify which service each region's default trust policy names.

        ``us-east-1`` must yield ``ec2.amazonaws.com`` and ``cn-north-1`` must
        yield ``ec2.amazonaws.com.cn``.
        """
        policy_by_region = {
            "us-east-1": get_default_assumerole_policy("us-east-1"),
            "cn-north-1": get_default_assumerole_policy("cn-north-1"),
        }

        us_service = get_policy_service(policy_by_region["us-east-1"])
        self.assertEqual(us_service, "ec2.amazonaws.com")

        cn_service = get_policy_service(policy_by_region["cn-north-1"])
        self.assertEqual(cn_service, "ec2.amazonaws.com.cn")
Ejemplo n.º 3
    def test_get_default_assumerole_policy(self):
        """Check the trusted service list for a standard and a China region.

        In this variant ``get_policy_service`` is expected to return a list
        holding exactly one service principal per policy.
        """
        standard_region_policy = get_default_assumerole_policy('us-east-1')
        china_region_policy = get_default_assumerole_policy('cn-north-1')

        # Exact list equality: an extra trusted principal fails the test.
        expectations = (
            (standard_region_policy, ['ec2.amazonaws.com']),
            (china_region_policy, ['ec2.amazonaws.com.cn']),
        )
        for policy, expected_services in expectations:
            self.assertEqual(get_policy_service(policy), expected_services)
Ejemplo n.º 4
    def create_iam_profile(self):
        """Add the ECS service role, the controller role and its profile.

        Registers three resources on ``self.template``: the ``ecsServiceRole``
        role, the ``EmpireControllerRole`` role and the
        ``EmpireControllerProfile`` instance profile that references it.
        Each role carries one inline policy; the trust and permission
        documents come from helpers defined outside this method.
        """
        template = self.template
        controller_role_name = "EmpireControllerRole"

        # ECS service role: trust document first, then its inline permissions.
        ecs_trust = get_ecs_assumerole_policy()
        ecs_permissions = Policy(PolicyName="ecsServiceRolePolicy",
                                 PolicyDocument=service_role_policy())
        template.add_resource(
            Role("ecsServiceRole",
                 AssumeRolePolicyDocument=ecs_trust,
                 Path="/",
                 Policies=[ecs_permissions]))

        # Controller role. NOTE(review): the default trust document presumably
        # names the EC2 service principal; confirm against the helper.
        controller_trust = get_default_assumerole_policy()
        controller_permissions = Policy(PolicyName="EmpireControllerPolicy",
                                        PolicyDocument=empire_policy())
        template.add_resource(
            Role(controller_role_name,
                 AssumeRolePolicyDocument=controller_trust,
                 Path="/",
                 Policies=[controller_permissions]))

        # The profile hands the controller role to instances, so whatever
        # empire_policy() grants is available to workloads running on them.
        template.add_resource(
            InstanceProfile("EmpireControllerProfile",
                            Path="/",
                            Roles=[Ref(controller_role_name)]))
Ejemplo n.º 5
    def create_iam_profile(self):
        """Register the ECS service role, controller role and controller profile.

        All three resources are added to ``self.template`` in that order.
        Trust and permission documents are produced by helpers that are not
        defined in this method.
        """
        template = self.template
        controller_role_name = "EmpireControllerRole"

        # Role used by the EC2 Container Service itself.
        ecs_trust = get_ecs_assumerole_policy()
        ecs_inline = Policy(
            PolicyName="ecsServiceRolePolicy",
            PolicyDocument=service_role_policy(),
        )
        ecs_role = Role(
            "ecsServiceRole",
            AssumeRolePolicyDocument=ecs_trust,
            Path="/",
            Policies=[ecs_inline],
        )
        template.add_resource(ecs_role)

        # Role assumed on behalf of the Empire controller instances.
        controller_trust = get_default_assumerole_policy()
        controller_inline = Policy(
            PolicyName="EmpireControllerPolicy",
            PolicyDocument=empire_policy(),
        )
        controller_role = Role(
            controller_role_name,
            AssumeRolePolicyDocument=controller_trust,
            Path="/",
            Policies=[controller_inline],
        )
        template.add_resource(controller_role)

        # Instance profile binding the controller role to EC2 instances; the
        # role's permissions are usable by anything running on such an instance.
        controller_profile = InstanceProfile(
            "EmpireControllerProfile",
            Path="/",
            Roles=[Ref(controller_role_name)],
        )
        template.add_resource(controller_profile)
Ejemplo n.º 6
    def create_iam_profile(self):
        """Register the ECS and controller roles plus the related IAM pieces.

        Adds to ``self.template``, in order: the ``ecsServiceRole`` role, the
        ``EmpireControllerRole`` role, the conditional ``SNSEventsPolicy``
        attached to the controller role, the ``EmpireControllerProfile``
        instance profile, and an output exposing the controller role.
        """
        template = self.template
        controller_role_name = "EmpireControllerRole"

        # ECS service role: trust document first, then its inline permissions.
        ecs_trust = get_ecs_assumerole_policy()
        ecs_permissions = Policy(PolicyName="ecsServiceRolePolicy",
                                 PolicyDocument=service_role_policy())
        template.add_resource(
            Role("ecsServiceRole",
                 AssumeRolePolicyDocument=ecs_trust,
                 Path="/",
                 Policies=[ecs_permissions]))

        # Controller role. NOTE(review): the default trust document presumably
        # names the EC2 service principal; confirm against the helper.
        controller_trust = get_default_assumerole_policy()
        controller_permissions = Policy(PolicyName="EmpireControllerPolicy",
                                        PolicyDocument=empire_policy())
        template.add_resource(
            Role(controller_role_name,
                 AssumeRolePolicyDocument=controller_trust,
                 Path="/",
                 Policies=[controller_permissions]))

        # Extra policy gated on the EnableSNSEvents condition, built from the
        # EventTopic reference and attached to the controller role only.
        sns_document = sns_events_policy(Ref("EventTopic"))
        template.add_resource(
            PolicyType("SNSEventsPolicy",
                       PolicyName="EmpireSNSEventsPolicy",
                       Condition="EnableSNSEvents",
                       PolicyDocument=sns_document,
                       Roles=[Ref(controller_role_name)]))

        # The profile hands the controller role to instances, so every policy
        # attached above is usable by workloads running on them.
        template.add_resource(
            InstanceProfile("EmpireControllerProfile",
                            Path="/",
                            Roles=[Ref(controller_role_name)]))

        # Export the role so that other stacks or tooling can reference it.
        template.add_output(
            Output(controller_role_name, Value=Ref(controller_role_name)))
Ejemplo n.º 7
 def create_iam_profile(self):
     """Add the EmpireMinionRole and its instance profile to the template.

     The role's inline policies come from ``self.generate_iam_policies()``;
     its trust document comes from ``get_default_assumerole_policy()``.
     """
     template = self.template
     minion_role_name = "EmpireMinionRole"

     # Trust document is fetched before the role's policies are generated.
     trust_document = get_default_assumerole_policy()
     minion_role = Role(minion_role_name,
                        AssumeRolePolicyDocument=trust_document,
                        Path="/",
                        Policies=self.generate_iam_policies())
     template.add_resource(minion_role)

     # The profile is what makes the role usable from minion instances.
     minion_profile = InstanceProfile("EmpireMinionProfile",
                                      Path="/",
                                      Roles=[Ref(minion_role_name)])
     template.add_resource(minion_profile)
Ejemplo n.º 8
    def create_iam_profile(self):
        """Add the controller role, its instance profile and an ``IAMRole`` output.

        Inline policies are supplied by ``self.generate_iam_policies()``; the
        trust document by ``get_default_assumerole_policy()``.
        """
        template = self.template
        controller_role_name = "EmpireControllerRole"

        # Trust document is fetched before the role's policies are generated.
        trust_document = get_default_assumerole_policy()
        controller_role = Role(controller_role_name,
                               AssumeRolePolicyDocument=trust_document,
                               Path="/",
                               Policies=self.generate_iam_policies())
        template.add_resource(controller_role)

        # The profile is what makes the role usable from controller instances.
        controller_profile = InstanceProfile("EmpireControllerProfile",
                                             Path="/",
                                             Roles=[Ref(controller_role_name)])
        template.add_resource(controller_profile)

        # Expose the role under the output name "IAMRole".
        role_output = Output("IAMRole", Value=Ref(controller_role_name))
        template.add_output(role_output)
Ejemplo n.º 9
 def create_iam_profile(self):
     """Register the minion role and the instance profile that carries it.

     Trust document: ``get_default_assumerole_policy()``. Inline policies:
     ``self.generate_iam_policies()``.
     """
     template = self.template
     role_name = "EmpireMinionRole"
     profile_name = "EmpireMinionProfile"

     trust_document = get_default_assumerole_policy()
     # Policies are generated while the role is constructed, after the
     # trust document has been obtained.
     template.add_resource(
         Role(role_name,
              AssumeRolePolicyDocument=trust_document,
              Path="/",
              Policies=self.generate_iam_policies()))

     # The profile references the role by its logical name.
     template.add_resource(
         InstanceProfile(profile_name,
                         Path="/",
                         Roles=[Ref(role_name)]))
Ejemplo n.º 10
    def create_iam_profile(self):
        """Register the controller role, its profile and the ``IAMRole`` output.

        Trust document: ``get_default_assumerole_policy()``. Inline policies:
        ``self.generate_iam_policies()``.
        """
        template = self.template
        role_name = "EmpireControllerRole"
        profile_name = "EmpireControllerProfile"

        # The trust document is obtained first, then the inline policies.
        trust_document = get_default_assumerole_policy()
        inline_policies = self.generate_iam_policies()
        template.add_resource(
            Role(role_name,
                 AssumeRolePolicyDocument=trust_document,
                 Path="/",
                 Policies=inline_policies))

        # The profile references the role by its logical name.
        template.add_resource(
            InstanceProfile(profile_name,
                            Path="/",
                            Roles=[Ref(role_name)]))

        # Publish the role as the "IAMRole" output.
        template.add_output(Output("IAMRole", Value=Ref(role_name)))
Ejemplo n.º 11
 def create_iam_profile(self):
     """Add the EmpireMinionRole and its instance profile to the template.

     The role carries one inline policy, named ``<namespace>-ecs-agent``
     after ``self.context.namespace``, whose document comes from
     ``ecs_agent_policy()``.
     """
     template = self.template
     namespace = self.context.namespace
     minion_role_name = "EmpireMinionRole"

     # Trust document first, then the ECS agent permissions for the role.
     trust_document = get_default_assumerole_policy()
     agent_policy = Policy(PolicyName="%s-ecs-agent" % namespace,
                           PolicyDocument=ecs_agent_policy())
     template.add_resource(
         Role(minion_role_name,
              AssumeRolePolicyDocument=trust_document,
              Path="/",
              Policies=[agent_policy]))

     # The profile exposes the role, and so the agent policy, to the
     # minion instances.
     template.add_resource(
         InstanceProfile("EmpireMinionProfile",
                         Path="/",
                         Roles=[Ref(minion_role_name)]))
Ejemplo n.º 12
 def create_iam_profile(self):
     """Register the minion role and the instance profile that carries it.

     The only inline policy is ``<namespace>-ecs-agent``, built from
     ``ecs_agent_policy()``; the namespace is read from ``self.context``.
     """
     template = self.template
     namespace = self.context.namespace
     role_name = "EmpireMinionRole"

     trust_document = get_default_assumerole_policy()
     # The policy name is prefixed with the stack namespace.
     agent_policy = Policy(
         PolicyName="%s-ecs-agent" % namespace,
         PolicyDocument=ecs_agent_policy(),
     )
     minion_role = Role(
         role_name,
         AssumeRolePolicyDocument=trust_document,
         Path="/",
         Policies=[agent_policy],
     )
     template.add_resource(minion_role)

     # The profile references the role by its logical name.
     minion_profile = InstanceProfile(
         "EmpireMinionProfile",
         Path="/",
         Roles=[Ref(role_name)],
     )
     template.add_resource(minion_profile)
Ejemplo n.º 13
    def create_iam_profile(self):
        """Register the ECS and controller roles plus the related IAM pieces.

        Adds to ``self.template``, in order: the ``ecsServiceRole`` role, the
        ``EmpireControllerRole`` role, the conditional ``SNSEventsPolicy``,
        the ``EmpireControllerProfile`` instance profile and an output for
        the controller role.
        """
        template = self.template
        controller_role_name = "EmpireControllerRole"

        # Role used by the EC2 Container Service itself.
        ecs_trust = get_ecs_assumerole_policy()
        ecs_inline = Policy(
            PolicyName="ecsServiceRolePolicy",
            PolicyDocument=service_role_policy(),
        )
        ecs_role = Role(
            "ecsServiceRole",
            AssumeRolePolicyDocument=ecs_trust,
            Path="/",
            Policies=[ecs_inline],
        )
        template.add_resource(ecs_role)

        # Role assumed on behalf of the Empire controller instances.
        controller_trust = get_default_assumerole_policy()
        controller_inline = Policy(
            PolicyName="EmpireControllerPolicy",
            PolicyDocument=empire_policy(),
        )
        controller_role = Role(
            controller_role_name,
            AssumeRolePolicyDocument=controller_trust,
            Path="/",
            Policies=[controller_inline],
        )
        template.add_resource(controller_role)

        # SNS permissions exist only under the EnableSNSEvents condition and
        # are attached to the controller role alone.
        sns_document = sns_events_policy(Ref("EventTopic"))
        sns_policy = PolicyType(
            "SNSEventsPolicy",
            PolicyName="EmpireSNSEventsPolicy",
            Condition="EnableSNSEvents",
            PolicyDocument=sns_document,
            Roles=[Ref(controller_role_name)],
        )
        template.add_resource(sns_policy)

        # Instance profile binding the controller role to EC2 instances; the
        # role's permissions are usable by anything running on such an instance.
        controller_profile = InstanceProfile(
            "EmpireControllerProfile",
            Path="/",
            Roles=[Ref(controller_role_name)],
        )
        template.add_resource(controller_profile)

        # Export the role so that other stacks or tooling can reference it.
        role_output = Output(controller_role_name,
                             Value=Ref(controller_role_name))
        template.add_output(role_output)
Ejemplo n.º 14
 def create_ec2_role(self, name):
     """Create a role called *name* that uses the default trust policy.

     Delegates to ``self.create_role`` and returns whatever it returns.
     """
     # NOTE(review): presumably the trust document naming the EC2 service
     # principal; confirm against get_default_assumerole_policy.
     trust_document = get_default_assumerole_policy()
     return self.create_role(name, trust_document)
Ejemplo n.º 15
                awacs_logs.DescribeLogStreams,
            ],
            Effect=Allow,
            Resource=["arn:aws:logs:*:*:*"],
        ),
    ]
)

# Inline policy wrapping logs_writer_policy_doc, whose definition starts above
# this excerpt.
# NOTE(review): the visible tail of that document allows its actions on
# "arn:aws:logs:*:*:*", i.e. any CloudWatch Logs resource in any region and
# account; consider narrowing Resource to the log groups this role writes to.
logs_writer_policy = iam.Policy(
    'LogsWriterPolicy',
    PolicyName='LogsWriterPolicy',
    PolicyDocument=logs_writer_policy_doc
)

# The stack's role: trust document from trust.get_default_assumerole_policy()
# (presumably the EC2 service principal; confirm), with the log-writer policy
# attached inline.
our_only_role = stack.add_resource(iam.Role('OurOnlyRole',
    AssumeRolePolicyDocument=trust.get_default_assumerole_policy(),
    Policies=[logs_writer_policy],
))
# Instance profile referencing the role above; workloads on an instance that
# uses this profile can obtain the role's credentials.
instance_profile = stack.add_resource(iam.InstanceProfile(
    'OurOnlyInstanceProfile',
    Roles=[Ref(our_only_role)],
))

default_instance_sg = stack.add_resource(ec2.SecurityGroup(
    'DefaultInstanceSG',
    GroupDescription='Default group for instances to be in',
    SecurityGroupIngress=[
        ec2.SecurityGroupRule(
            IpProtocol='6',
            CidrIp='172.31.22.10/32',
            ToPort=22,
Ejemplo n.º 16
 def create_ec2_role(self, name):
     """Build a role named *name* with the default assume-role policy.

     The result of ``self.create_role`` is returned unchanged.
     """
     # The trust document comes from a helper defined outside this method.
     default_trust = get_default_assumerole_policy()
     new_role = self.create_role(name, default_trust)
     return new_role