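def _get_metadata_for_role(resource, policy_name, policy_metadata_filter,
                           stack_arn=None):
    """Return the single ``policy_name`` metadata entry on ``resource`` that applies.

    ``resource`` is a CloudFormation stack-resource description (a dict carrying
    ``LogicalResourceId``). Its CloudCanvas metadata for ``policy_name`` may be a
    single object or a list of objects. ``policy_metadata_filter(entry)`` returns
    a truthy value for the entry that applies and may raise ``ValidationError``
    for a malformed entry. ``stack_arn`` is used only in error messages; when it
    is omitted the resource's ``StackId`` is reported instead.

    Returns None when the resource has no such metadata or no entry is accepted,
    otherwise the accepted entry.

    Raises ValidationError when the metadata is neither an object nor a list,
    when the filter rejects an entry as invalid, or when more than one entry
    applies -- an ambiguous grant is refused rather than resolved silently.
    """
    metadata = discovery_utils.get_cloud_canvas_metadata(resource, policy_name)

    if metadata is None:
        return None

    # Normalise the single-object form to a one-element list.
    if isinstance(metadata, dict):
        metadata = [metadata]

    # Diagnostic names only; taken from the resource description so that the
    # error paths never depend on names that are not in scope here.
    logical_resource_name = resource.get('LogicalResourceId')
    if stack_arn is None:
        stack_arn = resource.get('StackId')

    if not isinstance(metadata, list):
        raise ValidationError(
            '{} metadata not an object or list on resource {} in stack {}.'.
            format(policy_name, logical_resource_name, stack_arn))

    entry_found = None

    for entry in metadata:

        try:
            entry_accepted = policy_metadata_filter(entry)
        except ValidationError as e:
            # str(e) instead of e.message: .message is deprecated on 2.7 and
            # absent on 3, so it would turn this path into an AttributeError.
            raise ValidationError(
                'Invalid {} metadata entry was found on resource {} in stack {}. {}'
                .format(policy_name, logical_resource_name, stack_arn,
                        str(e)))

        if entry_accepted:
            # Exactly one entry may apply; never pick silently between two.
            if entry_found is not None:
                raise ValidationError(
                    'More than one applicable {} metadata entry was found on resource {} in stack {}.'
                    .format(policy_name, logical_resource_name, stack_arn))
            entry_found = entry

    return entry_found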
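def _make_resource_statement(resource_group_info, logical_resource_name,
                             metadata_key):
    """Build an IAM policy statement granting ``metadata_key`` access to one stack resource.

    The resource ``logical_resource_name`` in ``resource_group_info``'s stack is
    described via CloudFormation (retried through ``try_with_backoff``) and its
    CloudCanvas metadata under ``metadata_key`` is read. That metadata must be
    a single object whose ``Action`` is a string or a list of strings; an
    optional ``ResourceSuffix`` string is appended to the resource ARN.

    Note that ``Action`` values are only checked to be strings -- the template
    author decides what the statement grants, so review the metadata with the
    same care as the policy itself.

    Returns None when the resource carries no such metadata, or has no
    ``PhysicalResourceId`` / ``ResourceType`` yet. Otherwise returns a statement
    dict with ``Sid``, ``Effect`` ('Allow'), ``Action`` (always a list) and
    ``Resource``.

    Raises ValidationError for malformed metadata; any error from
    describe_stack_resource is logged and re-raised unchanged.
    """
    try:
        response = discovery_utils.try_with_backoff(
            lambda: resource_group_info.get_client().describe_stack_resource(
                StackName=resource_group_info.stack_arn,
                LogicalResourceId=logical_resource_name))
        print('describe_stack_resource(LogicalResourceId="{}", StackName="{}") response: {}'.format(
            logical_resource_name, resource_group_info.stack_arn, response))
    except Exception as e:
        print('describe_stack_resource(LogicalResourceId="{}", StackName="{}") error: {}'.format(
            logical_resource_name, resource_group_info.stack_arn,
            getattr(e, 'response', e)))
        # Bare raise keeps the original traceback (``raise e`` resets it on 2.x).
        raise

    resource = response['StackStackResourceDetail'] if False else response['StackResourceDetail']

    metadata = discovery_utils.get_cloud_canvas_metadata(
        resource, metadata_key)
    if metadata is None:
        return None

    # Only the single-object form is accepted here; a list would otherwise
    # surface as an AttributeError on .get() rather than a ValidationError.
    if not isinstance(metadata, dict):
        raise ValidationError(
            'CloudCanvas {} metadata is not an object on the {} resource in stack {}.'
            .format(metadata_key, logical_resource_name,
                    resource_group_info.stack_arn))

    metadata_actions = metadata.get('Action', None)
    if metadata_actions is None:
        raise ValidationError(
            'No Action was specified for CloudCanvas Access metdata on the {} resource in stack {}.'
            .format(logical_resource_name, resource_group_info.stack_arn))
    # A single action string is normalised to a one-element list.
    if not isinstance(metadata_actions, list):
        metadata_actions = [metadata_actions]
    for action in metadata_actions:
        if not isinstance(action, basestring):
            raise ValidationError(
                'Non-string Action specified for CloudCanvas Access metadata on the {} resource in stack {}.'
                .format(logical_resource_name, resource_group_info.stack_arn))

    # Without a physical id and type there is no ARN to grant on yet.
    if 'PhysicalResourceId' not in resource:
        return None

    if 'ResourceType' not in resource:
        return None

    resource = discovery_utils.get_resource_arn(resource_group_info.stack_arn,
                                                resource['ResourceType'],
                                                resource['PhysicalResourceId'])

    resource_suffix = metadata.get('ResourceSuffix', None)
    if resource_suffix is not None:
        # Report a non-string suffix as bad metadata instead of a TypeError
        # from the concatenation below.
        if not isinstance(resource_suffix, basestring):
            raise ValidationError(
                'Non-string ResourceSuffix specified for CloudCanvas {} metadata on the {} resource in stack {}.'
                .format(metadata_key, logical_resource_name,
                        resource_group_info.stack_arn))
        resource += resource_suffix

    return {
        'Sid': logical_resource_name + 'Access',
        'Effect': 'Allow',
        'Action': metadata_actions,
        'Resource': resource
    }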
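def _make_resource_statement(feature_info, logical_resource_name):
    """Build an IAM policy statement for the ``PlayerAccess`` metadata of one stack resource.

    The resource ``logical_resource_name`` in ``feature_info``'s stack is
    described via CloudFormation and its CloudCanvas ``PlayerAccess`` metadata
    is read. That metadata must be a single object whose ``Action`` is a string
    or a list of strings. ``Action`` values are only checked to be strings, so
    the template author controls what the statement grants.

    Returns None when the resource carries no ``PlayerAccess`` metadata, or has
    no ``PhysicalResourceId`` / ``ResourceType`` yet. Otherwise returns a
    statement dict with ``Sid``, ``Effect`` ('Allow'), ``Action`` (always a
    list) and ``Resource`` (the resource ARN).

    Raises ValidationError for malformed metadata; any error from
    describe_stack_resource is logged and re-raised unchanged.
    """
    try:
        response = feature_info.get_client().describe_stack_resource(
            StackName=feature_info.stack_arn,
            LogicalResourceId=logical_resource_name)
        print('describe_stack_resource(LogicalResourceId="{}", StackName="{}") response: {}'.format(
            logical_resource_name, feature_info.stack_arn, response))
    except Exception as e:
        print('describe_stack_resource(LogicalResourceId="{}", StackName="{}") error: {}'.format(
            logical_resource_name, feature_info.stack_arn, e))
        # Bare raise keeps the original traceback (``raise e`` resets it on 2.x).
        raise

    resource = response['StackResourceDetail']

    metadata = discovery_utils.get_cloud_canvas_metadata(
        resource, 'PlayerAccess')
    if metadata is None:
        return None

    # Only the single-object form is accepted here; a list would otherwise
    # surface as an AttributeError on .get() rather than a ValidationError.
    if not isinstance(metadata, dict):
        raise ValidationError(
            'CloudCanvas PlayerAccess metadata is not an object on the {} resource in stack {}.'
            .format(logical_resource_name, feature_info.stack_arn))

    metadata_actions = metadata.get('Action', None)
    if metadata_actions is None:
        raise ValidationError(
            'No Action was specified for CloudCanvas PlayerAccess metdata on the {} resource in stack {}.'
            .format(logical_resource_name, feature_info.stack_arn))
    # A single action string is normalised to a one-element list.
    if not isinstance(metadata_actions, list):
        metadata_actions = [metadata_actions]
    for action in metadata_actions:
        if not isinstance(action, basestring):
            raise ValidationError(
                'Non-string Action specified for CloudCanvas PlayerAccess metadata on the {} resource in stack {}.'
                .format(logical_resource_name, feature_info.stack_arn))

    # Both keys are indexed below; a resource that is not created yet may
    # lack either one, which must yield "no statement" rather than a KeyError.
    if 'PhysicalResourceId' not in resource:
        return None

    if 'ResourceType' not in resource:
        return None

    return {
        'Sid':
        logical_resource_name + 'Access',
        'Effect':
        'Allow',
        'Action':
        metadata_actions,
        'Resource':
        discovery_utils.get_resource_arn(feature_info.stack_arn,
                                         resource['ResourceType'],
                                         resource['PhysicalResourceId'])
    }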
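def _make_resource_statement(feature_info, logical_resource_name):
    """Build an IAM policy statement for the ``PlayerAccess`` metadata of one stack resource.

    The resource ``logical_resource_name`` in ``feature_info``'s stack is
    described via CloudFormation (retried through ``try_with_backoff``) and its
    CloudCanvas ``PlayerAccess`` metadata is read. That metadata must be a
    single object whose ``Action`` is a string or a list of strings; an optional
    ``ResourceSuffix`` string is appended to the resource ARN. ``Action`` values
    are only checked to be strings, so the template author controls what the
    statement grants.

    Returns None when the resource carries no ``PlayerAccess`` metadata, or has
    no ``PhysicalResourceId`` / ``ResourceType`` yet. Otherwise returns a
    statement dict with ``Sid``, ``Effect`` ('Allow'), ``Action`` (always a
    list) and ``Resource``.

    Raises ValidationError for malformed metadata; any error from
    describe_stack_resource is logged and re-raised unchanged.
    """
    try:
        response = discovery_utils.try_with_backoff(
            lambda: feature_info.get_client().describe_stack_resource(
                StackName=feature_info.stack_arn,
                LogicalResourceId=logical_resource_name))
        print('describe_stack_resource(LogicalResourceId="{}", StackName="{}") response: {}'.format(
            logical_resource_name, feature_info.stack_arn, response))
    except Exception as e:
        print('describe_stack_resource(LogicalResourceId="{}", StackName="{}") error: {}'.format(
            logical_resource_name, feature_info.stack_arn,
            getattr(e, 'response', e)))
        # Bare raise keeps the original traceback (``raise e`` resets it on 2.x).
        raise

    resource = response['StackResourceDetail']

    metadata = discovery_utils.get_cloud_canvas_metadata(resource, 'PlayerAccess')
    if metadata is None:
        return None

    # Only the single-object form is accepted here; a list would otherwise
    # surface as an AttributeError on .get() rather than a ValidationError.
    if not isinstance(metadata, dict):
        raise ValidationError(
            'CloudCanvas PlayerAccess metadata is not an object on the {} resource in stack {}.'
            .format(logical_resource_name, feature_info.stack_arn))

    metadata_actions = metadata.get('Action', None)
    if metadata_actions is None:
        raise ValidationError('No Action was specified for CloudCanvas PlayerAccess metdata on the {} resource in stack {}.'.format(
            logical_resource_name,
            feature_info.stack_arn))
    # A single action string is normalised to a one-element list.
    if not isinstance(metadata_actions, list):
        metadata_actions = [metadata_actions]
    for action in metadata_actions:
        if not isinstance(action, basestring):
            raise ValidationError('Non-string Action specified for CloudCanvas PlayerAccess metadata on the {} resource in stack {}.'.format(
                logical_resource_name,
                feature_info.stack_arn))

    # Without a physical id and type there is no ARN to grant on yet.
    if 'PhysicalResourceId' not in resource:
        return None

    if 'ResourceType' not in resource:
        return None

    resource = discovery_utils.get_resource_arn(
        feature_info.stack_arn, resource['ResourceType'],
        resource['PhysicalResourceId'])

    resource_suffix = metadata.get('ResourceSuffix', None)
    if resource_suffix is not None:
        # Report a non-string suffix as bad metadata instead of a TypeError
        # from the concatenation below.
        if not isinstance(resource_suffix, basestring):
            raise ValidationError('Non-string ResourceSuffix specified for CloudCanvas PlayerAccess metadata on the {} resource in stack {}.'.format(
                logical_resource_name,
                feature_info.stack_arn))
        resource += resource_suffix

    return {
        'Sid': logical_resource_name + 'Access',
        'Effect': 'Allow',
        'Action': metadata_actions,
        'Resource': resource
    }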
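def _get_metadata_for_function(resource, function_name):
    """Return the ``POLICY_NAME`` (FunctionAccess) metadata entry on ``resource`` for ``function_name``.

    ``resource`` is a CloudFormation stack-resource description (a dict carrying
    ``LogicalResourceId``). Its FunctionAccess metadata may be a single object
    or a list of objects; each object must have a non-empty string
    ``FunctionName``.

    Returns None when the resource has no FunctionAccess metadata or no entry
    names ``function_name``, otherwise the matching entry.

    Raises ValidationError when the metadata is neither an object nor a list,
    when an entry is not an object or lacks a string ``FunctionName``, or when
    more than one entry names the same function -- an ambiguous grant is
    refused rather than resolved silently.
    """
    metadata = discovery_utils.get_cloud_canvas_metadata(resource, POLICY_NAME)

    if metadata is None:
        return None

    # Normalise the single-object form to a one-element list.
    if isinstance(metadata, dict):
        metadata = [metadata]

    # Diagnostic names only; taken from the resource description so that the
    # error paths never depend on names that are not in scope here.
    logical_resource_name = resource.get('LogicalResourceId')
    stack_arn = resource.get('StackId')

    if not isinstance(metadata, list):
        raise ValidationError('FunctionAccess metadata not an object or list on resource {} in stack {}.'.format(
            logical_resource_name,
            stack_arn))

    entry_found = None

    for entry in metadata:

        # Each entry must be an object; otherwise .get() below would raise an
        # AttributeError instead of a ValidationError.
        if not isinstance(entry, dict):
            raise ValidationError('FunctionAccess metadata entry is not an object on resource {} in stack {}.'.format(
                logical_resource_name,
                stack_arn))

        metadata_function_name = entry.get('FunctionName', None)

        if not metadata_function_name:
            raise ValidationError('No FunctionName specified for CloudCanvas FunctionAccess metdata on the {} resource in stack {}.'.format(
                logical_resource_name,
                stack_arn))

        if not isinstance(metadata_function_name, basestring):
            raise ValidationError('Non-string FunctionName specified for CloudCanvas FunctionAccess metadata on the {} resource in stack {}.'.format(
                logical_resource_name,
                stack_arn))

        if metadata_function_name == function_name:
            # Exactly one entry may name the function; never pick silently.
            if entry_found is not None:
                raise ValidationError('More than one FunctionAccess metadata entry was found for function {} on resource {} in stack {}.'.format(
                    function_name,
                    logical_resource_name,
                    stack_arn))
            entry_found = entry

    return entry_found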
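def _get_metadata_for_function(resource, function_name):
    """Return the ``POLICY_NAME`` (FunctionAccess) metadata entry on ``resource`` for ``function_name``.

    ``resource`` is a CloudFormation stack-resource description (a dict carrying
    ``LogicalResourceId``). Its FunctionAccess metadata may be a single object
    or a list of objects; each object must have a non-empty string
    ``FunctionName``.

    Returns None when the resource has no FunctionAccess metadata or no entry
    names ``function_name``, otherwise the matching entry.

    Raises ValidationError when the metadata is neither an object nor a list,
    when an entry is not an object or lacks a string ``FunctionName``, or when
    more than one entry names the same function -- an ambiguous grant is
    refused rather than resolved silently.
    """
    metadata = discovery_utils.get_cloud_canvas_metadata(resource, POLICY_NAME)

    if metadata is None:
        return None

    # Normalise the single-object form to a one-element list.
    if isinstance(metadata, dict):
        metadata = [metadata]

    # Diagnostic names only; taken from the resource description so that the
    # error paths never depend on names that are not in scope here.
    logical_resource_name = resource.get('LogicalResourceId')
    stack_arn = resource.get('StackId')

    if not isinstance(metadata, list):
        raise ValidationError(
            'FunctionAccess metadata not an object or list on resource {} in stack {}.'
            .format(logical_resource_name, stack_arn))

    entry_found = None

    for entry in metadata:

        # Each entry must be an object; otherwise .get() below would raise an
        # AttributeError instead of a ValidationError.
        if not isinstance(entry, dict):
            raise ValidationError(
                'FunctionAccess metadata entry is not an object on resource {} in stack {}.'
                .format(logical_resource_name, stack_arn))

        metadata_function_name = entry.get('FunctionName', None)

        if not metadata_function_name:
            raise ValidationError(
                'No FunctionName specified for CloudCanvas FunctionAccess metdata on the {} resource in stack {}.'
                .format(logical_resource_name, stack_arn))

        if not isinstance(metadata_function_name, basestring):
            raise ValidationError(
                'Non-string FunctionName specified for CloudCanvas FunctionAccess metadata on the {} resource in stack {}.'
                .format(logical_resource_name, stack_arn))

        if metadata_function_name == function_name:
            # Exactly one entry may name the function; never pick silently.
            if entry_found is not None:
                raise ValidationError(
                    'More than one FunctionAccess metadata entry was found for function {} on resource {} in stack {}.'
                    .format(function_name, logical_resource_name, stack_arn))
            entry_found = entry

    return entry_found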