def ecs_agent_policy():
    """Build the IAM policy document granted to the ECS container agent.

    The document holds one ``Allow`` statement covering the cluster
    registration, polling and state-submission actions the agent calls.
    ``Resource`` is ``"*"``; the statement is not narrowed to a cluster.

    Returns:
        Policy: the assembled awacs policy object.
    """
    agent_actions = [
        ecs.CreateCluster,
        ecs.RegisterContainerInstance,
        ecs.DeregisterContainerInstance,
        ecs.DiscoverPollEndpoint,
        ecs.Action("Submit*"),
        ecs.Poll,
        ecs.Action("StartTelemetrySession"),
    ]
    agent_statement = Statement(
        Effect=Allow,
        Action=agent_actions,
        Resource=["*"],
    )
    return Policy(Statement=[agent_statement])
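def create_ecs_service_role(region, namespace, mappings, parameters, **kwargs):
    """Create the ``ecsServiceRole`` IAM role and write its inline policy.

    The role currently has to be named exactly ``ecsServiceRole``, so it
    cannot be created via CloudFormation. See:
    http://docs.aws.amazon.com/AmazonECS/latest/developerguide/IAM_policies.html#service_IAM_role

    Args:
        region: AWS region used to build the IAM client.
        namespace: accepted for hook-signature compatibility; unused here.
        mappings: accepted for hook-signature compatibility; unused here.
        parameters: accepted for hook-signature compatibility; unused here.

    Keyword Args:
        role_name (str): name of the role to create
            (default ``ecsServiceRole``).

    Returns:
        bool: ``True`` once the role exists and its policy has been written.

    Raises:
        ClientError: any IAM error other than the role already existing.
    """
    role_name = kwargs.get("role_name", "ecsServiceRole")
    client = boto3.client("iam", region_name=region)
    try:
        client.create_role(
            RoleName=role_name,
            AssumeRolePolicyDocument=get_ecs_assumerole_policy().to_json(),
        )
    except ClientError as err:
        # The hook is re-runnable, so an existing role is not an error.
        # Match on the IAM error code rather than the message text:
        # ``ClientError`` has no ``.message`` attribute on Python 3 (the
        # original ``e.message`` raised AttributeError there), and the
        # wording of the message is not a stable contract.
        error_code = err.response.get("Error", {}).get("Code")
        if error_code != "EntityAlreadyExists":
            raise

    # Inline policy for the service role. ``Resource`` is ``"*"``: the
    # ECS actions below are not narrowed to a particular cluster here.
    policy = Policy(
        Statement=[
            Statement(
                Effect=Allow,
                Resource=["*"],
                Action=[
                    ecs.CreateCluster,
                    ecs.DeregisterContainerInstance,
                    ecs.DiscoverPollEndpoint,
                    ecs.Poll,
                    ecs.Action("Submit*"),
                ],
            )
        ]
    )
    # put_role_policy is idempotent for a given PolicyName, so re-running
    # the hook simply rewrites the same document.
    client.put_role_policy(
        RoleName=role_name,
        PolicyName="AmazonEC2ContainerServiceRolePolicy",
        PolicyDocument=policy.to_json(),
    )
    return True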
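def create_ecs_service_role(provider, context, **kwargs):
    """Create ecsServiceRole, which has to be named exactly that currently.

    http://docs.aws.amazon.com/AmazonECS/latest/developerguide/IAM_policies.html#service_IAM_role

    Args:
        provider (:class:`runway.cfngin.providers.base.BaseProvider`): Provider
            instance. (passed in by CFNgin)
        context (:class:`runway.cfngin.context.Context`): Context instance.
            (passed in by CFNgin)

    Keyword Args:
        role_name (str): Name of the role to create. (*default: ecsServiceRole*)

    Returns:
        bool: Whether or not the hook succeeded.

    Raises:
        ClientError: any IAM error other than the role already existing.

    """
    role_name = kwargs.get("role_name", "ecsServiceRole")
    client = get_session(provider.region).client("iam")
    try:
        client.create_role(
            RoleName=role_name,
            AssumeRolePolicyDocument=get_ecs_assumerole_policy().to_json(),
        )
    except ClientError as err:
        # Re-runs are expected, so an existing role is tolerated. Check the
        # IAM error code instead of searching the message text, whose
        # wording is not a stable contract.
        if err.response.get("Error", {}).get("Code") != "EntityAlreadyExists":
            raise

    # Inline policy for the service role. ``Resource`` is ``"*"``: the ECS
    # actions below are not narrowed to a particular cluster here.
    policy = Policy(
        Version="2012-10-17",
        Statement=[
            Statement(
                Effect=Allow,
                Resource=["*"],
                Action=[
                    ecs.CreateCluster,
                    ecs.DeregisterContainerInstance,
                    ecs.DiscoverPollEndpoint,
                    ecs.Poll,
                    ecs.Action("Submit*"),
                ],
            )
        ],
    )
    # put_role_policy overwrites the named inline policy, so re-running the
    # hook simply rewrites the same document.
    client.put_role_policy(
        RoleName=role_name,
        PolicyName="AmazonEC2ContainerServiceRolePolicy",
        PolicyDocument=policy.to_json(),
    )
    return True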
def ecs_agent_policy():
    """Build the IAM policy document granted to the ECS container agent.

    Two ``Allow`` statements, both on ``Resource`` ``"*"``: the ECS
    cluster registration / polling / state-submission actions the agent
    calls, and the ECR read actions it needs to pull images.

    Returns:
        Policy: the assembled awacs policy object.
    """
    ecs_actions = [
        ecs.CreateCluster,
        ecs.RegisterContainerInstance,
        ecs.DeregisterContainerInstance,
        ecs.DiscoverPollEndpoint,
        ecs.Action("Submit*"),
        ecs.Poll,
        ecs.Action("StartTelemetrySession"),
    ]
    ecr_pull_actions = [
        ecr.GetAuthorizationToken,
        ecr.BatchCheckLayerAvailability,
        ecr.GetDownloadUrlForLayer,
        ecr.BatchGetImage,
    ]
    statements = [
        Statement(Effect=Allow, Action=ecs_actions, Resource=["*"]),
        Statement(Effect=Allow, Action=ecr_pull_actions, Resource=["*"]),
    ]
    return Policy(Statement=statements)
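def create_ecs_service_role(
    context: CfnginContext, *, role_name: str = "ecsServiceRole", **_: Any
) -> bool:
    """Create ecsServiceRole IAM role.

    https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using-service-linked-roles.html

    Args:
        context: Context instance. (passed in by CFNgin)
        role_name: Name of the role to create.

    Returns:
        ``True`` once the role exists and its inline policy has been written.

    Raises:
        ClientError: any IAM error other than the role already existing.

    """
    client = context.get_session().client("iam")
    try:
        client.create_role(
            RoleName=role_name,
            AssumeRolePolicyDocument=get_ecs_assumerole_policy().to_json(),
        )
    except ClientError as err:
        # Re-runs are expected, so an existing role is tolerated. Check the
        # IAM error code instead of searching the message text, whose
        # wording is not a stable contract.
        if err.response.get("Error", {}).get("Code") != "EntityAlreadyExists":
            raise

    # Inline policy for the service role. ``Resource`` is ``"*"``: the ECS
    # actions below are not narrowed to a particular cluster here.
    policy = Policy(
        Version="2012-10-17",
        Statement=[
            Statement(
                Effect=Allow,
                Resource=["*"],
                Action=[
                    ecs.CreateCluster,
                    ecs.DeregisterContainerInstance,
                    ecs.DiscoverPollEndpoint,
                    ecs.Poll,
                    ecs.Action("Submit*"),
                ],
            )
        ],
    )
    # put_role_policy overwrites the named inline policy, so re-running the
    # hook simply rewrites the same document.
    client.put_role_policy(
        RoleName=role_name,
        PolicyName="AmazonEC2ContainerServiceRolePolicy",
        PolicyDocument=policy.to_json(),
    )
    return True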
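def create_ecs_service_role(provider, context, **kwargs):
    """Create the ecsServiceRole, which has to be named exactly that currently.

    Because of the fixed name it cannot be created via CloudFormation. See:
    http://docs.aws.amazon.com/AmazonECS/latest/developerguide/IAM_policies.html#service_IAM_role

    Args:
        provider (:class:`stacker.providers.base.BaseProvider`): provider
            instance
        context (:class:`stacker.context.Context`): context instance

    Keyword Args:
        role_name (str): name of the role to create
            (default ``ecsServiceRole``).

    Returns:
        boolean for whether or not the hook succeeded.

    Raises:
        ClientError: any IAM error other than the role already existing.
    """
    role_name = kwargs.get("role_name", "ecsServiceRole")
    client = get_session(provider.region).client('iam')
    try:
        client.create_role(
            RoleName=role_name,
            AssumeRolePolicyDocument=get_ecs_assumerole_policy().to_json(),
        )
    except ClientError as err:
        # Re-runs are expected, so an existing role is tolerated. Check the
        # IAM error code instead of searching the message text, whose
        # wording is not a stable contract.
        if err.response.get("Error", {}).get("Code") != "EntityAlreadyExists":
            raise

    # Inline policy for the service role. ``Resource`` is ``"*"``: the ECS
    # actions below are not narrowed to a particular cluster here.
    policy = Policy(
        Version='2012-10-17',
        Statement=[
            Statement(
                Effect=Allow,
                Resource=["*"],
                Action=[
                    ecs.CreateCluster,
                    ecs.DeregisterContainerInstance,
                    ecs.DiscoverPollEndpoint,
                    ecs.Poll,
                    ecs.Action("Submit*"),
                ],
            )
        ],
    )
    # put_role_policy overwrites the named inline policy, so re-running the
    # hook simply rewrites the same document.
    client.put_role_policy(
        RoleName=role_name,
        PolicyName="AmazonEC2ContainerServiceRolePolicy",
        PolicyDocument=policy.to_json(),
    )
    return True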
def empire_policy(resources):
    """Build the IAM policy document for the Empire controller.

    Args:
        resources: mapping of resource identifiers used to scope the
            statements; the keys read here are ``CustomResourcesTopic``,
            ``CustomResourcesQueue``, ``TemplateBucket`` and
            ``Environment``.

    Returns:
        Policy: the assembled awacs policy object.
    """

    def allow(actions, on):
        # Every statement in this document is an Allow; only the action
        # list and the resource list vary.
        return Statement(Effect=Allow, Action=actions, Resource=on)

    everywhere = ["*"]

    # Stacks created by Empire are named "<Environment>-*", so the
    # CloudFormation statement is limited to that ARN pattern.
    environment_stacks = Join('', [
        'arn:aws:cloudformation:',
        Ref('AWS::Region'),
        ':',
        Ref('AWS::AccountId'),
        ':stack/',
        resources['Environment'],
        '-*',
    ])

    custom_resource_topic = allow(
        [sns.Publish],
        [resources['CustomResourcesTopic']],
    )
    custom_resource_queue = allow(
        [sqs.ReceiveMessage, sqs.DeleteMessage],
        [resources['CustomResourcesQueue']],
    )
    template_bucket = allow(
        [
            s3.PutObject,
            s3.PutObjectAcl,
            s3.PutObjectVersionAcl,
            s3.GetObject,
            s3.GetObjectVersion,
            s3.GetObjectAcl,
            s3.GetObjectVersionAcl,
        ],
        [resources['TemplateBucket']],
    )
    stack_management = allow(
        [
            cloudformation.CreateStack,
            cloudformation.UpdateStack,
            cloudformation.DeleteStack,
            cloudformation.ListStackResources,
            cloudformation.DescribeStackResource,
            cloudformation.DescribeStacks,
        ],
        [environment_stacks],
    )
    template_validation = allow([cloudformation.ValidateTemplate], everywhere)
    ecs_management = allow(
        [
            ecs.CreateService,
            ecs.DeleteService,
            ecs.DeregisterTaskDefinition,
            ecs.Action("Describe*"),
            ecs.Action("List*"),
            ecs.RegisterTaskDefinition,
            ecs.RunTask,
            ecs.StartTask,
            ecs.StopTask,
            ecs.SubmitTaskStateChange,
            ecs.UpdateService,
        ],
        everywhere,
    )
    # TODO: Limit to specific ELB?
    load_balancers = allow(
        [
            elb.DeleteLoadBalancer,
            elb.CreateLoadBalancer,
            elb.DescribeLoadBalancers,
            elb.DescribeTags,
            elb.ConfigureHealthCheck,
            elb.ModifyLoadBalancerAttributes,
            elb.SetLoadBalancerListenerSSLCertificate,
            elb.SetLoadBalancerPoliciesOfListener,
        ],
        everywhere,
    )
    network_discovery = allow(
        [ec2.DescribeSubnets, ec2.DescribeSecurityGroups],
        everywhere,
    )
    # NOTE(review): iam:PassRole on Resource "*" lets this principal hand
    # any role in the account to the services it drives; scoping it to the
    # role ARNs Empire actually passes would contain that — TODO confirm
    # which roles those are.
    certificates_and_roles = allow(
        [
            iam.GetServerCertificate,
            iam.UploadServerCertificate,
            iam.DeleteServerCertificate,
            iam.PassRole,
        ],
        everywhere,
    )
    # TODO: Limit to specific zones
    dns = allow(
        [
            Action("route53", "ListHostedZonesByName"),
            route53.ChangeResourceRecordSets,
            route53.ListHostedZones,
            route53.GetHostedZone,
            route53.GetChange,
        ],
        everywhere,
    )
    streams = allow(
        [
            kinesis.DescribeStream,
            Action(kinesis.prefix, "Get*"),
            Action(kinesis.prefix, "List*"),
        ],
        everywhere,
    )

    return Policy(Statement=[
        custom_resource_topic,
        custom_resource_queue,
        template_bucket,
        stack_management,
        template_validation,
        ecs_management,
        load_balancers,
        network_discovery,
        certificates_and_roles,
        dns,
        streams,
    ])
# Example taken from AWS docs:
# http://docs.aws.amazon.com/AmazonECS/latest/developerguide/IAM_policies.html#instance_IAM_role
#
# Builds the ECS container-instance policy with awacs and prints it as JSON.
from awacs.aws import Allow, Policy, Statement
import awacs.ecs as ecs

instance_actions = [
    ecs.CreateCluster,
    ecs.RegisterContainerInstance,
    ecs.DeregisterContainerInstance,
    ecs.DiscoverPollEndpoint,
    ecs.Action("Submit*"),
    ecs.Poll,
]

# One Allow statement on Resource "*", as in the referenced example.
pd = Policy(
    Statement=[
        Statement(Effect=Allow, Action=instance_actions, Resource=["*"]),
    ]
)

print(pd.to_json())
def empire_policy(resources):
    """Build the IAM policy document for the Empire controller.

    Args:
        resources: mapping of resource identifiers used to scope the
            statements; the keys read here are ``CustomResourcesTopic``,
            ``CustomResourcesQueue``, ``TemplateBucket`` and
            ``Environment``.

    Returns:
        Policy: the assembled awacs policy object.
    """

    def allow(actions, on):
        # Every statement in this document is an Allow; only the action
        # list and the resource list vary.
        return Statement(Effect=Allow, Action=actions, Resource=on)

    everywhere = ["*"]

    # Stacks created by Empire are named "<Environment>-*", so the
    # CloudFormation statement is limited to that ARN pattern.
    environment_stacks = Join('', [
        'arn:aws:cloudformation:',
        Ref('AWS::Region'),
        ':',
        Ref('AWS::AccountId'),
        ':stack/',
        resources['Environment'],
        '-*',
    ])

    custom_resource_topic = allow(
        [sns.Publish],
        [resources['CustomResourcesTopic']],
    )
    custom_resource_queue = allow(
        [
            sqs.ReceiveMessage,
            sqs.DeleteMessage,
            sqs.ChangeMessageVisibility,
        ],
        [resources['CustomResourcesQueue']],
    )
    template_bucket = allow(
        [
            s3.PutObject,
            s3.PutObjectAcl,
            s3.PutObjectVersionAcl,
            s3.GetObject,
            s3.GetObjectVersion,
            s3.GetObjectAcl,
            s3.GetObjectVersionAcl,
        ],
        [resources['TemplateBucket']],
    )
    lambda_functions = allow(
        [
            awslambda.CreateFunction,
            awslambda.DeleteFunction,
            awslambda.UpdateFunctionCode,
            awslambda.GetFunctionConfiguration,
            awslambda.AddPermission,
            awslambda.RemovePermission,
        ],
        everywhere,
    )
    event_rules = allow(
        [
            events.PutRule,
            events.DeleteRule,
            events.DescribeRule,
            events.EnableRule,
            events.DisableRule,
            events.PutTargets,
            events.RemoveTargets,
        ],
        everywhere,
    )
    stack_management = allow(
        [
            cloudformation.CreateStack,
            cloudformation.UpdateStack,
            cloudformation.DeleteStack,
            cloudformation.ListStackResources,
            cloudformation.DescribeStackResource,
            cloudformation.DescribeStacks,
        ],
        [environment_stacks],
    )
    template_validation = allow([cloudformation.ValidateTemplate], everywhere)
    ecs_management = allow(
        [
            ecs.CreateService,
            ecs.DeleteService,
            ecs.DeregisterTaskDefinition,
            ecs.Action("Describe*"),
            ecs.Action("List*"),
            ecs.RegisterTaskDefinition,
            ecs.RunTask,
            ecs.StartTask,
            ecs.StopTask,
            ecs.SubmitTaskStateChange,
            ecs.UpdateService,
        ],
        everywhere,
    )
    # TODO: Limit to specific ELB?
    load_balancers = allow(
        [
            elb.Action("Describe*"),
            elb.AddTags,
            elb.CreateLoadBalancer,
            elb.CreateLoadBalancerListeners,
            elb.DescribeTags,
            elb.DeleteLoadBalancer,
            elb.ConfigureHealthCheck,
            elb.ModifyLoadBalancerAttributes,
            elb.SetLoadBalancerListenerSSLCertificate,
            elb.SetLoadBalancerPoliciesOfListener,
            elb.Action("CreateTargetGroup"),
            elb.Action("CreateListener"),
            elb.Action("DeleteListener"),
            elb.Action("DeleteTargetGroup"),
            elb.Action("ModifyTargetGroup"),
            elb.Action("ModifyTargetGroupAttributes"),
        ],
        everywhere,
    )
    network_discovery = allow(
        [ec2.DescribeSubnets, ec2.DescribeSecurityGroups],
        everywhere,
    )
    # NOTE(review): iam:PassRole on Resource "*" lets this principal hand
    # any role in the account to the services it drives; scoping it to the
    # role ARNs Empire actually passes would contain that — TODO confirm
    # which roles those are.
    certificates_and_roles = allow(
        [
            iam.GetServerCertificate,
            iam.UploadServerCertificate,
            iam.DeleteServerCertificate,
            iam.PassRole,
        ],
        everywhere,
    )
    # TODO: Limit to specific zones
    dns = allow(
        [
            Action("route53", "ListHostedZonesByName"),
            route53.ChangeResourceRecordSets,
            route53.ListHostedZones,
            route53.GetHostedZone,
            route53.GetChange,
        ],
        everywhere,
    )
    streams = allow(
        [
            kinesis.DescribeStream,
            Action(kinesis.prefix, "Get*"),
            Action(kinesis.prefix, "List*"),
            kinesis.PutRecord,
        ],
        everywhere,
    )
    image_pull = allow(
        [
            ecr.GetAuthorizationToken,
            ecr.BatchCheckLayerAvailability,
            ecr.GetDownloadUrlForLayer,
            ecr.BatchGetImage,
        ],
        everywhere,
    )

    return Policy(Statement=[
        custom_resource_topic,
        custom_resource_queue,
        template_bucket,
        lambda_functions,
        event_rules,
        stack_management,
        template_validation,
        ecs_management,
        load_balancers,
        network_discovery,
        certificates_and_roles,
        dns,
        streams,
        image_pull,
    ])
# Example taken from AWS docs:
# http://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance_IAM_role.html
#
# Builds the ECS container-instance policy with awacs and prints it as JSON:
# ECS agent registration/polling, ECR image pull and CloudWatch Logs writes.
import awacs.ecr as aecr
import awacs.ecs as aecs
import awacs.logs as alogs
from awacs.aws import Allow, Policy, Statement

agent_actions = [
    aecs.CreateCluster,
    aecs.DeregisterContainerInstance,
    aecs.DiscoverPollEndpoint,
    aecs.Poll,
    aecs.RegisterContainerInstance,
    aecs.StartTelemetrySession,
]
image_pull_actions = [
    aecr.GetAuthorizationToken,
    aecr.BatchCheckLayerAvailability,
    aecr.GetDownloadUrlForLayer,
    aecr.BatchGetImage,
]
log_actions = [
    alogs.CreateLogStream,
    alogs.PutLogEvents,
]

# Single Allow statement on Resource "*", in the same action order as the
# referenced example (the wildcard Submit* action comes last).
pd = Policy(
    Statement=[
        Statement(
            Effect=Allow,
            Action=agent_actions + image_pull_actions + log_actions + [aecs.Action("Submit*")],
            Resource=["*"],
        )
    ]
)

print(pd.to_json())