Example #1
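def iam_purge_instance_profiles():
    """ Instance profiles are not well-exposed in the AWS Console (the online management tool),
    this command will delete the instance profiles and roles that are defined in this codebase.
    Every deletion is attempted on its own: a failure is printed and the remaining deletions are
    still tried, nothing is raised to the caller.  Note: you will probably have to go and
    manually delete a service role, though the error message should provide sufficient
    information for you to work out what to do. """
    iam_client = create_iam_client()

    def attempt(delete_call, keyword, entity_name):
        # Deliberately best-effort: the error is shown to the operator instead of aborting the
        # purge.  print(e) and a pre-formatted message behave the same on Python 2 and 3; the
        # statement form `print e` does not parse on Python 3.
        try:
            delete_call(**{keyword: entity_name})
            print("Deleted %s" % entity_name)
        except Exception as e:
            print(e)

    # The first call removes an instance profile that carries the role's name, the second one
    # the profile this codebase creates itself.
    attempt(iam_client.delete_instance_profile, "InstanceProfileName", EB_INSTANCE_PROFILE_ROLE)
    attempt(iam_client.delete_instance_profile, "InstanceProfileName", EB_INSTANCE_PROFILE_NAME)

    # NOTE(review): IAM is expected to refuse deleting a role that still has managed policies
    # attached; nothing here detaches them, which is presumably the manual step the docstring
    # mentions - confirm against the printed error.
    attempt(iam_client.delete_role, "RoleName", EB_INSTANCE_PROFILE_ROLE)
    attempt(iam_client.delete_role, "RoleName", EB_SERVICE_ROLE)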
Example #2
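def get_or_create_automation_policy():
    """ Returns the IAM policy named BEIWE_AUTOMATION_POLICY_NAME, creating it from the document
    returned by get_automation_policy() when no policy of that name exists yet. """
    iam_client = create_iam_client()

    # A single list_policies call returns one page only, and without a Scope it also walks the
    # AWS managed policies.  On an account where the policy sits past the first page the lookup
    # misses it and create_policy then fails on the duplicate name.  Listing customer managed
    # policies only, through the paginator, looks at every candidate.
    paginator = iam_client.get_paginator("list_policies")
    for page in paginator.paginate(Scope="Local"):
        for policy in page["Policies"]:
            if policy['PolicyName'] == BEIWE_AUTOMATION_POLICY_NAME:
                return policy

    # Created under the same name the lookup above searches for, so a later call finds it.
    # NOTE(review): this used to be the literal "beiwe_automation_policy" - confirm the constant
    # holds that value.
    return iam_client.create_policy(
            PolicyName=BEIWE_AUTOMATION_POLICY_NAME,
            PolicyDocument=get_automation_policy(),
            Description="permissions the beiwe elastic beanstalk application."
    )['Policy']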
Example #3
def get_or_create_eb_instance_profile():
    """ Returns the instance profile named EB_INSTANCE_PROFILE_NAME as reported by
    iam_find_instance_profile.  When the lookup raises IamEntityMissingError the profile is
    created, the role from get_or_create_eb_instance_profile_role() is added to it, and the
    profile is looked up again. """
    iam_client = create_iam_client()
    profile_name = EB_INSTANCE_PROFILE_NAME
    try:
        existing_profile = iam_find_instance_profile(iam_client, profile_name)
    except IamEntityMissingError:
        log.info("eb instance _profile_ not found, creating...")
        iam_client.create_instance_profile(InstanceProfileName=profile_name)
        # NOTE(review): if anything below fails, the profile already exists without a role and
        # the next call returns it as found - the role is only added on the creation path.
        role_name = get_or_create_eb_instance_profile_role()['RoleName']
        iam_client.add_role_to_instance_profile(
            InstanceProfileName=profile_name, RoleName=role_name)
        return iam_find_instance_profile(iam_client, profile_name)
    return existing_profile
Example #4
def get_or_create_eb_instance_profile_role():
    """ Makes sure the role that applies to the instances in an elastic beanstalk environment
    exists, attaches its managed policies and returns the role as reported by iam_find_role.
    The policy set is based on the role created when using the online AWS console. """
    iam_client = create_iam_client()
    role_name = EB_INSTANCE_PROFILE_ROLE
    try:
        iam_find_role(iam_client, role_name)
    except IamEntityMissingError:
        log.info("eb instance profile _role_ not found, creating...")
        assume_role_document = get_instance_assume_role_policy_document()
        iam_create_role(iam_client, role_name, assume_role_document)

    # The attachments run on every call, whether the role was found or has just been created.
    managed_policies = (
        # In the original role, but almost definitely not required.
        # NOTE(review): a policy nobody needs is extra permission on every instance; worth
        # confirming and dropping.
        AWS_EB_MULTICONTAINER_DOCKER,
        AWS_EB_WEB_TIER,
        AWS_EB_WORKER_TIER,
    )
    for managed_policy in managed_policies:
        iam_attach_role_policy(iam_client, role_name, managed_policy)
    return iam_find_role(iam_client, role_name)
Example #5
def get_or_create_eb_service_role():
    """ Makes sure the role that applies to the elastic beanstalk environment itself exists,
    attaches its managed policies and returns the role as reported by iam_find_role.  The policy
    set is based on the role created when using the online AWS console. """
    iam_client = create_iam_client()
    role_name = EB_SERVICE_ROLE

    try:
        iam_find_role(iam_client, role_name)
    except IamEntityMissingError:
        log.info("eb service role not found, creating...")
        assume_role_document = get_elasticbeanstalk_assume_role_policy_document()
        iam_create_role(iam_client, role_name, assume_role_document)

    # The attachments run on every call, whether the role was found or has just been created.
    for managed_policy in (AWS_EB_SERVICE, AWS_EB_ENHANCED_HEALTH):
        iam_attach_role_policy(iam_client, role_name, managed_policy)
    return iam_find_role(iam_client, role_name)
Example #6
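def get_or_create_s3_access_policy(s3_bucket_name):
    """ Returns the IAM policy "s3-data-access-<bucket name>", creating it from the template
    returned by get_s3_bucket_access_policy() when no policy of that name exists yet.
    s3_bucket_name is the bucket the policy is written for. """
    iam_client = create_iam_client()

    policy_name = "s3-data-access-" + s3_bucket_name

    # A single list_policies call returns one page only, and without a Scope it also walks the
    # AWS managed policies.  On an account where the policy sits past the first page the lookup
    # misses it and create_policy then fails on the duplicate name.  Listing customer managed
    # policies only, through the paginator, looks at every candidate.
    paginator = iam_client.get_paginator("list_policies")
    for page in paginator.paginate(Scope="Local"):
        for policy in page["Policies"]:
            if policy['PolicyName'] == policy_name:
                return policy

    # NOTE(review): the bucket name is substituted into the policy document as plain text, with
    # no escaping.  This assumes the caller passes a real bucket name; a value carrying quotes
    # or wildcards would alter what the policy grants - confirm it is validated upstream.
    policy_document = get_s3_bucket_access_policy() % s3_bucket_name
    return iam_client.create_policy(
            PolicyName=policy_name,
            PolicyDocument=policy_document,
            Description="allows read and write access to s3 bucket %s" % s3_bucket_name
    )['Policy']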
Example #7
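def create_s3_access_credentials(s3_bucket_name):
    """ Creates an IAM user for the given s3 bucket, attaches the bucket's access policy to it
    and returns a newly created access key pair for that user as a dictionary with the keys
    S3_ACCESS_CREDENTIALS_USER (access key id) and S3_ACCESS_CREDENTIALS_KEY (secret access key).

    The secret access key is returned in plain text and this function keeps no copy of it.  The
    caller has to store it somewhere protected and keep it out of logs and console output. """
    iam_client = create_iam_client()

    # limited to 63 characters
    # NOTE(review): two bucket names sharing their first 43 characters truncate to the same user
    # name, and create_user fails for the second one.
    user_name = ("s3-data-access-user-" + s3_bucket_name)[:63]

    # The policy is resolved before the user is created: if this step fails, no user is left
    # behind without a policy or keys, and a re-run does not trip over an existing user name.
    s3_policy = get_or_create_s3_access_policy(s3_bucket_name)

    iam_client.create_user(UserName=user_name)
    iam_client.attach_user_policy(UserName=user_name, PolicyArn=s3_policy['Arn'])

    iam_user = create_iam_resource().User(user_name)
    access_key_pair = iam_user.create_access_key_pair()
    return {
        "S3_ACCESS_CREDENTIALS_USER": access_key_pair.access_key_id,
        "S3_ACCESS_CREDENTIALS_KEY": access_key_pair.secret_access_key,
    }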