def create_wsgi_api(self): """Create/Update api definition for wsgi app""" swagger_api = False # If there is already an exsiting swagger api template, # fetch it so we won't duplicate it #if os.path.isfile(self.get_swagger_template()) and self.get_apigateway_name(): swagger_api = self.if_api_exist_by_name(self.get_apigateway_name()) iam = IAM() for lm_func in self._config.get('Lambda'): if lm_func.get('Type') != AWSLambda.FUNCTION_TYPE_WSGI or lm_func.get('DisableApiGateway'): continue function_name = self.get_lmdo_format_name(lm_func.get('FunctionName')) role = iam.get_lambda_apigateway_default_role(function_name) Oprint.info('Create/Update API Gateway for wsgi function {}'.format(lm_func.get('FunctionName')), 'apigateway') to_replace = { "$title": self.get_apigateway_name(), "$version": str(datetime.datetime.utcnow()), "$basePath": lm_func.get('ApiBasePath') or '/res', "$apiRegion": self.get_region(), "$functionRegion": self.get_region(), "$accountId": self.get_account_id(), "$functionName": function_name, "$credentials": role['Role'].get('Arn') } # Enable cognito user pool as authorizer if lm_func.get('CognitoUserPoolId'): se_replace = { "$apiRegion": self.get_region(), "$accountId": self.get_account_id(), "$userPoolId": lm_func.get('CognitoUserPoolId'), "$CognitoUserPool": 'CognitoUserPool-{}'.format(lm_func.get('FunctionName')) } to_replace["$securityDefinitions"] = self.get_apigateway_authorizer(se_replace) to_replace["$authorizer"] = '{"' + str(se_replace['$CognitoUserPool'])+'":[]}' else: to_replace["$securityDefinitions"] = '' to_replace["$authorizer"] = '' template_dir = get_template(APIGATEWAY_SWAGGER_WSGI) if not template_dir: Oprint.err('Template {} for creating wsgi APIGateway hasn\'t been installed or missing'.format(APIGATEWAY_SWAGGER_WSGI), 'apigateway') with open(template_dir, 'r') as outfile: body = update_template(outfile.read(), to_replace) if not swagger_api: swagger_api = self.import_rest_api(body) else: # Always overwrite for update self.put_rest_api(swagger_api.get('id'), body, 'merge') return swagger_api
def create_api_by_swagger(self): """Create/Update api definition by swagger""" # Exist if no swagger definition if not os.path.isfile(self.get_swagger_template()): return True api = self.if_api_exist_by_name(self.get_apigateway_name()) with open(self.get_swagger_template(), 'r') as outfile: to_replace = { "$title": self.get_apigateway_name(), "$version": str(datetime.datetime.utcnow()) } # Replace variable in swagger template with content in a file. var_to_file = self._config.get('ApiVarMapToFile') if (var_to_file): for var_name, file_name in var_to_file.iteritems(): with open('{}/{}'.format(SWAGGER_DIR, file_name), 'r') as ofile: file_content = ofile.read() to_replace[var_name] = file_content.replace('\n', '\\n').replace('"', '\\"') var_to_var = self._config.get('ApiVarMapToVar') if var_to_var: for var_name, replacement in var_to_var.iteritems(): to_replace[var_name] = replacement body = update_template(outfile.read(), to_replace) if not api: return self.import_rest_api(body) else: # Always overwrite for update return self.put_rest_api(api.get('id'), body, 'overwrite') return False
def get_apigateway_authorizer(self, to_replace): template = ',"securityDefinitions": {' \ '"$CognitoUserPool": {' \ '"type": "apiKey",' \ '"name": "Authorization",'\ '"in": "header",' \ '"x-amazon-apigateway-authtype": "cognito_user_pools",' \ '"x-amazon-apigateway-authorizer": {' \ '"type": "cognito_user_pools",' \ '"providerARNs": [' \ '"arn:aws:cognito-idp:$apiRegion:$accountId:userpool/$userPoolId"' \ ']' \ '}' \ '}' \ '}' return update_template(template, to_replace)
def create_lambda_role(self, role_name, role_policy): """ Create role for Lambda, all policies store in the assume role policy doc so that we can do update If not set, will using default which enables Lambda for invoking and logging """ try: Oprint.info( 'Start creating role {} and policie for Lambda'.format( role_name), 'iam') assume_roles = [] if role_policy: assume_roles = role_policy.get('AssumeRoles') role_doc = self.get_lambda_default_assume_role_doc( extra_services=assume_roles) role = self.get_role(role_name) if not role: role = self._client.create_role( RoleName=role_name, AssumeRolePolicyDocument=json.dumps(role_doc)) else: self._client.update_assume_role_policy( RoleName=role_name, PolicyDocument=json.dumps(role_doc)) to_replace = { "$region": self.get_region(), "$accountId": self.get_account_id() } policy_doc = [] if role_policy and role_policy.get('PolicyDocument'): _, policy_doc = FileLoader( file_path=role_policy.get('PolicyDocument')).process() policy_doc = policy_doc['Statement'] policy_doc = self.get_lambda_default_policy_doc( extra_statement=policy_doc) policy_doc = update_template(json.dumps(policy_doc), to_replace) # Do inline policy so that when deleting the role, it'll be deleted self._client.put_role_policy( RoleName=role_name, PolicyName='{}-policy'.format(role_name), PolicyDocument=policy_doc) if role_policy and role_policy is dict and role_policy.get( 'ManagedPolicyArns'): for m_policy_arn in role_policy.get('ManagedPolicyArns'): self._client.attach_role_policy(RoleName=role_name, PolicyArn=m_policy_arn) Oprint.info( 'Complete creating role {} and policie for Lambda'.format( role_name), 'iam') except Exception as e: Oprint.err(e, 'iam') return role