def get_deploy_templates():
return {
"create": [
{
"function":
"create_elasticsearch_domain",
"parameters":
select_parameters(
"AccessPolicies",
"AdvancedOptions",
"CognitoOptions",
"DomainName",
"EBSOptions",
"ElasticsearchClusterConfig",
"ElasticsearchVersion",
"EncryptionAtRestOptions",
"LogPublishingOptions",
"NodeToNodeEncryptionOptions",
"SnapshotOptions",
"VPCOptions",
),
},
{
"function": "add_tags",
"parameters": es_add_tags_params
},
],
"delete": {
"function": "delete_elasticsearch_domain",
"parameters": {
"DomainName": "DomainName"
},
},
}
def get_deploy_templates():
return {
"create": {
"function": "publish_version",
"parameters": select_parameters("FunctionName", "CodeSha256", "Description"),
}
}
def events_put_rule_params(params, **kwargs):
attrs = [
"ScheduleExpression",
"EventPattern",
"State",
"Description",
"Name",
"EventBusName",
]
result = select_parameters(*attrs)(params, **kwargs)
# TODO: remove this when refactoring events (prefix etc. was excluded here already to avoid most of the wrong behavior)
def wrap_in_lists(o, **kwargs):
if isinstance(o, dict):
for k, v in o.items():
if not isinstance(v, (dict, list)) and k not in [
"prefix",
"cidr",
"exists",
]:
o[k] = [v]
return o
pattern = result.get("EventPattern")
if isinstance(pattern, dict):
wrapped = common.recurse_object(pattern, wrap_in_lists)
result["EventPattern"] = json.dumps(wrapped)
return result
def get_deploy_templates():
return {
"create": {
"function":
"create_delivery_stream",
"parameters":
select_parameters(
"DeliveryStreamName",
"DeliveryStreamType",
"S3DestinationConfiguration",
"ElasticsearchDestinationConfiguration",
),
},
"delete": {
"function": "delete_delivery_stream",
"parameters": {
"DeliveryStreamName": "DeliveryStreamName"
},
},
}
def get_deploy_templates():
return {
"create": {
"function": "put_parameter",
"parameters": merge_parameters(
params_dict_to_list("Tags", wrapper="Tags"),
select_parameters(
"Name",
"Type",
"Value",
"Description",
"AllowedPattern",
"Policies",
"Tier",
),
),
"types": {"Value": str},
},
"delete": {"function": "delete_parameter", "parameters": ["Name"]},
}
def get_deploy_templates(cls):
return {
"create": [
{
"function":
"create_role",
"parameters":
param_defaults(
dump_json_params(
select_parameters(
"Path",
"RoleName",
"AssumeRolePolicyDocument",
"Description",
"MaxSessionDuration",
"PermissionsBoundary",
"Tags",
),
"AssumeRolePolicyDocument",
),
{"RoleName": PLACEHOLDER_RESOURCE_NAME},
),
},
{
"function": IAMRole._post_create
},
],
"delete": [
{
"function": IAMRole._pre_delete
},
{
"function": "delete_role",
"parameters": {
"RoleName": "RoleName"
}
},
],
}
def events_put_rule_params(params, **kwargs):
attrs = [
"ScheduleExpression",
"EventPattern",
"State",
"Description",
"Name",
"EventBusName",
]
result = select_parameters(*attrs)(params, **kwargs)
def wrap_in_lists(o, **kwargs):
if isinstance(o, dict):
for k, v in o.items():
if not isinstance(v, (dict, list)):
o[k] = [v]
return o
pattern = result.get("EventPattern")
if isinstance(pattern, dict):
wrapped = common.recurse_object(pattern, wrap_in_lists)
result["EventPattern"] = json.dumps(wrapped)
return result
def get_deploy_templates():
return {
"create": {
"function": "create_delivery_stream",
"parameters": select_parameters(
"DeliveryStreamName",
"DeliveryStreamType",
"S3DestinationConfiguration",
"ElasticsearchDestinationConfiguration",
"AmazonopensearchserviceDestinationConfiguration",
"DeliveryStreamEncryptionConfigurationInput",
"ExtendedS3DestinationConfiguration",
"HttpEndpointDestinationConfiguration",
"KinesisStreamSourceConfiguration",
"RedshiftDestinationConfiguration",
"SplunkDestinationConfiguration",
"Tags",
),
},
"delete": {
"function": "delete_delivery_stream",
"parameters": {"DeliveryStreamName": "DeliveryStreamName"},
},
}
def lambda_permission_params(params, **kwargs):
result = select_parameters("FunctionName", "Action",
"Principal")(params, **kwargs)
result["StatementId"] = short_uid()
return result
def get_deploy_templates(cls):
def _post_create(resource_id, resources, resource_type, func,
stack_name):
"""attaches managed policies from the template to the role"""
iam = aws_stack.connect_to_service("iam")
resource = resources[resource_id]
props = resource["Properties"]
role_name = props["RoleName"]
# attach managed policies
policy_arns = props.get("ManagedPolicyArns", [])
for arn in policy_arns:
iam.attach_role_policy(RoleName=role_name, PolicyArn=arn)
# add inline policies
inline_policies = props.get("Policies", [])
for policy in inline_policies:
assert not isinstance(
policy, list
) # remove if this doesn't make any problems for a while
if policy == PLACEHOLDER_AWS_NO_VALUE:
continue
if not isinstance(policy, dict):
LOG.info('Invalid format of policy for IAM role "%s": %s' %
(props.get("RoleName"), policy))
continue
pol_name = policy.get("PolicyName")
doc = dict(policy["PolicyDocument"])
doc["Version"] = doc.get("Version") or IAM_POLICY_VERSION
statements = ensure_list(doc["Statement"])
for statement in statements:
if isinstance(statement.get("Resource"), list):
# filter out empty resource strings
statement["Resource"] = [
r for r in statement["Resource"] if r
]
doc = json.dumps(doc)
iam.put_role_policy(
RoleName=props["RoleName"],
PolicyName=pol_name,
PolicyDocument=doc,
)
def _pre_delete(resource_id, resources, resource_type, func,
stack_name):
"""detach managed policies from role before deleting"""
iam_client = aws_stack.connect_to_service("iam")
resource = resources[resource_id]
props = resource["Properties"]
role_name = props["RoleName"]
# TODO: this should probably only remove the policies that are specified in the stack (verify with AWS)
# detach managed policies
for policy in iam_client.list_attached_role_policies(
RoleName=role_name).get("AttachedPolicies", []):
iam_client.detach_role_policy(RoleName=role_name,
PolicyArn=policy["PolicyArn"])
# delete inline policies
for inline_policy_name in iam_client.list_role_policies(
RoleName=role_name).get("PolicyNames", []):
iam_client.delete_role_policy(RoleName=role_name,
PolicyName=inline_policy_name)
# TODO: potentially remove this when stack resource deletion order is fixed (check AWS behavior first)
# cleanup instance profile
try:
rs = iam_client.list_instance_profiles_for_role(
RoleName=role_name)
for instance_profile in rs["InstanceProfiles"]:
ip_name = instance_profile["InstanceProfileName"]
iam_client.remove_role_from_instance_profile(
InstanceProfileName=ip_name, RoleName=role_name)
except Exception as e:
if "NoSuchEntity" not in str(e):
raise
return {
"create": [
{
"function":
"create_role",
"parameters":
param_defaults(
dump_json_params(
select_parameters(
"Path",
"RoleName",
"AssumeRolePolicyDocument",
"Description",
"MaxSessionDuration",
"PermissionsBoundary",
"Tags",
),
"AssumeRolePolicyDocument",
),
{"RoleName": PLACEHOLDER_RESOURCE_NAME},
),
},
{
"function": _post_create
},
],
"delete": [
{
"function": _pre_delete
},
{
"function": "delete_role",
"parameters": {
"RoleName": "RoleName"
}
},
],
}
