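def add_cd_applications(self):
    """Add a CodeDeploy application, its service role and an IAM user per name.

    ``self.aws['cd_application.names']`` is split on commas and, for each
    entry ``cdapp`` at position ``i``, the following is added to ``self.t``:

    * ``codedeploy.Application`` (logical ID: ``_name_tags`` prefix + ``i``)
      with ``ApplicationName=cdapp``, exported as output ``CDApp<i>``;
    * ``iam.Role`` ``<cdapp>CDRole`` trusted by ``codedeploy.amazonaws.com``
      with the managed ``AWSCodeDeployRole`` policy, output ``CDRole<i>``;
    * ``iam.User`` ``<cdapp>CDUser`` with no policy attached (the application
      stack attaches one later), output ``CDUser<i>``.

    The resources created in the last iteration remain available as
    ``self.cd_application``, ``self.cd_role`` and ``self.cd_iam_user``.

    Returns:
        None.
    """
    for index, cdapp in enumerate(self.aws['cd_application.names'].split(',')):
        suffix = str(index)

        # Only the generated prefix is used: codedeploy.Application does not
        # take Tags in this template, so the tags value is ignored on purpose.
        name, _tags = self._name_tags('cd_application')
        self.cd_application = self.t.add_resource(
            codedeploy.Application(
                name + suffix,
                ApplicationName=cdapp,
            ))
        self.t.add_output(Output(
            "CDApp" + suffix,
            Value=Ref(self.cd_application),
        ))

        # Logical IDs below are derived from the configured name; troposphere
        # rejects titles that are not purely alphanumeric, so a name with
        # other characters would raise here (presumably never configured).
        cd_role_name = cdapp + "CDRole"
        self.cd_role = self.t.add_resource(
            iam.Role(
                cd_role_name,
                # Service trust policy so CodeDeploy can assume this role.
                # NOTE(review): no Condition (e.g. aws:SourceAccount) narrows
                # the trust; confirm that is acceptable for this deployment.
                AssumeRolePolicyDocument=Policy(
                    Statement=[
                        Statement(
                            Action=[awacs.sts.AssumeRole],
                            Effect=Allow,
                            Principal=Principal('Service', 'codedeploy.amazonaws.com'),
                            Sid=cd_role_name,  # optional in a trust policy; kept as a label
                        ),
                    ],
                ),
                ManagedPolicyArns=['arn:aws:iam::aws:policy/service-role/AWSCodeDeployRole'],
                Path='/',
            ))
        self.t.add_output(Output(
            "CDRole" + suffix,
            Value=Ref(self.cd_role),
        ))

        # The user is created without any permissions: its policy is created
        # and attached by the application stack, so no ManagedPolicyArns can
        # be referenced from here.
        self.cd_iam_user = self.t.add_resource(
            iam.User(cdapp + "CDUser"))
        self.t.add_output(Output(
            "CDUser" + suffix,
            Value=Ref(self.cd_iam_user),
        ))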
def create_template(self) -> None:
    """Populate ``self.template`` with the functional-test IAM principals.

    Adds to the template:

    * ``FunctionalTestRole`` – an ``iam.Role`` assumable by any principal in
      the current account, carrying the inline ``CFNgin`` policy;
    * ``FunctionalTestUser`` – an ``iam.User`` carrying the same ``CFNgin``
      policy plus an ``AssumeRole`` policy for the role above;
    * ``FunctionalTestKey`` – an ``iam.AccessKey`` (``Serial=1``) for that
      user;
    * outputs ``User``, ``AccessKeyId``, ``SecretAccessKey`` and
      ``FunctionalTestRole``.

    The ``CFNgin`` policy grants the S3 and CloudFormation actions listed
    below and explicitly denies every CloudFormation action on this stack
    itself (``AWS::StackId``), so the test principals cannot alter the stack
    that created them.

    NOTE(review): ``SecretAccessKey`` is exported as a stack output, so it is
    readable by anyone allowed to describe this stack; confirm that is
    intended for the functional-test account.
    """
    template = self.template

    # Resource scopes. NOTE(review): the trailing "*" after ${CFNginBucket}
    # also matches any bucket whose name merely starts with that value;
    # confirm the prefix scope is deliberate.
    bucket_arn = Sub("arn:aws:s3:::${CFNginBucket}*")
    objects_arn = Sub("arn:aws:s3:::${CFNginBucket}*/*")
    cloudformation_scope = Sub(
        "arn:aws:cloudformation:*:${AWS::AccountId}:stack/${Namespace}-*")
    changeset_scope = "*"

    def allow(resources, actions):
        # Small builder for the common "Allow <actions> on <resources>" case.
        return Statement(Effect="Allow", Resource=resources, Action=actions)

    # Exactly the permissions cfngin itself needs, nothing broader.
    cfngin_statements = [
        allow(["*"], [awacs.s3.ListAllMyBuckets]),
        allow([bucket_arn], [
            awacs.s3.ListBucket,
            awacs.s3.GetBucketLocation,
            awacs.s3.CreateBucket,
            awacs.s3.DeleteBucket,
        ]),
        allow([bucket_arn], [
            awacs.s3.GetObject,
            awacs.s3.GetObjectAcl,
            awacs.s3.PutObject,
            awacs.s3.PutObjectAcl,
        ]),
        allow([objects_arn], [awacs.s3.DeleteObject]),
        allow([changeset_scope], [
            awacs.cloudformation.DescribeChangeSet,
            awacs.cloudformation.ExecuteChangeSet,
            awacs.cloudformation.DeleteChangeSet,
        ]),
        # Guard rail: the test principals must never touch this very stack.
        Statement(
            Effect="Deny",
            Resource=[Ref("AWS::StackId")],
            Action=[awacs.cloudformation.Action("*")],
        ),
        allow([cloudformation_scope], [
            awacs.cloudformation.GetTemplate,
            awacs.cloudformation.CreateChangeSet,
            awacs.cloudformation.DeleteChangeSet,
            awacs.cloudformation.DeleteStack,
            awacs.cloudformation.CreateStack,
            awacs.cloudformation.UpdateStack,
            awacs.cloudformation.SetStackPolicy,
            awacs.cloudformation.DescribeStacks,
            awacs.cloudformation.DescribeStackEvents,
        ]),
    ]
    cfngin_policy = iam.Policy(
        PolicyName="CFNgin",
        PolicyDocument=Policy(Statement=cfngin_statements),
    )

    # Trust policy: any principal in this account may assume the role.
    trust_policy = Policy(Statement=[
        Statement(
            Effect="Allow",
            Action=[awacs.sts.AssumeRole],
            Principal=AWSPrincipal(Ref("AWS::AccountId")),
        ),
    ])
    role = template.add_resource(iam.Role(
        "FunctionalTestRole",
        AssumeRolePolicyDocument=trust_policy,
        Policies=[cfngin_policy],
    ))

    # The user may additionally assume the role created above.
    assumerole_policy = iam.Policy(
        PolicyName="AssumeRole",
        PolicyDocument=Policy(Statement=[
            allow([GetAtt(role, "Arn")], [awacs.sts.AssumeRole]),
        ]),
    )
    user = template.add_resource(iam.User(
        "FunctionalTestUser",
        Policies=[cfngin_policy, assumerole_policy],
    ))
    key = template.add_resource(iam.AccessKey(
        "FunctionalTestKey",
        Serial=1,
        UserName=Ref(user),
    ))

    outputs = (
        ("User", Ref(user)),
        ("AccessKeyId", Ref(key)),
        ("SecretAccessKey", GetAtt("FunctionalTestKey", "SecretAccessKey")),
        ("FunctionalTestRole", GetAtt(role, "Arn")),
    )
    for title, value in outputs:
        template.add_output(Output(title, Value=value))