def getDeployResources(t: Template) -> Tuple[ActionTypeID, Role]:
    """Register the CloudFormation deploy role on *t* and describe the deploy action.

    Builds one inline policy ("CloudFormationDeployPolicy") with two Allow
    statements, attaches it to a role titled "CFDeployRole", and adds that
    role to the template.

    Args:
        t: Template that receives the role resource.

    Returns:
        A tuple of the ``ActionTypeID`` for the AWS CloudFormation "Deploy"
        provider (version "1") and whatever ``t.add_resource`` returns for
        the role.
    """
    # NOTE(review): both statements use Resource=["*"]. The first grants
    # every EC2 action plus Lambda create/update/delete on any function;
    # consider limiting Resource to the functions and artifact bucket this
    # stack actually manages.
    compute_actions = [
        awacs.ec2.Action("*"),
        awacs.awslambda.GetFunction,
        awacs.awslambda.CreateFunction,
        awacs.awslambda.GetFunctionConfiguration,
        awacs.awslambda.DeleteFunction,
        awacs.awslambda.UpdateFunctionCode,
        awacs.awslambda.UpdateFunctionConfiguration,
        awacs.awslambda.CreateAlias,
        awacs.awslambda.DeleteAlias,
        awacs.s3.GetObject,
    ]
    # NOTE(review): CreateRole + PutRolePolicy + PassRole on every role is a
    # privilege-escalation path: anything deployed through this role can
    # mint a role with an arbitrary inline policy and hand it to a service.
    # Scope Resource to the role ARNs this stack owns, and consider an
    # iam:PassedToService condition or a permissions boundary.
    iam_actions = [
        awacs.iam.DeleteRole,
        awacs.iam.DeleteRolePolicy,
        awacs.iam.GetRole,
        awacs.iam.PutRolePolicy,
        awacs.iam.CreateRole,
        awacs.iam.PassRole,
    ]
    deploy_statements = [
        awacs.aws.Statement(
            Action=action_group,
            Resource=["*"],
            Effect=awacs.aws.Allow,
        )
        for action_group in (compute_actions, iam_actions)
    ]

    deploy_policy = Policy(
        PolicyDocument=awacs.aws.Policy(Statement=deploy_statements),
        PolicyName="CloudFormationDeployPolicy",
    )
    # Trust policy helper is defined elsewhere; presumably it lets the named
    # service principal assume the role -- confirm against its definition.
    cfn_trust = defaultAssumeRolePolicyDocument("cloudformation.amazonaws.com")
    deploy_role = t.add_resource(
        Role(
            "CFDeployRole",
            RoleName=Sub("${AWS::StackName}-CFDeployRole"),
            AssumeRolePolicyDocument=cfn_trust,
            Policies=[deploy_policy],
        )
    )

    deploy_action = ActionTypeID(
        Category="Deploy",
        Owner="AWS",
        Version="1",
        Provider="CloudFormation",
    )
    return (deploy_action, deploy_role)
Exemple #2
def get_iam(ref_name: str) -> Role:
    """Build a role for the Lambda service, titled and named *ref_name*.

    Args:
        ref_name: Used both as the resource title and as ``RoleName``.

    Returns:
        A ``Role`` carrying the policies produced by
        ``oneClickCreateLogsPolicy()`` and ``get_dynamoDB()``. The role is
        not added to any template here.
    """
    lambda_trust = defaultAssumeRolePolicyDocument("lambda.amazonaws.com")
    # NOTE(review): both policy helpers are defined outside this snippet;
    # check that they scope their Resource entries to the specific log
    # groups and tables the function uses rather than "*".
    inline_policies = [oneClickCreateLogsPolicy(), get_dynamoDB()]
    return Role(
        ref_name,
        RoleName=ref_name,
        AssumeRolePolicyDocument=lambda_trust,
        Policies=inline_policies,
    )
def getBuildRole() -> Role:
    """Build the role titled "CodeBuildRole" for the CodeBuild service.

    Returns:
        A ``Role`` named ``${AWS::StackName}-LambdaCodeBuildRole`` with one
        inline policy, ``${AWS::StackName}-CodeBuildPolicy``. The role is not
        added to any template here.
    """
    # NOTE(review): this allows every action on every resource. Any
    # buildspec or build script run under this role therefore has the same
    # reach, so a compromised dependency or a malicious commit in the build
    # input is enough to act across the whole account. Replace the wildcard
    # with the specific actions the build needs (typically log writes and
    # access to its own artifact location) on named resources.
    allow_everything = Statement(
        Action=[Action("*")],
        Effect=Allow,
        Resource=["*"],
    )
    build_policy = Policy(
        PolicyName=Sub("${AWS::StackName}-CodeBuildPolicy"),
        PolicyDocument=awacs.aws.Policy(Statement=[allow_everything]),
    )
    codebuild_trust = defaultAssumeRolePolicyDocument("codebuild.amazonaws.com")
    return Role(
        "CodeBuildRole",
        RoleName=Sub("${AWS::StackName}-LambdaCodeBuildRole"),
        AssumeRolePolicyDocument=codebuild_trust,
        Policies=[build_policy],
    )
def getBuildRole(stage: str = "") -> Role:
    """Build the test-builder role for the CodeBuild service.

    Args:
        stage: Suffix appended to both the resource title
            ("TestBuilderRole" + stage) and the role-name template.

    Returns:
        A ``Role`` with one inline policy named
        ``${AWS::StackName}-TestBuilderPolicy``. The role is not added to any
        template here.
    """
    # NOTE(review): this allows every action on every resource, so whatever
    # runs in the test build (including third-party test dependencies)
    # operates with account-wide permissions. Narrow this to the actions and
    # resources the test stage needs.
    allow_everything = Statement(
        Action=[Action("*")],
        Effect=Allow,
        Resource=["*"],
    )
    builder_policy = Policy(
        PolicyName=Sub("${AWS::StackName}-TestBuilderPolicy"),
        PolicyDocument=awacs.aws.Policy(Statement=[allow_everything]),
    )
    codebuild_trust = defaultAssumeRolePolicyDocument("codebuild.amazonaws.com")
    # NOTE(review): stage is concatenated into the Sub template string, so
    # any "${...}" inside it would be treated as a substitution variable;
    # callers should pass a plain alphanumeric stage name.
    role_name_template = "LambdaTestBuilderRole-${AWS::StackName}" + stage
    return Role(
        "TestBuilderRole" + stage,
        RoleName=Sub(role_name_template),
        AssumeRolePolicyDocument=codebuild_trust,
        Policies=[builder_policy],
    )