"data-engineering-database-access-deploy"
),
)
GIT_CRYPT_KEY = Config().require("git_crypt_key")
GITHUB_TOKEN = Config().require("github_token")
account_id = get_caller_identity().account_id
assume_role_policy = get_policy_document(
statements=[
GetPolicyDocumentStatementArgs(
actions=["sts:AssumeRole"],
effect="Allow",
principals=[
GetPolicyDocumentStatementPrincipalArgs(
identifiers=["codebuild.amazonaws.com"], type="Service"
)
],
)
]
)
serviceRole = Role(
resource_name="this",
name="database-access-codebuild-service-role",
assume_role_policy=assume_role_policy.json,
force_detach_policies=True,
tags=tagger.create_tags("database-access-codebuild-service-role"),
)
get_policy,
GetPolicyDocumentStatementArgs,
GetPolicyDocumentStatementPrincipalArgs,
)
from pulumi import ResourceOptions
from data_engineering_pulumi_components.utils import Tagger
tagger = Tagger(environment_name="dev")
execution_role_assume_role_policy = get_policy_document(statements=[
GetPolicyDocumentStatementArgs(
effect="Allow",
actions=["sts:AssumeRole"],
principals=[
GetPolicyDocumentStatementPrincipalArgs(
type="Service",
identifiers=[
"airflow-env.amazonaws.com", "airflow.amazonaws.com"
],
)
],
)
])
executionRole = Role(
resource_name="airflow",
assume_role_policy=execution_role_assume_role_policy.json,
description="Execution role for Airflow",
name="AmazonMWAAExecutionRole",
tags=tagger.create_tags("AmazonMWAAExecutionRole"),
)
def __init__(self):
resource_specs = ParseYAML(resource_type).getSpecs()
for sqs_queue_name, sqs_queue_configuration in resource_specs.items():
sqs_queue_configuration = sqs_queue_configuration if sqs_queue_configuration else {}
resource_name = sqs_queue_name
resource_tags = None
resource_tags = sqs_queue_configuration[
"tags"] if "tags" in sqs_queue_configuration else None
# Getting list of tags from configuration file
tags_list = {}
if resource_tags is not None:
for each_tag_name, each_tag_value in resource_tags.items():
tags_list.update({each_tag_name: each_tag_value})
# Adding mandatory tags
tags_list.update({"Name": resource_name})
tags_list.update({
"Project/Stack":
pulumi.get_project() + "/" + pulumi.get_stack()
})
tags_list.update(resource_mandatory_tags)
fifo_queue = sqs_queue_configuration[
"fifo_queue"] if "fifo_queue" in sqs_queue_configuration else None
content_based_deduplication = sqs_queue_configuration[
"content_based_deduplication"] if "content_based_deduplication" in sqs_queue_configuration else None
delay_seconds = sqs_queue_configuration[
"delay_seconds"] if "delay_seconds" in sqs_queue_configuration else None
max_message_size = sqs_queue_configuration[
"max_message_size_bytes"] if "max_message_size_bytes" in sqs_queue_configuration else None
message_retention_seconds = sqs_queue_configuration[
"message_retention_seconds"] if "message_retention_seconds" in sqs_queue_configuration else None
receive_wait_time_seconds = sqs_queue_configuration[
"receive_wait_time_seconds"] if "receive_wait_time_seconds" in sqs_queue_configuration else None
visibility_timeout_seconds = sqs_queue_configuration[
"visibility_timeout_seconds"] if "visibility_timeout_seconds" in sqs_queue_configuration else None
source_sns_topic_arn = sqs_queue_configuration[
"source_sns_topic_arn"] if "source_sns_topic_arn" in sqs_queue_configuration else None
# Create SQSs
queue = sqs.Queue(
resource_name,
fifo_queue=fifo_queue,
content_based_deduplication=content_based_deduplication,
delay_seconds=delay_seconds,
max_message_size=max_message_size,
message_retention_seconds=message_retention_seconds,
receive_wait_time_seconds=receive_wait_time_seconds,
visibility_timeout_seconds=visibility_timeout_seconds,
tags=tags_list)
sqs_queue_by_name[resource_name] = queue
# Export
pulumi.export(queue._name, queue.id)
if source_sns_topic_arn is not None:
arn = sqs_queue_by_name[resource_name].arn
sqs_policy = iam.get_policy_document(
policy_id="__default_policy_ID",
statements=[
iam.GetPolicyDocumentStatementArgs(
actions=["sqs:SendMessage"],
resources=[arn],
effect="Allow",
principals=[
iam.GetPolicyDocumentStatementPrincipalArgs(
type="Service",
identifiers=["sns.amazonaws.com"])
],
conditions=[
iam.GetPolicyDocumentStatementConditionArgs(
test="ArnEquals",
variable="aws:SourceArn",
values=source_sns_topic_arn,
)
],
)
])
policy = sqs.QueuePolicy(resource_name,
queue_url=queue.id,
policy=sqs_policy.json)
pulumi.export(resource_name + "-policy", policy.policy)
def create_lambda_execution_roles(region, account):
# Create lambda execution role
lambda_assume_role_policy = iam.get_policy_document(statements=[{
"actions": ["sts:AssumeRole"],
"principals": [{
"identifiers": ["lambda.amazonaws.com"],
"type": "Service",
}],
}])
lambda_execution_role = iam.Role(
"sendMessagelambda", assume_role_policy=lambda_assume_role_policy.json)
iam.RolePolicy("RolePolicyAttachment",
role=lambda_execution_role.id,
policy=f"""{{
"Version": "2012-10-17",
"Statement": [
{{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface",
"logs:CreateLogStream",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface",
"logs:CreateLogGroup",
"logs:PutLogEvents"
],
"Resource": "*"
}},
{{
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:{region.name}:{account}:log-group:*"
}},
{{
"Effect": "Allow",
"Action": "logs:CreateLogGroup",
"Resource": "arn:aws:logs:{region.name}:{account}:*"
}},
{{
"Effect": "Allow",
"Action": [
"execute-api:ManageConnections",
"execute-api:Invoke"
],
"Resource": [
"arn:aws:execute-api:{region.name}:{account}:*"
]
}},
{{
"Action": "ec2:*",
"Effect": "Allow",
"Resource": "*"
}}
]
}}
""")
return {"role": lambda_execution_role}
def Topic(self):
resource_specs = ParseYAML(resource_type).getSpecs()
for sns_topic_name, sns_topic_configuration in resource_specs[
"topic"].items():
sns_topic_configuration = sns_topic_configuration if sns_topic_configuration else {}
resource_name = sns_topic_name
resource_tags = sns_topic_configuration.get("tags")
# Getting list of tags from configuration file
tags_list = {}
if resource_tags is not None:
for each_tag_name, each_tag_value in resource_tags.items():
tags_list.update({each_tag_name: each_tag_value})
# Adding mandatory tags
tags_list.update({"Name": resource_name})
tags_list.update({
"Project/Stack":
pulumi.get_project() + "/" + pulumi.get_stack()
})
tags_list.update(resource_mandatory_tags)
# Create SNSs
topic = sns.Topic(resource_name, tags=tags_list)
sns_topic_by_name[resource_name] = topic
# Export
pulumi.export(topic._name, topic.id)
# Attach policy if needed
cross_account_source_id = sns_topic_configuration.get(
"cross_account_source_id")
cross_account_target_id = sns_topic_configuration.get(
"cross_account_target_id")
if cross_account_source_id and cross_account_target_id:
arn = sns_topic_by_name[resource_name].arn
sns_topic_policy = iam.get_policy_document(
policy_id="__default_policy_ID",
statements=[
iam.GetPolicyDocumentStatementArgs(
actions=["SNS:Subscribe"],
resources=[arn],
effect="Allow",
principals=[
iam.GetPolicyDocumentStatementPrincipalArgs(
type="AWS",
identifiers=[cross_account_target_id])
],
),
iam.GetPolicyDocumentStatementArgs(
actions=[
"SNS:Subscribe",
"SNS:SetTopicAttributes",
"SNS:RemovePermission",
"SNS:Receive",
"SNS:Publish",
"SNS:ListSubscriptionsByTopic",
"SNS:GetTopicAttributes",
"SNS:DeleteTopic",
"SNS:AddPermission",
],
conditions=[
iam.GetPolicyDocumentStatementConditionArgs(
test="StringEquals",
variable="AWS:SourceOwner",
values=[cross_account_source_id],
)
],
effect="Allow",
principals=[
iam.GetPolicyDocumentStatementPrincipalArgs(
type="AWS",
identifiers=["*"],
)
],
resources=[arn],
sid="__default_statement_ID",
)
])
policy = sns.TopicPolicy(resource_name,
arn=topic.arn,
policy=sns_topic_policy.json)
pulumi.export(resource_name + "-policy", policy.id)