def create_iam_profile(self):
t = self.template
# Create EC2 Container Service Role
t.add_resource(
Role("ecsServiceRole",
AssumeRolePolicyDocument=get_ecs_assumerole_policy(),
Path="/",
Policies=[
Policy(PolicyName="ecsServiceRolePolicy",
PolicyDocument=service_role_policy())
]))
# Role for Empire Controllers
t.add_resource(
Role("EmpireControllerRole",
AssumeRolePolicyDocument=get_default_assumerole_policy(),
Path="/",
Policies=[
Policy(PolicyName="EmpireControllerPolicy",
PolicyDocument=empire_policy())
]))
# Add SNS Events policy if Events are enabled
t.add_resource(
PolicyType("SNSEventsPolicy",
PolicyName="EmpireSNSEventsPolicy",
Condition="EnableSNSEvents",
PolicyDocument=sns_events_policy(Ref("EventTopic")),
Roles=[Ref("EmpireControllerRole")]))
t.add_resource(
InstanceProfile("EmpireControllerProfile",
Path="/",
Roles=[Ref("EmpireControllerRole")]))
t.add_output(
Output("EmpireControllerRole", Value=Ref("EmpireControllerRole")))
def policy(name, statements):
if not isinstance(statements, list):
statements = [statements]
policy = Policy()
policy.PolicyName = aws_name(name)
policy.PolicyDocument = awacs.aws.Policy(Statement=statements)
return policy
def create_iam_profile(self):
t = self.template
# Create EC2 Container Service Role
t.add_resource(
Role("ecsServiceRole",
AssumeRolePolicyDocument=get_ecs_assumerole_policy(),
Path="/",
Policies=[
Policy(PolicyName="ecsServiceRolePolicy",
PolicyDocument=service_role_policy())
]))
# Role for Empire Controllers
t.add_resource(
Role("EmpireControllerRole",
AssumeRolePolicyDocument=get_default_assumerole_policy(),
Path="/",
Policies=[
Policy(PolicyName="EmpireControllerPolicy",
PolicyDocument=empire_policy())
]))
t.add_resource(
InstanceProfile("EmpireControllerProfile",
Path="/",
Roles=[Ref("EmpireControllerRole")]))
def add_policy(self, policy_name, effect, action="*", resource="*"):
# Troposphere object
policy = Policy(title=policy_name)
policy.PolicyName = policy_name
policy_document = PolicyDocument()
statement = Statement(effect, action, resource=resource)
policy_document.add_statement(statement)
policy.PolicyDocument = transform_policy_document(policy_document)
self.Policies.append(policy)
def add_multi_statement_policy(self, policy_name, statements):
# Troposphere object
policy = Policy(title=policy_name)
policy.PolicyName = policy_name
policy_document = PolicyDocument()
for statement in statements:
policy_document.add_statement(statement)
policy.PolicyDocument = transform_policy_document(policy_document)
self.Policies.append(policy)
def generate_iam_policies(self):
ns = self.context.namespace
base_policies = [
Policy(PolicyName="%s-ecs-agent" % ns,
PolicyDocument=ecs_agent_policy()),
]
with_logging = copy.deepcopy(base_policies)
with_logging.append(
Policy(PolicyName="%s-kinesis-logging" % ns,
PolicyDocument=logstream_policy()))
policies = If("EnableStreamingLogs", with_logging, base_policies)
return policies
def generate_iam_policies(self):
# Referencing NS like this within a resource name is deprecated, it's
# only done here to maintain backwards compatability for minion
# clusters.
ns = self.context.namespace
base_policies = [
Policy(PolicyName="%s-ecs-agent" % ns,
PolicyDocument=ecs_agent_policy()),
]
with_logging = copy.deepcopy(base_policies)
with_logging.append(
Policy(PolicyName="%s-kinesis-logging" % ns,
PolicyDocument=logstream_policy()))
policies = If("EnableStreamingLogs", with_logging, base_policies)
return policies
def vpc_role_adder(self):
self.k8_master_role = self.template.add_resource(
Role('k8master',
AssumeRolePolicyDocument=PolicyDocument(Statement=[
Statement(Effect=Allow,
Action=[AssumeRole],
Principal=Principal("Service",
["ec2.amazonaws.com"]))
]),
Policies=[
Policy(
PolicyName='k8master',
PolicyDocument=PolicyDocument(Statement=[
Statement(Effect=Allow,
Action=[
Action('s3', 'List*'),
Action('s3', 'Get*'),
Action('ecr', '*'),
Action('elasticloadbalancing', '*'),
cloudformation.SignalResource,
Action('ec2', 'Describe*'),
],
Resource=['*'])
]))
]))
self.k8_worker_role = self.template.add_resource(
Role('k8worker',
AssumeRolePolicyDocument=PolicyDocument(Statement=[
Statement(Effect=Allow,
Action=[AssumeRole],
Principal=Principal("Service",
["ec2.amazonaws.com"]))
]),
Policies=[
Policy(PolicyName='worker',
PolicyDocument=PolicyDocument(Statement=[
Statement(Effect=Allow,
Action=[
Action('s3', 'List*'),
Action('s3', 'Get*'),
Action('ecr', '*'),
cloudformation.SignalResource,
Action('ec2', 'Describe*'),
Action('sns', '*')
],
Resource=['*'])
]))
]))
def pass_policy(to_services, name=None, resource=None):
services = []
if not isinstance(to_services, list):
raise TypeError('services must be of type', list)
for service in to_services:
if service.endswith('.com') or service.endswith('.com.cn'):
services.append(service)
else:
services.append(Sub(f'{service}.${{URLSuffix}}'))
statement = {
"Action": ["iam:PassRole"],
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEqualsIfExists": {
"iam:PassedToService": services
}
}
}
policy = Policy(PolicyName='AllowPassRoleTo'.join('', to_services),
PolicyDocument={
"Version": "2012-10-17",
"Statement": [statement]
})
return policy
def create_lambda_role(self):
t = self.template
self.LambdaExecutionRole = t.add_resource(Role(
"ddbElasticsearchBridge",
Path="/",
Policies=[Policy(
PolicyName="root",
PolicyDocument={
"Version": "2012-10-17",
"Statement": [{
"Action": ["es:ESHttpPost"],
"Resource": ES DOMAIN HERE + "/*",
"Effect": "Allow"
},
{
"Action": [
"dynamodb:DescribeStream",
"dynamodb:GetRecords",
"dynamodb:GetShardIterator",
"dynamodb:ListStreams"],
"Effect": "Allow",
"Resource": GetAtt(self.dynamoTable, "StreamArn")
}]
})],
AssumeRolePolicyDocument={
"Version": "2012-10-17",
"Statement": [{
"Action": ["sts:AssumeRole"],
"Effect": "Allow",
"Principal": {
"Service": ["lambda.amazonaws.com"]
}
}]
},
))
def build_cw_cb_role(template=None, role_name="s2nEventsInvokeCodeBuildRole"):
"""
Create a role for CloudWatch events to trigger Codebuild jobs.
"""
role_id = template.add_resource(
Role(
role_name,
Path='/',
AssumeRolePolicyDocument=PolicyDocument(Statement=[
Statement(Effect=Allow,
Action=[
Action("sts", "AssumeRole"),
],
Principal=Principal("Service",
["events.amazonaws.com"]))
]),
Policies=[
Policy(
PolicyName=f"EventsInvokeCBRole",
PolicyDocument=PolicyDocument(Statement=[
Statement(
Effect=Allow,
Action=[Action("codebuild", "StartBuild")],
Resource=[
"arn:aws:codebuild:us-west-2:024603541914:project/*",
])
]))
]))
return role_id
def build_cw_cb_role(template,
config,
role_name="s2nEventsInvokeCodeBuildRole"):
"""
Create a role for CloudWatch events to trigger scheduled CodeBuild jobs.
"""
role_id = template.add_resource(
Role(
role_name,
Path='/',
AssumeRolePolicyDocument=PolicyDocument(Statement=[
Statement(Effect=Allow,
Action=[
Action("sts", "AssumeRole"),
],
Principal=Principal("Service",
["events.amazonaws.com"]))
]),
Policies=[
Policy(
PolicyName=f"EventsInvokeCBRole",
PolicyDocument=PolicyDocument(Statement=[
Statement(
Effect=Allow,
Action=[Action("codebuild", "StartBuild")],
Resource=[
"arn:aws:codebuild:{region}:{account_number}:project/*"
.format(region=config.get(
'Global', 'aws_region'),
account_number=config.get(
'CFNRole', 'account_number')),
])
]))
]))
return role_id
def getDeployResources(t: Template) -> Tuple[ActionTypeID, Role]:
statements = [
awacs.aws.Statement(Action=[
awacs.ec2.Action("*"), awacs.awslambda.GetFunction,
awacs.awslambda.CreateFunction,
awacs.awslambda.GetFunctionConfiguration,
awacs.awslambda.DeleteFunction, awacs.awslambda.UpdateFunctionCode,
awacs.awslambda.UpdateFunctionConfiguration,
awacs.awslambda.CreateAlias, awacs.awslambda.DeleteAlias,
awacs.s3.GetObject
],
Resource=["*"],
Effect=awacs.aws.Allow),
awacs.aws.Statement(Action=[
awacs.iam.DeleteRole, awacs.iam.DeleteRolePolicy,
awacs.iam.GetRole, awacs.iam.PutRolePolicy, awacs.iam.CreateRole,
awacs.iam.PassRole
],
Resource=["*"],
Effect=awacs.aws.Allow)
]
policy_doc = awacs.aws.Policy(Statement=statements)
policy = Policy(PolicyDocument=policy_doc,
PolicyName="CloudFormationDeployPolicy")
assume = defaultAssumeRolePolicyDocument("cloudformation.amazonaws.com")
role = t.add_resource(
Role("CFDeployRole",
RoleName=Sub("${AWS::StackName}-CFDeployRole"),
AssumeRolePolicyDocument=assume,
Policies=[policy]))
actionId = ActionTypeID(Category="Deploy",
Owner="AWS",
Version="1",
Provider="CloudFormation")
return (actionId, role)
def add_vpc_flow(template, vpc, boundary=None):
"""
Function to add VPC Flow Log to log VPC
:param troposphere.Template template:
:param vpc: The VPC Object
:param str boundary:
"""
if boundary and boundary.startswith("arn:aws"):
perm_boundary = boundary
elif boundary and not boundary.startswith("arn:aws"):
perm_boundary = Sub(
f"arn:${{{AWS_PARTITION}}}:iam:${{{AWS_REGION}}}:${{{AWS_ACCOUNT_ID}}}:policy/{boundary}"
)
else:
perm_boundary = Ref(AWS_NO_VALUE)
log_group = template.add_resource(
LogGroup(
"FlowLogsGroup",
RetentionInDays=14,
LogGroupName=Sub(f"flowlogs/vpc/${{{vpc.title}}}"),
))
role = template.add_resource(
Role(
"FlowLogsRole",
AssumeRolePolicyDocument=service_role_trust_policy("ec2"),
PermissionsBoundary=perm_boundary,
Policies=[
Policy(
PolicyName="CloudWatchAccess",
PolicyDocument={
"Version":
"2012-10-17",
"Statement": [{
"Sid":
"AllowCloudWatchLoggingToSpecificLogGroup",
"Effect":
"Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents",
],
"Resource":
GetAtt(log_group, "Arn"),
}],
},
)
],
))
template.add_resource(
FlowLog(
"VpcFlowLogs",
DeliverLogsPermissionArn=GetAtt(role, "Arn"),
LogGroupName=Ref(log_group),
LogDestinationType="cloud-watch-logs",
MaxAggregationInterval=600,
ResourceId=Ref(vpc),
ResourceType="VPC",
TrafficType="ALL",
))
def role(template):
role = Role(
"sgdemorole",
AssumeRolePolicyDocument=awacs.aws.Policy(Statement=[
Statement(Effect=Allow,
Principal=Principal("Service", ["ec2.amazonaws.com"]),
Action=[AssumeRole])
],
Version="2012-10-17"),
Path="/",
Policies=[
Policy(
PolicyName="sgdemopolicy",
PolicyDocument=awacs.aws.Policy(
Statement=[
Statement(Effect=Allow,
Resource=["*"],
Action=[Action("ec2", "DescribeInstances")])
]
#Statement = map(allow_stmt, ["ec2", "SNS", "elasticloadbalancing", "cloudwatch", "autoscaling", "iam", "ecr", "s3", "cloudformation"])
))
])
template.add_resource(role)
return role
def __init__(self, prefix: str, lambda_under_deployment: Function) -> None:
"""
Constructor.
:param prefix: A prefix for deployment lambda resource names.
:param lambda_under_deployment: An AWS Lambda function to execute deployments against.
"""
self.lambda_role = Role(
prefix + "DeploymentLambdaRole",
Path="/",
Policies=[Policy(
PolicyName=prefix + "DeploymentLambdaRole",
PolicyDocument={
"Version": "2012-10-17",
"Statement": [{
"Action": ["logs:*"],
"Resource": "arn:aws:logs:*:*:*",
"Effect": "Allow"
}, {
"Action": ["lambda:UpdateFunctionCode"],
"Resource": "*",
"Effect": "Allow"
}, {
"Action": ["s3:*"],
"Resource": "*",
"Effect": "Allow"
}]
})],
AssumeRolePolicyDocument={"Version": "2012-10-17", "Statement": [
{
"Action": ["sts:AssumeRole"],
"Effect": "Allow",
"Principal": {
"Service": [
"lambda.amazonaws.com",
]
}
}
]},
)
self.function = Function(
prefix + "DeploymentLambda",
Code=Code(ZipFile=self.__read_template()),
Handler='index.handler',
Role=GetAtt(self.lambda_role, "Arn"),
Runtime='python3.6',
MemorySize='128',
FunctionName=prefix + 'DeploymentLambda',
Timeout='10',
Environment=Environment(
Variables={
'LAMBDA_FUNCTION_NAME': Ref(lambda_under_deployment)
}
),
Description=(
f'Deployment lambda which updates lambda under deployment function code '
f'from an output from a ci/cd pipeline for {prefix.lower()}.'
)
)
def __init__(self, affiliatename, defaulttemplate=False):
if defaulttemplate == False:
self.template = Template()
## Update the template to accept serverless functions.
self.template.set_transform('AWS::Serverless-2016-10-31')
self.affiliatename = affiliatename
## TODO: Check that the affiliate name is all lowercase
## Declare the logical name for the bucket resource.
self.bucket_logname = 'UserBucket' + affiliatename
bucket = Bucket(self.bucket_logname,
AccessControl='Private',
BucketName=affiliatename)
self.bucket = self.template.add_resource(bucket)
## Now define a new user policy:
policy = Policy(PolicyDocument=self.customize_userpolicy(),
PolicyName=self.affiliatename + 'policy')
## Now define an iam user group to which we can attach this policy:
self.group_logname = 'UserGroup' + affiliatename
self.groupname = self.affiliatename + 'group'
usergroup = Group(self.group_logname,
GroupName=self.groupname,
Policies=[policy])
self.usergroup = self.template.add_resource(usergroup)
self.users = []
self.usercount = 0
else:
'Implement me! and remember to implement getting of resources as attributes!'
def role_build(bucket_name):
"""
returns:
iam.Role
"""
bucket_name = filter_s3bucket(bucket_name)
role = Role("CodeBuildRole",
Path='/cicd/codebuild/',
AssumeRolePolicyDocument=role_trust_policy('codebuild'),
ManagedPolicyArns=[AWS_LAMBDA_BASIC_EXEC],
Policies=[
Policy(PolicyName="S3Access",
PolicyDocument={
"Version":
"2012-10-17",
"Statement": [{
'Effect':
'Allow',
'Resource': [bucket_name],
'Action': [
's3:PutObject', 's3:PutObjectVersion',
's3:GetObject', 's3:GetObjectVersion'
]
}]
})
])
return role
def __create_lambda_edge_function_service_role(template):
role = template.add_resource(resource=Role(
title='SampleLambdaEdgeServiceRole',
RoleName='sample-lambda-edge-service-role',
Path='/',
AssumeRolePolicyDocument={
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service":
['lambda.amazonaws.com', 'edgelambda.amazonaws.com']
},
"Action": ["sts:AssumeRole"]
}]
},
Policies=[
Policy(PolicyName="sample-policy",
PolicyDocument={
"Version":
"2012-10-17",
"Statement": [{
"Action": ['lambda:*', 'logs:*'],
"Resource": ['*'],
"Effect": "Allow"
}]
})
]))
add_export(template, role.title + 'Arn', GetAtt(role, 'Arn'))
def add_apigateway_role(template: Template) -> Role:
# Create a role for the lambda function
return template.add_resource(
Role(
"LambdaExecutionRole",
Path="/",
Policies=[
Policy(PolicyName="root",
PolicyDocument={
"Version":
"2012-10-17",
"Statement": [{
"Action": ["logs:*"],
"Resource": "arn:aws:logs:*:*:*",
"Effect": "Allow"
}, {
"Action": ["lambda:*"],
"Resource": "*",
"Effect": "Allow"
}]
})
],
AssumeRolePolicyDocument={
"Version":
"2012-10-17",
"Statement": [{
"Action": ["sts:AssumeRole"],
"Effect": "Allow",
"Principal": {
"Service":
["lambda.amazonaws.com", "apigateway.amazonaws.com"]
}
}]
},
))
def add_use_dynamodb_role(template: Template) -> Role:
return template.add_resource(
Role("usedynamodbrole",
AssumeRolePolicyDocument=PolicyDocument(Statement=[
Statement(Effect=Allow,
Action=[AssumeRole],
Principal=Principal("Service",
["lambda.amazonaws.com"])),
Statement(Effect=Allow,
Action=[AssumeRole],
Principal=Principal("Service",
["apigateway.amazonaws.com"]))
]),
Policies=[
Policy(PolicyName="policy_use_dynamodb",
PolicyDocument=PolicyDocument(
Id="policy_use_dynamodb",
Version="2012-10-17",
Statement=[
Statement(Effect=Allow,
Action=[
DescribeTable, PutItem,
GetRecords, GetItem, DeleteItem,
Scan
],
Resource=["*"]),
Statement(Effect=Allow,
Action=[
CreateLogGroup, CreateLogStream,
PutLogEvents
],
Resource=["*"])
]))
]))
def __create_codebuild_service_role(template):
role = template.add_resource(resource=Role(
title='SampleCodeBuildServiceRole',
RoleName='sample-codebuild-service-role',
Path='/',
AssumeRolePolicyDocument={
'Statement': [{
'Effect': 'Allow',
'Principal': {
'Service': 'codebuild.amazonaws.com'
},
'Action': ['sts:AssumeRole']
}]
},
Policies=[
Policy(PolicyName='sample-codebuild-policy',
PolicyDocument={
'Version':
'2012-10-17',
'Statement': [{
"Action": [
'logs:*',
's3:*',
],
"Resource": ['*'],
"Effect": "Allow"
}]
})
]))
add_export(template, role.title + 'Arn', GetAtt(role, 'Arn'))
def build(self) -> Policy:
checkForNoneValues(self)
policyDocument = PolicyDocumentBuilder()
for s in self._statements:
policyDocument.addStatement(s)
return Policy(PolicyName=Sub(self._name + "-${AWS::StackName}"),
PolicyDocument=policyDocument.build())
def logging_from_defined_region(family: ComposeFamily,
service: ComposeService) -> None:
"""
If the region for a log group is given, we just take the shortcut to granting all access
to logs in all regions, for any log group / stream.
:param family:
:param service:
:return:
"""
LOG.warning(
f"{family.name}.logging.awslogs driver "
"- When defining awslogs-region, Compose-X does not create the CW Log Group"
)
family.iam_manager.exec_role.cfn_resource.Policies.append(
Policy(
PolicyName=f"CloudWatchAccessFor{family.logical_name}",
PolicyDocument={
"Version":
"2012-10-17",
"Statement": [{
"Sid":
"AllowCloudWatchLoggingToSpecificLogGroup",
"Effect":
"Allow",
"Action":
LOGGING_ACTIONS,
"Resource":
Sub("arn:${AWS::Partition}:logs:*:${AWS::AccountId}:log-group:*"
),
}],
},
))
service.logging.log_options.update({"awslogs-create-group": True})
def add_instance_role(self):
'''
Add Instance role
'''
self.cfn_template.add_resource(Role(
title=constants.INST_ROLE,
AssumeRolePolicyDocument=PolicyDocument(
Statement=[
Statement(
Effect=Allow,
Action=[AssumeRole],
Principal=Principal('Service', ['ec2.amazonaws.com'])
)
]
),
Policies=[
Policy(
PolicyName='Demo-ECS-Cluster',
PolicyDocument=PolicyDocument(
Statement=[
Statement(
Effect=Allow,
Action=[
Action('*')
],
Resource=['*']
)
]
)
)
]
))
return self.cfn_template
def generate_iam_policies(self):
return [
Policy(
PolicyName="ecs-agent",
PolicyDocument=ecs_agent_policy(),
)
]
def get_s3_access() -> Policy:
statements = [
awacs.aws.Statement(Action=[s3.PutObject, s3.PutObjectAcl],
Effect=awacs.aws.Allow,
Resource=["arn:aws:s3:::iotweatherdata-prod/*"])
]
policyDoc = awacs.aws.Policy(Statement=statements)
return Policy(PolicyName=Sub("S3Access-${AWS::StackName}"),
PolicyDocument=policyDoc)
def getBuildRole() -> Role:
statement = Statement(Action=[Action("*")], Effect=Allow, Resource=["*"])
policy_doc = awacs.aws.Policy(Statement=[statement])
policy = Policy(PolicyName=Sub("${AWS::StackName}-CodeBuildPolicy"),
PolicyDocument=policy_doc)
assume = defaultAssumeRolePolicyDocument("codebuild.amazonaws.com")
return Role("CodeBuildRole",
RoleName=Sub("${AWS::StackName}-LambdaCodeBuildRole"),
AssumeRolePolicyDocument=assume,
Policies=[policy])
def add_ecs_task_role(self):
'''
Add ECS Task Role to template
'''
self.cfn_template.add_resource(
Role(
title=constants.TASK_ROLE,
AssumeRolePolicyDocument=PolicyDocument(Statement=[
Statement(Effect=Allow,
Action=[AssumeRole],
Principal=Principal('Service',
['ecs-tasks.amazonaws.com']))
]),
Policies=[
Policy(PolicyName='ECSTaskDefinitionContainerRole',
PolicyDocument=PolicyDocument(Statement=[
Statement(Effect=Allow,
Action=[
Action('s3', 'GetObject'),
Action('kms', 'Encrypt'),
Action('kms', 'Decrypt')
],
Resource=['*'])
])),
Policy(
PolicyName='DemoAppContainerRole',
PolicyDocument=PolicyDocument(Statement=[
Statement(Effect=Allow,
Action=[
Action('dynamodb', 'BatchGetItem'),
Action('dynamodb', 'BatchWriteItem'),
Action('dynamodb', 'GetItem'),
Action('dynamodb', 'ListTables'),
Action('dynamodb', 'PutItem'),
Action('dynamodb', 'Query'),
Action('dynamodb', 'Scan'),
Action('dynamodb', 'UpdateItem'),
Action('dynamodb', 'DeleteItem')
],
Resource=['*'])
]))
]))
return self.cfn_template
def get_secret_manager() -> Policy:
statements = [
awacs.aws.Statement(
Action=[awacs.aws.Action("secretsmanager", "GetSecretValue")],
Effect=awacs.aws.Allow,
Resource=["arn:aws:secretsmanager:*:*:secret:iot/prod*"])
]
policyDoc = awacs.aws.Policy(Statement=statements)
return Policy(PolicyName=Sub("SecretManagerAccess-${AWS::StackName}"),
PolicyDocument=policyDoc)