    def create_iam_profile(self):
        """Register the stack's IAM roles and the controller instance profile.

        Adds, in order, the ``ecsServiceRole`` role (trust policy from
        ``get_ecs_assumerole_policy()``, inline ``service_role_policy()``),
        the ``EmpireControllerRole`` role (trust policy from
        ``get_default_assumerole_policy()``, inline ``empire_policy()``) and
        an ``EmpireControllerProfile`` instance profile wrapping the latter.
        """
        template = self.template

        # Role for the EC2 Container Service itself.
        service_role = Role(
            "ecsServiceRole",
            AssumeRolePolicyDocument=get_ecs_assumerole_policy(),
            Path="/",
            Policies=[
                Policy(
                    PolicyName="ecsServiceRolePolicy",
                    PolicyDocument=service_role_policy(),
                ),
            ],
        )
        template.add_resource(service_role)

        # Role carried by the Empire controller instances.
        controller_role = Role(
            "EmpireControllerRole",
            AssumeRolePolicyDocument=get_default_assumerole_policy(),
            Path="/",
            Policies=[
                Policy(
                    PolicyName="EmpireControllerPolicy",
                    PolicyDocument=empire_policy(),
                ),
            ],
        )
        template.add_resource(controller_role)

        # EC2 attaches an instance profile, not a role, to an instance.
        template.add_resource(
            InstanceProfile(
                "EmpireControllerProfile",
                Path="/",
                Roles=[Ref("EmpireControllerRole")],
            )
        )
    def create_iam_profile(self):
        """Add the IAM roles and the controller instance profile to the template.

        Two roles are registered: ``ecsServiceRole`` carrying
        ``service_role_policy()`` and ``EmpireControllerRole`` carrying
        ``empire_policy()``. The ``EmpireControllerProfile`` instance profile
        added last wraps the controller role so EC2 instances can use it.
        """
        template = self.template

        # Create EC2 Container Service Role, then the Empire controller role.
        roles = (
            Role(
                "ecsServiceRole",
                AssumeRolePolicyDocument=get_ecs_assumerole_policy(),
                Path="/",
                Policies=[
                    Policy(
                        PolicyName="ecsServiceRolePolicy",
                        PolicyDocument=service_role_policy(),
                    ),
                ],
            ),
            Role(
                "EmpireControllerRole",
                AssumeRolePolicyDocument=get_default_assumerole_policy(),
                Path="/",
                Policies=[
                    Policy(
                        PolicyName="EmpireControllerPolicy",
                        PolicyDocument=empire_policy(),
                    ),
                ],
            ),
        )
        for role in roles:
            template.add_resource(role)

        profile = InstanceProfile(
            "EmpireControllerProfile",
            Path="/",
            Roles=[Ref("EmpireControllerRole")],
        )
        template.add_resource(profile)
    def test_create_service_role_already_exists(self):
        """The hook still succeeds, and attaches its policy, when the role pre-exists."""
        expected_role = "ecsServiceRole"
        expected_policy = "AmazonEC2ContainerServiceRolePolicy"
        with mock_iam():
            iam = boto3.client("iam", region_name=REGION)
            # Pre-create the role so the hook takes its "already exists" path.
            iam.create_role(
                RoleName=expected_role,
                AssumeRolePolicyDocument=get_ecs_assumerole_policy().to_json(),
            )

            result = create_ecs_service_role(
                context=self.context,
                provider=self.provider,
            )
            self.assertTrue(result)

            fetched = iam.get_role(RoleName=expected_role)
            self.assertIn("Role", fetched)
            self.assertEqual(expected_role, fetched["Role"]["RoleName"])

            # Would raise if the hook had skipped put_role_policy.
            iam.get_role_policy(
                RoleName=expected_role,
                PolicyName=expected_policy,
            )
    def create_iam_profile(self):
        """Add the IAM roles, the conditional SNS policy, the profile and the role output.

        Order of registration: ``ecsServiceRole``, ``EmpireControllerRole``,
        the ``SNSEventsPolicy`` (only materialised when the
        ``EnableSNSEvents`` condition holds), the ``EmpireControllerProfile``
        instance profile, and finally an output exposing ``Ref`` of the
        controller role.
        """
        template = self.template

        # Create EC2 Container Service Role
        service_role = Role(
            "ecsServiceRole",
            AssumeRolePolicyDocument=get_ecs_assumerole_policy(),
            Path="/",
            Policies=[
                Policy(
                    PolicyName="ecsServiceRolePolicy",
                    PolicyDocument=service_role_policy(),
                ),
            ],
        )
        template.add_resource(service_role)

        # Role for Empire Controllers
        controller_role = Role(
            "EmpireControllerRole",
            AssumeRolePolicyDocument=get_default_assumerole_policy(),
            Path="/",
            Policies=[
                Policy(
                    PolicyName="EmpireControllerPolicy",
                    PolicyDocument=empire_policy(),
                ),
            ],
        )
        template.add_resource(controller_role)

        # SNS publish rights are only granted when events are enabled; the
        # policy is a separate resource so the condition can gate it.
        sns_policy = PolicyType(
            "SNSEventsPolicy",
            PolicyName="EmpireSNSEventsPolicy",
            Condition="EnableSNSEvents",
            PolicyDocument=sns_events_policy(Ref("EventTopic")),
            Roles=[Ref("EmpireControllerRole")],
        )
        template.add_resource(sns_policy)

        profile = InstanceProfile(
            "EmpireControllerProfile",
            Path="/",
            Roles=[Ref("EmpireControllerRole")],
        )
        template.add_resource(profile)

        template.add_output(
            Output(
                "EmpireControllerRole",
                Value=Ref("EmpireControllerRole"),
            )
        )
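def create_ecs_service_role(region, namespace, mappings, parameters, **kwargs):
    """Create the ``ecsServiceRole`` IAM role and attach its inline policy.

    The role has to be named exactly that currently, so it cannot be created
    via CloudFormation. See:

    http://docs.aws.amazon.com/AmazonECS/latest/developerguide/IAM_policies.html#service_IAM_role

    Args:
        region (str): AWS region used to build the IAM client.
        namespace: Passed in by stacker; unused here.
        mappings: Passed in by stacker; unused here.
        parameters: Passed in by stacker; unused here.

    Keyword Args:
        role_name (str): Name of the role to create. Defaults to
            ``ecsServiceRole``.

    Returns:
        bool: ``True`` once the role exists and the policy has been put.

    Raises:
        ClientError: Any IAM failure other than the role already existing.

    """
    role_name = kwargs.get("role_name", "ecsServiceRole")
    client = boto3.client("iam", region_name=region)

    try:
        client.create_role(
            RoleName=role_name,
            AssumeRolePolicyDocument=get_ecs_assumerole_policy().to_json())
    except ClientError as e:
        # An existing role is fine: the hook is idempotent and only needs to
        # (re)put the inline policy below. Check the structured error code
        # first and keep the message match as a fallback; ``e.message`` was
        # Python 2 only and raised AttributeError on Python 3.
        error_code = e.response.get("Error", {}).get("Code", "")
        if error_code != "EntityAlreadyExists" and "already exists" not in str(e):
            raise

    # Explicit policy language version: without it IAM falls back to the
    # legacy 2008-10-17 grammar.
    # NOTE(review): Resource is "*"; several of these agent actions are not
    # resource-scoped in IAM, so this cannot be tightened much -- confirm
    # against the current ECS IAM documentation.
    policy = Policy(
        Version="2012-10-17",
        Statement=[
            Statement(Effect=Allow,
                      Resource=["*"],
                      Action=[
                          ecs.CreateCluster, ecs.DeregisterContainerInstance,
                          ecs.DiscoverPollEndpoint, ecs.Poll,
                          ecs.Action("Submit*")
                      ])
        ])
    client.put_role_policy(RoleName=role_name,
                           PolicyName="AmazonEC2ContainerServiceRolePolicy",
                           PolicyDocument=policy.to_json())
    return True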
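def create_ecs_service_role(provider, context, **kwargs):
    """Create ecsServieRole, which has to be named exactly that currently.

    http://docs.aws.amazon.com/AmazonECS/latest/developerguide/IAM_policies.html#service_IAM_role

    Args:
        provider (:class:`runway.cfngin.providers.base.BaseProvider`): Provider
            instance. (passed in by CFNgin)
        context (:class:`runway.cfngin.context.Context`): Context instance.
            (passed in by CFNgin)

    Keyword Args:
        role_name (str): Name of the role to create.
            (*default: ecsServiceRole*)

    Returns:
        bool: Whether or not the hook succeeded.

    Raises:
        ClientError: Any IAM failure other than the role already existing.

    """
    role_name = kwargs.get("role_name", "ecsServiceRole")
    client = get_session(provider.region).client("iam")

    try:
        client.create_role(
            RoleName=role_name,
            AssumeRolePolicyDocument=get_ecs_assumerole_policy().to_json(),
        )
    except ClientError as err:
        # An existing role is fine: the hook is idempotent and only needs to
        # (re)put the inline policy below. Check the structured error code
        # first; the message match is kept as a fallback for older responses.
        error_code = err.response.get("Error", {}).get("Code", "")
        if error_code != "EntityAlreadyExists" and "already exists" not in str(err):
            raise

    # NOTE(review): Resource is "*"; several of these agent actions are not
    # resource-scoped in IAM, so this cannot be tightened much -- confirm
    # against the current ECS IAM documentation.
    policy = Policy(
        Version="2012-10-17",
        Statement=[
            Statement(
                Effect=Allow,
                Resource=["*"],
                Action=[
                    ecs.CreateCluster,
                    ecs.DeregisterContainerInstance,
                    ecs.DiscoverPollEndpoint,
                    ecs.Poll,
                    ecs.Action("Submit*"),
                ],
            )
        ],
    )
    client.put_role_policy(
        RoleName=role_name,
        PolicyName="AmazonEC2ContainerServiceRolePolicy",
        PolicyDocument=policy.to_json(),
    )
    return True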
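def create_ecs_service_role(context: CfnginContext,
                            *,
                            role_name: str = "ecsServiceRole",
                            **_: Any) -> bool:
    """Create ecsServiceRole IAM role.

    https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using-service-linked-roles.html

    Args:
        context: Context instance. (passed in by CFNgin)
        role_name: Name of the role to create.

    Returns:
        ``True`` once the role exists and its inline policy has been put.

    Raises:
        ClientError: Any IAM failure other than the role already existing.

    """
    client = context.get_session().client("iam")

    try:
        client.create_role(
            RoleName=role_name,
            AssumeRolePolicyDocument=get_ecs_assumerole_policy().to_json(),
        )
    except ClientError as err:
        # An existing role is fine: the hook is idempotent and only needs to
        # (re)put the inline policy below. Check the structured error code
        # first; the message match is kept as a fallback for older responses.
        error_code = err.response.get("Error", {}).get("Code", "")
        if error_code != "EntityAlreadyExists" and "already exists" not in str(err):
            raise

    # NOTE(review): Resource is "*"; several of these agent actions are not
    # resource-scoped in IAM, so this cannot be tightened much -- confirm
    # against the current ECS IAM documentation.
    policy = Policy(
        Version="2012-10-17",
        Statement=[
            Statement(
                Effect=Allow,
                Resource=["*"],
                Action=[
                    ecs.CreateCluster,
                    ecs.DeregisterContainerInstance,
                    ecs.DiscoverPollEndpoint,
                    ecs.Poll,
                    ecs.Action("Submit*"),
                ],
            )
        ],
    )
    client.put_role_policy(
        RoleName=role_name,
        PolicyName="AmazonEC2ContainerServiceRolePolicy",
        PolicyDocument=policy.to_json(),
    )
    return True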
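def create_ecs_service_role(provider, context, **kwargs):
    """Used to create the ecsServieRole, which has to be named exactly that
    currently, so cannot be created via CloudFormation. See:

    http://docs.aws.amazon.com/AmazonECS/latest/developerguide/IAM_policies.html#service_IAM_role

    Args:
        provider (:class:`stacker.providers.base.BaseProvider`): provider
            instance
        context (:class:`stacker.context.Context`): context instance

    Keyword Args:
        role_name (str): Name of the role to create. Defaults to
            ``ecsServiceRole``.

    Returns: boolean for whether or not the hook succeeded.

    Raises:
        ClientError: Any IAM failure other than the role already existing.

    """
    role_name = kwargs.get("role_name", "ecsServiceRole")
    client = get_session(provider.region).client('iam')

    try:
        client.create_role(
            RoleName=role_name,
            AssumeRolePolicyDocument=get_ecs_assumerole_policy().to_json()
        )
    except ClientError as e:
        # An existing role is fine: the hook is idempotent and only needs to
        # (re)put the inline policy below. Check the structured error code
        # first; the message match is kept as a fallback for older responses.
        error_code = e.response.get("Error", {}).get("Code", "")
        if error_code != "EntityAlreadyExists" and "already exists" not in str(e):
            raise

    # Explicit policy language version: without it IAM falls back to the
    # legacy 2008-10-17 grammar.
    # NOTE(review): Resource is "*"; several of these agent actions are not
    # resource-scoped in IAM, so this cannot be tightened much -- confirm
    # against the current ECS IAM documentation.
    policy = Policy(
        Version="2012-10-17",
        Statement=[
            Statement(
                Effect=Allow,
                Resource=["*"],
                Action=[ecs.CreateCluster, ecs.DeregisterContainerInstance,
                        ecs.DiscoverPollEndpoint, ecs.Poll,
                        ecs.Action("Submit*")]
            )
        ])
    client.put_role_policy(
        RoleName=role_name,
        PolicyName="AmazonEC2ContainerServiceRolePolicy",
        PolicyDocument=policy.to_json()
    )
    return True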
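def create_ecs_service_role(provider, context, **kwargs):
    """Used to create the ecsServieRole, which has to be named exactly that
    currently, so cannot be created via CloudFormation. See:

    http://docs.aws.amazon.com/AmazonECS/latest/developerguide/IAM_policies.html#service_IAM_role

    Args:
        provider (:class:`stacker.providers.base.BaseProvider`): provider
            instance
        context (:class:`stacker.context.Context`): context instance

    Keyword Args:
        role_name (str): Name of the role to create. Defaults to
            ``ecsServiceRole``.

    Returns: boolean for whether or not the hook succeeded.

    Raises:
        ClientError: Any IAM failure other than the role already existing.

    """
    role_name = kwargs.get("role_name", "ecsServiceRole")
    client = get_session(provider.region).client('iam')

    try:
        client.create_role(
            RoleName=role_name,
            AssumeRolePolicyDocument=get_ecs_assumerole_policy().to_json())
    except ClientError as e:
        # An existing role is fine: the hook is idempotent and only needs to
        # (re)put the inline policy below. Check the structured error code
        # first; the message match is kept as a fallback for older responses.
        error_code = e.response.get("Error", {}).get("Code", "")
        if error_code != "EntityAlreadyExists" and "already exists" not in str(e):
            raise

    # NOTE(review): Resource is "*"; several of these agent actions are not
    # resource-scoped in IAM, so this cannot be tightened much -- confirm
    # against the current ECS IAM documentation.
    policy = Policy(Version='2012-10-17',
                    Statement=[
                        Statement(Effect=Allow,
                                  Resource=["*"],
                                  Action=[
                                      ecs.CreateCluster,
                                      ecs.DeregisterContainerInstance,
                                      ecs.DiscoverPollEndpoint, ecs.Poll,
                                      ecs.Action("Submit*")
                                  ])
                    ])
    client.put_role_policy(RoleName=role_name,
                           PolicyName="AmazonEC2ContainerServiceRolePolicy",
                           PolicyDocument=policy.to_json())
    return True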
    def test_create_service_role_already_exists(self):
        """A pre-existing role does not fail the hook and still gets the policy."""
        expected_role = "ecsServiceRole"
        expected_policy = "AmazonEC2ContainerServiceRolePolicy"
        with mock_iam():
            iam = boto3.client("iam", region_name=REGION)
            # Seed the role so the hook exercises its "already exists" branch.
            iam.create_role(
                RoleName=expected_role,
                AssumeRolePolicyDocument=get_ecs_assumerole_policy().to_json(),
            )

            succeeded = create_ecs_service_role(
                context=self.context,
                provider=self.provider,
            )
            self.assertTrue(succeeded)

            fetched = iam.get_role(RoleName=expected_role)
            self.assertIn("Role", fetched)
            self.assertEqual(expected_role, fetched["Role"]["RoleName"])
            # Would raise if the hook had skipped put_role_policy.
            iam.get_role_policy(RoleName=expected_role, PolicyName=expected_policy)
    def create_iam_profile(self):
        """Register the IAM roles, the conditional SNS policy, the profile and the role output.

        Resources are added in this order: ``ecsServiceRole``,
        ``EmpireControllerRole``, ``SNSEventsPolicy`` (gated by the
        ``EnableSNSEvents`` condition), ``EmpireControllerProfile``, and an
        output named ``EmpireControllerRole`` carrying ``Ref`` of the role.
        """
        template = self.template

        # Create EC2 Container Service Role
        template.add_resource(
            Role(
                "ecsServiceRole",
                AssumeRolePolicyDocument=get_ecs_assumerole_policy(),
                Path="/",
                Policies=[
                    Policy(
                        PolicyName="ecsServiceRolePolicy",
                        PolicyDocument=service_role_policy(),
                    ),
                ],
            )
        )

        # Role for Empire Controllers
        template.add_resource(
            Role(
                "EmpireControllerRole",
                AssumeRolePolicyDocument=get_default_assumerole_policy(),
                Path="/",
                Policies=[
                    Policy(
                        PolicyName="EmpireControllerPolicy",
                        PolicyDocument=empire_policy(),
                    ),
                ],
            )
        )

        # SNS publish rights are only granted when events are enabled; keeping
        # the policy as its own resource lets the condition gate it.
        sns_events = PolicyType(
            "SNSEventsPolicy",
            PolicyName="EmpireSNSEventsPolicy",
            Condition="EnableSNSEvents",
            PolicyDocument=sns_events_policy(Ref("EventTopic")),
            Roles=[Ref("EmpireControllerRole")],
        )
        template.add_resource(sns_events)

        controller_profile = InstanceProfile(
            "EmpireControllerProfile",
            Path="/",
            Roles=[Ref("EmpireControllerRole")],
        )
        template.add_resource(controller_profile)

        role_output = Output(
            "EmpireControllerRole",
            Value=Ref("EmpireControllerRole"),
        )
        template.add_output(role_output)
    def create_ecs_resources(self):
        """Add the controller's IAM policies, SNS topic, task definition and service.

        Resources are registered in this order: the ``AccessPolicy`` for the
        instance role, the conditional events topic and its output, the
        three condition-gated instance-role policies (SNS events, run logs,
        app event stream), the Empire ``TaskDefinition``, the ECS
        ``ServiceRole`` and finally the ECS ``Service``.
        """
        template = self.template

        # Give the instances access that the Empire daemon needs.
        empire_policy_values = {
            "Environment": Ref("Environment"),
            "CustomResourcesTopic": Ref("CustomResourcesTopic"),
            "CustomResourcesQueue": GetAtt("CustomResourcesQueue", "Arn"),
            "TemplateBucket": Join(
                "", ["arn:aws:s3:::", Ref("TemplateBucket"), "/*"]
            ),
        }
        access_policy = PolicyType(
            "AccessPolicy",
            PolicyName="empire",
            PolicyDocument=empire_policy(empire_policy_values),
            Roles=[Ref("InstanceRole")],
        )
        template.add_resource(access_policy)

        # The topic (and its output) only exist when the stack creates the
        # topic itself; otherwise the externally supplied name is used below.
        events_topic = sns.Topic(
            EVENTS_TOPIC,
            DisplayName="Empire events",
            Condition="CreateSNSTopic",
        )
        template.add_resource(events_topic)
        template.add_output(
            Output(
                "EventsSNSTopic",
                Value=Ref(EVENTS_TOPIC),
                Condition="CreateSNSTopic",
            )
        )

        # Add SNS Events policy if Events are enabled
        events_topic_ref = If(
            "CreateSNSTopic", Ref(EVENTS_TOPIC), Ref("EventsSNSTopicName")
        )
        template.add_resource(
            PolicyType(
                "SNSEventsPolicy",
                PolicyName="EmpireSNSEventsPolicy",
                Condition="EnableSNSEvents",
                PolicyDocument=sns_events_policy(events_topic_ref),
                Roles=[Ref("InstanceRole")],
            )
        )

        # Add run logs policy if run logs are enabled
        run_logs_ref = If(
            "CreateRunLogsGroup", Ref(RUN_LOGS), Ref("RunLogsCloudwatchGroup")
        )
        template.add_resource(
            PolicyType(
                "RunLogsPolicy",
                PolicyName="EmpireRunLogsPolicy",
                Condition="EnableCloudwatchLogs",
                PolicyDocument=runlogs_policy(run_logs_ref),
                Roles=[Ref("InstanceRole")],
            )
        )

        # Allow the controller to write empire events to kinesis if kinesis is
        # enabled.
        template.add_resource(
            PolicyType(
                "AppEventStreamPolicy",
                PolicyName="EmpireAppEventStreamPolicy",
                Condition="EnableAppEventStream",
                PolicyDocument=logstream_policy(),
                Roles=[Ref("InstanceRole")],
            )
        )

        # The Empire container drives the host Docker daemon through its
        # socket. A writable mount of /var/run/docker.sock is equivalent to
        # root on the instance, so only the trusted Empire image belongs in
        # this task definition.
        volumes = [
            ecs.Volume(
                Name="dockerSocket",
                Host=ecs.Host(SourcePath="/var/run/docker.sock"),
            ),
            ecs.Volume(
                Name="dockerCfg",
                Host=ecs.Host(SourcePath="/root/.dockercfg"),
            ),
        ]
        mount_points = [
            ecs.MountPoint(
                SourceVolume="dockerSocket",
                ContainerPath="/var/run/docker.sock",
                ReadOnly=False,
            ),
            ecs.MountPoint(
                SourceVolume="dockerCfg",
                ContainerPath="/root/.dockercfg",
                ReadOnly=False,
            ),
        ]
        empire_container = ecs.ContainerDefinition(
            Command=["server", "-automigrate=true"],
            Name="empire",
            Environment=self.get_empire_environment(),
            Essential=True,
            Image=Ref("DockerImage"),
            MountPoints=mount_points,
            PortMappings=[ecs.PortMapping(HostPort=8081, ContainerPort=8081)],
            Cpu=Ref("TaskCPU"),
            Memory=Ref("TaskMemory"),
        )
        template.add_resource(
            ecs.TaskDefinition(
                "TaskDefinition",
                Volumes=volumes,
                ContainerDefinitions=[empire_container],
            )
        )

        # Role ECS assumes on behalf of the service (load balancer wiring).
        template.add_resource(
            Role(
                "ServiceRole",
                AssumeRolePolicyDocument=get_ecs_assumerole_policy(),
                Path="/",
                Policies=[
                    Policy(
                        PolicyName="ecs-service-role",
                        PolicyDocument=service_role_policy(),
                    ),
                ],
            )
        )

        deployment = ecs.DeploymentConfiguration(
            MaximumPercent=Ref("ServiceMaximumPercent"),
            MinimumHealthyPercent=Ref("ServiceMinimumHealthyPercent"),
        )
        load_balancer = ecs.LoadBalancer(
            ContainerName="empire",
            ContainerPort=8081,
            LoadBalancerName=Ref("LoadBalancer"),
        )
        template.add_resource(
            ecs.Service(
                "Service",
                Cluster=Ref("ControllerCluster"),
                DeploymentConfiguration=deployment,
                DesiredCount=Ref("DesiredCount"),
                LoadBalancers=[load_balancer],
                Role=Ref("ServiceRole"),
                TaskDefinition=Ref("TaskDefinition"),
            )
        )
    def create_ecs_resources(self):
        """Register the Empire controller's ECS resources on the template.

        Added in order: the instance-role ``AccessPolicy``, the conditional
        events topic plus its output, three condition-gated instance-role
        policies (SNS events, run logs, app event stream), the Empire
        ``TaskDefinition``, the ECS ``ServiceRole`` and the ECS ``Service``.
        """
        template = self.template
        add = template.add_resource

        # Give the instances access that the Empire daemon needs.
        add(PolicyType(
            "AccessPolicy",
            PolicyName="empire",
            PolicyDocument=empire_policy({
                "Environment": Ref("Environment"),
                "CustomResourcesTopic": Ref("CustomResourcesTopic"),
                "CustomResourcesQueue": GetAtt("CustomResourcesQueue", "Arn"),
                "TemplateBucket": Join(
                    "", ["arn:aws:s3:::", Ref("TemplateBucket"), "/*"]),
            }),
            Roles=[Ref("InstanceRole")],
        ))

        # Topic and output exist only when the stack creates the topic itself;
        # otherwise an externally supplied topic name is referenced below.
        add(sns.Topic(
            EVENTS_TOPIC,
            DisplayName="Empire events",
            Condition="CreateSNSTopic",
        ))
        template.add_output(Output(
            "EventsSNSTopic",
            Value=Ref(EVENTS_TOPIC),
            Condition="CreateSNSTopic",
        ))

        # Instance-role policies that are each gated by their own condition.
        conditional_policies = [
            # Add SNS Events policy if Events are enabled
            PolicyType(
                "SNSEventsPolicy",
                PolicyName="EmpireSNSEventsPolicy",
                Condition="EnableSNSEvents",
                PolicyDocument=sns_events_policy(
                    If("CreateSNSTopic",
                       Ref(EVENTS_TOPIC),
                       Ref("EventsSNSTopicName"))),
                Roles=[Ref("InstanceRole")],
            ),
            # Add run logs policy if run logs are enabled
            PolicyType(
                "RunLogsPolicy",
                PolicyName="EmpireRunLogsPolicy",
                Condition="EnableCloudwatchLogs",
                PolicyDocument=runlogs_policy(
                    If("CreateRunLogsGroup",
                       Ref(RUN_LOGS),
                       Ref("RunLogsCloudwatchGroup"))),
                Roles=[Ref("InstanceRole")],
            ),
            # Allow the controller to write empire events to kinesis if
            # kinesis is enabled.
            PolicyType(
                "AppEventStreamPolicy",
                PolicyName="EmpireAppEventStreamPolicy",
                Condition="EnableAppEventStream",
                PolicyDocument=logstream_policy(),
                Roles=[Ref("InstanceRole")],
            ),
        ]
        for policy in conditional_policies:
            add(policy)

        # The Empire container drives the host Docker daemon through its
        # socket. A writable mount of /var/run/docker.sock is equivalent to
        # root on the instance, so only the trusted Empire image belongs in
        # this task definition.
        add(ecs.TaskDefinition(
            "TaskDefinition",
            Volumes=[
                ecs.Volume(
                    Name="dockerSocket",
                    Host=ecs.Host(SourcePath="/var/run/docker.sock")),
                ecs.Volume(
                    Name="dockerCfg",
                    Host=ecs.Host(SourcePath="/root/.dockercfg")),
            ],
            ContainerDefinitions=[
                ecs.ContainerDefinition(
                    Command=["server", "-automigrate=true"],
                    Name="empire",
                    Environment=self.get_empire_environment(),
                    Essential=True,
                    Image=Ref("DockerImage"),
                    MountPoints=[
                        ecs.MountPoint(
                            SourceVolume="dockerSocket",
                            ContainerPath="/var/run/docker.sock",
                            ReadOnly=False),
                        ecs.MountPoint(
                            SourceVolume="dockerCfg",
                            ContainerPath="/root/.dockercfg",
                            ReadOnly=False),
                    ],
                    PortMappings=[
                        ecs.PortMapping(HostPort=8081, ContainerPort=8081),
                    ],
                    Cpu=Ref("TaskCPU"),
                    Memory=Ref("TaskMemory"),
                ),
            ],
        ))

        # Role ECS assumes on behalf of the service (load balancer wiring).
        add(Role(
            "ServiceRole",
            AssumeRolePolicyDocument=get_ecs_assumerole_policy(),
            Path="/",
            Policies=[
                Policy(
                    PolicyName="ecs-service-role",
                    PolicyDocument=service_role_policy()),
            ],
        ))

        add(ecs.Service(
            "Service",
            Cluster=Ref("ControllerCluster"),
            DeploymentConfiguration=ecs.DeploymentConfiguration(
                MaximumPercent=Ref("ServiceMaximumPercent"),
                MinimumHealthyPercent=Ref("ServiceMinimumHealthyPercent"),
            ),
            DesiredCount=Ref("DesiredCount"),
            LoadBalancers=[
                ecs.LoadBalancer(
                    ContainerName="empire",
                    ContainerPort=8081,
                    LoadBalancerName=Ref("LoadBalancer")),
            ],
            Role=Ref("ServiceRole"),
            TaskDefinition=Ref("TaskDefinition"),
        ))