Esempio n. 1
0
def test_create_statements():
    """Various statement creations."""
    s1 = Deny(
        apply_to=Principal(PrincipalKind.SERVICE, "myservice"),
        to="do_something",
        not_on="resource",
    )
    assert s1.properties

    s2 = Allow(
        apply_to=Principal(PrincipalKind.SERVICE, "myservice"),
        sid="id1",
        to="do_something",
        on="allowed_resource",
    )
    assert s2.properties

    pd1 = PolicyDocument()
    pd2 = PolicyDocument()
    pd1.append(s1)
    pd2.append(s2)
    pd3 = pd1 + pd2
    assert len(pd3.statements) == 2
    pd1 += [s2]
    assert len(pd3.statements) == 2
Esempio n. 2
0
    def add_bucket_access(self, bucket_list):
        """Authorize access to a list of buckets using vpc endpoint.

        Note that this just allow an instance in the vpc to ask access
        to a given bucket through the endpoint. This does not change
        the bucket policy.

        The function creates also automatically the S3 VPC endpoint
        on the first call.

        :param bucket_list: list of bucket names
        :type bucket_list: list[Bucket] | list[str]
        """
        if self.name + 'S3EndPoint' not in self:
            self.add(VPCEndpoint(self.name + 'S3EndPoint',
                                 's3',
                                 self.subnet.vpc,
                                 [self.route_table],
                                 PolicyDocument()))
        for bucket in bucket_list:
            if isinstance(bucket, Bucket):
                bucket_name = bucket.ref
            else:
                bucket_name = bucket
            self.s3_endpoint.policy_document.append(
                Allow(to='s3:*',
                      on=[Join(['arn:aws:s3:::', bucket_name]),
                          Join(['arn:aws:s3:::', bucket_name, '/*'])],
                      apply_to=Principal(PrincipalKind.EVERYONE)))
Esempio n. 3
0
    def add_secret_access(self, secret_arn):
        """Give read access to a given secret.

        :param secret_name: arn identifying the secret to give access to
        :type secret_name: str
        """
        endpoint_name = f"{self.name}SecretsManagerEndPoint"
        if endpoint_name not in self:
            self.add(
                VPCInterfaceEndpoint(
                    name=endpoint_name,
                    service="secretsmanager",
                    vpc=self.vpc,
                    subnet=self.aws_endpoints_subnet.subnet,
                    policy_document=PolicyDocument(),
                    security_group=self.aws_endpoints_security_group,
                ))
        self.secretsmanager_endpoint.policy_document.append(
            Allow(
                to=[
                    "secretsmanager:GetResourcePolicy",
                    "secretsmanager:GetSecretValue",
                    "secretsmanager:DescribeSecret",
                    "secretsmanager:ListSecretVersionIds",
                ],
                on=[secret_arn],
                apply_to=Principal(PrincipalKind.EVERYONE),
            ))
Esempio n. 4
0
def test_principal_star():
    """Create a list of principal with one principal being '*'."""
    pl = [Principal(PrincipalKind.SERVICE, 'ec2.amazonaws.com'),
          Principal(PrincipalKind.EVERYONE)]
    with pytest.raises(AssertionError):
        Principal.property_list(pl)

    pl = [Principal(PrincipalKind.EVERYONE)]
    assert Principal.property_list(pl)
Esempio n. 5
0
def test_create_network():
    s = Stack(name="teststack")

    s = Stack(name="MyStack")
    s += VPC("BuildVPC", "10.10.0.0/16")
    s += InternetGateway("Gate")
    s += Subnet("BuildPublicSubnet", s["BuildVPC"], "10.10.10.0/24")
    s += Subnet("BuildPrivateSubnet", s["BuildVPC"], "10.10.20.0/24")
    s += VPCGatewayAttachment("GateAttach", s["BuildVPC"], s["Gate"])
    s += RouteTable("RT", s["BuildVPC"])
    s += Route("PRoute", s["RT"], "0.0.0.0/0", s["Gate"], s["GateAttach"])
    s += SubnetRouteTableAssociation("RTSAssoc", s["BuildPublicSubnet"], s["RT"])
    p = PolicyDocument().append(
        Allow(
            to="GetObject",
            on="arn:aws:s3:::abucket/*",
            apply_to=Principal(PrincipalKind.SERVICE, "ec2.amazonaws.com"),
        )
    )

    s += VPCEndpoint("S3EndPoint", "s3", s["BuildVPC"], [s["RT"]], policy_document=p)
    assert s.body
Esempio n. 6
0
def test_create_network():
    s = Stack(name='teststack')

    s = Stack(name='MyStack')
    s += VPC('BuildVPC', '10.10.0.0/16')
    s += InternetGateway('Gate')
    s += Subnet('BuildPublicSubnet', s['BuildVPC'], '10.10.10.0/24')
    s += Subnet('BuildPrivateSubnet', s['BuildVPC'], '10.10.20.0/24')
    s += VPCGatewayAttachment('GateAttach', s['BuildVPC'], s['Gate'])
    s += RouteTable('RT', s['BuildVPC'])
    s += Route('PRoute', s['RT'], '0.0.0.0/0', s['Gate'], s['GateAttach'])
    s += SubnetRouteTableAssociation('RTSAssoc', s['BuildPublicSubnet'],
                                     s['RT'])
    p = PolicyDocument().append(
        Allow(to='GetObject',
              on='arn:aws:s3:::abucket/*',
              apply_to=Principal(PrincipalKind.SERVICE, 'ec2.amazonaws.com')))

    s += VPCEndpoint('S3EndPoint',
                     's3',
                     s['BuildVPC'], [s['RT']],
                     policy_document=p)
    assert s.body
Esempio n. 7
0
    def add_lambda_access(self, lambda_arns):
        """Add a lambda interface endpoint with permissions to invoke given lambdas.

        :param lambda_arns: arn identifying the lambda to give access to
        :type lambda_arns: list[str]
        """
        endpoint_name = f"{self.name}LambdaEndPoint"
        if endpoint_name not in self:
            self.add(
                VPCInterfaceEndpoint(
                    name=endpoint_name,
                    service="lambda",
                    vpc=self.vpc,
                    subnet=self.aws_endpoints_subnet.subnet,
                    policy_document=PolicyDocument(),
                    security_group=self.aws_endpoints_security_group,
                ))
        self.lambda_endpoint.policy_document.append(
            Allow(
                to=["lambda:InvokeFunction"],
                on=chain.from_iterable(((lambda_arn, lambda_arn + ":*")
                                        for lambda_arn in lambda_arns)),
                apply_to=Principal(PrincipalKind.EVERYONE),
            ))