def policy_create_for_task_role(self, role_name, skip_if_exists=True): policy = { "Version" : "2008-10-17", "Statement" : [ { "Effect": "Allow", "Principal": { "Service": "ecs-tasks.amazonaws.com"}, "Action": "sts:AssumeRole" }]} iam_role = IAM_Role(role_name=role_name) iam_role.create(policy,skip_if_exists=skip_if_exists) return iam_role
def test_create_function(self): role_arn = IAM_Role(self.lambda_name + '__tmp_role').create_for__lambda().get('role_arn') tmp_folder = Temp_Folder_With_Lambda_File( self.lambda_name).create_temp_file() (self.aws_lambda.set_role(role_arn).set_s3_bucket( self.s3_bucket).set_s3_key(self.s3_key).set_folder_code( tmp_folder.folder)) create_kwargs = self.aws_lambda.create_kwargs() assert create_kwargs == { 'Code': { 'S3Bucket': self.s3_bucket, 'S3Key': self.s3_key }, 'FunctionName': self.lambda_name, 'Handler': self.lambda_name + '.run', 'MemorySize': 10240, 'PackageType': 'Zip', 'Role': role_arn, 'Runtime': 'python3.8', 'Tags': {}, 'Timeout': 900, 'TracingConfig': { 'Mode': 'PassThrough' } } assert self.aws_lambda.upload() is True result = self.aws_lambda.create() data = result.get('data') name = result.get('name') status = result.get('status') assert status == 'ok' assert name == self.lambda_name expected_arn = 'arn:aws:lambda:{0}:{1}:function:{2}'.format( self.region, self.account_id, self.lambda_name) # expected arn value (Assert(data).field_is_equal('CodeSize', 242) # confirm lambda creation details .field_is_equal('FunctionArn', expected_arn).field_is_equal( 'FunctionName', self.lambda_name).field_is_equal( 'Handler', self.lambda_name + '.run').field_is_equal( 'MemorySize', 10240).field_is_equal('Role', role_arn).field_is_equal( 'Runtime', 'python3.8').field_is_equal( 'Timeout', 900).field_is_equal('TracingConfig', { 'Mode': 'PassThrough' }).field_is_equal('Version', '$LATEST')) assert self.aws_lambda.invoke() == 'hello None' assert self.aws_lambda.delete() is True # confirm Lambda was deleted
def policy_create_for_execution_role(self, role_name, skip_if_exists=True): #cloud_watch_arn = "arn:aws:logs:{0}:{1}:log-group:awslogs-*".format(self.region, self.account_id) cloud_watch_arn = f"arn:aws:logs:{self.region}:{self.account_id}:log-group:*" role_document = { "Version" : "2008-10-17", "Statement" : [ { "Effect": "Allow", "Principal": { "Service": "ecs-tasks.amazonaws.com"}, "Action": "sts:AssumeRole" }]} policy_document = { "Version" : "2012-10-17", "Statement": [{ "Effect" : "Allow" , "Action" : [ "ecr:GetAuthorizationToken" , "ecr:BatchCheckLayerAvailability" , "ecr:GetDownloadUrlForLayer" , "ecr:GetRepositoryPolicy" , "ecr:DescribeRepositories" , "ecr:ListImages" , "ecr:DescribeImages" , "ecr:BatchGetImage" ], "Resource": "*" }, { "Effect" : "Allow", "Action" : [ "logs:CreateLogStream" , "logs:PutLogEvents" ], "Resource": [ cloud_watch_arn ]}]} policy_name = 'policy_for_{0}'.format(role_name) iam_role = IAM_Role(role_name=role_name) if iam_role.exists() and skip_if_exists: return iam_role if iam_role.create(policy_document=role_document, skip_if_exists=skip_if_exists): iam_role.attach_policy(policy_name=policy_name, policy_document=policy_document) if policy_name in iam_role.iam.role_policies(): return iam_role
def test_create_function(self): role_arn = IAM_Role(self.lambda_name + '__tmp_role').create_for__lambda().get('role_arn') tmp_folder = Temp_Folder_Code(self.lambda_name) ( self.aws_lambda.set_role (role_arn) .set_s3_bucket (self.s3_bucket ) .set_s3_key (self.s3_key ) .set_folder_code(tmp_folder.folder) ) assert self.aws_lambda.create_params() == (self.lambda_name, 'python3.7' , role_arn , self.lambda_name + '.run', 3008 , 60 , { 'Mode' : 'PassThrough' }, { 'S3Bucket': self.s3_bucket , 'S3Key' : self.s3_key }) # confirm values that will be passed to the boto3's create_function assert self.aws_lambda.upload() is True result = self.aws_lambda.create() data = result.get('data') name = result.get('name') status = result.get('status') assert status == 'ok' assert name == self.lambda_name expected_arn = 'arn:aws:lambda:{0}:{1}:function:{2}'.format(self.region,self.account_id,self.lambda_name) # expected arn value (Assert(data).field_is_equal('CodeSize' , 209 ) # confirm lambda creation details .field_is_equal('FunctionArn' , expected_arn ) .field_is_equal('FunctionName' , self.lambda_name ) .field_is_equal('Handler' , self.lambda_name + '.run') .field_is_equal('MemorySize' , 3008 ) .field_is_equal('Role' , role_arn ) .field_is_equal('Runtime' , 'python3.7' ) .field_is_equal('Timeout' , 60 ) .field_is_equal('TracingConfig', {'Mode': 'PassThrough'} ) .field_is_equal('Version' , '$LATEST' ) ) assert self.aws_lambda.delete() is True # confirm Lambda was deleted
def test_policy_add_sqs_permissions_to_lambda_role(self): policy_name = self.iam_utils.arn_aws_policy_service_sqs_lambda.split( '/').pop(-1) with Temp_Lambda() as temp_lambda: lambda_name = temp_lambda.lambda_name iam_role_name = self.iam_utils.policy_add_sqs_permissions_to_lambda_role( lambda_name) iam_role = IAM_Role(role_name=iam_role_name) pprint(iam_role.info()) assert policy_name in iam_role.policies_statements() assert iam_role.exists() is True self.iam_utils.policy_remove_sqs_permissions_to_lambda_role( lambda_name) assert policy_name not in iam_role.policies_statements()
def create__for_lambda_invocation(self, delete_existing=False): iam_role = IAM_Role(self.role_name__for_lambda_invocation) if delete_existing: iam_role.iam.role_delete() return iam_role.create_for__lambda().get('role_arn')
def setUp(self): self.temp_role_name = 'test_IAM_Role__temp_role' self.iam_role = IAM_Role(role_name=self.temp_role_name)
class test_IAM_Role(TestCase): def setUp(self): self.temp_role_name = 'test_IAM_Role__temp_role' self.iam_role = IAM_Role(role_name=self.temp_role_name) def test___init__(self): assert self.iam_role.iam.role_name == self.temp_role_name def test_create_for__code_build(self): self.iam_role.iam.role_delete() result = self.iam_role.create_for__code_build() status = result.get('status') data = result.get('data') role_arn = result.get('role_arn') role_name = result.get('role_name') create_date = data.get('CreateDate') del data['RoleId'] del data['CreateDate'] expected_service = 'codebuild.amazonaws.com' expected_arn = 'arn:aws:iam::{0}:role/test_IAM_Role__temp_role'.format( account_id) expected_data = { 'Arn': expected_arn, 'AssumeRolePolicyDocument': { 'Statement': [{ 'Action': 'sts:AssumeRole', 'Effect': 'Allow', 'Principal': { 'Service': expected_service } }] }, 'Path': '/', 'RoleName': 'test_IAM_Role__temp_role' } assert status == 'ok' assert role_arn == expected_arn assert role_name == self.temp_role_name assert data == expected_data Temp_Assert(create_date).is_today() assert self.iam_role.create_for__code_build() == { 'data': 'role already exists', 'role_name': self.temp_role_name, 'role_arn': expected_arn, 'status': 'warning' } assert self.iam_role.iam.role_delete() is True def test_create_for__lambda(self): self.iam_role.create_for__lambda().get('role_arn') role_info = self.iam_role.iam.role_info() service = role_info.get('AssumeRolePolicyDocument').get( 'Statement')[0].get('Principal').get('Service') assert service == 'lambda.amazonaws.com' policy_statement = list( self.iam_role.iam.role_policies_statements().values()).pop() assert policy_statement == [{ 'Action': [ 'logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents' ], 'Effect': 'Allow', 'Resource': [ 'arn:aws:logs:{0}:{1}:log-group:/aws/lambda/*'.format( region, account_id) ] }] assert self.iam_role.iam.role_delete( ) is True # delete role and policies
def for_lambda_invocation_exists(self): iam_role = IAM_Role(self.role_name__for_lambda_invocation) return iam_role.iam.role_exists()
def setUp(self): self.temp_role_name = 'test_IAM_Role__temp_role' self.iam_role = IAM_Role(role_name=self.temp_role_name) with AWS_Config() as aws_config: self.account_id = aws_config.aws_session_account_id() self.region = aws_config.aws_session_region_name()
class test_IAM_Role(TestCase): def setUp(self): self.temp_role_name = 'test_IAM_Role__temp_role' self.iam_role = IAM_Role(role_name=self.temp_role_name) with AWS_Config() as aws_config: self.account_id = aws_config.aws_session_account_id() self.region = aws_config.aws_session_region_name() def tearDown(self) -> None: if self.iam_role.exists(): assert self.iam_role.delete() def test___init__(self): assert self.iam_role.iam.role_name == self.temp_role_name def test_create_for__code_build(self): result = self.iam_role.create_for__code_build() status = result.get('status') data = result.get('data') role_arn = result.get('role_arn') role_name = result.get('role_name') create_date = data.get('CreateDate') del data['RoleId'] del data['CreateDate'] expected_service = 'codebuild.amazonaws.com' expected_arn = 'arn:aws:iam::{0}:role/test_IAM_Role__temp_role'.format( self.account_id) expected_data = { 'Arn': expected_arn, 'AssumeRolePolicyDocument': { 'Statement': [{ 'Action': 'sts:AssumeRole', 'Effect': 'Allow', 'Principal': { 'Service': expected_service } }] }, 'Path': '/', 'RoleName': 'test_IAM_Role__temp_role' } assert status == 'ok' assert role_arn == expected_arn assert role_name == self.temp_role_name assert data == expected_data Assert(create_date).is_today() assert self.iam_role.create_for__code_build() == { 'data': 'role already exists', 'role_name': self.temp_role_name, 'role_arn': expected_arn, 'status': 'warning' } def test_create_for__lambda(self): self.iam_role.create_for__lambda().get('role_arn') role_info = self.iam_role.info() service = role_info.get('AssumeRolePolicyDocument').get( 'Statement')[0].get('Principal').get('Service') assert service == 'lambda.amazonaws.com' policy_statement = list( self.iam_role.policies_statements().values()).pop() assert policy_statement == [{ 'Action': [ 'logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents' ], 'Effect': 'Allow', 'Resource': [ 'arn:aws:logs:{0}:{1}:log-group:/aws/lambda/*'.format( self.region, self.account_id) ] }] def test_create_for_service_with_policies(self): policy_name = "Cloud_Watch" policies = { policy_name: { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:PutLogEvents", "logs:GetLogEvents", "logs:FilterLogEvents" ], "Resource": "*" }] } } service = 'apigateway.amazonaws.com' recreate_policy = True project_name = self.temp_role_name result = self.iam_role.create_for_service_with_policies( service, policies, project_name, recreate_policy) assert result == { 'policies_arns': [ f'arn:aws:iam::{self.account_id}:policy/{policy_name}_{project_name}' ], 'role_arn': f'arn:aws:iam::{self.account_id}:role/{project_name}' } temp_policies_arns = result['policies_arns'] temp_policy_arn = result['policies_arns'][0] assert len(temp_policies_arns) == 1 assert self.iam_role.exists() assert self.iam_role.iam.policy_exists(temp_policy_arn) self.iam_role.delete() # will also delete all associated policies assert self.iam_role.iam.policy_not_exists(temp_policy_arn) assert self.iam_role.not_exists()