def create_iam_profile(self):
    """Add the IAM roles and instance profile for the Empire controllers.

    Adds to ``self.template``:

    * ``ecsServiceRole`` -- trust policy from ``get_ecs_assumerole_policy``,
      inline policy ``ecsServiceRolePolicy`` from ``service_role_policy``.
    * ``EmpireControllerRole`` -- trust policy from
      ``get_default_assumerole_policy``, inline policy
      ``EmpireControllerPolicy`` from ``empire_policy``.
    * ``EmpireControllerProfile`` -- instance profile wrapping
      ``EmpireControllerRole`` so EC2 can hand it to the instances.
    """
    template = self.template

    # Role assumed by the ECS service itself.
    ecs_service_role = Role(
        "ecsServiceRole",
        AssumeRolePolicyDocument=get_ecs_assumerole_policy(),
        Path="/",
        Policies=[
            Policy(
                PolicyName="ecsServiceRolePolicy",
                PolicyDocument=service_role_policy(),
            )
        ],
    )
    template.add_resource(ecs_service_role)

    # Role assumed by the EC2 instances that run the Empire controllers;
    # its inline policy document comes from empire_policy().
    controller_role = Role(
        "EmpireControllerRole",
        AssumeRolePolicyDocument=get_default_assumerole_policy(),
        Path="/",
        Policies=[
            Policy(
                PolicyName="EmpireControllerPolicy",
                PolicyDocument=empire_policy(),
            )
        ],
    )
    template.add_resource(controller_role)

    # Instance profile that attaches the controller role to the instances.
    controller_profile = InstanceProfile(
        "EmpireControllerProfile",
        Path="/",
        Roles=[Ref("EmpireControllerRole")],
    )
    template.add_resource(controller_profile)
def create_iam_profile(self):
    """Add the IAM roles and instance profile for the Empire controllers.

    Two roles are added to ``self.template``, each with a single inline
    policy: ``ecsServiceRole`` (trust policy from
    ``get_ecs_assumerole_policy``, policy ``ecsServiceRolePolicy``) and
    ``EmpireControllerRole`` (trust policy from
    ``get_default_assumerole_policy``, policy ``EmpireControllerPolicy``).
    ``EmpireControllerProfile`` then wraps the controller role as an
    instance profile.
    """
    template = self.template

    def add_role(title, trust_policy, policy_name, policy_document):
        # Build a role with exactly one inline policy and register it.
        template.add_resource(
            Role(
                title,
                AssumeRolePolicyDocument=trust_policy,
                Path="/",
                Policies=[
                    Policy(PolicyName=policy_name, PolicyDocument=policy_document)
                ],
            )
        )

    # Role assumed by the ECS service.
    add_role(
        "ecsServiceRole",
        get_ecs_assumerole_policy(),
        "ecsServiceRolePolicy",
        service_role_policy(),
    )
    # Role assumed by the Empire controller instances.
    add_role(
        "EmpireControllerRole",
        get_default_assumerole_policy(),
        "EmpireControllerPolicy",
        empire_policy(),
    )
    # Instance profile so EC2 can attach the controller role.
    template.add_resource(
        InstanceProfile(
            "EmpireControllerProfile",
            Path="/",
            Roles=[Ref("EmpireControllerRole")],
        )
    )
def test_create_service_role_already_exists(self):
    """Hook still succeeds and attaches its policy when the role pre-exists."""
    role_name = "ecsServiceRole"
    policy_name = "AmazonEC2ContainerServiceRolePolicy"
    with mock_iam():
        iam = boto3.client("iam", region_name=REGION)
        # Pre-create the role so the hook takes its "already exists" path.
        iam.create_role(
            RoleName=role_name,
            AssumeRolePolicyDocument=get_ecs_assumerole_policy().to_json(),
        )

        succeeded = create_ecs_service_role(
            context=self.context,
            provider=self.provider,
        )
        self.assertTrue(succeeded)

        fetched = iam.get_role(RoleName=role_name)
        self.assertIn("Role", fetched)
        self.assertEqual(role_name, fetched["Role"]["RoleName"])
        # Raises if the hook did not attach the inline policy to the role.
        iam.get_role_policy(RoleName=role_name, PolicyName=policy_name)
def create_iam_profile(self):
    """Add the IAM roles, conditional SNS policy and profile for the controllers.

    Adds to ``self.template``:

    * ``ecsServiceRole`` with inline ``ecsServiceRolePolicy``.
    * ``EmpireControllerRole`` with inline ``EmpireControllerPolicy``.
    * ``SNSEventsPolicy`` on the controller role, only when the
      ``EnableSNSEvents`` condition holds; the document is built from
      ``Ref("EventTopic")``.
    * ``EmpireControllerProfile`` wrapping the controller role.
    * An output ``EmpireControllerRole`` exposing the role's Ref.
    """
    template = self.template

    # Role assumed by the ECS service.
    template.add_resource(
        Role(
            "ecsServiceRole",
            AssumeRolePolicyDocument=get_ecs_assumerole_policy(),
            Path="/",
            Policies=[
                Policy(
                    PolicyName="ecsServiceRolePolicy",
                    PolicyDocument=service_role_policy(),
                )
            ],
        )
    )

    # Role assumed by the Empire controller instances.
    template.add_resource(
        Role(
            "EmpireControllerRole",
            AssumeRolePolicyDocument=get_default_assumerole_policy(),
            Path="/",
            Policies=[
                Policy(
                    PolicyName="EmpireControllerPolicy",
                    PolicyDocument=empire_policy(),
                )
            ],
        )
    )

    # Extra SNS permissions, only materialised when events are enabled.
    sns_policy = PolicyType(
        "SNSEventsPolicy",
        PolicyName="EmpireSNSEventsPolicy",
        Condition="EnableSNSEvents",
        PolicyDocument=sns_events_policy(Ref("EventTopic")),
        Roles=[Ref("EmpireControllerRole")],
    )
    template.add_resource(sns_policy)

    # Instance profile so EC2 can attach the controller role.
    template.add_resource(
        InstanceProfile(
            "EmpireControllerProfile",
            Path="/",
            Roles=[Ref("EmpireControllerRole")],
        )
    )

    # Expose the controller role so other stacks can reference it.
    template.add_output(
        Output("EmpireControllerRole", Value=Ref("EmpireControllerRole"))
    )
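def create_ecs_service_role(region, namespace, mappings, parameters, **kwargs):
    """Create the ``ecsServiceRole`` IAM role and attach its inline policy.

    The role currently has to be named exactly ``ecsServiceRole``, so it
    cannot be created via CloudFormation. See:
    http://docs.aws.amazon.com/AmazonECS/latest/developerguide/IAM_policies.html#service_IAM_role

    Args:
        region (str): AWS region used to build the IAM client.
        namespace: Unused; passed in by the hook runner.
        mappings: Unused; passed in by the hook runner.
        parameters: Unused; passed in by the hook runner.

    Keyword Args:
        role_name (str): Name of the role to create (default ``ecsServiceRole``).

    Returns:
        bool: ``True`` once the role exists and the policy has been attached.

    Raises:
        botocore.exceptions.ClientError: Any IAM error other than the role
            already existing.
    """
    role_name = kwargs.get("role_name", "ecsServiceRole")
    client = boto3.client("iam", region_name=region)
    try:
        client.create_role(
            RoleName=role_name,
            AssumeRolePolicyDocument=get_ecs_assumerole_policy().to_json(),
        )
    except ClientError as e:
        # A pre-existing role is fine: the inline policy is (re)applied below.
        # Prefer the structured error code over a message substring, and use
        # str(e) rather than e.message, which only exists on Python 2.
        error_code = e.response.get("Error", {}).get("Code")
        if error_code != "EntityAlreadyExists" and "already exists" not in str(e):
            raise

    # Permissions the ECS service needs. The actions are ECS-only; the
    # Resource "*" scope follows the role described in the linked AWS docs.
    # Version 2012-10-17 is the current policy language version.
    policy = Policy(
        Version="2012-10-17",
        Statement=[
            Statement(
                Effect=Allow,
                Resource=["*"],
                Action=[
                    ecs.CreateCluster,
                    ecs.DeregisterContainerInstance,
                    ecs.DiscoverPollEndpoint,
                    ecs.Poll,
                    ecs.Action("Submit*"),
                ],
            )
        ],
    )
    client.put_role_policy(
        RoleName=role_name,
        PolicyName="AmazonEC2ContainerServiceRolePolicy",
        PolicyDocument=policy.to_json(),
    )
    return True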
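def create_ecs_service_role(provider, context, **kwargs):
    """Create ``ecsServiceRole``, which has to be named exactly that currently.

    http://docs.aws.amazon.com/AmazonECS/latest/developerguide/IAM_policies.html#service_IAM_role

    Args:
        provider (:class:`runway.cfngin.providers.base.BaseProvider`): Provider
            instance. (passed in by CFNgin)
        context (:class:`runway.cfngin.context.Context`): Context instance.
            (passed in by CFNgin)

    Keyword Args:
        role_name (str): Name of the role to create. (*default: ecsServiceRole*)

    Returns:
        bool: Whether or not the hook succeeded.

    Raises:
        botocore.exceptions.ClientError: Any IAM error other than the role
            already existing.

    """
    role_name = kwargs.get("role_name", "ecsServiceRole")
    client = get_session(provider.region).client("iam")
    try:
        client.create_role(
            RoleName=role_name,
            AssumeRolePolicyDocument=get_ecs_assumerole_policy().to_json(),
        )
    except ClientError as err:
        # A pre-existing role is expected on re-runs; the inline policy is
        # (re)applied below either way. Check the structured error code first
        # and keep the message substring only as a fallback.
        error_code = err.response.get("Error", {}).get("Code")
        if error_code != "EntityAlreadyExists" and "already exists" not in str(err):
            raise

    # ECS-only actions; Resource "*" follows the role in the linked AWS docs.
    policy = Policy(
        Version="2012-10-17",
        Statement=[
            Statement(
                Effect=Allow,
                Resource=["*"],
                Action=[
                    ecs.CreateCluster,
                    ecs.DeregisterContainerInstance,
                    ecs.DiscoverPollEndpoint,
                    ecs.Poll,
                    ecs.Action("Submit*"),
                ],
            )
        ],
    )
    client.put_role_policy(
        RoleName=role_name,
        PolicyName="AmazonEC2ContainerServiceRolePolicy",
        PolicyDocument=policy.to_json(),
    )
    return True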
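def create_ecs_service_role(
    context: CfnginContext, *, role_name: str = "ecsServiceRole", **_: Any
) -> bool:
    """Create ecsServiceRole IAM role.

    https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using-service-linked-roles.html

    Args:
        context: Context instance. (passed in by CFNgin)
        role_name: Name of the role to create.

    Returns:
        ``True`` once the role exists and its inline policy has been attached.

    Raises:
        botocore.exceptions.ClientError: Any IAM error other than the role
            already existing.

    """
    client = context.get_session().client("iam")
    try:
        client.create_role(
            RoleName=role_name,
            AssumeRolePolicyDocument=get_ecs_assumerole_policy().to_json(),
        )
    except ClientError as err:
        # A pre-existing role is expected on re-runs; the inline policy is
        # (re)applied below either way. Check the structured error code first
        # and keep the message substring only as a fallback.
        error_code = err.response.get("Error", {}).get("Code")
        if error_code != "EntityAlreadyExists" and "already exists" not in str(err):
            raise

    # ECS-only actions; Resource "*" follows the role in the linked AWS docs.
    policy = Policy(
        Version="2012-10-17",
        Statement=[
            Statement(
                Effect=Allow,
                Resource=["*"],
                Action=[
                    ecs.CreateCluster,
                    ecs.DeregisterContainerInstance,
                    ecs.DiscoverPollEndpoint,
                    ecs.Poll,
                    ecs.Action("Submit*"),
                ],
            )
        ],
    )
    client.put_role_policy(
        RoleName=role_name,
        PolicyName="AmazonEC2ContainerServiceRolePolicy",
        PolicyDocument=policy.to_json(),
    )
    return True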
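def create_ecs_service_role(provider, context, **kwargs):
    """Create the ``ecsServiceRole``, which has to be named exactly that
    currently, so cannot be created via CloudFormation.

    See:
    http://docs.aws.amazon.com/AmazonECS/latest/developerguide/IAM_policies.html#service_IAM_role

    Args:
        provider (:class:`stacker.providers.base.BaseProvider`): provider
            instance
        context (:class:`stacker.context.Context`): context instance

    Keyword Args:
        role_name (str): Name of the role to create (default ``ecsServiceRole``).

    Returns:
        boolean for whether or not the hook succeeded.

    Raises:
        botocore.exceptions.ClientError: Any IAM error other than the role
            already existing.
    """
    role_name = kwargs.get("role_name", "ecsServiceRole")
    client = get_session(provider.region).client('iam')
    try:
        client.create_role(
            RoleName=role_name,
            AssumeRolePolicyDocument=get_ecs_assumerole_policy().to_json()
        )
    except ClientError as e:
        # A pre-existing role is fine: the inline policy is (re)applied below.
        # Prefer the structured error code; keep the message check as fallback.
        error_code = e.response.get("Error", {}).get("Code")
        if error_code != "EntityAlreadyExists" and "already exists" not in str(e):
            raise

    # Explicit Version so the document uses the current policy language
    # (without it IAM falls back to the older default). ECS-only actions;
    # Resource "*" follows the role in the linked AWS docs.
    policy = Policy(
        Version='2012-10-17',
        Statement=[
            Statement(
                Effect=Allow,
                Resource=["*"],
                Action=[ecs.CreateCluster,
                        ecs.DeregisterContainerInstance,
                        ecs.DiscoverPollEndpoint,
                        ecs.Poll,
                        ecs.Action("Submit*")]
            )
        ])
    client.put_role_policy(
        RoleName=role_name,
        PolicyName="AmazonEC2ContainerServiceRolePolicy",
        PolicyDocument=policy.to_json()
    )
    return True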
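def create_ecs_service_role(provider, context, **kwargs):
    """Create the ``ecsServiceRole``, which has to be named exactly that
    currently, so cannot be created via CloudFormation.

    See:
    http://docs.aws.amazon.com/AmazonECS/latest/developerguide/IAM_policies.html#service_IAM_role

    Args:
        provider (:class:`stacker.providers.base.BaseProvider`): provider
            instance
        context (:class:`stacker.context.Context`): context instance

    Keyword Args:
        role_name (str): Name of the role to create (default ``ecsServiceRole``).

    Returns:
        boolean for whether or not the hook succeeded.

    Raises:
        botocore.exceptions.ClientError: Any IAM error other than the role
            already existing.
    """
    role_name = kwargs.get("role_name", "ecsServiceRole")
    client = get_session(provider.region).client('iam')
    try:
        client.create_role(
            RoleName=role_name,
            AssumeRolePolicyDocument=get_ecs_assumerole_policy().to_json())
    except ClientError as e:
        # A pre-existing role is fine: the inline policy is (re)applied below.
        # Prefer the structured error code; keep the message check as fallback.
        error_code = e.response.get("Error", {}).get("Code")
        if error_code != "EntityAlreadyExists" and "already exists" not in str(e):
            raise

    # ECS-only actions; Resource "*" follows the role in the linked AWS docs.
    policy = Policy(
        Version='2012-10-17',
        Statement=[
            Statement(
                Effect=Allow,
                Resource=["*"],
                Action=[
                    ecs.CreateCluster,
                    ecs.DeregisterContainerInstance,
                    ecs.DiscoverPollEndpoint,
                    ecs.Poll,
                    ecs.Action("Submit*"),
                ])
        ])
    client.put_role_policy(
        RoleName=role_name,
        PolicyName="AmazonEC2ContainerServiceRolePolicy",
        PolicyDocument=policy.to_json())
    return True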
def test_create_service_role_already_exists(self):
    """Hook returns True and attaches its policy when the role already exists."""
    expected_role = "ecsServiceRole"
    expected_policy = "AmazonEC2ContainerServiceRolePolicy"
    with mock_iam():
        iam = boto3.client("iam", region_name=REGION)
        # Seed the role first so the hook must tolerate "already exists".
        iam.create_role(
            RoleName=expected_role,
            AssumeRolePolicyDocument=get_ecs_assumerole_policy().to_json(),
        )

        self.assertTrue(
            create_ecs_service_role(context=self.context, provider=self.provider)
        )

        response = iam.get_role(RoleName=expected_role)
        self.assertIn("Role", response)
        self.assertEqual(expected_role, response["Role"]["RoleName"])
        # Raises if the inline policy was not attached by the hook.
        iam.get_role_policy(RoleName=expected_role, PolicyName=expected_policy)
def create_iam_profile(self):
    """Add the controller IAM roles, the conditional SNS policy and the profile.

    Adds ``ecsServiceRole`` and ``EmpireControllerRole`` (each with one
    inline policy), ``SNSEventsPolicy`` on the controller role guarded by the
    ``EnableSNSEvents`` condition, the ``EmpireControllerProfile`` instance
    profile, and an output exposing ``Ref("EmpireControllerRole")``.
    """
    template = self.template

    def add_role(title, trust_policy, policy_name, policy_document):
        # Register a role carrying exactly one inline policy.
        template.add_resource(
            Role(
                title,
                AssumeRolePolicyDocument=trust_policy,
                Path="/",
                Policies=[
                    Policy(PolicyName=policy_name, PolicyDocument=policy_document)
                ],
            )
        )

    # Role assumed by the ECS service.
    add_role(
        "ecsServiceRole",
        get_ecs_assumerole_policy(),
        "ecsServiceRolePolicy",
        service_role_policy(),
    )
    # Role assumed by the Empire controller instances.
    add_role(
        "EmpireControllerRole",
        get_default_assumerole_policy(),
        "EmpireControllerPolicy",
        empire_policy(),
    )

    # SNS permissions for the controller role, created only when events
    # are enabled; the document is built around Ref("EventTopic").
    template.add_resource(
        PolicyType(
            "SNSEventsPolicy",
            PolicyName="EmpireSNSEventsPolicy",
            Condition="EnableSNSEvents",
            PolicyDocument=sns_events_policy(Ref("EventTopic")),
            Roles=[Ref("EmpireControllerRole")],
        )
    )

    # Instance profile so EC2 can attach the controller role.
    template.add_resource(
        InstanceProfile(
            "EmpireControllerProfile",
            Path="/",
            Roles=[Ref("EmpireControllerRole")],
        )
    )

    # Expose the controller role for other stacks.
    template.add_output(
        Output("EmpireControllerRole", Value=Ref("EmpireControllerRole"))
    )
def create_ecs_resources(self):
    """Add the ECS-side resources for the Empire controller to ``self.template``.

    In order: the ``AccessPolicy`` inline policy on ``InstanceRole``, the
    optional events SNS topic and its output, three conditional policies on
    ``InstanceRole`` (SNS events, run logs, app event stream), the Empire
    task definition, the ECS ``ServiceRole`` and the ECS ``Service``.
    """
    template = self.template
    instance_role = [Ref("InstanceRole")]

    # Values substituted into empire_policy(); all resolve at deploy time.
    policy_variables = {
        "Environment": Ref("Environment"),
        "CustomResourcesTopic": Ref("CustomResourcesTopic"),
        "CustomResourcesQueue": GetAtt("CustomResourcesQueue", "Arn"),
        "TemplateBucket": Join("", ["arn:aws:s3:::", Ref("TemplateBucket"), "/*"]),
    }
    # Give the instances the access that the Empire daemon needs.
    template.add_resource(
        PolicyType(
            "AccessPolicy",
            PolicyName="empire",
            PolicyDocument=empire_policy(policy_variables),
            Roles=instance_role,
        )
    )

    # Optional SNS topic for Empire events, plus an output exposing it.
    template.add_resource(
        sns.Topic(
            EVENTS_TOPIC,
            DisplayName="Empire events",
            Condition="CreateSNSTopic",
        )
    )
    template.add_output(
        Output("EventsSNSTopic", Value=Ref(EVENTS_TOPIC), Condition="CreateSNSTopic")
    )

    # SNS events policy, only when events are enabled. The topic is either
    # the one created above or an externally supplied name.
    events_topic = If("CreateSNSTopic", Ref(EVENTS_TOPIC), Ref("EventsSNSTopicName"))
    template.add_resource(
        PolicyType(
            "SNSEventsPolicy",
            PolicyName="EmpireSNSEventsPolicy",
            Condition="EnableSNSEvents",
            PolicyDocument=sns_events_policy(events_topic),
            Roles=instance_role,
        )
    )

    # Run logs policy, only when CloudWatch logs are enabled.
    run_logs_group = If("CreateRunLogsGroup", Ref(RUN_LOGS), Ref("RunLogsCloudwatchGroup"))
    template.add_resource(
        PolicyType(
            "RunLogsPolicy",
            PolicyName="EmpireRunLogsPolicy",
            Condition="EnableCloudwatchLogs",
            PolicyDocument=runlogs_policy(run_logs_group),
            Roles=instance_role,
        )
    )

    # Lets the controller write empire events to kinesis when enabled.
    template.add_resource(
        PolicyType(
            "AppEventStreamPolicy",
            PolicyName="EmpireAppEventStreamPolicy",
            Condition="EnableAppEventStream",
            PolicyDocument=logstream_policy(),
            Roles=instance_role,
        )
    )

    # Host paths mounted into the Empire container.
    # NOTE(review): a read-write mount of /var/run/docker.sock is equivalent
    # to root on the host, and /root/.dockercfg carries registry credentials;
    # presumably the daemon needs the socket to drive Docker, so keep the
    # controller cluster separate from application workloads and confirm
    # whether .dockercfg really needs ReadOnly=False.
    docker_socket = ecs.Volume(
        Name="dockerSocket",
        Host=ecs.Host(SourcePath="/var/run/docker.sock"),
    )
    docker_cfg = ecs.Volume(
        Name="dockerCfg",
        Host=ecs.Host(SourcePath="/root/.dockercfg"),
    )
    empire_container = ecs.ContainerDefinition(
        Command=["server", "-automigrate=true"],
        Name="empire",
        Environment=self.get_empire_environment(),
        Essential=True,
        Image=Ref("DockerImage"),
        MountPoints=[
            ecs.MountPoint(
                SourceVolume="dockerSocket",
                ContainerPath="/var/run/docker.sock",
                ReadOnly=False,
            ),
            ecs.MountPoint(
                SourceVolume="dockerCfg",
                ContainerPath="/root/.dockercfg",
                ReadOnly=False,
            ),
        ],
        PortMappings=[ecs.PortMapping(HostPort=8081, ContainerPort=8081)],
        Cpu=Ref("TaskCPU"),
        Memory=Ref("TaskMemory"),
    )
    template.add_resource(
        ecs.TaskDefinition(
            "TaskDefinition",
            Volumes=[docker_socket, docker_cfg],
            ContainerDefinitions=[empire_container],
        )
    )

    # Role the ECS service assumes to manage the controller service.
    template.add_resource(
        Role(
            "ServiceRole",
            AssumeRolePolicyDocument=get_ecs_assumerole_policy(),
            Path="/",
            Policies=[
                Policy(
                    PolicyName="ecs-service-role",
                    PolicyDocument=service_role_policy(),
                )
            ],
        )
    )

    # The ECS service running the task definition behind the load balancer.
    rollout = ecs.DeploymentConfiguration(
        MaximumPercent=Ref("ServiceMaximumPercent"),
        MinimumHealthyPercent=Ref("ServiceMinimumHealthyPercent"),
    )
    empire_lb = ecs.LoadBalancer(
        ContainerName="empire",
        ContainerPort=8081,
        LoadBalancerName=Ref("LoadBalancer"),
    )
    template.add_resource(
        ecs.Service(
            "Service",
            Cluster=Ref("ControllerCluster"),
            DeploymentConfiguration=rollout,
            DesiredCount=Ref("DesiredCount"),
            LoadBalancers=[empire_lb],
            Role=Ref("ServiceRole"),
            TaskDefinition=Ref("TaskDefinition"),
        )
    )
def create_ecs_resources(self):
    """Add the ECS-side resources for the Empire controller to ``self.template``.

    In order: the ``AccessPolicy`` inline policy on ``InstanceRole``, the
    optional events SNS topic and its output, three conditional policies on
    ``InstanceRole`` (SNS events, run logs, app event stream), the Empire
    task definition, the ECS ``ServiceRole`` and the ECS ``Service``.
    """
    template = self.template

    def add_instance_policy(title, policy_name, document, condition=None):
        # Attach an inline policy to InstanceRole, optionally conditional.
        kwargs = {"PolicyName": policy_name, "PolicyDocument": document,
                  "Roles": [Ref("InstanceRole")]}
        if condition is not None:
            kwargs["Condition"] = condition
        template.add_resource(PolicyType(title, **kwargs))

    # Give the instances the access that the Empire daemon needs.
    add_instance_policy(
        "AccessPolicy",
        "empire",
        empire_policy({
            "Environment": Ref("Environment"),
            "CustomResourcesTopic": Ref("CustomResourcesTopic"),
            "CustomResourcesQueue": GetAtt("CustomResourcesQueue", "Arn"),
            "TemplateBucket": Join("", ["arn:aws:s3:::", Ref("TemplateBucket"), "/*"]),
        }),
    )

    # Optional SNS topic for Empire events, plus an output exposing it.
    template.add_resource(sns.Topic(
        EVENTS_TOPIC,
        DisplayName="Empire events",
        Condition="CreateSNSTopic",
    ))
    template.add_output(Output(
        "EventsSNSTopic",
        Value=Ref(EVENTS_TOPIC),
        Condition="CreateSNSTopic",
    ))

    # SNS events policy when events are enabled; the topic is either the one
    # created above or an externally supplied name.
    add_instance_policy(
        "SNSEventsPolicy",
        "EmpireSNSEventsPolicy",
        sns_events_policy(
            If("CreateSNSTopic", Ref(EVENTS_TOPIC), Ref("EventsSNSTopicName"))
        ),
        condition="EnableSNSEvents",
    )
    # Run logs policy when CloudWatch logs are enabled.
    add_instance_policy(
        "RunLogsPolicy",
        "EmpireRunLogsPolicy",
        runlogs_policy(
            If("CreateRunLogsGroup", Ref(RUN_LOGS), Ref("RunLogsCloudwatchGroup"))
        ),
        condition="EnableCloudwatchLogs",
    )
    # Lets the controller write empire events to kinesis when enabled.
    add_instance_policy(
        "AppEventStreamPolicy",
        "EmpireAppEventStreamPolicy",
        logstream_policy(),
        condition="EnableAppEventStream",
    )

    # Host paths mounted into the Empire container.
    # NOTE(review): a read-write mount of /var/run/docker.sock is equivalent
    # to root on the host, and /root/.dockercfg carries registry credentials;
    # presumably the daemon needs the socket to drive Docker, so keep the
    # controller cluster separate from application workloads and confirm
    # whether .dockercfg really needs ReadOnly=False.
    volumes = [
        ecs.Volume(
            Name="dockerSocket",
            Host=ecs.Host(SourcePath="/var/run/docker.sock")),
        ecs.Volume(
            Name="dockerCfg",
            Host=ecs.Host(SourcePath="/root/.dockercfg")),
    ]
    mounts = [
        ecs.MountPoint(
            SourceVolume="dockerSocket",
            ContainerPath="/var/run/docker.sock",
            ReadOnly=False),
        ecs.MountPoint(
            SourceVolume="dockerCfg",
            ContainerPath="/root/.dockercfg",
            ReadOnly=False),
    ]
    container = ecs.ContainerDefinition(
        Command=["server", "-automigrate=true"],
        Name="empire",
        Environment=self.get_empire_environment(),
        Essential=True,
        Image=Ref("DockerImage"),
        MountPoints=mounts,
        PortMappings=[ecs.PortMapping(HostPort=8081, ContainerPort=8081)],
        Cpu=Ref("TaskCPU"),
        Memory=Ref("TaskMemory"),
    )
    template.add_resource(ecs.TaskDefinition(
        "TaskDefinition",
        Volumes=volumes,
        ContainerDefinitions=[container],
    ))

    # Role the ECS service assumes to manage the controller service.
    template.add_resource(Role(
        "ServiceRole",
        AssumeRolePolicyDocument=get_ecs_assumerole_policy(),
        Path="/",
        Policies=[Policy(
            PolicyName="ecs-service-role",
            PolicyDocument=service_role_policy())],
    ))

    # The ECS service running the task definition behind the load balancer.
    template.add_resource(ecs.Service(
        "Service",
        Cluster=Ref("ControllerCluster"),
        DeploymentConfiguration=ecs.DeploymentConfiguration(
            MaximumPercent=Ref("ServiceMaximumPercent"),
            MinimumHealthyPercent=Ref("ServiceMinimumHealthyPercent"),
        ),
        DesiredCount=Ref("DesiredCount"),
        LoadBalancers=[ecs.LoadBalancer(
            ContainerName="empire",
            ContainerPort=8081,
            LoadBalancerName=Ref("LoadBalancer"))],
        Role=Ref("ServiceRole"),
        TaskDefinition=Ref("TaskDefinition"),
    ))