def normalise(self, meta, val):
if "use" in val:
template = val["use"]
if template not in meta.everything["templates"]:
available = list(meta.everything["templates"].keys())
raise BadTemplate("Template doesn't exist!", wanted=template, available=available, meta=meta)
val = MergedOptions.using(meta.everything["templates"][template], val)
formatted_string = sb.formatted(
sb.string_or_int_as_string_spec(), MergedOptionStringFormatter, expected_type=six.string_types
)
key_name = meta.key_names()["_key_name_0"]
key = sb.create_spec(
EncryptionKey,
name=sb.overridden(key_name),
location=sb.required(formatted_string),
description=formatted_string,
grant=sb.listof(grant_statement_spec("key", key_name)),
admin_users=sb.listof(sb.any_spec()),
).normalise(meta, val)
statements = [{"principal": {"iam": "root"}, "action": "kms:*", "resource": "*", "Sid": ""}]
if key.admin_users:
for admin_user in key.admin_users:
statements.append(
{"principal": admin_user, "action": "kms:*", "resource": {"kms": "__self__"}, "Sid": ""}
)
key.policy = sb.container_spec(Document, sb.listof(resource_policy_statement_spec("key", key_name))).normalise(
meta.at("admin_users"), statements
)
return key
def normalise(self, meta, val):
if 'use' in val:
template = val['use']
if template not in meta.everything['templates']:
available = list(meta.everything['templates'].keys())
raise BadTemplate("Template doesn't exist!", wanted=template, available=available, meta=meta)
val = MergedOptions.using(meta.everything['templates'][template], val)
formatted_string = sb.formatted(sb.string_or_int_as_string_spec(), MergedOptionStringFormatter, expected_type=six.string_types)
key_name = meta.key_names()['_key_name_0']
key = sb.create_spec(EncryptionKey
, name = sb.overridden(key_name)
, location = sb.required(formatted_string)
, description = formatted_string
, grant = sb.listof(grant_statement_spec('key', key_name))
, admin_users = sb.listof(sb.any_spec())
, permission = sb.listof(sb.dictionary_spec())
, no_root_access = sb.defaulted(sb.boolean(), False)
).normalise(meta, val)
statements = key.permission
if not key.no_root_access:
statements.append({"principal": {"iam": "root"}, "action": "kms:*", "resource": "*", "Sid": ""})
if key.admin_users:
for admin_user in key.admin_users:
statements.append({"principal": admin_user, "action": "kms:*", "resource": { "kms": "__self__" }, "Sid": ""})
key.policy = sb.container_spec(Document, sb.listof(resource_policy_statement_spec('key', key_name))).normalise(meta.at("admin_users"), statements)
return key
def normalise(self, meta, val):
if 'use' in val:
template = val['use']
if template not in meta.everything['templates']:
available = list(meta.everything['templates'].keys())
raise BadTemplate("Template doesn't exist!", wanted=template, available=available, meta=meta)
val = MergedOptions.using(meta.everything['templates'][template], val)
formatted_string = sb.formatted(sb.string_or_int_as_string_spec(), MergedOptionStringFormatter, expected_type=six.string_types)
bucket_name = meta.key_names()['_key_name_0']
original_permission = sb.listof(resource_policy_dict()).normalise(meta.at("permission"), NotSpecified if "permission" not in val else val["permission"])
deny_permission = sb.listof(resource_policy_dict(effect='Deny')).normalise(meta.at("deny_permission"), NotSpecified if "deny_permission" not in val else val["deny_permission"])
allow_permission = sb.listof(resource_policy_dict(effect='Allow')).normalise(meta.at("allow_permission"), NotSpecified if "allow_permission" not in val else val["allow_permission"])
# require_mfa_to_delete is an alias for this permission
if val.get("require_mfa_to_delete") is True:
delete_policy = {"action": "s3:DeleteBucket", "resource": { "s3": "__self__" }, "Condition": { "Bool": { "aws:MultiFactorAuthPresent": True } } }
normalised_delete_policy = resource_policy_dict(effect='Allow').normalise(meta.at("require_mfa_to_delete"), delete_policy)
allow_permission.append(normalised_delete_policy)
val = val.wrapped()
val['permission'] = original_permission + deny_permission + allow_permission
return sb.create_spec(Bucket
, acl = sb.defaulted(sb.match_spec((six.string_types, canned_acl_spec()), (dict, acl_statement_spec('acl', 'acl'))), None)
, name = sb.overridden(bucket_name)
, location = sb.defaulted(formatted_string, None)
, permission = sb.container_spec(Document, sb.listof(resource_policy_statement_spec('bucket', bucket_name)))
, tags = sb.dictof(sb.string_spec(), formatted_string)
, website = sb.defaulted(website_statement_spec("website", "website"), None)
, logging = sb.defaulted(logging_statement_spec("logging", "logging"), None)
, lifecycle = sb.defaulted(sb.listof(lifecycle_statement_spec("lifecycle", "lifecycle")), None)
).normalise(meta, val)
def normalise(self, meta, val):
if 'use' in val:
template = val['use']
if template not in meta.everything['templates']:
available = list(meta.everything['templates'].keys())
raise BadTemplate("Template doesn't exist!",
wanted=template,
available=available,
meta=meta)
val = MergedOptions.using(meta.everything['templates'][template],
val)
formatted_string = sb.formatted(sb.string_or_int_as_string_spec(),
MergedOptionStringFormatter,
expected_type=six.string_types)
bucket_name = meta.key_names()['_key_name_0']
original_permission = sb.listof(resource_policy_dict()).normalise(
meta.at("permission"),
NotSpecified if "permission" not in val else val["permission"])
deny_permission = sb.listof(
resource_policy_dict(effect='Deny')).normalise(
meta.at("deny_permission"), NotSpecified
if "deny_permission" not in val else val["deny_permission"])
allow_permission = sb.listof(
resource_policy_dict(effect='Allow')).normalise(
meta.at("allow_permission"), NotSpecified
if "allow_permission" not in val else val["allow_permission"])
val = val.wrapped()
val['permission'] = original_permission + deny_permission + allow_permission
return sb.create_spec(
Bucket,
name=sb.overridden(bucket_name),
location=sb.required(formatted_string),
permission=sb.container_spec(
Document,
sb.listof(resource_policy_statement_spec(
'bucket', bucket_name))),
tags=sb.dictof(sb.string_spec(),
formatted_string)).normalise(meta, val)
def normalise(self, meta, val):
if 'use' in val:
template = val['use']
if template not in meta.everything['templates']:
available = list(meta.everything['templates'].keys())
raise BadTemplate("Template doesn't exist!", wanted=template, available=available, meta=meta)
val = MergedOptions.using(meta.everything['templates'][template], val)
formatted_string = sb.formatted(sb.string_or_int_as_string_spec(), MergedOptionStringFormatter, expected_type=six.string_types)
bucket_name = meta.key_names()['_key_name_0']
original_permission = sb.listof(resource_policy_dict()).normalise(meta.at("permission"), NotSpecified if "permission" not in val else val["permission"])
deny_permission = sb.listof(resource_policy_dict(effect='Deny')).normalise(meta.at("deny_permission"), NotSpecified if "deny_permission" not in val else val["deny_permission"])
allow_permission = sb.listof(resource_policy_dict(effect='Allow')).normalise(meta.at("allow_permission"), NotSpecified if "allow_permission" not in val else val["allow_permission"])
val = val.wrapped()
val['permission'] = original_permission + deny_permission + allow_permission
return sb.create_spec(Bucket
, name = sb.overridden(bucket_name)
, location = sb.required(formatted_string)
, permission = sb.container_spec(Document, sb.listof(resource_policy_statement_spec('bucket', bucket_name)))
, tags = sb.dictof(sb.string_spec(), formatted_string)
).normalise(meta, val)
def normalise(self, meta, val):
if 'use' in val:
template = val['use']
if template not in meta.everything['templates']:
available = list(meta.everything['templates'].keys())
raise BadTemplate("Template doesn't exist!",
wanted=template,
available=available,
meta=meta)
val = MergedOptions.using(meta.everything['templates'][template],
val)
formatted_string = sb.formatted(sb.string_or_int_as_string_spec(),
MergedOptionStringFormatter,
expected_type=six.string_types)
bucket_name = meta.key_names()['_key_name_0']
original_permission = sb.listof(resource_policy_dict()).normalise(
meta.at("permission"),
NotSpecified if "permission" not in val else val["permission"])
deny_permission = sb.listof(
resource_policy_dict(effect='Deny')).normalise(
meta.at("deny_permission"), NotSpecified
if "deny_permission" not in val else val["deny_permission"])
allow_permission = sb.listof(
resource_policy_dict(effect='Allow')).normalise(
meta.at("allow_permission"), NotSpecified
if "allow_permission" not in val else val["allow_permission"])
# require_mfa_to_delete is an alias for this permission
if val.get("require_mfa_to_delete") is True:
delete_policy = {
"action": "s3:DeleteBucket",
"resource": {
"s3": "__self__"
},
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": True
}
}
}
normalised_delete_policy = resource_policy_dict(
effect='Allow').normalise(meta.at("require_mfa_to_delete"),
delete_policy)
allow_permission.append(normalised_delete_policy)
val = val.wrapped()
val['permission'] = original_permission + deny_permission + allow_permission
return sb.create_spec(
Bucket,
acl=sb.defaulted(
sb.match_spec((six.string_types, canned_acl_spec()),
(dict, acl_statement_spec('acl', 'acl'))), None),
name=sb.overridden(bucket_name),
location=sb.defaulted(formatted_string, None),
permission=sb.container_spec(
Document,
sb.listof(resource_policy_statement_spec(
'bucket', bucket_name))),
tags=sb.dictof(sb.string_spec(), formatted_string),
website=sb.defaulted(website_statement_spec("website", "website"),
None),
logging=sb.defaulted(logging_statement_spec("logging", "logging"),
None),
lifecycle=sb.defaulted(
sb.listof(lifecycle_statement_spec("lifecycle", "lifecycle")),
None)).normalise(meta, val)
