def _create_role_reference(self, config, stage_name, function_name):
# type: (Config, str, str) -> models.IAMRole
# First option, the user doesn't want us to manage
# the role at all.
if not config.manage_iam_role:
# We've already validated the iam_role_arn is provided
# if manage_iam_role is set to False.
return models.PreCreatedIAMRole(role_arn=config.iam_role_arn, )
policy = models.IAMPolicy(document=models.Placeholder.BUILD_STAGE)
if not config.autogen_policy:
resource_name = '%s_role' % function_name
role_name = '%s-%s-%s' % (config.app_name, stage_name,
function_name)
if config.iam_policy_file is not None:
filename = os.path.join(config.project_dir, '.chalice',
config.iam_policy_file)
else:
filename = os.path.join(config.project_dir, '.chalice',
'policy-%s.json' % stage_name)
policy = models.FileBasedIAMPolicy(
filename=filename, document=models.Placeholder.BUILD_STAGE)
else:
resource_name = 'default-role'
role_name = '%s-%s' % (config.app_name, stage_name)
policy = models.AutoGenIAMPolicy(
document=models.Placeholder.BUILD_STAGE)
return models.ManagedIAMRole(
resource_name=resource_name,
role_name=role_name,
trust_policy=LAMBDA_TRUST_POLICY,
policy=policy,
)
def test_can_create_plan_for_filebased_role(self):
self.remote_state.declare_no_resources_exists()
resource = models.ManagedIAMRole(
resource_name='default-role',
role_name='myrole',
trust_policy={'trust': 'policy'},
policy=models.FileBasedIAMPolicy(filename='foo.json',
document={'iam': 'policy'}),
)
plan = self.determine_plan(resource)
expected = models.APICall(
method_name='create_role',
params={
'name': 'myrole',
'trust_policy': {
'trust': 'policy'
},
'policy': {
'iam': 'policy'
}
},
)
self.assert_apicall_equals(plan[0], expected)
assert list(self.last_plan.messages.values()) == [
'Creating IAM role: myrole\n'
]
def test_error_raised_if_file_policy_not_exists(self):
p = self.create_policy_generator()
policy = models.FileBasedIAMPolicy(
filename='foo.json', document=models.Placeholder.BUILD_STAGE)
self.osutils.get_file_contents.side_effect = IOError()
with pytest.raises(RuntimeError):
p.handle(Config.create(), policy)
def test_policy_loaded_from_file_if_needed(self):
p = self.create_policy_generator()
policy = models.FileBasedIAMPolicy(
filename='foo.json', document=models.Placeholder.BUILD_STAGE)
self.osutils.get_file_contents.return_value = '{"iam": "policy"}'
p.handle(Config.create(), policy)
assert policy.document == {'iam': 'policy'}
self.osutils.get_file_contents.assert_called_with('foo.json')
def _create_rest_api_model(
self,
config, # type: Config
deployment, # type: models.DeploymentPackage
stage_name, # type: str
):
# type: (...) -> models.RestAPI
# Need to mess with the function name for back-compat.
lambda_function = self._create_lambda_model(config=config,
deployment=deployment,
name='api_handler',
handler_name='app.app',
stage_name=stage_name)
# For backwards compatibility with the old deployer, the
# lambda function for the API handler doesn't have the
# resource_name appended to its complete function_name,
# it's just <app>-<stage>.
function_name = '%s-%s' % (config.app_name, config.chalice_stage)
lambda_function.function_name = function_name
if config.minimum_compression_size is None:
minimum_compression = ''
else:
minimum_compression = str(config.minimum_compression_size)
authorizers = []
for auth in config.chalice_app.builtin_auth_handlers:
auth_lambda = self._create_lambda_model(
config=config,
deployment=deployment,
name=auth.name,
handler_name=auth.handler_string,
stage_name=stage_name,
)
authorizers.append(auth_lambda)
policy = None
policy_path = config.api_gateway_policy_file
if (config.api_gateway_endpoint_type == 'PRIVATE' and not policy_path):
policy = models.IAMPolicy(
document=self._get_default_private_api_policy(config))
elif policy_path:
policy = models.FileBasedIAMPolicy(
document=models.Placeholder.BUILD_STAGE,
filename=os.path.join(config.project_dir, '.chalice',
policy_path))
return models.RestAPI(resource_name='rest_api',
swagger_doc=models.Placeholder.BUILD_STAGE,
endpoint_type=config.api_gateway_endpoint_type,
minimum_compression=minimum_compression,
api_gateway_stage=config.api_gateway_stage,
lambda_function=lambda_function,
authorizers=authorizers,
policy=policy)
def test_error_raised_when_filebased_policy_not_exist(self):
self.remote_state.declare_no_resources_exists()
resource = models.ManagedIAMRole(
resource_name='default-role',
role_name='myrole',
trust_policy={'trust': 'policy'},
policy=models.FileBasedIAMPolicy(filename='foo.json'),
)
self.osutils.get_file_contents.side_effect = IOError(
"File does not exist")
with pytest.raises(RuntimeError):
self.determine_plan(resource)
def test_can_set_variables_when_needed(self):
function = create_function_resource('function_name')
self.remote_state.declare_no_resources_exists()
function.role = models.ManagedIAMRole(
resource_name='myrole',
role_name='myrole-dev',
trust_policy={'trust': 'policy'},
policy=models.FileBasedIAMPolicy(filename='foo.json'),
)
plan = self.determine_plan(function)
call = plan[0]
assert call.method_name == 'create_function'
# The params are verified in test_can_create_function,
# we just care about how the role_arn Variable is constructed.
role_arn = call.params['role_arn']
assert isinstance(role_arn, Variable)
assert role_arn.name == 'myrole-dev_role_arn'
def test_can_update_file_based_policy(self):
role = models.ManagedIAMRole(
resource_name='resource_name',
role_name='myrole',
trust_policy={},
policy=models.FileBasedIAMPolicy(filename='foo.json',
document={'iam': 'policy'}),
)
self.remote_state.declare_resource_exists(role, role_arn='myrole:arn')
plan = self.determine_plan(role)
assert plan[0] == models.StoreValue(name='myrole_role_arn',
value='myrole:arn')
self.assert_apicall_equals(
plan[1],
models.APICall(
method_name='put_role_policy',
params={
'role_name': 'myrole',
'policy_name': 'myrole',
'policy_document': {
'iam': 'policy'
}
},
))
