def test_create_statements():
"""Various statement creations."""
s1 = Deny(
apply_to=Principal(PrincipalKind.SERVICE, "myservice"),
to="do_something",
not_on="resource",
)
assert s1.properties
s2 = Allow(
apply_to=Principal(PrincipalKind.SERVICE, "myservice"),
sid="id1",
to="do_something",
on="allowed_resource",
)
assert s2.properties
pd1 = PolicyDocument()
pd2 = PolicyDocument()
pd1.append(s1)
pd2.append(s2)
pd3 = pd1 + pd2
assert len(pd3.statements) == 2
pd1 += [s2]
assert len(pd3.statements) == 2
def add_bucket_access(self, bucket_list):
"""Authorize access to a list of buckets using vpc endpoint.
Note that this just allow an instance in the vpc to ask access
to a given bucket through the endpoint. This does not change
the bucket policy.
The function creates also automatically the S3 VPC endpoint
on the first call.
:param bucket_list: list of bucket names
:type bucket_list: list[Bucket] | list[str]
"""
if self.name + 'S3EndPoint' not in self:
self.add(VPCEndpoint(self.name + 'S3EndPoint',
's3',
self.subnet.vpc,
[self.route_table],
PolicyDocument()))
for bucket in bucket_list:
if isinstance(bucket, Bucket):
bucket_name = bucket.ref
else:
bucket_name = bucket
self.s3_endpoint.policy_document.append(
Allow(to='s3:*',
on=[Join(['arn:aws:s3:::', bucket_name]),
Join(['arn:aws:s3:::', bucket_name, '/*'])],
apply_to=Principal(PrincipalKind.EVERYONE)))
def add_secret_access(self, secret_arn):
"""Give read access to a given secret.
:param secret_name: arn identifying the secret to give access to
:type secret_name: str
"""
endpoint_name = f"{self.name}SecretsManagerEndPoint"
if endpoint_name not in self:
self.add(
VPCInterfaceEndpoint(
name=endpoint_name,
service="secretsmanager",
vpc=self.vpc,
subnet=self.aws_endpoints_subnet.subnet,
policy_document=PolicyDocument(),
security_group=self.aws_endpoints_security_group,
))
self.secretsmanager_endpoint.policy_document.append(
Allow(
to=[
"secretsmanager:GetResourcePolicy",
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"secretsmanager:ListSecretVersionIds",
],
on=[secret_arn],
apply_to=Principal(PrincipalKind.EVERYONE),
))
def test_principal_star():
"""Create a list of principal with one principal being '*'."""
pl = [Principal(PrincipalKind.SERVICE, 'ec2.amazonaws.com'),
Principal(PrincipalKind.EVERYONE)]
with pytest.raises(AssertionError):
Principal.property_list(pl)
pl = [Principal(PrincipalKind.EVERYONE)]
assert Principal.property_list(pl)
def test_create_network():
s = Stack(name="teststack")
s = Stack(name="MyStack")
s += VPC("BuildVPC", "10.10.0.0/16")
s += InternetGateway("Gate")
s += Subnet("BuildPublicSubnet", s["BuildVPC"], "10.10.10.0/24")
s += Subnet("BuildPrivateSubnet", s["BuildVPC"], "10.10.20.0/24")
s += VPCGatewayAttachment("GateAttach", s["BuildVPC"], s["Gate"])
s += RouteTable("RT", s["BuildVPC"])
s += Route("PRoute", s["RT"], "0.0.0.0/0", s["Gate"], s["GateAttach"])
s += SubnetRouteTableAssociation("RTSAssoc", s["BuildPublicSubnet"], s["RT"])
p = PolicyDocument().append(
Allow(
to="GetObject",
on="arn:aws:s3:::abucket/*",
apply_to=Principal(PrincipalKind.SERVICE, "ec2.amazonaws.com"),
)
)
s += VPCEndpoint("S3EndPoint", "s3", s["BuildVPC"], [s["RT"]], policy_document=p)
assert s.body
def test_create_network():
s = Stack(name='teststack')
s = Stack(name='MyStack')
s += VPC('BuildVPC', '10.10.0.0/16')
s += InternetGateway('Gate')
s += Subnet('BuildPublicSubnet', s['BuildVPC'], '10.10.10.0/24')
s += Subnet('BuildPrivateSubnet', s['BuildVPC'], '10.10.20.0/24')
s += VPCGatewayAttachment('GateAttach', s['BuildVPC'], s['Gate'])
s += RouteTable('RT', s['BuildVPC'])
s += Route('PRoute', s['RT'], '0.0.0.0/0', s['Gate'], s['GateAttach'])
s += SubnetRouteTableAssociation('RTSAssoc', s['BuildPublicSubnet'],
s['RT'])
p = PolicyDocument().append(
Allow(to='GetObject',
on='arn:aws:s3:::abucket/*',
apply_to=Principal(PrincipalKind.SERVICE, 'ec2.amazonaws.com')))
s += VPCEndpoint('S3EndPoint',
's3',
s['BuildVPC'], [s['RT']],
policy_document=p)
assert s.body
def add_lambda_access(self, lambda_arns):
"""Add a lambda interface endpoint with permissions to invoke given lambdas.
:param lambda_arns: arn identifying the lambda to give access to
:type lambda_arns: list[str]
"""
endpoint_name = f"{self.name}LambdaEndPoint"
if endpoint_name not in self:
self.add(
VPCInterfaceEndpoint(
name=endpoint_name,
service="lambda",
vpc=self.vpc,
subnet=self.aws_endpoints_subnet.subnet,
policy_document=PolicyDocument(),
security_group=self.aws_endpoints_security_group,
))
self.lambda_endpoint.policy_document.append(
Allow(
to=["lambda:InvokeFunction"],
on=chain.from_iterable(((lambda_arn, lambda_arn + ":*")
for lambda_arn in lambda_arns)),
apply_to=Principal(PrincipalKind.EVERYONE),
))