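def handle_predefined_policies(
    bucket: Bucket, param_key: str, managed_policies_key: str, statement: list
) -> None:
    """
    Append the statements of the selected predefined bucket policies to *statement*.

    Policy names listed under ``bucket.parameters[param_key]["PredefinedBucketPolicies"]``
    are resolved against ``bucket.module.iam_policies[managed_policies_key]``. A name
    that is not part of that set is logged and skipped, so one unknown name does not
    abort the rest of the bucket policy.

    :param bucket: bucket whose policy document is being built
    :param str param_key: key in ``bucket.parameters`` holding the policy settings
    :param str managed_policies_key: key in ``bucket.module.iam_policies`` naming the
        predefined policy set to resolve against
    :param list statement: ``Statement`` list of the policy document, extended in place
    """
    defined_policies = bucket.module.iam_policies[managed_policies_key]
    # dict.fromkeys de-duplicates while keeping the order the user wrote, so the
    # generated policy document is stable between runs (a set would reorder it).
    unique_policies = list(
        dict.fromkeys(bucket.parameters[param_key]["PredefinedBucketPolicies"])
    )
    bucket_arn = Sub(f"arn:${{{AWS_PARTITION}}}:s3:::${{{bucket.cfn_resource.title}}}")
    # Built on first use only, so nothing is generated when no listed name is valid.
    generated = None
    for policy_name in unique_policies:
        if policy_name not in defined_policies:
            LOG.error(
                f"Policy {policy_name} is not defined as part of possible permissions set"
            )
            continue
        if generated is None:
            # Every argument is loop-invariant: generate the permission set once
            # instead of once per listed policy.
            generated = generate_resource_permissions(
                bucket.logical_name, defined_policies, bucket_arn
            )
        statement += generated[policy_name].PolicyDocument["Statement"]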
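def handle_user_defined_policies(
    bucket: Bucket, param_key: str, user_policies_key: str, statement: list
):
    """
    Append the statements of the user-defined bucket policies to *statement*.

    Each policy document is keyed by its ``Sid`` when present, otherwise by
    ``UserDefined<index>``. A ``Sid`` that was already used falls back to the
    index-based name (with a warning) instead of silently replacing the earlier
    document, so no user-supplied statement is dropped from the bucket policy.

    :param bucket: bucket whose policy document is being built
    :param str param_key: key in ``bucket.parameters`` holding the policy settings
    :param str user_policies_key: key under ``bucket.parameters[param_key]`` holding
        the list of user-defined policy documents
    :param list statement: ``Statement`` list of the policy document, extended in place
    """
    policies = bucket.parameters[param_key][user_policies_key]
    policy_docs = {}
    for count, policy_doc in enumerate(policies):
        fallback_name = f"UserDefined{count}"
        name = policy_doc["Sid"] if keyisset("Sid", policy_doc) else fallback_name
        if name in policy_docs:
            # Two documents sharing a Sid would otherwise overwrite each other here
            # and one of them would never reach the bucket policy.
            LOG.warning(
                f"Duplicate Sid {name} in user defined bucket policies, using {fallback_name}"
            )
            name = fallback_name
        policy_docs[name] = policy_doc
    generated_policies = generate_resource_permissions(
        bucket.logical_name,
        policy_docs,
        Sub(f"arn:${{{AWS_PARTITION}}}:s3:::${{{bucket.cfn_resource.title}}}"),
        True,
    )
    for policy in generated_policies.values():
        statement += policy.PolicyDocument["Statement"]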
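def dynamodb_to_ecs(xresources, services_stack, services_families, res_root_stack, settings):
    """
    Link the DynamoDB tables to the ECS services that use them.

    Tables created in ``res_root_stack`` are delegated to ``handle_new_tables`` with
    a working copy of *xresources* (presumably pruned by it — confirm against that
    function). Every table left in the working copy is treated as a lookup: it is
    validated, resolved by tags, and for each match the IAM permissions and
    environment variables are applied to the service families.

    :param dict xresources: table definitions keyed by name
    :param ecs_composex.common.stacks.ComposeXStack services_stack:
    :param dict services_families:
    :param ecs_composex.common.stacks.ComposeXStack res_root_stack:
    :param ecs_composex.common.settings.ComposeXSettings settings: provides the
        boto session used for the lookup
    :return:
    """
    l_tables = xresources.copy()
    handle_new_tables(xresources, services_families, services_stack, res_root_stack, l_tables)
    for table_name in l_tables:
        table = xresources[table_name]
        validate_lookup_resource(table_name, table, res_root_stack)
        found_resources = lookup_dyn_table(settings.session, table["Lookup"]["Tags"])
        if not found_resources:
            LOG.warning(
                f"No tables found with the provided tags in definition {table_name}."
            )
            continue
        # Every table matching the tags is granted to the services; `table` ends
        # up holding the attributes of the last match.
        for found_table in found_resources:
            table.update(found_table)
            perms = generate_resource_permissions(
                found_table["Name"], ACCESS_TYPES, TABLE_ARN, arn=found_table["Arn"]
            )
            envvars = generate_resource_envvars(
                found_table["Name"],
                xresources[table_name],
                TABLE_ARN,
                arn=found_table["Arn"],
            )
            apply_iam_based_resources(
                table,
                services_families,
                services_stack,
                res_root_stack,
                envvars,
                perms,
            )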
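def handle_new_topics(
    xresources,
    services_families,
    services_stack,
    res_root_stack,
    l_topics,
    nested=False,
):
    """
    Link the SNS topics created in *res_root_stack* (and its nested stacks) to the services.

    Every ``Topic`` in the stack template whose title is also a key of *xresources*
    gets IAM permissions and environment variables applied to the service families
    and is removed from *l_topics*. Nested ``ComposeXStack`` resources are scanned
    recursively with ``nested=True``.

    :param dict xresources: topic definitions keyed by name
    :param dict services_families:
    :param services_stack:
    :param res_root_stack: stack whose template resources are scanned
    :param dict l_topics: resources still to resolve; matched topics are removed from it
    :param bool nested: passed through to apply_iam_based_resources
    """
    found_titles = []
    for resource in res_root_stack.stack_template.resources.values():
        if isinstance(resource, Topic):
            found_titles.append(resource.title)
        elif isinstance(resource, ComposeXStack):
            handle_new_topics(
                xresources,
                services_families,
                services_stack,
                resource,
                l_topics,
                nested=True,
            )
    for topic_name in xresources:
        if topic_name not in found_titles:
            continue
        perms = generate_resource_permissions(topic_name, ACCESS_TYPES, TOPIC_ARN_T)
        envvars = generate_resource_envvars(topic_name, xresources[topic_name], TOPIC_ARN_T)
        apply_iam_based_resources(
            xresources[topic_name],
            services_families,
            services_stack,
            res_root_stack,
            envvars,
            perms,
            nested,
        )
        # pop(): a nested stack may already have resolved this name; del would KeyError.
        l_topics.pop(topic_name, None)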
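def handle_new_queues(
    xresources,
    services_families,
    services_stack,
    res_root_stack,
    l_queues,
    nested=False,
):
    """
    Link the SQS queues created in *res_root_stack* (and its nested stacks) to the services.

    Every ``Queue`` in the stack template whose title is also a key of *xresources*
    gets IAM permissions (on the queue ARN) and environment variables (the queue URL)
    applied to the service families and is removed from *l_queues*. Nested
    ``ComposeXStack`` resources are scanned recursively with ``nested=True``.

    :param dict xresources: queue definitions keyed by name
    :param dict services_families:
    :param services_stack:
    :param res_root_stack: stack whose template resources are scanned
    :param dict l_queues: resources still to resolve; matched queues are removed from it
    :param bool nested: passed through to apply_iam_based_resources
    """
    found_titles = []
    for resource in res_root_stack.stack_template.resources.values():
        if isinstance(resource, Queue):
            found_titles.append(resource.title)
        elif isinstance(resource, ComposeXStack):
            handle_new_queues(
                xresources,
                services_families,
                services_stack,
                resource,
                l_queues,
                nested=True,
            )
    for queue_name in xresources:
        if queue_name not in found_titles:
            continue
        perms = generate_resource_permissions(queue_name, ACCESS_TYPES, SQS_ARN.title)
        envvars = generate_resource_envvars(queue_name, xresources[queue_name], SQS_URL)
        apply_iam_based_resources(
            xresources[queue_name],
            services_families,
            services_stack,
            res_root_stack,
            envvars,
            perms,
            nested,
        )
        # pop(): a nested stack may already have resolved this name; del would KeyError.
        l_queues.pop(queue_name, None)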
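def handle_new_keys(
    xresources,
    services_families,
    services_stack,
    res_root_stack,
    l_keys,
    nested=False,
):
    """
    Link the KMS keys created in *res_root_stack* (and its nested stacks) to the services.

    Every ``Key`` in the stack template whose title is also a key of *xresources*
    gets IAM permissions and environment variables applied to the service families
    and is removed from *l_keys*. Nested ``ComposeXStack`` resources are scanned
    recursively with ``nested=True``.

    :param dict xresources: KMS key definitions keyed by name
    :param dict services_families:
    :param services_stack:
    :param res_root_stack: stack whose template resources are scanned
    :param dict l_keys: resources still to resolve; matched keys are removed from it
    :param bool nested: passed through to apply_iam_based_resources
    """
    found_titles = []
    for resource in res_root_stack.stack_template.resources.values():
        if isinstance(resource, Key):
            found_titles.append(resource.title)
        elif isinstance(resource, ComposeXStack):
            handle_new_keys(
                xresources,
                services_families,
                services_stack,
                resource,
                l_keys,
                nested=True,
            )
    for key_name in xresources:
        if key_name not in found_titles:
            continue
        perms = generate_resource_permissions(key_name, ACCESS_TYPES, KMS_KEY_ARN_T)
        envvars = generate_resource_envvars(key_name, xresources[key_name], KMS_KEY_ARN_T)
        apply_iam_based_resources(
            xresources[key_name],
            services_families,
            services_stack,
            res_root_stack,
            envvars,
            perms,
            nested,
        )
        # pop(): a nested stack may already have resolved this name; del would KeyError.
        l_keys.pop(key_name, None)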