class Roles(object):
def __init__(self):
self.session = Session()
self.iam_client = self.session.client('iam')
self.iam_resource = self.session.resource('iam')
@client_error_ignore('NoSuchEntity')
def find(self, name):
aro = self.iam_resource.Role(name)
aro.create_date
return aro.arn
def create(self, path, name, base_trust_policy):
try:
response = self.iam_client.create_role(
Path='/{}/'.format(path),
RoleName=name,
AssumeRolePolicyDocument=base_trust_policy,
Description='Assumed by resources provisioned by products \
associated with Service Catalog Portfolio {}'.format(name))
logger.debug('Role created: {}'.format(name))
return response['Role']['Arn']
except ClientError as err:
if err.response['Error']['Code'] == 'EntityAlreadyExists':
return self.find(name)
else:
raise err
def __init__(self, arn):
self.session = Session()
self.iam_client = self.session.client('iam')
self.iam_resource = self.session.resource('iam')
self.arn = arn
self.name = arn_to_name(self.arn)
self.aro = self.iam_resource.Role(self.name)
class Policy(object):
def __init__(self, arn):
self.session = Session()
self.iam_client = self.session.client('iam')
self.iam_resource = self.session.resource('iam')
self.arn = arn
self.name = arn_to_name(self.arn)
self.aro = self.iam_resource.Policy(self.arn)
def delete_non_default_versions(self):
for policy_version in self.aro.versions.all():
if not policy_version.is_default_version:
policy_version.delete()
def detach_roles(self):
for rol in self.aro.attached_roles.all():
rol.detach_policy(PolicyArn=self.arn)
@client_error_retry('LimitExceeded', delete_non_default_versions)
def update_document(self, document):
self.iam_client.create_policy_version(
PolicyArn=self.arn,
PolicyDocument=json.dumps(document),
SetAsDefault=True)
logger.info('Policy document updated: {}'.format(document))
@client_error_retry('DeleteConflict', detach_roles)
@client_error_retry('DeleteConflict', delete_non_default_versions)
def delete(self):
self.aro.delete()
class Stack(object):
def __init__(self, stack_id):
self.session = Session()
self.arn = stack_id
cfn_resource = self.session.resource('cloudformation')
self.aro = cfn_resource.Stack(self.arn)
def tag(self, key, exception=False):
value = jmespath.search("[?Key=='{}'].Value|[0]".format(key),
self.aro.tags)
if not value:
if exception:
raise TagNotExist(key)
return value
def stack_resources(self):
resources = []
for resource in self.aro.resource_summaries.all():
stack_resource = self.aro.Resource(resource.logical_id)
if stack_resource.resource_status not in NOT_APPLICABLE_RESOURCE_STATUS:
resources.append(stack_resource)
return resources
# TODO conclude the new created and the deleted and the replaced resources
def stack_resources_change(self):
resources = []
for resource in self.aro.resource_summaries.all():
resource_obj = self.aro.Resource(resource.logical_id)
resources.append(resource_obj)
return resources
def __init__(self, physical_id, **kwargs):
self.physical_id = physical_id
self._session = Session()
self._client = self._session.client(self._service_name())
self._resource = self._resource()
self._iam_client = self._session.client('iam')
self._iam_resource = self._session.resource('iam')
self.arn = self._arn()
self.service_name = self._service_name()
self.access_to = self._access_to()
self.access_from = self._access_from()
self.assumed_role = self._assumed_role()
self.trust_relationship_service = self._trust_relationship_service()
self.statement_id = self._statement_id()
self.actions = kwargs.get('actions', self._actions())
class Table():
def __init__(self, name):
self.session = Session()
self.dynamodb_client = self.session.client('dynamodb')
self.dynamodb_resource = self.session.resource('dynamodb')
self.name = name
self.aro = self.dynamodb_resource.Table(self.name)
def add(self, items):
with self.aro.batch_writer() as batch:
for item in items:
batch.put_item(Item=item)
def remove(self, items):
with self.aro.batch_writer() as batch:
for item in items:
print('item: {}'.format(item))
batch.delete_item(Key=item)
class Role(object):
def __init__(self, arn):
self.session = Session()
self.iam_client = self.session.client('iam')
self.iam_resource = self.session.resource('iam')
self.arn = arn
self.name = arn_to_name(self.arn)
self.aro = self.iam_resource.Role(self.name)
def attach_policy(self, policy_arn):
self.aro.attach_policy(PolicyArn=policy_arn)
def update_trust_document(self, service_name):
policy = self.aro.AssumeRolePolicy()
policy_doc = self.aro.assume_role_policy_document
principal_service = jmespath.search("Statement[].Principal.Service",
policy_doc)
principal_service = jmespath.search("[][][]", principal_service)
if service_name not in principal_service:
principal_service.append(service_name)
policy_doc['Statement'] = [{
'Action': 'sts:AssumeRole',
'Effect': 'Allow',
'Principal': {
'Service': principal_service
}
}]
policy.update(PolicyDocument=json.dumps(policy_doc))
logger.debug("Trust policy updated: {}".format(policy_doc))
def _stop_being_assumed(self):
pass
def _detach_policy(self):
pass
# TODO implement the resolver methods
@client_error_retry('DeleteConflict', _stop_being_assumed)
@client_error_retry('DeleteConflict', _detach_policy)
def delete(self):
self.aro.delete()
class Policies(object):
def __init__(self):
self.session = Session()
self.iam_client = self.session.client('iam')
self.iam_resource = self.session.resource('iam')
def find(self, path, name):
paginator = self.iam_client.get_paginator('list_policies')
response_iterator = paginator.paginate(
Scope='Local',
OnlyAttached=False,
PathPrefix='/{}/'.format(path),
PaginationConfig={
'MaxItems': 123,
'PageSize': 123
}
)
result = []
for response in response_iterator:
result += jmespath.search(
"Policies[?PolicyName=='{}'].Arn".format(name),
response
)
return jmespath.search("[0]", result)
def create(self, path, name, base_policy):
try:
response = self.iam_client.create_policy(
Path='/{}/'.format(path),
PolicyName=name,
PolicyDocument=base_policy,
Description='Set the access to resources provisioned by products \
associated with Service Catalog Portfolio {}'.format(name)
)
logger.info('Policy created: {}'.format(name))
return response['Policy']['Arn']
except ClientError as e:
if e.response['Error']['Code'] == 'EntityAlreadyExists':
return self.find(path, name)
def __init__(self):
self.session = Session()
self.iam_client = self.session.client('iam')
self.iam_resource = self.session.resource('iam')
def __init__(self, stack_id):
self.session = Session()
self.arn = stack_id
cfn_resource = self.session.resource('cloudformation')
self.aro = cfn_resource.Stack(self.arn)
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
'''
import jmespath
import json
from boto3.dynamodb.conditions import Attr
from helpers.utils.session import Session
from helpers.logger import logger
from helpers.defaults import BASE_POLICY
from helpers.exceptions import EventParsingError
from helpers.controllers.policy import Policy
from helpers.controllers.role import Role
from helpers.utils import convertor
session = Session()
dynamodb_resource = session.resource('dynamodb')
def handler(event, context):
logger.debug(event)
table_arn = jmespath.search(
"Records[?eventSource=='aws:dynamodb'].eventSourceARN | [0]",
event
).split('/stream/')[0]
if not table_arn:
raise(EventParsingError('eventSourceARN'))
table = dynamodb_resource.Table(convertor.arn_to_name(table_arn))
altered_policies = jmespath.search(
class Base(object):
def __init__(self, physical_id, **kwargs):
self.physical_id = physical_id
self._session = Session()
self._client = self._session.client(self._service_name())
self._resource = self._resource()
self._iam_client = self._session.client('iam')
self._iam_resource = self._session.resource('iam')
self.arn = self._arn()
self.service_name = self._service_name()
self.access_to = self._access_to()
self.access_from = self._access_from()
self.assumed_role = self._assumed_role()
self.trust_relationship_service = self._trust_relationship_service()
self.statement_id = self._statement_id()
self.actions = kwargs.get('actions', self._actions())
def __str__(self):
return "Resource id: {} Arn: {}".format(self.physical_id, self.arn)
@catch_error(ResourceNotExistsError)
def _resource(self):
return self._session.resource(self._service_name())
def _arn(self):
return None
def _service_name(self):
return None
def _access_to(self):
return False
def _access_from(self):
return False
def _assumed_role(self):
return None
def _trust_relationship_service(self):
return None
def _statement_id(self):
return None
def _actions(self):
return None
def attach_policy(self, policy):
if not self.assumed_role:
return
role_name = convertor.arn_to_name(self.assumed_role)
self._iam_client.attach_role_policy(RoleName=role_name,
PolicyArn=policy)
def assume_role(self, role):
pass
def detach_policy(self, policy):
if not self.assumed_role:
return
role_name = convertor.arn_to_name(self.assumed_role)
self._iam_client.detach_role_policy(RoleName=role_name,
PolicyArn=policy)
def stop_assume_role(self, role):
pass
def __init__(self, name):
self.session = Session()
self.dynamodb_client = self.session.client('dynamodb')
self.dynamodb_resource = self.session.resource('dynamodb')
self.name = name
self.aro = self.dynamodb_resource.Table(self.name)