def get_deploy_templates(): return { "create": [ { "function": "create_elasticsearch_domain", "parameters": select_parameters( "AccessPolicies", "AdvancedOptions", "CognitoOptions", "DomainName", "EBSOptions", "ElasticsearchClusterConfig", "ElasticsearchVersion", "EncryptionAtRestOptions", "LogPublishingOptions", "NodeToNodeEncryptionOptions", "SnapshotOptions", "VPCOptions", ), }, { "function": "add_tags", "parameters": es_add_tags_params }, ], "delete": { "function": "delete_elasticsearch_domain", "parameters": { "DomainName": "DomainName" }, }, }
def get_deploy_templates(): return { "create": { "function": "publish_version", "parameters": select_parameters("FunctionName", "CodeSha256", "Description"), } }
def events_put_rule_params(params, **kwargs): attrs = [ "ScheduleExpression", "EventPattern", "State", "Description", "Name", "EventBusName", ] result = select_parameters(*attrs)(params, **kwargs) # TODO: remove this when refactoring events (prefix etc. was excluded here already to avoid most of the wrong behavior) def wrap_in_lists(o, **kwargs): if isinstance(o, dict): for k, v in o.items(): if not isinstance(v, (dict, list)) and k not in [ "prefix", "cidr", "exists", ]: o[k] = [v] return o pattern = result.get("EventPattern") if isinstance(pattern, dict): wrapped = common.recurse_object(pattern, wrap_in_lists) result["EventPattern"] = json.dumps(wrapped) return result
def get_deploy_templates(): return { "create": { "function": "create_delivery_stream", "parameters": select_parameters( "DeliveryStreamName", "DeliveryStreamType", "S3DestinationConfiguration", "ElasticsearchDestinationConfiguration", ), }, "delete": { "function": "delete_delivery_stream", "parameters": { "DeliveryStreamName": "DeliveryStreamName" }, }, }
def get_deploy_templates(): return { "create": { "function": "put_parameter", "parameters": merge_parameters( params_dict_to_list("Tags", wrapper="Tags"), select_parameters( "Name", "Type", "Value", "Description", "AllowedPattern", "Policies", "Tier", ), ), "types": {"Value": str}, }, "delete": {"function": "delete_parameter", "parameters": ["Name"]}, }
def get_deploy_templates(cls): return { "create": [ { "function": "create_role", "parameters": param_defaults( dump_json_params( select_parameters( "Path", "RoleName", "AssumeRolePolicyDocument", "Description", "MaxSessionDuration", "PermissionsBoundary", "Tags", ), "AssumeRolePolicyDocument", ), {"RoleName": PLACEHOLDER_RESOURCE_NAME}, ), }, { "function": IAMRole._post_create }, ], "delete": [ { "function": IAMRole._pre_delete }, { "function": "delete_role", "parameters": { "RoleName": "RoleName" } }, ], }
def events_put_rule_params(params, **kwargs): attrs = [ "ScheduleExpression", "EventPattern", "State", "Description", "Name", "EventBusName", ] result = select_parameters(*attrs)(params, **kwargs) def wrap_in_lists(o, **kwargs): if isinstance(o, dict): for k, v in o.items(): if not isinstance(v, (dict, list)): o[k] = [v] return o pattern = result.get("EventPattern") if isinstance(pattern, dict): wrapped = common.recurse_object(pattern, wrap_in_lists) result["EventPattern"] = json.dumps(wrapped) return result
def get_deploy_templates(): return { "create": { "function": "create_delivery_stream", "parameters": select_parameters( "DeliveryStreamName", "DeliveryStreamType", "S3DestinationConfiguration", "ElasticsearchDestinationConfiguration", "AmazonopensearchserviceDestinationConfiguration", "DeliveryStreamEncryptionConfigurationInput", "ExtendedS3DestinationConfiguration", "HttpEndpointDestinationConfiguration", "KinesisStreamSourceConfiguration", "RedshiftDestinationConfiguration", "SplunkDestinationConfiguration", "Tags", ), }, "delete": { "function": "delete_delivery_stream", "parameters": {"DeliveryStreamName": "DeliveryStreamName"}, }, }
def lambda_permission_params(params, **kwargs): result = select_parameters("FunctionName", "Action", "Principal")(params, **kwargs) result["StatementId"] = short_uid() return result
def get_deploy_templates(cls): def _post_create(resource_id, resources, resource_type, func, stack_name): """attaches managed policies from the template to the role""" iam = aws_stack.connect_to_service("iam") resource = resources[resource_id] props = resource["Properties"] role_name = props["RoleName"] # attach managed policies policy_arns = props.get("ManagedPolicyArns", []) for arn in policy_arns: iam.attach_role_policy(RoleName=role_name, PolicyArn=arn) # add inline policies inline_policies = props.get("Policies", []) for policy in inline_policies: assert not isinstance( policy, list ) # remove if this doesn't make any problems for a while if policy == PLACEHOLDER_AWS_NO_VALUE: continue if not isinstance(policy, dict): LOG.info('Invalid format of policy for IAM role "%s": %s' % (props.get("RoleName"), policy)) continue pol_name = policy.get("PolicyName") doc = dict(policy["PolicyDocument"]) doc["Version"] = doc.get("Version") or IAM_POLICY_VERSION statements = ensure_list(doc["Statement"]) for statement in statements: if isinstance(statement.get("Resource"), list): # filter out empty resource strings statement["Resource"] = [ r for r in statement["Resource"] if r ] doc = json.dumps(doc) iam.put_role_policy( RoleName=props["RoleName"], PolicyName=pol_name, PolicyDocument=doc, ) def _pre_delete(resource_id, resources, resource_type, func, stack_name): """detach managed policies from role before deleting""" iam_client = aws_stack.connect_to_service("iam") resource = resources[resource_id] props = resource["Properties"] role_name = props["RoleName"] # TODO: this should probably only remove the policies that are specified in the stack (verify with AWS) # detach managed policies for policy in iam_client.list_attached_role_policies( RoleName=role_name).get("AttachedPolicies", []): iam_client.detach_role_policy(RoleName=role_name, PolicyArn=policy["PolicyArn"]) # delete inline policies for inline_policy_name in iam_client.list_role_policies( RoleName=role_name).get("PolicyNames", []): iam_client.delete_role_policy(RoleName=role_name, PolicyName=inline_policy_name) # TODO: potentially remove this when stack resource deletion order is fixed (check AWS behavior first) # cleanup instance profile try: rs = iam_client.list_instance_profiles_for_role( RoleName=role_name) for instance_profile in rs["InstanceProfiles"]: ip_name = instance_profile["InstanceProfileName"] iam_client.remove_role_from_instance_profile( InstanceProfileName=ip_name, RoleName=role_name) except Exception as e: if "NoSuchEntity" not in str(e): raise return { "create": [ { "function": "create_role", "parameters": param_defaults( dump_json_params( select_parameters( "Path", "RoleName", "AssumeRolePolicyDocument", "Description", "MaxSessionDuration", "PermissionsBoundary", "Tags", ), "AssumeRolePolicyDocument", ), {"RoleName": PLACEHOLDER_RESOURCE_NAME}, ), }, { "function": _post_create }, ], "delete": [ { "function": _pre_delete }, { "function": "delete_role", "parameters": { "RoleName": "RoleName" } }, ], }