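def _create_role_policy(stack_arn, function_name):
    """Build the JSON policy document for a role from a stack's resources.

    The policy starts with a statement allowing CloudWatch Logs writes and
    gains one statement for every stack resource for which
    ``_make_resource_statement`` returns something other than ``None``.

    Args:
        stack_arn: ARN of the CloudFormation stack to inspect. The client
            region is derived from it.
        function_name: Forwarded unchanged to ``_make_resource_statement``.

    Returns:
        The policy serialized as a JSON string with four-space indentation.

    Raises:
        Exception: Any error raised while describing the stack resources is
            logged and then re-raised.
    """
    region = discovery_utils.get_region_from_stack_arn(stack_arn)
    cf = boto3.client('cloudformation', region_name=region)

    try:
        res = discovery_utils.try_with_backoff(
            lambda: cf.describe_stack_resources(StackName=stack_arn))
        # NOTE(security): the complete describe_stack_resources response is
        # written to the log, so log readers can see every resource id in
        # the stack.
        # Single-argument print(...) gives the same output as the print
        # statement on Python 2 and also parses on Python 3.
        print('describe_stack_resource(StackName="{}") result: {}'.format(
            stack_arn, res))
    except Exception as e:
        print('describe_stack_resource(StackName="{}") error: {}'.format(
            stack_arn, getattr(e, 'response', e)))
        # Bare raise keeps the original traceback; "raise e" on Python 2
        # would restart it at this line and hide where the call failed.
        raise

    # NOTE(security): "arn:aws:logs:*:*:*" matches every log group and stream
    # in every region, which is broader than one function needs. Scoping it
    # to the function's own log group would be tighter; it is left as-is
    # because the physical log group name is not known in this function.
    policy = {
        'Version': '2012-10-17',
        'Statement': [
            {
                "Sid": "WriteLogs",
                "Effect": "Allow",
                "Action": [
                    "logs:CreateLogGroup",
                    "logs:CreateLogStream",
                    "logs:PutLogEvents"
                ],
                "Resource": "arn:aws:logs:*:*:*"
            }
        ]
    }

    for resource in res['StackResources']:
        statement = _make_resource_statement(
            cf, stack_arn, function_name, resource['LogicalResourceId'])
        if statement is not None:
            policy['Statement'].append(statement)

    print('generated policy: {}'.format(policy))

    return json.dumps(policy, indent=4)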
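def _create_role_policy(stack_arn, policy_name, default_statements,
                        policy_metadata_filter):
    """Build the JSON policy document for a role from a stack's resources.

    The policy starts from a deep copy of ``default_statements`` and gains
    one statement for every stack resource for which
    ``_make_resource_statement`` returns something other than ``None``.

    Args:
        stack_arn: ARN of the CloudFormation stack to inspect. The client
            region is derived from it.
        policy_name: Forwarded unchanged to ``_make_resource_statement``.
        default_statements: List of policy statements placed at the start of
            the policy. Only the container type is checked here; the
            statements themselves go into the policy as given.
        policy_metadata_filter: Forwarded unchanged to
            ``_make_resource_statement``.

    Returns:
        The policy serialized as a JSON string with four-space indentation.

    Raises:
        ValidationError: If ``default_statements`` is not a list.
        Exception: Any error raised while describing the stack resources is
            logged and then re-raised.
    """
    if not isinstance(default_statements, list):
        raise ValidationError('The default_statements value is not a list.')

    region = discovery_utils.get_region_from_stack_arn(stack_arn)
    cf = boto3.client('cloudformation', region_name=region)

    try:
        res = discovery_utils.try_with_backoff(
            lambda: cf.describe_stack_resources(StackName=stack_arn))
        # NOTE(security): the complete describe_stack_resources response is
        # written to the log, so log readers can see every resource id in
        # the stack.
        # Single-argument print(...) gives the same output as the print
        # statement on Python 2 and also parses on Python 3.
        print('describe_stack_resource(StackName="{}") result: {}'.format(
            stack_arn, res))
    except Exception as e:
        print('describe_stack_resource(StackName="{}") error: {}'.format(
            stack_arn, getattr(e, 'response', e)))
        # Bare raise keeps the original traceback; "raise e" on Python 2
        # would restart it at this line and hide where the call failed.
        raise

    # Deep copy so appending below never mutates the caller's list.
    # NOTE(security): the default statements are trusted verbatim; a caller
    # passing an over-broad Allow statement gets it in the final policy.
    policy = {
        'Version': '2012-10-17',
        'Statement': copy.deepcopy(default_statements)
    }

    for resource in res['StackResources']:
        statement = _make_resource_statement(
            cf, stack_arn, policy_name, resource['LogicalResourceId'],
            policy_metadata_filter)
        if statement is not None:
            policy['Statement'].append(statement)

    print('generated policy: {}'.format(policy))

    return json.dumps(policy, indent=4)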
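def _create_role_policy(stack_arn, function_name):
    """Return a JSON role policy derived from the resources of a stack.

    A fixed "WriteLogs" statement comes first. After it, each stack resource
    contributes the statement ``_make_resource_statement`` produces for it,
    unless that statement is ``None``.

    Args:
        stack_arn: ARN of the CloudFormation stack to describe. It also
            determines the region of the CloudFormation client.
        function_name: Passed as-is to ``_make_resource_statement``.

    Returns:
        The policy document as a JSON string indented by four spaces.

    Raises:
        Exception: Errors from describing the stack resources are logged
            and re-raised.
    """
    cf = boto3.client(
        'cloudformation',
        region_name=discovery_utils.get_region_from_stack_arn(stack_arn))

    try:
        res = discovery_utils.try_with_backoff(
            lambda: cf.describe_stack_resources(StackName=stack_arn))
        # NOTE(security): this logs the full API response, including every
        # resource id in the stack.
        # print(...) with one argument prints the same text on Python 2 and
        # is valid syntax on Python 3.
        print('describe_stack_resource(StackName="{}") result: {}'.format(
            stack_arn, res))
    except Exception as e:
        print('describe_stack_resource(StackName="{}") error: {}'.format(
            stack_arn, getattr(e, 'response', e)))
        # Re-raise with a bare raise: on Python 2 "raise e" discards the
        # original traceback.
        raise

    # NOTE(security): the Resource below is a full wildcard over CloudWatch
    # Logs ARNs (any region, any log group). Narrowing it to the function's
    # log group would follow least privilege; the value is kept because the
    # log group name cannot be determined from what this function receives.
    write_logs_statement = {
        "Sid": "WriteLogs",
        "Effect": "Allow",
        "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
        ],
        "Resource": "arn:aws:logs:*:*:*"
    }
    policy = {
        'Version': '2012-10-17',
        'Statement': [write_logs_statement]
    }

    for resource in res['StackResources']:
        statement = _make_resource_statement(
            cf, stack_arn, function_name, resource['LogicalResourceId'])
        if statement is None:
            # Nothing to grant for this resource.
            continue
        policy['Statement'].append(statement)

    print('generated policy: {}'.format(policy))

    return json.dumps(policy, indent=4)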
def get_cloud_formation_client(stack_arn):
    """Create a wrapped CloudFormation client for the region of a stack.

    Args:
        stack_arn: Stack ARN from which the client region is taken.

    Returns:
        A ``discovery_utils.CloudFormationClientWrapper`` around a boto3
        CloudFormation client bound to that region.
    """
    raw_client = boto3.client(
        'cloudformation',
        region_name=discovery_utils.get_region_from_stack_arn(stack_arn))
    return discovery_utils.CloudFormationClientWrapper(raw_client)
def region(self):
    """Return the region that ``discovery_utils`` extracts from ``self.stack_arn``."""
    stack_arn = self.stack_arn
    return discovery_utils.get_region_from_stack_arn(stack_arn)