def _construct_role(self, resource, prefix=None, suffix=""):
"""Constructs the IAM Role resource allowing the event service to invoke
the StartExecution API of the state machine resource it is associated with.
:param model.stepfunctions.StepFunctionsStateMachine resource: The state machine resource associated with the event
:param string prefix: Prefix to use for the logical ID of the IAM role
:param string suffix: Suffix to add for the logical ID of the IAM role
:returns: the IAM Role resource
:rtype: model.iam.IAMRole
"""
role_logical_id = self._generate_logical_id(prefix=prefix,
suffix=suffix,
resource_type="Role")
event_role = IAMRole(
role_logical_id,
attributes=resource.get_passthrough_resource_attributes())
event_role.AssumeRolePolicyDocument = IAMRolePolicies.construct_assume_role_policy_for_service_principal(
self.principal)
state_machine_arn = resource.get_runtime_attr("arn")
event_role.Policies = [
IAMRolePolicies.step_functions_start_execution_role_policy(
state_machine_arn, role_logical_id)
]
return event_role
def _construct_role(self, managed_policy_map):
"""Constructs a Lambda execution role based on this SAM function's Policies property.
:returns: the generated IAM Role
:rtype: model.iam.IAMRole
"""
execution_role = IAMRole(self.logical_id + 'Role')
execution_role.AssumeRolePolicyDocument = IAMRolePolicies.lambda_assume_role_policy()
managed_policy_arns = [ArnGenerator.generate_aws_managed_policy_arn('service-role/AWSLambdaBasicExecutionRole')]
if self.Tracing:
managed_policy_arns.append(ArnGenerator.generate_aws_managed_policy_arn('AWSXrayWriteOnlyAccess'))
function_policies = FunctionPolicies({"Policies": self.Policies},
# No support for policy templates in the "core"
policy_template_processor=None)
policy_documents = []
if self.DeadLetterQueue:
policy_documents.append(IAMRolePolicies.dead_letter_queue_policy(
self.dead_letter_queue_policy_actions[self.DeadLetterQueue['Type']],
self.DeadLetterQueue['TargetArn']))
for index, policy_entry in enumerate(function_policies.get()):
if policy_entry.type is PolicyTypes.POLICY_STATEMENT:
policy_documents.append({
'PolicyName': execution_role.logical_id + 'Policy' + str(index),
'PolicyDocument': policy_entry.data
})
elif policy_entry.type is PolicyTypes.MANAGED_POLICY:
# There are three options:
# Managed Policy Name (string): Try to convert to Managed Policy ARN
# Managed Policy Arn (string): Insert it directly into the list
# Intrinsic Function (dict): Insert it directly into the list
#
# When you insert into managed_policy_arns list, de-dupe to prevent same ARN from showing up twice
#
policy_arn = policy_entry.data
if isinstance(policy_entry.data, string_types) and policy_entry.data in managed_policy_map:
policy_arn = managed_policy_map[policy_entry.data]
# De-Duplicate managed policy arns before inserting. Mainly useful
# when customer specifies a managed policy which is already inserted
# by SAM, such as AWSLambdaBasicExecutionRole
if policy_arn not in managed_policy_arns:
managed_policy_arns.append(policy_arn)
else:
# Policy Templates are not supported here in the "core"
raise InvalidResourceException(
self.logical_id,
"Policy at index {} in the 'Policies' property is not valid".format(index))
execution_role.ManagedPolicyArns = list(managed_policy_arns)
execution_role.Policies = policy_documents or None
return execution_role
def _construct_role(self, managed_policy_map):
"""Constructs a Lambda execution role based on this SAM function's Policies property.
:returns: the generated IAM Role
:rtype: model.iam.IAMRole
"""
execution_role = IAMRole(self.logical_id + 'Role')
execution_role.AssumeRolePolicyDocument = IAMRolePolicies.lambda_assume_role_policy()
managed_policy_arns = [ArnGenerator.generate_aws_managed_policy_arn('service-role/AWSLambdaBasicExecutionRole')]
if self.Tracing:
managed_policy_arns.append(ArnGenerator.generate_aws_managed_policy_arn('AWSXrayWriteOnlyAccess'))
function_policies = FunctionPolicies({"Policies": self.Policies},
# No support for policy templates in the "core"
policy_template_processor=None)
policy_documents = []
if self.DeadLetterQueue:
policy_documents.append(IAMRolePolicies.dead_letter_queue_policy(
self.dead_letter_queue_policy_actions[self.DeadLetterQueue['Type']],
self.DeadLetterQueue['TargetArn']))
for index, policy_entry in enumerate(function_policies.get()):
if policy_entry.type is PolicyTypes.POLICY_STATEMENT:
policy_documents.append({
'PolicyName': execution_role.logical_id + 'Policy' + str(index),
'PolicyDocument': policy_entry.data
})
elif policy_entry.type is PolicyTypes.MANAGED_POLICY:
# There are three options:
# Managed Policy Name (string): Try to convert to Managed Policy ARN
# Managed Policy Arn (string): Insert it directly into the list
# Intrinsic Function (dict): Insert it directly into the list
#
# When you insert into managed_policy_arns list, de-dupe to prevent same ARN from showing up twice
#
policy_arn = policy_entry.data
if isinstance(policy_entry.data, string_types) and policy_entry.data in managed_policy_map:
policy_arn = managed_policy_map[policy_entry.data]
# De-Duplicate managed policy arns before inserting. Mainly useful
# when customer specifies a managed policy which is already inserted
# by SAM, such as AWSLambdaBasicExecutionRole
if policy_arn not in managed_policy_arns:
managed_policy_arns.append(policy_arn)
else:
# Policy Templates are not supported here in the "core"
raise InvalidResourceException(
self.logical_id,
"Policy at index {} in the 'Policies' property is not valid".format(index))
execution_role.ManagedPolicyArns = list(managed_policy_arns)
execution_role.Policies = policy_documents or None
return execution_role
def construct_role_for_resource(
resource_logical_id,
attributes,
managed_policy_map,
assume_role_policy_document,
resource_policies,
managed_policy_arns=None,
policy_documents=None,
permissions_boundary=None,
tags=None,
):
"""
Constructs an execution role for a resource.
:param resource_logical_id: The logical_id of the SAM resource that the role will be associated with
:param attributes: Map of resource attributes to their values
:param managed_policy_map: Map of managed policy names to the ARNs
:param assume_role_policy_document: The trust policy that must be associated with the role
:param resource_policies: ResourcePolicies object encapuslating the policies property of SAM resource
:param managed_policy_arns: List of managed policy ARNs to be associated with the role
:param policy_documents: List of policy documents to be associated with the role
:param permissions_boundary: The ARN of the policy used to set the permissions boundary for the role
:param tags: Tags to be associated with the role
:returns: the generated IAM Role
:rtype: model.iam.IAMRole
"""
role_logical_id = resource_logical_id + "Role"
execution_role = IAMRole(logical_id=role_logical_id, attributes=attributes)
execution_role.AssumeRolePolicyDocument = assume_role_policy_document
if not managed_policy_arns:
managed_policy_arns = []
if not policy_documents:
policy_documents = []
for index, policy_entry in enumerate(resource_policies.get()):
if policy_entry.type is PolicyTypes.POLICY_STATEMENT:
if is_intrinsic_if(policy_entry.data):
intrinsic_if = policy_entry.data
then_statement = intrinsic_if["Fn::If"][1]
else_statement = intrinsic_if["Fn::If"][2]
if not is_intrinsic_no_value(then_statement):
then_statement = {
"PolicyName":
execution_role.logical_id + "Policy" + str(index),
"PolicyDocument":
then_statement,
}
intrinsic_if["Fn::If"][1] = then_statement
if not is_intrinsic_no_value(else_statement):
else_statement = {
"PolicyName":
execution_role.logical_id + "Policy" + str(index),
"PolicyDocument":
else_statement,
}
intrinsic_if["Fn::If"][2] = else_statement
policy_documents.append(intrinsic_if)
else:
policy_documents.append({
"PolicyName":
execution_role.logical_id + "Policy" + str(index),
"PolicyDocument":
policy_entry.data,
})
elif policy_entry.type is PolicyTypes.MANAGED_POLICY:
# There are three options:
# Managed Policy Name (string): Try to convert to Managed Policy ARN
# Managed Policy Arn (string): Insert it directly into the list
# Intrinsic Function (dict): Insert it directly into the list
#
# When you insert into managed_policy_arns list, de-dupe to prevent same ARN from showing up twice
#
policy_arn = policy_entry.data
if isinstance(
policy_entry.data,
string_types) and policy_entry.data in managed_policy_map:
policy_arn = managed_policy_map[policy_entry.data]
# De-Duplicate managed policy arns before inserting. Mainly useful
# when customer specifies a managed policy which is already inserted
# by SAM, such as AWSLambdaBasicExecutionRole
if policy_arn not in managed_policy_arns:
managed_policy_arns.append(policy_arn)
else:
# Policy Templates are not supported here in the "core"
raise InvalidResourceException(
resource_logical_id,
"Policy at index {} in the '{}' property is not valid".format(
index, resource_policies.POLICIES_PROPERTY_NAME),
)
execution_role.ManagedPolicyArns = list(managed_policy_arns)
execution_role.Policies = policy_documents or None
execution_role.PermissionsBoundary = permissions_boundary
execution_role.Tags = tags
return execution_role