def policy_create_for_execution_role(self, role_name, skip_if_exists=True):
#cloud_watch_arn = "arn:aws:logs:{0}:{1}:log-group:awslogs-*".format(self.region, self.account_id)
cloud_watch_arn = f"arn:aws:logs:{self.region}:{self.account_id}:log-group:*"
role_document = { "Version" : "2008-10-17",
"Statement" : [ { "Effect": "Allow",
"Principal": { "Service": "ecs-tasks.amazonaws.com"},
"Action": "sts:AssumeRole" }]}
policy_document = { "Version" : "2012-10-17",
"Statement": [{ "Effect" : "Allow" ,
"Action" : [ "ecr:GetAuthorizationToken" ,
"ecr:BatchCheckLayerAvailability" ,
"ecr:GetDownloadUrlForLayer" ,
"ecr:GetRepositoryPolicy" ,
"ecr:DescribeRepositories" ,
"ecr:ListImages" ,
"ecr:DescribeImages" ,
"ecr:BatchGetImage" ],
"Resource": "*" },
{ "Effect" : "Allow",
"Action" : [ "logs:CreateLogStream" ,
"logs:PutLogEvents" ],
"Resource": [ cloud_watch_arn ]}]}
policy_name = 'policy_for_{0}'.format(role_name)
iam_role = IAM_Role(role_name=role_name)
if iam_role.exists() and skip_if_exists:
return iam_role
if iam_role.create(policy_document=role_document, skip_if_exists=skip_if_exists):
iam_role.attach_policy(policy_name=policy_name, policy_document=policy_document)
if policy_name in iam_role.iam.role_policies():
return iam_role
def policy_create_for_task_role(self, role_name, skip_if_exists=True):
policy = { "Version" : "2008-10-17",
"Statement" : [ { "Effect": "Allow",
"Principal": { "Service": "ecs-tasks.amazonaws.com"},
"Action": "sts:AssumeRole" }]}
iam_role = IAM_Role(role_name=role_name)
iam_role.create(policy,skip_if_exists=skip_if_exists)
return iam_role
def test_create_function(self):
role_arn = IAM_Role(self.lambda_name +
'__tmp_role').create_for__lambda().get('role_arn')
tmp_folder = Temp_Folder_With_Lambda_File(
self.lambda_name).create_temp_file()
(self.aws_lambda.set_role(role_arn).set_s3_bucket(
self.s3_bucket).set_s3_key(self.s3_key).set_folder_code(
tmp_folder.folder))
create_kwargs = self.aws_lambda.create_kwargs()
assert create_kwargs == {
'Code': {
'S3Bucket': self.s3_bucket,
'S3Key': self.s3_key
},
'FunctionName': self.lambda_name,
'Handler': self.lambda_name + '.run',
'MemorySize': 10240,
'PackageType': 'Zip',
'Role': role_arn,
'Runtime': 'python3.8',
'Tags': {},
'Timeout': 900,
'TracingConfig': {
'Mode': 'PassThrough'
}
}
assert self.aws_lambda.upload() is True
result = self.aws_lambda.create()
data = result.get('data')
name = result.get('name')
status = result.get('status')
assert status == 'ok'
assert name == self.lambda_name
expected_arn = 'arn:aws:lambda:{0}:{1}:function:{2}'.format(
self.region, self.account_id,
self.lambda_name) # expected arn value
(Assert(data).field_is_equal('CodeSize',
242) # confirm lambda creation details
.field_is_equal('FunctionArn', expected_arn).field_is_equal(
'FunctionName', self.lambda_name).field_is_equal(
'Handler', self.lambda_name + '.run').field_is_equal(
'MemorySize',
10240).field_is_equal('Role', role_arn).field_is_equal(
'Runtime', 'python3.8').field_is_equal(
'Timeout',
900).field_is_equal('TracingConfig', {
'Mode': 'PassThrough'
}).field_is_equal('Version', '$LATEST'))
assert self.aws_lambda.invoke() == 'hello None'
assert self.aws_lambda.delete() is True # confirm Lambda was deleted
def test_policy_add_sqs_permissions_to_lambda_role(self):
policy_name = self.iam_utils.arn_aws_policy_service_sqs_lambda.split(
'/').pop(-1)
with Temp_Lambda() as temp_lambda:
lambda_name = temp_lambda.lambda_name
iam_role_name = self.iam_utils.policy_add_sqs_permissions_to_lambda_role(
lambda_name)
iam_role = IAM_Role(role_name=iam_role_name)
pprint(iam_role.info())
assert policy_name in iam_role.policies_statements()
assert iam_role.exists() is True
self.iam_utils.policy_remove_sqs_permissions_to_lambda_role(
lambda_name)
assert policy_name not in iam_role.policies_statements()
def test_create_function(self):
role_arn = IAM_Role(self.lambda_name + '__tmp_role').create_for__lambda().get('role_arn')
tmp_folder = Temp_Folder_Code(self.lambda_name)
(
self.aws_lambda.set_role (role_arn)
.set_s3_bucket (self.s3_bucket )
.set_s3_key (self.s3_key )
.set_folder_code(tmp_folder.folder)
)
assert self.aws_lambda.create_params() == (self.lambda_name, 'python3.7' ,
role_arn , self.lambda_name + '.run',
3008 , 60 ,
{ 'Mode' : 'PassThrough' },
{ 'S3Bucket': self.s3_bucket ,
'S3Key' : self.s3_key }) # confirm values that will be passed to the boto3's create_function
assert self.aws_lambda.upload() is True
result = self.aws_lambda.create()
data = result.get('data')
name = result.get('name')
status = result.get('status')
assert status == 'ok'
assert name == self.lambda_name
expected_arn = 'arn:aws:lambda:{0}:{1}:function:{2}'.format(self.region,self.account_id,self.lambda_name) # expected arn value
(Assert(data).field_is_equal('CodeSize' , 209 ) # confirm lambda creation details
.field_is_equal('FunctionArn' , expected_arn )
.field_is_equal('FunctionName' , self.lambda_name )
.field_is_equal('Handler' , self.lambda_name + '.run')
.field_is_equal('MemorySize' , 3008 )
.field_is_equal('Role' , role_arn )
.field_is_equal('Runtime' , 'python3.7' )
.field_is_equal('Timeout' , 60 )
.field_is_equal('TracingConfig', {'Mode': 'PassThrough'} )
.field_is_equal('Version' , '$LATEST' )
)
assert self.aws_lambda.delete() is True # confirm Lambda was deleted
def create__for_lambda_invocation(self, delete_existing=False):
iam_role = IAM_Role(self.role_name__for_lambda_invocation)
if delete_existing:
iam_role.iam.role_delete()
return iam_role.create_for__lambda().get('role_arn')
def setUp(self):
self.temp_role_name = 'test_IAM_Role__temp_role'
self.iam_role = IAM_Role(role_name=self.temp_role_name)
def for_lambda_invocation_exists(self):
iam_role = IAM_Role(self.role_name__for_lambda_invocation)
return iam_role.iam.role_exists()
def setUp(self):
self.temp_role_name = 'test_IAM_Role__temp_role'
self.iam_role = IAM_Role(role_name=self.temp_role_name)
with AWS_Config() as aws_config:
self.account_id = aws_config.aws_session_account_id()
self.region = aws_config.aws_session_region_name()