def create_iam_profile(self): t = self.template # Create EC2 Container Service Role t.add_resource( Role("ecsServiceRole", AssumeRolePolicyDocument=get_ecs_assumerole_policy(), Path="/", Policies=[ Policy(PolicyName="ecsServiceRolePolicy", PolicyDocument=service_role_policy()) ])) # Role for Empire Controllers t.add_resource( Role("EmpireControllerRole", AssumeRolePolicyDocument=get_default_assumerole_policy(), Path="/", Policies=[ Policy(PolicyName="EmpireControllerPolicy", PolicyDocument=empire_policy()) ])) # Add SNS Events policy if Events are enabled t.add_resource( PolicyType("SNSEventsPolicy", PolicyName="EmpireSNSEventsPolicy", Condition="EnableSNSEvents", PolicyDocument=sns_events_policy(Ref("EventTopic")), Roles=[Ref("EmpireControllerRole")])) t.add_resource( InstanceProfile("EmpireControllerProfile", Path="/", Roles=[Ref("EmpireControllerRole")])) t.add_output( Output("EmpireControllerRole", Value=Ref("EmpireControllerRole")))
def policy(name, statements): if not isinstance(statements, list): statements = [statements] policy = Policy() policy.PolicyName = aws_name(name) policy.PolicyDocument = awacs.aws.Policy(Statement=statements) return policy
def create_iam_profile(self): t = self.template # Create EC2 Container Service Role t.add_resource( Role("ecsServiceRole", AssumeRolePolicyDocument=get_ecs_assumerole_policy(), Path="/", Policies=[ Policy(PolicyName="ecsServiceRolePolicy", PolicyDocument=service_role_policy()) ])) # Role for Empire Controllers t.add_resource( Role("EmpireControllerRole", AssumeRolePolicyDocument=get_default_assumerole_policy(), Path="/", Policies=[ Policy(PolicyName="EmpireControllerPolicy", PolicyDocument=empire_policy()) ])) t.add_resource( InstanceProfile("EmpireControllerProfile", Path="/", Roles=[Ref("EmpireControllerRole")]))
def add_policy(self, policy_name, effect, action="*", resource="*"): # Troposphere object policy = Policy(title=policy_name) policy.PolicyName = policy_name policy_document = PolicyDocument() statement = Statement(effect, action, resource=resource) policy_document.add_statement(statement) policy.PolicyDocument = transform_policy_document(policy_document) self.Policies.append(policy)
def add_multi_statement_policy(self, policy_name, statements): # Troposphere object policy = Policy(title=policy_name) policy.PolicyName = policy_name policy_document = PolicyDocument() for statement in statements: policy_document.add_statement(statement) policy.PolicyDocument = transform_policy_document(policy_document) self.Policies.append(policy)
def generate_iam_policies(self): ns = self.context.namespace base_policies = [ Policy(PolicyName="%s-ecs-agent" % ns, PolicyDocument=ecs_agent_policy()), ] with_logging = copy.deepcopy(base_policies) with_logging.append( Policy(PolicyName="%s-kinesis-logging" % ns, PolicyDocument=logstream_policy())) policies = If("EnableStreamingLogs", with_logging, base_policies) return policies
def generate_iam_policies(self): # Referencing NS like this within a resource name is deprecated, it's # only done here to maintain backwards compatability for minion # clusters. ns = self.context.namespace base_policies = [ Policy(PolicyName="%s-ecs-agent" % ns, PolicyDocument=ecs_agent_policy()), ] with_logging = copy.deepcopy(base_policies) with_logging.append( Policy(PolicyName="%s-kinesis-logging" % ns, PolicyDocument=logstream_policy())) policies = If("EnableStreamingLogs", with_logging, base_policies) return policies
def vpc_role_adder(self): self.k8_master_role = self.template.add_resource( Role('k8master', AssumeRolePolicyDocument=PolicyDocument(Statement=[ Statement(Effect=Allow, Action=[AssumeRole], Principal=Principal("Service", ["ec2.amazonaws.com"])) ]), Policies=[ Policy( PolicyName='k8master', PolicyDocument=PolicyDocument(Statement=[ Statement(Effect=Allow, Action=[ Action('s3', 'List*'), Action('s3', 'Get*'), Action('ecr', '*'), Action('elasticloadbalancing', '*'), cloudformation.SignalResource, Action('ec2', 'Describe*'), ], Resource=['*']) ])) ])) self.k8_worker_role = self.template.add_resource( Role('k8worker', AssumeRolePolicyDocument=PolicyDocument(Statement=[ Statement(Effect=Allow, Action=[AssumeRole], Principal=Principal("Service", ["ec2.amazonaws.com"])) ]), Policies=[ Policy(PolicyName='worker', PolicyDocument=PolicyDocument(Statement=[ Statement(Effect=Allow, Action=[ Action('s3', 'List*'), Action('s3', 'Get*'), Action('ecr', '*'), cloudformation.SignalResource, Action('ec2', 'Describe*'), Action('sns', '*') ], Resource=['*']) ])) ]))
def pass_policy(to_services, name=None, resource=None): services = [] if not isinstance(to_services, list): raise TypeError('services must be of type', list) for service in to_services: if service.endswith('.com') or service.endswith('.com.cn'): services.append(service) else: services.append(Sub(f'{service}.${{URLSuffix}}')) statement = { "Action": ["iam:PassRole"], "Resource": "*", "Effect": "Allow", "Condition": { "StringEqualsIfExists": { "iam:PassedToService": services } } } policy = Policy(PolicyName='AllowPassRoleTo'.join('', to_services), PolicyDocument={ "Version": "2012-10-17", "Statement": [statement] }) return policy
def create_lambda_role(self): t = self.template self.LambdaExecutionRole = t.add_resource(Role( "ddbElasticsearchBridge", Path="/", Policies=[Policy( PolicyName="root", PolicyDocument={ "Version": "2012-10-17", "Statement": [{ "Action": ["es:ESHttpPost"], "Resource": ES DOMAIN HERE + "/*", "Effect": "Allow" }, { "Action": [ "dynamodb:DescribeStream", "dynamodb:GetRecords", "dynamodb:GetShardIterator", "dynamodb:ListStreams"], "Effect": "Allow", "Resource": GetAtt(self.dynamoTable, "StreamArn") }] })], AssumeRolePolicyDocument={ "Version": "2012-10-17", "Statement": [{ "Action": ["sts:AssumeRole"], "Effect": "Allow", "Principal": { "Service": ["lambda.amazonaws.com"] } }] }, ))
def build_cw_cb_role(template=None, role_name="s2nEventsInvokeCodeBuildRole"): """ Create a role for CloudWatch events to trigger Codebuild jobs. """ role_id = template.add_resource( Role( role_name, Path='/', AssumeRolePolicyDocument=PolicyDocument(Statement=[ Statement(Effect=Allow, Action=[ Action("sts", "AssumeRole"), ], Principal=Principal("Service", ["events.amazonaws.com"])) ]), Policies=[ Policy( PolicyName=f"EventsInvokeCBRole", PolicyDocument=PolicyDocument(Statement=[ Statement( Effect=Allow, Action=[Action("codebuild", "StartBuild")], Resource=[ "arn:aws:codebuild:us-west-2:024603541914:project/*", ]) ])) ])) return role_id
def build_cw_cb_role(template, config, role_name="s2nEventsInvokeCodeBuildRole"): """ Create a role for CloudWatch events to trigger scheduled CodeBuild jobs. """ role_id = template.add_resource( Role( role_name, Path='/', AssumeRolePolicyDocument=PolicyDocument(Statement=[ Statement(Effect=Allow, Action=[ Action("sts", "AssumeRole"), ], Principal=Principal("Service", ["events.amazonaws.com"])) ]), Policies=[ Policy( PolicyName=f"EventsInvokeCBRole", PolicyDocument=PolicyDocument(Statement=[ Statement( Effect=Allow, Action=[Action("codebuild", "StartBuild")], Resource=[ "arn:aws:codebuild:{region}:{account_number}:project/*" .format(region=config.get( 'Global', 'aws_region'), account_number=config.get( 'CFNRole', 'account_number')), ]) ])) ])) return role_id
def getDeployResources(t: Template) -> Tuple[ActionTypeID, Role]: statements = [ awacs.aws.Statement(Action=[ awacs.ec2.Action("*"), awacs.awslambda.GetFunction, awacs.awslambda.CreateFunction, awacs.awslambda.GetFunctionConfiguration, awacs.awslambda.DeleteFunction, awacs.awslambda.UpdateFunctionCode, awacs.awslambda.UpdateFunctionConfiguration, awacs.awslambda.CreateAlias, awacs.awslambda.DeleteAlias, awacs.s3.GetObject ], Resource=["*"], Effect=awacs.aws.Allow), awacs.aws.Statement(Action=[ awacs.iam.DeleteRole, awacs.iam.DeleteRolePolicy, awacs.iam.GetRole, awacs.iam.PutRolePolicy, awacs.iam.CreateRole, awacs.iam.PassRole ], Resource=["*"], Effect=awacs.aws.Allow) ] policy_doc = awacs.aws.Policy(Statement=statements) policy = Policy(PolicyDocument=policy_doc, PolicyName="CloudFormationDeployPolicy") assume = defaultAssumeRolePolicyDocument("cloudformation.amazonaws.com") role = t.add_resource( Role("CFDeployRole", RoleName=Sub("${AWS::StackName}-CFDeployRole"), AssumeRolePolicyDocument=assume, Policies=[policy])) actionId = ActionTypeID(Category="Deploy", Owner="AWS", Version="1", Provider="CloudFormation") return (actionId, role)
def add_vpc_flow(template, vpc, boundary=None): """ Function to add VPC Flow Log to log VPC :param troposphere.Template template: :param vpc: The VPC Object :param str boundary: """ if boundary and boundary.startswith("arn:aws"): perm_boundary = boundary elif boundary and not boundary.startswith("arn:aws"): perm_boundary = Sub( f"arn:${{{AWS_PARTITION}}}:iam:${{{AWS_REGION}}}:${{{AWS_ACCOUNT_ID}}}:policy/{boundary}" ) else: perm_boundary = Ref(AWS_NO_VALUE) log_group = template.add_resource( LogGroup( "FlowLogsGroup", RetentionInDays=14, LogGroupName=Sub(f"flowlogs/vpc/${{{vpc.title}}}"), )) role = template.add_resource( Role( "FlowLogsRole", AssumeRolePolicyDocument=service_role_trust_policy("ec2"), PermissionsBoundary=perm_boundary, Policies=[ Policy( PolicyName="CloudWatchAccess", PolicyDocument={ "Version": "2012-10-17", "Statement": [{ "Sid": "AllowCloudWatchLoggingToSpecificLogGroup", "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:PutLogEvents", ], "Resource": GetAtt(log_group, "Arn"), }], }, ) ], )) template.add_resource( FlowLog( "VpcFlowLogs", DeliverLogsPermissionArn=GetAtt(role, "Arn"), LogGroupName=Ref(log_group), LogDestinationType="cloud-watch-logs", MaxAggregationInterval=600, ResourceId=Ref(vpc), ResourceType="VPC", TrafficType="ALL", ))
def role(template): role = Role( "sgdemorole", AssumeRolePolicyDocument=awacs.aws.Policy(Statement=[ Statement(Effect=Allow, Principal=Principal("Service", ["ec2.amazonaws.com"]), Action=[AssumeRole]) ], Version="2012-10-17"), Path="/", Policies=[ Policy( PolicyName="sgdemopolicy", PolicyDocument=awacs.aws.Policy( Statement=[ Statement(Effect=Allow, Resource=["*"], Action=[Action("ec2", "DescribeInstances")]) ] #Statement = map(allow_stmt, ["ec2", "SNS", "elasticloadbalancing", "cloudwatch", "autoscaling", "iam", "ecr", "s3", "cloudformation"]) )) ]) template.add_resource(role) return role
def __init__(self, prefix: str, lambda_under_deployment: Function) -> None: """ Constructor. :param prefix: A prefix for deployment lambda resource names. :param lambda_under_deployment: An AWS Lambda function to execute deployments against. """ self.lambda_role = Role( prefix + "DeploymentLambdaRole", Path="/", Policies=[Policy( PolicyName=prefix + "DeploymentLambdaRole", PolicyDocument={ "Version": "2012-10-17", "Statement": [{ "Action": ["logs:*"], "Resource": "arn:aws:logs:*:*:*", "Effect": "Allow" }, { "Action": ["lambda:UpdateFunctionCode"], "Resource": "*", "Effect": "Allow" }, { "Action": ["s3:*"], "Resource": "*", "Effect": "Allow" }] })], AssumeRolePolicyDocument={"Version": "2012-10-17", "Statement": [ { "Action": ["sts:AssumeRole"], "Effect": "Allow", "Principal": { "Service": [ "lambda.amazonaws.com", ] } } ]}, ) self.function = Function( prefix + "DeploymentLambda", Code=Code(ZipFile=self.__read_template()), Handler='index.handler', Role=GetAtt(self.lambda_role, "Arn"), Runtime='python3.6', MemorySize='128', FunctionName=prefix + 'DeploymentLambda', Timeout='10', Environment=Environment( Variables={ 'LAMBDA_FUNCTION_NAME': Ref(lambda_under_deployment) } ), Description=( f'Deployment lambda which updates lambda under deployment function code ' f'from an output from a ci/cd pipeline for {prefix.lower()}.' ) )
def __init__(self, affiliatename, defaulttemplate=False): if defaulttemplate == False: self.template = Template() ## Update the template to accept serverless functions. self.template.set_transform('AWS::Serverless-2016-10-31') self.affiliatename = affiliatename ## TODO: Check that the affiliate name is all lowercase ## Declare the logical name for the bucket resource. self.bucket_logname = 'UserBucket' + affiliatename bucket = Bucket(self.bucket_logname, AccessControl='Private', BucketName=affiliatename) self.bucket = self.template.add_resource(bucket) ## Now define a new user policy: policy = Policy(PolicyDocument=self.customize_userpolicy(), PolicyName=self.affiliatename + 'policy') ## Now define an iam user group to which we can attach this policy: self.group_logname = 'UserGroup' + affiliatename self.groupname = self.affiliatename + 'group' usergroup = Group(self.group_logname, GroupName=self.groupname, Policies=[policy]) self.usergroup = self.template.add_resource(usergroup) self.users = [] self.usercount = 0 else: 'Implement me! and remember to implement getting of resources as attributes!'
def role_build(bucket_name): """ returns: iam.Role """ bucket_name = filter_s3bucket(bucket_name) role = Role("CodeBuildRole", Path='/cicd/codebuild/', AssumeRolePolicyDocument=role_trust_policy('codebuild'), ManagedPolicyArns=[AWS_LAMBDA_BASIC_EXEC], Policies=[ Policy(PolicyName="S3Access", PolicyDocument={ "Version": "2012-10-17", "Statement": [{ 'Effect': 'Allow', 'Resource': [bucket_name], 'Action': [ 's3:PutObject', 's3:PutObjectVersion', 's3:GetObject', 's3:GetObjectVersion' ] }] }) ]) return role
def __create_lambda_edge_function_service_role(template): role = template.add_resource(resource=Role( title='SampleLambdaEdgeServiceRole', RoleName='sample-lambda-edge-service-role', Path='/', AssumeRolePolicyDocument={ "Statement": [{ "Effect": "Allow", "Principal": { "Service": ['lambda.amazonaws.com', 'edgelambda.amazonaws.com'] }, "Action": ["sts:AssumeRole"] }] }, Policies=[ Policy(PolicyName="sample-policy", PolicyDocument={ "Version": "2012-10-17", "Statement": [{ "Action": ['lambda:*', 'logs:*'], "Resource": ['*'], "Effect": "Allow" }] }) ])) add_export(template, role.title + 'Arn', GetAtt(role, 'Arn'))
def add_apigateway_role(template: Template) -> Role: # Create a role for the lambda function return template.add_resource( Role( "LambdaExecutionRole", Path="/", Policies=[ Policy(PolicyName="root", PolicyDocument={ "Version": "2012-10-17", "Statement": [{ "Action": ["logs:*"], "Resource": "arn:aws:logs:*:*:*", "Effect": "Allow" }, { "Action": ["lambda:*"], "Resource": "*", "Effect": "Allow" }] }) ], AssumeRolePolicyDocument={ "Version": "2012-10-17", "Statement": [{ "Action": ["sts:AssumeRole"], "Effect": "Allow", "Principal": { "Service": ["lambda.amazonaws.com", "apigateway.amazonaws.com"] } }] }, ))
def add_use_dynamodb_role(template: Template) -> Role: return template.add_resource( Role("usedynamodbrole", AssumeRolePolicyDocument=PolicyDocument(Statement=[ Statement(Effect=Allow, Action=[AssumeRole], Principal=Principal("Service", ["lambda.amazonaws.com"])), Statement(Effect=Allow, Action=[AssumeRole], Principal=Principal("Service", ["apigateway.amazonaws.com"])) ]), Policies=[ Policy(PolicyName="policy_use_dynamodb", PolicyDocument=PolicyDocument( Id="policy_use_dynamodb", Version="2012-10-17", Statement=[ Statement(Effect=Allow, Action=[ DescribeTable, PutItem, GetRecords, GetItem, DeleteItem, Scan ], Resource=["*"]), Statement(Effect=Allow, Action=[ CreateLogGroup, CreateLogStream, PutLogEvents ], Resource=["*"]) ])) ]))
def __create_codebuild_service_role(template): role = template.add_resource(resource=Role( title='SampleCodeBuildServiceRole', RoleName='sample-codebuild-service-role', Path='/', AssumeRolePolicyDocument={ 'Statement': [{ 'Effect': 'Allow', 'Principal': { 'Service': 'codebuild.amazonaws.com' }, 'Action': ['sts:AssumeRole'] }] }, Policies=[ Policy(PolicyName='sample-codebuild-policy', PolicyDocument={ 'Version': '2012-10-17', 'Statement': [{ "Action": [ 'logs:*', 's3:*', ], "Resource": ['*'], "Effect": "Allow" }] }) ])) add_export(template, role.title + 'Arn', GetAtt(role, 'Arn'))
def build(self) -> Policy: checkForNoneValues(self) policyDocument = PolicyDocumentBuilder() for s in self._statements: policyDocument.addStatement(s) return Policy(PolicyName=Sub(self._name + "-${AWS::StackName}"), PolicyDocument=policyDocument.build())
def logging_from_defined_region(family: ComposeFamily, service: ComposeService) -> None: """ If the region for a log group is given, we just take the shortcut to granting all access to logs in all regions, for any log group / stream. :param family: :param service: :return: """ LOG.warning( f"{family.name}.logging.awslogs driver " "- When defining awslogs-region, Compose-X does not create the CW Log Group" ) family.iam_manager.exec_role.cfn_resource.Policies.append( Policy( PolicyName=f"CloudWatchAccessFor{family.logical_name}", PolicyDocument={ "Version": "2012-10-17", "Statement": [{ "Sid": "AllowCloudWatchLoggingToSpecificLogGroup", "Effect": "Allow", "Action": LOGGING_ACTIONS, "Resource": Sub("arn:${AWS::Partition}:logs:*:${AWS::AccountId}:log-group:*" ), }], }, )) service.logging.log_options.update({"awslogs-create-group": True})
def add_instance_role(self): ''' Add Instance role ''' self.cfn_template.add_resource(Role( title=constants.INST_ROLE, AssumeRolePolicyDocument=PolicyDocument( Statement=[ Statement( Effect=Allow, Action=[AssumeRole], Principal=Principal('Service', ['ec2.amazonaws.com']) ) ] ), Policies=[ Policy( PolicyName='Demo-ECS-Cluster', PolicyDocument=PolicyDocument( Statement=[ Statement( Effect=Allow, Action=[ Action('*') ], Resource=['*'] ) ] ) ) ] )) return self.cfn_template
def generate_iam_policies(self): return [ Policy( PolicyName="ecs-agent", PolicyDocument=ecs_agent_policy(), ) ]
def get_s3_access() -> Policy: statements = [ awacs.aws.Statement(Action=[s3.PutObject, s3.PutObjectAcl], Effect=awacs.aws.Allow, Resource=["arn:aws:s3:::iotweatherdata-prod/*"]) ] policyDoc = awacs.aws.Policy(Statement=statements) return Policy(PolicyName=Sub("S3Access-${AWS::StackName}"), PolicyDocument=policyDoc)
def getBuildRole() -> Role: statement = Statement(Action=[Action("*")], Effect=Allow, Resource=["*"]) policy_doc = awacs.aws.Policy(Statement=[statement]) policy = Policy(PolicyName=Sub("${AWS::StackName}-CodeBuildPolicy"), PolicyDocument=policy_doc) assume = defaultAssumeRolePolicyDocument("codebuild.amazonaws.com") return Role("CodeBuildRole", RoleName=Sub("${AWS::StackName}-LambdaCodeBuildRole"), AssumeRolePolicyDocument=assume, Policies=[policy])
def add_ecs_task_role(self): ''' Add ECS Task Role to template ''' self.cfn_template.add_resource( Role( title=constants.TASK_ROLE, AssumeRolePolicyDocument=PolicyDocument(Statement=[ Statement(Effect=Allow, Action=[AssumeRole], Principal=Principal('Service', ['ecs-tasks.amazonaws.com'])) ]), Policies=[ Policy(PolicyName='ECSTaskDefinitionContainerRole', PolicyDocument=PolicyDocument(Statement=[ Statement(Effect=Allow, Action=[ Action('s3', 'GetObject'), Action('kms', 'Encrypt'), Action('kms', 'Decrypt') ], Resource=['*']) ])), Policy( PolicyName='DemoAppContainerRole', PolicyDocument=PolicyDocument(Statement=[ Statement(Effect=Allow, Action=[ Action('dynamodb', 'BatchGetItem'), Action('dynamodb', 'BatchWriteItem'), Action('dynamodb', 'GetItem'), Action('dynamodb', 'ListTables'), Action('dynamodb', 'PutItem'), Action('dynamodb', 'Query'), Action('dynamodb', 'Scan'), Action('dynamodb', 'UpdateItem'), Action('dynamodb', 'DeleteItem') ], Resource=['*']) ])) ])) return self.cfn_template
def get_secret_manager() -> Policy: statements = [ awacs.aws.Statement( Action=[awacs.aws.Action("secretsmanager", "GetSecretValue")], Effect=awacs.aws.Allow, Resource=["arn:aws:secretsmanager:*:*:secret:iot/prod*"]) ] policyDoc = awacs.aws.Policy(Statement=statements) return Policy(PolicyName=Sub("SecretManagerAccess-${AWS::StackName}"), PolicyDocument=policyDoc)