def test_for_all_values(self):
c = aws.Condition(
aws.ForAllValuesStringLike("dynamodb:requestedAttributes",
["PostDateTime", "Message", "Tags"]))
pd = aws.PolicyDocument(Statement=[
aws.Statement(
Action=[s3.ListBucket],
Effect=aws.Allow,
Resource=[s3.ARN("myBucket")],
Condition=c,
)
])
self.assertEqual(
{
'Statement': [{
'Action': ['s3:ListBucket'],
'Condition': {
'ForAllValues:StringLike': {
'dynamodb:requestedAttributes':
['PostDateTime', 'Message', 'Tags']
}
},
'Effect': 'Allow',
'Resource': ['arn:aws:s3:::myBucket']
}]
}, json.loads(pd.to_json()))
def test_for_all_values(self):
c = aws.Condition(
aws.ForAllValuesStringLike("dynamodb:requestedAttributes",
["PostDateTime", "Message", "Tags"]))
pd = aws.PolicyDocument(Statement=[
aws.Statement(
Action=[s3.ListBucket],
Effect=aws.Allow,
Resource=[s3.ARN("myBucket")],
Condition=c,
)
])
self.assertEqual(
{
"Statement": [{
"Action": ["s3:ListBucket"],
"Condition": {
"ForAllValues:StringLike": {
"dynamodb:requestedAttributes": [
"PostDateTime",
"Message",
"Tags",
]
}
},
"Effect": "Allow",
"Resource": ["arn:aws:s3:::myBucket"],
}]
},
json.loads(pd.to_json()),
)
def _codebuild_role(artifacts_bucket: Parameter, resources_bucket: Parameter,
cmk: Parameter) -> iam.Role:
"""Construct a role for use by CodeBuild.
:param artifacts_bucket: Artifacts bucket parameter
:param resources_bucket: Resources bucket parameter
:param cmk: KMS CMK parameter
:return: Constructed Role
"""
assume_policy = AWS.PolicyDocument(Statement=[
AWS.Statement(
Principal=AWS.Principal(
"Service", make_service_domain_name(CODEBUILD.prefix)),
Effect=AWS.Allow,
Action=[STS.AssumeRole],
)
])
policy = AWS.PolicyDocument(Statement=[
AWS.Statement(
Effect=AWS.Allow,
Action=[
LOGS.CreateLogGroup, LOGS.CreateLogStream, LOGS.PutLogEvents
],
Resource=[account_arn(service_prefix=LOGS.prefix, resource="*")],
),
AWS.Statement(
Effect=AWS.Allow,
Action=[S3.GetObject, S3.GetObjectVersion, S3.PutObject],
Resource=[
Sub(f"${{{artifacts_bucket.title}}}/*"),
Sub(f"${{{resources_bucket.title}}}/*")
],
),
AWS.Statement(Effect=AWS.Allow,
Action=[KMS.Encrypt, KMS.Decrypt, KMS.GenerateDataKey],
Resource=[cmk.ref()]),
])
return iam.Role(
resource_name(iam.Role, "CodeBuild"),
AssumeRolePolicyDocument=assume_policy,
Policies=[
iam.Policy(PolicyName=_policy_name("CodeBuild"),
PolicyDocument=policy)
],
)
def _assume_policy(service: str) -> AWS.PolicyDocument:
return AWS.PolicyDocument(Statement=[
AWS.Statement(
Principal=AWS.Principal("Service", make_service_domain_name(
service)),
Effect=AWS.Allow,
Action=[STS.AssumeRole],
)
])
def _project_key(project: Config) -> kms.Key:
"""Construct the AWS CMK that will be used to protect project resources.
:param project: Source project
:return: Constructed key
"""
policy = AWS.PolicyDocument(
Version="2012-10-17",
Statement=[
AWS.Statement(
Effect=AWS.Allow,
Principal=AWS.Principal("AWS", account_arn("iam", "root")),
Action=[
KMS.Encrypt,
KMS.Decrypt,
KMS.ReEncrypt,
KMS.GenerateDataKey,
KMS.GenerateDataKeyWithoutPlaintext,
KMS.DescribeKey,
KMS.GetKeyPolicy,
],
Resource=["*"],
),
# TODO: Change admin statement to some other principal?
AWS.Statement(
Effect=AWS.Allow,
Principal=AWS.Principal("AWS", account_arn("iam", "root")),
Action=[
KMS.GetKeyPolicy,
KMS.PutKeyPolicy,
KMS.ScheduleKeyDeletion,
KMS.CancelKeyDeletion,
KMS.CreateAlias,
KMS.DeleteAlias,
KMS.UpdateAlias,
KMS.DescribeKey,
KMS.EnableKey,
KMS.DisableKey,
KMS.GetKeyRotationStatus,
KMS.EnableKeyRotation,
KMS.DisableKeyRotation,
KMS.ListKeyPolicies,
KMS.ListResourceTags,
KMS.TagResource,
KMS.UntagResource,
],
Resource=["*"],
),
],
)
return kms.Key(
resource_name(kms.Key, "Stack"),
Enabled=True,
EnableKeyRotation=False,
KeyPolicy=policy,
Tags=project_tags(project),
)
def step_functions_role(name: str, *statements: AWS.Statement) -> iam.Role:
return iam.Role(
name,
AssumeRolePolicyDocument=_assume_policy(STATES.prefix),
Policies=[
iam.Policy(
PolicyName=f"{name}Policy",
PolicyDocument=AWS.PolicyDocument(Statement=list(statements)))
],
)
def _cloudformation_role() -> iam.Role:
"""Construct a role for use by CloudFormation.
:return: Constructed Role
"""
assume_policy = AWS.PolicyDocument(Statement=[
AWS.Statement(
Principal=AWS.Principal(
"Service", make_service_domain_name(CLOUDFORMATION.prefix)),
Effect=AWS.Allow,
Action=[STS.AssumeRole],
)
])
# TODO: Figure out how to scope this down without breaking IAM
# IAM policies break if there is a * in certain fields,
# so this does not work:
# arn:PARTITION:*:REGION:ACCOUNT:*
#
# _desired_policy = AWS.PolicyDocument(
# Statement=[
# AWS.Statement(
# Effect=AWS.Allow,
# Action=[AWS.Action("*")],
# Resource=[
# account_arn(service_prefix="*", resource="*"),
# account_arn(service_prefix=S3.prefix, resource="*"),
# account_arn(service_prefix=IAM.prefix, resource="*"),
# ],
# )
# ]
# )
policy = AWS.PolicyDocument(Statement=[
AWS.Statement(
Effect=AWS.Allow, Action=[AWS.Action("*")], Resource=["*"])
])
return iam.Role(
resource_name(iam.Role, "CloudFormation"),
AssumeRolePolicyDocument=assume_policy,
Policies=[
iam.Policy(PolicyName=_policy_name("CloudFormation"),
PolicyDocument=policy)
],
)
def _cloudformation_role() -> iam.Role:
"""Build and return the IAM Role resource to be used by the pipeline to interact with CloudFormation."""
policy = iam.Policy(
"CloudFormationPolicy",
PolicyName="CloudFormationPolicy",
PolicyDocument=AWS.PolicyDocument(Statement=[AllowEverywhere(Action=[AWS.Action("*")])]),
)
return iam.Role(
"CloudFormationRole", AssumeRolePolicyDocument=_service_assume_role(CLOUDFORMATION.prefix), Policies=[policy]
)
def generate_role_template(
command: str,
actions: list,
role_name: str,
path: str,
assuming_account_id: str,
assuming_resource: str,
output_format: str,
) -> str:
t = troposphere.Template()
t.description = f"Role used to run the {command} command"
t.add_resource(
iam.Role(
title="role",
RoleName=role_name,
Path=path,
Policies=[
iam.Policy(
PolicyName=f"{command}-permissions",
PolicyDocument=aws.PolicyDocument(
Version="2012-10-17",
Id=f"{command}-permissions",
Statement=[
aws.Statement(
Sid="1",
Effect=aws.Allow,
Action=actions,
Resource=["*"],
),
],
),
)
],
AssumeRolePolicyDocument=aws.Policy(
Version="2012-10-17",
Id="AllowAssume",
Statement=[
aws.Statement(
Sid="1",
Effect=aws.Allow,
Principal=aws.Principal("AWS", [
IAM_ARN(assuming_resource, "", assuming_account_id)
]),
Action=[awacs_sts.AssumeRole],
),
],
),
))
if output_format == "json":
return t.to_json()
else:
return t.to_yaml()
def lambda_role(name: str, *additional_statements: AWS.Statement) -> iam.Role:
statements = [_basic_lambda_statement()]
statements.extend(additional_statements)
return iam.Role(
name,
AssumeRolePolicyDocument=_assume_policy(AWSLAMBDA.prefix),
Policies=[
iam.Policy(PolicyName=f"{name}Policy",
PolicyDocument=AWS.PolicyDocument(Statement=statements))
],
)
def _codebuild_role() -> iam.Role:
"""Build and return the IAM Role resource to be used by CodeBuild to run the build project."""
policy = iam.Policy(
"CodeBuildPolicy",
PolicyName="CodeBuildPolicy",
PolicyDocument=AWS.PolicyDocument(
Statement=[
AllowEverywhere(Action=[LOGS.CreateLogGroup, LOGS.CreateLogStream, LOGS.PutLogEvents]),
AllowEverywhere(Action=[S3.GetObject, S3.GetObjectVersion, S3.PutObject]),
]
),
)
return iam.Role("CodeBuildRole", AssumeRolePolicyDocument=_service_assume_role(CODEBUILD.prefix), Policies=[policy])
def generate_role_template(
command: str,
actions: list,
role_name: str,
path: str,
assuming_account_id: str,
assuming_resource: str,
additional_statements: list = [],
) -> troposphere.Template:
t = troposphere.Template()
t.description = f"Role used to run the {command} command"
role = iam.Role(
title="role",
RoleName=role_name,
Path=path,
Policies=[
iam.Policy(
PolicyName=f"{command}-permissions",
PolicyDocument=aws.PolicyDocument(
Version="2012-10-17",
Id=f"{command}-permissions",
Statement=[
aws.Statement(Sid="1",
Effect=aws.Allow,
Action=actions,
Resource=["*"])
] + additional_statements,
),
)
],
AssumeRolePolicyDocument=aws.Policy(
Version="2012-10-17",
Id="AllowAssume",
Statement=[
aws.Statement(
Sid="1",
Effect=aws.Allow,
Principal=aws.Principal(
"AWS",
[IAM_ARN(assuming_resource, "", assuming_account_id)]),
Action=[awacs_sts.AssumeRole],
)
],
),
)
t.add_resource(role)
t.add_output(troposphere.Output("RoleName", Value=troposphere.Ref(role)))
t.add_output(
troposphere.Output("RoleArn", Value=troposphere.GetAtt(role, "Arn")))
return t
def events_trigger_stepfuntions_role(
name: str, statemachine: stepfunctions.StateMachine) -> iam.Role:
return iam.Role(
name,
AssumeRolePolicyDocument=_assume_policy(EVENTS.prefix),
Policies=[
iam.Policy(
PolicyName=f"{name}Policy",
PolicyDocument=AWS.PolicyDocument(Statement=[
AWS.Statement(Effect=AWS.Allow,
Action=[STATES.StartExecution],
Resource=[statemachine.ref()])
]),
)
],
)
def build_subscription(self, t, topic):
policy = t.add_resource(
iam.Role(
"{}SlackSNSRole".format(self.name),
AssumeRolePolicyDocument=aws.Policy(Statement=[
aws.Statement(Action=[awacs.sts.AssumeRole],
Effect=aws.Allow,
Principal=aws.Principal(
"Service", ["lambda.amazonaws.com"]))
]),
Path="/",
Policies=[
iam.Policy(
PolicyName='snspublic',
PolicyDocument=aws.PolicyDocument(Statement=[
aws.Statement(Effect=aws.Allow,
Action=[
awacs.sns.Publish,
awacs.logs.PutLogEvents,
awacs.logs.CreateLogGroup,
awacs.logs.CreateLogStream,
],
Resource=["*"])
]))
],
ManagedPolicyArns=[
# "arn:aws:iam::aws:policy/AdministratorAccess"
]))
code = ["import sys"]
# make lambda function
fn = t.add_resource(
awslambda.Function('{}SlackTopicFN'.format(self.name),
Handler='index.handle',
Runtime='python3.6',
Role=GetAtt(policy, "Arn"),
Code=awslambda.Code(ZipFile=Join("", code))))
t.add_resource(
awslambda.Permission('{}LambdaPerm'.format(self.name),
Action='lambda:InvokeFunction',
FunctionName=GetAtt(fn, "Arn"),
SourceArn=Ref(topic),
Principal="sns.amazonaws.com"))
return ("lambda", GetAtt(fn, "Arn"))
def _pipeline_role(buckets: Iterable[s3.Bucket]) -> iam.Role:
"""Build and return the IAM Role resource to be used by CodePipeline to run the pipeline."""
bucket_statements = [
AWS.Statement(
Effect=AWS.Allow,
Action=[S3.GetBucketVersioning, S3.PutBucketVersioning],
Resource=[GetAtt(bucket, "Arn") for bucket in buckets],
),
AWS.Statement(
Effect=AWS.Allow,
Action=[S3.GetObject, S3.PutObject],
Resource=[
Sub("${{{bucket}.Arn}}/*".format(bucket=bucket.title))
for bucket in buckets
],
),
]
policy = iam.Policy(
"PipelinePolicy",
PolicyName="PipelinePolicy",
PolicyDocument=AWS.PolicyDocument(Statement=bucket_statements + [
AllowEverywhere(Action=[CLOUDWATCH.Action("*"), IAM.PassRole]),
AllowEverywhere(
Action=[LAMBDA.InvokeFunction, LAMBDA.ListFunctions]),
AllowEverywhere(Action=[
CLOUDFORMATION.CreateStack,
CLOUDFORMATION.DeleteStack,
CLOUDFORMATION.DescribeStacks,
CLOUDFORMATION.UpdateStack,
CLOUDFORMATION.CreateChangeSet,
CLOUDFORMATION.DeleteChangeSet,
CLOUDFORMATION.DescribeChangeSet,
CLOUDFORMATION.ExecuteChangeSet,
CLOUDFORMATION.SetStackPolicy,
CLOUDFORMATION.ValidateTemplate,
]),
AllowEverywhere(
Action=[CODEBUILD.BatchGetBuilds, CODEBUILD.StartBuild]),
]),
)
return iam.Role("CodePipelinesRole",
AssumeRolePolicyDocument=_service_assume_role(
CODEPIPELINE.prefix),
Policies=[policy])
def _codepipeline_role(artifacts_bucket: Parameter,
resources_bucket: Parameter,
cmk: Parameter) -> iam.Role:
"""Construct a role for use by CodePipeline.
:param artifacts_bucket: Artifacts bucket parameter
:param resources_bucket: Resources bucket parameter
:param cmk: KMS CMK parameter
:return: Constructed Role
"""
assume_policy = AWS.PolicyDocument(Statement=[
AWS.Statement(
Principal=AWS.Principal(
"Service", make_service_domain_name(CODEPIPELINE.prefix)),
Effect=AWS.Allow,
Action=[STS.AssumeRole],
)
])
policy = AWS.PolicyDocument(Statement=[
AWS.Statement(
Effect=AWS.Allow,
Action=[S3.GetBucketVersioning, S3.PutBucketVersioning],
Resource=[artifacts_bucket.ref(),
resources_bucket.ref()],
),
AWS.Statement(
Effect=AWS.Allow,
Action=[S3.GetObject, S3.PutObject],
Resource=[
Sub(f"${{{artifacts_bucket.title}}}/*"),
Sub(f"${{{resources_bucket.title}}}/*")
],
),
AWS.Statement(Effect=AWS.Allow,
Action=[KMS.Encrypt, KMS.Decrypt, KMS.GenerateDataKey],
Resource=[cmk.ref()]),
AWS.Statement(
Effect=AWS.Allow,
Action=[CLOUDWATCH.Action("*")],
Resource=[
account_arn(service_prefix=CLOUDWATCH.prefix, resource="*")
],
),
AWS.Statement(
Effect=AWS.Allow,
Action=[IAM.PassRole],
Resource=[
account_arn(service_prefix=IAM.prefix, resource="role/*")
],
),
AWS.Statement(
Effect=AWS.Allow,
Action=[LAMBDA.InvokeFunction, LAMBDA.ListFunctions],
Resource=[account_arn(service_prefix=LAMBDA.prefix, resource="*")],
),
AWS.Statement(
Effect=AWS.Allow,
Action=[
CLOUDFORMATION.CreateStack,
CLOUDFORMATION.DeleteStack,
CLOUDFORMATION.DescribeStacks,
CLOUDFORMATION.UpdateStack,
CLOUDFORMATION.CreateChangeSet,
CLOUDFORMATION.DeleteChangeSet,
CLOUDFORMATION.DescribeChangeSet,
CLOUDFORMATION.ExecuteChangeSet,
CLOUDFORMATION.SetStackPolicy,
CLOUDFORMATION.ValidateTemplate,
],
Resource=[
account_arn(service_prefix=CLOUDFORMATION.prefix, resource="*")
],
),
AWS.Statement(
Effect=AWS.Allow,
Action=[CODEBUILD.BatchGetBuilds, CODEBUILD.StartBuild],
Resource=[
account_arn(service_prefix=CODEBUILD.prefix, resource="*")
],
),
])
return iam.Role(
resource_name(iam.Role, "CodePipeline"),
AssumeRolePolicyDocument=assume_policy,
Policies=[
iam.Policy(PolicyName=_policy_name("CodePipeline"),
PolicyDocument=policy)
],
)
def generate_codepipeline_template(
codepipeline_role_name: str,
codepipeline_role_path: str,
codebuild_role_name: str,
codebuild_role_path: str,
ssm_parameter_prefix: str,
scm_provider: str,
scm_connection_arn: str,
scm_full_repository_id: str,
scm_branch_name: str,
scm_bucket_name: str,
scm_object_key: str,
scm_skip_creation_of_repo: str,
migrate_role_arn: str,
) -> troposphere.Template:
version = pkg_resources.get_distribution("aws-organized").version
t = troposphere.Template()
t.set_description(
"CICD template that runs aws organized migrate for the given branch of the given repo"
)
project_name = "AWSOrganized-Migrate"
bucket_name = scm_bucket_name
if scm_provider.lower(
) == "codecommit" and scm_skip_creation_of_repo is False:
t.add_resource(
codecommit.Repository("Repository",
RepositoryName=scm_full_repository_id))
if scm_provider.lower() == "s3" and scm_skip_creation_of_repo is False:
bucket_name = (
scm_bucket_name if scm_bucket_name else
troposphere.Sub("aws-organized-pipeline-source-${AWS::AccountId}"))
t.add_resource(
s3.Bucket(
"Source",
BucketName=bucket_name,
VersioningConfiguration=s3.VersioningConfiguration(
Status="Enabled"),
BucketEncryption=s3.BucketEncryption(
ServerSideEncryptionConfiguration=[
s3.ServerSideEncryptionRule(
ServerSideEncryptionByDefault=s3.
ServerSideEncryptionByDefault(
SSEAlgorithm="AES256"))
]),
))
artifact_store = t.add_resource(
s3.Bucket(
"ArtifactStore",
VersioningConfiguration=s3.VersioningConfiguration(
Status="Enabled"),
BucketEncryption=s3.BucketEncryption(
ServerSideEncryptionConfiguration=[
s3.ServerSideEncryptionRule(
ServerSideEncryptionByDefault=s3.
ServerSideEncryptionByDefault(SSEAlgorithm="AES256"))
]),
))
codepipeline_role = t.add_resource(
iam.Role(
"CodePipelineRole",
RoleName=codepipeline_role_name,
Path=codepipeline_role_path,
ManagedPolicyArns=["arn:aws:iam::aws:policy/AdministratorAccess"],
AssumeRolePolicyDocument=aws.PolicyDocument(
Version="2012-10-17",
Statement=[
aws.Statement(
Effect=aws.Allow,
Action=[awacs_sts.AssumeRole],
Principal=aws.Principal(
"Service", ["codepipeline.amazonaws.com"]),
)
],
),
))
codebuild_role = t.add_resource(
iam.Role(
"CodeBuildRole",
RoleName=codebuild_role_name,
Path=codebuild_role_path,
ManagedPolicyArns=["arn:aws:iam::aws:policy/AdministratorAccess"],
AssumeRolePolicyDocument=aws.PolicyDocument(
Version="2012-10-17",
Statement=[
aws.Statement(
Effect=aws.Allow,
Action=[awacs_sts.AssumeRole],
Principal=aws.Principal("Service",
["codebuild.amazonaws.com"]),
)
],
),
))
version_parameter = ssm.Parameter(
"versionparameter",
Name=f"{ssm_parameter_prefix}/version",
Type="String",
Value=version,
)
t.add_resource(version_parameter)
project = t.add_resource(
codebuild.Project(
"AWSOrganizedMigrate",
Artifacts=codebuild.Artifacts(Type="CODEPIPELINE"),
Environment=codebuild.Environment(
ComputeType="BUILD_GENERAL1_SMALL",
Image="aws/codebuild/standard:4.0",
Type="LINUX_CONTAINER",
EnvironmentVariables=[
{
"Name": "MIGRATE_ROLE_ARN",
"Type": "PLAINTEXT",
"Value": migrate_role_arn,
},
{
"Name": "Version",
"Type": "PARAMETER_STORE",
"Value": troposphere.Ref(version_parameter),
},
{
"Name": "SSM_PARAMETER_PREFIX",
"Type": "PLAINTEXT",
"Value": ssm_parameter_prefix,
},
],
),
Name=project_name,
ServiceRole=troposphere.GetAtt(codebuild_role, "Arn"),
Source=codebuild.Source(
Type="CODEPIPELINE",
BuildSpec=yaml.safe_dump(
dict(
version="0.2",
phases=dict(
install={
"runtime-versions":
dict(python="3.8"),
"commands":
["pip install aws-organized==${Version}"],
},
build={
"commands": [
"aws-organized migrate --ssm-parameter-prefix $SSM_PARAMETER_PREFIX $MIGRATE_ROLE_ARN"
]
},
),
artifacts=dict(files=["environment"]),
)),
),
))
source_actions = dict(
codecommit=codepipeline.Actions(
Name="SourceAction",
ActionTypeId=codepipeline.ActionTypeId(Category="Source",
Owner="AWS",
Version="1",
Provider="CodeCommit"),
OutputArtifacts=[
codepipeline.OutputArtifacts(Name="SourceOutput")
],
Configuration={
"RepositoryName": scm_full_repository_id,
"BranchName": scm_branch_name,
"PollForSourceChanges": "true",
},
RunOrder="1",
),
codestarsourceconnection=codepipeline.Actions(
Name="SourceAction",
ActionTypeId=codepipeline.ActionTypeId(
Category="Source",
Owner="AWS",
Version="1",
Provider="CodeStarSourceConnection",
),
OutputArtifacts=[
codepipeline.OutputArtifacts(Name="SourceOutput")
],
Configuration={
"ConnectionArn": scm_connection_arn,
"FullRepositoryId": scm_full_repository_id,
"BranchName": scm_branch_name,
"OutputArtifactFormat": "CODE_ZIP",
},
RunOrder="1",
),
s3=codepipeline.Actions(
Name="SourceAction",
ActionTypeId=codepipeline.ActionTypeId(Category="Source",
Owner="AWS",
Version="1",
Provider="S3"),
OutputArtifacts=[
codepipeline.OutputArtifacts(Name="SourceOutput")
],
Configuration={
"S3Bucket": bucket_name,
"S3ObjectKey": scm_object_key,
"PollForSourceChanges": True,
},
RunOrder="1",
),
).get(scm_provider.lower())
t.add_resource(
codepipeline.Pipeline(
"Pipeline",
RoleArn=troposphere.GetAtt(codepipeline_role, "Arn"),
Stages=[
codepipeline.Stages(Name="Source", Actions=[source_actions]),
codepipeline.Stages(
Name="Migrate",
Actions=[
codepipeline.Actions(
Name="Migrate",
InputArtifacts=[
codepipeline.InputArtifacts(
Name="SourceOutput")
],
ActionTypeId=codepipeline.ActionTypeId(
Category="Build",
Owner="AWS",
Version="1",
Provider="CodeBuild",
),
Configuration={
"ProjectName": troposphere.Ref(project),
"PrimarySource": "SourceAction",
},
RunOrder="1",
)
],
),
],
ArtifactStore=codepipeline.ArtifactStore(
Type="S3", Location=troposphere.Ref(artifact_store)),
))
return t
jicketidprefix = "KWP-" # Prefix used before the ticket id. Should contain a connecting element, e.g. 'KWP-' to produce
# IDs like 'KWP-xxxxxx'
jicketloopmode = "singleshot"
# Execution Role
# ================
lambdaexecutionrole = iam.Role("APILambdaExecutionRole")
lambdaexecutionrole.AssumeRolePolicyDocument = aws_awacs.PolicyDocument(
Version="2012-10-17",
Id="S3-Account-Permissions",
Statement=[
aws_awacs.Statement(
Sid="1",
Effect=aws_awacs.Allow,
Principal=aws_awacs.Principal("Service", "lambda.amazonaws.com"),
Action=[aws_awacs.Action("sts", "AssumeRole")]
)
],
)
lambdaexecutionrole.RoleName = "GeolocatorLambdaExecutionRole"
lambdaexecutionrole.ManagedPolicyArns = []
lambdaexecutionrole.Policies = [iam.Policy(
PolicyName="LambdaExecutionPolicy",
PolicyDocument=aws_awacs.PolicyDocument(
Version="2012-10-17",
Statement=[
]
)
)]
def generate_codepipeline_template(
codepipeline_role_name: str,
codepipeline_role_path: str,
codebuild_role_name: str,
codebuild_role_path: str,
output_format: str,
migrate_role_arn: str,
) -> str:
t = troposphere.Template()
t.set_description(
"CICD template that runs aws organized migrate for the given branch of the given repo"
)
project_name = "AWSOrganized-Migrate"
repository_name = "AWS-Organized-environment"
repo = t.add_resource(
codecommit.Repository("Repository", RepositoryName=repository_name))
artifact_store = t.add_resource(
s3.Bucket(
"ArtifactStore",
BucketEncryption=s3.BucketEncryption(
ServerSideEncryptionConfiguration=[
s3.ServerSideEncryptionRule(
ServerSideEncryptionByDefault=s3.
ServerSideEncryptionByDefault(SSEAlgorithm="AES256"))
]),
))
codepipeline_role = t.add_resource(
iam.Role(
"CodePipelineRole",
RoleName=codepipeline_role_name,
Path=codepipeline_role_path,
ManagedPolicyArns=[
"arn:aws:iam::aws:policy/AdministratorAccess",
],
Policies=[
iam.Policy(
PolicyName=f"executionpermissions",
PolicyDocument=aws.PolicyDocument(
Version="2012-10-17",
Id=f"executionpermissions",
Statement=[
aws.Statement(
Sid="1",
Effect=aws.Allow,
Action=[
awscd_codecommit.GitPull,
awscd_codecommit.GetBranch,
awscd_codecommit.GetCommit,
awscd_codecommit.UploadArchive,
],
Resource=[troposphere.GetAtt(repo, "Arn")],
),
aws.Statement(
Sid="2",
Effect=aws.Allow,
Action=[
awacs_s3.GetBucketPolicy,
awacs_s3.GetBucketVersioning,
awacs_s3.ListBucket,
],
Resource=[
troposphere.GetAtt(artifact_store, "Arn")
],
),
aws.Statement(
Sid="3",
Effect=aws.Allow,
Action=[
awacs_s3.GetObject,
awacs_s3.GetObjectVersion,
],
Resource=[
troposphere.Join(":", [
troposphere.GetAtt(
artifact_store, 'Arn'), "*"
])
],
),
aws.Statement(
Sid="4",
Effect=aws.Allow,
Action=[
awacs_s3.ListAllMyBuckets,
],
Resource=[
troposphere.Join(":", [
"arn",
troposphere.Partition,
"s3:::*",
])
],
),
# aws.Statement(
# Sid="5",
# Effect=aws.Allow,
# Action=[
# aws.Action("s3", "*")
# ],
# Resource=[
# troposphere.Join(":", [
# troposphere.GetAtt(artifact_store, 'Arn'),
# "*"
# ])
# ],
# ),
# aws.Statement(
# Sid="6",
# Effect=aws.Allow,
# Action=[
# aws.Action("s3", "*")
# ],
# Resource=[
# troposphere.GetAtt(artifact_store, 'Arn')
# ],
# ),
],
),
)
],
AssumeRolePolicyDocument=aws.PolicyDocument(
Version="2012-10-17",
Statement=[
aws.Statement(
Effect=aws.Allow,
Action=[awacs_sts.AssumeRole],
Principal=aws.Principal(
"Service", ["codepipeline.amazonaws.com"]),
),
],
),
))
codebuild_role = t.add_resource(
iam.Role(
"CodeBuildRole",
RoleName=codebuild_role_name,
Path=codebuild_role_path,
ManagedPolicyArns=[
"arn:aws:iam::aws:policy/AdministratorAccess",
],
Policies=[
iam.Policy(
PolicyName=f"executionpermissions",
PolicyDocument=aws.PolicyDocument(
Version="2012-10-17",
Id=f"executionpermissions",
Statement=[
aws.Statement(
Sid="1",
Effect=aws.Allow,
Action=[
awacs_logs.CreateLogGroup,
awacs_logs.CreateLogStream,
awacs_logs.PutLogEvents,
],
Resource=[
# "arn:aws:logs:eu-west-1:669925765091:log-group:/aws/codebuild/examplecodebuild",
# "arn:aws:logs:eu-west-1:669925765091:log-group:/aws/codebuild/examplecodebuild:*",
{
"Fn::Sub": [
f"arn:${{AWS::Partition}}:logs:${{AWS::Region}}:${{AWS::AccountId}}:log-group:/aws/codebuild/{project_name}",
{},
]
},
{
"Fn::Sub": [
f"arn:${{AWS::Partition}}:logs:${{AWS::Region}}:${{AWS::AccountId}}:log-group:/aws/codebuild/{project_name}:*",
{},
]
},
],
),
aws.Statement(
Sid="2",
Effect=aws.Allow,
Action=[
awacs_s3.PutObject,
awacs_s3.GetObject,
awacs_s3.GetObjectVersion,
awacs_s3.GetBucketAcl,
awacs_s3.GetBucketLocation,
],
Resource=[
# "arn:aws:s3:::codepipeline-eu-west-1-*",
{
"Fn::Sub": [
f"arn:${{AWS::Partition}}:s3:::codepipeline-${{AWS::Region}}-*",
{},
]
},
],
),
aws.Statement(
Sid="3",
Effect=aws.Allow,
Action=[
awacs_codebuild.CreateReportGroup,
awacs_codebuild.CreateReport,
awacs_codebuild.UpdateReport,
awacs_codebuild.BatchPutTestCases,
awacs_codebuild.BatchPutCodeCoverages,
],
Resource=[
# "arn:aws:codebuild:eu-west-1:669925765091:report-group/examplecodebuild-*",
{
"Fn::Sub": [
f"arn:${{AWS::Partition}}:codebuild:${{AWS::Region}}:${{AWS::AccountId}}:report-group/{project_name}-*",
{},
]
},
],
),
aws.Statement(Sid="4",
Effect=aws.Allow,
Action=[awacs_sts.AssumeRole],
Resource=[migrate_role_arn]),
# aws.Statement(
# Sid="5",
# Effect=aws.Allow,
# Action=[
# aws.Action("s3", "*")
# ],
# Resource=[
# troposphere.Join(":", [
# troposphere.GetAtt(artifact_store, 'Arn'),
# "*"
# ])
# ],
# ),
# aws.Statement(
# Sid="6",
# Effect=aws.Allow,
# Action=[
# aws.Action("s3", "*")
# ],
# Resource=[
# troposphere.GetAtt(artifact_store, 'Arn')
# ],
# ),
],
),
)
],
AssumeRolePolicyDocument=aws.PolicyDocument(
Version="2012-10-17",
Statement=[
aws.Statement(
Effect=aws.Allow,
Action=[awacs_sts.AssumeRole],
Principal=aws.Principal("Service",
["codebuild.amazonaws.com"]),
),
],
),
))
project = t.add_resource(
codebuild.Project(
"AWSOrganizedMigrate",
Artifacts=codebuild.Artifacts(Type="CODEPIPELINE"),
Environment=codebuild.Environment(
ComputeType="BUILD_GENERAL1_SMALL",
Image="aws/codebuild/standard:4.0",
Type="LINUX_CONTAINER",
EnvironmentVariables=[{
"Name": "MIGRATE_ROLE_ARN",
"Type": "PLAINTEXT",
"Value": migrate_role_arn,
}]),
Name=project_name,
ServiceRole=troposphere.GetAtt(codebuild_role, "Arn"),
Source=codebuild.Source(
Type="CODEPIPELINE",
BuildSpec=yaml.safe_dump(
dict(
version="0.2",
phases=dict(
install={
"runtime-versions": dict(python="3.8"),
"commands": [
"pip install aws-organized",
],
},
build={
"commands": [
"aws-organized migrate $(MIGRATE_ROLE_ARN)",
],
},
),
artifacts=dict(files=[
"environment",
], ),
)),
),
))
source_actions = codepipeline.Actions(
Name="SourceAction",
ActionTypeId=codepipeline.ActionTypeId(
Category="Source",
Owner="AWS",
Version="1",
Provider="CodeCommit",
),
OutputArtifacts=[codepipeline.OutputArtifacts(Name="SourceOutput")],
Configuration={
"RepositoryName": repository_name,
"BranchName": "master",
"PollForSourceChanges": "true",
},
RunOrder="1",
)
pipeline = t.add_resource(
codepipeline.Pipeline(
"Pipeline",
RoleArn=troposphere.GetAtt(codepipeline_role, "Arn"),
Stages=[
codepipeline.Stages(
Name="Source",
Actions=[source_actions],
),
codepipeline.Stages(
Name="Migrate",
Actions=[
codepipeline.Actions(
Name="Migrate",
InputArtifacts=[
codepipeline.InputArtifacts(
Name="SourceOutput")
],
ActionTypeId=codepipeline.ActionTypeId(
Category="Build",
Owner="AWS",
Version="1",
Provider="CodeBuild",
),
Configuration={
"ProjectName": troposphere.Ref(project),
"PrimarySource": "SourceAction",
},
RunOrder="1",
)
],
),
],
ArtifactStore=codepipeline.ArtifactStore(
Type="S3", Location=troposphere.Ref(artifact_store)),
))
if output_format == "json":
return t.to_json()
else:
return t.to_yaml()
"""Resources for lambda function."""
import troposphere
from awacs import aws
from troposphere import awslambda
from troposphere import cloudformation
from troposphere import iam
_ROLE = iam.Role(
title="LambdaRole",
AssumeRolePolicyDocument=aws.PolicyDocument(
Statement=[
aws.Statement(
Action=[aws.Action("sts", "AssumeRole")],
Effect="Allow",
Principal=aws.Principal(
principal="Service", resources=["lambda.amazonaws.com"]
),
)
]
),
ManagedPolicyArns=[
"arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
],
RoleName="cloudformation-kubernetes-lambda",
)
with open("cloudformation/lambda_function/index.py") as in_file:
_CODE = awslambda.Code(ZipFile=in_file.read())
_LAMBDA = awslambda.Function(
title="Lambda",
