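def getAWSPolicyDocument(ctx, policyName):
    """Return the default-version policy document of an AWS-side policy.

    Looks the policy up in the cached AWS policy metadata first; if it is not
    there, logs a message through ``ctx.log`` and returns ``None`` explicitly
    (the original either fell off the end or hit an unbound ``policyDoc``,
    depending on how the return was indented).

    Args:
        ctx: Context object; only ``ctx.log`` is used here, the rest is
            forwarded to the ``aws_policies`` helpers.
        policyName: Name of the managed policy as known to the cache.

    Returns:
        Whatever ``aws_policies.getDefaultPolicyVersion`` returns for the
        policy, or ``None`` when the policy is not in the cache.
    """
    meta = aws_policies.getPolicyMeta(ctx, policyName)
    if meta is None:
        ctx.log('AWS policy %s was not found' % policyName)
        return None
    # The document comes from the policy's default version; the helper
    # takes the name, not the Arn from ``meta``.
    return aws_policies.getDefaultPolicyVersion(ctx, policyName)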
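def detachPolicy(ctx, roleName, policyName):
    """Detach a cached managed policy from an IAM role.

    Resolves the policy Arn from the cached AWS policy metadata. When the
    policy is unknown the function logs an error and returns without calling
    IAM. Under ``ctx.dry_run`` the IAM call is only echoed to the log; the
    ``ctx.audit`` record is written only when the detach actually runs.

    Args:
        ctx: Context object; uses ``ctx.iam`` (an IAM client exposing
            ``detach_role_policy``), ``ctx.dry_run``, ``ctx.log`` and
            ``ctx.audit``.
        roleName: Name of the IAM role to detach the policy from.
        policyName: Name of the managed policy as known to the cache.

    Returns:
        None.
    """
    meta = aws_policies.getPolicyMeta(ctx, policyName)
    if meta is None:
        ctx.log("detachPolicy: Error- %s does not exist in cached AWS policies" % policyName)
        return
    policyArn = meta["Arn"]
    if ctx.dry_run:
        # Dry run: show the exact call that would be made, touch nothing.
        ctx.log("iam.detach_role_policy(RoleName=%s, PolicyArn=%s)" % (roleName, policyArn))
        return
    # The response of detach_role_policy was previously bound to an unused
    # local; it is discarded deliberately — failure surfaces as an exception.
    ctx.iam.detach_role_policy(RoleName=roleName, PolicyArn=policyArn)
    # Privilege change: keep the audit trail entry for the real detach only.
    ctx.audit("Detached policy %s from role %s" % (policyName, roleName))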
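def comparePolicy(ctx, policyName, no_diff, diff_type, context_lines, offset):
    """Compare one model policy against its AWS counterpart and report.

    Prints the policy name (left-aligned, 43 wide, no newline), then either
    `` not found at AWS!``, `` MATCHED`` or `` NOT MATCHED``. When a diff is
    available and ``no_diff`` is false, the diff lines are printed
    afterwards, each prefixed with ``offset``.

    Args:
        ctx: Context object; only ``ctx.log`` (accepting ``nl`` and ``fg``
            keyword arguments) is used directly.
        policyName: Name of the policy in the model and in the AWS cache.
        no_diff: Suppress printing of the diff output when true.
        diff_type: Passed through to ``compareModel2AWS`` (diff style).
        context_lines: Passed through to ``compareModel2AWS``.
        offset: Indentation prefix prepended to every printed line.

    Returns:
        None.
    """
    ctx.log('%s%-43s' % (offset, policyName), nl=False)
    meta = aws_policies.getPolicyMeta(ctx, policyName)
    if meta is None:
        ctx.log(' not found at AWS!', fg='cyan')
        return
    matched, diff = compareModel2AWS(ctx, policyName, meta, diff_type, context_lines)
    if matched:
        ctx.log(' MATCHED')
    else:
        ctx.log(' NOT MATCHED', fg='cyan')
    # NOTE(review): the collapsed original did not show whether this block
    # was nested under the NOT MATCHED branch; it is kept at function level
    # so a diff is printed whenever compareModel2AWS supplies one.
    if not no_diff and diff is not None:
        ctx.log('%sDiff output...' % offset, fg='cyan')
        for line in diff:
            ctx.log('%s %s' % (offset, line), fg='cyan')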
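def createPolicy(ctx, targetRegion, targetEnv, targetService, targetPolicy):
    """Create, in AWS, every model policy that matches the target filter
    and does not exist there yet.

    For each name in ``ctx.modelPolicies`` that ``isValidTarget`` accepts:
    skips it if the AWS cache already has it, skips it (with an error log)
    if the model has no document for it, otherwise serialises the model
    document as indented JSON and hands it to ``aws_policies.createPolicy``.

    Args:
        ctx: Context object; reads ``ctx.modelPolicies`` and uses
            ``ctx.log`` / ``ctx.vlog``.
        targetRegion, targetEnv, targetService, targetPolicy: Filter values
            forwarded to ``isValidTarget``; callers pass ``None`` for
            "don't filter on this" (see ``updatePolicies``).

    Returns:
        None.
    """
    ctx.vlog('createPolicy(targetRegion: %s targetEnv: %s targetService: %s targetPolicy: %s)'
             % (targetRegion, targetEnv, targetService, targetPolicy))
    for policyName in ctx.modelPolicies:
        if not isValidTarget(ctx, policyName, targetRegion, targetEnv, targetService, targetPolicy):
            continue
        # See if this policy is already in aws
        if aws_policies.getPolicyMeta(ctx, policyName) is not None:
            ctx.log('%s already exists' % policyName)
            continue
        modelPolicy = getModelPolicyDocument(ctx, policyName)
        if modelPolicy is None:
            ctx.log('Error: %s does not exist in the model' % policyName)
            continue
        # IAM takes the document as a JSON string; indent only for readability.
        policyDocument = json.dumps(modelPolicy, indent=4)
        ctx.log('Creating policy : %s' % policyName)
        aws_policies.createPolicy(ctx, policyName, policyDocument)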
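def updatePolicies(ctx, targetRegion, targetEnv, targetService, targetPolicy, constrainToModel, force):
    """Bring AWS managed policies in line with the model.

    For each model policy accepted by ``isValidTarget``:

    * not in the AWS cache  -> created via ``createPolicy`` (targeted by name);
    * present and ``force`` -> a new policy version is pushed without comparing;
    * present otherwise     -> compared with ``compareModel2AWS``; a mismatch
      results in a new version only when ``constrainToModel`` is set.

    Before pushing a version, one non-default version is deleted when the
    policy already has five or more (IAM caps managed policies at five
    versions). Unlike the original, a model policy whose document is
    missing is now skipped with an error log instead of uploading
    ``"null"`` as the new version — matching ``createPolicy``.

    Args:
        ctx: Context object; reads ``ctx.modelPolicies`` and uses ``ctx.log``.
        targetRegion, targetEnv, targetService, targetPolicy: Filter values
            forwarded to ``isValidTarget``.
        constrainToModel: Push a new version when the documents differ.
        force: Push a new version unconditionally.

    Returns:
        None.
    """
    for policyName in ctx.modelPolicies:
        if not isValidTarget(ctx, policyName, targetRegion, targetEnv, targetService, targetPolicy):
            continue
        meta = aws_policies.getPolicyMeta(ctx, policyName)
        if meta is None:
            ctx.log('Adding model policy not found in AWS: %s' % policyName)
            createPolicy(ctx, None, None, None, policyName)
            continue
        ctx.log('Model policy found in AWS: %s. Comparing policy document' % policyName)
        policyArn = meta['Arn']
        if force:
            ctx.log('Forcing an update. No compare necessary.')
        else:
            matched, _ = compareModel2AWS(ctx, policyName, meta, 'unified', 0)
            if matched:
                ctx.log('%s: MATCHED. Noting to update.' % policyName)
                continue
            ctx.log('%s: DID NOT MATCH' % policyName)
        if not (force or constrainToModel):
            continue
        modelPolicy = getModelPolicyDocument(ctx, policyName)
        if modelPolicy is None:
            ctx.log('Error: %s does not exist in the model' % policyName)
            continue
        _makeRoomForPolicyVersion(ctx, policyArn, meta)
        policyDocument = json.dumps(modelPolicy, indent=4)
        aws_policies.createPolicyVersion(ctx, policyArn, policyDocument)


def _makeRoomForPolicyVersion(ctx, policyArn, meta):
    """Delete one non-default version when the policy is at the version cap.

    Args:
        ctx: Context object forwarded to the ``aws_policies`` helpers.
        policyArn: Arn of the managed policy.
        meta: Cached metadata for the policy; ``meta['DefaultVersionId']``
            names the version that must never be deleted.
    """
    versions = aws_policies.getPolicyVersions(ctx, policyArn)
    if len(versions) < 5:
        return
    # Too many versions, gotta delete 1.
    # NOTE(review): the elements are compared to DefaultVersionId, so they
    # appear to be version-id strings; a plain sort is then lexicographic
    # ('v10' < 'v2'), so "first non-default" is not guaranteed to be the
    # oldest version — confirm what getPolicyVersions returns.
    versions.sort()
    defaultVersionId = meta['DefaultVersionId']
    for version in versions:
        # The default version cannot be deleted; skip it and drop the next one.
        if version != defaultVersionId:
            aws_policies.deletePolicyVersion(ctx, policyArn, version)
            break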