def create_iam_resources(self): # We create a master role, and attach some policies for it, and allow all egress. self.master_role = iam.Role(self.cluster_name + "-master-role", assume_role_policy=ASSUME_ROLE_POLICY_DOC, opts=pulumi.ResourceOptions(parent=self)) iam.RolePolicyAttachment( self.cluster_name + "-master-AmazonEKSClusterPolicy", policy_arn="arn:aws:iam::aws:policy/AmazonEKSClusterPolicy", role=self.master_role, opts=pulumi.ResourceOptions(parent=self)) iam.RolePolicyAttachment( self.cluster_name + "-master-AmazonEKSServicePolicy", policy_arn="arn:aws:iam::aws:policy/AmazonEKSServicePolicy", role=self.master_role, opts=pulumi.ResourceOptions(parent=self))
def default_iam_role(service_naming_convention, lambda_name): current = get_partition() lambda_role = iam.Role( lambda_name + '_' + service_naming_convention, assume_role_policy="""{ "Version": "2012-10-17", "Statement": [ { "Action": "sts:AssumeRole", "Principal": { "Service": "lambda.amazonaws.com" }, "Effect": "Allow", "Sid": "" } ] }""" ) iam.RolePolicyAttachment( lambda_name + '_' + service_naming_convention + '_default_policy', role=lambda_role.name, policy_arn=f"arn:{current.partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" ) return lambda_role
def generate_role(name, resources, **ropts): role = iam.Role( f'{name}', assume_role_policy={ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": { "Service": "lambda.amazonaws.com", } }] }, **ropts, ) iam.RolePolicyAttachment(f'{name}-base', role=role, policy_arn=BASIC_POLICY.arn, **opts(parent=role)) if resources: iam.RolePolicy( f'{name}-policy', role=role, policy={ "Version": "2012-10-17", # FIXME: Reduce this "Statement": [{ "Effect": "Allow", "Action": "*", # FIXME: More reasonable permissions "Resource": pulumi.Output.all( *[res[0].arn for res in resources.values()]) }] }, **opts(parent=role)) return role
def update_iam(self): aws = self.model.aws if self.model.okta.users: policy = iam.Policy( "sari", name="SARIPolicy", description=MANAGED_BY_SARI_NOTICE, policy=_aws_make_policy( [{ "Effect": "Allow", "Action": "rds-db:connect", "Resource": f"arn:aws:rds-db:*:{aws.account}:dbuser:*/{login}", "Condition": { "StringEquals": { "aws:PrincipalTag/User": login } }, } for login, user in self.model.okta.users.items() if user.status == "ACTIVE" and user.permissions])) iam.RolePolicyAttachment("sari", role=SARI_ROLE_NAME, policy_arn=policy.arn)
"Statement": [{ "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": { "Service": "glue.amazonaws.com" } }] }), description="datalake mart crawler", force_detach_policies=True, path='/glue/', name_prefix=f"{project}-{env}-mart-crawler") # attach policies to crawler role iam.RolePolicyAttachment('crawler-kms-policy', role=crawler_role, policy_arn=infra.policy_kms_full_usage.arn) iam.RolePolicyAttachment('crawler-glue-service-policy', role=crawler_role, policy_arn=infra.policy_glue_service.arn) iam.RolePolicy( 'crawler-read-mart-policy', role=crawler_role, policy=infra.mart_location.apply(lambda p: json.dumps({ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{p[5:]}/*", #strip s3:// prefix
def __init__(self, name, scripts_bucket: s3.Bucket = None, managed_policy_arns: List[str] = [], tags: Dict[str, str] = None, opts: pulumi.ResourceOptions = None): super().__init__('hca:ScriptArchiveLambda', name, None, opts) merged_tags = tags.copy() if tags else {} merged_tags.update({'hca:dataclassification': 'pii'}) role = iam.Role(f"{name}-role", path="/lambda/", description=f"role for script archive lambda", assume_role_policy=json.dumps({ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": { "Service": "lambda.amazonaws.com" } }] }), force_detach_policies=True, tags=merged_tags, opts=pulumi.ResourceOptions(parent=self)) # attach managed policies if managed_policy_arns: for index, policy in enumerate(managed_policy_arns): iam.RolePolicyAttachment( f"{name}-attach-policy-{index}", policy_arn=policy, role=role, opts=pulumi.ResourceOptions(parent=self)) fileprocpolicy = iam.RolePolicy( f"{name}-inline-policy", role=role, policy=scripts_bucket.bucket.apply(inline_policy), opts=pulumi.ResourceOptions(parent=self)) print( f"archive function => {os.path.abspath(os.path.join(os.getcwd(),'../../src/lambdas/scripts_archive.py'))}" ) self.function = lambda_.Function( f"{name}-function", runtime='python3.6', description= 'copy files from fileproc bucket to datalake raw bucket and trigger glue jobs', handler='index.main', memory_size=128, timeout=30, code=pulumi.AssetArchive({ # NOTE use relative path from pulumi root 'index.py': pulumi.FileAsset( os.path.abspath( os.path.join(os.getcwd(), '../../src/lambdas/scripts_archive.py'))), }), #code=pulumi.FileAsset(os.path.abspath(os.path.join(os.getcwd(),'../../src/lambdas/scripts_archive.py'))), role=role.arn, tags=merged_tags, opts=pulumi.ResourceOptions(parent=self)) lambda_.Permission(f"{name}-permission", action='lambda:InvokeFunction', principal='s3.amazonaws.com', function=self.function, source_arn=scripts_bucket.arn, opts=pulumi.ResourceOptions(parent=self))
"Action": "sts:AssumeRole", "Principal": { "Service": "lambda.amazonaws.com" }, "Effect": "Allow", "Sid": "" } ] }""") lambda_role_policy = iam.RolePolicy('lambdaRolePolicy', role=lambda_role.id, policy="""{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:*" }] }""") lamdba_vpc_enabled = iam.RolePolicyAttachment( 'lamdba_vpc_enabled', role=lambda_role.id, policy_arn= "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole")
get_secret_resource_policy_document noaccess_role = iam.Role("noaccess-role", name="NoAccessRole", assume_role_policy=get_assume_role_policy_document()) trusted_role = iam.Role("trusted-role", name="TrustedRole", assume_role_policy=get_assume_role_policy_document()) identity_policy = iam.Policy("identity-policy", name="IdentityPolicy", policy=get_identity_policy_document()) noaccess_role_attachment = iam.RolePolicyAttachment( "noaccess-role-attachment", role=noaccess_role, policy_arn=identity_policy.arn) trusted_role_attachment = iam.RolePolicyAttachment( "trusted-role-attachment", role=trusted_role, policy_arn=identity_policy.arn) secret_resource_policy_document = trusted_role.unique_id.apply( lambda it: get_secret_resource_policy_document(it)) secret = secretsmanager.Secret("secret", name="Secret", policy=secret_resource_policy_document) secret_value = secretsmanager.SecretVersion(
def __init__(self, name, # optional list of iam.policy to attach to role iam_policies:List[str]=None, # encrypt logs security_config:glue.SecurityConfiguration=None, # required script_location:str=None, job_args:Dict[str,str]=None, job_db_connections:List[Union[str,glue.Connection]]=None, job_name_prefix:str='', target_table:str='', data_classification:str='nonsensitive', tags:Dict[str,str]=None, opts=None): super().__init__('hca:GlueEtlJob', name, None, opts) merged_tags = tags.copy() if tags else {} merged_tags.update({ 'hca:dataclassification': data_classification, 'hca:job_name': name, 'hca:target_table': target_table, }) self.role = iam.Role( resource_name=f"{name}-role", path="/glue/", description=f"role for glue etl job => {name}", assume_role_policy=json.dumps({ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": { "Service": "glue.amazonaws.com" } }] }), force_detach_policies=True, opts=pulumi.ResourceOptions(parent=self), tags=merged_tags) if iam_policies: for i, iam_policy in enumerate(iam_policies): iam.RolePolicyAttachment(f"{name}-policy-{i}", policy_arn=iam_policy, role=self.role, opts=pulumi.ResourceOptions(parent=self)) self.glue_job = glue.Job(f"{job_name_prefix}_{name}", glue_version='1.0', command={ 'name': 'glueetl', 'pythonVersion': '3', 'scriptLocation': script_location }, role_arn=self.role.arn, default_arguments=job_args, max_capacity=2, security_configuration=security_config, tags=merged_tags, connections=job_db_connections, opts=pulumi.ResourceOptions(parent=self))
'Statement': [ { 'Action': 'sts:AssumeRole', 'Principal': { 'Service': 'eks.amazonaws.com' }, 'Effect': 'Allow', 'Sid': '' } ], }), ) iam.RolePolicyAttachment( 'eks-service-policy-attachment', role=eks_role.id, policy_arn='arn:aws:iam::aws:policy/AmazonEKSServicePolicy', ) iam.RolePolicyAttachment( 'eks-cluster-policy-attachment', role=eks_role.id, policy_arn='arn:aws:iam::aws:policy/AmazonEKSClusterPolicy', ) ## Ec2 NodeGroup Role ec2_role = iam.Role( 'ec2-nodegroup-iam-role', assume_role_policy=json.dumps({
def __init__(self, name, datalake_bucket: s3.Bucket = None, datalake_raw_path: str = None, fileproc_bucket: s3.Bucket = None, managed_policy_arns: List[str] = None, package_dir: str = None, tags: Dict[str, str] = None, opts: pulumi.ResourceOptions = None): super().__init__('hca:GlueNotificationLambda', name, None, opts) merged_tags = tags.copy() if tags else {} merged_tags.update({'hca:dataclassification': 'pii'}) role = iam.Role(f"{name}-role", path="/lambda/", description=f"role for glue notification lambda", assume_role_policy=json.dumps({ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": { "Service": "lambda.amazonaws.com" } }] }), force_detach_policies=True, tags=merged_tags, opts=pulumi.ResourceOptions(parent=self)) # attach managed policies if managed_policy_arns: for index, policy in enumerate(managed_policy_arns): iam.RolePolicyAttachment( f"{name}-attach-policy-{index}", policy_arn=policy, role=role, opts=pulumi.ResourceOptions(parent=self)) fileprocpolicy = iam.RolePolicy( f"{name}-inline-policy", role=role, policy=pulumi.Output.all(datalake_bucket.bucket, fileproc_bucket.bucket).apply( lambda b: inline_policy(b[0], b[1])), opts=pulumi.ResourceOptions(parent=self)) self.function = lambda_.Function( f"{name}-function", runtime='python3.6', description= 'copy files from fileproc bucket to datalake raw bucket and trigger glue jobs', handler='glue_notification.main', environment={ 'variables': { 'S3_DATALAKE_BUCKET': datalake_bucket, 'S3_RAW_PATH': datalake_raw_path, 'PULUMI_STACK': pulumi.get_stack(), 'PULUMI_PROJECT': pulumi.get_project() } }, memory_size=256, timeout=60, code=pulumi.AssetArchive({ # use lambda-glue-notification created with build.py '.': pulumi.FileArchive(package_dir), }), role=role.arn, tags=merged_tags, opts=pulumi.ResourceOptions(parent=self)) lambda_.Permission(f"{name}-permission", action='lambda:InvokeFunction', principal='s3.amazonaws.com', function=self.function, source_arn=fileproc_bucket.arn, opts=pulumi.ResourceOptions(parent=self))
"Statement": [ { "Sid": "", "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"Service": ["lambda.amazonaws.com"]}, } ], } ), ) # Attach the basic Lambda execution policy to our Role iam.RolePolicyAttachment( resource_name="policy-attachment", policy_arn="arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", role=role.name, ) lambda_layer = lambda_.LayerVersion( resource_name="layer", layer_name="example-layer", compatible_runtimes=["python3.6"], code=lambda_package.layer_archive_path, source_code_hash=lambda_package.layer_hash, ) # Create Lambda function function = lambda_.Function( resource_name="function", role=role.arn,
"Version": "2012-10-17", "Statement": [{ "Action": "sts:AssumeRole", "Principal": { "Service": "lambda.amazonaws.com" }, "Effect": "Allow", "Sid": "", }], }), ) lambda_role_policy_exec = iam.RolePolicyAttachment( "ce-lambda-role-policy-exec", role=lambda_role.id, policy_arn= "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", ) lambda_role_policy_ec2 = iam.RolePolicyAttachment( "ce-lambda-role-policy-ec2", role=lambda_role.id, policy_arn="arn:aws:iam::aws:policy/AmazonEC2FullAccess", ) sfn_role = iam.Role( "ce-sfn-role", assume_role_policy=json.dumps({ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow",
}] })) policy = iam.Policy("mypolicy", policy=json.dumps({ "Version": "2012-10-17", "Statement": [{ "Action": ["ec2:Describe*"], "Effect": "Allow", "Resource": "*" }] })) role_policy_attachment = iam.RolePolicyAttachment("myrolepolicyattachment", role=role.id, policy_arn=policy.arn) user = iam.User("myuser") group = iam.Group("mygroup") ## Kinesis stream = kinesis.Stream("mystream", shard_count=1) ## SQS queue = sqs.Queue("myqueue") ## SNS topic = sns.Topic("mytopic")
role = iam.Role( f"{APP}-flowlog-role", assume_role_policy=assume_role_policy_doc, name=f"{APP}-flowlog-role", path="/", tags={ 'Name': f"{APP}-flowlog-role", 'Environment': _env } ) attach_info = Output.all(role.name, policy.arn) role_attach = attach_info.apply( lambda info: iam.RolePolicyAttachment( f"{APP}-flowlog-role-attach", policy_arn=info[1], role=info[0] ) ) flowlog_info = Output.all(role.arn, log_group.arn) flowlog = flowlog_info.apply( lambda info: ec2.FlowLog( f"{APP}-flowlog", iam_role_arn=info[0], log_destination=info[1], traffic_type="ALL", vpc_id=vpc.id, tags={ 'Name': f"{APP}-flowlog", 'Environment': _env
'compressionFormat': 'GZIP' }) firehoseRolePolicy = iam.RolePolicy( 'ReplicationDeliveryStreamPolicy', role=firehoseRole.name, policy=getFirehoseRolePolicyDocument( region, accountId, bucket.arn, deliveryStream.name).apply(lambda d: json.dumps(d))) lambdaRole = iam.Role('ReplicationLambdaRole', assume_role_policy=getLambdaRoleTrustPolicyDocument()) lambdaRoleBasicExecutionPolicy = iam.RolePolicyAttachment( 'ReplicationLambdaBasicExecPolicy', role=lambdaRole.name, policy_arn= 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole') lambdaRoleAllowDynamoStreamPolicy = iam.RolePolicy( "ReplicationLambdaAllowDynamoPolicy", role=lambdaRole.name, policy=getAllowDynamoStreamPolicyDocument( dynamoTable.stream_arn).apply(lambda d: json.dumps(d))) lambdaRoleAllowFirehosePutPolicy = iam.RolePolicy( "ReplicationLambdaAllowFirehosePolicy", role=lambdaRole.name, policy=getAllowFirehosePutPolicyDocument( deliveryStream.arn).apply(lambda d: json.dumps(d)))
})) policy = iam.Policy( "iam-policy", policy=table.arn.apply(lambda arn: json.dumps({ "Version": "2012-10-17", "Statement": [{ "Action": ["dynamodb:PutItem", "dynamodb:GetItem"], "Effect": "Allow", "Resource": [arn] }] }))) attachment = iam.RolePolicyAttachment("iam-policy-attachment", role=role, policy_arn=policy.arn) ## GraphQL Schema schema = """ type Query { getTenantById(id: ID!): Tenant } type Mutation { addTenant(id: ID!, name: String!): Tenant! } type Tenant { id: ID! name: String
max_session_duration='3600', path='/', force_detach_policies=False, ) ec2_role = iam.Role( 'ec2-role', assume_role_policy= '{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"sts:AssumeRole\"],\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"ec2.amazonaws.com\"]}}]}', max_session_duration='3600', path='/', force_detach_policies=False, ) eks_role_policy_0 = iam.RolePolicyAttachment( 'eks-role-policy-0', policy_arn='arn:aws:iam::aws:policy/AmazonEKSClusterPolicy', role=eks_role.name) eks_role_policy_1 = iam.RolePolicyAttachment( 'eks-role-policy-1', policy_arn='arn:aws:iam::aws:policy/AmazonEKSServicePolicy', role=eks_role.name) instance_role_policy_0 = iam.RolePolicyAttachment( 'instance-role-policy-0', policy_arn='arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly', role=ec2_role.name) instance_role_policy_1 = iam.RolePolicyAttachment( 'instance-role-policy-1', policy_arn='arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy',
"Action": ["s3:GetObject"], "Resource": f"{bucket_arn}/*", }, ], }) iam.RolePolicy( f"{MODULE_NAME}-role-policy", role=role.id, policy=bucket.arn.apply(lambda_role_policy), ) iam.RolePolicyAttachment( f"{MODULE_NAME}-xray", policy_arn="arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess", role=role.id, ) aws_lambda = lambda_.Function( f"{MODULE_NAME}", role=role.arn, runtime="python3.6", handler="lambda_handler.morgue_stalker", s3_key=config.require("artifact_name"), s3_bucket="morgue-artifacts", tracing_config={"mode": "Active"}, timeout=900, layers=[dependency_layer.arn], environment={"variables": { "MORGUE_BUCKETNAME": bucket.id
"Version": "2012-10-17", "Statement": [ { "Action": "sts:AssumeRole", "Principal": { "Service": "lambda.amazonaws.com" }, "Effect": "Allow", "Sid": "" } ] }""") iam.RolePolicyAttachment( "VpcAccessPolicyAttach", policy_arn= "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole", role=example_role.name) # Lambda mount_location = "/mnt/efs" example_function = lambda_.Function( "exampleFunction", code="lambda.zip", source_code_hash=filebase64sha256("lambda.zip"), handler="handler.my_handler", role=example_role.arn, runtime="python3.8", vpc_config={