            Statement(
                Effect=Allow,
                Action=[AssumeRole],
                Principal=Principal("Service", ["ec2.amazonaws.com"])
            )
        ]
    )
))

# Managed-policy resource "Policy" attached to the "Role" resource declared
# earlier in this template: codepipeline:* on every resource ("*").
# NOTE(review): the Resource wildcard puts every pipeline in the account in
# scope; narrow it to the pipeline ARN(s) this role actually drives if known.
t.add_resource(
    IAMPolicy(
        "Policy",
        Roles=[Ref("Role")],
        PolicyName="AllowCodePipeline",
        PolicyDocument=Policy(Statement=[
            Statement(Effect=Allow,
                      Action=[Action("codepipeline", "*")],
                      Resource=["*"]),
        ]),
    )
)

# Instance profile wrapping "Role" so EC2 instances can be launched with it;
# Path "/" is the IAM root path.
t.add_resource(
    InstanceProfile("InstanceProfile", Roles=[Ref("Role")], Path="/"))

t.add_resource(ec2.Instance(
    "instance",
            SecurityGroupRule("HyP3ProcessingInstancesSecurityGroupWebOut",
                              IpProtocol="tcp",
                              FromPort="80",
                              ToPort="80",
                              CidrIp="0.0.0.0/0"),
            SecurityGroupRule("HyP3ProcessingInstancesSecurityGroupWebSOut",
                              IpProtocol="tcp",
                              FromPort="443",
                              ToPort="443",
                              CidrIp="0.0.0.0/0")
        ]))

# Inline policy granting object get/put (presumably the awacs s3 GetObject /
# PutObject actions) on the objects under the products bucket only: the
# Resource is the bucket's Arn attribute plus "/*", built with Sub. This is
# the bucket-scoped pattern to prefer over a "*" resource.
products_bucket_access = IAMPolicy(
    PolicyDocument=Policy(
        Statement=[
            Statement(
                Effect=Allow,
                Action=[GetObject, PutObject],
                Resource=[
                    Sub("${Arn}/*", Arn=GetAtt(products_bucket, "Arn")),
                ],
            ),
        ],
    ),
    PolicyName="ProductsPutObject",
)

# Inline policy for a consumer of the start_events queue: receive and delete
# messages and resolve the queue URL, limited to that one queue (Resource is
# the queue's Arn attribute rather than "*").
poll_messages = IAMPolicy(
    PolicyDocument=Policy(
        Statement=[
            Statement(
                Effect=Allow,
                Action=[ReceiveMessage, DeleteMessage, GetQueueUrl],
                Resource=[GetAtt(start_events, "Arn")],
            ),
        ],
    ),
    PolicyName="QueueGetMessages",
)

publish_notifications = IAMPolicy(
    PolicyName="PublishNotifications",
    PolicyDocument=Policy(Statement=[
 # Inline policy for the pipeline role: every statement is "<service>:*" on
 # Resource "*". The iam:* statement lets the role create roles and attach
 # policies, so anything that runs under this role (a build step, a
 # compromised pipeline stage) can escalate to account admin; s3:* and
 # cloudformation:* on "*" reach every bucket and stack in the account.
 # NOTE(review): enumerate the actions and ARNs the pipeline really needs.
 # There is no "Version" key, so IAM applies its legacy default policy
 # language; that only matters if policy variables are introduced later.
 IAMPolicy(PolicyName="CodePipelinePolicy",
           PolicyDocument={
               "Statement": [
                   {
                       "Effect": "Allow",
                       "Action": "cloudformation:*",
                       "Resource": "*"
                   },
                   {
                       "Effect": "Allow",
                       "Action": "codebuild:*",
                       "Resource": "*"
                   },
                   {
                       "Effect": "Allow",
                       "Action": "codepipeline:*",
                       "Resource": "*"
                   },
                   {
                       "Effect": "Allow",
                       "Action": "ecr:*",
                       "Resource": "*"
                   },
                   {
                       "Effect": "Allow",
                       "Action": "ecs:*",
                       "Resource": "*"
                   },
                   {
                       "Effect": "Allow",
                       "Action": "iam:*",  # privilege-escalation path; see note above
                       "Resource": "*"
                   },
                   {
                       "Effect": "Allow",
                       "Action": "s3:*",
                       "Resource": "*"
                   },
               ],
           }),
 # Inline pipeline-role policy: seven "<service>:*" statements, all on
 # Resource "*". The iam:* entry is the critical one — with it the role can
 # create and attach arbitrary policies, i.e. escalate to account admin.
 # NOTE(review): replace the wildcards with the specific actions and ARNs
 # the pipeline uses. No "Version" key is set, so IAM uses its legacy
 # default policy language (relevant only if policy variables are added).
 IAMPolicy(PolicyName="MyeongjaeKimCodePipeline",
           PolicyDocument={
               "Statement": [
                   {
                       "Effect": "Allow",
                       "Action": "cloudformation:*",
                       "Resource": "*"
                   },
                   {
                       "Effect": "Allow",
                       "Action": "codebuild:*",
                       "Resource": "*"
                   },
                   {
                       "Effect": "Allow",
                       "Action": "codepipeline:*",
                       "Resource": "*"
                   },
                   {
                       "Effect": "Allow",
                       "Action": "ecr:*",
                       "Resource": "*"
                   },
                   {
                       "Effect": "Allow",
                       "Action": "ecs:*",
                       "Resource": "*"
                   },
                   {
                       "Effect": "Allow",
                       "Action": "iam:*",  # privilege-escalation path; see note above
                       "Resource": "*"
                   },
                   {
                       "Effect": "Allow",
                       "Action": "s3:*",
                       "Resource": "*"
                   },
               ]
           })
                    [
                        FindInMap("Region2Principal", Ref("AWS::Region"),
                                  "EC2Principal")
                    ],
                ),
            )
        ]),
        Path="/",
    ))

# Managed policy for the web server role. Allow + NotAction("iam:*") on
# Resource "*" permits every action in every service except IAM — this is
# close to account-wide power-user access, broader than the name suggests.
# NOTE(review): if this is tightened, list the services the web server uses
# instead of excluding one.
t.add_resource(
    IAMPolicy(
        "WebServerRolePolicy",
        Roles=[Ref("WebServerRole")],
        PolicyName="WebServerRole",
        PolicyDocument=PolicyDocument(
            Statement=[
                Statement(Effect=Allow,
                          NotAction=Action("iam", "*"),
                          Resource=["*"]),
            ],
        ),
    ),
)

# Instance profile that lets EC2 instances run as WebServerRole.
t.add_resource(
    InstanceProfile(
        "WebServerInstanceProfile",
        Roles=[Ref("WebServerRole")],
        Path="/",
    ),
)

# Elastic Beanstalk application that the sample environment is created in.
t.add_resource(
    Application("SampleApplication",
                Description="AWS Elastic Beanstalk Sample Node.js Application"),
)
 # Inline policy for the ECS service auto-scaling role. PolicyName is derived
 # from the stack name: the first two "-"-separated segments (Select 0 and 1
 # of Split) joined with "ScalingRole"; a stack name with fewer than two
 # segments would make the Select fail at deploy time.
 # Actions are mostly specific (ecs:UpdateService, ecs:DescribeServices,
 # cloudwatch:DescribeAlarms, cloudwatch:GetMetricStatistics);
 # application-autoscaling:* is the broad one. Every Resource is "*" —
 # NOTE(review): the two ecs actions could be scoped to the service ARN.
 IAMPolicy(PolicyName=Join("-", [
     Select(0, Split("-", Ref("AWS::StackName"))),
     Select(1, Split("-", Ref("AWS::StackName"))), "ScalingRole"
 ]),
           PolicyDocument={
               "Statement": [
                   {
                       "Effect": "Allow",
                       "Action": "ecs:UpdateService",
                       "Resource": "*"
                   },
                   {
                       "Effect": "Allow",
                       "Action": "ecs:DescribeServices",
                       "Resource": "*"
                   },
                   {
                       "Effect": "Allow",
                       "Action": "application-autoscaling:*",
                       "Resource": "*"
                   },
                   {
                       "Effect": "Allow",
                       "Action": "cloudwatch:DescribeAlarms",
                       "Resource": "*"
                   },
                   {
                       "Effect": "Allow",
                       "Action": "cloudwatch:GetMetricStatistics",
                       "Resource": "*"
                   },
               ],
           }),
from .hyp3_autoscaling_group import custom_metric_name, processing_group
from .hyp3_kms_key import kms_key
from .hyp3_sqs import start_events

# Name of the deployment package for the custom_metric Lambda.
source_zip = "custom_metric.zip"

# Progress marker printed while the template is being assembled.
print("  adding custom_metric lambda")


# Inline policy letting the custom-metric Lambda call
# autoscaling:DescribeAutoScalingGroups. Resource is "*": the call is
# read-only and, as far as I know, Auto Scaling Describe* actions do not
# support resource-level restriction, so the wildcard is expected here.
describe_autoscale = IAMPolicy(
    PolicyDocument=Policy(Statement=[
        Statement(Effect=Allow,
                  Action=[DescribeAutoScalingGroups],
                  Resource=["*"]),
    ]),
    PolicyName="DescribeAutoScalingGroups",
)

get_queue_attributes = IAMPolicy(
    PolicyName="GetQueueAttributes",
    PolicyDocument=Policy(
        Statement=[
            Statement(
                Effect=Allow,
                Action=[GetQueueAttributes],
                Resource=[GetAtt(start_events, "Arn")]
            )
        "sudo echo '*/10 * * * * {}' | sudo tee /etc/cron.d/ansible-pull > /dev/null"
        .format(AnsiblePullCmd)
    ]))

# EC2 instance role. The trust policy lets ec2.amazonaws.com assume it; the
# inline "S3access" document is s3:* on Resource "*", i.e. read, write and
# delete on every bucket in the account, bucket-policy changes included.
# NOTE(review): scope the statement to the bucket ARN(s) the instance uses.
t.add_resource(
    Role(
        "Role",
        Policies=[
            IAMPolicy(
                PolicyName="S3access",
                PolicyDocument={
                    "Statement": [
                        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
                    ],
                },
            ),
        ],
        AssumeRolePolicyDocument=Policy(Statement=[
            Statement(Effect=Allow,
                      Action=[AssumeRole],
                      Principal=Principal("Service", ["ec2.amazonaws.com"])),
        ]),
    ),
)

# Instance profile exposing "Role" to EC2 instances.
t.add_resource(
    InstanceProfile("InstanceProfile", Roles=[Ref("Role")], Path="/"),
)

t.add_resource(
    ec2.Instance(
        "instance",
        ImageId="ami-08935252a36e25f85",
        InstanceType="t2.micro",
        SecurityGroups=[Ref("SecurityGroup")],
        KeyName=Ref("KeyPair"),
        "LambdaCleanImagesRole",
        AssumeRolePolicyDocument=Policy(Statement=[
            Statement(Effect=Allow,
                      Action=[AssumeRole],
                      Principal=Principal("Service", ["lambda.amazonaws.com"]))
        ]),
        Policies=[
            # Inline policy for the image-cleanup Lambda. ec2:DescribeImages and
            # ec2:DeregisterImage are granted on "*": DescribeImages needs the
            # wildcard, but DeregisterImage on "*" means the function can remove
            # any AMI in the account, not only the base images it manages.
            # NOTE(review): consider a tag/owner Condition so only images this
            # function is meant to manage can be deregistered. The second
            # statement is the standard CloudWatch Logs write set on every log
            # group/stream.
            IAMPolicy("LambdaCleanBaseImagesPolicy",
                      PolicyName="LambdaCleanBaseImagesPolicy",
                      PolicyDocument=Policy(Statement=[
                          Statement(Effect=Allow,
                                    Action=[
                                        Action('ec2', 'DescribeImages'),
                                        Action('ec2', 'DeregisterImage'),
                                    ],
                                    Resource=['*']),
                          Statement(Effect=Allow,
                                    Action=[
                                        Action('logs', 'CreateLogGroup'),
                                        Action('logs', 'CreateLogStream'),
                                        Action('logs', 'PutLogEvents'),
                                    ],
                                    Resource=['arn:aws:logs:*:*:*'])
                      ]))
        ]))

backup_rds_role = t.add_resource(
    Role(
        "LambdaBackupRDSRole",
        AssumeRolePolicyDocument=Policy(Statement=[
            Statement(Effect=Allow,
# Instance profile so app-server instances can run as AppServersRole.
t.add_resource(
    InstanceProfile("AppServersInstanceProfile",
                    Roles=[Ref("AppServersRole")],
                    Path="/"),
)

# Managed policy for AppServersRole: s3:* and logs:* on every resource.
# s3:* on "*" includes delete and bucket-policy changes on all buckets;
# logs:* on "*" includes deleting log groups and streams, which can erase
# audit trails from a compromised app server.
# NOTE(review): narrow to the Put*/Get* actions needed and to concrete ARNs.
t.add_resource(
    IAMPolicy(
        "Policy",
        Roles=[Ref("AppServersRole")],
        PolicyName="AllowS3",
        PolicyDocument=Policy(Statement=[
            Statement(Effect=Allow,
                      Action=[Action("s3", "*")],
                      Resource=["*"]),
            Statement(Effect=Allow,
                      Action=[Action("logs", "*")],
                      Resource=["*"]),
        ]),
    ),
)

t.add_resource(LaunchConfiguration(
    "LaunchConfiguration",
    UserData=ud,
    ImageId="ami-eaa5bf90",
    KeyName=Ref("KeyPair"),
    SecurityGroups=[Ref("SecurityGroup")],
 # Inline pipeline-role policy: eight "<service>:*" statements on Resource
 # "*". iam:* lets the role create roles and attach policies (escalation to
 # account admin); codecommit:* on "*" covers every repository, including
 # deleting them. NOTE(review): replace the wildcards with the actions and
 # ARNs the pipeline needs. No "Version" key, so IAM's legacy default policy
 # language applies (matters only if policy variables are added later).
 IAMPolicy(PolicyName="NetworkCodePipeline",
           PolicyDocument={
               "Statement": [
                   {
                       "Effect": "Allow",
                       "Action": "cloudformation:*",
                       "Resource": "*"
                   },
                   {
                       "Effect": "Allow",
                       "Action": "codebuild:*",
                       "Resource": "*"
                   },
                   {
                       "Effect": "Allow",
                       "Action": "codepipeline:*",
                       "Resource": "*"
                   },
                   {
                       "Effect": "Allow",
                       "Action": "ecr:*",
                       "Resource": "*"
                   },
                   {
                       "Effect": "Allow",
                       "Action": "ecs:*",
                       "Resource": "*"
                   },
                   {
                       "Effect": "Allow",
                       "Action": "iam:*",  # privilege-escalation path; see note above
                       "Resource": "*"
                   },
                   {
                       "Effect": "Allow",
                       "Action": "s3:*",
                       "Resource": "*"
                   },
                   {
                       "Effect": "Allow",
                       "Action": "codecommit:*",
                       "Resource": "*"
                   },
               ],
           }),
                                           ["codepipeline.amazonaws.com"]))
         ]),
         Path="/",
         Policies=[
             # Inline pipeline-role policy, five "<service>:*" statements on
             # Resource "*". The iam:* entry lets the role create and attach
             # arbitrary policies, i.e. escalate to account admin; s3:* and
             # cloudformation:* on "*" reach every bucket and stack.
             # NOTE(review): list the specific actions and ARNs instead. No
             # "Version" key is set, so IAM's legacy default applies.
             IAMPolicy(PolicyName="HelloworldCodePipeline",
                       PolicyDocument={
                           "Statement": [{
                               "Effect": "Allow",
                               "Action": "cloudformation:*",
                               "Resource": "*"
                           }, {
                               "Effect": "Allow",
                               "Action": "codebuild:*",
                               "Resource": "*"
                           }, {
                               "Effect": "Allow",
                               "Action": "codepipeline:*",
                               "Resource": "*"
                           }, {
                               "Effect": "Allow",
                               "Action": "s3:*",
                               "Resource": "*"
                           }, {
                               "Effect": "Allow",
                               "Action": "iam:*",  # privilege-escalation path; see note above
                               "Resource": "*"
                           }]
                       })
         ]))

t.add_resource(
    Role("CloudFormationHelloworldRole",
# EC2 role for the Pug instance: trusted by ec2.amazonaws.com, with one
# inline policy granting s3:* on the objects under the "cpug" bucket. The
# ARN is object-level ("cpug/*"), so bucket-level calls such as ListBucket
# are not covered, while object reads like the `aws s3 cp` in the user data
# below are. Object-scoped s3:* still includes delete/overwrite on that
# prefix; s3:GetObject alone would match the user data's needs.
role = template.add_resource(
    Role(
        "PugRole",
        Path="/",
        AssumeRolePolicyDocument=Policy(Statement=[
            Statement(Effect=Allow,
                      Action=[AssumeRole],
                      Principal=Principal("Service", ["ec2.amazonaws.com"])),
        ]),
        Policies=[
            IAMPolicy(
                "PugPolicy",
                PolicyName="PugPolicy",
                PolicyDocument=Policy(Statement=[
                    Statement(Effect=Allow,
                              Action=[Action("s3", "*")],
                              Resource=["arn:aws:s3:::cpug/*"]),
                ]),
            ),
        ],
    ),
)

# Instance profile for PugRole. The reference is written as a raw
# {"Ref": ...} dict here rather than the Ref() helper used for the role
# above; both render to the same intrinsic function in the template.
instance_profile = template.add_resource(
    InstanceProfile("PugInstanceProfile",
                    Roles=[{"Ref": "PugRole"}],
                    Path="/"),
)

user_data = """#!/bin/bash
# install web server
yum install httpd -y
aws s3 cp s3://cpug/image.png /var/www/icons/image.png
 # Inline pipeline-role policy: eight "<service>:*" statements on Resource
 # "*". iam:* lets the role create roles and attach policies (escalation to
 # account admin); s3:*, ecr:* and codecommit:* on "*" reach every bucket,
 # registry and repository in the account. NOTE(review): enumerate the
 # actions and ARNs the pipeline needs. No "Version" key, so IAM's legacy
 # default policy language applies (relevant only if policy variables are
 # introduced later).
 IAMPolicy(PolicyName="ECSCodePipeline",
           PolicyDocument={
               "Statement": [
                   {
                       "Effect": "Allow",
                       "Action": "cloudformation:*",
                       "Resource": "*"
                   },
                   {
                       "Effect": "Allow",
                       "Action": "codebuild:*",
                       "Resource": "*"
                   },
                   {
                       "Effect": "Allow",
                       "Action": "codepipeline:*",
                       "Resource": "*"
                   },
                   {
                       "Effect": "Allow",
                       "Action": "ecr:*",
                       "Resource": "*"
                   },
                   {
                       "Effect": "Allow",
                       "Action": "ecs:*",
                       "Resource": "*"
                   },
                   {
                       "Effect": "Allow",
                       "Action": "iam:*",  # privilege-escalation path; see note above
                       "Resource": "*"
                   },
                   {
                       "Effect": "Allow",
                       "Action": "s3:*",
                       "Resource": "*"
                   },
                   {
                       "Effect": "Allow",
                       "Action": "codecommit:*",
                       "Resource": "*"
                   },
               ],
           }),
# The EC2 instance itself. ImageId is a hard-coded AMI id, and AMI ids are
# region-specific, so the template only launches in the region that image
# exists in. IamInstanceProfile hands the instance the permissions attached
# to "Role"; `ud` carries the user-data script.
t.add_resource(
    ec2.Instance(
        "instance",
        IamInstanceProfile=Ref("InstanceProfile"),
        UserData=ud,
        KeyName=Ref("KeyPair"),
        SecurityGroups=[Ref("SecurityGroup")],
        InstanceType="t2.micro",
        ImageId="ami-0ebe657bc328d4e82",
    ),
)

# Managed policy "AllowS3" attached to "Role": s3:* on every bucket and
# object in the account (delete and bucket-policy changes included).
# NOTE(review): restrict to the bucket ARN(s) the instance actually uses.
t.add_resource(
    IAMPolicy(
        "Policy",
        Roles=[Ref("Role")],
        PolicyName="AllowS3",
        PolicyDocument=Policy(Statement=[
            Statement(Effect=Allow,
                      Action=[Action("s3", "*")],
                      Resource=["*"]),
        ]),
    ),
)

# Stack output exposing the instance's public IPv4 address.
t.add_output(
    Output("InstancePublicIp",
           Value=GetAtt("instance", "PublicIp"),
           Description="Public IP of our instance."),
)

t.add_output(
    Output(
        "WebUrl",
        Description="Application endpoint",
 # Execution policy for the CloudTrail-processing Lambda. Most statements are
 # scoped: s3:GetObject on objects in `bucket`, sns Publish on
 # notificationTopic (the lowercase "publish" is fine — IAM matches action
 # names case-insensitively), and the CloudWatch Logs write set. The two
 # Resource "*" statements are lambda:GetFunction (already flagged by the
 # todo below) and iam:ListRolePolicies / iam:GetRolePolicy; both are
 # read-only, but the latter lets the function read the inline policies of
 # every role in the account — NOTE(review): scope it to the role ARN(s) it
 # actually inspects.
 IAMPolicy(
     "LambdaPolicy",
     PolicyName="LambdaCloudtrailPolicy",
     PolicyDocument=Policy(Statement=[
         Statement(Effect=Allow,
                   Action=[
                       Action('s3', 'GetObject'),
                   ],
                   Resource=[
                       Join("",
                            ['arn:aws:s3:::',
                             Ref(bucket), '/*'])
                   ]),
         Statement(Effect=Allow,
                   Action=[
                       Action('logs', 'CreateLogGroup'),
                       Action('logs', 'CreateLogStream'),
                       Action('logs', 'PutLogEvents'),
                   ],
                   Resource=['arn:aws:logs:*:*:*']),
         Statement(
             Effect=Allow,
             Action=[
                 Action('lambda', 'GetFunction'),
             ],
             Resource=['*'
                       ]  # todo: limit this to the function itself
         ),
         Statement(Effect=Allow,
                   Action=[Action('sns', 'publish')],
                   Resource=[Ref(notificationTopic)]),
         Statement(Effect=Allow,
                   Action=[
                       Action('iam', 'ListRolePolicies'),
                       Action('iam', 'GetRolePolicy')
                   ],
                   Resource=['*']),  # read-only, but account-wide; see note above
     ]))
# EC2 instance role carrying only a trust policy (ec2.amazonaws.com may
# assume it); its permissions are attached separately by IAMPolicy
# resources further down.
t.add_resource(
    Role(
        "Role",
        AssumeRolePolicyDocument=Policy(
            Statement=[
                Statement(Effect=Allow,
                          Action=[AssumeRole],
                          Principal=Principal("Service",
                                              ["ec2.amazonaws.com"])),
            ],
        ),
    ),
)

# Instance profile exposing "Role" to EC2 instances.
t.add_resource(
    InstanceProfile("InstanceProfile", Roles=[Ref("Role")], Path="/"),
)

# Managed policy "AllowS3" attached to "Role": s3:* on every bucket and
# object in the account (delete and bucket-policy changes included).
# NOTE(review): restrict to the bucket ARN(s) the instance actually uses.
t.add_resource(
    IAMPolicy(
        "Policy",
        Roles=[Ref("Role")],
        PolicyName="AllowS3",
        PolicyDocument=Policy(Statement=[
            Statement(Effect=Allow,
                      Action=[Action("s3", "*")],
                      Resource=["*"]),
        ]),
    ),
)

t.add_resource(
    IAMPolicy("MonitoringPolicy",
              PolicyName="AllowSendingDataForMonitoring",
              PolicyDocument=Policy(Statement=[
                  Statement(Effect=Allow,
                            Action=[
                                Action("cloudwatch", "Put*"),
                                Action("logs", "Create*"),
                                Action("logs", "Put*"),
                                Action("logs", "Describe*"),
                                Action("events", "Put*"),
    AssumeRolePolicyDocument=Policy(
        Statement=[
            Statement(
                Effect=Allow,
                Action=[AssumeRole],
                Principal=Principal("Service", ["codepipeline.amazonaws.com"])
            )
        ]
    ),
    Policies=[
        # Inline pipeline-role policy: five "<service>:*" statements on Resource
        # "*". iam:* lets the role create roles and attach arbitrary policies,
        # i.e. escalate to account admin; s3:* and cloudformation:* on "*" reach
        # every bucket and stack. NOTE(review): list the specific actions and
        # ARNs the pipeline needs. No "Version" key is set, so IAM's legacy
        # default policy language applies (relevant only with policy variables).
        IAMPolicy(
            PolicyName="PortfolioCodePipeline",
            PolicyDocument={
                "Statement": [
                    {"Effect": "Allow", "Action": "cloudformation:*", "Resource": "*"},
                    {"Effect": "Allow", "Action": "codedeploy:*", "Resource": "*"},
                    {"Effect": "Allow", "Action": "codepipeline:*", "Resource": "*"},
                    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},  # privilege-escalation path; see note above
                    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}
                ]
            }
        )
    ]
))

template.add_resource(Pipeline(
    "PortfolioPipeline",
    RoleArn=GetAtt("PortfolioPipelineRole", "Arn"),
    ArtifactStore=ArtifactStore(
        Type="S3",
        Location=Ref("S3Bucket")
    ),