def test_for_all_values(self): c = aws.Condition( aws.ForAllValuesStringLike("dynamodb:requestedAttributes", ["PostDateTime", "Message", "Tags"])) pd = aws.PolicyDocument(Statement=[ aws.Statement( Action=[s3.ListBucket], Effect=aws.Allow, Resource=[s3.ARN("myBucket")], Condition=c, ) ]) self.assertEqual( { 'Statement': [{ 'Action': ['s3:ListBucket'], 'Condition': { 'ForAllValues:StringLike': { 'dynamodb:requestedAttributes': ['PostDateTime', 'Message', 'Tags'] } }, 'Effect': 'Allow', 'Resource': ['arn:aws:s3:::myBucket'] }] }, json.loads(pd.to_json()))
def test_for_all_values(self): c = aws.Condition( aws.ForAllValuesStringLike("dynamodb:requestedAttributes", ["PostDateTime", "Message", "Tags"])) pd = aws.PolicyDocument(Statement=[ aws.Statement( Action=[s3.ListBucket], Effect=aws.Allow, Resource=[s3.ARN("myBucket")], Condition=c, ) ]) self.assertEqual( { "Statement": [{ "Action": ["s3:ListBucket"], "Condition": { "ForAllValues:StringLike": { "dynamodb:requestedAttributes": [ "PostDateTime", "Message", "Tags", ] } }, "Effect": "Allow", "Resource": ["arn:aws:s3:::myBucket"], }] }, json.loads(pd.to_json()), )
def _codebuild_role(artifacts_bucket: Parameter, resources_bucket: Parameter, cmk: Parameter) -> iam.Role: """Construct a role for use by CodeBuild. :param artifacts_bucket: Artifacts bucket parameter :param resources_bucket: Resources bucket parameter :param cmk: KMS CMK parameter :return: Constructed Role """ assume_policy = AWS.PolicyDocument(Statement=[ AWS.Statement( Principal=AWS.Principal( "Service", make_service_domain_name(CODEBUILD.prefix)), Effect=AWS.Allow, Action=[STS.AssumeRole], ) ]) policy = AWS.PolicyDocument(Statement=[ AWS.Statement( Effect=AWS.Allow, Action=[ LOGS.CreateLogGroup, LOGS.CreateLogStream, LOGS.PutLogEvents ], Resource=[account_arn(service_prefix=LOGS.prefix, resource="*")], ), AWS.Statement( Effect=AWS.Allow, Action=[S3.GetObject, S3.GetObjectVersion, S3.PutObject], Resource=[ Sub(f"${{{artifacts_bucket.title}}}/*"), Sub(f"${{{resources_bucket.title}}}/*") ], ), AWS.Statement(Effect=AWS.Allow, Action=[KMS.Encrypt, KMS.Decrypt, KMS.GenerateDataKey], Resource=[cmk.ref()]), ]) return iam.Role( resource_name(iam.Role, "CodeBuild"), AssumeRolePolicyDocument=assume_policy, Policies=[ iam.Policy(PolicyName=_policy_name("CodeBuild"), PolicyDocument=policy) ], )
def _assume_policy(service: str) -> AWS.PolicyDocument: return AWS.PolicyDocument(Statement=[ AWS.Statement( Principal=AWS.Principal("Service", make_service_domain_name( service)), Effect=AWS.Allow, Action=[STS.AssumeRole], ) ])
def _project_key(project: Config) -> kms.Key: """Construct the AWS CMK that will be used to protect project resources. :param project: Source project :return: Constructed key """ policy = AWS.PolicyDocument( Version="2012-10-17", Statement=[ AWS.Statement( Effect=AWS.Allow, Principal=AWS.Principal("AWS", account_arn("iam", "root")), Action=[ KMS.Encrypt, KMS.Decrypt, KMS.ReEncrypt, KMS.GenerateDataKey, KMS.GenerateDataKeyWithoutPlaintext, KMS.DescribeKey, KMS.GetKeyPolicy, ], Resource=["*"], ), # TODO: Change admin statement to some other principal? AWS.Statement( Effect=AWS.Allow, Principal=AWS.Principal("AWS", account_arn("iam", "root")), Action=[ KMS.GetKeyPolicy, KMS.PutKeyPolicy, KMS.ScheduleKeyDeletion, KMS.CancelKeyDeletion, KMS.CreateAlias, KMS.DeleteAlias, KMS.UpdateAlias, KMS.DescribeKey, KMS.EnableKey, KMS.DisableKey, KMS.GetKeyRotationStatus, KMS.EnableKeyRotation, KMS.DisableKeyRotation, KMS.ListKeyPolicies, KMS.ListResourceTags, KMS.TagResource, KMS.UntagResource, ], Resource=["*"], ), ], ) return kms.Key( resource_name(kms.Key, "Stack"), Enabled=True, EnableKeyRotation=False, KeyPolicy=policy, Tags=project_tags(project), )
def step_functions_role(name: str, *statements: AWS.Statement) -> iam.Role: return iam.Role( name, AssumeRolePolicyDocument=_assume_policy(STATES.prefix), Policies=[ iam.Policy( PolicyName=f"{name}Policy", PolicyDocument=AWS.PolicyDocument(Statement=list(statements))) ], )
def _cloudformation_role() -> iam.Role: """Construct a role for use by CloudFormation. :return: Constructed Role """ assume_policy = AWS.PolicyDocument(Statement=[ AWS.Statement( Principal=AWS.Principal( "Service", make_service_domain_name(CLOUDFORMATION.prefix)), Effect=AWS.Allow, Action=[STS.AssumeRole], ) ]) # TODO: Figure out how to scope this down without breaking IAM # IAM policies break if there is a * in certain fields, # so this does not work: # arn:PARTITION:*:REGION:ACCOUNT:* # # _desired_policy = AWS.PolicyDocument( # Statement=[ # AWS.Statement( # Effect=AWS.Allow, # Action=[AWS.Action("*")], # Resource=[ # account_arn(service_prefix="*", resource="*"), # account_arn(service_prefix=S3.prefix, resource="*"), # account_arn(service_prefix=IAM.prefix, resource="*"), # ], # ) # ] # ) policy = AWS.PolicyDocument(Statement=[ AWS.Statement( Effect=AWS.Allow, Action=[AWS.Action("*")], Resource=["*"]) ]) return iam.Role( resource_name(iam.Role, "CloudFormation"), AssumeRolePolicyDocument=assume_policy, Policies=[ iam.Policy(PolicyName=_policy_name("CloudFormation"), PolicyDocument=policy) ], )
def _cloudformation_role() -> iam.Role: """Build and return the IAM Role resource to be used by the pipeline to interact with CloudFormation.""" policy = iam.Policy( "CloudFormationPolicy", PolicyName="CloudFormationPolicy", PolicyDocument=AWS.PolicyDocument(Statement=[AllowEverywhere(Action=[AWS.Action("*")])]), ) return iam.Role( "CloudFormationRole", AssumeRolePolicyDocument=_service_assume_role(CLOUDFORMATION.prefix), Policies=[policy] )
def generate_role_template( command: str, actions: list, role_name: str, path: str, assuming_account_id: str, assuming_resource: str, output_format: str, ) -> str: t = troposphere.Template() t.description = f"Role used to run the {command} command" t.add_resource( iam.Role( title="role", RoleName=role_name, Path=path, Policies=[ iam.Policy( PolicyName=f"{command}-permissions", PolicyDocument=aws.PolicyDocument( Version="2012-10-17", Id=f"{command}-permissions", Statement=[ aws.Statement( Sid="1", Effect=aws.Allow, Action=actions, Resource=["*"], ), ], ), ) ], AssumeRolePolicyDocument=aws.Policy( Version="2012-10-17", Id="AllowAssume", Statement=[ aws.Statement( Sid="1", Effect=aws.Allow, Principal=aws.Principal("AWS", [ IAM_ARN(assuming_resource, "", assuming_account_id) ]), Action=[awacs_sts.AssumeRole], ), ], ), )) if output_format == "json": return t.to_json() else: return t.to_yaml()
def lambda_role(name: str, *additional_statements: AWS.Statement) -> iam.Role: statements = [_basic_lambda_statement()] statements.extend(additional_statements) return iam.Role( name, AssumeRolePolicyDocument=_assume_policy(AWSLAMBDA.prefix), Policies=[ iam.Policy(PolicyName=f"{name}Policy", PolicyDocument=AWS.PolicyDocument(Statement=statements)) ], )
def _codebuild_role() -> iam.Role: """Build and return the IAM Role resource to be used by CodeBuild to run the build project.""" policy = iam.Policy( "CodeBuildPolicy", PolicyName="CodeBuildPolicy", PolicyDocument=AWS.PolicyDocument( Statement=[ AllowEverywhere(Action=[LOGS.CreateLogGroup, LOGS.CreateLogStream, LOGS.PutLogEvents]), AllowEverywhere(Action=[S3.GetObject, S3.GetObjectVersion, S3.PutObject]), ] ), ) return iam.Role("CodeBuildRole", AssumeRolePolicyDocument=_service_assume_role(CODEBUILD.prefix), Policies=[policy])
def generate_role_template( command: str, actions: list, role_name: str, path: str, assuming_account_id: str, assuming_resource: str, additional_statements: list = [], ) -> troposphere.Template: t = troposphere.Template() t.description = f"Role used to run the {command} command" role = iam.Role( title="role", RoleName=role_name, Path=path, Policies=[ iam.Policy( PolicyName=f"{command}-permissions", PolicyDocument=aws.PolicyDocument( Version="2012-10-17", Id=f"{command}-permissions", Statement=[ aws.Statement(Sid="1", Effect=aws.Allow, Action=actions, Resource=["*"]) ] + additional_statements, ), ) ], AssumeRolePolicyDocument=aws.Policy( Version="2012-10-17", Id="AllowAssume", Statement=[ aws.Statement( Sid="1", Effect=aws.Allow, Principal=aws.Principal( "AWS", [IAM_ARN(assuming_resource, "", assuming_account_id)]), Action=[awacs_sts.AssumeRole], ) ], ), ) t.add_resource(role) t.add_output(troposphere.Output("RoleName", Value=troposphere.Ref(role))) t.add_output( troposphere.Output("RoleArn", Value=troposphere.GetAtt(role, "Arn"))) return t
def events_trigger_stepfuntions_role( name: str, statemachine: stepfunctions.StateMachine) -> iam.Role: return iam.Role( name, AssumeRolePolicyDocument=_assume_policy(EVENTS.prefix), Policies=[ iam.Policy( PolicyName=f"{name}Policy", PolicyDocument=AWS.PolicyDocument(Statement=[ AWS.Statement(Effect=AWS.Allow, Action=[STATES.StartExecution], Resource=[statemachine.ref()]) ]), ) ], )
def build_subscription(self, t, topic): policy = t.add_resource( iam.Role( "{}SlackSNSRole".format(self.name), AssumeRolePolicyDocument=aws.Policy(Statement=[ aws.Statement(Action=[awacs.sts.AssumeRole], Effect=aws.Allow, Principal=aws.Principal( "Service", ["lambda.amazonaws.com"])) ]), Path="/", Policies=[ iam.Policy( PolicyName='snspublic', PolicyDocument=aws.PolicyDocument(Statement=[ aws.Statement(Effect=aws.Allow, Action=[ awacs.sns.Publish, awacs.logs.PutLogEvents, awacs.logs.CreateLogGroup, awacs.logs.CreateLogStream, ], Resource=["*"]) ])) ], ManagedPolicyArns=[ # "arn:aws:iam::aws:policy/AdministratorAccess" ])) code = ["import sys"] # make lambda function fn = t.add_resource( awslambda.Function('{}SlackTopicFN'.format(self.name), Handler='index.handle', Runtime='python3.6', Role=GetAtt(policy, "Arn"), Code=awslambda.Code(ZipFile=Join("", code)))) t.add_resource( awslambda.Permission('{}LambdaPerm'.format(self.name), Action='lambda:InvokeFunction', FunctionName=GetAtt(fn, "Arn"), SourceArn=Ref(topic), Principal="sns.amazonaws.com")) return ("lambda", GetAtt(fn, "Arn"))
def _pipeline_role(buckets: Iterable[s3.Bucket]) -> iam.Role: """Build and return the IAM Role resource to be used by CodePipeline to run the pipeline.""" bucket_statements = [ AWS.Statement( Effect=AWS.Allow, Action=[S3.GetBucketVersioning, S3.PutBucketVersioning], Resource=[GetAtt(bucket, "Arn") for bucket in buckets], ), AWS.Statement( Effect=AWS.Allow, Action=[S3.GetObject, S3.PutObject], Resource=[ Sub("${{{bucket}.Arn}}/*".format(bucket=bucket.title)) for bucket in buckets ], ), ] policy = iam.Policy( "PipelinePolicy", PolicyName="PipelinePolicy", PolicyDocument=AWS.PolicyDocument(Statement=bucket_statements + [ AllowEverywhere(Action=[CLOUDWATCH.Action("*"), IAM.PassRole]), AllowEverywhere( Action=[LAMBDA.InvokeFunction, LAMBDA.ListFunctions]), AllowEverywhere(Action=[ CLOUDFORMATION.CreateStack, CLOUDFORMATION.DeleteStack, CLOUDFORMATION.DescribeStacks, CLOUDFORMATION.UpdateStack, CLOUDFORMATION.CreateChangeSet, CLOUDFORMATION.DeleteChangeSet, CLOUDFORMATION.DescribeChangeSet, CLOUDFORMATION.ExecuteChangeSet, CLOUDFORMATION.SetStackPolicy, CLOUDFORMATION.ValidateTemplate, ]), AllowEverywhere( Action=[CODEBUILD.BatchGetBuilds, CODEBUILD.StartBuild]), ]), ) return iam.Role("CodePipelinesRole", AssumeRolePolicyDocument=_service_assume_role( CODEPIPELINE.prefix), Policies=[policy])
def _codepipeline_role(artifacts_bucket: Parameter, resources_bucket: Parameter, cmk: Parameter) -> iam.Role: """Construct a role for use by CodePipeline. :param artifacts_bucket: Artifacts bucket parameter :param resources_bucket: Resources bucket parameter :param cmk: KMS CMK parameter :return: Constructed Role """ assume_policy = AWS.PolicyDocument(Statement=[ AWS.Statement( Principal=AWS.Principal( "Service", make_service_domain_name(CODEPIPELINE.prefix)), Effect=AWS.Allow, Action=[STS.AssumeRole], ) ]) policy = AWS.PolicyDocument(Statement=[ AWS.Statement( Effect=AWS.Allow, Action=[S3.GetBucketVersioning, S3.PutBucketVersioning], Resource=[artifacts_bucket.ref(), resources_bucket.ref()], ), AWS.Statement( Effect=AWS.Allow, Action=[S3.GetObject, S3.PutObject], Resource=[ Sub(f"${{{artifacts_bucket.title}}}/*"), Sub(f"${{{resources_bucket.title}}}/*") ], ), AWS.Statement(Effect=AWS.Allow, Action=[KMS.Encrypt, KMS.Decrypt, KMS.GenerateDataKey], Resource=[cmk.ref()]), AWS.Statement( Effect=AWS.Allow, Action=[CLOUDWATCH.Action("*")], Resource=[ account_arn(service_prefix=CLOUDWATCH.prefix, resource="*") ], ), AWS.Statement( Effect=AWS.Allow, Action=[IAM.PassRole], Resource=[ account_arn(service_prefix=IAM.prefix, resource="role/*") ], ), AWS.Statement( Effect=AWS.Allow, Action=[LAMBDA.InvokeFunction, LAMBDA.ListFunctions], Resource=[account_arn(service_prefix=LAMBDA.prefix, resource="*")], ), AWS.Statement( Effect=AWS.Allow, Action=[ CLOUDFORMATION.CreateStack, CLOUDFORMATION.DeleteStack, CLOUDFORMATION.DescribeStacks, CLOUDFORMATION.UpdateStack, CLOUDFORMATION.CreateChangeSet, CLOUDFORMATION.DeleteChangeSet, CLOUDFORMATION.DescribeChangeSet, CLOUDFORMATION.ExecuteChangeSet, CLOUDFORMATION.SetStackPolicy, CLOUDFORMATION.ValidateTemplate, ], Resource=[ account_arn(service_prefix=CLOUDFORMATION.prefix, resource="*") ], ), AWS.Statement( Effect=AWS.Allow, Action=[CODEBUILD.BatchGetBuilds, CODEBUILD.StartBuild], Resource=[ account_arn(service_prefix=CODEBUILD.prefix, resource="*") ], ), ]) return iam.Role( resource_name(iam.Role, "CodePipeline"), AssumeRolePolicyDocument=assume_policy, Policies=[ iam.Policy(PolicyName=_policy_name("CodePipeline"), PolicyDocument=policy) ], )
def generate_codepipeline_template( codepipeline_role_name: str, codepipeline_role_path: str, codebuild_role_name: str, codebuild_role_path: str, ssm_parameter_prefix: str, scm_provider: str, scm_connection_arn: str, scm_full_repository_id: str, scm_branch_name: str, scm_bucket_name: str, scm_object_key: str, scm_skip_creation_of_repo: str, migrate_role_arn: str, ) -> troposphere.Template: version = pkg_resources.get_distribution("aws-organized").version t = troposphere.Template() t.set_description( "CICD template that runs aws organized migrate for the given branch of the given repo" ) project_name = "AWSOrganized-Migrate" bucket_name = scm_bucket_name if scm_provider.lower( ) == "codecommit" and scm_skip_creation_of_repo is False: t.add_resource( codecommit.Repository("Repository", RepositoryName=scm_full_repository_id)) if scm_provider.lower() == "s3" and scm_skip_creation_of_repo is False: bucket_name = ( scm_bucket_name if scm_bucket_name else troposphere.Sub("aws-organized-pipeline-source-${AWS::AccountId}")) t.add_resource( s3.Bucket( "Source", BucketName=bucket_name, VersioningConfiguration=s3.VersioningConfiguration( Status="Enabled"), BucketEncryption=s3.BucketEncryption( ServerSideEncryptionConfiguration=[ s3.ServerSideEncryptionRule( ServerSideEncryptionByDefault=s3. ServerSideEncryptionByDefault( SSEAlgorithm="AES256")) ]), )) artifact_store = t.add_resource( s3.Bucket( "ArtifactStore", VersioningConfiguration=s3.VersioningConfiguration( Status="Enabled"), BucketEncryption=s3.BucketEncryption( ServerSideEncryptionConfiguration=[ s3.ServerSideEncryptionRule( ServerSideEncryptionByDefault=s3. ServerSideEncryptionByDefault(SSEAlgorithm="AES256")) ]), )) codepipeline_role = t.add_resource( iam.Role( "CodePipelineRole", RoleName=codepipeline_role_name, Path=codepipeline_role_path, ManagedPolicyArns=["arn:aws:iam::aws:policy/AdministratorAccess"], AssumeRolePolicyDocument=aws.PolicyDocument( Version="2012-10-17", Statement=[ aws.Statement( Effect=aws.Allow, Action=[awacs_sts.AssumeRole], Principal=aws.Principal( "Service", ["codepipeline.amazonaws.com"]), ) ], ), )) codebuild_role = t.add_resource( iam.Role( "CodeBuildRole", RoleName=codebuild_role_name, Path=codebuild_role_path, ManagedPolicyArns=["arn:aws:iam::aws:policy/AdministratorAccess"], AssumeRolePolicyDocument=aws.PolicyDocument( Version="2012-10-17", Statement=[ aws.Statement( Effect=aws.Allow, Action=[awacs_sts.AssumeRole], Principal=aws.Principal("Service", ["codebuild.amazonaws.com"]), ) ], ), )) version_parameter = ssm.Parameter( "versionparameter", Name=f"{ssm_parameter_prefix}/version", Type="String", Value=version, ) t.add_resource(version_parameter) project = t.add_resource( codebuild.Project( "AWSOrganizedMigrate", Artifacts=codebuild.Artifacts(Type="CODEPIPELINE"), Environment=codebuild.Environment( ComputeType="BUILD_GENERAL1_SMALL", Image="aws/codebuild/standard:4.0", Type="LINUX_CONTAINER", EnvironmentVariables=[ { "Name": "MIGRATE_ROLE_ARN", "Type": "PLAINTEXT", "Value": migrate_role_arn, }, { "Name": "Version", "Type": "PARAMETER_STORE", "Value": troposphere.Ref(version_parameter), }, { "Name": "SSM_PARAMETER_PREFIX", "Type": "PLAINTEXT", "Value": ssm_parameter_prefix, }, ], ), Name=project_name, ServiceRole=troposphere.GetAtt(codebuild_role, "Arn"), Source=codebuild.Source( Type="CODEPIPELINE", BuildSpec=yaml.safe_dump( dict( version="0.2", phases=dict( install={ "runtime-versions": dict(python="3.8"), "commands": ["pip install aws-organized==${Version}"], }, build={ "commands": [ "aws-organized migrate --ssm-parameter-prefix $SSM_PARAMETER_PREFIX $MIGRATE_ROLE_ARN" ] }, ), artifacts=dict(files=["environment"]), )), ), )) source_actions = dict( codecommit=codepipeline.Actions( Name="SourceAction", ActionTypeId=codepipeline.ActionTypeId(Category="Source", Owner="AWS", Version="1", Provider="CodeCommit"), OutputArtifacts=[ codepipeline.OutputArtifacts(Name="SourceOutput") ], Configuration={ "RepositoryName": scm_full_repository_id, "BranchName": scm_branch_name, "PollForSourceChanges": "true", }, RunOrder="1", ), codestarsourceconnection=codepipeline.Actions( Name="SourceAction", ActionTypeId=codepipeline.ActionTypeId( Category="Source", Owner="AWS", Version="1", Provider="CodeStarSourceConnection", ), OutputArtifacts=[ codepipeline.OutputArtifacts(Name="SourceOutput") ], Configuration={ "ConnectionArn": scm_connection_arn, "FullRepositoryId": scm_full_repository_id, "BranchName": scm_branch_name, "OutputArtifactFormat": "CODE_ZIP", }, RunOrder="1", ), s3=codepipeline.Actions( Name="SourceAction", ActionTypeId=codepipeline.ActionTypeId(Category="Source", Owner="AWS", Version="1", Provider="S3"), OutputArtifacts=[ codepipeline.OutputArtifacts(Name="SourceOutput") ], Configuration={ "S3Bucket": bucket_name, "S3ObjectKey": scm_object_key, "PollForSourceChanges": True, }, RunOrder="1", ), ).get(scm_provider.lower()) t.add_resource( codepipeline.Pipeline( "Pipeline", RoleArn=troposphere.GetAtt(codepipeline_role, "Arn"), Stages=[ codepipeline.Stages(Name="Source", Actions=[source_actions]), codepipeline.Stages( Name="Migrate", Actions=[ codepipeline.Actions( Name="Migrate", InputArtifacts=[ codepipeline.InputArtifacts( Name="SourceOutput") ], ActionTypeId=codepipeline.ActionTypeId( Category="Build", Owner="AWS", Version="1", Provider="CodeBuild", ), Configuration={ "ProjectName": troposphere.Ref(project), "PrimarySource": "SourceAction", }, RunOrder="1", ) ], ), ], ArtifactStore=codepipeline.ArtifactStore( Type="S3", Location=troposphere.Ref(artifact_store)), )) return t
jicketidprefix = "KWP-" # Prefix used before the ticket id. Should contain a connecting element, e.g. 'KWP-' to produce # IDs like 'KWP-xxxxxx' jicketloopmode = "singleshot" # Execution Role # ================ lambdaexecutionrole = iam.Role("APILambdaExecutionRole") lambdaexecutionrole.AssumeRolePolicyDocument = aws_awacs.PolicyDocument( Version="2012-10-17", Id="S3-Account-Permissions", Statement=[ aws_awacs.Statement( Sid="1", Effect=aws_awacs.Allow, Principal=aws_awacs.Principal("Service", "lambda.amazonaws.com"), Action=[aws_awacs.Action("sts", "AssumeRole")] ) ], ) lambdaexecutionrole.RoleName = "GeolocatorLambdaExecutionRole" lambdaexecutionrole.ManagedPolicyArns = [] lambdaexecutionrole.Policies = [iam.Policy( PolicyName="LambdaExecutionPolicy", PolicyDocument=aws_awacs.PolicyDocument( Version="2012-10-17", Statement=[ ] ) )]
def generate_codepipeline_template( codepipeline_role_name: str, codepipeline_role_path: str, codebuild_role_name: str, codebuild_role_path: str, output_format: str, migrate_role_arn: str, ) -> str: t = troposphere.Template() t.set_description( "CICD template that runs aws organized migrate for the given branch of the given repo" ) project_name = "AWSOrganized-Migrate" repository_name = "AWS-Organized-environment" repo = t.add_resource( codecommit.Repository("Repository", RepositoryName=repository_name)) artifact_store = t.add_resource( s3.Bucket( "ArtifactStore", BucketEncryption=s3.BucketEncryption( ServerSideEncryptionConfiguration=[ s3.ServerSideEncryptionRule( ServerSideEncryptionByDefault=s3. ServerSideEncryptionByDefault(SSEAlgorithm="AES256")) ]), )) codepipeline_role = t.add_resource( iam.Role( "CodePipelineRole", RoleName=codepipeline_role_name, Path=codepipeline_role_path, ManagedPolicyArns=[ "arn:aws:iam::aws:policy/AdministratorAccess", ], Policies=[ iam.Policy( PolicyName=f"executionpermissions", PolicyDocument=aws.PolicyDocument( Version="2012-10-17", Id=f"executionpermissions", Statement=[ aws.Statement( Sid="1", Effect=aws.Allow, Action=[ awscd_codecommit.GitPull, awscd_codecommit.GetBranch, awscd_codecommit.GetCommit, awscd_codecommit.UploadArchive, ], Resource=[troposphere.GetAtt(repo, "Arn")], ), aws.Statement( Sid="2", Effect=aws.Allow, Action=[ awacs_s3.GetBucketPolicy, awacs_s3.GetBucketVersioning, awacs_s3.ListBucket, ], Resource=[ troposphere.GetAtt(artifact_store, "Arn") ], ), aws.Statement( Sid="3", Effect=aws.Allow, Action=[ awacs_s3.GetObject, awacs_s3.GetObjectVersion, ], Resource=[ troposphere.Join(":", [ troposphere.GetAtt( artifact_store, 'Arn'), "*" ]) ], ), aws.Statement( Sid="4", Effect=aws.Allow, Action=[ awacs_s3.ListAllMyBuckets, ], Resource=[ troposphere.Join(":", [ "arn", troposphere.Partition, "s3:::*", ]) ], ), # aws.Statement( # Sid="5", # Effect=aws.Allow, # Action=[ # aws.Action("s3", "*") # ], # Resource=[ # troposphere.Join(":", [ # troposphere.GetAtt(artifact_store, 'Arn'), # "*" # ]) # ], # ), # aws.Statement( # Sid="6", # Effect=aws.Allow, # Action=[ # aws.Action("s3", "*") # ], # Resource=[ # troposphere.GetAtt(artifact_store, 'Arn') # ], # ), ], ), ) ], AssumeRolePolicyDocument=aws.PolicyDocument( Version="2012-10-17", Statement=[ aws.Statement( Effect=aws.Allow, Action=[awacs_sts.AssumeRole], Principal=aws.Principal( "Service", ["codepipeline.amazonaws.com"]), ), ], ), )) codebuild_role = t.add_resource( iam.Role( "CodeBuildRole", RoleName=codebuild_role_name, Path=codebuild_role_path, ManagedPolicyArns=[ "arn:aws:iam::aws:policy/AdministratorAccess", ], Policies=[ iam.Policy( PolicyName=f"executionpermissions", PolicyDocument=aws.PolicyDocument( Version="2012-10-17", Id=f"executionpermissions", Statement=[ aws.Statement( Sid="1", Effect=aws.Allow, Action=[ awacs_logs.CreateLogGroup, awacs_logs.CreateLogStream, awacs_logs.PutLogEvents, ], Resource=[ # "arn:aws:logs:eu-west-1:669925765091:log-group:/aws/codebuild/examplecodebuild", # "arn:aws:logs:eu-west-1:669925765091:log-group:/aws/codebuild/examplecodebuild:*", { "Fn::Sub": [ f"arn:${{AWS::Partition}}:logs:${{AWS::Region}}:${{AWS::AccountId}}:log-group:/aws/codebuild/{project_name}", {}, ] }, { "Fn::Sub": [ f"arn:${{AWS::Partition}}:logs:${{AWS::Region}}:${{AWS::AccountId}}:log-group:/aws/codebuild/{project_name}:*", {}, ] }, ], ), aws.Statement( Sid="2", Effect=aws.Allow, Action=[ awacs_s3.PutObject, awacs_s3.GetObject, awacs_s3.GetObjectVersion, awacs_s3.GetBucketAcl, awacs_s3.GetBucketLocation, ], Resource=[ # "arn:aws:s3:::codepipeline-eu-west-1-*", { "Fn::Sub": [ f"arn:${{AWS::Partition}}:s3:::codepipeline-${{AWS::Region}}-*", {}, ] }, ], ), aws.Statement( Sid="3", Effect=aws.Allow, Action=[ awacs_codebuild.CreateReportGroup, awacs_codebuild.CreateReport, awacs_codebuild.UpdateReport, awacs_codebuild.BatchPutTestCases, awacs_codebuild.BatchPutCodeCoverages, ], Resource=[ # "arn:aws:codebuild:eu-west-1:669925765091:report-group/examplecodebuild-*", { "Fn::Sub": [ f"arn:${{AWS::Partition}}:codebuild:${{AWS::Region}}:${{AWS::AccountId}}:report-group/{project_name}-*", {}, ] }, ], ), aws.Statement(Sid="4", Effect=aws.Allow, Action=[awacs_sts.AssumeRole], Resource=[migrate_role_arn]), # aws.Statement( # Sid="5", # Effect=aws.Allow, # Action=[ # aws.Action("s3", "*") # ], # Resource=[ # troposphere.Join(":", [ # troposphere.GetAtt(artifact_store, 'Arn'), # "*" # ]) # ], # ), # aws.Statement( # Sid="6", # Effect=aws.Allow, # Action=[ # aws.Action("s3", "*") # ], # Resource=[ # troposphere.GetAtt(artifact_store, 'Arn') # ], # ), ], ), ) ], AssumeRolePolicyDocument=aws.PolicyDocument( Version="2012-10-17", Statement=[ aws.Statement( Effect=aws.Allow, Action=[awacs_sts.AssumeRole], Principal=aws.Principal("Service", ["codebuild.amazonaws.com"]), ), ], ), )) project = t.add_resource( codebuild.Project( "AWSOrganizedMigrate", Artifacts=codebuild.Artifacts(Type="CODEPIPELINE"), Environment=codebuild.Environment( ComputeType="BUILD_GENERAL1_SMALL", Image="aws/codebuild/standard:4.0", Type="LINUX_CONTAINER", EnvironmentVariables=[{ "Name": "MIGRATE_ROLE_ARN", "Type": "PLAINTEXT", "Value": migrate_role_arn, }]), Name=project_name, ServiceRole=troposphere.GetAtt(codebuild_role, "Arn"), Source=codebuild.Source( Type="CODEPIPELINE", BuildSpec=yaml.safe_dump( dict( version="0.2", phases=dict( install={ "runtime-versions": dict(python="3.8"), "commands": [ "pip install aws-organized", ], }, build={ "commands": [ "aws-organized migrate $(MIGRATE_ROLE_ARN)", ], }, ), artifacts=dict(files=[ "environment", ], ), )), ), )) source_actions = codepipeline.Actions( Name="SourceAction", ActionTypeId=codepipeline.ActionTypeId( Category="Source", Owner="AWS", Version="1", Provider="CodeCommit", ), OutputArtifacts=[codepipeline.OutputArtifacts(Name="SourceOutput")], Configuration={ "RepositoryName": repository_name, "BranchName": "master", "PollForSourceChanges": "true", }, RunOrder="1", ) pipeline = t.add_resource( codepipeline.Pipeline( "Pipeline", RoleArn=troposphere.GetAtt(codepipeline_role, "Arn"), Stages=[ codepipeline.Stages( Name="Source", Actions=[source_actions], ), codepipeline.Stages( Name="Migrate", Actions=[ codepipeline.Actions( Name="Migrate", InputArtifacts=[ codepipeline.InputArtifacts( Name="SourceOutput") ], ActionTypeId=codepipeline.ActionTypeId( Category="Build", Owner="AWS", Version="1", Provider="CodeBuild", ), Configuration={ "ProjectName": troposphere.Ref(project), "PrimarySource": "SourceAction", }, RunOrder="1", ) ], ), ], ArtifactStore=codepipeline.ArtifactStore( Type="S3", Location=troposphere.Ref(artifact_store)), )) if output_format == "json": return t.to_json() else: return t.to_yaml()
"""Resources for lambda function.""" import troposphere from awacs import aws from troposphere import awslambda from troposphere import cloudformation from troposphere import iam _ROLE = iam.Role( title="LambdaRole", AssumeRolePolicyDocument=aws.PolicyDocument( Statement=[ aws.Statement( Action=[aws.Action("sts", "AssumeRole")], Effect="Allow", Principal=aws.Principal( principal="Service", resources=["lambda.amazonaws.com"] ), ) ] ), ManagedPolicyArns=[ "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" ], RoleName="cloudformation-kubernetes-lambda", ) with open("cloudformation/lambda_function/index.py") as in_file: _CODE = awslambda.Code(ZipFile=in_file.read()) _LAMBDA = awslambda.Function( title="Lambda",