def _get_iam_ec2_role(self):
    """
    Extend the inherited IAM role with the S3 and SDB policies for this box.

    The role name returned by the superclass gets a '--'-separated suffix derived from
    ToilJenkinsSlave, and the `s3_full` and `sdb_full` entries are merged into the
    inherited policy mapping.

    :return: tuple of (role name, policy mapping)
    """
    base_name, policies = super(ToilJenkinsSlave, self)._get_iam_ec2_role()
    suffix = abreviated_snake_case_class_name(ToilJenkinsSlave)
    # NOTE(review): s3_full_policy and sdb_full_policy are defined outside this method.
    # Going by their names they are not limited to particular buckets or domains --
    # confirm that the jobs running on this box really need that breadth.
    extra_policies = {'s3_full': s3_full_policy, 'sdb_full': sdb_full_policy}
    policies.update(extra_policies)
    return base_name + '--' + suffix, policies
def _get_iam_ec2_role(self):
    """
    Extend the inherited IAM role with the policies attached to a Jenkins master.

    Adds three inline policies to the mapping returned by the superclass: unrestricted
    EC2 access, iam:PassRole on the ARN returned by self._role_arn(), and S3 access to the
    public-artifacts bucket. The role name gets a '--'-separated suffix derived from
    JenkinsMaster.

    :return: tuple of (role name, policy mapping)
    """
    base_name, policies = super(JenkinsMaster, self)._get_iam_ec2_role()
    role_name = base_name + '--' + abreviated_snake_case_class_name(JenkinsMaster)

    # FIXME: Be more specific
    # NOTE(review): "ec2:*" on Resource "*" gives every process that can read the instance
    # profile credentials full control over EC2 in the account. Listing only the actions
    # the master actually calls would shrink the impact of a compromised build.
    ec2_full = {
        'Version': "2012-10-17",
        'Statement': [
            {'Effect': "Allow", 'Resource': "*", 'Action': "ec2:*"}]}

    # PassRole is limited to a single ARN. Presumably that is this box's own role --
    # confirm against _role_arn().
    pass_role = {
        'Version': "2012-10-17",
        'Statement': [
            {'Effect': "Allow", 'Resource': self._role_arn(), 'Action': "iam:PassRole"}]}

    # Bucket listing is account-wide; every other S3 action is confined to the artifacts
    # bucket and the objects in it.
    artifacts = {
        'Version': "2012-10-17",
        'Statement': [
            {'Effect': "Allow",
             'Resource': "arn:aws:s3:::*",
             'Action': "s3:ListAllMyBuckets"},
            {'Effect': "Allow",
             'Action': "s3:*",
             'Resource': ["arn:aws:s3:::public-artifacts.cghub.ucsc.edu",
                          "arn:aws:s3:::public-artifacts.cghub.ucsc.edu/*"]}]}

    policies.update({
        'ec2_full': ec2_full,
        'jenkins_master_iam_pass_role': pass_role,
        'jenkins_master_s3': artifacts})
    return role_name, policies
def _get_iam_ec2_role(self):
    """
    Extend the inherited IAM role with the policies used by a Toil box.

    Merges iam:PassRole on self._role_arn(), the externally defined EC2, S3 and SDB
    policies, and three explicit EC2 tagging/volume statements into the inherited policy
    mapping. The role name gets a '--'-separated suffix derived from ToilBoxSupport.

    :return: tuple of (role name, policy mapping)
    """
    base_name, policies = super(ToilBoxSupport, self)._get_iam_ec2_role()
    role_name = base_name + '--' + abreviated_snake_case_class_name(ToilBoxSupport)

    pass_role = {
        'Version': "2012-10-17",
        'Statement': [
            {'Effect': "Allow", 'Resource': self._role_arn(), 'Action': "iam:PassRole"}]}

    # One Allow statement per action, each on all resources.
    # NOTE(review): if ec2_full_policy already allows every EC2 action (its name suggests
    # it does), these statements add nothing -- decide which of the two is the intended
    # grant and drop the other.
    volume_statements = [
        {'Effect': "Allow", 'Resource': "*", 'Action': action}
        for action in ("ec2:CreateTags", "ec2:CreateVolume", "ec2:AttachVolume")]

    policies.update({
        'toil_iam_pass_role': pass_role,
        'ec2_full': ec2_full_policy,
        's3_full': s3_full_policy,
        # NOTE(review): 'sbd_full' looks like a transposition of 'sdb_full'. The key is
        # kept as is because it is part of the policy mapping handed to the caller;
        # rename it only together with whatever consumes these keys.
        'sbd_full': sdb_full_policy,
        'ec2_toil_box': {'Version': "2012-10-17", 'Statement': volume_statements}})
    return role_name, policies
def _get_iam_ec2_role( self ):
    """
    Extend the inherited IAM role with the agent's policies when the agent is enabled.

    If self.enable_agent is false, the role name and policies from the superclass are
    returned unchanged. Otherwise the role name gets a '--'-separated suffix derived from
    AgentBox and the read-only EC2/S3/IAM policies plus inline SQS, SNS and CloudWatch
    policies are merged into the mapping.

    :return: tuple of (role name, policy mapping)
    """
    role_name, policies = super( AgentBox, self )._get_iam_ec2_role( )
    if not self.enable_agent:
        return role_name, policies

    role_name = role_name + '--' + abreviated_snake_case_class_name( AgentBox )

    # NOTE(review): all three inline policies below apply to Resource "*", so the queue
    # and topic actions are valid for every queue and topic in the account. If the agent's
    # queue and topic names are predictable, scoping the ARNs would narrow the grant.
    sqs_actions = [
        "sqs:Get*",
        "sqs:List*",
        "sqs:CreateQueue",
        "sqs:SetQueueAttributes",
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage" ]
    sns_actions = [
        "sns:Get*",
        "sns:List*",
        "sns:CreateTopic",
        "sns:Subscribe" ]
    cloud_watch_actions = [
        'cloudwatch:Get*',
        'cloudwatch:List*',
        'cloudwatch:PutMetricData' ]

    agent_policies = {
        'ec2_read_only': ec2_read_only_policy,
        's3_read_only': s3_read_only_policy,
        'iam_read_only': iam_read_only_policy,
        'sqs_agent': {
            'Version': "2012-10-17",
            'Statement': [
                { 'Effect': "Allow", 'Resource': "*", 'Action': sqs_actions } ] },
        'sns_agent': {
            'Version': "2012-10-17",
            'Statement': [
                { 'Effect': "Allow", 'Resource': "*", 'Action': sns_actions } ] },
        'cloud_watch': {
            'Version': '2012-10-17',
            'Statement': [
                { 'Effect': 'Allow', 'Resource': '*', 'Action': cloud_watch_actions } ] } }
    policies.update( agent_policies )
    return role_name, policies
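def _get_iam_ec2_role(self):
    """
    Extend the inherited IAM role with the policies a cgcloud Jenkins slave runs tests with.

    Merges four entries into the inherited policy mapping: the externally defined
    ec2_full_policy, iam:PassRole on the ARN returned by self._pass_role_arn(), access to
    the cgcloud S3 bucket and the agent notification topic, and IAM role and instance
    profile management. The role name gets a '--'-separated suffix derived from
    CgcloudJenkinsSlave.

    :return: tuple of (role name, policy mapping)
    """
    iam_role_name, policies = super(CgcloudJenkinsSlave, self)._get_iam_ec2_role()
    iam_role_name += '--' + abreviated_snake_case_class_name(CgcloudJenkinsSlave)
    cgcloud_bucket_arn = "arn:aws:s3:::%s" % self.ctx.s3_bucket_name

    # This assumes that if instance lives in /, then tests running on the instance
    # will run in /test-5571439d. If the instance lives in /foo, then tests running
    # on the instance will run in /foo/test-5571439d.
    pass_role_statements = [
        dict(Effect="Allow", Resource=self._pass_role_arn(), Action="iam:PassRole")]

    # Bucket listing is account-wide; all other S3 actions are confined to the cgcloud
    # bucket and its objects. Publishing is limited to the agent notification topic.
    register_keypair_statements = [
        dict(Effect="Allow", Resource="arn:aws:s3:::*", Action="s3:ListAllMyBuckets"),
        dict(Effect="Allow", Action="s3:*",
             Resource=[cgcloud_bucket_arn, cgcloud_bucket_arn + "/*"]),
        dict(Effect="Allow", Action=["sns:Publish", "sns:CreateTopic"],
             Resource='arn:aws:sns:*:%s:cgcloud-agent-notifications' % self.ctx.account)]

    # Each action is listed once; "iam:DeleteInstanceProfile" used to appear twice, which
    # granted nothing extra.
    # NOTE(review): PassRole above is limited to one ARN, but the role and instance
    # profile write actions here apply to Resource "*". Restricting them to the role and
    # instance-profile ARNs under the same test path would keep a compromised test run
    # from creating or rewriting roles elsewhere in the account.
    iam_actions = [
        "iam:ListRoles",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:ListRolePolicies",
        "iam:DeleteRolePolicy",
        "iam:GetRolePolicy",
        "iam:PutRolePolicy",
        "iam:ListInstanceProfiles",
        "iam:GetInstanceProfile",
        "iam:CreateInstanceProfile",
        "iam:DeleteInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:AddRoleToInstanceProfile"]

    policies.update(
        dict(
            ec2_full=ec2_full_policy,  # FIXME: Be more specific
            iam_cgcloud_jenkins_slave_pass_role=dict(
                Version="2012-10-17", Statement=pass_role_statements),
            register_keypair=dict(
                Version="2012-10-17", Statement=register_keypair_statements),
            iam_cgcloud_jenkins_slave=dict(
                Version="2012-10-17",
                Statement=[dict(Effect="Allow", Resource="*", Action=iam_actions)])))
    return iam_role_name, policies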
def _get_iam_ec2_role( self ):
    """
    Extend the inherited IAM role with the policies used by a Mesos box.

    Merges the externally defined ec2_read_only_policy and an inline policy allowing
    ec2:CreateTags, ec2:CreateVolume and ec2:AttachVolume into the inherited mapping. The
    role name gets a '--'-separated suffix derived from MesosBoxSupport.

    :return: tuple of (role name, policy mapping)
    """
    base_name, policies = super( MesosBoxSupport, self )._get_iam_ec2_role( )
    role_name = base_name + '--' + abreviated_snake_case_class_name( MesosBoxSupport )

    # One Allow statement per action, each on all resources.
    # NOTE(review): tagging and volume attachment are allowed on every instance and volume
    # in the account, not just the ones belonging to this cluster.
    write_actions = ( "ec2:CreateTags", "ec2:CreateVolume", "ec2:AttachVolume" )
    statements = [
        { 'Effect': "Allow", 'Resource': "*", 'Action': action }
        for action in write_actions ]

    policies.update( {
        'ec2_read_only': ec2_read_only_policy,
        'ec2_mesos_box': { 'Version': "2012-10-17", 'Statement': statements } } )
    return role_name, policies
def _get_iam_ec2_role( self ):
    """
    Extend the inherited IAM role with the policies used by a Spark box.

    Merges the externally defined ec2_read_only_policy and an inline policy allowing
    ec2:CreateTags, ec2:CreateVolume and ec2:AttachVolume into the inherited mapping. The
    role name gets a '--'-separated suffix derived from SparkBox.

    :return: tuple of (role name, policy mapping)
    """
    inherited_name, policies = super( SparkBox, self )._get_iam_ec2_role( )
    suffix = abreviated_snake_case_class_name( SparkBox )

    def allow_everywhere( action ):
        # A single Allow statement for `action` on all resources.
        return { 'Effect': "Allow", 'Resource': "*", 'Action': action }

    # NOTE(review): tagging and volume attachment are allowed on every instance and volume
    # in the account, not just the ones belonging to this cluster.
    ec2_spark_box = {
        'Version': "2012-10-17",
        'Statement': [
            allow_everywhere( "ec2:CreateTags" ),
            allow_everywhere( "ec2:CreateVolume" ),
            allow_everywhere( "ec2:AttachVolume" ) ] }

    policies.update( {
        'ec2_read_only': ec2_read_only_policy,
        'ec2_spark_box': ec2_spark_box } )
    return inherited_name + '--' + suffix, policies
def _get_iam_ec2_role( self ):
    """
    Extend the inherited IAM role with the policies used by a Toil box.

    Merges iam:PassRole on self._role_arn( ), the externally defined EC2, S3 and SDB
    policies, and three explicit EC2 tagging/volume statements into the inherited policy
    mapping. The role name gets a '--'-separated suffix derived from ToilBoxSupport.

    :return: tuple of (role name, policy mapping)
    """
    inherited_name, policies = super( ToilBoxSupport, self )._get_iam_ec2_role( )
    suffix = abreviated_snake_case_class_name( ToilBoxSupport )

    own_role_arn = self._role_arn( )
    toil_iam_pass_role = {
        'Version': "2012-10-17",
        'Statement': [
            { 'Effect': "Allow", 'Resource': own_role_arn, 'Action': "iam:PassRole" } ] }

    # NOTE(review): if ec2_full_policy already allows every EC2 action (its name suggests
    # it does), this policy adds nothing -- decide which of the two is the intended grant.
    ec2_toil_box = {
        'Version': "2012-10-17",
        'Statement': [
            { 'Effect': "Allow", 'Resource': "*", 'Action': "ec2:CreateTags" },
            { 'Effect': "Allow", 'Resource': "*", 'Action': "ec2:CreateVolume" },
            { 'Effect': "Allow", 'Resource': "*", 'Action': "ec2:AttachVolume" } ] }

    additions = {
        'toil_iam_pass_role': toil_iam_pass_role,
        'ec2_full': ec2_full_policy,
        's3_full': s3_full_policy,
        # NOTE(review): 'sbd_full' looks like a transposition of 'sdb_full'. The key is
        # kept as is because it is part of the policy mapping handed to the caller;
        # rename it only together with whatever consumes these keys.
        'sbd_full': sdb_full_policy,
        'ec2_toil_box': ec2_toil_box }
    policies.update( additions )
    return inherited_name + '--' + suffix, policies
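def _get_iam_ec2_role( self ):
    """
    Extend the inherited IAM role with the policies a cgcloud Jenkins slave runs tests with.

    Merges four entries into the inherited policy mapping: the externally defined
    ec2_full_policy, iam:PassRole on a wildcarded test-namespace role ARN, access to the
    cgcloud S3 bucket and the agent notification topic, and IAM role and instance profile
    management. The role name gets a '--'-separated suffix derived from
    CgcloudJenkinsSlave.

    :return: tuple of (role name, policy mapping)
    """
    role_name, policies = super( CgcloudJenkinsSlave, self )._get_iam_ec2_role( )
    role_name += '--' + abreviated_snake_case_class_name( CgcloudJenkinsSlave )
    cgcloud_bucket_arn = "arn:aws:s3:::%s" % self.ctx.s3_bucket_name

    # This is a bit convoluted, but it is still better than optionally allowing wildcards
    # in the name validation in Context.absolute_name(). The ARN is first built with a
    # literal placeholder, which is then swapped for a run of '?' wildcards. The ? wildcard
    # is not very well documented, but there is evidence for it here:
    # http://docs.aws.amazon.com/IAM/latest/UserGuide/PolicyVariables.html#policy-vars-specialchars
    placeholder = 'testnamespacesuffixpattern'
    test_namespace_suffix_pattern = "?" * test_namespace_suffix_length
    pass_role_arn = self._role_arn( role_prefix='test/' + placeholder + '/' )
    pass_role_arn = pass_role_arn.replace( placeholder, test_namespace_suffix_pattern )

    # This assumes that if instance lives in /, then tests running on the instance
    # will run in /test-5571439d. If the instance lives in /foo, then tests running
    # on the instance will run in /foo/test-5571439d.
    pass_role_statement = dict( Effect="Allow",
                                Resource=pass_role_arn,
                                Action="iam:PassRole" )

    # Bucket listing is account-wide; all other S3 actions are confined to the cgcloud
    # bucket and its objects. Publishing is limited to the agent notification topic.
    register_keypair_statements = [
        dict( Effect="Allow", Resource="arn:aws:s3:::*", Action="s3:ListAllMyBuckets" ),
        dict( Effect="Allow", Action="s3:*",
              Resource=[ cgcloud_bucket_arn, cgcloud_bucket_arn + "/*" ] ),
        dict( Effect="Allow",
              Resource='arn:aws:sns:*:%s:cgcloud-agent-notifications' % self.ctx.account,
              Action=[ "sns:Publish", "sns:CreateTopic" ] ) ]

    # Each action is listed once; "iam:DeleteInstanceProfile" used to appear twice, which
    # granted nothing extra.
    # NOTE(review): PassRole above is limited to the test-namespace pattern, but the role
    # and instance profile write actions here apply to Resource "*". Restricting them to
    # role and instance-profile ARNs under the same test path would keep a compromised
    # test run from creating or rewriting roles elsewhere in the account.
    iam_actions = [
        "iam:ListRoles",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:ListRolePolicies",
        "iam:DeleteRolePolicy",
        "iam:GetRolePolicy",
        "iam:PutRolePolicy",
        "iam:ListInstanceProfiles",
        "iam:GetInstanceProfile",
        "iam:CreateInstanceProfile",
        "iam:DeleteInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:AddRoleToInstanceProfile" ]

    policies.update( dict(
        ec2_full=ec2_full_policy,  # FIXME: Be more specific
        iam_cgcloud_jenkins_slave_pass_role=dict(
            Version="2012-10-17",
            Statement=[ pass_role_statement ] ),
        register_keypair=dict(
            Version="2012-10-17",
            Statement=register_keypair_statements ),
        iam_cgcloud_jenkins_slave=dict(
            Version="2012-10-17",
            Statement=[ dict( Effect="Allow", Resource="*", Action=iam_actions ) ] ) ) )
    return role_name, policies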
def _get_iam_ec2_role(self):
    """
    Extend the inherited IAM role with the agent's policies when the agent is enabled.

    If self.enable_agent is false, the role name and policies from the superclass are
    returned unchanged. Otherwise the role name gets a '--'-separated suffix derived from
    AgentBox and the read-only EC2/S3/IAM policies plus inline SQS, SNS and CloudWatch
    policies are merged into the mapping.

    :return: tuple of (role name, policy mapping)
    """
    inherited = super(AgentBox, self)._get_iam_ec2_role()
    role_name, policies = inherited
    if not self.enable_agent:
        return role_name, policies

    role_name = role_name + '--' + abreviated_snake_case_class_name(AgentBox)

    def single_statement_policy(version, effect, resource, actions):
        # Policy document holding one statement; key order matches the inline form.
        return dict(Version=version,
                    Statement=[dict(Effect=effect, Resource=resource, Action=actions)])

    # NOTE(review): all three inline policies apply to Resource "*", so the queue and
    # topic actions are valid for every queue and topic in the account. If the agent's
    # queue and topic names are predictable, scoping the ARNs would narrow the grant.
    sqs_agent = single_statement_policy("2012-10-17", "Allow", "*", [
        "sqs:Get*",
        "sqs:List*",
        "sqs:CreateQueue",
        "sqs:SetQueueAttributes",
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage"])
    sns_agent = single_statement_policy("2012-10-17", "Allow", "*", [
        "sns:Get*",
        "sns:List*",
        "sns:CreateTopic",
        "sns:Subscribe"])
    cloud_watch = single_statement_policy('2012-10-17', 'Allow', '*', [
        'cloudwatch:Get*',
        'cloudwatch:List*',
        'cloudwatch:PutMetricData'])

    policies.update(dict(
        ec2_read_only=ec2_read_only_policy,
        s3_read_only=s3_read_only_policy,
        iam_read_only=iam_read_only_policy,
        sqs_agent=sqs_agent,
        sns_agent=sns_agent,
        cloud_watch=cloud_watch))
    return role_name, policies
def _get_iam_ec2_role( self ):
    """
    Extend the inherited IAM role with the policies attached to a Jenkins master.

    Adds three inline policies to the mapping returned by the superclass: unrestricted
    EC2 access, iam:PassRole on the ARN returned by self._role_arn( ), and S3 access to
    the public-artifacts bucket. The role name gets a '--'-separated suffix derived from
    JenkinsMaster.

    :return: tuple of (role name, policy mapping)
    """
    inherited_name, policies = super( JenkinsMaster, self )._get_iam_ec2_role( )
    suffix = abreviated_snake_case_class_name( JenkinsMaster )
    policy_version = "2012-10-17"

    # FIXME: Be more specific
    # NOTE(review): "ec2:*" on Resource "*" gives every process that can read the instance
    # profile credentials full control over EC2 in the account. Listing only the actions
    # the master actually calls would shrink the impact of a compromised build.
    ec2_statements = [
        dict( Effect="Allow", Resource="*", Action="ec2:*" ) ]

    # PassRole is limited to a single ARN. Presumably that is this box's own role --
    # confirm against _role_arn().
    pass_role_statements = [
        dict( Effect="Allow", Resource=self._role_arn( ), Action="iam:PassRole" ) ]

    # Bucket listing is account-wide; every other S3 action is confined to the artifacts
    # bucket and the objects in it.
    artifact_bucket = "arn:aws:s3:::public-artifacts.cghub.ucsc.edu"
    s3_statements = [
        dict( Effect="Allow", Resource="arn:aws:s3:::*", Action="s3:ListAllMyBuckets" ),
        dict( Effect="Allow", Action="s3:*",
              Resource=[ artifact_bucket, artifact_bucket + "/*" ] ) ]

    policies.update( dict(
        ec2_full=dict( Version=policy_version, Statement=ec2_statements ),
        jenkins_master_iam_pass_role=dict( Version=policy_version,
                                           Statement=pass_role_statements ),
        jenkins_master_s3=dict( Version=policy_version, Statement=s3_statements ) ) )
    return inherited_name + '--' + suffix, policies
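def _get_iam_ec2_role( self ):
    """
    Extend the inherited IAM role with the policies a cgcloud Jenkins slave runs tests with.

    Merges four entries into the inherited policy mapping: the externally defined
    ec2_full_policy, iam:PassRole on the ARN returned by self._pass_role_arn(), access to
    the cgcloud S3 bucket and the agent notification topic, and IAM role and instance
    profile management. The role name gets a '--'-separated suffix derived from
    CgcloudJenkinsSlave.

    :return: tuple of (role name, policy mapping)
    """
    iam_role_name, policies = super( CgcloudJenkinsSlave, self )._get_iam_ec2_role( )
    iam_role_name += '--' + abreviated_snake_case_class_name( CgcloudJenkinsSlave )
    cgcloud_bucket_arn = "arn:aws:s3:::%s" % self.ctx.s3_bucket_name

    # This assumes that if instance lives in /, then tests running on the instance
    # will run in /test-5571439d. If the instance lives in /foo, then tests running
    # on the instance will run in /foo/test-5571439d.
    pass_role_policy = {
        'Version': "2012-10-17",
        'Statement': [
            { 'Effect': "Allow",
              'Resource': self._pass_role_arn(),
              'Action': "iam:PassRole" } ] }

    # Bucket listing is account-wide; all other S3 actions are confined to the cgcloud
    # bucket and its objects. Publishing is limited to the agent notification topic.
    register_keypair_policy = {
        'Version': "2012-10-17",
        'Statement': [
            { 'Effect': "Allow",
              'Resource': "arn:aws:s3:::*",
              'Action': "s3:ListAllMyBuckets" },
            { 'Effect': "Allow",
              'Action': "s3:*",
              'Resource': [ cgcloud_bucket_arn, cgcloud_bucket_arn + "/*" ] },
            { 'Effect': "Allow",
              'Action': [ "sns:Publish", "sns:CreateTopic" ],
              'Resource': 'arn:aws:sns:*:%s:cgcloud-agent-notifications'
                          % self.ctx.account } ] }

    # Each action is listed once; "iam:DeleteInstanceProfile" used to appear twice, which
    # granted nothing extra.
    # NOTE(review): PassRole above is limited to one ARN, but the role and instance
    # profile write actions here apply to Resource "*". Restricting them to the role and
    # instance-profile ARNs under the same test path would keep a compromised test run
    # from creating or rewriting roles elsewhere in the account.
    iam_management_policy = {
        'Version': "2012-10-17",
        'Statement': [
            { 'Effect': "Allow",
              'Resource': "*",
              'Action': [
                  "iam:ListRoles",
                  "iam:CreateRole",
                  "iam:DeleteRole",
                  "iam:ListRolePolicies",
                  "iam:DeleteRolePolicy",
                  "iam:GetRolePolicy",
                  "iam:PutRolePolicy",
                  "iam:ListInstanceProfiles",
                  "iam:GetInstanceProfile",
                  "iam:CreateInstanceProfile",
                  "iam:DeleteInstanceProfile",
                  "iam:RemoveRoleFromInstanceProfile",
                  "iam:AddRoleToInstanceProfile" ] } ] }

    policies.update( {
        'ec2_full': ec2_full_policy,  # FIXME: Be more specific
        'iam_cgcloud_jenkins_slave_pass_role': pass_role_policy,
        'register_keypair': register_keypair_policy,
        'iam_cgcloud_jenkins_slave': iam_management_policy } )
    return iam_role_name, policies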
def name( cls ):
    """
    Return the abbreviated snake-case name of `cls`.

    Delegates to abreviated_snake_case_class_name(), passing Cluster as its second
    argument (presumably the base class whose name is left out of the result -- confirm
    against the helper).
    """
    short_name = abreviated_snake_case_class_name( cls, Cluster )
    return short_name
def _get_iam_ec2_role( self ):
    """
    Extend the inherited IAM role with the S3 policy for the S3AM Jenkins slave.

    The role name returned by the superclass gets a '--'-separated suffix derived from
    S3amJenkinsSlave, and the `s3_full` entry is merged into the inherited policy mapping.

    :return: tuple of (role name, policy mapping)
    """
    inherited_name, policies = super( S3amJenkinsSlave, self )._get_iam_ec2_role( )
    suffix = abreviated_snake_case_class_name( S3amJenkinsSlave )
    # NOTE(review): s3_full_policy is defined outside this method. Going by its name it is
    # not limited to particular buckets -- confirm the tests need more than their own
    # bucket before keeping it this broad.
    policies.update( { 's3_full': s3_full_policy } )
    return inherited_name + '--' + suffix, policies
def operation( self ):
    """
    Return the abbreviated snake-case name of this object's class.

    Delegates to abreviated_snake_case_class_name(), passing ClusterCommand as its second
    argument (presumably the base class whose name is left out of the result -- confirm
    against the helper).
    """
    command_class = self.__class__
    return abreviated_snake_case_class_name( command_class, ClusterCommand )
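def _get_iam_ec2_role(self):
    """
    Extend the inherited IAM role with the policies a cgcloud Jenkins slave runs tests with.

    Merges four entries into the inherited policy mapping: the externally defined
    ec2_full_policy, iam:PassRole on a wildcarded test-namespace role ARN, access to the
    cgcloud S3 bucket and the agent notification topic, and IAM role and instance profile
    management. The role name gets a '--'-separated suffix derived from
    CgcloudJenkinsSlave.

    :return: tuple of (role name, policy mapping)
    """
    role_name, policies = super(CgcloudJenkinsSlave, self)._get_iam_ec2_role()
    role_name += '--' + abreviated_snake_case_class_name(CgcloudJenkinsSlave)
    cgcloud_bucket_arn = "arn:aws:s3:::%s" % self.ctx.s3_bucket_name

    # This is a bit convoluted, but it is still better than optionally allowing wildcards
    # in the name validation in Context.absolute_name(). The ARN is first built with a
    # literal placeholder, which is then swapped for a run of '?' wildcards. The ? wildcard
    # is not very well documented, but there is evidence for it here:
    # http://docs.aws.amazon.com/IAM/latest/UserGuide/PolicyVariables.html#policy-vars-specialchars
    test_namespace_suffix_pattern = "?" * test_namespace_suffix_length
    pass_role_arn = self._role_arn(
        role_prefix='test/testnamespacesuffixpattern/'
    ).replace('testnamespacesuffixpattern', test_namespace_suffix_pattern)

    # This assumes that if instance lives in /, then tests running on the instance
    # will run in /test-5571439d. If the instance lives in /foo, then tests running
    # on the instance will run in /foo/test-5571439d.
    pass_role_policy = {
        'Version': "2012-10-17",
        'Statement': [
            {'Effect': "Allow", 'Resource': pass_role_arn, 'Action': "iam:PassRole"}]}

    # Bucket listing is account-wide; all other S3 actions are confined to the cgcloud
    # bucket and its objects. Publishing is limited to the agent notification topic.
    register_keypair_policy = {
        'Version': "2012-10-17",
        'Statement': [
            {'Effect': "Allow",
             'Resource': "arn:aws:s3:::*",
             'Action': "s3:ListAllMyBuckets"},
            {'Effect': "Allow",
             'Action': "s3:*",
             'Resource': [cgcloud_bucket_arn, cgcloud_bucket_arn + "/*"]},
            {'Effect': "Allow",
             'Resource': 'arn:aws:sns:*:%s:cgcloud-agent-notifications' % self.ctx.account,
             'Action': ["sns:Publish", "sns:CreateTopic"]}]}

    # Each action is listed once; "iam:DeleteInstanceProfile" used to appear twice, which
    # granted nothing extra.
    # NOTE(review): PassRole above is limited to the test-namespace pattern, but the role
    # and instance profile write actions here apply to Resource "*". Restricting them to
    # role and instance-profile ARNs under the same test path would keep a compromised
    # test run from creating or rewriting roles elsewhere in the account.
    iam_management_policy = {
        'Version': "2012-10-17",
        'Statement': [
            {'Effect': "Allow",
             'Resource': "*",
             'Action': [
                 "iam:ListRoles",
                 "iam:CreateRole",
                 "iam:DeleteRole",
                 "iam:ListRolePolicies",
                 "iam:DeleteRolePolicy",
                 "iam:GetRolePolicy",
                 "iam:PutRolePolicy",
                 "iam:ListInstanceProfiles",
                 "iam:GetInstanceProfile",
                 "iam:CreateInstanceProfile",
                 "iam:DeleteInstanceProfile",
                 "iam:RemoveRoleFromInstanceProfile",
                 "iam:AddRoleToInstanceProfile"]}]}

    policies.update({
        'ec2_full': ec2_full_policy,  # FIXME: Be more specific
        'iam_cgcloud_jenkins_slave_pass_role': pass_role_policy,
        'register_keypair': register_keypair_policy,
        'iam_cgcloud_jenkins_slave': iam_management_policy})
    return role_name, policies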
def operation(self):
    """
    Return the abbreviated snake-case name of this object's class.

    Delegates to abreviated_snake_case_class_name(), passing ClusterCommand as its second
    argument (presumably the base class whose name is left out of the result -- confirm
    against the helper).
    """
    operation_name = abreviated_snake_case_class_name(self.__class__, ClusterCommand)
    return operation_name