def _generate_lambda_log_event_policy(lambda_arn):
    """Build a least-privilege IAM policy that lets a Lambda write its own logs.

    The statement is scoped to the CloudWatch Logs log group named after the
    function (``/aws/lambda/<function-name>``) and to the log streams beneath
    it, rather than to every log group in the account.

    :param string lambda_arn: The Lambda arn to associate the policy with, to ensure least privileges for logging events
    :return: A policy document suitable for attaching via PutRolePolicy

    Note: This policy is attached to the Lambda's execution role after the Lambda is created
    """
    parsed = aws_utils.ArnParser(lambda_arn)

    # A qualified ARN carries the version or alias as "<name>:<qualifier>" in the
    # resource id; only the bare function name goes into the log group path.
    # rsplit is a no-op when there is no ':' in the id.
    function_name = parsed.resource_id.rsplit(':', 1)[0]

    def logs_arn(resource_id):
        # Same region and account as the function; the "log-group" resource type
        # is joined to the resource id with ":".
        return aws_utils.ArnParser.format_arn_with_resource_type(
            service="logs",
            region=parsed.region,
            account_id=parsed.account_id,
            resource_type="log-group",
            resource_id=resource_id,
            separator=":")

    log_group_arn = logs_arn("/aws/lambda/{}".format(function_name))
    # Wildcard only over the streams inside this function's own log group.
    log_stream_arn = logs_arn("/aws/lambda/{}:log-stream:*".format(function_name))

    write_logs = {
        "Sid": "WriteLogEvents",
        "Effect": "Allow",
        "Action": ["logs:PutLogEvents", "logs:CreateLogStream"],
        "Resource": [log_group_arn, log_stream_arn],
    }
    return {"Version": "2012-10-17", "Statement": [write_logs]}
    def __test_real_aws_arns(self):
        """Parse ARNs copied from a real account and check the fields they yield.

        The leading double underscore is name-mangled inside the class, so the
        default unittest loader does not collect this; presumably kept as a
        manual check.
        """
        # Lambda function ARNs (account id and names taken from a real deployment)
        function_arns = (
            'arn:aws:lambda:us-east-1:677027324277:function:cctest0NPM4I0-CRH-CoreResourceTypes-Custom_CognitoIdentityPool',
            'arn:aws:lambda:us-east-1:677027324277:function:cctestC6L1JI1-AH-CoreResourceTypes-AWS_SQS_Queue',
        )
        for function_arn in function_arns:
            parsed = aws_utils.ArnParser(function_arn)
            self.assertTrue(aws_utils.ArnParser.is_valid_arn(function_arn))
            self.assertEqual(parsed.region, 'us-east-1')
            self.assertEqual(parsed.resource_type, 'function')

        # IAM role ARN: note the empty region field ("iam::")
        role_arn = 'arn:aws:iam::677027324277:role/cctestU7METFZ'
        parsed_role = aws_utils.ArnParser(role_arn)
        self.assertTrue(aws_utils.ArnParser.is_valid_arn(role_arn))
        self.assertEqual(parsed_role.resource_type, 'role')
    def test_with_valid_simple_arn(self):
        """A six-part ARN with no resource type parses into its fields and round-trips through format_arn_string."""
        parsed = aws_utils.ArnParser(
            'arn:partition:service:region:account-id:resource-id')

        # Each field is checked with a short label used in the failure message
        expected_parts = (
            ('partition', parsed.partition, 'partition'),
            ('service', parsed.service, 'service'),
            ('region', parsed.region, 'region'),
            ('account-id', parsed.account_id, 'account id'),
            ('resource-id', parsed.resource_id, 'resource id'),
            # No separator inside the resource section, so no resource type is reported
            (None, parsed.resource_type, 'resource type'),
        )
        for expected, actual, label in expected_parts:
            self.assertEqual(expected, actual, label)

        # Rebuilding from the parsed pieces must reproduce the original string
        rebuilt = aws_utils.ArnParser.format_arn_string({
            'service': parsed.service,
            'partition': parsed.partition,
            'region': parsed.region,
            'accountId': parsed.account_id,
            'resourceId': parsed.resource_id,
        })
        self.assertEqual(parsed.arn, rebuilt)
    def __test_with_separator(self, separator):
        """Parse an ARN whose resource section is "resource-type<separator>resource-id" and round-trip it.

        Helper for the separator-specific tests; not collected directly because of
        the name-mangled leading double underscore.

        :param separator: the character placed between resource type and resource id
        """
        source = 'arn:partition:service:region:account-id:resource-type{}resource-id'.format(separator)
        parsed = aws_utils.ArnParser(source)

        # Each field is checked with a short label used in the failure message
        expected_parts = (
            ('partition', parsed.partition, 'partition'),
            ('service', parsed.service, 'service'),
            ('region', parsed.region, 'region'),
            ('account-id', parsed.account_id, 'account id'),
            ('resource-id', parsed.resource_id, 'resource id'),
            ('resource-type', parsed.resource_type, 'resource type'),
        )
        for expected, actual, label in expected_parts:
            self.assertEqual(expected, actual, label)

        # Rebuilding with the same separator must reproduce the original string
        rebuilt = aws_utils.ArnParser.format_arn_string({
            'service': parsed.service,
            'partition': parsed.partition,
            'region': parsed.region,
            'accountId': parsed.account_id,
            'resourceId': parsed.resource_id,
            'resourceType': parsed.resource_type,
            'separator': separator,
        })
        self.assertEqual(parsed.arn, rebuilt)
 def test_with_arn_with_missing_region(self):
     """An IAM ARN with an empty region field ("iam::") parses with region '' rather than failing."""
     role_arn = "arn:aws:iam::111111111111:role/Cognito_MyIdentityPoolAuth_Role"
     parsed = aws_utils.ArnParser(role_arn)
     # Empty field between the two colons is reported as '' (not None)
     self.assertEqual('', parsed.region)
     self.assertEqual('role', parsed.resource_type)