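def _generate_lambda_log_event_policy(lambda_arn):
    """Generate a least-privilege policy for a Lambda's CloudWatch Logs writes.

    The policy allows ``logs:CreateLogStream`` and ``logs:PutLogEvents`` only on
    the log group ``/aws/lambda/<function-name>`` (and the log streams under it)
    in the same region and account as the Lambda, so the execution role cannot
    write into other functions' log groups.

    :param string lambda_arn: The Lambda arn to associate the policy with, to
        ensure least privileges for logging events. A qualified arn whose
        resource id is ``<name>:<version>`` is accepted; the qualifier is
        dropped because the log group is named after the function only.
    :return: A policy document (dict) suitable for attaching via PutRolePolicy.

    Note: This policy is attached to the Lambda's execution role after the
    Lambda is created.
    """
    arn_parser = aws_utils.ArnParser(lambda_arn)
    region = arn_parser.region
    aws_account_id = arn_parser.account_id
    lambda_function_name = arn_parser.resource_id
    # Strip out information about version if present: <lambda_name>:<version>
    # forms the resource_id, and only the name selects the log group.
    if ':' in lambda_function_name:
        lambda_function_name = lambda_function_name.rsplit(':', 1)[0]
    log_group_name = "/aws/lambda/{}".format(lambda_function_name)
    log_group_arn = aws_utils.ArnParser.format_arn_with_resource_type(
        service="logs",
        region=region,
        account_id=aws_account_id,
        resource_type="log-group",
        resource_id=log_group_name,
        separator=":")
    # The stream wildcard is scoped beneath this one log group, not the account.
    log_stream_arn = aws_utils.ArnParser.format_arn_with_resource_type(
        service="logs",
        region=region,
        account_id=aws_account_id,
        resource_type="log-group",
        resource_id="{}:log-stream:*".format(log_group_name),
        separator=":")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "WriteLogEvents",
            "Effect": "Allow",
            "Action": ["logs:PutLogEvents", "logs:CreateLogStream"],
            "Resource": [log_group_arn, log_stream_arn]
        }]
    }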
def __test_real_aws_arns(self):
    """Parse real-world shaped Lambda and IAM arns.

    The leading underscores keep the default unittest loader from collecting
    this case, so it only runs when invoked explicitly.
    """
    # Lambda arns
    lambda_arns = {
        'arn:aws:lambda:us-east-1:677027324277:function:cctest0NPM4I0-CRH-CoreResourceTypes-Custom_CognitoIdentityPool',
        'arn:aws:lambda:us-east-1:677027324277:function:cctestC6L1JI1-AH-CoreResourceTypes-AWS_SQS_Queue',
    }
    expected_lambda_parts = {'region': 'us-east-1', 'resource_type': 'function'}
    for lambda_arn in lambda_arns:
        parsed = aws_utils.ArnParser(lambda_arn)
        self.assertTrue(aws_utils.ArnParser.is_valid_arn(lambda_arn))
        for attribute, expected in expected_lambda_parts.items():
            self.assertEqual(getattr(parsed, attribute), expected)

    # IAM arns: no region field, resource type separated by '/'
    iam_arns = {'arn:aws:iam::677027324277:role/cctestU7METFZ'}
    for iam_arn in iam_arns:
        parsed = aws_utils.ArnParser(iam_arn)
        self.assertTrue(aws_utils.ArnParser.is_valid_arn(iam_arn))
        self.assertEqual(parsed.resource_type, 'role')
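def test_with_valid_simple_arn(self):
    """Parse an arn without a resource type and rebuild it from its parts."""
    simple_arn = 'arn:partition:service:region:account-id:resource-id'
    parsed = aws_utils.ArnParser(simple_arn)

    # Checking arn parts
    self.assertEqual('partition', parsed.partition, 'partition')
    self.assertEqual('service', parsed.service, 'service')
    self.assertEqual('region', parsed.region, 'region')
    self.assertEqual('account-id', parsed.account_id, 'account id')
    self.assertEqual('resource-id', parsed.resource_id, 'resource id')
    # A simple arn has no resource type; assertIsNone checks identity, which
    # is what "absent" means here.
    self.assertIsNone(parsed.resource_type, 'resource type')

    # Round-trip: formatting the parsed parts must give back the same arn.
    rebuilt_arn = aws_utils.ArnParser.format_arn_string({
        'service': parsed.service,
        'partition': parsed.partition,
        'region': parsed.region,
        'accountId': parsed.account_id,
        'resourceId': parsed.resource_id
    })
    self.assertEqual(parsed.arn, rebuilt_arn)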
def __test_with_separator(self, separator):
    """Parse an arn whose resource type and id are joined by ``separator``.

    Helper for the separator-specific tests; the leading underscores keep the
    unittest loader from collecting it directly.
    """
    source_arn = (
        'arn:partition:service:region:account-id:resource-type{}resource-id'
        .format(separator))
    parsed = aws_utils.ArnParser(source_arn)

    # Checking arn parts
    expected_parts = (
        ('partition', 'partition', 'partition'),
        ('service', 'service', 'service'),
        ('region', 'region', 'region'),
        ('account-id', 'account_id', 'account id'),
        ('resource-id', 'resource_id', 'resource id'),
        ('resource-type', 'resource_type', 'resource type'),
    )
    for expected, attribute, label in expected_parts:
        self.assertEqual(expected, getattr(parsed, attribute), label)

    # Round-trip with the same separator must reproduce the original arn.
    rebuilt_arn = aws_utils.ArnParser.format_arn_string({
        'service': parsed.service,
        'partition': parsed.partition,
        'region': parsed.region,
        'accountId': parsed.account_id,
        'resourceId': parsed.resource_id,
        'resourceType': parsed.resource_type,
        'separator': separator
    })
    self.assertEqual(parsed.arn, rebuilt_arn)
def test_with_arn_with_missing_region(self):
    """An IAM arn has an empty region field; it must parse as '' and keep its resource type."""
    iam_role_arn = "arn:aws:iam::111111111111:role/Cognito_MyIdentityPoolAuth_Role"
    parsed = aws_utils.ArnParser(iam_role_arn)
    expected_parts = {'region': '', 'resource_type': 'role'}
    for attribute, expected in expected_parts.items():
        self.assertEqual(expected, getattr(parsed, attribute))