def create_default_events_role(self, role_name):
"""Create lmdo default event role"""
try:
response = self.get_role(role_name)
if response:
Oprint.warn(
'Role {} exists, no action required'.format(role_name),
'iam')
return response
template = get_template(IAM_ROLE_EVENTS)
if not template:
return False
if not response:
with open(template, 'r') as outfile:
assume_policy = outfile.read()
response = self.create_role(role_name, assume_policy)
policy = self.create_default_policy(
role_name, self.create_policy_name(role_name,
'default-events'),
IAM_POLICY_EVENTS)
except Exception as e:
Oprint.err(e, 'apigateway')
return response
def create_apigateway_lambda_role(self, role_name):
"""Create APIGateway role that can invoke lambda"""
try:
response = self.get_role(role_name)
if response:
Oprint.warn(
'Role {} exists, no action required'.format(role_name),
'iam')
template = get_template(IAM_ROLE_APIGATEWAY_LAMBDA)
if not template:
return False
if not response:
with open(template, 'r') as outfile:
assume_policy = outfile.read()
response = self.create_role(role_name, assume_policy)
policy = self.create_default_policy(
role_name, self.create_policy_name(role_name, 'lambda-invoke'),
IAM_POLICY_APIGATEWAY_LAMBDA_INVOKE)
except Exception as e:
Oprint.err(e, 'iam')
return response
def create_wsgi_api(self):
"""Create/Update api definition for wsgi app"""
swagger_api = False
# If there is already an exsiting swagger api template,
# fetch it so we won't duplicate it
#if os.path.isfile(self.get_swagger_template()) and self.get_apigateway_name():
swagger_api = self.if_api_exist_by_name(self.get_apigateway_name())
iam = IAM()
for lm_func in self._config.get('Lambda'):
if lm_func.get('Type') != AWSLambda.FUNCTION_TYPE_WSGI or lm_func.get('DisableApiGateway'):
continue
function_name = self.get_lmdo_format_name(lm_func.get('FunctionName'))
role = iam.get_lambda_apigateway_default_role(function_name)
Oprint.info('Create/Update API Gateway for wsgi function {}'.format(lm_func.get('FunctionName')), 'apigateway')
to_replace = {
"$title": self.get_apigateway_name(),
"$version": str(datetime.datetime.utcnow()),
"$basePath": lm_func.get('ApiBasePath') or '/res',
"$apiRegion": self.get_region(),
"$functionRegion": self.get_region(),
"$accountId": self.get_account_id(),
"$functionName": function_name,
"$credentials": role['Role'].get('Arn')
}
# Enable cognito user pool as authorizer
if lm_func.get('CognitoUserPoolId'):
se_replace = {
"$apiRegion": self.get_region(),
"$accountId": self.get_account_id(),
"$userPoolId": lm_func.get('CognitoUserPoolId'),
"$CognitoUserPool": 'CognitoUserPool-{}'.format(lm_func.get('FunctionName'))
}
to_replace["$securityDefinitions"] = self.get_apigateway_authorizer(se_replace)
to_replace["$authorizer"] = '{"' + str(se_replace['$CognitoUserPool'])+'":[]}'
else:
to_replace["$securityDefinitions"] = ''
to_replace["$authorizer"] = ''
template_dir = get_template(APIGATEWAY_SWAGGER_WSGI)
if not template_dir:
Oprint.err('Template {} for creating wsgi APIGateway hasn\'t been installed or missing'.format(APIGATEWAY_SWAGGER_WSGI), 'apigateway')
with open(template_dir, 'r') as outfile:
body = update_template(outfile.read(), to_replace)
if not swagger_api:
swagger_api = self.import_rest_api(body)
else:
# Always overwrite for update
self.put_rest_api(swagger_api.get('id'), body, 'merge')
return swagger_api
def create_default_policy(self, role_name, policy_name, policy_file):
"""Create APIGateway role inline policy that can invoke lambda"""
try:
template = get_template(policy_file)
if not template:
return False
with open(template, 'r') as outfile:
policy_doc = outfile.read()
return self._client.put_role_policy(RoleName=role_name,
PolicyName=policy_name,
PolicyDocument=policy_doc)
except Exception as e:
Oprint.err(e, 'iam')
def unlock_stack(self, stack_name):
"""Unlock stack for update"""
try:
if not self.can_update_stack_policy(stack_name=stack_name):
return True
unlock_policy = get_template(CLOUDFORMATION_STACK_UNLOCK_POLICY)
with open(unlock_policy, 'r') as outfile:
policy = outfile.read()
Oprint.info('Unlocking stack {} for update'.format(stack_name), self.NAME)
response = self._client.set_stack_policy(StackName=stack_name, StackPolicyBody=policy)
except Exception as e:
Oprint.err(e, self.NAME)
return True
def lock_stack(self, stack_name):
"""Lock stack so no changes can be made accidentally"""
try:
if not self.can_update_stack_policy(stack_name=stack_name):
return True
lock_policy = get_template(CLOUDFORMATION_STACK_LOCK_POLICY)
with open(lock_policy, 'r') as outfile:
policy = outfile.read()
Oprint.info('Locking stack {} to prevent accidental changes'.format(stack_name), self.NAME)
response = self._client.set_stack_policy(StackName=stack_name, StackPolicyBody=policy)
except ClientError as ce:
Oprint.err(str(ce.response['Error']['Message']), self.NAME)
except Exception as e:
Oprint.err(e, self.NAME)
return True