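def policy_create_for_execution_role(self, role_name, skip_if_exists=True):
    """Create (or reuse) an ECS task *execution* role with its inline policy.

    The role trusts ``ecs-tasks.amazonaws.com`` and receives an inline policy
    named ``policy_for_<role_name>`` that allows ECR image pulls and writing
    CloudWatch Logs streams in this account/region.

    Args:
        role_name: Name of the IAM role to look up or create.
        skip_if_exists: When True and the role already exists, return it as-is
            without re-creating it or re-attaching the inline policy.

    Returns:
        The ``IAM_Role`` wrapper when the role was reused, or when it was
        created and the inline policy is visible on it afterwards; ``None``
        when creation failed or the policy did not show up.
    """
    # Log-group wildcard is bounded to this account and region. CreateLogStream /
    # PutLogEvents act on streams beneath these groups; the IAM wildcard also
    # matches the ":log-stream:<name>" suffix of a stream ARN.
    cloud_watch_arn = f"arn:aws:logs:{self.region}:{self.account_id}:log-group:*"

    # Trust policy: only the ECS task service may assume this role.
    # NOTE(review): "2008-10-17" is the legacy policy-language version; new
    # documents normally use "2012-10-17". Left unchanged to keep behaviour.
    role_document = {
        "Version": "2008-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ecs-tasks.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }

    # Permissions policy attached inline to the role.
    # NOTE(review): ecr:GetAuthorizationToken does not support resource-level
    # permissions and needs "*", but the other ECR read actions accept
    # repository ARNs and could be narrowed to the repositories this task pulls.
    policy_document = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecr:GetAuthorizationToken",
                    "ecr:BatchCheckLayerAvailability",
                    "ecr:GetDownloadUrlForLayer",
                    "ecr:GetRepositoryPolicy",
                    "ecr:DescribeRepositories",
                    "ecr:ListImages",
                    "ecr:DescribeImages",
                    "ecr:BatchGetImage",
                ],
                "Resource": "*",
            },
            {
                "Effect": "Allow",
                "Action": [
                    "logs:CreateLogStream",
                    "logs:PutLogEvents",
                ],
                "Resource": [cloud_watch_arn],
            },
        ],
    }

    policy_name = f"policy_for_{role_name}"
    iam_role = IAM_Role(role_name=role_name)

    # Cheap flag test first so the IAM lookup is skipped when it cannot matter.
    if skip_if_exists and iam_role.exists():
        return iam_role

    if not iam_role.create(policy_document=role_document, skip_if_exists=skip_if_exists):
        return None

    iam_role.attach_policy(policy_name=policy_name, policy_document=policy_document)

    # Only report success once the inline policy is actually listed on the role.
    if policy_name in iam_role.iam.role_policies():
        return iam_role
    return None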
def policy_create_for_task_role(self, role_name, skip_if_exists=True):
    """Create an ECS *task* role that the ECS task service may assume.

    Only the trust relationship is set here; no permissions policy is
    attached, so the role grants nothing until the caller adds policies.

    Args:
        role_name: Name of the IAM role to create.
        skip_if_exists: Forwarded to ``IAM_Role.create``.

    Returns:
        The ``IAM_Role`` wrapper for ``role_name`` (the outcome of ``create``
        is not checked).
    """
    trust_policy = {
        "Version": "2008-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ecs-tasks.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }
    task_role = IAM_Role(role_name=role_name)
    # Return value of create() is deliberately ignored, as in the original.
    task_role.create(policy_document=trust_policy, skip_if_exists=skip_if_exists)
    return task_role
def test_create_function(self):
    """End-to-end: build, create, invoke and delete a Lambda from a temp folder.

    NOTE(review): the ``<lambda_name>__tmp_role`` IAM role created below is
    never removed, and the trailing ``delete()`` only runs when every earlier
    assertion passes, so a failing run leaves both resources behind.
    """
    tmp_role = IAM_Role(self.lambda_name + '__tmp_role')
    role_arn = tmp_role.create_for__lambda().get('role_arn')

    tmp_folder = Temp_Folder_With_Lambda_File(self.lambda_name).create_temp_file()

    aws_lambda = self.aws_lambda
    aws_lambda.set_role(role_arn)
    aws_lambda.set_s3_bucket(self.s3_bucket)
    aws_lambda.set_s3_key(self.s3_key)
    aws_lambda.set_folder_code(tmp_folder.folder)

    # Keyword arguments that will be handed to boto3's create_function.
    expected_kwargs = {
        'Code': {'S3Bucket': self.s3_bucket, 'S3Key': self.s3_key},
        'FunctionName': self.lambda_name,
        'Handler': self.lambda_name + '.run',
        'MemorySize': 10240,
        'PackageType': 'Zip',
        'Role': role_arn,
        'Runtime': 'python3.8',
        'Tags': {},
        'Timeout': 900,
        'TracingConfig': {'Mode': 'PassThrough'},
    }
    assert aws_lambda.create_kwargs() == expected_kwargs

    assert aws_lambda.upload() is True

    result = aws_lambda.create()
    assert result.get('status') == 'ok'
    assert result.get('name') == self.lambda_name

    expected_arn = f'arn:aws:lambda:{self.region}:{self.account_id}:function:{self.lambda_name}'

    # Lambda creation details, checked in the same order as before.
    expected_fields = [
        ('CodeSize', 242),
        ('FunctionArn', expected_arn),
        ('FunctionName', self.lambda_name),
        ('Handler', self.lambda_name + '.run'),
        ('MemorySize', 10240),
        ('Role', role_arn),
        ('Runtime', 'python3.8'),
        ('Timeout', 900),
        ('TracingConfig', {'Mode': 'PassThrough'}),
        ('Version', '$LATEST'),
    ]
    checker = Assert(result.get('data'))
    for field_name, field_value in expected_fields:
        checker = checker.field_is_equal(field_name, field_value)

    assert aws_lambda.invoke() == 'hello None'
    assert aws_lambda.delete() is True       # confirm Lambda was deleted
def test_policy_add_sqs_permissions_to_lambda_role(self):
    """Attach the SQS/Lambda managed policy to a temp Lambda's role, then remove it.

    The policy name is the last path segment of the managed-policy ARN held
    by ``iam_utils``; it must appear in the role's policy statements after
    the add call and disappear after the remove call.
    """
    policy_arn = self.iam_utils.arn_aws_policy_service_sqs_lambda
    policy_name = policy_arn.rpartition('/')[2]

    with Temp_Lambda() as temp_lambda:
        lambda_name = temp_lambda.lambda_name
        role_name = self.iam_utils.policy_add_sqs_permissions_to_lambda_role(lambda_name)
        iam_role = IAM_Role(role_name=role_name)
        pprint(iam_role.info())      # debug output kept for parity with the original test

        assert policy_name in iam_role.policies_statements()
        assert iam_role.exists() is True

        self.iam_utils.policy_remove_sqs_permissions_to_lambda_role(lambda_name)
        assert policy_name not in iam_role.policies_statements()
def test_create_function(self):
    """End-to-end: configure, create and delete a Lambda built from a temp code folder.

    NOTE(review): the ``<lambda_name>__tmp_role`` IAM role created below is
    never removed, and ``delete()`` at the end only runs when all earlier
    assertions pass.
    """
    tmp_role = IAM_Role(self.lambda_name + '__tmp_role')
    role_arn = tmp_role.create_for__lambda().get('role_arn')
    tmp_folder = Temp_Folder_Code(self.lambda_name)

    aws_lambda = self.aws_lambda
    aws_lambda.set_role(role_arn)
    aws_lambda.set_s3_bucket(self.s3_bucket)
    aws_lambda.set_s3_key(self.s3_key)
    aws_lambda.set_folder_code(tmp_folder.folder)

    # Positional values that will be passed to boto3's create_function.
    expected_params = (
        self.lambda_name,
        'python3.7',
        role_arn,
        self.lambda_name + '.run',
        3008,
        60,
        {'Mode': 'PassThrough'},
        {'S3Bucket': self.s3_bucket, 'S3Key': self.s3_key},
    )
    assert aws_lambda.create_params() == expected_params

    assert aws_lambda.upload() is True

    result = aws_lambda.create()
    assert result.get('status') == 'ok'
    assert result.get('name') == self.lambda_name

    expected_arn = f'arn:aws:lambda:{self.region}:{self.account_id}:function:{self.lambda_name}'

    # Lambda creation details, checked in the same order as before.
    expected_fields = [
        ('CodeSize', 209),
        ('FunctionArn', expected_arn),
        ('FunctionName', self.lambda_name),
        ('Handler', self.lambda_name + '.run'),
        ('MemorySize', 3008),
        ('Role', role_arn),
        ('Runtime', 'python3.7'),
        ('Timeout', 60),
        ('TracingConfig', {'Mode': 'PassThrough'}),
        ('Version', '$LATEST'),
    ]
    checker = Assert(result.get('data'))
    for field_name, field_value in expected_fields:
        checker = checker.field_is_equal(field_name, field_value)

    assert aws_lambda.delete() is True       # confirm Lambda was deleted
def create__for_lambda_invocation(self, delete_existing=False):
    """Create the lambda-invocation role and return its ARN.

    Args:
        delete_existing: When True, delete any role of that name first so the
            role is rebuilt from scratch.

    Returns:
        The ``role_arn`` entry from ``IAM_Role.create_for__lambda``.
    """
    iam_role = IAM_Role(self.role_name__for_lambda_invocation)
    if delete_existing:
        # The delete result is not inspected; creation proceeds regardless.
        iam_role.iam.role_delete()
    role_details = iam_role.create_for__lambda()
    return role_details.get('role_arn')
def setUp(self):
    """Bind the temporary role name and its ``IAM_Role`` wrapper for each test."""
    role_name = 'test_IAM_Role__temp_role'
    self.temp_role_name = role_name
    self.iam_role = IAM_Role(role_name=role_name)
def for_lambda_invocation_exists(self):
    """Return whether the lambda-invocation role currently exists in IAM."""
    return IAM_Role(self.role_name__for_lambda_invocation).iam.role_exists()
def setUp(self):
    """Bind the temp role wrapper and capture the session's account id and region."""
    role_name = 'test_IAM_Role__temp_role'
    self.temp_role_name = role_name
    self.iam_role = IAM_Role(role_name=role_name)
    # Account/region come from the active AWS session; AWS_Config is a context manager.
    with AWS_Config() as aws_config:
        self.account_id = aws_config.aws_session_account_id()
        self.region = aws_config.aws_session_region_name()