def _codedeploy_iam_role(self): iam_role = IAMRole(CODE_DEPLOY_SERVICE_ROLE_LOGICAL_ID) iam_role.AssumeRolePolicyDocument = { "Version": "2012-10-17", "Statement": [ { "Action": ["sts:AssumeRole"], "Effect": "Allow", "Principal": {"Service": ["codedeploy.amazonaws.com"]}, } ], } # CodeDeploy has a new managed policy. We cannot update any existing partitions, without customer reach out # that support AWSCodeDeployRoleForLambda since this could regress stacks that are currently deployed. if ArnGenerator.get_partition_name() in ["aws-iso", "aws-iso-b"]: iam_role.ManagedPolicyArns = [ ArnGenerator.generate_aws_managed_policy_arn("service-role/AWSCodeDeployRoleForLambdaLimited") ] else: iam_role.ManagedPolicyArns = [ ArnGenerator.generate_aws_managed_policy_arn("service-role/AWSCodeDeployRoleForLambda") ] return iam_role
def _construct_role(self, resource, prefix=None, suffix=""): """Constructs the IAM Role resource allowing the event service to invoke the StartExecution API of the state machine resource it is associated with. :param model.stepfunctions.StepFunctionsStateMachine resource: The state machine resource associated with the event :param string prefix: Prefix to use for the logical ID of the IAM role :param string suffix: Suffix to add for the logical ID of the IAM role :returns: the IAM Role resource :rtype: model.iam.IAMRole """ role_logical_id = self._generate_logical_id(prefix=prefix, suffix=suffix, resource_type="Role") event_role = IAMRole( role_logical_id, attributes=resource.get_passthrough_resource_attributes()) event_role.AssumeRolePolicyDocument = IAMRolePolicies.construct_assume_role_policy_for_service_principal( self.principal) state_machine_arn = resource.get_runtime_attr("arn") event_role.Policies = [ IAMRolePolicies.step_functions_start_execution_role_policy( state_machine_arn, role_logical_id) ] return event_role
def _construct_role(self, managed_policy_map): """Constructs a Lambda execution role based on this SAM function's Policies property. :returns: the generated IAM Role :rtype: model.iam.IAMRole """ execution_role = IAMRole(self.logical_id + 'Role') execution_role.AssumeRolePolicyDocument = IAMRolePolicies.lambda_assume_role_policy() managed_policy_arns = [ArnGenerator.generate_aws_managed_policy_arn('service-role/AWSLambdaBasicExecutionRole')] if self.Tracing: managed_policy_arns.append(ArnGenerator.generate_aws_managed_policy_arn('AWSXrayWriteOnlyAccess')) function_policies = FunctionPolicies({"Policies": self.Policies}, # No support for policy templates in the "core" policy_template_processor=None) policy_documents = [] if self.DeadLetterQueue: policy_documents.append(IAMRolePolicies.dead_letter_queue_policy( self.dead_letter_queue_policy_actions[self.DeadLetterQueue['Type']], self.DeadLetterQueue['TargetArn'])) for index, policy_entry in enumerate(function_policies.get()): if policy_entry.type is PolicyTypes.POLICY_STATEMENT: policy_documents.append({ 'PolicyName': execution_role.logical_id + 'Policy' + str(index), 'PolicyDocument': policy_entry.data }) elif policy_entry.type is PolicyTypes.MANAGED_POLICY: # There are three options: # Managed Policy Name (string): Try to convert to Managed Policy ARN # Managed Policy Arn (string): Insert it directly into the list # Intrinsic Function (dict): Insert it directly into the list # # When you insert into managed_policy_arns list, de-dupe to prevent same ARN from showing up twice # policy_arn = policy_entry.data if isinstance(policy_entry.data, string_types) and policy_entry.data in managed_policy_map: policy_arn = managed_policy_map[policy_entry.data] # De-Duplicate managed policy arns before inserting. Mainly useful # when customer specifies a managed policy which is already inserted # by SAM, such as AWSLambdaBasicExecutionRole if policy_arn not in managed_policy_arns: managed_policy_arns.append(policy_arn) else: # Policy Templates are not supported here in the "core" raise InvalidResourceException( self.logical_id, "Policy at index {} in the 'Policies' property is not valid".format(index)) execution_role.ManagedPolicyArns = list(managed_policy_arns) execution_role.Policies = policy_documents or None return execution_role
def test_codedeploy_iam_role(self): expected_codedeploy_iam_role = IAMRole('CodeDeployServiceRole') expected_codedeploy_iam_role.AssumeRolePolicyDocument = { 'Version': '2012-10-17', 'Statement': [{ 'Action': ['sts:AssumeRole'], 'Effect': 'Allow', 'Principal': {'Service': ['codedeploy.amazonaws.com']} }] } expected_codedeploy_iam_role.ManagedPolicyArns = ['arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambda'] self.assertEqual(DeploymentPreferenceCollection().codedeploy_iam_role.to_dict(), expected_codedeploy_iam_role.to_dict())
def _codedeploy_iam_role(self): iam_role = IAMRole(CODE_DEPLOY_SERVICE_ROLE_LOGICAL_ID) iam_role.AssumeRolePolicyDocument = { 'Version': '2012-10-17', 'Statement': [{ 'Action': ['sts:AssumeRole'], 'Effect': 'Allow', 'Principal': {'Service': ['codedeploy.amazonaws.com']} }] } iam_role.ManagedPolicyArns = [ ArnGenerator.generate_aws_managed_policy_arn('service-role/AWSCodeDeployRoleForLambda') ] return iam_role
def _codedeploy_iam_role(self): iam_role = IAMRole(CODE_DEPLOY_SERVICE_ROLE_LOGICAL_ID) iam_role.AssumeRolePolicyDocument = { 'Version': '2012-10-17', 'Statement': [{ 'Action': ['sts:AssumeRole'], 'Effect': 'Allow', 'Principal': { 'Service': ['codedeploy.amazonaws.com'] } }] } iam_role.ManagedPolicyArns = [ ArnGenerator.generate_aws_managed_policy_arn( 'service-role/AWSCodeDeployRoleForLambda') ] return iam_role
def test_codedeploy_iam_role(self): expected_codedeploy_iam_role = IAMRole("CodeDeployServiceRole") expected_codedeploy_iam_role.AssumeRolePolicyDocument = { "Version": "2012-10-17", "Statement": [ { "Action": ["sts:AssumeRole"], "Effect": "Allow", "Principal": {"Service": ["codedeploy.amazonaws.com"]}, } ], } expected_codedeploy_iam_role.ManagedPolicyArns = [ "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambda" ] self.assertEqual( DeploymentPreferenceCollection().codedeploy_iam_role.to_dict(), expected_codedeploy_iam_role.to_dict() )
def _codedeploy_iam_role(self): iam_role = IAMRole(CODE_DEPLOY_SERVICE_ROLE_LOGICAL_ID) iam_role.AssumeRolePolicyDocument = { "Version": "2012-10-17", "Statement": [{ "Action": ["sts:AssumeRole"], "Effect": "Allow", "Principal": { "Service": ["codedeploy.amazonaws.com"] }, }], } iam_role.ManagedPolicyArns = [ ArnGenerator.generate_aws_managed_policy_arn( "service-role/AWSCodeDeployRoleForLambda") ] return iam_role
def construct_role_for_resource( resource_logical_id, attributes, managed_policy_map, assume_role_policy_document, resource_policies, managed_policy_arns=None, policy_documents=None, permissions_boundary=None, tags=None, ): """ Constructs an execution role for a resource. :param resource_logical_id: The logical_id of the SAM resource that the role will be associated with :param attributes: Map of resource attributes to their values :param managed_policy_map: Map of managed policy names to the ARNs :param assume_role_policy_document: The trust policy that must be associated with the role :param resource_policies: ResourcePolicies object encapuslating the policies property of SAM resource :param managed_policy_arns: List of managed policy ARNs to be associated with the role :param policy_documents: List of policy documents to be associated with the role :param permissions_boundary: The ARN of the policy used to set the permissions boundary for the role :param tags: Tags to be associated with the role :returns: the generated IAM Role :rtype: model.iam.IAMRole """ role_logical_id = resource_logical_id + "Role" execution_role = IAMRole(logical_id=role_logical_id, attributes=attributes) execution_role.AssumeRolePolicyDocument = assume_role_policy_document if not managed_policy_arns: managed_policy_arns = [] if not policy_documents: policy_documents = [] for index, policy_entry in enumerate(resource_policies.get()): if policy_entry.type is PolicyTypes.POLICY_STATEMENT: if is_intrinsic_if(policy_entry.data): intrinsic_if = policy_entry.data then_statement = intrinsic_if["Fn::If"][1] else_statement = intrinsic_if["Fn::If"][2] if not is_intrinsic_no_value(then_statement): then_statement = { "PolicyName": execution_role.logical_id + "Policy" + str(index), "PolicyDocument": then_statement, } intrinsic_if["Fn::If"][1] = then_statement if not is_intrinsic_no_value(else_statement): else_statement = { "PolicyName": execution_role.logical_id + "Policy" + str(index), "PolicyDocument": else_statement, } intrinsic_if["Fn::If"][2] = else_statement policy_documents.append(intrinsic_if) else: policy_documents.append({ "PolicyName": execution_role.logical_id + "Policy" + str(index), "PolicyDocument": policy_entry.data, }) elif policy_entry.type is PolicyTypes.MANAGED_POLICY: # There are three options: # Managed Policy Name (string): Try to convert to Managed Policy ARN # Managed Policy Arn (string): Insert it directly into the list # Intrinsic Function (dict): Insert it directly into the list # # When you insert into managed_policy_arns list, de-dupe to prevent same ARN from showing up twice # policy_arn = policy_entry.data if isinstance( policy_entry.data, string_types) and policy_entry.data in managed_policy_map: policy_arn = managed_policy_map[policy_entry.data] # De-Duplicate managed policy arns before inserting. Mainly useful # when customer specifies a managed policy which is already inserted # by SAM, such as AWSLambdaBasicExecutionRole if policy_arn not in managed_policy_arns: managed_policy_arns.append(policy_arn) else: # Policy Templates are not supported here in the "core" raise InvalidResourceException( resource_logical_id, "Policy at index {} in the '{}' property is not valid".format( index, resource_policies.POLICIES_PROPERTY_NAME), ) execution_role.ManagedPolicyArns = list(managed_policy_arns) execution_role.Policies = policy_documents or None execution_role.PermissionsBoundary = permissions_boundary execution_role.Tags = tags return execution_role