Statement( Effect=Allow, Action=[AssumeRole], Principal=Principal("Service", ["ec2.amazonaws.com"]) ) ] ) )) t.add_resource(IAMPolicy( "Policy", PolicyName="AllowCodePipeline", PolicyDocument=Policy( Statement=[ Statement( Effect=Allow, Action=[Action("codepipeline", "*")], Resource=["*"] ) ] ), Roles=[Ref("Role")] )) t.add_resource(InstanceProfile( "InstanceProfile", Path="/", Roles=[Ref("Role")] )) t.add_resource(ec2.Instance( "instance",
SecurityGroupRule("HyP3ProcessingInstancesSecurityGroupWebOut", IpProtocol="tcp", FromPort="80", ToPort="80", CidrIp="0.0.0.0/0"), SecurityGroupRule("HyP3ProcessingInstancesSecurityGroupWebSOut", IpProtocol="tcp", FromPort="443", ToPort="443", CidrIp="0.0.0.0/0") ])) products_bucket_access = IAMPolicy( PolicyName="ProductsPutObject", PolicyDocument=Policy(Statement=[ Statement( Effect=Allow, Action=[GetObject, PutObject], Resource=[Sub("${Arn}/*", Arn=GetAtt(products_bucket, "Arn"))]) ])) poll_messages = IAMPolicy( PolicyName="QueueGetMessages", PolicyDocument=Policy(Statement=[ Statement(Effect=Allow, Action=[ReceiveMessage, DeleteMessage, GetQueueUrl], Resource=[GetAtt(start_events, "Arn")]) ])) publish_notifications = IAMPolicy( PolicyName="PublishNotifications", PolicyDocument=Policy(Statement=[
IAMPolicy(PolicyName="CodePipelinePolicy", PolicyDocument={ "Statement": [ { "Effect": "Allow", "Action": "cloudformation:*", "Resource": "*" }, { "Effect": "Allow", "Action": "codebuild:*", "Resource": "*" }, { "Effect": "Allow", "Action": "codepipeline:*", "Resource": "*" }, { "Effect": "Allow", "Action": "ecr:*", "Resource": "*" }, { "Effect": "Allow", "Action": "ecs:*", "Resource": "*" }, { "Effect": "Allow", "Action": "iam:*", "Resource": "*" }, { "Effect": "Allow", "Action": "s3:*", "Resource": "*" }, ], }),
IAMPolicy(PolicyName="MyeongjaeKimCodePipeline", PolicyDocument={ "Statement": [ { "Effect": "Allow", "Action": "cloudformation:*", "Resource": "*" }, { "Effect": "Allow", "Action": "codebuild:*", "Resource": "*" }, { "Effect": "Allow", "Action": "codepipeline:*", "Resource": "*" }, { "Effect": "Allow", "Action": "ecr:*", "Resource": "*" }, { "Effect": "Allow", "Action": "ecs:*", "Resource": "*" }, { "Effect": "Allow", "Action": "iam:*", "Resource": "*" }, { "Effect": "Allow", "Action": "s3:*", "Resource": "*" }, ] })
[ FindInMap("Region2Principal", Ref("AWS::Region"), "EC2Principal") ], ), ) ]), Path="/", )) t.add_resource( IAMPolicy( "WebServerRolePolicy", PolicyName="WebServerRole", PolicyDocument=PolicyDocument(Statement=[ Statement( Effect=Allow, NotAction=Action("iam", "*"), Resource=["*"]) ]), Roles=[Ref("WebServerRole")], )) t.add_resource( InstanceProfile("WebServerInstanceProfile", Path="/", Roles=[Ref("WebServerRole")])) t.add_resource( Application( "SampleApplication", Description="AWS Elastic Beanstalk Sample Node.js Application", ))
IAMPolicy(PolicyName=Join("-", [ Select(0, Split("-", Ref("AWS::StackName"))), Select(1, Split("-", Ref("AWS::StackName"))), "ScalingRole" ]), PolicyDocument={ "Statement": [ { "Effect": "Allow", "Action": "ecs:UpdateService", "Resource": "*" }, { "Effect": "Allow", "Action": "ecs:DescribeServices", "Resource": "*" }, { "Effect": "Allow", "Action": "application-autoscaling:*", "Resource": "*" }, { "Effect": "Allow", "Action": "cloudwatch:DescribeAlarms", "Resource": "*" }, { "Effect": "Allow", "Action": "cloudwatch:GetMetricStatistics", "Resource": "*" }, ], }),
from .hyp3_autoscaling_group import custom_metric_name, processing_group from .hyp3_kms_key import kms_key from .hyp3_sqs import start_events source_zip = "custom_metric.zip" print(' adding custom_metric lambda') describe_autoscale = IAMPolicy( PolicyName="DescribeAutoScalingGroups", PolicyDocument=Policy( Statement=[ Statement( Effect=Allow, Action=[DescribeAutoScalingGroups], Resource=["*"] ) ] ) ) get_queue_attributes = IAMPolicy( PolicyName="GetQueueAttributes", PolicyDocument=Policy( Statement=[ Statement( Effect=Allow, Action=[GetQueueAttributes], Resource=[GetAtt(start_events, "Arn")] )
"sudo echo '*/10 * * * * {}' | sudo tee /etc/cron.d/ansible-pull > /dev/null" .format(AnsiblePullCmd) ])) t.add_resource( Role("Role", AssumeRolePolicyDocument=Policy(Statement=[ Statement(Effect=Allow, Action=[AssumeRole], Principal=Principal("Service", ["ec2.amazonaws.com"])) ]), Policies=[ IAMPolicy(PolicyName="S3access", PolicyDocument={ "Statement": [{ "Effect": "Allow", "Action": "s3:*", "Resource": "*" }] }) ])) t.add_resource( InstanceProfile("InstanceProfile", Path="/", Roles=[Ref("Role")])) t.add_resource( ec2.Instance( "instance", ImageId="ami-08935252a36e25f85", InstanceType="t2.micro", SecurityGroups=[Ref("SecurityGroup")], KeyName=Ref("KeyPair"),
"LambdaCleanImagesRole", AssumeRolePolicyDocument=Policy(Statement=[ Statement(Effect=Allow, Action=[AssumeRole], Principal=Principal("Service", ["lambda.amazonaws.com"])) ]), Policies=[ IAMPolicy("LambdaCleanBaseImagesPolicy", PolicyName="LambdaCleanBaseImagesPolicy", PolicyDocument=Policy(Statement=[ Statement(Effect=Allow, Action=[ Action('ec2', 'DescribeImages'), Action('ec2', 'DeregisterImage'), ], Resource=['*']), Statement(Effect=Allow, Action=[ Action('logs', 'CreateLogGroup'), Action('logs', 'CreateLogStream'), Action('logs', 'PutLogEvents'), ], Resource=['arn:aws:logs:*:*:*']) ])) ])) backup_rds_role = t.add_resource( Role( "LambdaBackupRDSRole", AssumeRolePolicyDocument=Policy(Statement=[ Statement(Effect=Allow,
t.add_resource(InstanceProfile( "AppServersInstanceProfile", Path="/", Roles=[Ref("AppServersRole")] )) t.add_resource(IAMPolicy( "Policy", PolicyName="AllowS3", PolicyDocument=Policy( Statement=[ Statement( Effect=Allow, Action=[Action("s3", "*")], Resource=["*"]), Statement( Effect=Allow, Action=[Action("logs", "*")], Resource=["*"]) ] ), Roles=[Ref("AppServersRole")] )) t.add_resource(LaunchConfiguration( "LaunchConfiguration", UserData=ud, ImageId="ami-eaa5bf90", KeyName=Ref("KeyPair"), SecurityGroups=[Ref("SecurityGroup")],
IAMPolicy(PolicyName="NetworkCodePipeline", PolicyDocument={ "Statement": [ { "Effect": "Allow", "Action": "cloudformation:*", "Resource": "*" }, { "Effect": "Allow", "Action": "codebuild:*", "Resource": "*" }, { "Effect": "Allow", "Action": "codepipeline:*", "Resource": "*" }, { "Effect": "Allow", "Action": "ecr:*", "Resource": "*" }, { "Effect": "Allow", "Action": "ecs:*", "Resource": "*" }, { "Effect": "Allow", "Action": "iam:*", "Resource": "*" }, { "Effect": "Allow", "Action": "s3:*", "Resource": "*" }, { "Effect": "Allow", "Action": "codecommit:*", "Resource": "*" }, ], }),
["codepipeline.amazonaws.com"])) ]), Path="/", Policies=[ IAMPolicy(PolicyName="HelloworldCodePipeline", PolicyDocument={ "Statement": [{ "Effect": "Allow", "Action": "cloudformation:*", "Resource": "*" }, { "Effect": "Allow", "Action": "codebuild:*", "Resource": "*" }, { "Effect": "Allow", "Action": "codepipeline:*", "Resource": "*" }, { "Effect": "Allow", "Action": "s3:*", "Resource": "*" }, { "Effect": "Allow", "Action": "iam:*", "Resource": "*" }] }) ])) t.add_resource( Role("CloudFormationHelloworldRole",
role = template.add_resource(Role( "PugRole", AssumeRolePolicyDocument=Policy( Statement=[ Statement( Effect=Allow, Action=[AssumeRole], Principal=Principal("Service", ["ec2.amazonaws.com"]) ) ]), Path="/", Policies=[IAMPolicy( "PugPolicy", PolicyName="PugPolicy", PolicyDocument=Policy( Statement=[ Statement(Effect=Allow, Action=[Action("s3", "*")], Resource=["arn:aws:s3:::cpug/*"]) ] ))])) instance_profile = template.add_resource(InstanceProfile( "PugInstanceProfile", Path="/", Roles=[{"Ref": "PugRole"}] )) user_data = """#!/bin/bash # install web server yum install httpd -y aws s3 cp s3://cpug/image.png /var/www/icons/image.png
IAMPolicy(PolicyName="ECSCodePipeline", PolicyDocument={ "Statement": [ { "Effect": "Allow", "Action": "cloudformation:*", "Resource": "*" }, { "Effect": "Allow", "Action": "codebuild:*", "Resource": "*" }, { "Effect": "Allow", "Action": "codepipeline:*", "Resource": "*" }, { "Effect": "Allow", "Action": "ecr:*", "Resource": "*" }, { "Effect": "Allow", "Action": "ecs:*", "Resource": "*" }, { "Effect": "Allow", "Action": "iam:*", "Resource": "*" }, { "Effect": "Allow", "Action": "s3:*", "Resource": "*" }, { "Effect": "Allow", "Action": "codecommit:*", "Resource": "*" }, ], }),
t.add_resource( ec2.Instance( "instance", ImageId="ami-0ebe657bc328d4e82", InstanceType="t2.micro", SecurityGroups=[Ref("SecurityGroup")], KeyName=Ref("KeyPair"), UserData=ud, IamInstanceProfile=Ref("InstanceProfile"), )) t.add_resource( IAMPolicy( "Policy", PolicyName="AllowS3", PolicyDocument=Policy(Statement=[ Statement(Effect=Allow, Action=[Action("s3", "*")], Resource=["*"]) ]), Roles=[Ref("Role")])) t.add_output( Output( "InstancePublicIp", Description="Public IP of our instance.", Value=GetAtt("instance", "PublicIp"), )) t.add_output( Output( "WebUrl", Description="Application endpoint",
IAMPolicy( "LambdaPolicy", PolicyName="LambdaCloudtrailPolicy", PolicyDocument=Policy(Statement=[ Statement(Effect=Allow, Action=[ Action('s3', 'GetObject'), ], Resource=[ Join("", ['arn:aws:s3:::', Ref(bucket), '/*']) ]), Statement(Effect=Allow, Action=[ Action('logs', 'CreateLogGroup'), Action('logs', 'CreateLogStream'), Action('logs', 'PutLogEvents'), ], Resource=['arn:aws:logs:*:*:*']), Statement( Effect=Allow, Action=[ Action('lambda', 'GetFunction'), ], Resource=['*' ] # todo: limit this to the function itself ), Statement(Effect=Allow, Action=[Action('sns', 'publish')], Resource=[Ref(notificationTopic)]), Statement(Effect=Allow, Action=[ Action('iam', 'ListRolePolicies'), Action('iam', 'GetRolePolicy') ], Resource=['*']), ]))
t.add_resource( Role("Role", AssumeRolePolicyDocument=Policy(Statement=[ Statement(Effect=Allow, Action=[AssumeRole], Principal=Principal("Service", ["ec2.amazonaws.com"])) ]))) t.add_resource( InstanceProfile("InstanceProfile", Path="/", Roles=[Ref("Role")])) t.add_resource( IAMPolicy( "Policy", PolicyName="AllowS3", PolicyDocument=Policy(Statement=[ Statement(Effect=Allow, Action=[Action("s3", "*")], Resource=["*"]) ]), Roles=[Ref("Role")])) t.add_resource( IAMPolicy("MonitoringPolicy", PolicyName="AllowSendingDataForMonitoring", PolicyDocument=Policy(Statement=[ Statement(Effect=Allow, Action=[ Action("cloudwatch", "Put*"), Action("logs", "Create*"), Action("logs", "Put*"), Action("logs", "Describe*"), Action("events", "Put*"),
AssumeRolePolicyDocument=Policy( Statement=[ Statement( Effect=Allow, Action=[AssumeRole], Principal=Principal("Service", ["codepipeline.amazonaws.com"]) ) ] ), Policies=[ IAMPolicy( PolicyName="PortfolioCodePipeline", PolicyDocument={ "Statement": [ {"Effect": "Allow", "Action": "cloudformation:*", "Resource": "*"}, {"Effect": "Allow", "Action": "codedeploy:*", "Resource": "*"}, {"Effect": "Allow", "Action": "codepipeline:*", "Resource": "*"}, {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}, {"Effect": "Allow", "Action": "s3:*", "Resource": "*"} ] } ) ] )) template.add_resource(Pipeline( "PortfolioPipeline", RoleArn=GetAtt("PortfolioPipelineRole", "Arn"), ArtifactStore=ArtifactStore( Type="S3", Location=Ref("S3Bucket") ),