def _add_cloudwatch_event_rule( builder: Template, replication_bucket: Parameter, listener_workflow: stepfunctions.StateMachine) -> events.Rule: base_name = "ReplicationListenerEvent" trigger_role = events_trigger_stepfuntions_role( f"{base_name}Role", statemachine=listener_workflow) builder.add_resource(trigger_role) rule = events.Rule( f"{base_name}Rule", State="ENABLED", EventPattern={ "source": ["aws.s3"], "detail-type": ["AWS API Call via CloudTrail"], "detail": { "eventSource": ["s3.amazonaws.com"], "eventName": ["PutObject"], "requestParameters": { "bucketName": [replication_bucket.ref()] }, }, }, Targets=[ events.Target(Arn=listener_workflow.ref(), Id=f"{base_name}TriggerWorkflow", RoleArn=trigger_role.get_att("Arn")) ], ) return builder.add_resource(rule)
def lambda_function( *, bucket_name: Parameter, workers_key: Parameter, name: str, role: iam.Role, runtime: str, namespace: str, module: str, memory_size: int, timeout: int, tags: Tags, source_bucket: Optional[Parameter] = None, ) -> awslambda.Function: if source_bucket is None: source_bucket = bucket_name return awslambda.Function( name, Role=role.get_att("Arn"), Code=awslambda.Code(S3Bucket=source_bucket.ref(), S3Key=workers_key.ref()), Handler=f"accretion_workers.{namespace}.{module}.lambda_handler", Environment=_lambda_environment(bucket_name), Runtime=runtime, MemorySize=memory_size, Timeout=timeout, Tags=tags, )
def _codebuild_role(artifacts_bucket: Parameter, resources_bucket: Parameter, cmk: Parameter) -> iam.Role: """Construct a role for use by CodeBuild. :param artifacts_bucket: Artifacts bucket parameter :param resources_bucket: Resources bucket parameter :param cmk: KMS CMK parameter :return: Constructed Role """ assume_policy = AWS.PolicyDocument(Statement=[ AWS.Statement( Principal=AWS.Principal( "Service", make_service_domain_name(CODEBUILD.prefix)), Effect=AWS.Allow, Action=[STS.AssumeRole], ) ]) policy = AWS.PolicyDocument(Statement=[ AWS.Statement( Effect=AWS.Allow, Action=[ LOGS.CreateLogGroup, LOGS.CreateLogStream, LOGS.PutLogEvents ], Resource=[account_arn(service_prefix=LOGS.prefix, resource="*")], ), AWS.Statement( Effect=AWS.Allow, Action=[S3.GetObject, S3.GetObjectVersion, S3.PutObject], Resource=[ Sub(f"${{{artifacts_bucket.title}}}/*"), Sub(f"${{{resources_bucket.title}}}/*") ], ), AWS.Statement(Effect=AWS.Allow, Action=[KMS.Encrypt, KMS.Decrypt, KMS.GenerateDataKey], Resource=[cmk.ref()]), ]) return iam.Role( resource_name(iam.Role, "CodeBuild"), AssumeRolePolicyDocument=assume_policy, Policies=[ iam.Policy(PolicyName=_policy_name("CodeBuild"), PolicyDocument=policy) ], )
def test_ref_can_be_requested(self): param = Parameter('title', Type='String') reference = param.ref() self.assertIsInstance(reference, Ref) self.assertDictEqual(reference.data, {'Ref': 'title'})
def _codepipeline_role(artifacts_bucket: Parameter, resources_bucket: Parameter, cmk: Parameter) -> iam.Role: """Construct a role for use by CodePipeline. :param artifacts_bucket: Artifacts bucket parameter :param resources_bucket: Resources bucket parameter :param cmk: KMS CMK parameter :return: Constructed Role """ assume_policy = AWS.PolicyDocument(Statement=[ AWS.Statement( Principal=AWS.Principal( "Service", make_service_domain_name(CODEPIPELINE.prefix)), Effect=AWS.Allow, Action=[STS.AssumeRole], ) ]) policy = AWS.PolicyDocument(Statement=[ AWS.Statement( Effect=AWS.Allow, Action=[S3.GetBucketVersioning, S3.PutBucketVersioning], Resource=[artifacts_bucket.ref(), resources_bucket.ref()], ), AWS.Statement( Effect=AWS.Allow, Action=[S3.GetObject, S3.PutObject], Resource=[ Sub(f"${{{artifacts_bucket.title}}}/*"), Sub(f"${{{resources_bucket.title}}}/*") ], ), AWS.Statement(Effect=AWS.Allow, Action=[KMS.Encrypt, KMS.Decrypt, KMS.GenerateDataKey], Resource=[cmk.ref()]), AWS.Statement( Effect=AWS.Allow, Action=[CLOUDWATCH.Action("*")], Resource=[ account_arn(service_prefix=CLOUDWATCH.prefix, resource="*") ], ), AWS.Statement( Effect=AWS.Allow, Action=[IAM.PassRole], Resource=[ account_arn(service_prefix=IAM.prefix, resource="role/*") ], ), AWS.Statement( Effect=AWS.Allow, Action=[LAMBDA.InvokeFunction, LAMBDA.ListFunctions], Resource=[account_arn(service_prefix=LAMBDA.prefix, resource="*")], ), AWS.Statement( Effect=AWS.Allow, Action=[ CLOUDFORMATION.CreateStack, CLOUDFORMATION.DeleteStack, CLOUDFORMATION.DescribeStacks, CLOUDFORMATION.UpdateStack, CLOUDFORMATION.CreateChangeSet, CLOUDFORMATION.DeleteChangeSet, CLOUDFORMATION.DescribeChangeSet, CLOUDFORMATION.ExecuteChangeSet, CLOUDFORMATION.SetStackPolicy, CLOUDFORMATION.ValidateTemplate, ], Resource=[ account_arn(service_prefix=CLOUDFORMATION.prefix, resource="*") ], ), AWS.Statement( Effect=AWS.Allow, Action=[CODEBUILD.BatchGetBuilds, CODEBUILD.StartBuild], Resource=[ account_arn(service_prefix=CODEBUILD.prefix, resource="*") ], ), ]) return iam.Role( resource_name(iam.Role, "CodePipeline"), AssumeRolePolicyDocument=assume_policy, Policies=[ iam.Policy(PolicyName=_policy_name("CodePipeline"), PolicyDocument=policy) ], )
def test_ref_can_be_requested(self): param = Parameter("title", Type="String") reference = param.ref() self.assertIsInstance(reference, Ref) self.assertDictEqual(reference.data, {"Ref": "title"})
def _lambda_environment(bucket_name: Parameter) -> awslambda.Environment: return awslambda.Environment(Variables=dict(S3_BUCKET=bucket_name.ref()))