def create_role(self):
    """Add the Firehose delivery IAM role to ``self.template`` and export it.

    Side effects: stores the added troposphere ``iam.Role`` on ``self.role``
    and registers two stack outputs -- ``RoleName`` (the ``Ref`` of the role,
    i.e. its generated name) and ``RoleArn`` (its ``Arn`` attribute).

    The trust policy is whatever ``make_simple_assume_policy`` builds for the
    ``firehose.amazonaws.com`` service principal, and the role's permissions
    are the inline policy returned by ``self.generate_iam_policy()`` (both
    defined elsewhere).

    NOTE(review): if ``make_simple_assume_policy`` does not add an
    ``aws:SourceAccount`` / ``aws:SourceArn`` condition, the trust is not
    scoped to this account's delivery streams (the cross-service
    confused-deputy case AWS documents for Firehose) -- confirm against that
    helper before relying on this role for anything sensitive.
    """
    template = self.template

    trust_policy = make_simple_assume_policy("firehose.amazonaws.com")
    role = iam.Role(
        ROLE,
        AssumeRolePolicyDocument=trust_policy,
        Path="/",
        Policies=[self.generate_iam_policy()],
    )
    self.role = template.add_resource(role)

    # Export both the name and the ARN so downstream stacks can pick either.
    for output_name, value in (
        ("RoleName", Ref(self.role)),
        ("RoleArn", GetAtt(self.role, "Arn")),
    ):
        template.add_output(Output(output_name, Value=value))
)
# codecommit_repo_users ManagedPolicies
managed_policy_arns = []
for user_ref in action_config.codecommit_repo_users:
user = get_model_obj_from_ref(user_ref, self.paco_ctx.project)
# codecommit_stack = user.__parent__.__parent__.__parent__.stack
user_logical_id = self.gen_cf_logical_name(user.username)
codecommit_user_policy_param = self.create_cfn_parameter(
param_type='String',
name='CodeCommitUserPolicy' + user_logical_id,
description='The CodeCommit User Policy for ' + user.username,
value=user_ref + '.policy.arn',
)
managed_policy_arns.append(troposphere.Ref(codecommit_user_policy_param))
project_role_res = troposphere.iam.Role(
title='CodeBuildProjectRole',
template=template,
RoleName=self.project_role_name,
ManagedPolicyArns=managed_policy_arns,
AssumeRolePolicyDocument=PolicyDocument(
Version="2012-10-17",
Statement=[
Statement(
Effect=Allow,
Action=[ AssumeRole ],
Principal=Principal("Service", ['codebuild.amazonaws.com']),
)
]
)
)
template.add_description("Example API Gateway with Lambda as backend")

# Where the packaged Lambda code lives in S3: the bucket name and the object
# key of the deployment ZIP. Both are plain String parameters.
# NOTE(review): neither parameter carries an AllowedPattern or length
# constraint, so CloudFormation accepts any string here; the values are only
# checked when the Lambda resource that consumes them is created.
source_bucket_param = Parameter(
    "LambdaSourceBucket",
    Type="String",
    Description="Name of the bucket where lambda function sources is stored",
)
param_lambda_source_bucket = template.add_parameter(source_bucket_param)

zip_key_param = Parameter(
    "LambdaFileName",
    Type="String",
    Description="Name of the ZIP file with lambda function sources inside S3 bucket",
)
param_lambda_file_name = template.add_parameter(zip_key_param)
lambda_role = template.add_resource(iam.Role(
"LambaRole",
AssumeRolePolicyDocument=aws.Policy(
Statement=[
aws.Statement(
Effect=aws.Allow,
Action=[sts.AssumeRole],
Principal=aws.Principal(
"Service", ["lambda.amazonaws.com"]
)
)
]
),
Policies=[
iam.Policy(
PolicyName="LambdaPolicy",
PolicyDocument=aws.Policy(
def add_helpers(template):
"""
Add helper resources to the template
This only needs to be called manually if for some reason the monkey patching doesn't work.
"""
if LAMBDA_ROLE not in template.resources:
template.add_resource(
iam.Role(
LAMBDA_ROLE,
AssumeRolePolicyDocument=PolicyDocument(
Version='2012-10-17',
Statement=[
Statement(
Effect=Allow,
Action=[Action('sts', 'AssumeRole')],
Principal=Principal('Service', 'lambda.amazonaws.com'),
)
],
),
ManagedPolicyArns=[
'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole',
'arn:aws:iam::aws:policy/service-role/AWSLambdaRole',
],
Policies=[
def add_state_machine_role(template: troposphere.Template,
function: troposphere.awslambda.Function) -> troposphere.iam.Role:
role = troposphere.iam.Role(
"StateMachineRole", template,
AssumeRolePolicyDocument={
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"states.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
],
Default="0.1"
))
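withSpotPrice = "WithSpotPrice"
# Condition is true whenever the `spot` parameter is anything other than the
# string "0"; presumably "0" means "no spot price / on-demand only" -- confirm
# against the parameter definition above.
template.add_condition(withSpotPrice, Not(Equals(Ref(spot), "0")))

gcTimeRatio = template.add_parameter(Parameter(
    "GcTimeRatioValue",
    Description="Hadoop name node garbage collector time ratio",
    Type=NUMBER,
    Default="19"
))

# IAM roles required by EMR.
# Service role assumed by the EMR control plane (elasticmapreduce.amazonaws.com).
# Its permissions come entirely from the AWS-managed AmazonElasticMapReduceRole
# policy, whose scope is defined by AWS rather than by this template.
emr_service_role = template.add_resource(iam.Role(
    'EMRServiceRole',
    AssumeRolePolicyDocument={
        # State the policy-language version explicitly: a trust policy without
        # a "Version" element is evaluated under the legacy 2008-10-17 grammar,
        # and AWS recommends always pinning 2012-10-17.
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "elasticmapreduce.amazonaws.com"
                ]
            },
            "Action": ["sts:AssumeRole"]
            # NOTE(review): there is no aws:SourceAccount / aws:SourceArn
            # Condition, so the trust is not scoped to this account's clusters
            # (AWS's cross-service confused-deputy guidance recommends adding
            # one). Left unchanged here; revisit when hardening this stack.
        }]
    },
    ManagedPolicyArns=[
        'arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole'
    ]
))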
method_id = 'ApiGatewayMethod' + self.create_cfn_logical_id(method.name)
method.logical_id = method_id
cfn_export_dict = method.cfn_export_dict
for resource in self.apigatewayrestapi.resources.values():
if resource.name == method.resource_id:
cfn_export_dict["ResourceId"] = troposphere.Ref(resource.resource)
if 'ResourceId' not in cfn_export_dict:
cfn_export_dict["ResourceId"] = troposphere.GetAtt(restapi_resource, 'RootResourceId')
cfn_export_dict["RestApiId"] = troposphere.Ref(restapi_resource)
uri = troposphere.Join('', ["arn:aws:apigateway:", method.region_name, ":lambda:path/2015-03-31/functions/", method.parameter_arn_ref, "/invocations"])
cfn_export_dict["Integration"]["Uri"] = uri
if method.integration.integration_type == 'AWS_PROXY':
# IAM Role - allows API Gateway to invoke Lambda
# ToDo: enable Api Gateway to invoke things other than Lambda ...
iam_role_resource = troposphere.iam.Role(
self.create_cfn_logical_id('ApiGatewayIamRole' + self.apigatewayrestapi.name + method.name),
Path='/',
AssumeRolePolicyDocument=Policy(
Version='2012-10-17',
Statement=[
Statement(
Effect=Allow,
Action=[awacs.sts.AssumeRole],
Principal=Principal('Service',['apigateway.amazonaws.com'])
)
],
),
Policies=[
troposphere.iam.Policy(
PolicyName=self.create_cfn_logical_id('LambdaAccessApiGateway' + self.apigatewayrestapi.name + method.name),
PolicyDocument=Policy(
CLOUDFORMATION.DeleteStack,
CLOUDFORMATION.DescribeStacks,
CLOUDFORMATION.UpdateStack,
CLOUDFORMATION.CreateChangeSet,
CLOUDFORMATION.DeleteChangeSet,
CLOUDFORMATION.DescribeChangeSet,
CLOUDFORMATION.ExecuteChangeSet,
CLOUDFORMATION.SetStackPolicy,
CLOUDFORMATION.ValidateTemplate,
]
),
AllowEverywhere(Action=[CODEBUILD.BatchGetBuilds, CODEBUILD.StartBuild]),
]
),
)
return iam.Role(
"CodePipelinesRole", AssumeRolePolicyDocument=_service_assume_role(CODEPIPELINE.prefix), Policies=[policy]
)