

feat(hamlet): add permissions extensions
roleyfoley committed Jan 30, 2021
1 parent 2a151a4 commit 4c68e0c
Showing 5 changed files with 128 additions and 58 deletions.
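--- a/hamlet/s3support/extensions/s3_inventory_copy_batch/extension.ftl
+++ b/hamlet/s3support/extensions/s3_inventory_copy_batch/extension.ftl
@@ -0,0 +1,34 @@
+[#ftl]
+
+[@addExtension
+id="s3_inventory_copy_batch"
+aliases=[
+"_s3_inventory_copy_batch"
+]
+description=[
+"Configures the s3 batch lambda"
+]
+supportedTypes=[
+LAMBDA_COMPONENT_TYPE,
+LAMBDA_FUNCTION_COMPONENT_TYPE
+]
+/]
+
+[#macro shared_extension_s3_inventory_copy_batch_deployment_setup occurrence ]
+
+[@Settings
+[
+"DESTINATION_BUCKET_NAME"
+] +
+valueIfContent(
+[ "S3_DESTINATION_PREFIX" ],
+(_context.DefaultEnvironment["S3_DESTINATION_PREFIX"])!"",
+[]
+) +
+valueIfContent(
+[ "S3_DESTINATION_SUFFIX" ],
+(_context.DefaultEnvironment["S3_DESTINATION_SUFFIX"])!"",
+[]
+)
+/]
+[/#macro]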
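Review bot: The `[@Settings` call is the entire body of `shared_extension_s3_inventory_copy_batch_deployment_setup` and has no comment saying why `DESTINATION_BUCKET_NAME` is always listed while `S3_DESTINATION_PREFIX` and `S3_DESTINATION_SUFFIX` go through `valueIfContent` with an empty-list fallback. A one-line comment above it, e.g. `[#-- Destination bucket is mandatory; the prefix/suffix settings are only exposed when the module supplies a value, otherwise they appear to be dropped via the [] fallback --]`, would match the inline documentation style of the sibling `s3_inventory_copy_event` extension in this commit. Where `DESTINATION_BUCKET_NAME` originates (presumably the `DESTINATION_BUCKET` link renamed in module.ftl) is not visible here, so confirm that before naming it in the comment.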
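--- a/hamlet/s3support/extensions/s3_inventory_copy_event/extension.ftl
+++ b/hamlet/s3support/extensions/s3_inventory_copy_event/extension.ftl
@@ -0,0 +1,61 @@
+[#ftl]
+
+[@addExtension
+id="s3_inventory_copy_event"
+aliases=[
+"_s3_inventory_copy_event"
+]
+description=[
+"Configures the s3 event lambda with batch permissions"
+]
+supportedTypes=[
+LAMBDA_COMPONENT_TYPE,
+LAMBDA_FUNCTION_COMPONENT_TYPE
+]
+/]
+
+[#macro shared_extension_s3_inventory_copy_event_deployment_setup occurrence ]
+
+[#-- When submitting an s3 batch we need to give batch an IAM role which allows it to access the source and invoke the lambda --]
+[#-- This creates a new role using the same links as the lambda but with a different trust --]
+[@includeServicesConfiguration
+provider=AWS_PROVIDER
+services=AWS_IDENTITY_SERVICE
+deploymentFramework=CLOUD_FORMATION_DEPLOYMENT_FRAMEWORK
+/]
+
+[#local s3BatchRoleId = formatResourceId(AWS_IAM_ROLE_RESOURCE_TYPE, occurrence.Core.Id, "s3", "batchoperations") ]
+[#local s3BatchPolicies = getLinkTargetsOutboundRoles(_context.Links) ]
+
+[#if deploymentSubsetRequired("iam", true) &&
+isPartOfCurrentDeploymentUnit(s3BatchRoleId)]
+[@createRole
+id=s3BatchRoleId
+trustedServices=[
+"batchoperations.s3.amazonaws.com"
+]
+policies=[getPolicyDocument(s3BatchPolicies, "links")]
+/]
+[/#if]
+
+[@ContextSetting
+name="S3_BATCH_ROLE_ARN"
+value=getReference(s3BatchRoleId, ARN_ATTRIBUTE_TYPE)
+/]
+
+[#-- Allow the S3 event function to pass the IAM role to s3 batch --]
+[@Policy
+iamPassRolePermission(
+[
+getReference(s3BatchRoleId, ARN_ATTRIBUTE_TYPE)
+]
+)
+/]
+
+[@Settings
+[
+"S3_BATCH_JOB_LAMBDA_ARN",
+"S3_BATCH_PRIORITY"
+]
+/]
+[/#macro]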
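Review bot: The role created with `trustedServices=["batchoperations.s3.amazonaws.com"]` has no condition limiting which account's S3 Batch Operations jobs may assume it; the usual hardening for this service principal is an `aws:SourceAccount` condition (plus `aws:SourceArn` where the job ARN is known) in the trust policy, so the role is only assumable on behalf of this account's jobs. If `createRole` offers a way to attach trust conditions, add one here; if it does not, record the gap next to the call with `[#-- TODO: trust policy has no aws:SourceAccount/aws:SourceArn condition; tighten once createRole supports trust conditions --]`. The `iamPassRolePermission` grant is correctly pinned to the single role ARN, and could be narrowed further with an `iam:PassedToService` condition if the helper supports it. Note also that `s3BatchPolicies` is built from all of the function's outbound links (`getLinkTargetsOutboundRoles(_context.Links)`), so the batch role appears to inherit every link permission of the event lambda rather than only read access to the source and invoke on the job function; the comment above documents the choice, but it is worth confirming that scope is intended.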

This file was deleted.

46 changes: 31 additions & 15 deletions hamlet/s3support/modules/s3_inventory_copy/module.ftl
Expand Up @@ -42,7 +42,7 @@
"Default" : "s3_inventory_copy/"
},
{
"Names" : "soucrceBucketLink",
"Names" : "sourceBucketLink",
"Description" : "A link to the source s3 bucket which will trigger the copy",
"Children" : linkChildrenConfiguration
}
Expand All @@ -55,7 +55,7 @@
"Names" : "s3InventoryProfileSuffix",
"Description" : "The suffix ( added to the id ) for the deployment profile which configures the userpool client",
"Type" : STRING_TYPE,
"Default" : "_cognitoqs"
"Default" : "_s3inventorycopy"
},
{
"Names" : "lambdaImageUrl",
Expand All @@ -67,7 +67,7 @@
"Names" : "lambdaImageHash",
"Description" : "The sha1 hash of the lambda zip image",
"Type" : STRING_TYPE,
"Default" : "4ecc2684e18be6ad91b704cf211b074919314144"
"Default" : "3a32ca21b1b5d4331718b508c67cd931784cb33c"
},
{
"Names" : "batchPriorty",
Expand All @@ -83,8 +83,11 @@
id
tier
instance
sourceBucketLink
destinationBucketLink
s3KeyPrefix
s3KeySuffix
s3InventoryPrefix
s3InventoryProfileSuffix
lambdaImageUrl
lambdaImageHash
Expand All @@ -98,25 +101,38 @@
[#local namespace = formatName(product["Name"], environment["Name"], segment["Name"])]

[#local lambdaId = formatName(id, "lambda") ]
[#local lambdaSettingsNamespace = formatName(namespace, tier, lambdaId, instance)]

[#local s3EventSettingsNamespace = formatName(namespace, tier, id, instance, "s3event")]
[#local s3BatchSettingsNamespace = formatName(namespace, tier, id, instance, "s3batch")]

[#-- Lambda Configuration --]
[@loadModule
settingSets=[
{
"Type" : "Settings",
"Scope" : "Products",
"Namespace" : lambdaSettingsNamespace,
"Namespace" : s3EventSettingsNamespace,
"Settings" : {
"S3_DESTINATION_PREFIX" : s3KeyPrefix,
"S3_DESTINATION_SUFFIX" : s3KeySuffix,
"S3_BATCH_PRIORITY" : batchPriorty
}
}
]
/]

[@loadModule
settingSets=[
{
"Type" : "Settings",
"Scope" : "Products",
"Namespace" : s3BatchSettingsNamespace,
"Settings" : {
"S3_DESTINATION_PREFIX" : s3KeyPrefix,
"S3_DESTINATION_SUFFIX" : s3KeySuffix
}
}
]
/]

[#-- Solution Configuration --]
[@loadModule
blueprint={
Expand All @@ -134,15 +150,15 @@
"ImageHash" : lambdaImageHash
}
},
"RunTime": "python3.6,
"RunTime": "python3.8",
"MemorySize": 128,
"PredefineLogGroup": true,
"VPCAccess": false,
"Timeout": 10
"Timeout": 10,
"Functions": {
"s3event": {
"Handler": "src/lambda.s3event_lambda_handler",
"Extensions": [ "_noenv" ],
"Extensions": [ "_noenv", "_s3_inventory_copy_event" ],
"Links" : {
"S3_BATCH_JOB_LAMBDA" : {
"Tier" : tier,
Expand All @@ -153,22 +169,22 @@
"Role" : "invoke"
},
"S3_SOURCE" :
soucrceBucketLink +
sourceBucketLink +
{
"Role" : "consume"
}
}
},
"s3batch": {
"Handler": "src/lambda.s3batch_lambda_handler",
"Extensions": [ "_noenv" ],
"Extensions": [ "_noenv", "_s3_inventory_copy_batch" ],
"Links" : {
"S3_SOURCE" :
soucrceBucketLink +
"SOURCE_BUCKET" :
sourceBucketLink +
{
"Role" : "consume"
},
"s3_DESTINATION" :
"DESTINATION_BUCKET" :
destinationBucketLink +
{
"Role" : "produce"
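Review bot: In the `@@ -98,25 +101,38 @@` hunk the `s3EventSettingsNamespace` settings set carries `S3_DESTINATION_PREFIX` and `S3_DESTINATION_SUFFIX` that the `s3BatchSettingsNamespace` set also defines, while the new `_s3_inventory_copy_event` extension only surfaces `S3_BATCH_JOB_LAMBDA_ARN` and `S3_BATCH_PRIORITY` and the batch extension is the one that reads the prefix/suffix. If the event function does not consume them, dropping the two keys from the s3event set keeps each function's settings to what it actually uses; if it does, a short comment above the first `[@loadModule` explaining why both namespaces carry them would help. The added line `"S3_BATCH_PRIORITY" : batchPriorty` also carries forward the misspelled parameter name `batchPriorty`; since this commit already fixes `soucrceBucketLink`, the same treatment seems consistent, bearing in mind the parameter name is user-facing module configuration and may need a compatible alias. The final hunk of this file (`@@ -153,22 +169,22 @@`) runs past the end of the shown section.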
2 changes: 2 additions & 0 deletions hamlet/s3support/provider.ftl
@@ -1 +1,3 @@
[#ftl]

[#assign S3SUPPORT_PROVIDER = "s3support" ]
