(ns stepwise.iam
(:require [bean-dip.core :as bd]
[clojure.data.json :as json]
[stepwise.arns :as arns])
(:import (com.amazonaws.services.identitymanagement AmazonIdentityManagementClientBuilder
AmazonIdentityManagement)
(com.amazonaws.services.identitymanagement.model CreateRoleRequest
PutRolePolicyRequest
GetRoleRequest
GetRolePolicyRequest
NoSuchEntityException)
(com.amazonaws.regions DefaultAwsRegionProviderChain)))
;; Trust (assume-role) policy attached to the execution role: it lets the
;; Step Functions service principal call sts:AssumeRole on the role.
;; NOTE(review): the service principal is pinned to us-west-2, while the role
;; and policy names are derived from the runtime region (see get-role-name /
;; get-policy-name). A role created from another region would carry a trust
;; policy naming a different region's principal — confirm whether the
;; regional or the global `states` service principal is intended here.
(def assume-role-policy
  {"Version" "2012-10-17",
   "Statement" [{"Effect" "Allow",
                 "Principal" {"Service" "states.us-west-2.amazonaws.com"},
                 "Action" "sts:AssumeRole"}]})
;; Inline permissions policy written onto the execution role (see
;; execution-role-arn below). It is only written when no policy of that name
;; exists yet, so later edits to this map do not reach roles created by
;; earlier runs.
;; NOTE(review): the lambda:InvokeFunction and states:Describe/StopExecution
;; statements use "Resource" "*", i.e. every function / execution in the
;; account; scoping them to the resources the workflows actually use would
;; follow least privilege. The events rule ARN is pinned to us-west-2 whereas
;; the role name is region-derived — confirm this is intended for deployments
;; outside us-west-2. `arn:aws:states:*:*` has fewer segments than a state
;; machine ARN; confirm IAM matches it the way the nested-execution docs
;; describe.
(def execution-policy
  {"Version" "2012-10-17"
   "Statement" [; Permission to call Lambda functions
                {"Effect" "Allow"
                 "Action" ["lambda:InvokeFunction"]
                 "Resource" "*"}
                ; Permission to call another nested workflow execution
                ; Reference https://docs.aws.amazon.com/step-functions/latest/dg/stepfunctions-iam.html
                {"Effect" "Allow"
                 "Action" ["states:StartExecution"]
                 "Resource" "arn:aws:states:*:*"}
                {"Effect" "Allow"
                 "Action" ["states:DescribeExecution"
                           "states:StopExecution"]
                 "Resource" "*"}
                {"Effect" "Allow"
                 "Action" ["events:PutTargets"
                           "events:PutRule"
                           "events:DescribeRule"]
                 "Resource" "arn:aws:events:us-west-2:*:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule"}]})
;; Ask the compiler to warn on every interop call it has to resolve by
;; reflection; the ^AmazonIdentityManagement hint in execution-role-arn
;; exists so the IAM calls below do not trigger such warnings.
(set! *warn-on-reflection* true)
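(defn- policy->json
  "Serialises an IAM policy map with string keys (as in `assume-role-policy`
  and `execution-policy`) to the JSON document string the IAM API expects.
  Shared by the two bean-dip conversions below so both policy kinds are
  encoded the same way."
  [policy-document]
  (json/write-str policy-document))

;; bean-dip value conversions: presumably invoked when a request map carrying
;; one of these keys is translated into its Java request bean (see the
;; def-translation forms below); the policy map is replaced by its JSON text.
(defmethod bd/->bean-val ::policy-document [_ policy-document]
  (policy->json policy-document))

(defmethod bd/->bean-val ::assume-role-policy-document [_ policy-document]
  (policy->json policy-document))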
;; Declare the namespaced keys each IAM request bean accepts; these forms
;; provide the map->GetRoleRequest / map->CreateRoleRequest /
;; map->GetRolePolicyRequest / map->PutRolePolicyRequest constructors used in
;; execution-role-arn. The two ::*-policy-document keys go through the
;; bd/->bean-val conversions above, so callers pass policy maps, not JSON.
(bd/def-translation GetRoleRequest #{::role-name})
(bd/def-translation CreateRoleRequest #{::path ::role-name ::assume-role-policy-document})
(bd/def-translation GetRolePolicyRequest #{::role-name ::policy-name})
(bd/def-translation PutRolePolicyRequest #{::policy-document ::policy-name ::role-name})
;; IAM client, built on first deref rather than at namespace load — presumably
;; so that requiring this namespace does not touch AWS credentials or
;; configuration. `defaultClient` resolves credentials and region through the
;; SDK's default provider chains.
(def client
  (delay (AmazonIdentityManagementClientBuilder/defaultClient)))
;; Region name from the SDK's default region provider chain, again deferred
;; until first use. It is only consumed as a suffix of the role and policy
;; names (get-role-name / get-policy-name), not for the client's endpoint.
(def region
  (delay (.getRegion (DefaultAwsRegionProviderChain.))))
;; IAM path the execution role is created under; it is also passed to
;; arns/get-role-arn, so it must match the path used at creation time for
;; the locally derived ARN to be correct.
(def path "/service-role/")
(defn get-role-name
  "Name of the Step Functions execution role for the current region:
  a fixed prefix followed by the region name (constructed sample:
  \"StepwiseStatesExecutionRole-us-west-2\"). Derefs `region`, which may
  call into the SDK on first use."
  []
  (let [region-name @region]
    (str "StepwiseStatesExecutionRole-" region-name)))
(defn get-policy-name
  "Name of the inline policy written onto the execution role for the current
  region: a fixed prefix followed by the region name (constructed sample:
  \"StepwiseStatesExecutionPolicy-us-west-2\"). Derefs `region`."
  []
  (let [region-name @region]
    (str "StepwiseStatesExecutionPolicy-" region-name)))
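(defn- ensure-role!
  "Returns the IAM role named `role-name`, creating it under `path` with
  `assume-role-policy` as its trust policy when IAM reports it absent.
  Only NoSuchEntityException is handled; anything else (throttling, a missing
  iam:GetRole / iam:CreateRole permission, a failure from a concurrent
  creator) propagates to the caller."
  [^AmazonIdentityManagement iam role-name]
  (try
    (.getRole iam (map->GetRoleRequest {::role-name role-name}))
    (catch NoSuchEntityException _
      (.createRole iam (map->CreateRoleRequest {::path                        path
                                                ::role-name                   role-name
                                                ::assume-role-policy-document assume-role-policy})))))

(defn- ensure-role-policy!
  "Returns the inline policy `policy-name` of `role-name`, writing
  `execution-policy` under that name when none exists yet.
  Only the policy's *presence* is checked: an existing policy whose content
  differs from `execution-policy` is left untouched, so changes to the policy
  map do not reach roles set up by earlier runs."
  [^AmazonIdentityManagement iam role-name policy-name]
  (try
    (.getRolePolicy iam (map->GetRolePolicyRequest {::role-name   role-name
                                                    ::policy-name policy-name}))
    (catch NoSuchEntityException _
      (.putRolePolicy iam (map->PutRolePolicyRequest {::role-name       role-name
                                                      ::policy-name     policy-name
                                                      ::policy-document execution-policy})))))

(def execution-role-arn
  "Delayed ARN of the Step Functions execution role for the current region.
  Realising it makes the role and its inline policy exist (creating either
  when missing) and yields the ARN that arns/get-role-arn derives locally
  from `path` and the role name — no further IAM call is made.
  Being a delay, the IAM round-trips run at most once per process and the
  result is cached for the process lifetime.
  NOTE(review): IAM writes are eventually consistent, so a consumer that
  assumes a just-created role immediately may still see it as missing —
  confirm the caller tolerates a retry."
  (delay
    (let [role-name   (get-role-name)
          policy-name (get-policy-name)
          iam         ^AmazonIdentityManagement @client]
      (ensure-role! iam role-name)
      (ensure-role-policy! iam role-name policy-name)
      (arns/get-role-arn path role-name))))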
(defn ensure-execution-role
  "Forces `execution-role-arn`: on first call this makes sure the execution
  role and its inline policy exist (creating them when missing) and returns
  the role ARN; later calls return the cached ARN without touching IAM."
  []
  (force execution-role-arn))