- Fixed AWS principle when account ids start with zero

- Fixed DeploymentPipeline IAM Permissions - provision on CodeCommit will now display repository ssh clone URLs.
waterbear-cloud · Sep 16, 2021 · 389ceda · 389ceda
1 parent 1030544
commit 389ceda
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 15 deletions.
diff --git a/src/paco/cftemplates/iam_roles.py b/src/paco/cftemplates/iam_roles.py
@@ -233,7 +233,7 @@ def __init__(
               AWS:"""
                 for aws_item in role_config.assume_role_policy.aws:
                     principal_yaml += """
-                - """ + aws_item
+                - '""" + aws_item + "'"
         else:
             pass
         iam_role_table['assume_role_principal'] = principal_yaml

diff --git a/src/paco/cftemplates/iam_user_account_delegates.py b/src/paco/cftemplates/iam_user_account_delegates.py
@@ -149,7 +149,8 @@ def deployment_pipeline_codepipeline_permissions(self, pipeline_list, assume_rol
         statement_list = []
 
         list_pipelines_actions = [
-            Action('codepipeline', 'ListPipelines')
+            Action('codepipeline', 'ListPipelines'),
+            Action('codepipeline', 'ListPipelineExecutions')
         ]
         readonly_actions = [
             Action('codepipeline', 'GetPipeline'),
@@ -160,7 +161,8 @@ def deployment_pipeline_codepipeline_permissions(self, pipeline_list, assume_rol
             Action('codepipeline', 'ListActionTypes'),
             Action('codepipeline', 'ListTagsForResource'),
             Action('codepipeline', 'StartPipelineExecution'),
-            Action('codepipeline', 'StopPipelineExecution')
+            Action('codepipeline', 'StopPipelineExecution'),
+            Action('codebuild', 'ListProjects')
         ]
         retrystages_actions = [
             Action('codepipeline', 'RetryStageExecution')
@@ -197,6 +199,17 @@ def deployment_pipeline_codepipeline_permissions(self, pipeline_list, assume_rol
                 )
             )
 
+        managed_policy_res = troposphere.iam.ManagedPolicy(
+            title=self.create_cfn_logical_id("CodePipelineReadPolicy"),
+            PolicyDocument=PolicyDocument(
+                Version="2012-10-17",
+                Statement=statement_list
+            ),
+            Roles=[ troposphere.Ref(assume_role_res) ]
+        )
+        self.template.add_resource(managed_policy_res)
+
+        statement_list = []
         if pipeline_ctx['permission'].find('RetryStages') != -1:
             statement_list.append(
                 Statement(
@@ -207,17 +220,15 @@ def deployment_pipeline_codepipeline_permissions(self, pipeline_list, assume_rol
                 )
             )
 
-
-
-        managed_policy_res = troposphere.iam.ManagedPolicy(
-            title=self.create_cfn_logical_id("CodePipelinePolicy"),
-            PolicyDocument=PolicyDocument(
-                Version="2012-10-17",
-                Statement=statement_list
-            ),
-            Roles=[ troposphere.Ref(assume_role_res) ]
-        )
-        self.template.add_resource(managed_policy_res)
+            managed_policy_res = troposphere.iam.ManagedPolicy(
+                title=self.create_cfn_logical_id("CodePipelineRetryStagesPolicy"),
+                PolicyDocument=PolicyDocument(
+                    Version="2012-10-17",
+                    Statement=statement_list
+                ),
+                Roles=[ troposphere.Ref(assume_role_res) ]
+            )
+            self.template.add_resource(managed_policy_res)
 
     def deployment_pipeline_codebuild_permissions(self, pipeline_list, assume_role_res):
         statement_list = []
@@ -281,7 +292,6 @@ def set_codebuild_permissions(self, readonly_codebuild_arns, assume_role_res, po
             Action('events', 'DescribeRule'),
             Action('events', 'ListTargetsByRule'),
             Action('events', 'ListRuleNamesByTarget'),
-            Action('logs', 'GetLogEvents')
         ]
         if len(readonly_codebuild_arns) > 0:
             statement_list.append(
@@ -292,6 +302,27 @@ def set_codebuild_permissions(self, readonly_codebuild_arns, assume_role_res, po
                     Resource=readonly_codebuild_arns
                 )
             )
+            statement_list.append(
+                Statement(
+                    Sid='CodeBuildLogStreamsReadOnly',
+                    Effect=Allow,
+                    Action=[
+                        Action('logs', 'GetLogEvents'),
+                        Action('logs', 'DescribeLogStreams')
+                    ],
+                    Resource=[f'arn:aws:logs:{self.aws_region}:{self.account_id}:log-group:/aws/codebuild/*']
+                )
+            )
+            statement_list.append(
+                Statement(
+                    Sid='CodeBuildLogGroupsReadOnly',
+                    Effect=Allow,
+                    Action=[
+                        Action('logs', 'DescribeLogGroups')
+                    ],
+                    Resource=[f'*']
+                )
+            )
 
         managed_policy_res = troposphere.iam.ManagedPolicy(
             title=self.create_cfn_logical_id_join([policy_id, "CodeBuildPolicy"]),

diff --git a/src/paco/stack_grps/grp_codecommit.py b/src/paco/stack_grps/grp_codecommit.py
@@ -115,6 +115,7 @@ def codecommit_post_stack_hook(self, hook, config):
             for repo_config in repo_group.values():
                 if self.paco_ctx.get_ref(repo_config.account+'.name') != self.account_ctx.get_name():
                     continue
+                print(f'repository clone: {repo_config.repository_name}: git clone ssh://git-codecommit.{repo_config.region}.amazonaws.com/v1/repos/{repo_config.repository_name}')
                 if repo_config.users != None:
                     for user_config in repo_config.users.values():
                         if user_config.public_ssh_key != None and user_config.username not in user_done.keys():