From b886c52a8996afe3286a7a8fba5258092d94e402 Mon Sep 17 00:00:00 2001 From: Clark Schneider Date: Tue, 3 May 2022 22:57:44 +0000 Subject: [PATCH] Issue # Get*, List* for all services with a cloudcontrol provisionable resource required fro cloudcontrol.get_resource()
--- stacks/control_broker_stack.py | 301 ++++++++++++++++++ .../pac_evaluation_router/lambda_function.py | 2 +- 2 files changed, 302 insertions(+), 1 deletion(-)
diff --git a/stacks/control_broker_stack.py b/stacks/control_broker_stack.py
index 9e8a1abd..ddae0167 100644
--- a/stacks/control_broker_stack.py
+++ b/stacks/control_broker_stack.py
@@ -224,6 +224,18 @@ def deploy_inner_sfn_lambdas(self):
 aws_iam.PolicyStatement(
 actions=[
 "cloudformation:ValidateTemplate",
+ "cloudformation:DescribeType",
+ "cloudformation:Get*", #FIXME
+ "cloudformation:Describe*", #FIXME
+ ],
+ resources=["*"],
+ )
+ )
+ self.lambda_pac_evaluation_router.role.add_to_policy(
+ aws_iam.PolicyStatement(
+ actions=[
+ "cloudcontrol:GetResource",
+ "cloudcontrol:*", #FIXME
 ],
 resources=["*"],
 )
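Review bot: `"cloudcontrol:*", #FIXME` on `resources=["*"]` grants the router Lambda's role CreateResource, UpdateResource and DeleteResource for every Cloud Control-supported type in the account, while the commit message says only `cloudcontrol.get_resource()` is needed; a `#FIXME` wildcard like that should not ship. Keep `"cloudcontrol:GetResource"` and delete the `"cloudcontrol:*", #FIXME` line. In the first statement, `"cloudformation:DescribeType"` is the specific read the change adds, and the `"cloudformation:Get*", #FIXME` / `"cloudformation:Describe*", #FIXME` lines widen it to, for example, GetTemplate on every stack — drop them unless a call in the router demonstrably needs them, and if a broader set is still wanted during development, bound it with a resource ARN pattern rather than a service-wide wildcard. The enclosing `deploy_inner_sfn_lambdas` starts outside this hunk.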
@@ -238,6 +250,295 @@ def deploy_inner_sfn_lambdas(self):
 ],
 )
 )
+ self.lambda_pac_evaluation_router.role.add_to_policy(
+ aws_iam.PolicyStatement(
+ # Get*, List* for all services with a cloudcontrol provisionable resource
+ # required fro cloudcontrol.get_resource()
+ actions=[
+ "acmpca:Get*",
+ "acmpca:List*",
+ "aps:Get*",
+ "aps:List*",
+ "accessanalyzer:Get*",
+ "accessanalyzer:List*",
+ "amplify:Get*",
+ "amplify:List*",
+ "amplifyuibuilder:Get*",
+ "amplifyuibuilder:List*",
+ "apigateway:Get*",
+ "apigateway:List*",
+ "appflow:Get*",
+ "appflow:List*",
+ "appintegrations:Get*",
+ "appintegrations:List*",
+ "apprunner:Get*",
+ "apprunner:List*",
+ "appstream:Get*",
+ "appstream:List*",
+ "appsync:Get*",
+ "appsync:List*",
+ "applicationinsights:Get*",
+ "applicationinsights:List*",
+ "athena:Get*",
+ "athena:List*",
+ "auditmanager:Get*",
+ "auditmanager:List*",
+ "autoscaling:Get*",
+ "autoscaling:List*",
+ "backup:Get*",
+ "backup:List*",
+ "batch:Get*",
+ "batch:List*",
+ "budgets:Get*",
+ "budgets:List*",
+ "ce:Get*",
+ "ce:List*",
+ "cur:Get*",
+ "cur:List*",
+ "cassandra:Get*",
+ "cassandra:List*",
+ "certificatemanager:Get*",
+ "certificatemanager:List*",
+ "chatbot:Get*",
+ "chatbot:List*",
+ "cloudformation:Get*",
+ "cloudformation:List*",
+ "cloudfront:Get*",
+ "cloudfront:List*",
+ "cloudtrail:Get*",
+ "cloudtrail:List*",
+ "cloudwatch:Get*",
+ "cloudwatch:List*",
+ "codeartifact:Get*",
+ "codeartifact:List*",
+ "codeguruprofiler:Get*",
+ "codeguruprofiler:List*",
+ "codegurureviewer:Get*",
+ "codegurureviewer:List*",
+ "codestarconnections:Get*",
+ "codestarconnections:List*",
+ "codestarnotifications:Get*",
+ "codestarnotifications:List*",
+ "config:Get*",
+ "config:List*",
+ "connect:Get*",
+ "connect:List*",
+ "customerprofiles:Get*",
+ "customerprofiles:List*",
+ "databrew:Get*",
+ "databrew:List*",
+ "datasync:Get*",
+ "datasync:List*",
+ "detective:Get*",
+ "detective:List*",
+ "devopsguru:Get*",
+ "devopsguru:List*",
+ "devicefarm:Get*",
+ "devicefarm:List*",
+ "dynamodb:Get*",
+ "dynamodb:List*",
+ "ec2:Get*",
+ "ec2:List*",
+ "ecr:Get*",
+ "ecr:List*",
+ "ecs:Get*",
+ "ecs:List*",
+ "efs:Get*",
+ "efs:List*",
+ "eks:Get*",
+ "eks:List*",
+ "emr:Get*",
+ "emr:List*",
+ "emrcontainers:Get*",
+ "emrcontainers:List*",
+ "elasticache:Get*",
+ "elasticache:List*",
+ "elasticloadbalancingv2:Get*",
+ "elasticloadbalancingv2:List*",
+ "eventschemas:Get*",
+ "eventschemas:List*",
+ "events:Get*",
+ "events:List*",
+ "evidently:Get*",
+ "evidently:List*",
+ "fis:Get*",
+ "fis:List*",
+ "fms:Get*",
+ "fms:List*",
+ "finspace:Get*",
+ "finspace:List*",
+ "forecast:Get*",
+ "forecast:List*",
+ "frauddetector:Get*",
+ "frauddetector:List*",
+ "gamelift:Get*",
+ "gamelift:List*",
+ "globalaccelerator:Get*",
+ "globalaccelerator:List*",
+ "glue:Get*",
+ "glue:List*",
+ "greengrassv2:Get*",
+ "greengrassv2:List*",
+ "groundstation:Get*",
+ "groundstation:List*",
+ "healthlake:Get*",
+ "healthlake:List*",
+ "iam:Get*",
+ "iam:List*",
+ "ivs:Get*",
+ "ivs:List*",
+ "imagebuilder:Get*",
+ "imagebuilder:List*",
+ "inspector:Get*",
+ "inspector:List*",
+ "inspectorv2:Get*",
+ "inspectorv2:List*",
+ "iot:Get*",
+ "iot:List*",
+ "iotanalytics:Get*",
+ "iotanalytics:List*",
+ "iotcoredeviceadvisor:Get*",
+ "iotcoredeviceadvisor:List*",
+ "iotevents:Get*",
+ "iotevents:List*",
+ "iotfleethub:Get*",
+ "iotfleethub:List*",
+ "iotsitewise:Get*",
+ "iotsitewise:List*",
+ "iotwireless:Get*",
+ "iotwireless:List*",
+ "kms:Get*",
+ "kms:List*",
+ "kafkaconnect:Get*",
+ "kafkaconnect:List*",
+ "kendra:Get*",
+ "kendra:List*",
+ "kinesis:Get*",
+ "kinesis:List*",
+ "kinesisfirehose:Get*",
+ "kinesisfirehose:List*",
+ "kinesisvideo:Get*",
+ "kinesisvideo:List*",
+ "lambda:Get*",
+ "lambda:List*",
+ "lex:Get*",
+ "lex:List*",
+ "licensemanager:Get*",
+ "licensemanager:List*",
+ "lightsail:Get*",
+ "lightsail:List*",
+ "location:Get*",
+ "location:List*",
+ "logs:Get*",
+ "logs:List*",
+ "lookoutequipment:Get*",
+ "lookoutequipment:List*",
+ "lookoutmetrics:Get*",
+ "lookoutmetrics:List*",
+ "lookoutvision:Get*",
+ "lookoutvision:List*",
+ "msk:Get*",
+ "msk:List*",
+ "mwaa:Get*",
+ "mwaa:List*",
+ "macie:Get*",
+ "macie:List*",
+ "mediaconnect:Get*",
+ "mediaconnect:List*",
+ "mediapackage:Get*",
+ "mediapackage:List*",
+ "memorydb:Get*",
+ "memorydb:List*",
+ "networkfirewall:Get*",
+ "networkfirewall:List*",
+ "networkmanager:Get*",
+ "networkmanager:List*",
+ "nimblestudio:Get*",
+ "nimblestudio:List*",
+ "opensearchservice:Get*",
+ "opensearchservice:List*",
+ "opsworkscm:Get*",
+ "opsworkscm:List*",
+ "panorama:Get*",
+ "panorama:List*",
+ "personalize:Get*",
+ "personalize:List*",
+ "pinpoint:Get*",
+ "pinpoint:List*",
+ "qldb:Get*",
+ "qldb:List*",
+ "quicksight:Get*",
+ "quicksight:List*",
+ "rds:Get*",
+ "rds:List*",
+ "rum:Get*",
+ "rum:List*",
+ "redshift:Get*",
+ "redshift:List*",
+ "refactorspaces:Get*",
+ "refactorspaces:List*",
+ "rekognition:Get*",
+ "rekognition:List*",
+ "resiliencehub:Get*",
+ "resiliencehub:List*",
+ "resourcegroups:Get*",
+ "resourcegroups:List*",
+ "robomaker:Get*",
+ "robomaker:List*",
+ "route53:Get*",
+ "route53:List*",
+ "route53recoverycontrol:Get*",
+ "route53recoverycontrol:List*",
+ "route53recoveryreadiness:Get*",
+ "route53recoveryreadiness:List*",
+ "route53resolver:Get*",
+ "route53resolver:List*",
+ "s3:Get*",
+ "s3:List*",
+ "s3objectlambda:Get*",
+ "s3objectlambda:List*",
+ "s3outposts:Get*",
+ "s3outposts:List*",
+ "ses:Get*",
+ "ses:List*",
+ "sqs:Get*",
+ "sqs:List*",
+ "ssm:Get*",
+ "ssm:List*",
+ "ssmcontacts:Get*",
+ "ssmcontacts:List*",
+ "ssmincidents:Get*",
+ "ssmincidents:List*",
+ "sso:Get*",
+ "sso:List*",
+ "sagemaker:Get*",
+ "sagemaker:List*",
+ "servicecatalog:Get*",
+ "servicecatalog:List*",
+ "servicecatalogappregistry:Get*",
+ "servicecatalogappregistry:List*",
+ "signer:Get*",
+ "signer:List*",
+ "stepfunctions:Get*",
+ "stepfunctions:List*",
+ "synthetics:Get*",
+ "synthetics:List*",
+ "timestream:Get*",
+ "timestream:List*",
+ "transfer:Get*",
+ "transfer:List*",
+ "wafv2:Get*",
+ "wafv2:List*",
+ "wisdom:Get*",
+ "wisdom:List*",
+ "workspaces:Get*",
+ "workspaces:List*",
+ "xray:Get*",
+ "xray:List*",
+ ],
+ resources=["*"],
+ )
+ )
 # InputType CloudFormation - PaCFramework OPA - PythonSubprocess
diff --git a/supplementary_files/lambdas/pac_evaluation_router/lambda_function.py b/supplementary_files/lambdas/pac_evaluation_router/lambda_function.py
index 8ecc092e..6dd1fd29 100644
--- a/supplementary_files/lambdas/pac_evaluation_router/lambda_function.py
+++ b/supplementary_files/lambdas/pac_evaluation_router/lambda_function.py
@@ -151,7 +151,7 @@ def parse_config_event(self):
 print(f'resource_configuration_keys:\n{resource_configuration_keys}')
 self.resource_id = configuration_item['resourceId']
- print(f'resource_id:\n{self.resource_type}')
+ print(f'resource_id:\n{self.resource_id}')
 def get_converted_cloudformation(self):
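Review bot: The `Get*`/`List*` wildcards on `resources=["*"]` for roughly 140 services reach well past the control-plane reads that `cloudcontrol.get_resource()` needs: they also match data-plane actions such as `s3:GetObject`, `ec2:GetPasswordData`, `lightsail:GetInstanceAccessDetails`, `dynamodb:GetItem`, `logs:GetLogEvents` and `kinesis:GetRecords`, so a compromise of the evaluation-router Lambda reads every object, Windows admin password and log line in the account. Cloud Control read handlers declare the exact permissions they use per resource type (presumably the read-handler permissions in the schema returned by `cloudformation:DescribeType`, which this role already has), so generating the allow list from those schemas would be the proper fix and would also let the two `#FIXME` wildcards go. As a stop-gap, add the explicit Deny below after the allow statement, removing from it any action a type's read handler actually requires; the comment on the new statement should also say `required for`, not `required fro`. The enclosing `deploy_inner_sfn_lambdas` starts outside this hunk.

```python
# … unchanged: Get*/List* allow statement …
self.lambda_pac_evaluation_router.role.add_to_policy(
    aws_iam.PolicyStatement(
        # The Get*/List* wildcards above also match data-plane reads that
        # cloudcontrol.get_resource() does not need; deny those explicitly.
        effect=aws_iam.Effect.DENY,
        actions=[
            "s3:GetObject*",
            "ec2:GetPasswordData",
            "lightsail:GetInstanceAccessDetails",
            "dynamodb:GetItem",
            "dynamodb:BatchGetItem",
            "logs:GetLogEvents",
            "kinesis:GetRecords",
        ],
        resources=["*"],
    )
)
```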