Adding in the CFN Hooks support

VerticalRelevance · May 27, 2022 · 04f7464 · 04f7464
1 parent e1b3b45
commit 04f7464
Show file tree

Hide file tree

Showing 2 changed files with 524 additions and 6 deletions.
diff --git a/stacks/control_broker_stack.py b/stacks/control_broker_stack.py
@@ -70,6 +70,7 @@ def __init__(
         self.output_handler_event_driven()
 
 
+        self.input_handler_cfn_hook()
         self.input_handler_cloudformation()
         self.input_handler_config_event()
         self.input_handler_cross_cloud_custom_auth()
@@ -755,28 +756,106 @@ def input_handler_config_event(self):
             )
         )
 
-    def input_handler_cfn_hooks(self):
+    def input_handler_cfn_hook(self):
 
-        self.lambda_invoked_by_apigw_cfn_hooks = aws_lambda.Function(
+        self.bucket_cfn_hook_converted_inputs = aws_s3.Bucket(
             self,
-            "InvokedByApigwCfnHooks",
+            "CFNHookConvertedInput",
+            removal_policy=RemovalPolicy.DESTROY,
+            auto_delete_objects=True,
+            block_public_access=aws_s3.BlockPublicAccess(
+                block_public_acls=True,
+                ignore_public_acls=True,
+                block_public_policy=True,
+                restrict_public_buckets=True,
+            ),
+        )
+
+        self.bucket_cfn_hook_raw_inputs = aws_s3.Bucket(
+            self,
+            "CFNHookRawInput",
+            removal_policy=RemovalPolicy.DESTROY,
+            auto_delete_objects=True,
+            block_public_access=aws_s3.BlockPublicAccess(
+                block_public_acls=True,
+                ignore_public_acls=True,
+                block_public_policy=True,
+                restrict_public_buckets=True,
+            ),
+        )
+
+        self.lambda_invoked_by_apigw_cfn_hook = aws_lambda.Function(
+            self,
+            "InvokedByApigwCFNHook",
             runtime=aws_lambda.Runtime.PYTHON_3_9,
             handler="lambda_function.lambda_handler",
             timeout=Duration.seconds(60),
             memory_size=1024,
             code=aws_lambda.Code.from_asset(
-                "./supplementary_files/lambdas/invoked_by_apigw_cfn_hooks"
+                "./supplementary_files/lambdas/invoked_by_apigw_cfn_hook"
             ),
+            environment={
+                "RawPaCResultsBucket": self.bucket_raw_pac_results.bucket_name,
+                "OutputHandlers": json.dumps(
+                    {
+                        "OPA": {
+                            "Bucket": self.bucket_output_handler.bucket_name
+                        }
+                    }
+                ),
+                "CFNHookConvertedInputsBucket":self.bucket_cfn_hook_converted_inputs.bucket_name
+            },
             layers=[
                 self.layers['requests'],
                 self.layers['aws_requests_auth']
             ]
         )
 
-        self.api.add_api_handler(
-            "CfnHooks", self.lambda_invoked_by_apigw_cfn_hooks, "/CfnHooks"
+        self.lambda_invoked_by_apigw_cfn_hook.role.add_to_policy(
+            aws_iam.PolicyStatement(
+                actions=[
+                    "cloudformation:ValidateTemplate",
+                    "cloudformation:DescribeType",
+                ],
+                resources=["*"],
+            )
+        )
+
+        self.lambda_invoked_by_apigw_cfn_hook.role.add_to_policy(
+            aws_iam.PolicyStatement(
+                actions=[
+                    "cloudcontrol:GetResource",
+                ],
+                resources=["*"],
+            )
         )
 
+        self.lambda_invoked_by_apigw_cfn_hook.role.add_to_policy(
+            aws_iam.PolicyStatement(
+                actions=[
+                    "s3:GetObject", # required to generate presigned url for get_object ClientMethod
+                ],
+                resources=[
+                    self.bucket_raw_pac_results.bucket_arn,
+                    self.bucket_raw_pac_results.arn_for_objects("*"),
+                    self.bucket_output_handler.bucket_arn,
+                    self.bucket_output_handler.arn_for_objects("*"),
+                ],
+            )
+        )
+
+        self.lambda_invoked_by_apigw_cfn_hook.role.add_to_policy(
+            aws_iam.PolicyStatement(
+                actions=[
+                    "s3:PutObject",
+                ],
+                resources=[
+                    self.bucket_cfn_hook_converted_inputs.bucket_arn,
+                    self.bucket_cfn_hook_converted_inputs.arn_for_objects("*"),
+                ],
+            )
+        )
+
     def input_handler_cross_cloud_custom_auth(self):
 
         self.bucket_cross_cloud_inputs = aws_s3.Bucket(
@@ -1047,6 +1126,8 @@ def eval_engine(self):
                     self.bucket_evaluation_context.arn_for_objects("*"),
                     self.bucket_config_events_converted_inputs.bucket_arn,
                     self.bucket_config_events_converted_inputs.arn_for_objects("*"),
+                    self.bucket_cfn_hook_converted_inputs.bucket_arn,
+                    self.bucket_cfn_hook_converted_inputs.arn_for_objects("*"),
                     self.bucket_cloudformation_raw_inputs.bucket_arn,
                     self.bucket_cloudformation_raw_inputs.arn_for_objects("*"),
                     self.bucket_cross_cloud_inputs.bucket_arn,
@@ -1073,6 +1154,10 @@ def eval_engine(self):
 
     def add_apis(self):
 
+        handler_url_cfn_hook = self.api.add_api_handler(
+            "CFNHook", self.lambda_invoked_by_apigw_cfn_hook, "/CFNHook"
+        )
+
         handler_url_config_event = self.api.add_api_handler(
             "ConfigEvent", self.lambda_invoked_by_apigw_config_event, "/ConfigEvent"
         )