Skip to content

Commit

Permalink
Issue #5 WIP ConfigEventToCloudFormationConverter
Browse files Browse the repository at this point in the history
  • Loading branch information
@cschneider-vertical-relevance
cschneider-vertical-relevance committed May 3, 2022
1 parent 943968d commit 0e51b7a
Show file tree
Hide file tree
Showing 3 changed files with 320 additions and 47 deletions.
44 changes: 39 additions & 5 deletions stacks/control_broker_stack.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,8 @@ def __init__(
self.deploy_outer_sfn()

self.Input_reader_roles: List[aws_iam.Role] = [
self.lambda_input_type_cloudformation_pac_framework_opa.role,
self.lambda_evaluate_cloudformation_by_opa.role,
self.lambda_pac_evaluation_router.role,
]

self.outer_eval_engine_state_machine = (
Expand Down Expand Up @@ -124,6 +125,21 @@ def deploy_utils(self):
],
)

# converted inputs

self.bucket_converted_inputs = aws_s3.Bucket(
self,
"ConvertedInputs",
removal_policy=RemovalPolicy.DESTROY,
auto_delete_objects=True,
block_public_access=aws_s3.BlockPublicAccess(
block_public_acls=True,
ignore_public_acls=True,
block_public_policy=True,
restrict_public_buckets=True,
),
)

# results reports

self.bucket_eval_results_reports = aws_s3.Bucket(
Expand Down Expand Up @@ -196,6 +212,12 @@ def deploy_inner_sfn_lambdas(self):
code=aws_lambda.Code.from_asset(
"./supplementary_files/lambdas/pac_evaluation_router"
),
environment = {
"PaCBucketRouting": json.dumps({
"OPA":self.bucket_opa_policies.bucket_name
}),
"ConvertedInputsBucket": self.bucket_converted_inputs.bucket_name
}
)

self.lambda_pac_evaluation_router.role.add_to_policy(
Expand All @@ -206,10 +228,20 @@ def deploy_inner_sfn_lambdas(self):
resources=["*"],
)
)
self.lambda_pac_evaluation_router.role.add_to_policy(
aws_iam.PolicyStatement(
actions=[
"s3:PutObject",
],
resources=[
self.bucket_converted_inputs.arn_for_objects("*"),
],
)
)

# InputType CloudFormation - PaCFramework OPA - PythonSubprocess

self.lambda_input_type_cloudformation_pac_framework_opa = aws_lambda.Function(
self.lambda_evaluate_cloudformation_by_opa = aws_lambda.Function(
self,
"EvaluateCloudFormationTemplateByOPAPythonSubprocess",
runtime=aws_lambda.Runtime.PYTHON_3_9,
Expand All @@ -221,7 +253,7 @@ def deploy_inner_sfn_lambdas(self):
),
)

self.lambda_input_type_cloudformation_pac_framework_opa.role.add_to_policy(
self.lambda_evaluate_cloudformation_by_opa.role.add_to_policy(
aws_iam.PolicyStatement(
actions=[
"s3:HeadObject",
Expand All @@ -231,6 +263,8 @@ def deploy_inner_sfn_lambdas(self):
resources=[
self.bucket_opa_policies.bucket_arn,
self.bucket_opa_policies.arn_for_objects("*"),
self.bucket_converted_inputs.bucket_arn,
self.bucket_converted_inputs.arn_for_objects("*"),
],
)
)
Expand Down Expand Up @@ -332,7 +366,7 @@ def deploy_inner_sfn(self):
actions=["lambda:InvokeFunction"],
resources=[
self.lambda_pac_evaluation_router.function_arn,
self.lambda_input_type_cloudformation_pac_framework_opa.function_arn,
self.lambda_evaluate_cloudformation_by_opa.function_arn,
self.lambda_gather_infractions.function_arn,
self.lambda_handle_infraction.function_arn,
],
Expand Down Expand Up @@ -420,7 +454,7 @@ def deploy_inner_sfn(self):
# "ResultPath": "$.EvaluateCloudFormationTemplateByOPA",
# "Resource": "arn:aws:states:::lambda:invoke",
# "Parameters": {
# "FunctionName": self.lambda_input_type_cloudformation_pac_framework_opa.function_name,
# "FunctionName": self.lambda_evaluate_cloudformation_by_opa.function_name,
# "Payload": {
# "JsonInput.$": "$.JsonInput",
# "OpaPolicies": {
Expand Down
9 changes: 0 additions & 9 deletions supplementary_files/lambdas/conversion/lambda_function.py
View file

This file was deleted.

Loading

0 comments on commit 0e51b7a

Please sign in to comment.