class Codepipe::Role

Public Class Methods

new(options={}) click to toggle source
# File lib/codepipe/role.rb, line 8
def initialize(options={})
  @options = options
  @role_path = options[:role_path] || get_role_path
  @properties = default_properties
end

Public Instance Methods

logical_id() click to toggle source
# File lib/codepipe/role.rb, line 35
def logical_id
  "IamRole"
end
run() click to toggle source
# File lib/codepipe/role.rb, line 14
def run
  evaluate(@role_path) if File.exist?(@role_path)
  @properties[:policies] = [{
    policy_name: "CodePipelineAccess",
    policy_document: {
      version: "2012-10-17",
      statement: derived_iam_statements
    }
  }]

  @properties[:managed_policy_arns] = @managed_policy_arns if @managed_policy_arns && !@managed_policy_arns.empty?

  resource = {
    logical_id => {
      type: "AWS::IAM::Role",
      properties: @properties
    }
  }
  CfnCamelizer.transform(resource)
end

Private Instance Methods

default_iam_statements() click to toggle source
# File lib/codepipe/role.rb, line 68
def default_iam_statements
  # Based on the one created by CodePipeline Console
  [{
    "action"=>["iam:PassRole"],
    "resource"=>"*",
    "effect"=>"Allow",
    "condition"=>
      {"string_equals_if_exists"=>
        {"iam:passed_to_service"=>
          ["cloudformation.amazonaws.com",
           "elasticbeanstalk.amazonaws.com",
           "ec2.amazonaws.com",
           "ecs-tasks.amazonaws.com"]
        }
      }
  },{
    "action"=>
      ["codecommit:CancelUploadArchive",
       "codecommit:GetBranch",
       "codecommit:GetCommit",
       "codecommit:GetUploadArchiveStatus",
       "codecommit:UploadArchive"],
      "resource"=>"*",
      "effect"=>"Allow"
  },{
    "action"=>
     ["codedeploy:CreateDeployment",
      "codedeploy:GetApplication",
      "codedeploy:GetApplicationRevision",
      "codedeploy:GetDeployment",
      "codedeploy:GetDeploymentConfig",
      "codedeploy:RegisterApplicationRevision"],
      "resource"=>"*",
      "effect"=>"Allow"
  },{
    "action"=>
      ["elasticbeanstalk:*",
       "ec2:*",
       "elasticloadbalancing:*",
       "autoscaling:*",
       "cloudwatch:*",
       "s3:*",
       "sns:*",
       "cloudformation:*",
       "rds:*",
       "sqs:*",
       "ecs:*"],
    "resource"=>"*",
    "effect"=>"Allow"
  },{
    "action"=>["lambda:InvokeFunction", "lambda:ListFunctions"],
    "resource"=>"*",
    "effect"=>"Allow"
  },{
    "action"=>
       ["opsworks:CreateDeployment",
        "opsworks:DescribeApps",
        "opsworks:DescribeCommands",
        "opsworks:DescribeDeployments",
        "opsworks:DescribeInstances",
        "opsworks:DescribeStacks",
        "opsworks:UpdateApp",
        "opsworks:UpdateStack"],
      "resource"=>"*",
      "effect"=>"Allow"
  },{
    "action"=>
     ["cloudformation:CreateStack",
      "cloudformation:DeleteStack",
      "cloudformation:DescribeStacks",
      "cloudformation:UpdateStack",
      "cloudformation:CreateChangeSet",
      "cloudformation:DeleteChangeSet",
      "cloudformation:DescribeChangeSet",
      "cloudformation:ExecuteChangeSet",
      "cloudformation:SetStackPolicy",
      "cloudformation:ValidateTemplate"],
    "resource"=>"*",
    "effect"=>"Allow"
  },{
    "action"=>["codebuild:BatchGetBuilds", "codebuild:StartBuild"],
    "resource"=>"*",
    "effect"=>"Allow"
  },{
    "action"=>
      ["devicefarm:ListProjects",
       "devicefarm:ListDevicePools",
       "devicefarm:GetRun",
       "devicefarm:GetUpload",
       "devicefarm:CreateUpload",
       "devicefarm:ScheduleRun"],
      "resource"=>"*",
      "effect"=>"Allow",
  },{
    "action"=>
      ["servicecatalog:ListProvisioningArtifacts",
       "servicecatalog:CreateProvisioningArtifact",
       "servicecatalog:DescribeProvisioningArtifact",
       "servicecatalog:DeleteProvisioningArtifact",
       "servicecatalog:UpdateProduct"],
    "resource"=>"*",
    "effect"=>"Allow",
  },{
    "action"=>["cloudformation:ValidateTemplate"],
    "resource"=>"*",
    "effect"=>"Allow",
  },{
    "action"=>["ecr:DescribeImages"],
    "resource"=>"*",
    "effect"=>"Allow",
  }]
end
default_properties() click to toggle source
# File lib/codepipe/role.rb, line 44
def default_properties
  {
    assume_role_policy_document: {
      statement: [{
        action: ["sts:AssumeRole"],
        effect: "Allow",
        principal: {
          service: principal_services
        }
      }],
      version: "2012-10-17"
    },
    path: "/"
  }
end
derived_iam_statements() click to toggle source
# File lib/codepipe/role.rb, line 64
def derived_iam_statements
  @iam_statements || default_iam_statements
end
get_role_path() click to toggle source
# File lib/codepipe/role.rb, line 40
def get_role_path
  lookup_codepipeline_file("role.rb")
end
principal_services() click to toggle source
# File lib/codepipe/role.rb, line 60
def principal_services
  ["codepipeline.amazonaws.com"]
end