module Convection::DSL::Template::Resource::IAMRole

Role DSL

Public Instance Methods

allow_instance_termination(&block)

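Add a policy that allows instances running under this role's instance profile to terminate themselves. The statement is scoped by an `ec2:InstanceProfile` condition rather than by instance ID, so it also covers other instances that carry the same profile.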

# File lib/convection/model/template/resource/aws_iam_role.rb, line 64
# Attach an IAM policy that lets EC2 instances running under this role's
# instance profile call ec2:TerminateInstances.
#
# An instance profile is created first (via with_instance_profile) when the
# role has none. The generated policy is named 'allow-instance-termination',
# is attached to this role, depends on the instance profile, and is stored in
# the template's resources under the policy's own name.
#
# NOTE(security): the statement uses resource '*' and is narrowed only by the
# ec2:InstanceProfile condition, so it matches every instance carrying this
# profile, not just the calling instance. The optional block is instance_exec'd
# on the policy after the canned statement and can add further statements, so
# review what it grants.
#
# @yield optional block evaluated in the context of the termination policy
# @return the policy object that was stored in the template
def allow_instance_termination(&block)
  with_instance_profile if instance_profile.nil?

  # Keep a handle on the role for use inside the allow block below
  # (presumably `self` is rebound there — confirm against IAMPolicy#allow).
  owning_role = self
  policy_id = "#{name}TerminationPolicy"

  termination = Model::Template::Resource::IAMPolicy.new(policy_id, @template)
  termination.policy_name('allow-instance-termination')
  termination.allow do
    action 'ec2:TerminateInstances'
    resource '*'
    condition(
      StringEquals: {
        'ec2:InstanceProfile' => get_att(owning_role.instance_profile.name, 'Arn')
      }
    )
  end
  termination.role(self)
  termination.depends_on(instance_profile)

  # Caller customisation runs last, after the canned statement is in place.
  termination.instance_exec(&block) unless block.nil?
  @template.resources[termination.name] = termination
end
assume_role_policy(policy_name, &block)
# File lib/convection/model/template/resource/aws_iam_role.rb, line 9
# Define this role's trust relationship (assume-role policy) from scratch.
#
# A new Model::Mixin::Policy named +policy_name+ is assigned to
# @trust_relationship, replacing whatever was assigned before. No statements
# are added here: the policy contains only what the optional block declares.
#
# NOTE(security): the block decides which principals may assume the role;
# keep the principals it names as narrow as the use case allows.
#
# @param policy_name name given to the new trust policy
# @yield optional block evaluated in the context of the new policy
# @return the block's result, or nil when no block is given
def assume_role_policy(policy_name, &block)
  @trust_relationship = Model::Mixin::Policy.new(name: policy_name, template: @template)
  trust_relationship.instance_exec(&block) unless block.nil?
end
policy(policy_name, &block)
# File lib/convection/model/template/resource/aws_iam_role.rb, line 14
# Build a policy named +policy_name+ and append it to this role's policies.
#
# The optional block is evaluated in the context of the new policy before it
# is appended, so the block is where the policy's statements are declared.
#
# @param policy_name name given to the new policy
# @yield optional block evaluated in the context of the new policy
# @return the result of appending to +policies+
def policy(policy_name, &block)
  inline_policy = Model::Mixin::Policy.new(name: policy_name, template: @template)
  inline_policy.instance_exec(&block) unless block.nil?

  policies << inline_policy
end
trust_cloudtrail(&block)

Add a canned trust policy for CloudTrail

# File lib/convection/model/template/resource/aws_iam_role.rb, line 59
# Trust the CloudTrail service to assume this role.
#
# Delegates to trust_service with the service prefix 'cloudtrail' and the
# policy name 'trust-cloudtrail-instances'; the optional block is forwarded.
#
# @yield optional block forwarded to trust_service
# @return whatever trust_service returns
def trust_cloudtrail(&block)
  service_prefix = 'cloudtrail'
  trust_policy_name = 'trust-cloudtrail-instances'
  trust_service(service_prefix, trust_policy_name, &block)
end
trust_ec2_instances(&block)

Add a canned trust policy for EC2 instances

# File lib/convection/model/template/resource/aws_iam_role.rb, line 44
# Trust the EC2 service to assume this role.
#
# Delegates to trust_service with the service prefix 'ec2' and the policy
# name 'trust-ec2-instances'; the optional block is forwarded.
#
# @yield optional block forwarded to trust_service
# @return whatever trust_service returns
def trust_ec2_instances(&block)
  service_prefix = 'ec2'
  trust_policy_name = 'trust-ec2-instances'
  trust_service(service_prefix, trust_policy_name, &block)
end
trust_emr(&block)

Add a canned trust policy for EMR

# File lib/convection/model/template/resource/aws_iam_role.rb, line 54
# Trust the EMR service to assume this role.
#
# Delegates to trust_service with the service prefix 'elasticmapreduce' and
# the policy name 'trust-emr'; the optional block is forwarded.
#
# @yield optional block forwarded to trust_service
# @return whatever trust_service returns
def trust_emr(&block)
  service_prefix = 'elasticmapreduce'
  trust_policy_name = 'trust-emr'
  trust_service(service_prefix, trust_policy_name, &block)
end
trust_flow_logs(&block)

Add a canned trust policy for Flow Logs

# File lib/convection/model/template/resource/aws_iam_role.rb, line 49
# Trust the VPC Flow Logs service to assume this role.
#
# Delegates to trust_service with the service prefix 'vpc-flow-logs' and the
# policy name 'trust-flow-logs'; the optional block is forwarded.
#
# @yield optional block forwarded to trust_service
# @return whatever trust_service returns
def trust_flow_logs(&block)
  service_prefix = 'vpc-flow-logs'
  trust_policy_name = 'trust-flow-logs'
  trust_service(service_prefix, trust_policy_name, &block)
end
trust_service(name, policy_name = nil, &block)

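Add a canned trust policy for any AWS service. Each call assigns a new trust relationship, replacing one set by an earlier trust_* or assume_role_policy call.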

# File lib/convection/model/template/resource/aws_iam_role.rb, line 33
# Let an AWS service principal assume this role.
#
# Assigns a new Model::Mixin::Policy to @trust_relationship (replacing any
# earlier one) and adds an allow statement for sts:AssumeRole whose principal
# is the service "<name>.amazonaws.com". The optional block is then evaluated
# in the context of that policy and can add further statements.
#
# NOTE(security): +name+ is interpolated into the principal as given and the
# ".amazonaws.com" suffix is fixed; pass only a known service prefix, never a
# value taken from untrusted input.
#
# @param name service prefix, e.g. 'ec2'
# @param policy_name name for the trust policy; defaults to "trust-<name>-service"
# @yield optional block evaluated in the context of the trust policy
# @return the block's result, or nil when no block is given
def trust_service(name, policy_name = nil, &block)
  policy_name = "trust-#{name}-service" unless policy_name
  service_principal = "#{name}.amazonaws.com"

  @trust_relationship = Model::Mixin::Policy.new(name: policy_name, template: @template)
  trust_relationship.allow do
    action 'sts:AssumeRole'
    principal Service: service_principal
  end
  trust_relationship.instance_exec(&block) unless block.nil?
end
with_instance_profile(&block)

Create an IAM Instance Profile for this role

# File lib/convection/model/template/resource/aws_iam_role.rb, line 22
# Create an IAM instance profile for this role and register it in the template.
#
# The profile is named "<name>Profile", is given this role and this role's
# path, and is stored both in @instance_profile and in the template's
# resources under the profile's own name. The optional block is evaluated in
# the context of the profile before it is stored.
#
# @yield optional block evaluated in the context of the new profile
# @return the profile object that was stored in the template
def with_instance_profile(&block)
  profile_id = "#{name}Profile"

  new_profile = Model::Template::Resource::IAMInstanceProfile.new(profile_id, @template)
  new_profile.role(self)
  new_profile.path(path)

  new_profile.instance_exec(&block) unless block.nil?
  @instance_profile = new_profile
  @template.resources[new_profile.name] = new_profile
end