

Update examples for updated AWS managed policies (pulumi#894)
Co-authored-by: Mikhail Shilkov <[email protected]>
Lee Zen and mikhailshilkov committed Jan 29, 2021
1 parent fa9b2d7 commit 88e52a4
Showing 19 changed files with 95 additions and 100 deletions.
7 changes: 2 additions & 5 deletions aws-django-voting-app/__main__.py
Expand Up @@ -87,7 +87,7 @@

# Attaching execution permissions to the exec role
exec_policy_attachment = aws.iam.RolePolicyAttachment("app-exec-policy", role=app_exec_role.name,
policy_arn="arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy")
policy_arn=aws.iam.ManagedPolicy.AMAZON_ECS_TASK_EXECUTION_ROLE_POLICY)

# Creating an IAM role used by Fargate to manage tasks
app_task_role = aws.iam.Role("app-task-role",
Expand All @@ -106,10 +106,7 @@

# Attaching execution permissions to the task role
task_policy_attachment = aws.iam.RolePolicyAttachment("app-access-policy", role=app_task_role.name,
policy_arn="arn:aws:iam::aws:policy/AmazonEC2ContainerServiceFullAccess")

task_policy_attachment = aws.iam.RolePolicyAttachment("app-lambda-policy", role=app_task_role.name,
policy_arn="arn:aws:iam::aws:policy/AWSLambdaFullAccess")
policy_arn=aws.iam.ManagedPolicy.AMAZON_ECS_FULL_ACCESS)

# Creating storage space to upload a docker image of our app to
app_ecr_repo = aws.ecr.Repository("app-ecr-repo",
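Review bot: The task role now carries `aws.iam.ManagedPolicy.AMAZON_ECS_FULL_ACCESS`, and the task role is the identity the application container itself runs with, not the one the ECS agent uses to pull images and ship logs; nothing in this hunk suggests the Django app needs to manage ECS clusters, services or task definitions, so this grants more than the workload appears to use. The comment above it still reads `# Attaching execution permissions to the task role`, although execution permissions were attached to `app_exec_role` in the first hunk; `# Attaching application permissions to the task role (broad for example purposes; scope to what the app actually calls)` would describe the line. The identical attachment appears in aws-py-voting-app/__main__.py. The surrounding script continues outside the hunk.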
2 changes: 1 addition & 1 deletion aws-fs-lambda-webserver/README.md
Expand Up @@ -17,7 +17,7 @@ After cloning this repo, from this working directory, run these commands:
1. Build and publish the lambda function, making the output available to our Pulumi program.

```bash
dotnet publish ./LambdaWebService
dotnet publish ./LambdaWebServer
```

2. Execute our Pulumi program to archive our published function output, and create our lambda.
8 changes: 3 additions & 5 deletions aws-fs-lambda-webserver/pulumi/Program.fs
Expand Up @@ -7,7 +7,7 @@ open Pulumi.Aws.Lambda

module ManagedPolicies =
let AWSLambdaBasicExecutionRole = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
let AWSLambdaFullAccess = "arn:aws:iam::aws:policy/AWSLambdaFullAccess"
let AWSLambdaExecute = "arn:aws:iam::aws:policy/AWSLambdaExecute"

let openApiSpec (name, arn) =
let quotedTitle = "\"" + name + "api\""
Expand Down Expand Up @@ -57,7 +57,6 @@ let addInvokePermission name accountId functionArn executionArn =
Action = input "lambda:InvokeFunction",
Function = functionArn,
Principal = input "apigateway.amazonaws.com",
SourceAccount = accountId,
SourceArn = executionArn,
StatementIdPrefix = input "lambdaPermission"
)
Expand Down Expand Up @@ -88,14 +87,14 @@ let infra () =
)
)

RolePolicyAttachment("lambdaS3ReadOnlyAccess", RolePolicyAttachmentArgs(Role = io lambdaRole.Id, PolicyArn = input ManagedPolicies.AWSLambdaFullAccess)) |> ignore
RolePolicyAttachment("lambdaS3ReadOnlyAccess", RolePolicyAttachmentArgs(Role = io lambdaRole.Id, PolicyArn = input ManagedPolicies.AWSLambdaExecute)) |> ignore
RolePolicyAttachment("lambdaBasicExecution", RolePolicyAttachmentArgs(Role = io lambdaRole.Id, PolicyArn = input ManagedPolicies.AWSLambdaBasicExecutionRole)) |> ignore

let lambda =
Function(
"basicLambda",
FunctionArgs(
Runtime = input "dotnetcore3.1",
Runtime = inputUnion2Of2 Pulumi.Aws.Lambda.Runtime.DotnetCore3d1,
Code = input (FileArchive "../LambdaWebServer/bin/Debug/netcoreapp3.1/publish" :> Archive),
Handler = input "LambdaWebServer::Setup+LambdaEntryPoint::FunctionHandlerAsync",
Role = io lambdaRole.Arn,
Expand Down Expand Up @@ -143,4 +142,3 @@ let infra () =
[<EntryPoint>]
let main _argv =
Deployment.run infra

5 changes: 1 addition & 4 deletions aws-py-voting-app/__main__.py
Expand Up @@ -94,10 +94,7 @@

# Attaching execution permissions to the task role
task_policy_attachment = aws.iam.RolePolicyAttachment("app-access-policy", role=app_task_role.name,
policy_arn="arn:aws:iam::aws:policy/AmazonEC2ContainerServiceFullAccess")

task_policy_attachment = aws.iam.RolePolicyAttachment("app-lambda-policy", role=app_task_role.name,
policy_arn="arn:aws:iam::aws:policy/AWSLambdaFullAccess")
policy_arn=aws.iam.ManagedPolicy.AMAZON_ECS_FULL_ACCESS)

# Creating storage space to upload a docker image of our app to
app_ecr_repo = aws.ecr.Repository("app-ecr-repo",
2 changes: 1 addition & 1 deletion aws-ts-apigatewayv2-http-api-quickcreate/index.ts
Expand Up @@ -23,7 +23,7 @@ const lambdaRole = new aws.iam.Role("lambdaRole", {
// Attach the fullaccess policy to the Lambda role created above
const rolepolicyattachment = new aws.iam.RolePolicyAttachment("lambdaRoleAttachment", {
role: lambdaRole,
policyArn: aws.iam.ManagedPolicies.AWSLambdaFullAccess,
policyArn: aws.iam.ManagedPolicy.AWSLambdaBasicExecutionRole,
});

// Create the Lambda to execute
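Review bot: The comment on the line above the attachment, `// Attach the fullaccess policy to the Lambda role created above`, is now wrong: the policy is `aws.iam.ManagedPolicy.AWSLambdaBasicExecutionRole`, which only lets the function write to CloudWatch Logs. Replace it with `// Attach the basic execution policy (CloudWatch Logs only) to the Lambda role created above` so the example no longer advertises a broader grant than it makes. The file continues beyond the hunk.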
4 changes: 2 additions & 2 deletions aws-ts-apigatewayv2-http-api-quickcreate/package.json
Expand Up @@ -4,8 +4,8 @@
"@types/node": "^10.0.0"
},
"dependencies": {
"@pulumi/aws": "^3.0.0",
"@pulumi/awsx": "^0.23.0",
"@pulumi/aws": "^3.25.1",
"@pulumi/awsx": "^0.24.0",
"@pulumi/pulumi": "^2.0.0"
}
}
4 changes: 2 additions & 2 deletions aws-ts-apigatewayv2-http-api/index.ts
Expand Up @@ -33,9 +33,9 @@ const lambdaRole = new aws.iam.Role("lambdaRole", {
},
});

const lambadRoleAttachment = new aws.iam.RolePolicyAttachment("lambdaRoleAttachment", {
const lambdaRoleAttachment = new aws.iam.RolePolicyAttachment("lambdaRoleAttachment", {
role: lambdaRole,
policyArn: aws.iam.ManagedPolicies.AWSLambdaFullAccess,
policyArn: aws.iam.ManagedPolicy.AWSLambdaBasicExecutionRole,
});

const lambda = new aws.lambda.Function("lambdaFunction", {
4 changes: 2 additions & 2 deletions aws-ts-apigatewayv2-http-api/package.json
Expand Up @@ -4,8 +4,8 @@
"@types/node": "^10.0.0"
},
"dependencies": {
"@pulumi/aws": "^3.0.0",
"@pulumi/awsx": "^0.23.0",
"@pulumi/aws": "^3.25.1",
"@pulumi/awsx": "^0.24.0",
"@pulumi/pulumi": "^2.0.0"
}
}
2 changes: 1 addition & 1 deletion aws-ts-lambda-efs/README.md
Expand Up @@ -130,7 +130,7 @@ After cloning this repo, `cd` into it and run these commands:
```bash
$ curl -X POST -d '<h1>Hello world</h1>' $(pulumi stack output url)files/index.html
$ curl -X GET $(pulumi stack output url)files/file.txt
$ curl -X GET $(pulumi stack output url)files/index.html
<h1>Hello world</h1>
```
2 changes: 1 addition & 1 deletion aws-ts-lambda-efs/index.ts
Expand Up @@ -30,7 +30,7 @@ export = async () => {
// Lambda
function efsvpcCallback(name: string, f: aws.lambda.Callback<awsx.apigateway.Request, awsx.apigateway.Response>) {
return new aws.lambda.CallbackFunction(name, {
policies: [aws.iam.ManagedPolicies.AWSLambdaVPCAccessExecutionRole, aws.iam.ManagedPolicies.AWSLambdaFullAccess],
policies: [aws.iam.ManagedPolicy.AWSLambdaVPCAccessExecutionRole, aws.iam.ManagedPolicy.LambdaFullAccess],
vpcConfig: {
subnetIds: vpc.privateSubnetIds,
securityGroupIds: [vpc.vpc.defaultSecurityGroupId],
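Review bot: `aws.iam.ManagedPolicy.LambdaFullAccess` on the EFS callback function keeps this example at full Lambda administration while the rest of the commit moves the other examples down to `AWSLambdaBasicExecutionRole` or `AWSLambdaExecute`. The function reaches EFS through `vpcConfig` and serves files, so `AWSLambdaVPCAccessExecutionRole` alone appears to cover what the hunk shows it doing; if the full-access policy is deliberate, a comment such as `// LambdaFullAccess kept because <reason> — TODO confirm` would stop the next reader from either trimming it blindly or copying it. `efsvpcCallback` and the enclosing `export = async () =>` continue outside the hunk.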
4 changes: 2 additions & 2 deletions aws-ts-lambda-efs/package.json
Expand Up @@ -2,8 +2,8 @@
"name": "aws-ts-lambda-efs",
"version": "0.1.0",
"dependencies": {
"@pulumi/aws": "^3.0.0",
"@pulumi/awsx": "^0.23.0",
"@pulumi/aws": "^3.25.1",
"@pulumi/awsx": "^0.24.0",
"@pulumi/pulumi": "^2.0.0"
}
}
6 changes: 3 additions & 3 deletions aws-ts-lambda-thumbnailer/index.ts
Expand Up @@ -12,9 +12,9 @@ const image = awsx.ecr.buildAndPushImage("sampleapp", {
const role = new aws.iam.Role("thumbnailerRole", {
assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({ Service: "lambda.amazonaws.com" }),
});
const lambdaFullAccess = new aws.iam.RolePolicyAttachment("lambdaFullAccess", {
const lambdaS3Access = new aws.iam.RolePolicyAttachment("lambdaFullAccess", {
role: role.name,
policyArn: aws.iam.ManagedPolicies.AWSLambdaFullAccess,
policyArn: aws.iam.ManagedPolicy.AWSLambdaExecute,
});

const thumbnailer = new aws.lambda.Function("thumbnailer", {
Expand Down Expand Up @@ -44,6 +44,6 @@ bucket.onObjectCreated("onNewThumbnail", new aws.lambda.CallbackFunction<aws.s3.
}
},
policies: [
aws.iam.ManagedPolicies.AWSLambdaFullAccess, // Provides wide access to "serverless" services (Dynamo, S3, etc.)
aws.iam.ManagedPolicy.AWSLambdaExecute, // Provides wide access to Lambda and S3
],
}), { filterSuffix: ".jpg" });
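Review bot: The inline comment on the `AWSLambdaExecute` entry in the `policies` array, `// Provides wide access to Lambda and S3`, overstates it: AWSLambdaExecute grants CloudWatch Logs writes and S3 GetObject/PutObject, not Lambda API access. `// AWSLambdaExecute: CloudWatch Logs plus S3 GetObject/PutObject on all buckets` is accurate and also tells a reader why the callback can write its thumbnail back to the bucket. In the first hunk the variable becomes `lambdaS3Access` while the resource name string stays `"lambdaFullAccess"`; changing the string would force a replacement of the attachment, so keeping it is reasonable, but a short comment saying the name is retained to avoid a replace would make the mismatch look intentional. The `bucket.onObjectCreated` call starts outside the hunk.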
4 changes: 2 additions & 2 deletions aws-ts-lambda-thumbnailer/package.json
Expand Up @@ -4,7 +4,7 @@
"main": "index.js",
"dependencies": {
"@pulumi/pulumi": "^2.0.0",
"@pulumi/aws": "^3.17.0",
"@pulumi/awsx": "^0.23.0"
"@pulumi/aws": "^3.25.1",
"@pulumi/awsx": "^0.24.0"
}
}
Expand Up @@ -41,10 +41,10 @@ export class LambdaCronJob extends pulumi.ComponentResource {
}
}

// always attach the lambda policy for logging, etc.
// always attach the lambda policy for logging
const loggingAttachment = new aws.iam.RolePolicyAttachment(`${name}-Attachment-lambda`, {
role: partitionRole,
policyArn: aws.iam.ManagedPolicies.AWSLambdaFullAccess,
policyArn: aws.iam.ManagedPolicy.AWSLambdaBasicExecutionRole,
}, options);

const cron = new aws.cloudwatch.EventRule(`${name}-cron`, {
4 changes: 2 additions & 2 deletions aws-ts-thumbnailer/index.ts
Expand Up @@ -25,8 +25,8 @@ const ffmpegThumbnailTask = new awsx.ecs.FargateTaskDefinition("ffmpegThumbTask"
bucket.onObjectCreated("onNewVideo", new aws.lambda.CallbackFunction<aws.s3.BucketEvent, void>("onNewVideo", {
// Specify appropriate policies so that this AWS lambda can run EC2 tasks.
policies: [
aws.iam.ManagedPolicies.AWSLambdaFullAccess, // Provides wide access to "serverless" services (Dynamo, S3, etc.)
aws.iam.ManagedPolicies.AmazonEC2ContainerServiceFullAccess, // Required for lambda compute to be able to run Tasks
aws.iam.ManagedPolicy.AWSLambdaExecute, // Provides access to logging and S3
aws.iam.ManagedPolicy.AmazonECSFullAccess, // Required for lambda compute to be able to run Tasks
],
callback: async bucketArgs => {
console.log("onNewVideo called");
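Review bot: `aws.iam.ManagedPolicy.AmazonECSFullAccess` on the `onNewVideo` callback gives the function control over every ECS resource in the account, while the callback only needs to start `ffmpegThumbnailTask`; an inline policy allowing `ecs:RunTask` on that task definition's ARN and `iam:PassRole` on its task and execution roles would satisfy the "Required for lambda compute to be able to run Tasks" comment with far less exposure. The comment `// Specify appropriate policies so that this AWS lambda can run EC2 tasks.` also predates the change, since these are ECS Fargate tasks; `// Policies so this Lambda can write logs, read/write the bucket, and run the ECS thumbnail task` would read correctly. The callback body continues outside the hunk.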
4 changes: 2 additions & 2 deletions aws-ts-thumbnailer/package.json
Expand Up @@ -4,7 +4,7 @@
"main": "index.js",
"dependencies": {
"@pulumi/pulumi": "^2.0.0",
"@pulumi/aws": "^3.0.0",
"@pulumi/awsx": "^0.23.0"
"@pulumi/aws": "^3.25.1",
"@pulumi/awsx": "^0.24.0"
}
}
2 changes: 1 addition & 1 deletion cloud-js-thumbnailer-machine-learning/Pulumi.yaml
Expand Up @@ -11,4 +11,4 @@ template:
default: true
cloud-aws:computeIAMRolePolicyARNs:
description: The IAM role policies to apply to compute (both Lambda and ECS) within this Pulumi program
default: arn:aws:iam::aws:policy/AWSLambdaFullAccess,arn:aws:iam::aws:policy/AmazonEC2ContainerServiceFullAccess,arn:aws:iam::aws:policy/AmazonRekognitionFullAccess
default: arn:aws:iam::aws:policy/AWSLambdaExecute,arn:aws:iam::aws:policy/AWSLambda_FullAccess,arn:aws:iam::aws:policy/AmazonECS_FullAccess,arn:aws:iam::aws:policy/AmazonRekognitionFullAccess,arn:aws:iam::aws:policy/IAMFullAccess
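Review bot: The new default for `cloud-aws:computeIAMRolePolicyARNs` adds `arn:aws:iam::aws:policy/IAMFullAccess`, which the previous default did not carry: every Lambda and ECS compute role in this program would be able to create and modify IAM users, roles and policies, which is equivalent to administrative access for any code that runs in that compute. Nothing in this hunk explains why the thumbnailer needs it; if the reason is that the replacement managed policies no longer cover the `iam:PassRole` the old policy did, the fix is a narrow inline policy granting `iam:PassRole` on the specific task roles rather than IAMFullAccess on a template default that users will copy. The `template` block this key sits in starts outside the hunk.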
