Type="String",
Description="Image Id"
))
# Register the AMI id supplied for the ImageId parameter in default test runs.
default_test_params.add(TestParameter("ImageId", "ami-6869aa05"))

# Tags are built first so the Instance declaration below stays short.
instance_tags = Tags(
    Name=Ref("AWS::StackName"),
    ServiceProvider="Rackspace",
    Environment=Ref(Environment),
)
self.template.add_resource(
    Instance(
        "EC2Instance",
        Tags=instance_tags,
        InstanceType="t2.small",
        ImageId=Ref(ImageId),
    )
)

# NOTE(review): "s3:*" allows every S3 action, including deleting objects
# and changing the bucket policy and ACLs. If the instance only reads or
# writes objects, list those actions explicitly instead.
# NOTE(review): Ref() of an AWS::S3::Bucket resource yields the bucket name,
# while an IAM "Resource" must be an ARN, and object-level actions need the
# "<bucket-arn>/*" form. What Bucket refers to is not visible in this
# excerpt -- TODO confirm.
s3_access_statement = {
    "Effect": "Allow",
    "Action": "s3:*",
    "Resource": Ref(Bucket),
}
EC2Policy = Policy(
    PolicyName="EC2_S3_Access",
    PolicyDocument={"Statement": [s3_access_statement]},
)
EC2InstanceRole = self.template.add_resource(Role(
"EC2InstanceRole",
AssumeRolePolicyDocument={
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": ["ec2.amazonaws.com"]
# Instance role with one inline policy. This excerpt is cut off inside the
# second statement's "Action" list, so the full grant is not visible here.
role = template.add_resource(iam.Role(
"InstanceRole",
# Trust policy: only the EC2 service principal may call sts:AssumeRole.
AssumeRolePolicyDocument={
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": ["ec2.amazonaws.com"]
},
"Action": ["sts:AssumeRole"]
}
]
},
Path="/",
Policies=[
iam.Policy(
PolicyName="ReadFromS3AndDynamo",
PolicyDocument={
"Statement": [
{
# Bucket-level statement: s3:ListBucket is granted on the bucket ARN
# itself, with no object ARNs in scope.
"Effect": "Allow",
"Resource": "arn:aws:s3:::artifacts.sanction.com",
"Action": [
"s3:ListBucket"
]
},
{
# Object-level statement: the resource is limited to keys under the
# maven/releases/ prefix, not the whole bucket.
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::artifacts.sanction.com/maven/releases/*"
],
"Action": [
def generate_iam_policies(self):
    """Return a one-element list holding the "ecs-agent" policy.

    The policy document is whatever ecs_agent_policy() returns; that helper
    is defined outside this excerpt.
    """
    # NOTE(review): the permissions actually granted live in
    # ecs_agent_policy(); review that document for wildcard actions or
    # resources -- TODO confirm.
    agent_policy = Policy(
        PolicyName="ecs-agent",
        PolicyDocument=ecs_agent_policy(),
    )
    return [agent_policy]
###
# Execution role for a Lambda function. This excerpt is cut off inside the
# second statement's "Action" list, so only part of the grant is visible.
cloud_front_origin_elb_sg_ip_sync_lambda_iam_role = template.add_resource(Role(
"CloudFrontOriginElbSgIpSyncLambdaIamRole",
# Trust policy: only the Lambda service principal may call sts:AssumeRole.
AssumeRolePolicyDocument={
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": ["lambda.amazonaws.com"]
},
"Action": ["sts:AssumeRole"]
}]
},
Policies=[
Policy(
PolicyName="cloud_front_origin_elb_sg_ip_sync_lambda_iam_role_policy",
PolicyDocument={
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
# NOTE(review): this ARN pattern matches log groups in every region and
# account, so the function can write to any log group the account
# exposes. Scoping it to the function's own log group would be tighter.
"Resource": "arn:aws:logs:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeSecurityGroups",
StackName,
'-%s-*' % function_name,
])
# Adds the function's IAM role to the template and returns the result of
# add_resource(). The enclosing function starts above this excerpt, and the
# excerpt ends before the policy list is closed.
return self.template.add_resource(
iam.Role(
name,
# NOTE(review): presumably builds a trust policy naming both the Lambda
# and Lambda@Edge service principals; the helper is not shown here.
AssumeRolePolicyDocument=make_simple_assume_policy(
'lambda.amazonaws.com', 'edgelambda.amazonaws.com'
),
# The boundary ARN is set only when self.role_boundary_specified is
# truthy. Otherwise NoValue is passed and the role carries no boundary.
PermissionsBoundary=(
variables['RoleBoundaryArn'] if self.role_boundary_specified
else NoValue
),
Policies=[
iam.Policy(
PolicyName="LambdaLogCreation",
PolicyDocument=PolicyDocument(
Version='2012-10-17',
Statement=[
Statement(
Action=[awacs.logs.CreateLogGroup,
awacs.logs.CreateLogStream,
awacs.logs.PutLogEvents],
Effect=Allow,
# The log permissions are limited to the two resources computed above
# this excerpt (lambda_resource, edge_resource), not a wildcard.
Resource=[lambda_resource, edge_resource]
)
# Wraps the statements from self.generate_iam_policy_statements() in an
# inline IAM policy whose name is "<stack name>-policy".
# NOTE(review): the inner `Policy` taking Statement=... is presumably a
# policy-document class (e.g. awacs.aws.Policy), not troposphere's
# iam.Policy -- confirm against the file's imports.
# The excerpt ends before the closing parenthesis of iam.Policy(.
def generate_iam_policy(self):
return iam.Policy(
PolicyName=Sub("${AWS::StackName}-policy"),
PolicyDocument=Policy(
Statement=self.generate_iam_policy_statements()
)
# Arguments of a role declaration whose opening call is above this excerpt.
# The excerpt also ends inside the third policy statement.
'StackDeletorRole',
Metadata={
'Description': 'Some comment',
},
# Trust policy: only the EC2 service principal may call sts:AssumeRole.
AssumeRolePolicyDocument={
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": 'ec2.amazonaws.com',
},
"Action": ["sts:AssumeRole"]
}]
},
Path='/',
Policies=[
iam.Policy(
PolicyName="AllowStackDeletionPolicy",
PolicyDocument={
"Version" : "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [ "cloudformation:DeleteStack" ],
# DeleteStack is scoped to this stack's own ARN (region, account and
# stack name are substituted at deploy time), so the role cannot
# delete other stacks.
"Resource": Sub('arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/*'),
},
{
"Effect": "Allow",
# EC2 Describe* actions do not support resource-level permissions, so
# "*" is the only usable resource here. IAM action names are
# case-insensitive, so "ec2:describeAddresses" still matches.
"Action": [ "ec2:DescribeInstances", "ec2:describeAddresses" ],
"Resource": "*"
},
{
"Effect": "Allow",
def generate_iam_policies(self):
    """Return the S3-write policy followed by the logs-write policy.

    Both policy names are prefixed with the value returned by
    self.context.get_fqn(self.name).
    """
    fqn = self.context.get_fqn(self.name)
    # NOTE(review): the permissions come from s3_write_policy() and
    # logs_write_policy(), neither of which is shown in this excerpt. The S3
    # document is built for Ref(BUCKET); check that both helpers scope their
    # resources rather than using "*" -- TODO confirm.
    return [
        iam.Policy(
            S3_WRITE_POLICY,
            PolicyName='{}-s3-write'.format(fqn),
            PolicyDocument=s3_write_policy(Ref(BUCKET)),
        ),
        iam.Policy(
            LOGS_WRITE_POLICY,
            PolicyName='{}-logs-write'.format(fqn),
            PolicyDocument=logs_write_policy(),
        ),
    ]
def generate_iam_policies(self):
    """Return a conditional that selects between two policy lists.

    When the "EnableStreamingLogs" condition holds, the list containing the
    ECS agent policy plus the Kinesis logging policy is used; otherwise only
    the ECS agent policy is used.
    """
    # Referencing the namespace inside a resource name is deprecated; it is
    # kept here only for backwards compatibility with minion clusters.
    namespace = self.context.namespace
    base_policies = [
        Policy(
            PolicyName="%s-ecs-agent" % namespace,
            PolicyDocument=ecs_agent_policy(),
        ),
    ]
    # Deep-copy the base list so the logging variant shares no policy
    # objects with it.
    with_logging = copy.deepcopy(base_policies) + [
        Policy(
            PolicyName="%s-kinesis-logging" % namespace,
            PolicyDocument=logstream_policy(),
        ),
    ]
    # NOTE(review): the granted permissions are defined by ecs_agent_policy()
    # and logstream_policy(), which are outside this excerpt -- review them
    # for wildcard actions or resources.
    return If("EnableStreamingLogs", with_logging, base_policies)