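def setup_s3_read_write_policy(buckets: List[pulumi.Output], project_name: str, instance_role: iam.Role):
    """
    Attach a *read-only* S3 policy for ``buckets`` to ``instance_role``.

    Despite the function name, the policy only grants ``s3:ListBucket`` on each
    bucket and ``s3:GetObject`` on its objects; no write action is granted.
    That is kept as-is on purpose (least privilege): if callers actually need
    write access, add ``s3:PutObject`` / ``s3:DeleteObject`` explicitly rather
    than widening this helper silently.

    Args:
        buckets: bucket resources; each must expose an ``id`` Output holding
            the bucket name (this is what the original code reads, despite the
            ``List[pulumi.Output]`` annotation).
        project_name: prefix for the generated policy / attachment names.
        instance_role: IAM role the policy is attached to.

    Raises:
        ValueError: if ``buckets`` is empty -- IAM rejects a statement with an
            empty ``Resource`` list, so fail early with a clear message.

    Side effects:
        Declares one ``iam.Policy`` and one ``iam.RolePolicyAttachment``.
    """
    if not buckets:
        raise ValueError("setup_s3_read_write_policy: at least one bucket is required")

    def _render_policy(names: List[str]) -> str:
        # Build the document from the *resolved* bucket names. "Version" is
        # explicit: without it IAM evaluates the policy under the 2008-10-17
        # language, which does not support policy variables.
        return json.dumps(
            {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Action": ["s3:ListBucket"],
                        "Resource": [f"arn:aws:s3:::{name}" for name in names],
                    },
                    {
                        "Effect": "Allow",
                        "Action": "s3:GetObject",
                        "Resource": [f"arn:aws:s3:::{name}/*" for name in names],
                    },
                ],
            }
        )

    # Only the JSON document is computed inside apply(). The resources are
    # declared eagerly so they appear in `pulumi preview` and are not silently
    # skipped when the bucket ids are still unknown (creating resources inside
    # apply() is the documented Pulumi anti-pattern the original fell into).
    policy_doc = pulumi.Output.all(*[bucket.id for bucket in buckets]).apply(_render_policy)

    policy_name = create_unique_name(f'{project_name}-buckets-policy')
    s3_policy = iam.Policy(policy_name, policy=policy_doc)

    attachment_name = create_unique_name(
        f'{project_name}-buckets-role-policy-attachment'
    )
    iam.RolePolicyAttachment(
        attachment_name, role=instance_role, policy_arn=s3_policy.arn
    )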
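def setup_s3_read_write_policy(buckets: List[pulumi.Output], project_name: str, instance_role: iam.Role):
    """
    Attach a *read-only* S3 policy for ``buckets`` to ``instance_role``.

    The policy grants only ``s3:ListBucket`` on each bucket and ``s3:GetObject``
    on its objects -- no write actions, whatever the function name suggests.
    This is deliberately not widened (least privilege); add write actions
    explicitly at the call site if they are really needed.

    This revision also fixes the input handling: the previous body passed the
    whole ``buckets`` list as a single argument to ``pulumi.Output.all`` and
    then read ``.id`` on the resolved values, which does not match the
    ``List[pulumi.Output]`` annotation and -- as far as can be told from here --
    would fail at resolve time. Each entry is now normalised individually.

    Args:
        buckets: bucket resources (their ``id`` Output is used) or bucket
            names / ``Output[str]`` values; both forms are accepted.
        project_name: prefix for the generated policy / attachment names.
        instance_role: IAM role the policy is attached to.

    Raises:
        ValueError: if ``buckets`` is empty (IAM rejects an empty Resource list).

    Side effects:
        Declares one ``iam.Policy`` and one ``iam.RolePolicyAttachment``.
    """
    if not buckets:
        raise ValueError("setup_s3_read_write_policy: at least one bucket is required")

    def _bucket_name(bucket):
        # A plain name or an Output[str] is passed through untouched (an
        # Output lifts attribute access, so ``.id`` on it would be wrong);
        # anything else is assumed to be a resource exposing ``id``.
        if isinstance(bucket, (str, pulumi.Output)):
            return bucket
        return bucket.id

    def _render_policy(names: List[str]) -> str:
        # Explicit "Version": without it IAM uses the 2008-10-17 language.
        return json.dumps(
            {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Action": ["s3:ListBucket"],
                        "Resource": [f"arn:aws:s3:::{name}" for name in names],
                    },
                    {
                        "Effect": "Allow",
                        "Action": "s3:GetObject",
                        "Resource": [f"arn:aws:s3:::{name}/*" for name in names],
                    },
                ],
            }
        )

    # Resolve every bucket name separately (one positional arg each) and keep
    # the resource declarations outside apply() so they are visible in preview.
    policy_doc = pulumi.Output.all(*[_bucket_name(b) for b in buckets]).apply(_render_policy)

    policy_name = create_unique_name(f'{project_name}-buckets-policy')
    s3_policy = iam.Policy(policy_name, policy=policy_doc)

    attachment_name = create_unique_name(
        f'{project_name}-buckets-role-policy-attachment'
    )
    iam.RolePolicyAttachment(
        attachment_name, role=instance_role, policy_arn=s3_policy.arn
    )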