Class: Sfn::Callback::StackPolicy

Inherits:
Sfn::Callback show all
Defined in:
lib/sfn/callback/stack_policy.rb

Constant Summary

DEFENSELESS_POLICY =

Policy to apply prior to stack deletion

{
  # A single allow-all statement: every "Update:*" action is permitted on every
  # resource, so a stack carrying this document has no update protection at all.
  "Statement" => [
    {
      "Effect" => "Allow",
      "Action" => "Update:*",
      "Resource" => "*",
      "Principal" => "*",
    },
  ],
}

Instance Attribute Summary

Attributes inherited from Sfn::Callback

#api, #arguments, #config, #ui

Instance Method Summary

Methods inherited from Sfn::Callback

#run_action

Constructor Details

#initialize(*args) ⇒ self

Overload to init policy cache



# File 'lib/sfn/callback/stack_policy.rb', line 23

# Build the callback and set up the per-stack policy cache.
#
# Every argument is handed unchanged to Sfn::Callback#initialize; afterwards
# the empty Smash exposed by #policies is created. The other hooks
# (#template, #before_update, #save_stack_policy) read and write that cache.
#
# @param args [Array] arguments forwarded verbatim to the parent initializer
# @return [self]
def initialize(*args)
  super(*args)
  @policies = Smash.new
end

Instance Attribute Details

#policies ⇒ Smash (readonly)



# File 'lib/sfn/callback/stack_policy.rb', line 18

# Cache of stack policy documents, keyed by stack name as written by
# #template and #before_update (#save_stack_policy additionally probes the
# stack id and logical id when looking a document up).
#
# @return [Smash] the live cache object, not a copy; callers that mutate it
#   change what the after hooks submit
def policies
  @policies
end

Instance Method Details

#before_update(args) ⇒ Object

Disable all existing policies prior to update



# File 'lib/sfn/callback/stack_policy.rb', line 48

# Replace every cached policy with DEFENSELESS_POLICY ahead of the update,
# when the `stack_policy.update` configuration value is the string
# "defenseless".
#
# DEFENSELESS_POLICY allows "Update:*" on every resource, so while it is in
# force nothing in the root stack or any nested stack is protected from
# replacement or deletion by the update; that is why a warning is printed
# before anything else happens. The loosened document is pushed straight away
# via #save_stack_policy for the root stack and each nested stack, and it
# overwrites whatever #template had cached under the same stack name.
#
# @param args [Hash] hook arguments; only `:api_stack` is read
# @return [Array, nil] the list of stacks processed, or nil when the update
#   mode is not "defenseless"
def before_update(args)
  return unless config.get(:stack_policy, :update).to_s == "defenseless"

  ui.warn "Disabling all stack policies for update."
  root_stack = args[:api_stack]
  targets = ([root_stack] + root_stack.nested_stacks).compact
  targets.each do |target|
    # The previously cached document for this stack is not retained here.
    @policies[target.name] = DEFENSELESS_POLICY
    run_action "Disabling stack policy for #{ui.color(target.name, :yellow)}" do
      save_stack_policy(target)
    end
  end
end

#save_stack_policy(p_stack) ⇒ NilClass

Save the cached policy for the given stack



# File 'lib/sfn/callback/stack_policy.rb', line 76

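# Push the cached policy document for the given stack to CloudFormation.
#
# The document is looked up by stack id, then by the stack's logical id, then
# by stack name (the key #template and #before_update write). Before
# submission every statement whose Resource is scoped to a
# `LogicalResourceId/<id>` that is no longer present in the stack is dropped,
# so the submitted policy only references live resources. The body is then
# sent with the SetStackPolicy action.
#
# @param p_stack [Object] stack whose policy is submitted; must respond to
#   #id, #name, #data, #resources and #api
# @return [Object] response of the SetStackPolicy request
def save_stack_policy(p_stack)
  valid_logical_ids = p_stack.resources.reload.all.map(&:logical_id)
  # Fallback chain: id, then logical id, then name. The previous form nested
  # the fetch calls with the default argument in the wrong position, so the
  # logical-id lookup was evaluated eagerly and the name was never used as a
  # default for it.
  cached = @policies[p_stack.id] ||
           @policies[p_stack.data[:logical_id]] ||
           @policies[p_stack.name]
  stack_policy = cached && cached.to_smash
  if stack_policy
    stack_policy[:Statement].delete_if do |policy_item|
      policy_match = policy_item[:Resource].to_s.match(
        %r{LogicalResourceId/(?<logical_id>.+)$}
      )
      # Statements not scoped to a logical id (e.g. Resource "*") are kept.
      policy_match && !valid_logical_ids.include?(policy_match["logical_id"])
    end
  end
  # NOTE(review): when nothing is cached, stack_policy is nil and the body
  # sent is the JSON "null"; how the service treats that is not established
  # here — confirm before relying on this path.
  p_stack.api.request(
    :path => "/",
    :method => :post,
    :form => Smash.new(
      "Action" => "SetStackPolicy",
      "StackName" => p_stack.id,
      "StackPolicyBody" => MultiJson.dump(stack_policy),
    ),
  )
end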

#submit_policy(args) ⇒ Object Also known as: after_create, after_update

Submit all cached policies



# File 'lib/sfn/callback/stack_policy.rb', line 31

# Submit every cached policy document to CloudFormation.
#
# Walks the root stack and each of its nested stacks and calls
# #save_stack_policy for each one, wrapped in #run_action so the UI reports
# progress per stack. Registered as both `after_create` and `after_update`.
#
# @param args [Hash] hook arguments; only `:api_stack` is read
# @return [Object] result of the closing `ui.info` call
def submit_policy(args)
  ui.info "Submitting stack policy documents"
  root_stack = args[:api_stack]
  stacks = ([root_stack] + root_stack.nested_stacks).compact
  stacks.each do |target|
    label = ui.color(target.name, :yellow)
    run_action "Applying stack policy to #{label}" do
      save_stack_policy(target)
    end
  end
  ui.info "Stack policy documents successfully submitted!"
end

#template(info) ⇒ Object

Generate stack policy for stack and cache for the after hook to handle



# File 'lib/sfn/callback/stack_policy.rb', line 65

# Generate the stack policy for a SparkleFormation stack and cache it for the
# after hook (#submit_policy) to push.
#
# Does nothing when no `:sparkle_stack` is present. The document is stored
# under `:stack_name`, falling back to the literal "unknown" when that key is
# absent.
#
# @param info [Hash] template hook data; reads `:sparkle_stack` and
#   `:stack_name`
# @return [Object, nil] result of the cache write, or nil when skipped
def template(info)
  sparkle_stack = info[:sparkle_stack]
  return unless sparkle_stack

  cache_key = info.fetch(:stack_name, "unknown")
  @policies.set(cache_key, sparkle_stack.generate_policy)
end