in swift_iam_role/swift_iam_role.py [0:0]
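def create_swift_infrastructure_role(
        self, database_instance: _rds.DatabaseInstance, instance_ids: List[str],
        mq_broker_arn: str):
    """Create the SWIFT infrastructure operator role and its inline policy.

    The role ``SWIFTInfrastructureRole`` is assumable by any principal of
    this account (``self.account``), but only when the caller presents MFA
    (``aws:MultiFactorAuthPresent`` condition on the trust policy).  Its
    policy ``SwiftInfrastructurePolicy`` grants:

    * ``rds:Describe*`` on ``*`` and ``rds:Start*``/``rds:Stop*`` on
      ``database_instance`` only;
    * ``ec2:Describe*`` on ``*`` and ``ec2:Start*``/``ec2:Stop*`` on the
      instances listed in ``instance_ids`` only -- that statement is omitted
      entirely when no instance ids are given;
    * ``mq:List*``, ``mq:Describe*`` and ``mq:RebootBroker`` on
      ``mq_broker_arn`` only;
    * ``logs:List*``, ``logs:Describe*`` and ``logs:Get*`` on ``*``.

    Args:
        database_instance: RDS instance whose ``instance_arn`` scopes the
            start/stop permission.
        instance_ids: EC2 instance ids in this stack's region and account
            that the role may start and stop.  ``None`` or an empty list
            means no EC2 start/stop permission is granted.
        mq_broker_arn: ARN of the Amazon MQ broker the role may reboot.

    Returns:
        None.  The role and policy are created as children of ``self``.
    """
    mfa_account_principal = _iam.AccountPrincipal(
        account_id=self.account
    ).with_conditions({"Bool": {"aws:MultiFactorAuthPresent": "true"}})
    swift_infrastructure_role = _iam.Role(
        self, "SWIFTInfrastructureRole",
        role_name="SWIFTInfrastructureRole",
        assumed_by=mfa_account_principal)

    # NOTE(review): the partition is hard-coded to "aws"; a deployment into
    # another partition (aws-cn, aws-us-gov) would need the stack's own
    # partition here -- confirm against the target environments.
    instance_arns = [
        f"arn:aws:ec2:{self.region}:{self.account}:instance/{instance_id}"
        for instance_id in (instance_ids or [])
    ]
    # Only build the start/stop statement when there is a resource to scope
    # it to.  The original code appended it unconditionally, so a None or
    # empty ``instance_ids`` produced a statement with an empty ``resources``
    # list, which CDK's identity-policy validation rejects at synth time.
    ec2_start_stop = (
        [_iam.PolicyStatement(
            effect=_iam.Effect.ALLOW, actions=["ec2:Start*", "ec2:Stop*"],
            resources=instance_arns)]
        if instance_arns else [])

    statements = [
        # Discovery is read-only and account-wide; every mutating action
        # below is pinned to a single resource ARN.
        _iam.PolicyStatement(
            effect=_iam.Effect.ALLOW, actions=["rds:Describe*"],
            resources=["*"]),
        _iam.PolicyStatement(
            effect=_iam.Effect.ALLOW, actions=["rds:Start*", "rds:Stop*"],
            resources=[database_instance.instance_arn]),
        _iam.PolicyStatement(
            effect=_iam.Effect.ALLOW, actions=["ec2:Describe*"],
            resources=["*"]),
        *ec2_start_stop,
        _iam.PolicyStatement(
            effect=_iam.Effect.ALLOW,
            actions=["mq:List*", "mq:Describe*", "mq:RebootBroker"],
            resources=[mq_broker_arn]),
        # logs:Get* on "*" covers logs:GetLogEvents, i.e. the contents of
        # every log group in the account, not only log-group metadata.
        _iam.PolicyStatement(
            effect=_iam.Effect.ALLOW,
            actions=["logs:List*", "logs:Describe*", "logs:Get*"],
            resources=["*"]),
    ]
    _iam.Policy(
        self, "SwiftInfrastructurePolicy", policy_name="SwiftInfrastructurePolicy",
        roles=[swift_infrastructure_role], statements=statements,
        force=True)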