def remove_policy()

in infra/clean_template.py [0:0]


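def remove_policy(input_path: str, output_path: str):
    """Remove all IAM policies from a CloudFormation JSON template.

    The CDK implementation of CodePipelines does not respect the
    CloudFormation option to leave a role blank so that it automatically
    defaults to the execution role.

    For reference, see https://github.com/aws/aws-cdk/issues/14887

    Every resource whose ``Type`` is ``AWS::IAM::Policy`` is deleted, and its
    logical ID is dropped from the ``DependsOn`` attribute of the remaining
    resources. ``DependsOn`` may be a single logical ID string or a list of
    them; both forms are handled, and an attribute left empty is removed.

    Security review notes:
      * Only ``DependsOn`` references are cleaned up. Any other reference to
        a removed policy (for example ``Ref`` or ``Fn::GetAtt``) is left in
        place and would dangle.
      * Only ``AWS::IAM::Policy`` resources are removed; resources of any
        other type are written back unchanged.
      * NOTE(review): after stripping, the stack presumably relies on the
        permissions of the default/execution role. Confirm that role is
        scoped to least privilege and diff the written template before
        deploying it.

    Args:
        input_path: Path of the CloudFormation JSON template to read.
        output_path: Path the cleaned template is written to. It may equal
            ``input_path``, because the input is fully loaded before writing.

    Raises:
        KeyError: If the template has no ``Resources`` section or a resource
            has no ``Type``.
    """
    with open(input_path, "r") as f:
        template = json.load(f)

    resources = template["Resources"]

    # Remove policies
    policy_ids = [
        name for name, res in resources.items() if res["Type"] == "AWS::IAM::Policy"
    ]
    for policy_id in policy_ids:
        logger.debug(f"Removing Policy {policy_id}")
        del resources[policy_id]

    # Remove policy dependencies
    removed = set(policy_ids)
    for res in resources.values():
        if "DependsOn" not in res:
            continue
        depends_on = res["DependsOn"]
        # CloudFormation accepts a bare string here as well as a list. Treating
        # the string like a list would make `in` a substring test and break on
        # `.remove()`, so normalise it for the comparison only.
        was_scalar = isinstance(depends_on, str)
        entries = [depends_on] if was_scalar else depends_on

        kept = []
        for dep in entries:
            if dep in removed:
                logger.debug(f"Removing DependsOn {dep}")
            else:
                kept.append(dep)

        if not kept:
            del res["DependsOn"]
        elif not was_scalar:
            # A surviving scalar is left in its original string form.
            res["DependsOn"] = kept

    # Save file back
    logger.info(f"Writing template to: {output_path}")
    with open(output_path, "w") as f:
        json.dump(template, f, indent=2)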