func CreateDeviceFleetPolicy()

in aws/iam.go [184:284]


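// CreateDeviceFleetPolicy returns the IAM policy that grants a SageMaker Edge
// device fleet its runtime permissions, creating the policy when it does not
// yet exist.
//
// The document allows the fleet's devices to call the SageMaker Edge APIs
// (SendHeartbeat, GetDeviceRegistration) on the fleet and its devices, lets
// the fleet manage the IoT role alias "SageMakerEdge-<fleet>", and lets it
// read and pass cliArgs.DeviceFleetRole. iam:PassRole is limited with a
// StringEqualsIfExists condition on iam:PassedToService; "IfExists" means a
// PassRole request in which that context key is absent is still allowed.
//
// The policy is addressed by the ARN derived from cliArgs.Account and the
// lowercased fleet name. If a policy with that ARN already exists it is
// returned as-is: its document is not compared with, or updated to, the one
// built here. Marshalling, lookup and creation failures terminate the process
// via log.Fatal, as elsewhere in this file.
func CreateDeviceFleetPolicy(client IamClient, cliArgs *cli.CliArgs) *types.Policy {
	fleetLower := strings.ToLower(cliArgs.DeviceFleet)
	fleetArn := fmt.Sprintf("arn:aws:sagemaker:%s:%s:device-fleet/%s", cliArgs.Region, cliArgs.Account, fleetLower)
	roleArn := fmt.Sprintf("arn:aws:iam::%s:role/%s", cliArgs.Account, cliArgs.DeviceFleetRole)

	// Restrict PassRole to the IoT services. Built as a Go value instead of
	// being parsed from a JSON literal at run time; the marshalled form is
	// identical and there is no parse step that can fail.
	condition := map[string]interface{}{
		"StringEqualsIfExists": map[string]interface{}{
			"iam:PassedToService": []string{
				"iot.amazonaws.com",
				"credentials.iot.amazonaws.com",
			},
		},
	}

	policyDocument := &PolicyDocument{
		Version: "2012-10-17",
		Statement: []StatementEntry{
			{
				Sid:    "SageMakerEdgeApis",
				Effect: "Allow",
				Action: []string{
					"sagemaker:SendHeartbeat",
					"sagemaker:GetDeviceRegistration",
				},
				Resource: []string{
					fleetArn + "/device/*",
					fleetArn,
				},
			},
			{
				Sid:    "CreateIOTRoleAlias",
				Effect: "Allow",
				Action: []string{
					"iot:CreateRoleAlias",
					"iot:DescribeRoleAlias",
					"iot:UpdateRoleAlias",
					"iot:ListTagsForResource",
					"iot:TagResource",
				},
				Resource: []string{
					// The role alias keeps the fleet name's original case.
					fmt.Sprintf("arn:aws:iot:%s:%s:rolealias/SageMakerEdge-%s", cliArgs.Region, cliArgs.Account, cliArgs.DeviceFleet),
				},
			},
			{
				Sid:    "CreateIoTRoleAliasIamPermissionsGetRole",
				Effect: "Allow",
				Action: []string{
					"iam:GetRole",
				},
				Resource: []string{roleArn},
			},
			{
				Sid:    "CreateIoTRoleAliasIamPermissionsPassRole",
				Effect: "Allow",
				Action: []string{
					"iam:PassRole",
				},
				Resource:  []string{roleArn},
				Condition: condition,
			},
		},
	}

	policyDescription := fmt.Sprintf("SageMaker device fleet policy for %s", cliArgs.DeviceFleet)
	policyPath := "/"
	policyName := fmt.Sprintf("%s-policy", fleetLower)
	policyArn := fmt.Sprintf("arn:aws:iam::%s:policy/%s", cliArgs.Account, policyName)

	// The marshal error was previously discarded, which would have sent an
	// empty document to CreatePolicy; fail loudly instead.
	policy, err := json.MarshalIndent(policyDocument, "", " ")
	if err != nil {
		log.Fatalf("Failed to marshal policy document for %s. Encountered error %s\n", policyName, err)
	}
	policyDoc := string(policy)

	getPolicyOutput, err := client.GetPolicy(context.TODO(), &iam.GetPolicyInput{
		PolicyArn: &policyArn,
	})
	if err == nil {
		return getPolicyOutput.Policy
	}

	// Only a missing policy is recoverable; any other lookup error is fatal.
	var nse *types.NoSuchEntityException
	if !errors.As(err, &nse) {
		log.Fatalf("Failed to get policy with name %s. Encountered error %s\n", policyName, err)
	}

	ret, err := client.CreatePolicy(context.TODO(), &iam.CreatePolicyInput{
		Description:    &policyDescription,
		Path:           &policyPath,
		PolicyDocument: &policyDoc,
		PolicyName:     &policyName,
	})
	if err != nil {
		log.Fatalf("Failed to create policy with name %s. Encountered error %s\n", policyName, err)
	}

	return ret.Policy
}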