in aws/solutions/lambda-backed-cloudformation-custom-resources/update_kms_policy/lambda_function.py [0:0]
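def _parse_actions_csv(actions_csv):
    """Split a comma-separated action list into a clean list of action names.

    Surrounding whitespace is stripped from each entry and empty entries
    (e.g. from a trailing comma or ``"a,,b"``) are dropped, because a policy
    whose ``Action`` contains an empty string is malformed and would be
    rejected when written back to the key.
    """
    return [action.strip() for action in actions_csv.split(',') if action.strip()]


def cloudformation_create(event, context):
    """Add the given permissions to the KMS key policy for the specified IAM ARN.

    Reads ``actions-csv`` and ``iam-principal-arn`` from the event's
    ``ResourceProperties``, appends a matching ``Allow`` statement to the
    key's existing policy document, writes it back with ``modify_kms_policy``
    and reports ``SUCCESS`` to CloudFormation.

    The appended statement is taken verbatim from the stack template, so the
    template author decides which principal is granted which KMS actions on
    the key; those two properties deserve the same review as any other
    key-policy change.

    Args:
        event: CloudFormation custom-resource request.  A ``StackId`` equal
            to the local-testing sentinel suppresses the response callback.
        context: Lambda context, passed through to the helpers.

    Returns:
        None.  Failures are reported through ``custom_raise_exception``.
    """
    if DEBUG_MODE is True:
        print("Create Option: Attempting to run creation")

    original_policy_document = get_kms_key_policy(event, context)
    policy_json = json.loads(original_policy_document['Policy'])

    statements = policy_json.get('Statement')
    if not isinstance(statements, list):
        custom_raise_exception(event, context, 'Endpoint policy looks invalid, Statement stanza is not a list.')
        # Only reached if custom_raise_exception reports the failure without
        # raising; never write back a policy we could not interpret.
        return

    actions = _parse_actions_csv(event['ResourceProperties']['actions-csv'])
    if not actions:
        custom_raise_exception(event, context, 'actions-csv does not contain any KMS actions.')
        return

    new_statement = {
        "Action": actions,
        "Principal": {
            "AWS": event['ResourceProperties']['iam-principal-arn']
        },
        "Resource": "*",
        "Effect": "Allow"
    }

    # A Create request can be delivered more than once for the same resource
    # (e.g. a retried invocation); avoid stacking identical statements on
    # the key each time.
    if new_statement in statements:
        print("Statement already present in key policy, not appending.")
    else:
        print("Statement is a list, appending...")
        statements.append(new_statement)
        print(json.dumps(policy_json, indent=2))

    if DEBUG_MODE is True:
        print("New policy\n%s" % json.dumps(policy_json, indent=2))
    modify_kms_policy(event, context, policy_json)

    response_data = {}
    if event['StackId'] == '012345678910/fake-stack-id':
        print("Skipping sending CloudFormation response due to local testing.")
        return
    send(event, context, 'SUCCESS', response_data, event['StackId'])
    if DEBUG_MODE is True:
        print("Exiting successfully")
    return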