in src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/lambda_codebase/enable_cross_account_access.py [0:0]
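def lambda_handler(event, _):
    """Grant the pipeline roles access to each region's S3 bucket and KMS key.

    For the deployment account region plus every region listed in
    ``event["regions"]``, the regional bucket name and KMS key ARN are read
    from Parameter Store. Then, per region, the function assumes
    ``adf-cloudformation-deployment-role`` in the target account
    (``event["account_id"]``) and updates that account's roles
    (``target_role_policies``) with the region's bucket and key. Finally the
    deployment account's own roles (``role_policies``) are updated with the
    complete lists of buckets and keys using the Lambda's own credentials.

    Args:
        event: Invocation payload. ``account_id``, ``deployment_account_region``
            and optionally ``regions`` (list of region names) are read; nothing
            else is validated here, so the caller is assumed to be trusted
            (presumably the ADF step function — verify against the state
            machine definition).
        _: Lambda context, unused.

    Returns:
        ``event`` unchanged, so the step can be chained.

    Raises:
        Whatever ``parameter_store.fetch_parameter`` or the final ``update_iam``
        raise is propagated. A ``ClientError`` raised while assuming the
        target-account role or applying that account's update is logged and
        the region is skipped.
    """
    target_role_policies = {
        'adf-cloudformation-deployment-role': 'adf-cloudformation-deployment-role-policy-kms',
        'adf-cloudformation-role': 'adf-cloudformation-role-policy'
    }
    role_policies = {
        'adf-codepipeline-role': 'adf-codepipeline-role-policy',
        'adf-cloudformation-deployment-role': 'adf-cloudformation-deployment-role-policy',
        'adf-cloudformation-role': 'adf-cloudformation-role-policy'
    }
    sts = STS()
    partition = get_partition(REGION_DEFAULT)
    parameter_store = ParameterStore(
        region=event.get('deployment_account_region'),
        role=boto3
    )
    account_id = event.get("account_id")
    target_role_arn = (
        f'arn:{partition}:iam::{account_id}:role/adf-cloudformation-deployment-role'
    )
    kms_key_arns = []
    s3_buckets = []
    # De-duplicate in case the deployment region is also listed in "regions";
    # set iteration order is arbitrary, which is fine since each region is
    # handled independently.
    regions = {event.get('deployment_account_region'), *event.get("regions", [])}
    for region in regions:
        kms_key_arn = parameter_store.fetch_parameter(
            f"/cross_region/kms_arn/{region}"
        )
        kms_key_arns.append(kms_key_arn)
        s3_bucket = parameter_store.fetch_parameter(
            f"/cross_region/s3_regional_bucket/{region}"
        )
        s3_buckets.append(s3_bucket)
        try:
            role = sts.assume_cross_account_role(target_role_arn, 'base_cfn_role')
            LOGGER.debug("Role has been assumed for %s", account_id)
            update_iam(role, s3_bucket, kms_key_arn, target_role_policies)
        except ClientError as err:
            # Skipping leaves the target account's roles without access to this
            # region's bucket/key, so surface it above debug level rather than
            # burying the failure; processing of the remaining regions and the
            # deployment-account update below still continues.
            LOGGER.warning(
                "%s could not be assumed or updated for region %s (%s), continuing",
                account_id, region, err, exc_info=True
            )
            continue
    update_iam(boto3, s3_buckets, kms_key_arns, role_policies)
    return event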