in cloudformation/external-slurmdbd/external_slurmdbd/external_slurmdbd_stack.py [0:0]
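def _add_iam_role(self):
    """Create the Slurmdbd instance role and attach its least-privilege inline policy.

    The role trusts the EC2 service principal of the current partition
    (``ec2.<url_suffix>``). One ``iam.CfnPolicy`` named ``ExternalSlurmdbdPolicies``
    is attached to it; every statement is scoped to a resource this stack already
    knows rather than to ``*``, with one exception noted below:

    * ``secretsmanager:GetSecretValue`` only on the DBMS password secret and the
      munge key secret.
    * ``logs:CreateLogStream`` / ``logs:PutLogEvents`` only on this stack's log group.
    * ``ec2:AssignPrivateIpAddresses`` on ``*`` (presumably because the network
      interface ARN is not known at synth time), narrowed with a ``StringLike``
      condition on ``ec2:Subnet`` so it only matches the stack's own subnet.
    * ``s3:ListBucket`` on the bucket ARN, and object-level read/write/delete on
      ``<bucket ARN>/*``.

    The role is created in ``self``'s scope while the policy is created in the
    enclosing ``Stack`` (``Stack.of(self)``).

    Returns:
        iam.CfnRole: the created role; callers reference it through ``role.ref``.
    """
    role = iam.CfnRole(
        self,
        "SlurmdbdInstanceRole",
        assume_role_policy_document=get_assume_role_policy_document(f"ec2.{self.url_suffix}"),
        description="Role for Slurmdbd EC2 instance to access necessary AWS resources",
    )

    statements = [
        iam.PolicyStatement(
            actions=["secretsmanager:GetSecretValue"],
            resources=[
                self.dbms_password_secret_arn.value_as_string,
                self.munge_key_secret_arn.value_as_string,
            ],
            effect=iam.Effect.ALLOW,
            sid="SecretsManagerPolicy",
        ),
        iam.PolicyStatement(
            actions=["logs:CreateLogStream", "logs:PutLogEvents"],
            resources=[self._log_group.log_group_arn],
            effect=iam.Effect.ALLOW,
            sid="CloudWatchLogsPolicy",
        ),
        iam.PolicyStatement(
            actions=["ec2:AssignPrivateIpAddresses"],
            # Resource "*" is the only wildcard in this policy; the ec2:Subnet
            # condition is what keeps it bounded. The leading "*" is there because
            # the condition key carries the subnet ARN while only the subnet id is
            # available here -- TODO confirm against the condition-key docs.
            resources=["*"],
            effect=iam.Effect.ALLOW,
            conditions={"StringLike": {"ec2:Subnet": f"*{self.subnet_id.value_as_string}"}},
            sid="IPAssignmentPolicy",
        ),
        # Bucket-level and object-level S3 permissions need different resource
        # ARNs (bucket vs. bucket/*), hence two statements.
        iam.PolicyStatement(
            actions=["s3:ListBucket"],
            resources=[self.s3_bucket.attr_arn],
            effect=iam.Effect.ALLOW,
            sid="S3BucketPolicy",
        ),
        iam.PolicyStatement(
            actions=[
                "s3:GetObject",
                "s3:PutObject",
                "s3:AbortMultipartUpload",
                "s3:DeleteObject",
            ],
            resources=[self.s3_bucket.attr_arn + "/*"],
            effect=iam.Effect.ALLOW,
            sid="S3BucketObjectsPolicy",
        ),
    ]

    iam.CfnPolicy(
        Stack.of(self),
        "ExternalSlurmdbdPolicies",
        policy_name="ExternalSlurmdbdPolicies",
        roles=[role.ref],
        policy_document=iam.PolicyDocument(statements=statements),
    )
    return role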