in source/idea/pipeline/stack.py [0:0]
def get_smoke_test_step(self) -> pipelines.CodeBuildStep:
    """Build the CodeBuild step that runs the ``integ-tests.smoke`` suite.

    The step installs the Chrome dependencies from the pipeline script and
    attaches the IAM statements listed below to the test role. Statements
    that use ``"Resource": "*"`` or an account wildcard are marked with
    review notes, because they are wider than the cluster-scoped ones.

    Returns:
        The step produced by ``IntegTestStepBuilder.build()``.
    """

    def allow(actions, resources, condition=None):
        # Emits the same JSON document shape as a literal statement; the
        # "Condition" key is present only when a condition is supplied.
        document = {"Effect": "Allow", "Action": actions, "Resource": resources}
        if condition is not None:
            document["Condition"] = condition
        return iam.PolicyStatement.from_json(document)

    builder = IntegTestStepBuilder(
        "integ-tests.smoke", self.params.cluster_name, self.region
    )
    install_commands = get_commands_for_scripts(
        ["source/idea/pipeline/scripts/chrome/install_commands.sh"]
    )
    builder = builder.test_specific_install_command(*install_commands)

    role_statements = [
        # SendCommand, document side: the account field is "*" and the
        # document name is "*", so any SSM document in the region matches.
        # NOTE(review): consider naming only the documents the tests invoke.
        allow(
            ["ssm:SendCommand"],
            [f"arn:{self.partition}:ssm:{self.region}:*:document/*"],
        ),
        # SendCommand, target side: only instances in this account and
        # region whose res:EnvironmentName tag matches the cluster name.
        allow(
            ["ssm:SendCommand"],
            [f"arn:{self.partition}:ec2:{self.region}:{self.account}:instance/*"],
            {
                "StringLike": {
                    "ssm:resourceTag/res:EnvironmentName": [
                        self.params.cluster_name
                    ]
                }
            },
        ),
        # Reading command results is not restricted to a resource.
        allow(["ssm:GetCommandInvocation"], "*"),
        # NOTE(review): until the TODO below is resolved, this statement
        # places no bucket or key restriction on s3:GetObject.
        # TODO: Specify the bucket to which SSM writes command outputs
        allow(["s3:GetObject"], "*"),
        # Read-only discovery call, not restricted to a resource.
        allow(["elasticloadbalancing:DescribeLoadBalancers"], "*"),
        # Attribute changes are limited to the cluster's external ALB.
        allow(
            ["elasticloadbalancing:ModifyLoadBalancerAttributes"],
            f"arn:{self.partition}:elasticloadbalancing:{self.region}:{self.account}:loadbalancer/app/{self.params.cluster_name}-external-alb/*",
        ),
        # Read-only discovery call, not restricted to a resource.
        allow(["autoscaling:DescribeAutoScalingGroups"], "*"),
        # Read and write access to three named cluster tables. This includes
        # PutItem/DeleteItem on cluster-settings, so the test role can
        # change cluster configuration.
        allow(
            [
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:PutItem",
                "dynamodb:DeleteItem",
                "dynamodb:Query",
            ],
            [
                f"arn:{self.partition}:dynamodb:{self.region}:{self.account}:table/{self.params.cluster_name}.cluster-settings",
                f"arn:{self.partition}:dynamodb:{self.region}:{self.account}:table/{self.params.cluster_name}.ad-sync.distributed-lock",
                f"arn:{self.partition}:dynamodb:{self.region}:{self.account}:table/{self.params.cluster_name}.ad-sync.status",
            ],
        ),
        # Resource is "*", but the ecs:cluster condition pins these task
        # operations to the ad-sync cluster.
        allow(
            ["ecs:RunTask", "ecs:StopTask", "ecs:ListTasks"],
            "*",
            {
                "ArnEquals": {
                    "ecs:cluster": f"arn:{self.partition}:ecs:{self.region}:{self.account}:cluster/{self.params.cluster_name}-ad-sync-cluster",
                }
            },
        ),
        # PassRole is limited to the single ad-sync task role.
        # NOTE(review): no iam:PassedToService condition is set; adding one
        # would also pin which service may receive the role.
        allow(
            ["iam:PassRole"],
            f"arn:{self.partition}:iam::{self.account}:role/{self.params.cluster_name}-ad-sync-task-role",
        ),
        # NOTE(review): ec2:DeregisterImage is a destructive action granted
        # on "*"; confirm whether it can be limited to images the tests
        # create (for example with a tag condition).
        allow(["ec2:DescribeSecurityGroups", "ec2:DeregisterImage"], "*"),
    ]

    return builder.test_specific_role_policy_statement(*role_statements).build()