Module: Convection::DSL::Template::Resource::IAMRole
- Included in:
- Model::Template::Resource::IAMRole
- Defined in:
- lib/convection/model/template/resource/aws_iam_role.rb
Overview
Role DSL
Instance Method Summary
#allow_instance_termination(&block) ⇒ Object
Add a policy that allows the instance to terminate itself.
- #assume_role_policy(policy_name, &block) ⇒ Object
- #policy(policy_name, &block) ⇒ Object
#trust_cloudtrail(&block) ⇒ Object
Add a canned trust policy for CloudTrail.
#trust_ec2_instances(&block) ⇒ Object
Add a canned trust policy for EC2 instances.
#trust_emr(&block) ⇒ Object
Add a canned trust policy for EMR.
#trust_flow_logs(&block) ⇒ Object
Add a canned trust policy for Flow Logs.
#trust_service(name, policy_name = nil, &block) ⇒ Object
Add a canned trust policy for any AWS service.
#with_instance_profile(&block) ⇒ Object
Create an IAM Instance Profile for this role.
Instance Method Details
#allow_instance_termination(&block) ⇒ Object
Add a policy that allows the instance to terminate itself
# Add a policy that allows the instance to terminate itself.
#
# Builds an IAMPolicy resource named "<role name>TerminationPolicy" with a
# single statement granting ec2:TerminateInstances on resource '*'. The
# wildcard is narrowed by a StringEquals condition on ec2:InstanceProfile,
# compared against the Arn of this role's instance profile, so the grant is
# intended to reach only instances carrying that profile. If the role has
# no instance profile yet, one is created first via #with_instance_profile.
#
# @param block [Proc] optional; evaluated on the new policy via instance_exec
# @return [Model::Template::Resource::IAMPolicy] the policy, which is also
#   stored in the template's resources under its name
def allow_instance_termination(&block)
  with_instance_profile if instance_profile.nil?

  # Captured so the statement block (instance_exec'd on the policy) can still
  # reach this role's instance profile.
  role = self
  termination = Model::Template::Resource::IAMPolicy.new("#{ name }TerminationPolicy", @template)
  termination.policy_name('allow-instance-termination')

  termination.allow do
    action 'ec2:TerminateInstances'
    resource '*'
    # Scope the wildcard resource to instances launched with this role's profile.
    condition :StringEquals => {
      'ec2:InstanceProfile' => get_att(role.instance_profile.name, 'Arn')
    }
  end

  termination.role(role)
  termination.depends_on(instance_profile)
  termination.instance_exec(&block) if block

  @template.resources[termination.name] = termination
end
#assume_role_policy(policy_name, &block) ⇒ Object
# Replace this role's trust relationship with a freshly built policy.
#
# Any previously configured trust relationship (including one produced by
# #trust_service) is overwritten.
#
# @param policy_name [String] name given to the new trust policy
# @param block [Proc] optional; evaluated on the new policy via instance_exec
def assume_role_policy(policy_name, &block)
  @trust_relationship = Model::Mixin::Policy.new(:name => policy_name, :template => @template)
  return unless block

  trust_relationship.instance_exec(&block)
end
#policy(policy_name, &block) ⇒ Object
# Append an inline policy to this role.
#
# @param policy_name [String] name given to the new policy
# @param block [Proc] optional; evaluated on the new policy via instance_exec
# @return the policies collection after the append
def policy(policy_name, &block)
  inline_policy = Model::Mixin::Policy.new(:name => policy_name, :template => @template)
  inline_policy.instance_exec(&block) if block

  policies << inline_policy
end
#trust_cloudtrail(&block) ⇒ Object
Add a canned trust policy for CloudTrail
# Add a canned trust policy for CloudTrail.
#
# Delegates to #trust_service with the 'cloudtrail' service principal and
# the policy name 'trust-cloudtrail-instances'.
#
# @param block [Proc] optional; forwarded to #trust_service
def trust_cloudtrail(&block)
  service = 'cloudtrail'
  trust_policy_name = 'trust-cloudtrail-instances'

  trust_service(service, trust_policy_name, &block)
end
#trust_ec2_instances(&block) ⇒ Object
Add a canned trust policy for EC2 instances
# Add a canned trust policy for EC2 instances.
#
# Delegates to #trust_service with the 'ec2' service principal and the
# policy name 'trust-ec2-instances'.
#
# @param block [Proc] optional; forwarded to #trust_service
def trust_ec2_instances(&block)
  service = 'ec2'
  trust_policy_name = 'trust-ec2-instances'

  trust_service(service, trust_policy_name, &block)
end
#trust_emr(&block) ⇒ Object
Add a canned trust policy for EMR
# Add a canned trust policy for EMR.
#
# Delegates to #trust_service with the 'elasticmapreduce' service principal
# and the policy name 'trust-emr'.
#
# @param block [Proc] optional; forwarded to #trust_service
def trust_emr(&block)
  service = 'elasticmapreduce'
  trust_policy_name = 'trust-emr'

  trust_service(service, trust_policy_name, &block)
end
#trust_flow_logs(&block) ⇒ Object
Add a canned trust policy for Flow Logs
# Add a canned trust policy for VPC Flow Logs.
#
# Delegates to #trust_service with the 'vpc-flow-logs' service principal
# and the policy name 'trust-flow-logs'.
#
# @param block [Proc] optional; forwarded to #trust_service
def trust_flow_logs(&block)
  service = 'vpc-flow-logs'
  trust_policy_name = 'trust-flow-logs'

  trust_service(service, trust_policy_name, &block)
end
#trust_service(name, policy_name = nil, &block) ⇒ Object
Add a canned trust policy for any AWS service
# Add a canned trust policy for any AWS service.
#
# Replaces this role's trust relationship with a policy containing one
# statement that allows sts:AssumeRole for the service principal
# "<name>.amazonaws.com". The statement carries no condition of its own
# (e.g. aws:SourceAccount / aws:SourceArn); whether the optional block can
# narrow it further depends on the Policy DSL, which is not visible here.
#
# @param name [String] AWS service name, e.g. 'ec2'
# @param policy_name [String, nil] trust policy name; defaults to
#   "trust-<name>-service"
# @param block [Proc] optional; evaluated on the new policy via instance_exec
def trust_service(name, policy_name = nil, &block)
  service_principal = "#{name}.amazonaws.com"
  effective_name = policy_name || "trust-#{name}-service"

  @trust_relationship = Model::Mixin::Policy.new(:name => effective_name, :template => @template)
  trust_relationship.allow do
    action 'sts:AssumeRole'
    principal :Service => service_principal
  end

  trust_relationship.instance_exec(&block) if block
end
#with_instance_profile(&block) ⇒ Object
Create an IAM Instance Profile for this role
# Create an IAM Instance Profile for this role.
#
# The profile is named "<role name>Profile", attached to this role, given
# the role's path, remembered as this role's instance profile, and stored
# in the template's resources under its name.
#
# @param block [Proc] optional; evaluated on the new profile via instance_exec
# @return [Model::Template::Resource::IAMInstanceProfile] the new profile
def with_instance_profile(&block)
  @instance_profile = Model::Template::Resource::IAMInstanceProfile.new("#{ name }Profile", @template).tap do |profile|
    # tap yields rather than instance_exec's, so `self` here is still the role.
    profile.role(self)
    profile.path(path)
    profile.instance_exec(&block) if block
  end

  @template.resources[@instance_profile.name] = @instance_profile
end