Module: Convection::DSL::Template::Resource::IAMRole

Included in:
Model::Template::Resource::IAMRole
Defined in:
lib/convection/model/template/resource/aws_iam_role.rb

Overview

Role DSL


Instance Method Details

#allow_instance_termination(&block) ⇒ Object

Add a policy that allows an instance to terminate itself



# File 'lib/convection/model/template/resource/aws_iam_role.rb', line 64

# Add a policy that lets instances carrying this role's instance profile
# call ec2:TerminateInstances.
#
# Creates the instance profile first when the role has none yet, then
# registers an IAMPolicy named "<role name>TerminationPolicy" on the
# template. The statement is scoped with a StringEquals condition on
# ec2:InstanceProfile (the profile's ARN) rather than by resource ARN;
# the resource itself stays '*'.
#
# NOTE(review): the condition matches any instance whose attached profile
# is this role's profile, not only the calling instance — if the profile is
# shared by several instances, each can terminate the others.
#
# @param block [Proc] optional DSL block evaluated on the new policy
# @return [Model::Template::Resource::IAMPolicy] the registered policy
def allow_instance_termination(&block)
  with_instance_profile unless instance_profile

  policy = Model::Template::Resource::IAMPolicy.new("#{ name }TerminationPolicy", @template)
  policy.policy_name('allow-instance-termination')

  # captured for use inside the DSL block, where self is the policy
  role = self
  policy.allow do
    action 'ec2:TerminateInstances'
    resource '*'
    condition :StringEquals => {
      'ec2:InstanceProfile' => get_att(role.instance_profile.name, 'Arn')
    }
  end
  policy.role(role)
  policy.depends_on(instance_profile)
  policy.instance_exec(&block) if block

  @template.resources[policy.name] = policy
end

#assume_role_policy(policy_name, &block) ⇒ Object



# File 'lib/convection/model/template/resource/aws_iam_role.rb', line 9

# Define the role's trust relationship from scratch.
#
# Replaces any trust policy set earlier (for example by #trust_service)
# with a fresh Model::Mixin::Policy named +policy_name+; statements are
# expected to come from the block.
#
# @param policy_name [String] name of the trust policy
# @param block [Proc] optional DSL block evaluated on the new trust policy
def assume_role_policy(policy_name, &block)
  @trust_relationship = Model::Mixin::Policy.new(:name => policy_name, :template => @template)
  return unless block

  trust_relationship.instance_exec(&block)
end

#policy(policy_name, &block) ⇒ Object



# File 'lib/convection/model/template/resource/aws_iam_role.rb', line 14

# Add a policy to the role's policies list.
#
# Builds a Model::Mixin::Policy named +policy_name+, evaluates the block on
# it and appends it to #policies.
#
# @param policy_name [String] policy name
# @param block [Proc] optional DSL block evaluated on the new policy
# @return [Array] the role's policies after the append
def policy(policy_name, &block)
  new_policy = Model::Mixin::Policy.new(:name => policy_name, :template => @template)
  new_policy.instance_exec(&block) if block
  policies.push(new_policy)
end

#trust_cloudtrail(&block) ⇒ Object

Add a canned trust policy for Cloudtrail



# File 'lib/convection/model/template/resource/aws_iam_role.rb', line 59

# Add a canned trust policy for CloudTrail.
#
# Delegates to #trust_service with the 'cloudtrail' service principal and
# the policy name 'trust-cloudtrail-instances'.
#
# @param block [Proc] optional DSL block evaluated on the trust policy
def trust_cloudtrail(&block)
  trust_service 'cloudtrail', 'trust-cloudtrail-instances', &block
end

#trust_ec2_instances(&block) ⇒ Object

Add a canned trust policy for EC2 instances



# File 'lib/convection/model/template/resource/aws_iam_role.rb', line 44

# Add a canned trust policy for EC2 instances.
#
# Delegates to #trust_service with the 'ec2' service principal and the
# policy name 'trust-ec2-instances'.
#
# @param block [Proc] optional DSL block evaluated on the trust policy
def trust_ec2_instances(&block)
  trust_service 'ec2', 'trust-ec2-instances', &block
end

#trust_emr(&block) ⇒ Object

Add a canned trust policy for EMR



# File 'lib/convection/model/template/resource/aws_iam_role.rb', line 54

# Add a canned trust policy for EMR.
#
# Delegates to #trust_service with the 'elasticmapreduce' service
# principal and the policy name 'trust-emr'.
#
# @param block [Proc] optional DSL block evaluated on the trust policy
def trust_emr(&block)
  trust_service 'elasticmapreduce', 'trust-emr', &block
end

#trust_flow_logs(&block) ⇒ Object

Add a canned trust policy for Flow Logs



# File 'lib/convection/model/template/resource/aws_iam_role.rb', line 49

# Add a canned trust policy for VPC Flow Logs.
#
# Delegates to #trust_service with the 'vpc-flow-logs' service principal
# and the policy name 'trust-flow-logs'.
#
# @param block [Proc] optional DSL block evaluated on the trust policy
def trust_flow_logs(&block)
  trust_service 'vpc-flow-logs', 'trust-flow-logs', &block
end

#trust_service(name, policy_name = nil, &block) ⇒ Object

Add a canned trust policy for any AWS service



# File 'lib/convection/model/template/resource/aws_iam_role.rb', line 33

# Add a trust policy allowing an AWS service principal to assume this role.
#
# Replaces any existing trust relationship with a policy holding a single
# statement that allows sts:AssumeRole to the principal
# "<name>.amazonaws.com". The policy name defaults to "trust-<name>-service".
#
# NOTE(review): the generated statement carries no aws:SourceAccount /
# aws:SourceArn condition; for services that assume roles on behalf of
# other accounts, callers can narrow it with +condition+ in the block.
#
# @param name [String] service prefix, e.g. 'ec2'
# @param policy_name [String, nil] name for the trust policy
# @param block [Proc] optional DSL block evaluated on the trust policy
def trust_service(name, policy_name = nil, &block)
  # built outside the DSL block so the service string is a plain closure value
  service_principal = "#{name}.amazonaws.com"

  @trust_relationship = Model::Mixin::Policy.new(
    :name => policy_name || "trust-#{name}-service",
    :template => @template
  )
  trust_relationship.allow do
    action 'sts:AssumeRole'
    principal :Service => service_principal
  end
  return unless block

  trust_relationship.instance_exec(&block)
end

#with_instance_profile(&block) ⇒ Object

Create an IAM Instance Profile for this role



# File 'lib/convection/model/template/resource/aws_iam_role.rb', line 22

# Create an IAM Instance Profile for this role and register it on the template.
#
# The profile is named "<role name>Profile", points back at this role and
# takes the role's path. It is kept in @instance_profile so that other
# role methods (such as #allow_instance_termination) can refer to it.
#
# @param block [Proc] optional DSL block evaluated on the new profile
# @return [Model::Template::Resource::IAMInstanceProfile] the registered profile
def with_instance_profile(&block)
  # tap yields the profile without changing self, so +path+ still resolves on the role
  @instance_profile = Model::Template::Resource::IAMInstanceProfile.new("#{ name }Profile", @template).tap do |profile|
    profile.role(self)
    profile.path(path)
    profile.instance_exec(&block) if block
  end

  @template.resources[@instance_profile.name] = @instance_profile
end