class Drunker::Executor::IAM

Attributes

logger[R]
policy[R]
role[R]

Public Class Methods

new(source:, artifact:, config:, logger:)
# File lib/drunker/executor/iam.rb, line 6
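# Provisions the IAM entities CodeBuild needs for one run: a service role
# (trust policy from #role_json) and a customer-managed policy (#policy_json)
# attached to it.
#
# If any AWS call after the first succeeds and a later one fails, whatever was
# already created is deleted again before the error propagates; otherwise a
# failed constructor would strand a role/policy that no later #delete can
# reach, since the object is never handed back to the caller.
#
# @param source [#location] S3 source whose objects the build may read
# @param artifact [#bucket] artifact target; only its bucket name is used
# @param config [#aws_client_options] options handed to Aws::IAM::Client.new
# @param logger [#info, #debug]
# @raise [StandardError] re-raises whatever the AWS SDK raised, after rollback
def initialize(source:, artifact:, config:, logger:)
  # Set first so rollback can log even if the very first AWS call fails.
  @logger = logger
  # Second-granular suffix: two executors started within the same second
  # would request the same role/policy name and the second create would fail.
  timestamp = Time.now.to_i
  client = Aws::IAM::Client.new(config.aws_client_options)
  iam = Aws::IAM::Resource.new(client: client)

  @role = iam.create_role(
    # "servie" is a long-standing typo; kept as is because the name is a
    # runtime identifier that external tooling may already match on.
    role_name: "drunker-codebuild-servie-role-#{timestamp}",
    assume_role_policy_document: role_json,
  )
  logger.info("Created IAM role: #{role.name}")
  @policy = iam.create_policy(
    policy_name: "drunker-codebuild-service-policy-#{timestamp}",
    policy_document: policy_json(source: source, artifact: artifact)
  )
  logger.info("Created IAM policy: #{policy.policy_name}")
  role.attach_policy(policy_arn: policy.arn)
  logger.debug("Attached #{policy.policy_name} to #{role.name}")
rescue StandardError => error
  rollback_iam_resources
  # Re-raise the constructor's own error, not anything a rollback step raised.
  raise error
end

# Best-effort teardown of whatever initialize managed to create, in reverse
# order (detach, delete policy, delete role). Each step is isolated so one
# failure does not stop the remaining cleanup; a detach failure is expected
# when attach_policy itself was the call that failed.
private def rollback_iam_resources
  if policy
    attempt_rollback("detach #{policy.policy_name}") { role.detach_policy(policy_arn: policy.arn) }
    attempt_rollback("delete policy #{policy.policy_name}") { policy.delete }
  end
  attempt_rollback("delete role #{role.name}") { role.delete } if role
end

# Runs one rollback step, logging the outcome at debug level and never raising,
# so the caller can continue with the next step and re-raise the original error.
private def attempt_rollback(step)
  yield
  logger.debug("Rollback: #{step} done")
rescue StandardError => e
  logger.debug("Rollback: #{step} failed (#{e.class}: #{e.message})")
end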

Public Instance Methods

delete()
# File lib/drunker/executor/iam.rb, line 26
# Tears down the IAM entities created by initialize.
#
# Order matters: a customer-managed policy cannot be deleted while it is still
# attached, and a role cannot be deleted while a policy is attached to it, so
# the policy is detached first, then deleted, then the role is deleted.
# Any SDK error propagates to the caller; later steps are skipped in that case.
#
# @return [void]
def delete
  policy_name = policy.policy_name
  role_name = role.name

  role.detach_policy(policy_arn: policy.arn)
  logger.debug("Detached #{policy_name} from #{role_name}")

  policy.delete
  logger.info("Deleted IAM policy: #{policy_name}")

  role.delete
  logger.info("Deleted IAM role: #{role_name}")
end

Private Instance Methods

policy_json(source:, artifact:)
# File lib/drunker/executor/iam.rb, line 55
# Builds the permissions policy attached to the CodeBuild service role.
#
# Three statements:
# - CloudWatch Logs: log group/stream creation and PutLogEvents on "*"
#   (a wildcard resource; whether this can be narrowed to the build's log
#   group depends on how CodeBuild names it — not visible here).
# - Read of the source object(s): GetObject/GetObjectVersion on
#   arn:aws:s3:::<source.location>. The value is embedded as-is; an IAM
#   wildcard character in source.location would widen the grant, so callers
#   should pass a literal bucket/key path.
# - Write of artifacts: PutObject on every key of artifact.bucket.
#
# The hash is serialised with #to_json, so the interpolated names are
# JSON-escaped rather than spliced into raw text.
#
# @param source [#location] S3 location of the build source
# @param artifact [#bucket] object exposing the artifact bucket (#name)
# @return [String] JSON policy document
def policy_json(source:, artifact:)
  cloudwatch_logs = {
    Effect: "Allow",
    Resource: "*",
    Action: %w[logs:CreateLogGroup logs:CreateLogStream logs:PutLogEvents],
  }
  read_source = {
    Effect: "Allow",
    Resource: ["arn:aws:s3:::#{source.location}"],
    Action: %w[s3:GetObject s3:GetObjectVersion],
  }
  write_artifact = {
    Effect: "Allow",
    Resource: ["arn:aws:s3:::#{artifact.bucket.name}/*"],
    Action: ["s3:PutObject"],
  }

  document = {
    Version: "2012-10-17",
    Statement: [cloudwatch_logs, read_source, write_artifact],
  }
  document.to_json
end
role_json()
# File lib/drunker/executor/iam.rb, line 40
# Trust policy (assume-role policy document) for the service role.
#
# A single statement lets the CodeBuild service principal call
# sts:AssumeRole; no other principal is trusted. Serialised with #to_json so
# the result is the String that create_role expects for
# assume_role_policy_document.
#
# @return [String] JSON trust policy
def role_json
  trust_statement = {
    Effect: "Allow",
    Principal: {
      Service: "codebuild.amazonaws.com",
    },
    Action: "sts:AssumeRole",
  }

  document = { Version: "2012-10-17", Statement: [trust_statement] }
  document.to_json
end