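"""IAM roles for the ECS service.

Two kinds of role are built here:

* a task *execution* role, used by the ECS agent to pull the image and
  (optionally) read one SSM parameter / KMS key at container start-up;
* a task role, assumed by the running application itself.

NOTE(review): the task-role policies grant broad wildcards (``s3:*``,
``s3-object-lambda:*`` and ``bedrock:*`` on ``Resource: "*"``) and embed
account ids, a region and resource names.  They are reproduced verbatim below
so that the deployed permissions do not change; narrowing them to the buckets,
models and queues the service actually touches, and moving the identifiers
into ``conf`` next to ``project_name`` / ``stack_name``, are the follow-ups
this module needs.
"""
import json

import pulumi
import pulumi_aws as aws

import conf as config

_POLICY_VERSION = "2012-10-17"
_ECS_TASKS_SERVICE = "ecs-tasks.amazonaws.com"
_ECS_TASK_EXECUTION_MANAGED_POLICY = (
    "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
)

# Region / account that hold the Athena, Glue, Secrets Manager and DynamoDB
# resources the task reads.  Hard-coded in the original policies; candidates
# for ``conf``.
_DATA_REGION = "us-east-1"
_DATA_ACCOUNT_ID = "305427701314"

# NOTE(review): this queue lives in a different account (673991670544) than
# the data resources above.  Cross-account receive presumably also needs a
# queue policy on the SQS side naming this role -- verify, otherwise the grant
# here is inert.
_SQS_QUEUE_ARN = "arn:aws:sqs:us-east-1:673991670544:ai-med-dev-queue-63cb463"

# Read-only ECR actions both execution-role variants carry.
_ECR_READ_ACTIONS = (
    "ecr:GetAuthorizationToken",
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:GetRepositoryPolicy",
    "ecr:DescribeRepositories",
    "ecr:ListImages",
    "ecr:DescribeImages",
    "ecr:BatchGetImage",
    "ecr:GetLifecyclePolicy",
    "ecr:GetLifecyclePolicyPreview",
    "ecr:ListTagsForResource",
    "ecr:DescribeImageScanFindings",
)


def _policy_document(statements: list[dict]) -> str:
    """Serialise *statements* into an IAM policy document JSON string.

    Args:
        statements: the ``Statement`` array, in the order it should appear.

    Returns:
        ``json.dumps`` of ``{"Version": "2012-10-17", "Statement": statements}``.
    """
    return json.dumps({"Version": _POLICY_VERSION, "Statement": statements})


def _ecs_tasks_trust_policy() -> str:
    """Trust policy that lets the ECS tasks service assume a role.

    Every role in this module used to spell this document out inline, with
    the top-level keys in differing order.  The documents are equivalent; the
    provider's policy-equivalence diff suppression should therefore report no
    change for existing roles -- confirm with ``pulumi preview``.
    """
    return _policy_document([
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": _ECS_TASKS_SERVICE},
        },
    ])


def _ecr_read_statement() -> dict:
    """Read-only ECR statement shared by both execution roles.

    ``ecr:GetAuthorizationToken`` is not resource-scoped and needs ``"*"``;
    the remaining actions are repository-level and could be narrowed to the
    service's repository ARN in a follow-up.
    """
    return {
        "Effect": "Allow",
        "Action": list(_ECR_READ_ACTIONS),
        "Resource": "*",
    }


def _data_arn(service: str, resource: str) -> str:
    """Build an ARN for *resource* of *service* in the data region/account."""
    return f"arn:aws:{service}:{_DATA_REGION}:{_DATA_ACCOUNT_ID}:{resource}"


def _execution_secrets_policy(ssm_parameter_arn: str, key_arn: str) -> str:
    """Inline policy for the execution role that also reads a secret.

    Grants ``ssm:GetParameters`` on one parameter and ``kms:Decrypt`` on one
    key, each further conditioned on the ``pulumi-application`` /
    ``pulumi-environment`` resource tags matching this project and stack, and
    appends the shared ECR read statement.

    Args:
        ssm_parameter_arn: resolved ARN of the SSM parameter.
        key_arn: resolved ARN of the KMS key that encrypts it.
    """
    return _policy_document([
        {
            "Action": ["ssm:GetParameters"],
            "Condition": {
                "StringEquals": {
                    "ssm:ResourceTag/pulumi-application": config.project_name,
                    "ssm:ResourceTag/pulumi-environment": config.stack_name,
                },
            },
            "Effect": "Allow",
            "Resource": [ssm_parameter_arn],
        },
        {
            "Action": ["kms:Decrypt"],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/pulumi-application": config.project_name,
                    "aws:ResourceTag/pulumi-environment": config.stack_name,
                },
            },
            "Effect": "Allow",
            "Resource": [key_arn],
            "Sid": "DecryptTaggedKMSKey",
        },
        _ecr_read_statement(),
    ])


def create_execution_role() -> aws.iam.Role:
    """Create the ECS task execution role without any secrets access.

    The role trusts ``ecs-tasks.amazonaws.com``, carries the managed
    ``AmazonECSTaskExecutionRolePolicy`` and an inline read-only ECR policy.

    NOTE(review): this function and :func:`create_execution_role_with_keys`
    register the same Pulumi resource name ``<project>-execution-role``, so a
    stack may call only one of them.  The name is kept because changing it
    would replace the live role.
    """
    return aws.iam.Role(
        f"{config.project_name}-execution-role",
        assume_role_policy=_ecs_tasks_trust_policy(),
        inline_policies=[
            aws.iam.RoleInlinePolicyArgs(
                name=f"{config.project_name}-{config.stack_name}-service-secrets-policy",
                policy=_policy_document([_ecr_read_statement()]),
            ),
        ],
        managed_policy_arns=[_ECS_TASK_EXECUTION_MANAGED_POLICY],
    )


def create_execution_role_with_keys(ssm_parameter, key) -> aws.iam.Role:
    """Create the ECS task execution role with scoped SSM + KMS read access.

    Args:
        ssm_parameter: Pulumi resource exposing an ``.arn`` Output for the SSM
            parameter the container needs at start-up.
        key: Pulumi resource exposing an ``.arn`` Output for the KMS key that
            encrypts that parameter.

    Returns:
        The role; its inline policy is an Output because it is rendered only
        once both ARNs have resolved.
    """
    # Both ARNs are Outputs, so the document is rendered inside ``apply``.
    secrets_policy = pulumi.Output.all(ssm_parameter.arn, key.arn).apply(
        lambda arns: _execution_secrets_policy(arns[0], arns[1])
    )
    return aws.iam.Role(
        f"{config.project_name}-execution-role",
        assume_role_policy=_ecs_tasks_trust_policy(),
        inline_policies=[
            aws.iam.RoleInlinePolicyArgs(
                name=f"{config.project_name}-{config.stack_name}-service-secrets-policy",
                policy=secrets_policy,
            ),
        ],
        managed_policy_arns=[_ECS_TASK_EXECUTION_MANAGED_POLICY],
    )


def _execute_command_policy() -> str:
    """Inline policy ``ExecuteCommand`` for the task role.

    Covers the ECS Exec control/data channels and log streams, plus read
    access to the Athena workgroup, Glue catalog objects, one Secrets Manager
    secret and one DynamoDB table (with its indexes) the application queries.
    """
    return _policy_document([
        {
            # ECS Exec session channels; these actions are not resource-scoped.
            "Action": [
                "ssmmessages:CreateControlChannel",
                "ssmmessages:OpenControlChannel",
                "ssmmessages:CreateDataChannel",
                "ssmmessages:OpenDataChannel",
            ],
            "Effect": "Allow",
            "Resource": "*",
        },
        {
            "Action": [
                "logs:CreateLogStream",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:PutLogEvents",
            ],
            "Effect": "Allow",
            "Resource": "*",
        },
        {
            "Effect": "Allow",
            "Action": [
                "athena:StartQueryExecution",
                "athena:GetQueryExecution",
                "athena:GetQueryResults",
                "athena:StopQueryExecution",
            ],
            "Resource": _data_arn("athena", "workgroup/iceberg-workgroup"),
        },
        {
            "Effect": "Allow",
            "Action": [
                "glue:GetDatabase",
                "glue:GetTable",
                "glue:GetPartitions",
            ],
            "Resource": [
                _data_arn("glue", "catalog"),
                _data_arn("glue", "database/dnx_warehouse"),
                _data_arn("glue", "table/dnx_warehouse/*"),
            ],
        },
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
            ],
            "Resource": [
                _data_arn("secretsmanager", "secret:assistente-db-secrets-manager-mpYPMi"),
            ],
        },
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:Scan",
                "dynamodb:GetItem",
                "dynamodb:Query",
                "dynamodb:DescribeTable",
            ],
            "Resource": [
                _data_arn("dynamodb", "table/poc_dnx_monthly_summary"),
                _data_arn("dynamodb", "table/poc_dnx_monthly_summary/index/*"),
            ],
        },
    ])


def _deny_iam_policy() -> str:
    """Inline policy ``DenyIAM``: explicit deny of every ``iam:*`` action.

    An explicit deny beats any allow in the same role, so this also
    neutralises the ``iam:ListRoles`` / ``iam:PassRole`` allows in
    ``BedrockS3SQSAccess``.
    """
    return _policy_document([
        {
            "Action": "iam:*",
            "Effect": "Deny",
            "Resource": "*",
        },
    ])


def _bedrock_s3_sqs_policy() -> str:
    """Inline policy ``BedrockS3SQSAccess`` for the task role.

    NOTE(review): ``s3:*`` / ``s3-object-lambda:*`` and ``bedrock:*`` on
    ``Resource: "*"`` are far wider than a task role should carry; scope them
    to the buckets and model ARNs the service uses.  The trailing
    ``iam:ListRoles`` and ``iam:PassRole`` statements are shadowed by the
    ``iam:*`` deny in ``DenyIAM`` and therefore grant nothing as written --
    either drop them or carve them out of the deny deliberately.
    """
    return _policy_document([
        # S3
        {
            "Effect": "Allow",
            "Action": [
                "s3:*",
                "s3-object-lambda:*",
            ],
            "Resource": "*",
        },
        # SQS
        {
            "Effect": "Allow",
            "Action": [
                "sqs:StartMessageMoveTask",
                "sqs:DeleteMessage",
                "sqs:GetQueueUrl",
                "sqs:ListDeadLetterSourceQueues",
                "sqs:ListMessageMoveTasks",
                "sqs:PurgeQueue",
                "sqs:ReceiveMessage",
                "sqs:GetQueueAttributes",
                "sqs:ListQueueTags",
            ],
            "Resource": _SQS_QUEUE_ARN,
        },
        {
            "Effect": "Allow",
            "Action": "sqs:ListQueues",
            "Resource": "*",
        },
        # Bedrock
        {
            "Effect": "Allow",
            "Action": [
                "bedrock:*",
            ],
            "Resource": "*",
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:DescribeKey",
            ],
            "Resource": "arn:*:kms:*:*:key/*",
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:ListRoles",
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
            ],
            "Resource": "*",
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole",
            ],
            "Resource": "arn:aws:iam::*:role/*AmazonBedrock*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "bedrock.amazonaws.com",
                },
            },
        },
    ])


def create_task_role() -> aws.iam.Role:
    """Create the ECS task role assumed by the running application.

    Trusts ``ecs-tasks.amazonaws.com`` and attaches three inline policies:
    ``ExecuteCommand`` (ECS Exec + data-store reads), ``DenyIAM`` and
    ``BedrockS3SQSAccess``.  See the helpers for the review notes on scope.
    """
    return aws.iam.Role(
        f"{config.project_name}-task-role",
        assume_role_policy=_ecs_tasks_trust_policy(),
        inline_policies=[
            aws.iam.RoleInlinePolicyArgs(
                name="ExecuteCommand",
                policy=_execute_command_policy(),
            ),
            aws.iam.RoleInlinePolicyArgs(
                name="DenyIAM",
                policy=_deny_iam_policy(),
            ),
            aws.iam.RoleInlinePolicyArgs(
                name="BedrockS3SQSAccess",
                policy=_bedrock_s3_sqs_policy(),
            ),
        ],
    )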