Add ECR policies and make logs policy more flexible

This is in preparation of a basic Fargate ECS blueprint.
cloudtools · Jun 18, 2018 · 3fc4a39 · 3fc4a39
1 parent 5ac0d5a
commit 3fc4a39
Showing 1 changed file with 53 additions and 2 deletions.
diff --git a/stacker_blueprints/policies.py b/stacker_blueprints/policies.py
@@ -17,6 +17,7 @@
 from awacs import (
     cloudwatch,
     dynamodb,
+    ecr,
     kinesis,
     ec2,
     logs,
@@ -216,13 +217,19 @@ def write_to_cloudwatch_logs_stream_policy(log_group_name, log_stream_name):
     )
 
 
-def cloudwatch_logs_write_statements(log_group=None):
+def cloudwatch_logs_write_statements(log_group=None, log_stream_prefix=None):
+    if not log_stream_prefix:
+        log_stream_prefix = "*"
     resources = ["arn:aws:logs:*:*:*"]
     if log_group:
         log_group_parts = ["arn:aws:logs:", Region, ":", AccountId,
                            ":log-group:", log_group]
         log_group_arn = Join("", log_group_parts)
-        log_stream_wild = Join("", log_group_parts + [":*"])
+        log_stream_wild = Join(
+            "",
+            log_group_parts + [":" + log_stream_prefix]
+        )
+
         resources = [log_group_arn, log_stream_wild]
 
     return [
@@ -292,3 +299,47 @@ def dynamodb_autoscaling_policy(tables):
             ),
         ]
     )
+
+
+def ecr_repo_client_statements(ecr_repo="*"):
+    statements = []
+    statements.append(
+        Statement(
+            Effect=Allow,
+            Resource=["*"],
+            Action=[ecr.GetAuthorizationToken, ]
+        )
+    )
+
+    statements.append(
+        Statement(
+            Effect=Allow,
+            Resource=[ecr_repo],
+            Action=[
+                ecr.BatchCheckLayerAvailability,
+                ecr.GetDownloadUrlForLayer,
+                ecr.BatchGetImage,
+            ]
+        )
+    )
+
+    return statements
+
+
+def ecs_task_execution_statements(ecr_repo="*", log_group=None,
+                                  log_stream_prefix=None):
+    statements = ecr_repo_client_statements(ecr_repo)
+    if log_group:
+        statements.extend(
+            cloudwatch_logs_write_statements(log_group, log_stream_prefix)
+        )
+    return statements
+
+
+def ecs_task_execution_policy(ecr_repo="*", log_group=None,
+                              log_stream_prefix=None):
+    return Policy(
+        Statement=ecs_task_execution_statements(
+            ecr_repo, log_group, log_stream_prefix
+        )
+    )