Refactoring permissions to JSON files (#151)

JohnPreston · web-flow · commit e24ee495a39c · 2020-08-12T21:49:33.000+01:00
diff --git a/MANIFEST.in b/MANIFEST.in
@@ -10,3 +10,4 @@ recursive-exclude * __pycache__
 recursive-exclude * *.py[co]
 
 recursive-include docs *.rst conf.py Makefile make.bat *.jpg *.png *.gif
+recursive-include ecs_composex *.json
diff --git a/ecs_composex/dns/SYNTAX.rst b/ecs_composex/dns/SYNTAX.rst
@@ -1 +1,14 @@
 ﻿
+.. dns_reference_syntax:
+
+x-dns
+======
+
+.. code-block:: yaml
+
+    x-dns:
+      PrivateNamespace:
+        Name: mycluster.lan
+      PublicNamespace:
+        Name: lambda-my-aws.io
+
diff --git a/ecs_composex/dynamodb/dynamodb_perms.json b/ecs_composex/dynamodb/dynamodb_perms.json
@@ -0,0 +1,32 @@
+﻿{
+    "RW": {
+        "Action": [
+            "dynamodb:BatchGet*",
+            "dynamodb:DescribeStream",
+            "dynamodb:DescribeTable",
+            "dynamodb:Get*",
+            "dynamodb:Query",
+            "dynamodb:Scan",
+            "dynamodb:BatchWrite*",
+            "dynamodb:DeleteItem",
+            "dynamodb:UpdateItem",
+            "dynamodb:PutItem"
+        ],
+        "Effect": "Allow"
+    },
+    "RO": {
+        "Action": [
+            "dynamodb:DescribeTable",
+            "dynamodb:Query",
+            "dynamodb:Scan"
+        ],
+        "Effect": "Allow"
+    },
+    "PowerUser": {
+        "NotAction": [
+            "dynamodb:CreateTable",
+            "dynamodb:DeleteTable",
+            "dynamodb:DeleteBackup"
+        ]
+    }
+}
diff --git a/ecs_composex/dynamodb/dynamodb_perms.py b/ecs_composex/dynamodb/dynamodb_perms.py
@@ -20,31 +20,17 @@
 based on pre-defined TABLE policies for consumers
 """
 
-ACCESS_TYPES = {
-    "RW": {
-        "Action": [
-            "dynamodb:BatchGet*",
-            "dynamodb:DescribeStream",
-            "dynamodb:DescribeTable",
-            "dynamodb:Get*",
-            "dynamodb:Query",
-            "dynamodb:Scan",
-            "dynamodb:BatchWrite*",
-            "dynamodb:DeleteItem",
-            "dynamodb:UpdateItem",
-            "dynamodb:PutItem",
-        ],
-        "Effect": "Allow",
-    },
-    "RO": {
-        "Action": ["dynamodb:DescribeTable", "dynamodb:Query", "dynamodb:Scan"],
-        "Effect": "Allow",
-    },
-    "PowerUser": {
-        "NotAction": [
-            "dynamodb:CreateTable",
-            "dynamodb:DeleteTable",
-            "dynamodb:DeleteBackup",
-        ]
-    },
-}
+from os import path
+from json import loads
+
+
+def get_access_types():
+    with open(
+        f"{path.abspath(path.dirname(__file__))}/dynamodb_perms.json",
+        "r",
+        encoding="utf-8-sig",
+    ) as perms_fd:
+        return loads(perms_fd.read())
+
+
+ACCESS_TYPES = get_access_types()
diff --git a/ecs_composex/kms/kms_perms.json b/ecs_composex/kms/kms_perms.json
@@ -0,0 +1,34 @@
+﻿{
+    "SQS": {
+        "Action": [
+            "kms:GenerateDataKey",
+            "kms:Decrypt"
+        ],
+        "Effect": "Allow"
+    },
+    "DecryptOnly": {
+        "Action": [
+            "kms:Decrypt"
+        ],
+        "Effect": "Allow"
+    },
+    "EncryptOnly": {
+        "Action": [
+            "kms:Encrypt",
+            "kms:GenerateDataKey*",
+            "kms:ReEncrypt*"
+        ],
+        "Effect": "Allow"
+    },
+    "EncryptDecrypt": {
+        "Action": [
+            "kms:Encrypt",
+            "kms:Decrypt",
+            "kms:ReEncrypt*",
+            "kms:GenerateDataKey*",
+            "kms:CreateGrant",
+            "kms:DescribeKey"
+        ],
+        "Effect": "Allow"
+    }
+}
diff --git a/ecs_composex/kms/kms_perms.py b/ecs_composex/kms/kms_perms.py
@@ -20,22 +20,17 @@
 based on pre-defined TABLE policies for consumers
 """
 
-ACCESS_TYPES = {
-    "SQS": {"Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Effect": "Allow"},
-    "DecryptOnly": {"Action": ["kms:Decrypt"], "Effect": "Allow"},
-    "EncryptOnly": {
-        "Action": ["kms:Encrypt", "kms:GenerateDataKey*", "kms:ReEncrypt*"],
-        "Effect": "Allow",
-    },
-    "EncryptDecrypt": {
-        "Action": [
-            "kms:Encrypt",
-            "kms:Decrypt",
-            "kms:ReEncrypt*",
-            "kms:GenerateDataKey*",
-            "kms:CreateGrant",
-            "kms:DescribeKey",
-        ],
-        "Effect": "Allow",
-    },
-}
+from os import path
+from json import loads
+
+
+def get_access_types():
+    with open(
+        f"{path.abspath(path.dirname(__file__))}/kms_perms.json",
+        "r",
+        encoding="utf-8-sig",
+    ) as perms_fd:
+        return loads(perms_fd.read())
+
+
+ACCESS_TYPES = get_access_types()
diff --git a/ecs_composex/sqs/sqs_perms.json b/ecs_composex/sqs/sqs_perms.json
@@ -0,0 +1,23 @@
+﻿{
+    "RWMessages": {
+        "Sid": "RWAccessMessages",
+        "NotAction": [
+            "sqs:TagQueue",
+            "sqs:RemovePermission",
+            "sqs:AddPermission",
+            "sqs:UntagQueue",
+            "sqs:PurgeQueue",
+            "sqs:DeleteQueue",
+            "sqs:CreateQueue",
+            "sqs:SetQueueAttributes"
+        ],
+        "Effect": "Allow"
+    },
+    "Publish": {
+        "Sid": "PublishMessages",
+        "NotAction": [
+            "sqs:SendMessage"
+        ],
+        "Effect": "Allow"
+    }
+}
diff --git a/ecs_composex/sqs/sqs_perms.py b/ecs_composex/sqs/sqs_perms.py
@@ -20,40 +20,17 @@
 based on pre-defined SQS policies for consumers
 """
 
-ACCESS_TYPES = {
-    "RWMessages": {
-        "NotAction": [
-            "sqs:TagQueue",
-            "sqs:RemovePermission",
-            "sqs:AddPermission",
-            "sqs:UntagQueue",
-            "sqs:PurgeQueue",
-            "sqs:DeleteQueue",
-            "sqs:CreateQueue",
-            "sqs:SetQueueAttributes",
-        ],
-        "Effect": "Allow",
-    },
-    "RWPermissions": {
-        "NotAction": [
-            "sqs:RemovePermission",
-            "sqs:AddPermission",
-            "sqs:PurgeQueue",
-            "sqs:SetQueueAttributes",
-        ],
-        "Effect": "Allow",
-    },
-    "RO": {
-        "NotAction": [
-            "sqs:TagQueue",
-            "sqs:RemovePermission",
-            "sqs:AddPermission",
-            "sqs:UntagQueue",
-            "sqs:PurgeQueue",
-            "sqs:Delete*",
-            "sqs:Create*",
-            "sqs:Set*",
-        ],
-        "Effect": "Allow",
-    },
-}
+from os import path
+from json import loads
+
+
+def get_access_types():
+    with open(
+        f"{path.abspath(path.dirname(__file__))}/sqs_perms.json",
+        "r",
+        encoding="utf-8-sig",
+    ) as perms_fd:
+        return loads(perms_fd.read())
+
+
+ACCESS_TYPES = get_access_types()

Original file line number	Diff line number	Diff line change
`@@ -10,3 +10,4 @@ recursive-exclude * __pycache__`
`10`	`10`	`recursive-exclude * *.py[co]`
`11`	`11`
`12`	`12`	`recursive-include docs .rst conf.py Makefile make.bat .jpg .png .gif`
	`13`	`+recursive-include ecs_composex *.json`