
Commit 88e52a4

Lee Zen
andauthored
Update examples for updated AWS managed policies (pulumi#894)
Co-authored-by: Mikhail Shilkov <[email protected]>
1 parent fa9b2d7 commit 88e52a4


19 files changed

+95
-100
lines changed


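--- a/aws-django-voting-app/__main__.py
+++ b/aws-django-voting-app/__main__.py
@@ -87,7 +87,7 @@
 
 # Attaching execution permissions to the exec role
 exec_policy_attachment = aws.iam.RolePolicyAttachment("app-exec-policy", role=app_exec_role.name,
-policy_arn="arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy")
+policy_arn=aws.iam.ManagedPolicy.AMAZON_ECS_TASK_EXECUTION_ROLE_POLICY)
 
 # Creating an IAM role used by Fargate to manage tasks
 app_task_role = aws.iam.Role("app-task-role",
@@ -106,10 +106,7 @@
 
 # Attaching execution permissions to the task role
 task_policy_attachment = aws.iam.RolePolicyAttachment("app-access-policy", role=app_task_role.name,
-policy_arn="arn:aws:iam::aws:policy/AmazonEC2ContainerServiceFullAccess")
-
-task_policy_attachment = aws.iam.RolePolicyAttachment("app-lambda-policy", role=app_task_role.name,
-policy_arn="arn:aws:iam::aws:policy/AWSLambdaFullAccess")
+policy_arn=aws.iam.ManagedPolicy.AMAZON_ECS_FULL_ACCESS)
 
 # Creating storage space to upload a docker image of our app to
 app_ecr_repo = aws.ecr.Repository("app-ecr-repo",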
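Review bot: The replacement attachment on new line 109 still hands the application containers a full-access managed policy (AMAZON_ECS_FULL_ACCESS) via the task role, while the comment on line 107 calls it "execution permissions"; the two don't match, and a task role only needs whatever AWS APIs the application code itself calls. If the voting app's containers make no ECS API calls at all, the attachment can be dropped; otherwise an inline policy listing just the actions the app uses would fit the example better. At minimum a comment such as `# Task role (not the exec role): grant only the AWS APIs the app code calls` would flag the distinction for readers copying the example. The same hunk appears in aws-py-voting-app/__main__.py (lines 94-100 of that file) and the same point applies there.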

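--- a/aws-fs-lambda-webserver/README.md
+++ b/aws-fs-lambda-webserver/README.md
@@ -17,7 +17,7 @@ After cloning this repo, from this working directory, run these commands:
 1. Build and publish the lambda function, making the output available to our Pulumi program.
 
 ```bash
-dotnet publish ./LambdaWebService
+dotnet publish ./LambdaWebServer
 ```
 
 2. Execute our Pulumi program to archive our published function output, and create our lambda.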

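--- a/aws-fs-lambda-webserver/pulumi/Program.fs
+++ b/aws-fs-lambda-webserver/pulumi/Program.fs
@@ -7,7 +7,7 @@ open Pulumi.Aws.Lambda
 
 module ManagedPolicies =
 let AWSLambdaBasicExecutionRole = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
-let AWSLambdaFullAccess = "arn:aws:iam::aws:policy/AWSLambdaFullAccess"
+let AWSLambdaExecute = "arn:aws:iam::aws:policy/AWSLambdaExecute"
 
 let openApiSpec (name, arn) =
 let quotedTitle = "\"" + name + "api\""
@@ -57,7 +57,6 @@ let addInvokePermission name accountId functionArn executionArn =
 Action = input "lambda:InvokeFunction",
 Function = functionArn,
 Principal = input "apigateway.amazonaws.com",
-SourceAccount = accountId,
 SourceArn = executionArn,
 StatementIdPrefix = input "lambdaPermission"
 )
@@ -88,14 +87,14 @@ let infra () =
 )
 )
 
-RolePolicyAttachment("lambdaS3ReadOnlyAccess", RolePolicyAttachmentArgs(Role = io lambdaRole.Id, PolicyArn = input ManagedPolicies.AWSLambdaFullAccess)) |> ignore
+RolePolicyAttachment("lambdaS3ReadOnlyAccess", RolePolicyAttachmentArgs(Role = io lambdaRole.Id, PolicyArn = input ManagedPolicies.AWSLambdaExecute)) |> ignore
 RolePolicyAttachment("lambdaBasicExecution", RolePolicyAttachmentArgs(Role = io lambdaRole.Id, PolicyArn = input ManagedPolicies.AWSLambdaBasicExecutionRole)) |> ignore
 
 let lambda =
 Function(
 "basicLambda",
 FunctionArgs(
-Runtime = input "dotnetcore3.1",
+Runtime = inputUnion2Of2 Pulumi.Aws.Lambda.Runtime.DotnetCore3d1,
 Code = input (FileArchive "../LambdaWebServer/bin/Debug/netcoreapp3.1/publish" :> Archive),
 Handler = input "LambdaWebServer::Setup+LambdaEntryPoint::FunctionHandlerAsync",
 Role = io lambdaRole.Arn,
@@ -143,4 +142,3 @@ let infra () =
 [<EntryPoint>]
 let main _argv =
 Deployment.run infra
-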
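Review bot: Dropping `SourceAccount = accountId` in addInvokePermission leaves the accountId parameter in the signature (visible in the hunk header) unused and removes one of the two conditions on the resource-based invoke permission; SourceArn still restricts the caller to the API's execution ARN, so this is probably safe, but the reason should be stated in a comment or the parameter removed so the next reader doesn't reintroduce it by mistake. Separately, the attachment named "lambdaS3ReadOnlyAccess" now gets AWSLambdaExecute, which grants S3 PutObject as well as GetObject and CloudWatch Logs, so it is not read-only; if read-only is the intent, `arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess` next to the already-attached basic execution role would match the name, and if write access is intended the logical name should change (noting that renaming replaces the attachment resource). The rest of addInvokePermission and of infra sits outside the hunks.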

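--- a/aws-py-voting-app/__main__.py
+++ b/aws-py-voting-app/__main__.py
@@ -94,10 +94,7 @@
 
 # Attaching execution permissions to the task role
 task_policy_attachment = aws.iam.RolePolicyAttachment("app-access-policy", role=app_task_role.name,
-policy_arn="arn:aws:iam::aws:policy/AmazonEC2ContainerServiceFullAccess")
-
-task_policy_attachment = aws.iam.RolePolicyAttachment("app-lambda-policy", role=app_task_role.name,
-policy_arn="arn:aws:iam::aws:policy/AWSLambdaFullAccess")
+policy_arn=aws.iam.ManagedPolicy.AMAZON_ECS_FULL_ACCESS)
 
 # Creating storage space to upload a docker image of our app to
 app_ecr_repo = aws.ecr.Repository("app-ecr-repo",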

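--- a/aws-ts-apigatewayv2-http-api-quickcreate/index.ts
+++ b/aws-ts-apigatewayv2-http-api-quickcreate/index.ts
@@ -23,7 +23,7 @@ const lambdaRole = new aws.iam.Role("lambdaRole", {
 // Attach the fullaccess policy to the Lambda role created above
 const rolepolicyattachment = new aws.iam.RolePolicyAttachment("lambdaRoleAttachment", {
 role: lambdaRole,
-policyArn: aws.iam.ManagedPolicies.AWSLambdaFullAccess,
+policyArn: aws.iam.ManagedPolicy.AWSLambdaBasicExecutionRole,
 });
 
 // Create the Lambda to execute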
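Review bot: The comment on line 23 still says "Attach the fullaccess policy" although line 26 now attaches AWSLambdaBasicExecutionRole, which is the narrowest of the Lambda managed policies (CloudWatch Logs write only); a stale comment in an example is likely to be copied verbatim. Suggest `// Attach the basic execution policy (CloudWatch Logs write) to the Lambda role created above`.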

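--- a/aws-ts-apigatewayv2-http-api-quickcreate/package.json
+++ b/aws-ts-apigatewayv2-http-api-quickcreate/package.json
@@ -4,8 +4,8 @@
 "@types/node": "^10.0.0"
 },
 "dependencies": {
-"@pulumi/aws": "^3.0.0",
-"@pulumi/awsx": "^0.23.0",
+"@pulumi/aws": "^3.25.1",
+"@pulumi/awsx": "^0.24.0",
 "@pulumi/pulumi": "^2.0.0"
 }
 }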

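--- a/aws-ts-apigatewayv2-http-api/index.ts
+++ b/aws-ts-apigatewayv2-http-api/index.ts
@@ -33,9 +33,9 @@ const lambdaRole = new aws.iam.Role("lambdaRole", {
 },
 });
 
-const lambadRoleAttachment = new aws.iam.RolePolicyAttachment("lambdaRoleAttachment", {
+const lambdaRoleAttachment = new aws.iam.RolePolicyAttachment("lambdaRoleAttachment", {
 role: lambdaRole,
-policyArn: aws.iam.ManagedPolicies.AWSLambdaFullAccess,
+policyArn: aws.iam.ManagedPolicy.AWSLambdaBasicExecutionRole,
 });
 
 const lambda = new aws.lambda.Function("lambdaFunction", {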

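--- a/aws-ts-apigatewayv2-http-api/package.json
+++ b/aws-ts-apigatewayv2-http-api/package.json
@@ -4,8 +4,8 @@
 "@types/node": "^10.0.0"
 },
 "dependencies": {
-"@pulumi/aws": "^3.0.0",
-"@pulumi/awsx": "^0.23.0",
+"@pulumi/aws": "^3.25.1",
+"@pulumi/awsx": "^0.24.0",
 "@pulumi/pulumi": "^2.0.0"
 }
 }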

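--- a/aws-ts-lambda-efs/README.md
+++ b/aws-ts-lambda-efs/README.md
@@ -130,7 +130,7 @@ After cloning this repo, `cd` into it and run these commands:
 
 ```bash
 $ curl -X POST -d '<h1>Hello world</h1>' $(pulumi stack output url)files/index.html
-$ curl -X GET $(pulumi stack output url)files/file.txt
+$ curl -X GET $(pulumi stack output url)files/index.html
 <h1>Hello world</h1>
 ```
 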

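--- a/aws-ts-lambda-efs/index.ts
+++ b/aws-ts-lambda-efs/index.ts
@@ -30,7 +30,7 @@ export = async () => {
 // Lambda
 function efsvpcCallback(name: string, f: aws.lambda.Callback<awsx.apigateway.Request, awsx.apigateway.Response>) {
 return new aws.lambda.CallbackFunction(name, {
-policies: [aws.iam.ManagedPolicies.AWSLambdaVPCAccessExecutionRole, aws.iam.ManagedPolicies.AWSLambdaFullAccess],
+policies: [aws.iam.ManagedPolicy.AWSLambdaVPCAccessExecutionRole, aws.iam.ManagedPolicy.LambdaFullAccess],
 vpcConfig: {
 subnetIds: vpc.privateSubnetIds,
 securityGroupIds: [vpc.vpc.defaultSecurityGroupId],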
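Review bot: Line 33 is the only code change in this commit that still grants a full-access policy (ManagedPolicy.LambdaFullAccess, which maps to the AWSLambda_FullAccess ARN), whereas every other example was narrowed to AWSLambdaExecute or AWSLambdaBasicExecutionRole. Nothing in the hunk shows the function calling the Lambda API; if it only serves files from EFS behind API Gateway, AWSLambdaVPCAccessExecutionRole on its own should be enough, since it already includes the CloudWatch Logs and ENI permissions a VPC-attached function needs. If the broader policy is deliberate, a one-line comment on line 33 saying what it is for would stop the example being copied as-is. efsvpcCallback's body continues outside the hunk.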

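--- a/aws-ts-lambda-efs/package.json
+++ b/aws-ts-lambda-efs/package.json
@@ -2,8 +2,8 @@
 "name": "aws-ts-lambda-efs",
 "version": "0.1.0",
 "dependencies": {
-"@pulumi/aws": "^3.0.0",
-"@pulumi/awsx": "^0.23.0",
+"@pulumi/aws": "^3.25.1",
+"@pulumi/awsx": "^0.24.0",
 "@pulumi/pulumi": "^2.0.0"
 }
 }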

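--- a/aws-ts-lambda-thumbnailer/index.ts
+++ b/aws-ts-lambda-thumbnailer/index.ts
@@ -12,9 +12,9 @@ const image = awsx.ecr.buildAndPushImage("sampleapp", {
 const role = new aws.iam.Role("thumbnailerRole", {
 assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({ Service: "lambda.amazonaws.com" }),
 });
-const lambdaFullAccess = new aws.iam.RolePolicyAttachment("lambdaFullAccess", {
+const lambdaS3Access = new aws.iam.RolePolicyAttachment("lambdaFullAccess", {
 role: role.name,
-policyArn: aws.iam.ManagedPolicies.AWSLambdaFullAccess,
+policyArn: aws.iam.ManagedPolicy.AWSLambdaExecute,
 });
 
 const thumbnailer = new aws.lambda.Function("thumbnailer", {
@@ -44,6 +44,6 @@ bucket.onObjectCreated("onNewThumbnail", new aws.lambda.CallbackFunction<aws.s3.
 }
 },
 policies: [
-aws.iam.ManagedPolicies.AWSLambdaFullAccess, // Provides wide access to "serverless" services (Dynamo, S3, etc.)
+aws.iam.ManagedPolicy.AWSLambdaExecute, // Provides wide access to Lambda and S3
 ],
 }), { filterSuffix: ".jpg" });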
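Review bot: The comment on new line 47 says AWSLambdaExecute "Provides wide access to Lambda and S3", but that policy grants CloudWatch Logs plus S3 GetObject/PutObject on every bucket and no Lambda API access, so the comment misdescribes what the function can do; suggest `// CloudWatch Logs plus S3 GetObject/PutObject on all buckets (AWSLambdaExecute)`. In the first hunk the local was renamed to lambdaS3Access while the resource's logical name on line 15 is still "lambdaFullAccess"; changing the logical name would replace the attachment, so if that is unwanted a comment noting the mismatch is the cheaper fix. Both callback bodies continue outside the hunks.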

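--- a/aws-ts-lambda-thumbnailer/package.json
+++ b/aws-ts-lambda-thumbnailer/package.json
@@ -4,7 +4,7 @@
 "main": "index.js",
 "dependencies": {
 "@pulumi/pulumi": "^2.0.0",
-"@pulumi/aws": "^3.17.0",
-"@pulumi/awsx": "^0.23.0"
+"@pulumi/aws": "^3.25.1",
+"@pulumi/awsx": "^0.24.0"
 }
 }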

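--- a/aws-ts-serverless-datawarehouse/datawarehouse/lambdaCron/index.ts
+++ b/aws-ts-serverless-datawarehouse/datawarehouse/lambdaCron/index.ts
@@ -41,10 +41,10 @@ export class LambdaCronJob extends pulumi.ComponentResource {
 }
 }
 
-// always attach the lambda policy for logging, etc.
+// always attach the lambda policy for logging
 const loggingAttachment = new aws.iam.RolePolicyAttachment(`${name}-Attachment-lambda`, {
 role: partitionRole,
-policyArn: aws.iam.ManagedPolicies.AWSLambdaFullAccess,
+policyArn: aws.iam.ManagedPolicy.AWSLambdaBasicExecutionRole,
 }, options);
 
 const cron = new aws.cloudwatch.EventRule(`${name}-cron`, {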

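--- a/aws-ts-thumbnailer/index.ts
+++ b/aws-ts-thumbnailer/index.ts
@@ -25,8 +25,8 @@ const ffmpegThumbnailTask = new awsx.ecs.FargateTaskDefinition("ffmpegThumbTask"
 bucket.onObjectCreated("onNewVideo", new aws.lambda.CallbackFunction<aws.s3.BucketEvent, void>("onNewVideo", {
 // Specify appropriate policies so that this AWS lambda can run EC2 tasks.
 policies: [
-aws.iam.ManagedPolicies.AWSLambdaFullAccess, // Provides wide access to "serverless" services (Dynamo, S3, etc.)
-aws.iam.ManagedPolicies.AmazonEC2ContainerServiceFullAccess, // Required for lambda compute to be able to run Tasks
+aws.iam.ManagedPolicy.AWSLambdaExecute, // Provides access to logging and S3
+aws.iam.ManagedPolicy.AmazonECSFullAccess, // Required for lambda compute to be able to run Tasks
 ],
 callback: async bucketArgs => {
 console.log("onNewVideo called");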
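Review bot: AmazonECSFullAccess on new line 29 is far broader than what the comment on line 28 claims it is for: launching the one task definition in scope (ffmpegThumbnailTask, from the hunk header) needs ecs:RunTask on that task definition plus iam:PassRole on its task and execution roles, which fits in a short inline policy on the callback's role. If the managed policy is kept for brevity, say so in the comment, e.g. `// Broad for a demo; production code should scope this to ecs:RunTask on the task definition`. The context comment on line 26 also says "run EC2 tasks" while the code launches ECS (Fargate) tasks, so `// Specify appropriate policies so that this AWS lambda can run ECS tasks.` would be accurate. The callback body continues outside the hunk.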

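--- a/aws-ts-thumbnailer/package.json
+++ b/aws-ts-thumbnailer/package.json
@@ -4,7 +4,7 @@
 "main": "index.js",
 "dependencies": {
 "@pulumi/pulumi": "^2.0.0",
-"@pulumi/aws": "^3.0.0",
-"@pulumi/awsx": "^0.23.0"
+"@pulumi/aws": "^3.25.1",
+"@pulumi/awsx": "^0.24.0"
 }
 }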

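--- a/cloud-js-thumbnailer-machine-learning/Pulumi.yaml
+++ b/cloud-js-thumbnailer-machine-learning/Pulumi.yaml
@@ -11,4 +11,4 @@ template:
 default: true
 cloud-aws:computeIAMRolePolicyARNs:
 description: The IAM role policies to apply to compute (both Lambda and ECS) within this Pulumi program
-default: arn:aws:iam::aws:policy/AWSLambdaFullAccess,arn:aws:iam::aws:policy/AmazonEC2ContainerServiceFullAccess,arn:aws:iam::aws:policy/AmazonRekognitionFullAccess
+default: arn:aws:iam::aws:policy/AWSLambdaExecute,arn:aws:iam::aws:policy/AWSLambda_FullAccess,arn:aws:iam::aws:policy/AmazonECS_FullAccess,arn:aws:iam::aws:policy/AmazonRekognitionFullAccess,arn:aws:iam::aws:policy/IAMFullAccess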
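Review bot: The new default on line 14 adds arn:aws:iam::aws:policy/IAMFullAccess to the policy set applied to every Lambda and ECS compute role in this program (next to AWSLambda_FullAccess); IAMFullAccess lets code running under those roles create, modify and attach arbitrary IAM policies, so any compromised function or task could raise its own privileges to administrator. The commit message does not say why it is needed; if it exists so the framework can pass task and execution roles, an iam:PassRole statement scoped to this program's roles would cover that without the rest of IAM. At minimum the description on line 13 should say the default is for the demo only and name the narrower alternative.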
