This repository was archived by the owner on Dec 9, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy pathdeployRole.js
More file actions
114 lines (96 loc) · 2.84 KB
/
deployRole.js
File metadata and controls
114 lines (96 loc) · 2.84 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
const AWS = require('aws-sdk')
const removeRolePolicies = require('./removeRolePolicies.js')
const updateRolePolicy = async (config, params = {}) => {
const iam = new AWS.IAM(config)
// clear previously deployed policy arns if any
await removeRolePolicies(config, params)
if (typeof params.policy === 'string') {
// policy is an arn of a managed policy
await iam
.attachRolePolicy({
RoleName: params.roleName,
PolicyArn: params.policy
})
.promise()
} else {
// Otherwise, create an inline policy
// Policies can either be a full policy object or an array of Statements.
let policyDocument
if (Array.isArray(params.policy)) {
policyDocument = {
Version: '2012-10-17',
Statement: params.policy
}
} else if (params.policy.Statement) {
policyDocument = params.policy
} else {
throw new Error(
'Invalid "policy" param. This can either be a standard IAM Policy object, or an array of Statements to be included in a larger policy object.'
)
}
await iam
.putRolePolicy({
RoleName: params.roleName,
PolicyName: params.roleName,
PolicyDocument: JSON.stringify(policyDocument)
})
.promise()
}
}
const updateRole = async (config, params = {}) => {
const iam = new AWS.IAM(config)
const res = await iam.getRole({ RoleName: params.roleName }).promise()
await iam
.updateAssumeRolePolicy({
RoleName: params.roleName,
PolicyDocument: JSON.stringify(params.assumeRolePolicyDocument)
})
.promise()
await updateRolePolicy(config, params)
return res.Role.Arn
}
const createRole = async (config, params = {}) => {
const iam = new AWS.IAM(config)
const res = await iam
.createRole({
RoleName: params.roleName,
Description: params.roleDescription || null,
Path: '/',
AssumeRolePolicyDocument: JSON.stringify(params.assumeRolePolicyDocument)
})
.promise()
await updateRolePolicy(config, params)
return res.Role.Arn
}
module.exports = async (config, params = {}) => {
/**
* Validate
*/
if (!params.roleName) {
throw new Error(`Missing "roleName" param.`)
}
params.policy = params.policy || 'arn:aws:iam::aws:policy/AdministratorAccess'
// assumeRolePolicyDocument should cancel out "service"
if (!params.assumeRolePolicyDocument) {
params.assumeRolePolicyDocument = {
Version: '2012-10-17',
Statement: {
Effect: 'Allow',
Principal: {
Service: params.service || 'lambda.amazonaws.com'
},
Action: 'sts:AssumeRole'
}
}
}
try {
const roleArn = await updateRole(config, params)
return { roleArn }
} catch (e) {
if (e.code === 'NoSuchEntity') {
const roleArn = await createRole(config, params)
return { roleArn }
}
throw e
}
}