github.com/mweagle/Sparta@v1.15.0/aws/iam/builder/build.go (about) 1 package iambuilder 2 3 import ( 4 sparta "github.com/mweagle/Sparta" 5 spartaIAM "github.com/mweagle/Sparta/aws/iam" 6 gocf "github.com/mweagle/go-cloudformation" 7 ) 8 9 //////////////////////////////////////////////////////////////////////////////// 10 /* 11 ___ ___ ___ ___ _ _ ___ ___ ___ 12 | _ \ __/ __|/ _ \| | | | _ \/ __| __| 13 | / _|\__ \ (_) | |_| | / (__| _| 14 |_|_\___|___/\___/ \___/|_|_\\___|___| 15 */ 16 //////////////////////////////////////////////////////////////////////////////// 17 18 // IAMResourceBuilder encapsulates the IAM builder for a resource 19 type IAMResourceBuilder struct { 20 builder *IAMBuilder 21 resourceParts []gocf.Stringable 22 } 23 24 // Ref inserts a go-cloudformation Ref entry 25 func (iamRes *IAMResourceBuilder) Ref(resName string, delimiter ...string) *IAMResourceBuilder { 26 iamRes.resourceParts = append(iamRes.resourceParts, 27 gocf.Ref(resName)) 28 for _, eachDelimiter := range delimiter { 29 iamRes.resourceParts = append(iamRes.resourceParts, 30 gocf.String(eachDelimiter)) 31 } 32 return iamRes 33 } 34 35 // Attr inserts a go-cloudformation GetAtt entry 36 func (iamRes *IAMResourceBuilder) Attr(resName string, propName string, delimiter ...string) *IAMResourceBuilder { 37 iamRes.resourceParts = append(iamRes.resourceParts, 38 gocf.GetAtt(resName, propName)) 39 for _, eachDelimiter := range delimiter { 40 iamRes.resourceParts = append(iamRes.resourceParts, 41 gocf.String(eachDelimiter)) 42 } 43 return iamRes 44 } 45 46 // Region inserts the AWS::Region pseudo param into the privilege 47 func (iamRes *IAMResourceBuilder) Region(delimiter ...string) *IAMResourceBuilder { 48 iamRes.resourceParts = append(iamRes.resourceParts, 49 gocf.Ref("AWS::Region")) 50 for _, eachDelimiter := range delimiter { 51 iamRes.resourceParts = append(iamRes.resourceParts, 52 gocf.String(eachDelimiter)) 53 } 54 return iamRes 55 } 56 57 // AccountID inserts the AWS::AccountId pseudo param into the privilege 58 func (iamRes *IAMResourceBuilder) AccountID(delimiter ...string) *IAMResourceBuilder { 59 iamRes.resourceParts = append(iamRes.resourceParts, 60 gocf.Ref("AWS::AccountId")) 61 for _, eachDelimiter := range delimiter { 62 iamRes.resourceParts = append(iamRes.resourceParts, 63 gocf.String(eachDelimiter)) 64 } 65 return iamRes 66 } 67 68 // NotificationARNS inserts the AWS::NotificationARNs pseudo param into the privilege 69 func (iamRes *IAMResourceBuilder) NotificationARNS(delimiter ...string) *IAMResourceBuilder { 70 iamRes.resourceParts = append(iamRes.resourceParts, 71 gocf.Ref("AWS::NotificationARNs")) 72 for _, eachDelimiter := range delimiter { 73 iamRes.resourceParts = append(iamRes.resourceParts, 74 gocf.String(eachDelimiter)) 75 } 76 return iamRes 77 } 78 79 // Partition inserts the AWS::Partition pseudo param into the privilege 80 func (iamRes *IAMResourceBuilder) Partition(delimiter ...string) *IAMResourceBuilder { 81 iamRes.resourceParts = append(iamRes.resourceParts, 82 gocf.Ref("AWS::Partition")) 83 for _, eachDelimiter := range delimiter { 84 iamRes.resourceParts = append(iamRes.resourceParts, 85 gocf.String(eachDelimiter)) 86 } 87 return iamRes 88 } 89 90 // StackID inserts the AWS::StackID pseudo param into the privilege 91 func (iamRes *IAMResourceBuilder) StackID(delimiter ...string) *IAMResourceBuilder { 92 iamRes.resourceParts = append(iamRes.resourceParts, 93 gocf.Ref("AWS::StackId")) 94 for _, eachDelimiter := range delimiter { 95 iamRes.resourceParts = append(iamRes.resourceParts, 96 gocf.String(eachDelimiter)) 97 } 98 return iamRes 99 } 100 101 // StackName inserts the AWS::StackName pseudo param into the privilege 102 func (iamRes *IAMResourceBuilder) StackName(delimiter ...string) *IAMResourceBuilder { 103 iamRes.resourceParts = append(iamRes.resourceParts, 104 gocf.Ref("AWS::StackName")) 105 for _, eachDelimiter := range delimiter { 106 iamRes.resourceParts = append(iamRes.resourceParts, 107 gocf.String(eachDelimiter)) 108 } 109 return iamRes 110 } 111 112 // URLSuffix inserts the AWS::URLSuffix pseudo param into the privilege 113 func (iamRes *IAMResourceBuilder) URLSuffix(delimiter ...string) *IAMResourceBuilder { 114 iamRes.resourceParts = append(iamRes.resourceParts, 115 gocf.Ref("AWS::URLSuffix")) 116 for _, eachDelimiter := range delimiter { 117 iamRes.resourceParts = append(iamRes.resourceParts, 118 gocf.String(eachDelimiter)) 119 } 120 return iamRes 121 } 122 123 // Literal inserts a string literal into the ARN being constructed 124 func (iamRes *IAMResourceBuilder) Literal(arnPart string) *IAMResourceBuilder { 125 iamRes.resourceParts = append(iamRes.resourceParts, 126 gocf.String(arnPart)) 127 return iamRes 128 } 129 130 // ToPolicyStatement finalizes the builder and returns a spartaIAM.PolicyStatements 131 func (iamRes *IAMResourceBuilder) ToPolicyStatement() spartaIAM.PolicyStatement { 132 return spartaIAM.PolicyStatement{ 133 Action: iamRes.builder.apiCalls, 134 Effect: iamRes.builder.effect, 135 Resource: gocf.Join("", iamRes.resourceParts...), 136 } 137 } 138 139 // ToPrivilege returns a legacy sparta.IAMRolePrivilege type for this 140 // entry 141 func (iamRes *IAMResourceBuilder) ToPrivilege() sparta.IAMRolePrivilege { 142 return sparta.IAMRolePrivilege{ 143 Actions: iamRes.builder.apiCalls, 144 Resource: gocf.Join("", iamRes.resourceParts...), 145 } 146 } 147 148 // IAMBuilder is the intermediate type that 149 // creates the Resource to which the privilege applies 150 type IAMBuilder struct { 151 apiCalls []string 152 effect string 153 condition interface{} 154 } 155 156 // ForResource returns the IAMPrivilegeBuilder instance 157 // which can be finalized into an IAMRolePrivilege 158 func (iamRes *IAMBuilder) ForResource() *IAMResourceBuilder { 159 return &IAMResourceBuilder{ 160 builder: iamRes, 161 resourceParts: make([]gocf.Stringable, 0), 162 } 163 } 164 165 // WithCondition applies the given condition to the policy 166 func (iamRes *IAMBuilder) WithCondition(conditionExpression interface{}) *IAMBuilder { 167 iamRes.condition = conditionExpression 168 return iamRes 169 } 170 171 //////////////////////////////////////////////////////////////////////////////// 172 /* 173 ___ ___ ___ _ _ ___ ___ ___ _ _ 174 | _ \ _ \_ _| \| |/ __|_ _| _ \/_\ | | 175 | _/ /| || .` | (__ | || _/ _ \| |__ 176 |_| |_|_\___|_|\_|\___|___|_|/_/ \_\____| 177 178 */ 179 //////////////////////////////////////////////////////////////////////////////// 180 181 // IAMPrincipalBuilder is the builder for a Principal allowance 182 type IAMPrincipalBuilder struct { 183 builder *IAMBuilder 184 principal *gocf.IAMPrincipal 185 } 186 187 // ForPrincipals returns the IAMPrincipalBuilder instance 188 // which can be finalized into an IAMRolePrivilege 189 func (iamRes *IAMBuilder) ForPrincipals(principals ...string) *IAMPrincipalBuilder { 190 stringablePrincipals := make([]gocf.Stringable, len(principals)) 191 for index, eachPrincipal := range principals { 192 stringablePrincipals[index] = gocf.String(eachPrincipal) 193 } 194 195 return &IAMPrincipalBuilder{ 196 builder: iamRes, 197 principal: &gocf.IAMPrincipal{ 198 Service: gocf.StringList(stringablePrincipals...), 199 }, 200 } 201 } 202 203 // ForFederatedPrincipals returns the IAMPrincipalBuilder instance 204 // which can be finalized into an IAMRolePrivilege 205 func (iamRes *IAMBuilder) ForFederatedPrincipals(principals ...string) *IAMPrincipalBuilder { 206 stringablePrincipals := make([]gocf.Stringable, len(principals)) 207 for index, eachPrincipal := range principals { 208 stringablePrincipals[index] = gocf.String(eachPrincipal) 209 } 210 211 return &IAMPrincipalBuilder{ 212 builder: iamRes, 213 principal: &gocf.IAMPrincipal{ 214 Federated: gocf.StringList(stringablePrincipals...), 215 }, 216 } 217 } 218 219 // ToPolicyStatement finalizes the builder and returns a spartaIAM.PolicyStatements 220 func (iampb *IAMPrincipalBuilder) ToPolicyStatement() spartaIAM.PolicyStatement { 221 statement := spartaIAM.PolicyStatement{ 222 Action: iampb.builder.apiCalls, 223 Effect: iampb.builder.effect, 224 Principal: iampb.principal, 225 } 226 if iampb.builder.condition != nil { 227 statement.Condition = iampb.builder.condition 228 } 229 return statement 230 } 231 232 // ToPrivilege returns a legacy sparta.IAMRolePrivilege type for this 233 // IAMPrincipalBuilder entry 234 func (iampb *IAMPrincipalBuilder) ToPrivilege() sparta.IAMRolePrivilege { 235 privilege := sparta.IAMRolePrivilege{ 236 Actions: iampb.builder.apiCalls, 237 Principal: iampb.principal, 238 } 239 if iampb.builder.condition != nil { 240 privilege.Condition = iampb.builder.condition 241 } 242 return privilege 243 } 244 245 //////////////////////////////////////////////////////////////////////////////// 246 /* 247 ___ _____ ___ ___ 248 / __|_ _/ _ \| _ \ 249 | (__ | || (_) | / 250 \___| |_| \___/|_|_\ 251 */ 252 //////////////////////////////////////////////////////////////////////////////// 253 254 // Allow creates a IAMPrivilegeBuilder instance Allowing the supplied API calls 255 func Allow(apiCalls ...string) *IAMBuilder { 256 builder := IAMBuilder{ 257 apiCalls: apiCalls, 258 effect: "Allow", 259 } 260 return &builder 261 } 262 263 // Deny creates a IAMPrivilegeBuilder instance Denying the supplied API calls 264 func Deny(apiCalls ...string) *IAMBuilder { 265 builder := IAMBuilder{ 266 apiCalls: apiCalls, 267 effect: "Deny", 268 } 269 return &builder 270 }