<?php
declare(strict_types=1);
/**
* @author Aaron Francis <aarondfrancis@gmail.com|https://twitter.com/aarondfrancis>
*/
namespace Hammerstone\Sidecar\Commands\Actions;
use Aws\Iam\Exception\IamException;
use Aws\Iam\IamClient;
use Illuminate\Support\Arr;
use Throwable;
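class CreateExecutionRole extends BaseAction
{
    /**
     * Name of the IAM role that deployed functions assume at execution time.
     * Used for both the lookup and the create call so they cannot drift apart.
     */
    protected const ROLE_NAME = 'sidecar-execution-role';

    /**
     * Name of the inline policy attached to the execution role.
     */
    protected const POLICY_NAME = 'sidecar-execution-policy';

    protected IamClient $client;

    /**
     * Ensure the execution role exists and carries the inline policy, then
     * return its ARN.
     *
     * @return string The ARN of the execution role.
     */
    public function invoke(): string
    {
        $this->progress('Creating an execution role for your functions...');

        $this->client = $this->command->client(IamClient::class);

        $role = Arr::get($this->findOrCreateRole(), 'Role.Arn');

        // putRolePolicy replaces the inline policy, so running this on an
        // existing role keeps the policy in sync with policy().
        $this->attachPolicy();

        return $role;
    }

    /**
     * @return string The IAM role name used for lookup and creation.
     */
    public function roleName()
    {
        return self::ROLE_NAME;
    }

    /**
     * Look up the execution role by name, creating it only when IAM reports
     * that it does not exist.
     *
     * Only a NoSuchEntity error is treated as "missing". Any other failure
     * (access denied, throttling, transport errors) is rethrown, so it is not
     * masked by a confusing EntityAlreadyExists error from createRole().
     *
     * @return \Aws\Result The GetRole or CreateRole result.
     *
     * @throws IamException When the lookup fails for a reason other than the
     *                      role being absent, or when creation fails.
     */
    protected function findOrCreateRole()
    {
        try {
            // Previously the name was hard-coded here while createRole() used
            // roleName(); both must go through roleName() so an override is
            // honoured consistently.
            $role = $this->client->getRole([
                'RoleName' => $this->roleName(),
            ]);

            $this->progress('Role already exists');
        } catch (IamException $e) {
            if ($e->getAwsErrorCode() !== 'NoSuchEntity') {
                throw $e;
            }

            $role = $this->createRole();
        }

        return $role;
    }

    /**
     * Create the execution role with a trust policy that lets the Lambda
     * service (and only that service) assume it.
     *
     * @return \Aws\Result The CreateRole result.
     */
    protected function createRole()
    {
        return $this->client->createRole([
            'RoleName' => $this->roleName(),
            'AssumeRolePolicyDocument' => json_encode([
                'Version' => '2012-10-17',
                'Statement' => [[
                    'Effect' => 'Allow',
                    'Principal' => [
                        'Service' => 'lambda.amazonaws.com',
                    ],
                    'Action' => 'sts:AssumeRole',
                ]],
            ]),
        ]);
    }

    /**
     * Attach (or replace) the inline execution policy on the role.
     *
     * @return void
     */
    protected function attachPolicy()
    {
        $this->progress('Attaching policy to execution role...');

        $this->client->putRolePolicy([
            'PolicyName' => self::POLICY_NAME,
            'RoleName' => $this->roleName(),
            'PolicyDocument' => json_encode($this->policy()),
        ]);
    }

    /**
     * The inline policy document granted to every function using this role.
     *
     * Note the breadth of this grant: `Resource` is `*` and the action list
     * includes `s3:*`, i.e. full access to every bucket in the account, plus
     * `lambda:invokeFunction` on any function. Deployments with stricter
     * least-privilege requirements should override this method and scope the
     * resources and actions to what their functions actually need.
     *
     * @return array<string, mixed> An IAM policy document.
     */
    protected function policy()
    {
        return [
            'Version' => '2012-10-17',
            'Statement' => [[
                'Effect' => 'Allow',
                'Resource' => '*',
                'Action' => [
                    'logs:CreateLogGroup',
                    'logs:CreateLogStream',
                    'logs:FilterLogEvents',
                    'logs:PutLogEvents',
                    'lambda:invokeFunction',
                    's3:*',
                ],
            ]],
        ];
    }
}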