diff --git a/aws/policy/paas.yaml b/aws/policy/paas.yaml
index 641f58ad..2a476931 100644
--- a/aws/policy/paas.yaml
+++ b/aws/policy/paas.yaml
@@ -24,6 +24,14 @@ Statement:
 - Sid: AllowResourceRestrictedActionsWhichIncurNoFees
 Effect: Allow
 Action:
+ - cloudfront:CreateInvalidation
+ - cloudfront:DeleteCloudFrontOriginAccessIdentity
+ - cloudfront:DeleteDistribution
+ - cloudfront:DeleteStreamingDistribution
+ - cloudfront:TagResource
+ - cloudfront:UntagResource
+ - cloudfront:UpdateCloudFrontOriginAccessIdentity
+ - cloudfront:UpdateDistribution
 - ecr:DeleteLifecyclePolicy
 - ecr:DeleteRepository
 - ecr:DeleteRepositoryPolicy
@@ -86,6 +94,9 @@ Statement:
 - lightsail:StopInstance
 - lightsail:ReleaseStaticIp
 Resource:
+ - 'arn:aws:cloudfront::{{ aws_account_id }}:distribution/*'
+ - 'arn:aws:cloudfront::{{ aws_account_id }}:origin-access-identity/*'
+ - 'arn:aws:cloudfront::{{ aws_account_id }}:streaming-distribution/*'
 - 'arn:aws:ecr:{{ aws_region }}:{{ aws_account_id }}:repository/*'
 - 'arn:aws:eks:{{ aws_region }}:{{ aws_account_id }}:cluster/*'
 - 'arn:aws:eks:{{ aws_region }}:{{ aws_account_id }}:fargateprofile/*/*/*'
@@ -95,16 +106,19 @@ Statement:
 - 'arn:aws:lightsail:{{ aws_region }}:{{ aws_account_id }}:*'
 - 'arn:aws:lambda:{{ aws_region }}:{{ aws_account_id }}:layer:*'
- # - Sid: AllowUnrestrictedResourceActionsWhichIncurFees
- # Effect: Allow
- # Action:
- # -
- # Resource:
- # - "*"
+ - Sid: AllowUnrestrictedResourceActionsWhichIncurFees
+ Effect: Allow
+ Action:
+ - cloudfront:CreateDistribution
+ - cloudfront:CreateStreamingDistribution
+ - cloudfront:CreateStreamingDistributionWithTags
+ Resource:
+ - "*"
 - Sid: AllowUnrestrictedResourceActionsWhichIncurNoFees
 Effect: Allow
 Action:
+ - cloudfront:CreateCloudFrontOriginAccessIdentity
 - ecr:GetAuthorizationToken
 - ecr:CreateRepository
 - ecr:DescribeRepositories
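Review bot: `cloudfront:CreateInvalidation` is placed under `AllowResourceRestrictedActionsWhichIncurNoFees`, but CloudFront bills invalidation path requests beyond a monthly free allotment, so the Sid's no-fee promise does not strictly hold for that entry. If the fee-bearing statement further down is meant to be the home for such actions, move it there; otherwise add a comment next to the entry, e.g. `# invalidations are free only up to a monthly path quota`. The remaining delete/update/tag actions added here are consistent with the statement's intent.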
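Review bot: The revived `AllowUnrestrictedResourceActionsWhichIncurFees` statement grants `cloudfront:CreateStreamingDistributionWithTags` but not the non-streaming `cloudfront:CreateDistributionWithTags`, so a tag-on-create of an ordinary distribution is denied while the streaming variant is allowed. If that asymmetry is intended it deserves a comment; otherwise add `- cloudfront:CreateDistributionWithTags` to the list. Since this also turns the previously commented-out fee-incurring statement live with `Resource: "*"`, a one-line comment on why these create actions cannot be resource-restricted would help the next reader.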
@@ -115,6 +129,8 @@ Statement:
 - lambda:ListFunctions
 - lambda:ListLayers
 - lambda:ListVersionsByFunction
+ - cloudfront:Get*
+ - cloudfront:List*
 Resource:
 - "*"
diff --git a/aws/terminator/paas.py b/aws/terminator/paas.py
index 7d5ef3dd..5df85809 100644
--- a/aws/terminator/paas.py
+++ b/aws/terminator/paas.py
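Review bot: The `cloudfront:Get*` and `cloudfront:List*` entries are appended after the `lambda:` actions, although the list appears to be grouped by service in alphabetical order and the other cloudfront additions in this commit sit at the head of their lists; move the two lines above the `ecr:` entries for consistency. The wildcards will also match any `Get`/`List` action CloudFront introduces later, which is acceptable for read-only discovery but worth stating, e.g. `# read-only discovery; wildcard intentionally covers future Get*/List* actions`.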
@@ -44,3 +44,76 @@ def created_time(self):
 def terminate(self):
 for version in self.client.list_layer_versions(LayerName=self.name)['LayerVersions']:
 self.client.delete_layer_version(LayerName=self.name, VersionNumber=version['Version'])
+
+
+class CloudFrontDistribution(Terminator):
+ @staticmethod
+ def create(credentials):
+ def list_cloudfront_distributions(client):
+ result = client.get_paginator('list_distributions').paginate().build_full_result()
+ return result.get('DistributionList', {}).get('Items', [])
+
+ return Terminator._create(credentials, CloudFrontDistribution, 'cloudfront', list_cloudfront_distributions)
+
+ @property
+ def created_time(self):
+ return self.instance['LastModifiedTime']
+
+ @property
+ def name(self):
+ return self.instance['DomainName']
+
+ @property
+ def Id(self):
+ return self.instance['Id']
+
+ def terminate(self):
+
+ distribution = self.client.get_distribution(Id=self.Id)
+ ETag = distribution['ETag']
+ distribution = distribution['Distribution']
+ if distribution.get('Status') == "Deployed":
+ if distribution['DistributionConfig']['Enabled']:
+ # disable distribution
+ distribution['DistributionConfig']['Enabled'] = False
+ self.client.update_distribution(DistributionConfig=distribution['DistributionConfig'], Id=self.Id, IfMatch=ETag)
+ else:
+ # delete distribution
+ self.client.delete_distribution(Id=self.Id, IfMatch=ETag)
+
+
+class CloudFrontStreamingDistribution(Terminator):
+ @staticmethod
+ def create(credentials):
+ def list_cloudfront_streaming_distributions(client):
+ result = client.get_paginator('list_streaming_distributions').paginate().build_full_result()
+ return result.get('StreamingDistributionList', {}).get('Items', [])
+
+ return Terminator._create(credentials, CloudFrontStreamingDistribution, 'cloudfront', list_cloudfront_streaming_distributions)
+
+ @property
+ def created_time(self):
+ return self.instance['LastModifiedTime']
+
+ @property
+ def name(self):
+ return self.instance['DomainName']
+
+ @property
+ def Id(self):
+ return self.instance['Id']
+
+ def terminate(self):
+ streaming_distribution = self.client.get_streaming_distribution(Id=self.Id)
+ ETag = streaming_distribution['ETag']
+ streaming_distribution = streaming_distribution['StreamingDistribution']
+ if streaming_distribution.get('Status') == "Deployed":
+ if streaming_distribution['StreamingDistributionConfig']['Enabled']:
+ # disable streaming distribution
+ streaming_distribution['StreamingDistributionConfig']['Enabled'] = False
+ self.client.update_streaming_distribution(StreamingDistributionConfig=streaming_distribution['StreamingDistributionConfig'],
+ Id=self.Id,
+ IfMatch=ETag)
+ else:
+ # delete streaming distribution
+ self.client.delete_streaming_distribution(Id=self.Id, IfMatch=ETag)
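Review bot: `created_time` on both new classes returns `LastModifiedTime`, and `terminate` itself rewrites the distribution when it disables it via `update_distribution` / `update_streaming_distribution`, which moves that timestamp; if the Terminator base class (not visible in this hunk) gates termination on the age of `created_time`, each disabled distribution then looks freshly created and its delete pass is postponed by a full age window. If the list responses expose no creation timestamp this is the best field available, but the two-pass disable-then-delete behaviour and the timestamp caveat should be documented: a docstring on each `terminate` along the lines of `"""Disable a deployed, enabled distribution; delete it on a later pass once it is deployed and disabled. Nothing is done while Status is not Deployed."""`, and on `created_time` the comment `# no creation time in the summary; LastModifiedTime also moves when terminate() disables the distribution`. Style: the `Id` property and the `ETag` local break the snake_case used by `created_time` and `name` (`distribution_id` / `etag` would be conventional), and the blank line after `def terminate(self):` in `CloudFrontDistribution` is absent in the streaming counterpart. The leading context lines belong to a `terminate` of a class defined above this hunk.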