Common Properties

Property

This class is used for all property types that we haven't had time to implement yet.

Properties:

  • Condition

Policy

Contains information about an attached policy.

Properties:

  • PolicyDocument: A policy document object.
  • PolicyName: The friendly name (not ARN) identifying the policy.

PolicyDocument

Contains information about an attached policy.

Properties:

allowed_actions_with(self, pattern)

Finds all statements which have at least one action with the pattern.

Parameters:

Name Type Description Default
pattern Pattern

Pattern to match.

required

Returns:

Type Description
List[pycfmodel.model.resources.properties.statement.Statement]

List of statements.

Source code in pycfmodel/model/resources/properties/policy_document.py
def allowed_actions_with(self, pattern: Pattern) -> List[Statement]:
    """
    Finds all statements which have at least one action with the pattern.

    A statement is kept only when `actions_with(pattern)` returns a non-empty
    list *and* its `Effect` is exactly `"Allow"` (the comparison is
    case-sensitive); Deny statements are never returned.

    Arguments:
        pattern: Pattern to match.

    Returns:
        List of [statements][pycfmodel.model.resources.properties.statement.Statement].
    """
    matching = []
    for statement in self._statement_as_list():
        has_matching_action = bool(statement.actions_with(pattern))
        if has_matching_action and statement.Effect == "Allow":
            matching.append(statement)
    return matching

allowed_principals_with(self, pattern)

Finds all allowed principals which match the pattern.

Parameters:

Name Type Description Default
pattern Pattern

Pattern to match.

required

Returns:

Type Description
List[str]

List of principals.

Source code in pycfmodel/model/resources/properties/policy_document.py
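def allowed_principals_with(self, pattern: Pattern) -> List[str]:
    """
    Finds all allowed principals which match the pattern.

    Principals are gathered from every statement whose `Effect` is exactly
    `"Allow"` (case-sensitive). Duplicates across statements are collapsed and
    the result is sorted, so repeated runs over the same policy yield the same
    list (a plain `list(set)` would vary with hash randomisation), matching
    the ordering contract of `get_allowed_actions`.

    Arguments:
        pattern: Pattern to match.

    Returns:
        Sorted, de-duplicated list of principals.
    """
    principals = set()
    for statement in self._statement_as_list():
        if statement.Effect == "Allow":
            principals.update(statement.principals_with(pattern))
    # sorted() instead of list(): deterministic output for reports and tests.
    return sorted(principals)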

get_allowed_actions(self)

Find all allowed Actions which are specified in statements.

Returns:

Type Description
List[str]

List of matching actions.

Source code in pycfmodel/model/resources/properties/policy_document.py
def get_allowed_actions(self) -> List[str]:
    """
    Find all allowed Actions which are specified in statements.

    Statements are selected by comparing `Effect` case-insensitively against
    `"allow"`; the expanded action lists of the selected statements are
    merged, de-duplicated and returned in sorted order.

    Returns:
        List of matching actions.
    """
    allow_statements = (
        statement for statement in self._statement_as_list() if statement.Effect.lower() == "allow"
    )
    collected = set()
    for statement in allow_statements:
        collected |= set(statement.get_expanded_action_list())
    return sorted(collected)

get_iam_actions(self, difference=False)

Find all IAM Actions which are specified in statements.

Parameters:

Name Type Description Default
difference

when True, the behaviour changes to find the difference between all IAM Actions and those specified in the statements of the policy.

False

Returns:

Type Description
List[str]

List of matching actions.

Source code in pycfmodel/model/resources/properties/policy_document.py
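def get_iam_actions(self, difference=False) -> List[str]:
    """
    Find all IAM Actions which are specified in statements.

    An action counts as an IAM action when its expanded name starts with the
    literal prefix `iam:`. `Effect` is not consulted, so actions from Deny
    statements are collected as well.

    Arguments:
        difference: when True, the behaviour changes to find the difference between all IAM Actions and those
        specified in the statements of the policy. Default = False.

    Returns:
        Sorted list of matching actions; with `difference=True`, the sorted list
        of IAM actions from `CLOUDFORMATION_ACTIONS` that no statement mentions.
    """
    actions = set()
    for statement in self._statement_as_list():
        actions.update(
            action for action in statement.get_expanded_action_list() if action.startswith("iam:")
        )

    if difference:
        # NOTE(review): the statement-side prefix check above is case-sensitive while the
        # catalogue below is lower-cased first, so an action spelled "IAM:..." in a statement
        # is neither collected nor subtracted here — confirm whether that is intended.
        all_iam_actions = {action for action in CLOUDFORMATION_ACTIONS if action.lower().startswith("iam:")}
        return sorted(all_iam_actions - actions)

    return sorted(actions)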

non_whitelisted_allowed_principals(self, whitelist)

Find non whitelisted allowed principals.

Parameters:

Name Type Description Default
whitelist List[str]

List of whitelisted principals.

required

Returns:

Type Description
List[str]

List of principals.

Source code in pycfmodel/model/resources/properties/policy_document.py
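def non_whitelisted_allowed_principals(self, whitelist: List[str]) -> List[str]:
    """
    Find non whitelisted allowed principals.

    Only statements whose `Effect` is exactly `"Allow"` (case-sensitive) are
    inspected; each contributes the principals that
    `Statement.non_whitelisted_principals` reports. Duplicates across
    statements are collapsed and the result is sorted so that repeated runs
    produce identical output (a plain `list(set)` would vary with hash
    randomisation), in line with `get_allowed_actions`.

    Arguments:
        whitelist: List of whitelisted principals.

    Returns:
        Sorted, de-duplicated list of principals.
    """
    principals = set()
    for statement in self._statement_as_list():
        if statement.Effect == "Allow":
            principals.update(statement.non_whitelisted_principals(whitelist))
    # sorted() instead of list(): deterministic output for reports and tests.
    return sorted(principals)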

statements_with(self, pattern)

Finds all statements which have at least one resource with the pattern.

Parameters:

Name Type Description Default
pattern Pattern

Pattern to match.

required

Returns:

Type Description
List[pycfmodel.model.resources.properties.statement.Statement]

List of statements.

Source code in pycfmodel/model/resources/properties/policy_document.py
def statements_with(self, pattern: Pattern) -> List[Statement]:
    """
    Finds all statements which have at least one resource with the pattern.

    Unlike `allowed_actions_with`, `Effect` is not considered: both Allow and
    Deny statements are returned when `resources_with(pattern)` is non-empty.

    Arguments:
        pattern: Pattern to match.

    Returns:
        List of [statements][pycfmodel.model.resources.properties.statement.Statement].
    """
    matching = []
    for statement in self._statement_as_list():
        if statement.resources_with(pattern):
            matching.append(statement)
    return matching

SecurityGroupEgressProp

An outbound rule permits instances to send traffic from the specified IPv4 or IPv6 CIDR address range, or to the instances associated with the specified security group.

Properties:

  • CidrIp: The IPv4 ranges.
  • CidrIpv6: The IPv6 ranges.
  • Description: The description of an egress (outbound) security group rule.
  • DestinationPrefixListId: The prefix list IDs for an AWS service.
  • DestinationSecurityGroupId: The ID of the security group.
  • FromPort: The start of port range for the TCP and UDP protocols.
  • IpProtocol: The IP protocol name (tcp, udp, icmp, icmpv6) or number (see Protocol Numbers).
  • ToPort: The end of port range for the TCP and UDP protocols.

More info at AWS Docs

ipv4_slash_zero(self)

Returns True if CidrIp matches 0.0.0.0/0, otherwise False.

Source code in pycfmodel/model/resources/properties/security_group_egress_prop.py
def ipv4_slash_zero(self) -> bool:
    """
    Returns True if `CidrIp` matches `0.0.0.0/0`, otherwise False.

    `0.0.0.0/0` is the unrestricted IPv4 range, i.e. the rule is not limited
    to any particular destination. An unset or empty `CidrIp` yields False
    without attempting the comparison.
    """
    # Remove after this is fixed https://bugs.python.org/issue38655
    # (the empty-value guard below exists only because of that issue)
    cidr = self.CidrIp
    if cidr:
        return cidr == IPv4Network(IPV4_ZERO_VALUE)
    return False

ipv6_slash_zero(self)

Returns True if CidrIpv6 matches ::/0, otherwise False.

Source code in pycfmodel/model/resources/properties/security_group_egress_prop.py
def ipv6_slash_zero(self) -> bool:
    """
    Returns True if `CidrIpv6` matches `::/0`, otherwise False.

    `::/0` is the unrestricted IPv6 range, i.e. the rule is not limited to any
    particular destination. An unset or empty `CidrIpv6` yields False without
    attempting the comparison.
    """
    # Remove after this is fixed https://bugs.python.org/issue38655
    # (the empty-value guard below exists only because of that issue)
    cidr = self.CidrIpv6
    if cidr:
        return cidr == IPv6Network(IPV6_ZERO_VALUE)
    return False

SecurityGroupIngressProp

An inbound rule permits instances to receive traffic from the specified IPv4 or IPv6 CIDR address range, or from the instances associated with the specified security group.

Properties:

  • CidrIp: The IPv4 ranges.
  • CidrIpv6: The IPv6 ranges.
  • Description: The description of an ingress (inbound) security group rule.
  • FromPort: The start of port range for the TCP and UDP protocols.
  • IpProtocol: The IP protocol name (tcp, udp, icmp, icmpv6) or number (see Protocol Numbers).
  • SourcePrefixListId: The prefix list IDs for an AWS service.
  • SourceSecurityGroupId: The ID of the security group.
  • SourceSecurityGroupName: The name of the source security group.
  • SourceSecurityGroupOwnerId: The AWS account ID for the source security group.
  • ToPort: The end of port range for the TCP and UDP protocols.

More info at AWS Docs

ipv4_slash_zero(self)

Returns True if CidrIp matches 0.0.0.0/0, otherwise False.

Source code in pycfmodel/model/resources/properties/security_group_ingress_prop.py
def ipv4_slash_zero(self) -> bool:
    """
    Returns True if `CidrIp` matches `0.0.0.0/0`, otherwise False.

    `0.0.0.0/0` is the unrestricted IPv4 range, i.e. the rule accepts traffic
    from any IPv4 source. An unset or empty `CidrIp` is reported as False
    without attempting the comparison.
    """
    # Remove after this is fixed https://bugs.python.org/issue38655
    # (the empty-value guard exists only because of that issue)
    cidr = self.CidrIp
    return cidr == IPv4Network(IPV4_ZERO_VALUE) if cidr else False

ipv6_slash_zero(self)

Returns True if CidrIpv6 matches ::/0, otherwise False.

Source code in pycfmodel/model/resources/properties/security_group_ingress_prop.py
def ipv6_slash_zero(self) -> bool:
    """
    Returns True if `CidrIpv6` matches `::/0`, otherwise False.

    `::/0` is the unrestricted IPv6 range, i.e. the rule accepts traffic from
    any IPv6 source. An unset or empty `CidrIpv6` is reported as False
    without attempting the comparison.
    """
    # Remove after this is fixed https://bugs.python.org/issue38655
    # (the empty-value guard exists only because of that issue)
    cidr = self.CidrIpv6
    return cidr == IPv6Network(IPV6_ZERO_VALUE) if cidr else False

Statement

Contains information about an attached policy.

Properties:

  • Sid: Optional identifier.
  • Effect: Whether the statement results in an allow or an explicit deny.
  • Principal: Specify the IAM user, federated user, IAM role, AWS account, AWS service, or other principal that is allowed to access a resource.
  • NotPrincipal: Specify the IAM user, federated user, IAM role, AWS account, AWS service, or other principal that is not allowed or denied access to a resource.
  • Action: Specific action or actions that will be allowed or denied.
  • NotAction: Explicitly matches everything except the specified action or list of actions.
  • Resource: Specifies the object or objects that the statement covers.
  • NotResource: Specifies the object or objects that the statement does not cover.

More info at AWS Docs

actions_with(self, pattern)

Finds all actions which match the pattern.

Parameters:

Name Type Description Default
pattern Pattern

Pattern to match.

required

Returns:

Type Description
List[str]

List of actions.

Source code in pycfmodel/model/resources/properties/statement.py
def actions_with(self, pattern: Pattern) -> List[str]:
    """
    Finds all actions which match the pattern.

    Only plain-string actions are considered; unresolved dict entries returned
    by `get_action_list` (both `Action` and `NotAction` values) are skipped.
    `pattern.match` is used, so the pattern is anchored at the start of the
    action name.

    Arguments:
        pattern: Pattern to match.

    Returns:
        List of actions.
    """
    matched = []
    for action in self.get_action_list():
        if not isinstance(action, str):
            continue
        if pattern.match(action):
            matched.append(action)
    return matched

get_action_list(self, include_action=True, include_not_action=True)

Gets all actions specified in Action and NotAction.

Returns:

Type Description
List[Union[str, pycfmodel.model.base.FunctionDict]]

List of actions.

Source code in pycfmodel/model/resources/properties/statement.py
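def get_action_list(self, include_action=True, include_not_action=True) -> List[ResolvableStr]:
    """
    Gets all actions specified in `Action` and `NotAction`.

    Arguments:
        include_action: when True (default), the value of `Action` is included.
        include_not_action: when True (default), the value of `NotAction` is included.

    Returns:
        List of actions. A list-valued field contributes each of its items; a
        string or dict value (the unresolved `FunctionDict` form) is appended
        as-is; any other value, including an unset field, is skipped. The result
        does not record which field an entry came from — `NotAction` inverts the
        meaning of its entries, so callers that need to tell them apart should
        call this twice with one of the flags disabled.
    """
    action_list = []
    included_actions = []
    if include_action:
        included_actions.append(self.Action)
    if include_not_action:
        included_actions.append(self.NotAction)
    for actions in included_actions:
        # Builtin types rather than typing.List for the runtime check.
        if isinstance(actions, list):
            action_list.extend(actions)
        elif isinstance(actions, (str, dict)):
            action_list.append(actions)
    return action_list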

get_principal_list(self)

Gets all principals specified in Principal and NotPrincipal.

Returns:

Type Description
List[Union[str, pycfmodel.model.base.FunctionDict]]

List of principals.

Source code in pycfmodel/model/resources/properties/statement.py
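def get_principal_list(self) -> List[ResolvableStr]:
    """
    Gets all principals specified in `Principal` and `NotPrincipal`.

    Returns:
        List of principals. A list contributes its items and a string is
        appended as-is. A dict that `is_resolvable_dict` recognises
        (presumably an unresolved intrinsic function) is kept as a single
        entry; any other dict is treated as the `{<principal type>: value}`
        map, whose keys (e.g. the principal type) are dropped and whose
        string/dict values are appended and list values extended. Entries
        from `NotPrincipal` are not distinguished from those of `Principal`.

    Raises:
        ValueError: if `Principal` or `NotPrincipal` holds a value of any
            other type than list, str, dict or None.
    """
    principal_list = []
    for principals in (self.Principal, self.NotPrincipal):
        # Builtin types rather than typing.List/Dict for the runtime checks.
        if isinstance(principals, list):
            principal_list.extend(principals)
        elif isinstance(principals, str):
            principal_list.append(principals)
        elif is_resolvable_dict(principals):
            # Must be tested before the generic dict branch: a resolvable dict
            # is one principal, not a map of principal types.
            principal_list.append(principals)
        elif isinstance(principals, dict):
            for value in principals.values():
                if isinstance(value, (str, dict)):
                    principal_list.append(value)
                elif isinstance(value, list):
                    principal_list.extend(value)
        elif principals is not None:
            raise ValueError(f"Not supported type: {type(principals)}")
    return principal_list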

get_resource_list(self)

Gets all resources specified in Resource and NotResource.

Returns:

Type Description
List[Union[str, pycfmodel.model.base.FunctionDict]]

List of resources.

Source code in pycfmodel/model/resources/properties/statement.py
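def get_resource_list(self) -> List[ResolvableStr]:
    """
    Gets all resources specified in `Resource` and `NotResource`.

    Returns:
        List of resources. A list-valued field contributes each of its items;
        a string or dict value (the unresolved `FunctionDict` form) is appended
        as-is; any other value, including an unset field, is skipped. Entries
        from `NotResource` are not distinguished from those of `Resource`.
    """
    resource_list = []
    for resources in (self.Resource, self.NotResource):
        # Builtin type rather than typing.List for the runtime check.
        if isinstance(resources, list):
            resource_list.extend(resources)
        elif isinstance(resources, (str, dict)):
            resource_list.append(resources)
    return resource_list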

non_whitelisted_principals(self, whitelist)

Find non whitelisted principals.

Parameters:

Name Type Description Default
whitelist List[str]

List of whitelisted principals.

required

Returns:

Type Description
List[str]

List of principals.

Source code in pycfmodel/model/resources/properties/statement.py
def non_whitelisted_principals(self, whitelist: List[str]) -> List[str]:
    """
    Find non whitelisted principals.

    Comparison against the whitelist is exact string equality — no pattern or
    wildcard semantics. Only plain-string principals are reported; unresolved
    dict entries from `get_principal_list` (including those under
    `NotPrincipal`) are skipped silently.

    Arguments:
        whitelist: List of whitelisted principals.

    Returns:
        List of principals.
    """
    flagged = []
    for principal in self.get_principal_list():
        if not isinstance(principal, str):
            continue
        if principal in whitelist:
            continue
        flagged.append(principal)
    return flagged

principals_with(self, pattern)

Finds all principals which match the pattern.

Parameters:

Name Type Description Default
pattern Pattern

Pattern to match.

required

Returns:

Type Description
List[str]

List of principals.

Source code in pycfmodel/model/resources/properties/statement.py
def principals_with(self, pattern: Pattern) -> List[str]:
    """
    Finds all principals which match the pattern.

    Only plain-string principals are considered; unresolved dict entries from
    `get_principal_list` are skipped. `pattern.match` is used, so the pattern
    is anchored at the start of the principal string.

    Arguments:
        pattern: Pattern to match.

    Returns:
        List of principals.
    """
    string_principals = (p for p in self.get_principal_list() if isinstance(p, str))
    return [p for p in string_principals if pattern.match(p)]

resources_with(self, pattern)

Finds all resources which match the pattern.

Parameters:

Name Type Description Default
pattern Pattern

Pattern to match.

required

Returns:

Type Description
List[str]

List of resources.

Source code in pycfmodel/model/resources/properties/statement.py
def resources_with(self, pattern: Pattern) -> List[str]:
    """
    Finds all resources which match the pattern.

    Only plain-string resources are considered; unresolved dict entries from
    `get_resource_list` (both `Resource` and `NotResource` values) are
    skipped. `pattern.match` is used, so the pattern is anchored at the start
    of the resource string.

    Arguments:
        pattern: Pattern to match.

    Returns:
        List of resources.
    """
    matched = []
    for resource in self.get_resource_list():
        if isinstance(resource, str) and pattern.match(resource):
            matched.append(resource)
    return matched