Merge remote-tracking branch 'origin/python-refactor' into python-refactor

Mitch Garnaat
Commit d9c1d280eec399206ab8bac7b952dbf71657bee2 d9c1d280 2 parents 9ba7028f bd4bc560
Showing 2 changed files with 40 additions and 4 deletions
README.md
kappa/policy.py
--- a/README.md
View file @d9c1d28
+++ b/README.md
View file @d9c1d28
@@ -70,9 +70,9 @@ simple/
 
 Within the directory we see:
 
- * kappa.yml.sample which is a sample YAML configuration file for the project
- * _src which is a directory containing the source code for the Lambda function
- * _test which is a directory containing some test data
+ * `kappa.yml.sample` which is a sample YAML configuration file for the project
+ * `_src` which is a directory containing the source code for the Lambda function
+ * `_test` which is a directory containing some test data
 
 The first step is to make a copy of the sample configuration file:
 
@@ -204,3 +204,36 @@ Kappa will figure out what has changed and make the necessary updates for you.
 
 That gives you a quick overview of kappa.  To learn more about it, I recommend
 you check out the tutorial.
+ 
+ Policies
+ --------
+ 
+ Hands up who loves writing IAM policies. Yeah, that's what I thought. With
+ Kappa, there is a simplified way of writing policies and granting your Lambda
+ function the permissions it needs.
+ 
+ The simplified version allows you to specify, in your `kappa.yml` file, the
+ ARN of the resource you want to access, and then a list of the API methods you
+ want to allow. For example:
+ 
+ ```
+ policy:
+   resources:
+     - arn: arn:aws:logs:*:*:*
+       actions:
+         - "*"
+ ```
+ 
+ To express this using the official IAM policy format, you can instead use a
+ statement:
+ 
+ ```
+ policy:
+   statements:
+     - Effect: Allow
+       Resource: "*"
+       Action:
+         - "logs:*"
+ ```
+ 
+ Both of these do the same thing.
--- a/kappa/policy.py
View file @d9c1d28
+++ b/kappa/policy.py
View file @d9c1d28
@@ -44,7 +44,8 @@ class Policy(object):
             self.environment)
 
     def document(self):
-         if 'resources' not in self._config['policy']:
+         if ('resources' not in self._config['policy'] and
+                 'statements' not in self._config['policy']):
             return None
         document = {"Version": "2012-10-17"}
         statements = []
@@ -59,6 +60,8 @@ class Policy(object):
                 actions.append("{}:{}".format(service, action))
             statement['Action'] = actions
             statements.append(statement)
+         for statement in self._config['policy'].get('statements', []):
+             statements.append(statement)
         return json.dumps(document, indent=2, sort_keys=True)
 
     @property