# Copyright 2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of this
# software and associated documentation files (the "Software"), to deal in the Software
# without restriction, including without limitation the rights to use, copy, modify,
# merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
# INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
# PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

import boto3
import json
from botocore.exceptions import ClientError

# lambda function that interacts with IAM
#   to replace the managed IAM policy on a given IAM Group.
# Input parameters:
#   GroupName = the IAM Group Name
#   DetachPolicyArn = the ARN of the policy that needs to be detached.
#   AttachPolicyArn = the ARN of the policy that needs to be attached.
#
# The function is triggered from a step function state machine
# The code attempts to first detach the given policy (referenced through its ARN)
# Then it attempts to attach the given policy (again, referenced through its ARN)

def lambda_handler(context,event):
    try:
        iam = boto3.resource('iam')
        print ("parameters: " + json.dumps(context))

        group           = iam.Group(context['GroupName'])
        group.detach_policy(PolicyArn=context['DetachPolicyArn'])
        group.attach_policy(PolicyArn=context['AttachPolicyArn'])

        return 200 #SUCCESS
    except ClientError as e:
        if e.response['Error']['Code'] == 'NoSuchEntity':
            print ("Incorrect Policy Arn. Either the policy is not attached to the given group, or the policy arn does not exist")
            return e.response['ResponseMetadata']['HTTPStatusCode']
        else:
            print ("Unexpected error: %s" % e)
            return 500