MovableInkAWS 2.6.2 → 2.6.3
- checksums.yaml +4 -4
- data/Gemfile.lock +1 -1
- data/lib/movable_ink/aws/iam.rb +23 -0
- data/lib/movable_ink/aws/ssm.rb +21 -2
- data/lib/movable_ink/aws.rb +2 -2
- data/lib/movable_ink/version.rb +1 -1
- data/spec/iam_spec.rb +43 -0
- data/spec/ssm_spec.rb +34 -0
- metadata +4 -2
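--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 4e7ad037cd5628c4064e602e7818305adf691666f178b1cba16f967c17021b1d
+data.tar.gz: 7f6fbc76c3c7669aadd15682cd806c2e3268f39cd74dd395913910aa01b826f7
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 73af21192d6d001442427ed83f21e18b7aee0e214243b6e8572d1ca51f2b9d15a562e14435f666737f6158651285c2a95ac59f3c7a38d8a7539404a4f24a2559
+data.tar.gz: 0cc73c99406611d2d6482149eea67a8c235b7b5caa0dd7d366ac0e6256c5a2b8faae3de6e83350ff71a464cac40f2b518c6b7a5b72e80613af8a8ee8042352c3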
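--- a/data/lib/movable_ink/aws/iam.rb
+++ b/data/lib/movable_ink/aws/iam.rb
@@ -0,0 +1,23 @@
+require 'aws-sdk-iam'
+
+module MovableInk
+class AWS
+module IAM
+def is_arn_iam_user?(arn, username = nil)
+# arn:aws:iam::account:user/user-name-with-path
+!arn.match(/arn:aws:iam::\d+:user\/#{(username) ? username + '$' : ''}/).nil?
+end
+
+def is_arn_iam_role?(arn, rolename = nil)
+# arn:aws:iam::account:role/role-name-with-path
+!arn.match(/arn:aws:iam::\d+:role\/#{(rolename) ? rolename + '$' : ''}/).nil?
+end
+
+def is_arn_iam_assumed_role?(arn, rolename = nil, exact_match = true)
+# arn:aws:sts::account:assumed-role/role-name/role-session-name
+role_name_session_delimiter = (exact_match) ? '/' : ''
+!arn.match(/arn:aws:sts::\d+:assumed\-role\/#{(rolename) ? rolename + role_name_session_delimiter : ''}/).nil?
+end
+end
+end
+end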
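Review bot: The name passed to `is_arn_iam_user?`, `is_arn_iam_role?` and `is_arn_iam_assumed_role?` is interpolated into the regex unescaped, so a `username` or `rolename` containing regex metacharacters (`.`, `+`, `(`) is matched as a pattern rather than literally, and the only anchor is the trailing `$`, which in Ruby matches at a line end rather than the end of the string, while the `arn:aws:` prefix is not anchored at all. Escaping and anchoring both ends keeps the comparison literal, e.g. for the user check `!arn.match(/\Aarn:aws:iam::\d+:user\/#{username ? Regexp.escape(username) + '\z' : ''}/).nil?`, with the same `Regexp.escape` applied in the role and assumed-role lines (the `/` delimiter logic for `exact_match` stays as it is). If these predicates feed an authorization decision anywhere in the gem, a literal match is the behaviour callers will expect; `match?` would also avoid allocating MatchData on every call. This section is labelled `data/Gemfile.lock` on the page, but its 23 added lines appear to be the new `data/lib/movable_ink/aws/iam.rb` listed in the diffstat.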
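--- a/data/lib/movable_ink/aws/ssm.rb
+++ b/data/lib/movable_ink/aws/ssm.rb
@@ -4,14 +4,33 @@ module MovableInk
 class AWS
 module SSM
 
+SSM_DEFAULT_REGION = 'us-east-1'
+SSM_DEFAULT_FAILOVER_REGION = 'us-west-2'
+
+def mi_secrets_config_file_path
+'/etc/movableink/secrets_config.json'
+end
+
+def mi_secrets_config
+@mi_secrets_config ||= (File.exist?(mi_secrets_config_file_path)) ? JSON.parse(File.read(mi_secrets_config_file_path), :symbolize_names => true) : nil
+end
+
+def mi_ssm_clients_regions
+default_regions = [SSM_DEFAULT_REGION, SSM_DEFAULT_FAILOVER_REGION]
+
+return default_regions if !mi_secrets_config || !mi_secrets_config[:ssm_parameters_regions_map] || !mi_secrets_config[:ssm_parameters_regions_map].key?(my_region.to_sym)
+my_region_map = mi_secrets_config[:ssm_parameters_regions_map][my_region.to_sym]
+(my_region_map.keys == [:primary_region, :failover_region]) ? my_region_map.values : default_regions
+end
+
 def ssm_client(region = nil)
 @ssm_clients_map ||= {}
-@ssm_clients_map[region] ||= Aws::SSM::Client.new(region: (region.nil?) ?
+@ssm_clients_map[region] ||= Aws::SSM::Client.new(region: (region.nil?) ? mi_ssm_clients_regions[0] : region)
 end
 
 def ssm_client_failover(failregion = nil)
 @ssm_failover_clients_map ||= {}
-@ssm_failover_clients_map[failregion] ||= Aws::SSM::Client.new(region: (failregion.nil?) ?
+@ssm_failover_clients_map[failregion] ||= Aws::SSM::Client.new(region: (failregion.nil?) ? mi_ssm_clients_regions[1] : failregion)
 end
 
 def run_with_backoff_and_client_fallback(region = nil, failregion = nil, &block)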
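Review bot: `mi_ssm_clients_regions` falls back to the defaults whenever `my_region_map.keys` is not exactly `[:primary_region, :failover_region]` in that order, so a config entry that lists `failover_region` first, or carries one extra key, is silently ignored, and `my_region_map.values` likewise depends on key order. Looking the two keys up by name removes the ordering dependency: `regions = my_region_map.values_at(:primary_region, :failover_region)` followed by `regions.all? ? regions : default_regions`. `mi_secrets_config` also lets a malformed `/etc/movableink/secrets_config.json` raise `JSON::ParserError` out of the first `ssm_client` call, and because the memoization uses `||=` a missing file is re-checked with `File.exist?` on every call; whether fail-fast on a bad config is intended is not visible from the hunk, so at minimum a comment stating it would help. `run_with_backoff_and_client_fallback` on the last line continues outside the hunk.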
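--- a/data/lib/movable_ink/aws.rb
+++ b/data/lib/movable_ink/aws.rb
@@ -7,13 +7,12 @@ require_relative 'aws/route53'
 require_relative 'aws/ssm'
 require_relative 'aws/athena'
 require_relative 'aws/s3'
+require_relative 'aws/iam'
 require_relative 'aws/eks'
 require_relative 'aws/elasticache'
 require_relative 'aws/api_gateway'
 require_relative 'consul/consul'
 require 'aws-sdk-cloudwatch'
-require 'aws-sdk-iam'
-
 
 module MovableInk
 class AWS
@@ -28,6 +27,7 @@ module MovableInk
 include ElastiCache
 include ApiGateway
 include EKS
+include IAM
 
 class << self
 def regions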
data/lib/movable_ink/version.rb
CHANGED
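--- a/data/spec/iam_spec.rb
+++ b/data/spec/iam_spec.rb
@@ -0,0 +1,43 @@
+require_relative '../lib/movable_ink/aws'
+
+describe MovableInk::AWS::IAM do
+let(:aws) { MovableInk::AWS.new }
+
+describe 'is_arn_iam_user?' do
+it 'matches user by arn type' do
+expect(aws.is_arn_iam_user?('arn:aws:iam::123:user/anosulchyk')).to eq true
+expect(aws.is_arn_iam_user?('arn:aws:iam::123:role/anosulchyk')).to eq false
+end
+
+it 'matches user by arn type and name' do
+expect(aws.is_arn_iam_user?('arn:aws:iam::123:user/anosulchyk', 'anosulchyk')).to eq true
+expect(aws.is_arn_iam_user?('arn:aws:iam::123:user/this/is/user/too', 'this/is/user/too')).to eq true
+expect(aws.is_arn_iam_user?('arn:aws:iam::123:user/anosulchyk', 'anosulchik11')).to eq false
+end
+end
+
+describe 'is_arn_iam_role?' do
+it 'matches role by arn type' do
+expect(aws.is_arn_iam_role?('arn:aws:iam::123:role/anosulchyk')).to eq true
+expect(aws.is_arn_iam_role?('arn:aws:sts::123:role/anosulchyk')).to eq false
+end
+
+it 'matches role by arn type and name' do
+expect(aws.is_arn_iam_role?('arn:aws:iam::123:role/anosulchyk', 'anosulchyk')).to eq true
+expect(aws.is_arn_iam_role?('arn:aws:iam::123:role/anosulchyk', 'anosulchik11')).to eq false
+end
+end
+
+describe 'is_arn_iam_assumed_role?' do
+it 'matches role by arn type' do
+expect(aws.is_arn_iam_assumed_role?('arn:aws:sts::123:assumed-role/anosulchyk/session')).to eq true
+expect(aws.is_arn_iam_assumed_role?('arn:aws:sts::123:role/anosulchyk')).to eq false
+end
+
+it 'matches role by arn type and name' do
+expect(aws.is_arn_iam_assumed_role?('arn:aws:sts::123:assumed-role/anosulchyk/session', 'anosulchyk')).to eq true
+expect(aws.is_arn_iam_assumed_role?('arn:aws:sts::123:assumed-role/anosulchyk/session-name', '1anosulchyk1')).to eq false
+end
+end
+
+end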
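Review bot: The third parameter of `is_arn_iam_assumed_role?` (`exact_match`) is never exercised, and every negative case uses a differently spelled name, so nothing pins what happens when the given role name is a prefix of a longer one. Two expectations in the last `describe` would cover both sides of that: `expect(aws.is_arn_iam_assumed_role?('arn:aws:sts::123:assumed-role/anosulchyk-admin/session', 'anosulchyk')).to eq false` and `expect(aws.is_arn_iam_assumed_role?('arn:aws:sts::123:assumed-role/anosulchyk-admin/session', 'anosulchyk', false)).to eq true`. A user or role name containing a regex metacharacter (a `.` for instance) is also untested, and its result depends on the implementation interpolating the name into the pattern unescaped.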
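--- a/data/spec/ssm_spec.rb
+++ b/data/spec/ssm_spec.rb
@@ -9,6 +9,8 @@ describe MovableInk::AWS::SSM do
 value: 'too-many-secrets'
 })
 }
+let(:mi_secrets_config_file_path) { '/etc/movableink/secrets_config.json' }
+let(:mi_secrets_config_file_mock) { "{\"ssm_parameters_regions_map\": { \"us-east-1\": {\"primary_region\": \"us-east-1\", \"failover_region\": \"us-east-2\"}}}" }
 let(:parameters) { ssm.stub_data(:get_parameters_by_path, parameters: [
 {
 name: '/test/zelda/Its',
@@ -113,4 +115,36 @@ describe MovableInk::AWS::SSM do
 expect(results).to include(1, 2)
 end
 end
+
+describe 'mi_secrets_config_file_path' do
+it 'returns string' do
+expect(aws.mi_secrets_config_file_path).to eq mi_secrets_config_file_path
+end
+end
+
+describe 'mi_secrets_config' do
+it 'parses config file with symbols' do
+allow(File).to receive(:read).with(mi_secrets_config_file_path).and_return(mi_secrets_config_file_mock)
+allow(File).to receive(:exist?).with(mi_secrets_config_file_path).and_return(true)
+
+config = aws.mi_secrets_config
+expect(config.keys).to eq([:ssm_parameters_regions_map])
+expect(config[:ssm_parameters_regions_map][:"us-east-1"][:primary_region]).to eq 'us-east-1'
+expect(config[:ssm_parameters_regions_map][:"us-east-1"][:failover_region]).to eq 'us-east-2'
+end
+end
+
+describe 'mi_ssm_clients_regions' do
+it 'returns values from config' do
+allow(aws).to receive(:mi_secrets_config).and_return(JSON.parse(mi_secrets_config_file_mock, :symbolize_names => true))
+allow(aws).to receive(:my_region).and_return('us-east-1')
+expect(aws.mi_ssm_clients_regions).to eq ['us-east-1', 'us-east-2']
+end
+
+it 'returns default values if config is missing' do
+allow(aws).to receive(:mi_secrets_config).and_return(nil)
+allow(aws).to receive(:my_region).and_return('us-east-1')
+expect(aws.mi_ssm_clients_regions).to eq ['us-east-1', 'us-west-2']
+end
+end
 end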
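Review bot: `mi_ssm_clients_regions` has two fallback paths that the new examples in the second hunk leave untested: a config whose `ssm_parameters_regions_map` does not contain the current region, and a region entry whose keys are not exactly `[:primary_region, :failover_region]` (the implementation compares the key array, so key order and extra keys both trigger the fallback). The `mi_secrets_config` example stubs `File.read` and `File.exist?` on the fixed path and relies on `let(:aws)` (defined outside the hunk) giving a fresh instance per example, since the parsed value is memoized in `@mi_secrets_config`; a one-line comment saying so would save the next reader a detour. An example for the missing-region case follows; the key-order case is the same with the inner hash of `mi_secrets_config_file_mock` reordered or extended.
```ruby
describe 'mi_ssm_clients_regions' do
  # … unchanged: existing 'returns values from config' and 'returns default values if config is missing' examples …

  it 'returns default values if the current region is not in the map' do
    allow(aws).to receive(:mi_secrets_config).and_return(JSON.parse(mi_secrets_config_file_mock, :symbolize_names => true))
    allow(aws).to receive(:my_region).and_return('eu-west-1')
    expect(aws.mi_ssm_clients_regions).to eq ['us-east-1', 'us-west-2']
  end
end
```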
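--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: MovableInkAWS
 version: !ruby/object:Gem::Version
-version: 2.6.
+version: 2.6.3
 platform: ruby
 authors:
 - Matt Chesler
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-05-
+date: 2022-05-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: aws-sdk-core
@@ -255,6 +255,7 @@ files:
 - lib/movable_ink/aws/eks.rb
 - lib/movable_ink/aws/elasticache.rb
 - lib/movable_ink/aws/errors.rb
+- lib/movable_ink/aws/iam.rb
 - lib/movable_ink/aws/metadata.rb
 - lib/movable_ink/aws/route53.rb
 - lib/movable_ink/aws/s3.rb
@@ -267,6 +268,7 @@ files:
 - spec/consul_spec.rb
 - spec/ec2_spec.rb
 - spec/elasticache_spec.rb
+- spec/iam_spec.rb
 - spec/metadata_spec.rb
 - spec/route53_spec.rb
 - spec/s3_spec.rb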