MovableInkAWS 2.6.2 → 2.6.3

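--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: fb359b343b37bc026f547aa8edc0dcd01fc85786947ef5dc8a6d9ef8b6da05d1
- data.tar.gz: f0c0c888ac995d1f1c895ae359ff19bc93e46b3ea621852733b39475cad138e1
+ metadata.gz: 4e7ad037cd5628c4064e602e7818305adf691666f178b1cba16f967c17021b1d
+ data.tar.gz: 7f6fbc76c3c7669aadd15682cd806c2e3268f39cd74dd395913910aa01b826f7
  SHA512:
- metadata.gz: 698f828137a5d649ebe788b5d9c4ab42f333e0a80eeca47708044121703c8afa79248bd86ab8ec0f6afac221c8506d3e52e10356a6f2a3213a09a45926d2d4f0
- data.tar.gz: 2d68a15e5b41f608411a498fad5db04ec837cdf88791605a73f285e64d1f58964bb7b6d49d7ff6d570e8c919f3c280f607bf6bbc84554339cfbf1ea29eb8de88
+ metadata.gz: 73af21192d6d001442427ed83f21e18b7aee0e214243b6e8572d1ca51f2b9d15a562e14435f666737f6158651285c2a95ac59f3c7a38d8a7539404a4f24a2559
+ data.tar.gz: 0cc73c99406611d2d6482149eea67a8c235b7b5caa0dd7d366ac0e6256c5a2b8faae3de6e83350ff71a464cac40f2b518c6b7a5b72e80613af8a8ee8042352c3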
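--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,7 +1,7 @@
  PATH
  remote: .
  specs:
- MovableInkAWS (2.6.2)
+ MovableInkAWS (2.6.3)
  aws-sdk-athena (~> 1)
  aws-sdk-autoscaling (~> 1)
  aws-sdk-cloudwatch (~> 1)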
@@ -0,0 +1,23 @@
1
+ require 'aws-sdk-iam'
2
+
3
+ module MovableInk
4
+ class AWS
5
+ module IAM
6
+ def is_arn_iam_user?(arn, username = nil)
7
+ # arn:aws:iam::account:user/user-name-with-path
8
+ !arn.match(/arn:aws:iam::\d+:user\/#{(username) ? username + '$' : ''}/).nil?
9
+ end
10
+
11
+ def is_arn_iam_role?(arn, rolename = nil)
12
+ # arn:aws:iam::account:role/role-name-with-path
13
+ !arn.match(/arn:aws:iam::\d+:role\/#{(rolename) ? rolename + '$' : ''}/).nil?
14
+ end
15
+
16
+ def is_arn_iam_assumed_role?(arn, rolename = nil, exact_match = true)
17
+ # arn:aws:sts::account:assumed-role/role-name/role-session-name
18
+ role_name_session_delimiter = (exact_match) ? '/' : ''
19
+ !arn.match(/arn:aws:sts::\d+:assumed\-role\/#{(rolename) ? rolename + role_name_session_delimiter : ''}/).nil?
20
+ end
21
+ end
22
+ end
23
+ end
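Review bot: The `username`/`rolename` argument is interpolated into the regex unescaped on hunk lines 8, 13 and 19, so a name containing `.`, `+`, `(` or `|` is treated as a pattern instead of a literal, and none of the three patterns is anchored at the start, so `match` also succeeds on any string that merely contains an ARN somewhere inside it. Because these predicates look like they will feed decisions about a caller's identity, the name should go through `Regexp.escape` and the pattern should be anchored with `\A`; the trailing `$` should become `\z` as well, since `$` matches before any embedded newline. For the user case that is `!arn.match(/\Aarn:aws:iam::\d+:user\/#{username ? Regexp.escape(username) + '\z' : ''}/).nil?`, and the role and assumed-role methods need the same change with `Regexp.escape(rolename)`; the existing spec inputs, including `this/is/user/too`, still pass because `Regexp.escape` leaves `/` alone. The hard-coded `aws` partition also means `aws-us-gov` and `aws-cn` ARNs never match; if that is intentional a one-line comment saying so would save the next reader a question.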
@@ -4,14 +4,33 @@ module MovableInk
4
4
  class AWS
5
5
  module SSM
6
6
 
7
+ SSM_DEFAULT_REGION = 'us-east-1'
8
+ SSM_DEFAULT_FAILOVER_REGION = 'us-west-2'
9
+
10
+ def mi_secrets_config_file_path
11
+ '/etc/movableink/secrets_config.json'
12
+ end
13
+
14
+ def mi_secrets_config
15
+ @mi_secrets_config ||= (File.exist?(mi_secrets_config_file_path)) ? JSON.parse(File.read(mi_secrets_config_file_path), :symbolize_names => true) : nil
16
+ end
17
+
18
+ def mi_ssm_clients_regions
19
+ default_regions = [SSM_DEFAULT_REGION, SSM_DEFAULT_FAILOVER_REGION]
20
+
21
+ return default_regions if !mi_secrets_config || !mi_secrets_config[:ssm_parameters_regions_map] || !mi_secrets_config[:ssm_parameters_regions_map].key?(my_region.to_sym)
22
+ my_region_map = mi_secrets_config[:ssm_parameters_regions_map][my_region.to_sym]
23
+ (my_region_map.keys == [:primary_region, :failover_region]) ? my_region_map.values : default_regions
24
+ end
25
+
7
26
  def ssm_client(region = nil)
8
27
  @ssm_clients_map ||= {}
9
- @ssm_clients_map[region] ||= Aws::SSM::Client.new(region: (region.nil?) ? 'us-east-1' : region)
28
+ @ssm_clients_map[region] ||= Aws::SSM::Client.new(region: (region.nil?) ? mi_ssm_clients_regions[0] : region)
10
29
  end
11
30
 
12
31
  def ssm_client_failover(failregion = nil)
13
32
  @ssm_failover_clients_map ||= {}
14
- @ssm_failover_clients_map[failregion] ||= Aws::SSM::Client.new(region: (failregion.nil?) ? 'us-west-2' : failregion)
33
+ @ssm_failover_clients_map[failregion] ||= Aws::SSM::Client.new(region: (failregion.nil?) ? mi_ssm_clients_regions[1] : failregion)
15
34
  end
16
35
 
17
36
  def run_with_backoff_and_client_fallback(region = nil, failregion = nil, &block)
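Review bot: `mi_ssm_clients_regions` accepts the per-region config only when `my_region_map.keys == [:primary_region, :failover_region]` (hunk line 23), so a JSON object that has the same two keys in the other order, or one extra key, silently falls back to the defaults, and when it does match the result depends on `values` preserving insertion order. Reading the keys by name is order-independent and self-documenting: `primary, failover = my_region_map.values_at(:primary_region, :failover_region)` followed by `(primary && failover) ? [primary, failover] : default_regions`. The `||=` on hunk line 15 never caches a `nil` result, so when the file is absent `File.exist?` runs again on every `ssm_client` call; harmless, but worth a comment such as `# nil is deliberately not memoized; a config file may appear later`. Note too that a malformed `/etc/movableink/secrets_config.json` now raises `JSON::ParserError` from inside `ssm_client`, which previously had no file dependency, and that `my_region` is presumably provided by another module — both would be worth a sentence in a method comment. `run_with_backoff_and_client_fallback` continues outside the hunk.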
@@ -7,13 +7,12 @@ require_relative 'aws/route53'
7
7
  require_relative 'aws/ssm'
8
8
  require_relative 'aws/athena'
9
9
  require_relative 'aws/s3'
10
+ require_relative 'aws/iam'
10
11
  require_relative 'aws/eks'
11
12
  require_relative 'aws/elasticache'
12
13
  require_relative 'aws/api_gateway'
13
14
  require_relative 'consul/consul'
14
15
  require 'aws-sdk-cloudwatch'
15
- require 'aws-sdk-iam'
16
-
17
16
 
18
17
  module MovableInk
19
18
  class AWS
@@ -28,6 +27,7 @@ module MovableInk
28
27
  include ElastiCache
29
28
  include ApiGateway
30
29
  include EKS
30
+ include IAM
31
31
 
32
32
  class << self
33
33
  def regions
@@ -1,5 +1,5 @@
1
1
  module MovableInk
2
2
  class AWS
3
- VERSION = '2.6.2'
3
+ VERSION = '2.6.3'
4
4
  end
5
5
  end
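--- /dev/null
+++ b/data/spec/iam_spec.rb
@@ -0,0 +1,43 @@
+ require_relative '../lib/movable_ink/aws'
+
+ describe MovableInk::AWS::IAM do
+ let(:aws) { MovableInk::AWS.new }
+
+ describe 'is_arn_iam_user?' do
+ it 'matches user by arn type' do
+ expect(aws.is_arn_iam_user?('arn:aws:iam::123:user/anosulchyk')).to eq true
+ expect(aws.is_arn_iam_user?('arn:aws:iam::123:role/anosulchyk')).to eq false
+ end
+
+ it 'matches user by arn type and name' do
+ expect(aws.is_arn_iam_user?('arn:aws:iam::123:user/anosulchyk', 'anosulchyk')).to eq true
+ expect(aws.is_arn_iam_user?('arn:aws:iam::123:user/this/is/user/too', 'this/is/user/too')).to eq true
+ expect(aws.is_arn_iam_user?('arn:aws:iam::123:user/anosulchyk', 'anosulchik11')).to eq false
+ end
+ end
+
+ describe 'is_arn_iam_role?' do
+ it 'matches role by arn type' do
+ expect(aws.is_arn_iam_role?('arn:aws:iam::123:role/anosulchyk')).to eq true
+ expect(aws.is_arn_iam_role?('arn:aws:sts::123:role/anosulchyk')).to eq false
+ end
+
+ it 'matches role by arn type and name' do
+ expect(aws.is_arn_iam_role?('arn:aws:iam::123:role/anosulchyk', 'anosulchyk')).to eq true
+ expect(aws.is_arn_iam_role?('arn:aws:iam::123:role/anosulchyk', 'anosulchik11')).to eq false
+ end
+ end
+
+ describe 'is_arn_iam_assumed_role?' do
+ it 'matches role by arn type' do
+ expect(aws.is_arn_iam_assumed_role?('arn:aws:sts::123:assumed-role/anosulchyk/session')).to eq true
+ expect(aws.is_arn_iam_assumed_role?('arn:aws:sts::123:role/anosulchyk')).to eq false
+ end
+
+ it 'matches role by arn type and name' do
+ expect(aws.is_arn_iam_assumed_role?('arn:aws:sts::123:assumed-role/anosulchyk/session', 'anosulchyk')).to eq true
+ expect(aws.is_arn_iam_assumed_role?('arn:aws:sts::123:assumed-role/anosulchyk/session-name', '1anosulchyk1')).to eq false
+ end
+ end
+
+ end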
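Review bot: The assumed-role examples never pass `exact_match = false`, so the only behavioural difference between the prefix and exact forms of `is_arn_iam_assumed_role?` is untested, and no example uses a name containing regex metacharacters. Adding `expect(aws.is_arn_iam_assumed_role?('arn:aws:sts::123:assumed-role/anosulchyk-dev/session', 'anosulchyk', false)).to eq true` would pin the prefix mode, and a negative case such as `expect(aws.is_arn_iam_user?('arn:aws:iam::123:user/anosulchyk', 'anosulchy.')).to eq false` documents that names are matched literally; the latter fails against the current implementation, which is the point of adding it. A `describe` string like `'is_arn_iam_assumed_role? with exact_match false'` would keep the new examples discoverable.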
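--- a/data/spec/ssm_spec.rb
+++ b/data/spec/ssm_spec.rb
@@ -9,6 +9,8 @@ describe MovableInk::AWS::SSM do
  value: 'too-many-secrets'
  })
  }
+ let(:mi_secrets_config_file_path) { '/etc/movableink/secrets_config.json' }
+ let(:mi_secrets_config_file_mock) { "{\"ssm_parameters_regions_map\": { \"us-east-1\": {\"primary_region\": \"us-east-1\", \"failover_region\": \"us-east-2\"}}}" }
  let(:parameters) { ssm.stub_data(:get_parameters_by_path, parameters: [
  {
  name: '/test/zelda/Its',
@@ -113,4 +115,36 @@ describe MovableInk::AWS::SSM do
  expect(results).to include(1, 2)
  end
  end
+
+ describe 'mi_secrets_config_file_path' do
+ it 'returns string' do
+ expect(aws.mi_secrets_config_file_path).to eq mi_secrets_config_file_path
+ end
+ end
+
+ describe 'mi_secrets_config' do
+ it 'parses config file with symbols' do
+ allow(File).to receive(:read).with(mi_secrets_config_file_path).and_return(mi_secrets_config_file_mock)
+ allow(File).to receive(:exist?).with(mi_secrets_config_file_path).and_return(true)
+
+ config = aws.mi_secrets_config
+ expect(config.keys).to eq([:ssm_parameters_regions_map])
+ expect(config[:ssm_parameters_regions_map][:"us-east-1"][:primary_region]).to eq 'us-east-1'
+ expect(config[:ssm_parameters_regions_map][:"us-east-1"][:failover_region]).to eq 'us-east-2'
+ end
+ end
+
+ describe 'mi_ssm_clients_regions' do
+ it 'returns values from config' do
+ allow(aws).to receive(:mi_secrets_config).and_return(JSON.parse(mi_secrets_config_file_mock, :symbolize_names => true))
+ allow(aws).to receive(:my_region).and_return('us-east-1')
+ expect(aws.mi_ssm_clients_regions).to eq ['us-east-1', 'us-east-2']
+ end
+
+ it 'returns default values if config is missing' do
+ allow(aws).to receive(:mi_secrets_config).and_return(nil)
+ allow(aws).to receive(:my_region).and_return('us-east-1')
+ expect(aws.mi_ssm_clients_regions).to eq ['us-east-1', 'us-west-2']
+ end
+ end
  end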
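--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: MovableInkAWS
  version: !ruby/object:Gem::Version
- version: 2.6.2
+ version: 2.6.3
  platform: ruby
  authors:
  - Matt Chesler
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2022-05-09 00:00:00.000000000 Z
+ date: 2022-05-12 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: aws-sdk-core
@@ -255,6 +255,7 @@ files:
  - lib/movable_ink/aws/eks.rb
  - lib/movable_ink/aws/elasticache.rb
  - lib/movable_ink/aws/errors.rb
+ - lib/movable_ink/aws/iam.rb
  - lib/movable_ink/aws/metadata.rb
  - lib/movable_ink/aws/route53.rb
  - lib/movable_ink/aws/s3.rb
@@ -267,6 +268,7 @@ files:
  - spec/consul_spec.rb
  - spec/ec2_spec.rb
  - spec/elasticache_spec.rb
+ - spec/iam_spec.rb
  - spec/metadata_spec.rb
  - spec/route53_spec.rb
  - spec/s3_spec.rb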