cloud-mu 3.2.0 → 3.5.0

data/modules/mu/providers/aws/role.rb

@@ -30,7 +30,7 @@ module MU
             end
           end
 
-          @mu_name ||= @deploy.getResourceName(@config["name"])
+          @mu_name ||= @config['scrub_mu_isms'] ? @config['name'] : @deploy.getResourceName(@config["name"], max_length: 64)
         end
 
         # Called automatically by {MU::Deploy#createResources}
@@ -43,7 +43,7 @@ module MU
 
               policy_name = @mu_name+"-"+policy.keys.first.upcase
               MU.log "Creating IAM policy #{policy_name}"
-              MU::Cloud::AWS.iam(credentials: @config['credentials']).create_policy(
+              MU::Cloud::AWS.iam(credentials: @credentials).create_policy(
                 policy_name: policy_name,
                 path: "/"+@deploy.deploy_id+"/",
                 policy_document: JSON.generate(policy.values.first),
@@ -53,16 +53,18 @@ module MU
           end
 
           if !@config['bare_policies']
-            MU.log "Creating IAM role #{@mu_name}"
             @cloud_id = @mu_name
             path = @config['strip_path'] ? nil : "/"+@deploy.deploy_id+"/"
-            MU::Cloud::AWS.iam(credentials: @config['credentials']).create_role(
-              path: path,
-              role_name: @mu_name,
-              description: "Generated by Mu",
-              assume_role_policy_document: gen_assume_role_policy_doc,
-              tags: get_tag_params
-            )
+            params = {
+              :path => path,
+              :role_name => @mu_name,
+              :description => "Generated by Mu",
+              :assume_role_policy_document => gen_assume_role_policy_doc,
+              :tags => get_tag_params(@config['scrub_mu_isms'])
+            }
+
+            MU.log "Creating IAM role #{@mu_name} (#{@credentials})", details: params
+            MU::Cloud::AWS.iam(credentials: @credentials).create_role(params)
           end
         end
 
@@ -75,7 +77,7 @@ module MU
           end
 
           if !@config['bare_policies']
-            resp = MU::Cloud::AWS.iam(credentials: @config['credentials']).get_role(
+            resp = MU::Cloud::AWS.iam(credentials: @credentials).get_role(
               role_name: @mu_name
             ).role
             ext_tags = resp.tags.map { |t| t.to_h }
@@ -84,7 +86,7 @@ module MU
 
             if tag_param.size > 0
               MU.log "Updating tags on IAM role #{@mu_name}", MU::NOTICE, details: tag_param
-              MU::Cloud::AWS.iam(credentials: @config['credentials']).tag_role(role_name: @mu_name, tags: tag_param)
+              MU::Cloud::AWS.iam(credentials: @credentials).tag_role(role_name: @mu_name, tags: tag_param)
             end
           end
 
@@ -92,13 +94,14 @@ module MU
             configured_policies = []
 
             if @config['raw_policies']
+              MU.log "Attaching #{@config['raw_policies'].size.to_s} raw #{@config['raw_policies'].size > 1 ? "policies" : "policy"} to role #{@mu_name}", MU::NOTICE
               configured_policies = @config['raw_policies'].map { |p|
                 @mu_name+"-"+p.keys.first.upcase
               }
             end
 
             if @config['attachable_policies']
-              MU.log "Attaching #{@config['attachable_policies'].size.to_s} #{@config['attachable_policies'].size > 1 ? "policies" : "policy"} to role #{@mu_name}", MU::NOTICE
+              MU.log "Attaching #{@config['attachable_policies'].size.to_s} external #{@config['attachable_policies'].size > 1 ? "policies" : "policy"} to role #{@mu_name}", MU::NOTICE
               configured_policies.concat(@config['attachable_policies'].map { |p|
                 id = if p.is_a?(MU::Config::Ref)
                   p.cloud_id
@@ -109,18 +112,17 @@ module MU
                 end
                 id.gsub(/.*?\/([^:\/]+)$/, '\1')
               })
-              configured_policies.each { |pol|
-              }
             end
 
+            # Purge anything that doesn't belong
             if !@config['bare_policies']
-              attached_policies = MU::Cloud::AWS.iam(credentials: @config['credentials']).list_attached_role_policies(
+              attached_policies = MU::Cloud::AWS.iam(credentials: @credentials).list_attached_role_policies(
                 role_name: @mu_name
               ).attached_policies
               attached_policies.each { |a|
                 if !configured_policies.include?(a.policy_name)
-                  MU.log "Removing IAM policy #{a.policy_name} from role #{@mu_name}", MU::NOTICE
-                  MU::Cloud::AWS::Role.purgePolicy(a.policy_arn, @config['credentials'])
+                  MU.log "Removing IAM policy #{a.policy_name} from role #{@mu_name}", MU::NOTICE, details: configured_policies
+                  MU::Cloud::AWS::Role.purgePolicy(a.policy_arn, @credentials)
                 end
               }
             end
@@ -153,8 +155,8 @@ module MU
             policy.values.each { |p|
               p["Version"] ||= "2012-10-17"
             }
-            policy_name = basename+"-"+policy.keys.first.upcase
 
+            policy_name = basename+"-"+policy.keys.first.upcase
             arn = "arn:"+(MU::Cloud::AWS.isGovCloud? ? "aws-us-gov" : "aws")+":iam::"+MU::Cloud::AWS.credToAcct(credentials)+":policy#{path}/#{policy_name}"
             resp = begin
               desc = MU::Cloud::AWS.iam(credentials: credentials).get_policy(policy_arn: arn)
@@ -164,7 +166,7 @@ module MU
                 version_id: desc.policy.default_version_id
               )
 
-              ext = JSON.parse(URI.decode(version.policy_version.document))
+              ext = JSON.parse(CGI.unescape(version.policy_version.document))
               if ext != policy.values.first
                 # Special exception- we don't want to overwrite extra rules
                 # in MuSecrets policies, because our siblings might have 
@@ -184,12 +186,16 @@ module MU
 
             rescue Aws::IAM::Errors::NoSuchEntity
               MU.log "Creating IAM policy #{policy_name}", details: policy.values.first
-              MU::Cloud::AWS.iam(credentials: credentials).create_policy(
+              desc = MU::Cloud::AWS.iam(credentials: credentials).create_policy(
                 policy_name: policy_name,
                 path: path+"/",
                 policy_document: JSON.generate(policy.values.first),
                 description: "Raw policy from #{basename}"
               )
+              MU.retrier([Aws::IAM::Errors::NoSuchEntity], loop_if: Proc.new { desc.nil? }) {
+                desc = MU::Cloud::AWS.iam(credentials: credentials).get_policy(policy_arn: arn)
+              }
+              desc
             end
             arns << resp.policy.arn
           }
@@ -216,7 +222,23 @@ module MU
         # populated with one or both depending on what this resource has
         # defined.
         def cloud_desc(use_cache: true)
-          return @cloud_desc_cache if @cloud_desc_cache and use_cache
+          require 'aws-sdk-iam'
+
+          # we might inherit a naive cached description from the base cloud
+          # layer; rearrange it to our tastes
+          if @cloud_desc_cache.is_a?(::Aws::IAM::Types::Role)
+            new_desc = {
+              "role" => @cloud_desc_cache
+            }
+            @cloud_desc_cache = new_desc
+          elsif @cloud_desc_cache.is_a?(::Aws::IAM::Types::Policy)
+            new_desc = {
+              "policies" => [@cloud_desc_cache]
+            }
+            @cloud_desc_cache = new_desc
+          end
+
+          return @cloud_desc_cache if @cloud_desc_cache and !@cloud_desc_cache.empty? and use_cache
 
           @cloud_desc_cache = {}
           if @config['bare_policies']
@@ -290,8 +312,8 @@ end
         # Insert a new target entity into an existing policy. 
         # @param policy [String]: The name of the policy to which we're appending, which must already exist as part of this role resource
         # @param targets [Array<String>]: The target resource. If +target_type+ isn't specified, this should be a fully-resolved ARN.
-        def injectPolicyTargets(policy, targets)
-          if !policy.match(/^#{@deploy.deploy_id}/)
+        def injectPolicyTargets(policy, targets, attach: false)
+          if @deploy and !policy.match(/^#{@deploy.deploy_id}/)
             policy = @mu_name+"-"+policy.upcase
           end
           my_policies = cloud_desc(use_cache: false)["policies"]
@@ -301,19 +323,19 @@ end
           my_policies.each { |p|
             if p.policy_name == policy
               seen_policy = true
-              old = MU::Cloud::AWS.iam(credentials: @config['credentials']).get_policy_version(
+              old = MU::Cloud::AWS.iam(credentials: @credentials).get_policy_version(
                 policy_arn: p.arn,
                 version_id: p.default_version_id
               ).policy_version
 
-              doc = JSON.parse URI.decode_www_form_component old.document
+              doc = JSON.parse CGI.unescape_www_form_component old.document
               need_update = false
 
               doc["Statement"].each { |s|
                 targets.each { |target|
                   target_string = target
 
-                  if target['type']
+                  if target['type'] and @deploy
                     sibling = @deploy.findLitterMate(
                       name: target["identifier"],
                       type: target["type"]
@@ -419,14 +441,14 @@ end
         # @param noop [Boolean]: If true, will only print what would be done
         # @param ignoremaster [Boolean]: If true, will remove resources not flagged as originating from this Mu server
         # @return [void]
-        def self.cleanup(noop: false, ignoremaster: false, credentials: nil, flags: {})
+        def self.cleanup(noop: false, deploy_id: MU.deploy_id, ignoremaster: false, credentials: nil, flags: {})
 
           resp = MU::Cloud::AWS.iam(credentials: credentials).list_policies(
-            path_prefix: "/"+MU.deploy_id+"/"
+            path_prefix: "/"+deploy_id+"/"
           )
           if resp and resp.policies
             resp.policies.each { |policy|
-              MU.log "Deleting IAM policy /#{MU.deploy_id}/#{policy.policy_name}"
+              MU.log "Deleting IAM policy /#{deploy_id}/#{policy.policy_name}"
               if !noop
                 purgePolicy(policy.arn, credentials)
               end
@@ -437,19 +459,23 @@ end
           roles = MU::Cloud::AWS::Role.find(credentials: credentials).values
           roles.each { |r|
             next if !r.respond_to?(:role_name)
-            if r.path.match(/^\/#{Regexp.quote(MU.deploy_id)}/)
+            if r.path.match(/^\/#{Regexp.quote(deploy_id)}/)
               deleteme << r
               next
             end
             # For some dumb reason, the list output that .find gets doesn't
             # include the tags, so we need to fetch each role individually to
             # check tags. Hardly seems efficient.
-            desc = MU::Cloud::AWS.iam(credentials: credentials).get_role(role_name: r.role_name)
+            desc = begin
+              MU::Cloud::AWS.iam(credentials: credentials).get_role(role_name: r.role_name)
+            rescue Aws::IAM::Errors::NoSuchEntity
+              next
+            end
             if desc.role and desc.role.tags and desc.role.tags
               master_match = false
               deploy_match = false
               desc.role.tags.each { |t|
-                if t.key == "MU-ID" and t.value == MU.deploy_id
+                if t.key == "MU-ID" and t.value == deploy_id
                   deploy_match = true
                 elsif t.key == "MU-MASTER-IP" and t.value == MU.mu_public_ip
                   master_match = true
@@ -516,7 +542,7 @@ end
 
             begin
               # managed policies get fetched by ARN, roles by plain name. Ok!
-              if args[:cloud_id].match(/^arn:/)
+              if args[:cloud_id].match(/^arn:.*?:policy\//)
                 resp = MU::Cloud::AWS.iam(credentials: args[:credentials]).get_policy(
                   policy_arn: args[:cloud_id]
                 )
@@ -525,39 +551,26 @@ end
                 end
               else
                 resp = MU::Cloud::AWS.iam(credentials: args[:credentials]).get_role(
-                  role_name: args[:cloud_id]
+                  role_name: args[:cloud_id].sub(/^arn:.*?\/([^:\/]+)$/, '\1') # XXX if it's an ARN, actually parse it and look in the correct account when applicable
                 )
+
                 if resp and resp.role
-                  found[args[:cloud_id]] = resp.role
+                  found[resp.role.role_name] = resp.role
                 end
               end
             rescue ::Aws::IAM::Errors::NoSuchEntity
             end
 
           else
-            marker = nil
-            begin
-              resp = MU::Cloud::AWS.iam(credentials: args[:credentials]).list_roles(
-                marker: marker
-              )
-              break if !resp or !resp.roles
-              resp.roles.each { |role|
-                found[role.role_name] = role
-              }
-              marker = resp.marker
-            end while marker
+            resp = MU::Cloud::AWS.iam(credentials: args[:credentials]).list_roles
+            resp.roles.each { |role|
+              found[role.role_name] = role
+            }
 
-            begin
-              resp = MU::Cloud::AWS.iam(credentials: args[:credentials]).list_policies(
-                scope: "Local",
-                marker: marker
-              )
-              break if !resp or !resp.policies
-              resp.policies.each { |pol|
-                found[pol.arn] = pol
-              }
-              marker = resp.marker
-            end while marker
+            resp = MU::Cloud::AWS.iam(credentials: args[:credentials]).list_policies(scope: "Local")
+            resp.policies.each { |pol|
+              found[pol.arn] = pol
+            }
           end
 
           found
@@ -569,7 +582,7 @@ end
         def toKitten(**_args)
           bok = {
             "cloud" => "AWS",
-            "credentials" => @config['credentials'],
+            "credentials" => @credentials,
             "cloud_id" => @cloud_id
           }
 
@@ -603,7 +616,7 @@ end
                     policy_name: pol.policy_name
                   )
                   if resp and resp.policy_document
-                    JSON.parse(URI.decode(resp.policy_document))
+                    JSON.parse(CGI.unescape(resp.policy_document))
                   end
                 rescue ::Aws::IAM::Errors::NoSuchEntity, ::Aws::IAM::Errors::ValidationError
                   resp = MU::Cloud::AWS.iam(credentials: @credentials).get_policy(
@@ -613,7 +626,7 @@ end
                     policy_arn: pol.arn,
                     version_id: resp.policy.default_version_id
                   )
-                  JSON.parse(URI.decode(version.policy_version.document))
+                  JSON.parse(CGI.unescape(version.policy_version.document))
                 end
                 bok["policies"] = MU::Cloud::AWS::Role.doc2MuPolicies(pol.policy_name, doc, bok["policies"])
               end
@@ -629,7 +642,7 @@ end
           bok["strip_path"] = true if desc.path == "/"
 
           if desc.assume_role_policy_document
-            assume_doc = JSON.parse(URI.decode(desc.assume_role_policy_document))
+            assume_doc = JSON.parse(CGI.unescape(desc.assume_role_policy_document))
             assume_doc["Statement"].each { |s|
               bok["can_assume"] ||= []
               method = if s["Action"] == "sts:AssumeRoleWithWebIdentity"
@@ -762,12 +775,12 @@ end
         def bindTo(entitytype, entityname)
           if entitytype == "instance_profile"
             begin
-              resp = MU::Cloud::AWS.iam(credentials: @config['credentials']).get_instance_profile(
+              resp = MU::Cloud::AWS.iam(credentials: @credentials).get_instance_profile(
                 instance_profile_name: entityname
               ).instance_profile
 
               if !resp.roles.map { |r| r.role_name}.include?(@mu_name)
-                MU::Cloud::AWS.iam(credentials: @config['credentials']).add_role_to_instance_profile(
+                MU::Cloud::AWS.iam(credentials: @credentials).add_role_to_instance_profile(
                   instance_profile_name: entityname,
                   role_name: @mu_name
                 )
@@ -777,30 +790,30 @@ end
               raise e
             end
           elsif ["user", "group", "role"].include?(entitytype)
-            mypolicies = MU::Cloud::AWS.iam(credentials: @config['credentials']).list_policies(
+            mypolicies = MU::Cloud::AWS.iam(credentials: @credentials).list_policies(
               path_prefix: "/"+@deploy.deploy_id+"/"
             ).policies
             mypolicies.reject! { |p|
-              !p.policy_name.match(/^#{Regexp.quote(@mu_name)}-/)
+              !p.policy_name.match(/^#{Regexp.quote(@mu_name)}(-|$)/)
             }
 
             if @config['attachable_policies']
               @config['attachable_policies'].each { |policy_hash|
                 policy = policy_hash["id"]
                 p_arn = if !policy.match(/^arn:/i)
-                  "arn:"+(MU::Cloud::AWS.isGovCloud?(@config["region"]) ? "aws-us-gov" : "aws")+":iam::aws:policy/"+policy
+                  "arn:"+(MU::Cloud::AWS.isGovCloud?(@region) ? "aws-us-gov" : "aws")+":iam::aws:policy/"+policy
                 else
                   policy
                 end
 
                 subpaths = ["service-role", "aws-service-role", "job-function"]
                 begin
-                  mypolicies << MU::Cloud::AWS.iam(credentials: @config['credentials']).get_policy(
+                  mypolicies << MU::Cloud::AWS.iam(credentials: @credentials).get_policy(
                     policy_arn: p_arn
                   ).policy
                 rescue Aws::IAM::Errors::NoSuchEntity => e
                   if subpaths.size > 0
-                    p_arn = "arn:"+(MU::Cloud::AWS.isGovCloud?(@config["region"]) ? "aws-us-gov" : "aws")+":iam::aws:policy/#{subpaths.shift}/"+policy
+                    p_arn = "arn:"+(MU::Cloud::AWS.isGovCloud?(@region) ? "aws-us-gov" : "aws")+":iam::aws:policy/#{subpaths.shift}/"+policy
                     retry
                   end
                   raise e
@@ -808,39 +821,52 @@ end
               }
             end
 
+            if @config['raw_policies']
+              raw_arns = MU::Cloud::AWS::Role.manageRawPolicies(
+                @config['raw_policies'],
+                basename: @deploy.getResourceName(@config['name']),
+                credentials: @credentials
+              )
+              raw_arns.each { |p_arn|
+                mypolicies << MU::Cloud::AWS.iam(credentials: @credentials).get_policy(
+                  policy_arn: p_arn
+                ).policy
+              }
+            end
+
             mypolicies.each { |p|
               if entitytype == "user"
-                resp = MU::Cloud::AWS.iam(credentials: @config['credentials']).list_attached_user_policies(
+                resp = MU::Cloud::AWS.iam(credentials: @credentials).list_attached_user_policies(
                   path_prefix: "/"+@deploy.deploy_id+"/",
                   user_name: entityname
                 )
                 if !resp or !resp.attached_policies.map { |a_p| a_p.policy_name }.include?(p.policy_name)
                   MU.log "Attaching IAM policy #{p.policy_name} to user #{entityname}", MU::NOTICE
-                  MU::Cloud::AWS.iam(credentials: @config['credentials']).attach_user_policy(
+                  MU::Cloud::AWS.iam(credentials: @credentials).attach_user_policy(
                     policy_arn: p.arn,
                     user_name: entityname
                   )
                 end
               elsif entitytype == "group"
-                resp = MU::Cloud::AWS.iam(credentials: @config['credentials']).list_attached_group_policies(
+                resp = MU::Cloud::AWS.iam(credentials: @credentials).list_attached_group_policies(
                   path_prefix: "/"+@deploy.deploy_id+"/",
                   group_name: entityname
                 )
                 if !resp or !resp.attached_policies.map { |a_p| a_p.policy_name }.include?(p.policy_name)
                   MU.log "Attaching policy #{p.policy_name} to group #{entityname}", MU::NOTICE
-                  MU::Cloud::AWS.iam(credentials: @config['credentials']).attach_group_policy(
+                  MU::Cloud::AWS.iam(credentials: @credentials).attach_group_policy(
                     policy_arn: p.arn,
                     group_name: entityname
                   )
                 end
               elsif entitytype == "role"
-                resp = MU::Cloud::AWS.iam(credentials: @config['credentials']).list_attached_role_policies(
+                resp = MU::Cloud::AWS.iam(credentials: @credentials).list_attached_role_policies(
                   role_name: entityname
                 )
 
                 if !resp or !resp.attached_policies.map { |a_p| a_p.policy_name }.include?(p.policy_name)
                   MU.log "Attaching policy #{p.policy_name} to role #{entityname}", MU::NOTICE
-                  MU::Cloud::AWS.iam(credentials: @config['credentials']).attach_role_policy(
+                  MU::Cloud::AWS.iam(credentials: @credentials).attach_role_policy(
                     policy_arn: p.arn,
                     role_name: entityname
                   )
@@ -861,19 +887,19 @@ end
           end
 
           resp = begin
-            MU.log "Creating instance profile #{@mu_name} #{@config['credentials']}"
-            MU::Cloud::AWS.iam(credentials: @config['credentials']).create_instance_profile(
+            MU.log "Creating instance profile #{@mu_name} #{@credentials}"
+            MU::Cloud::AWS.iam(credentials: @credentials).create_instance_profile(
               instance_profile_name: @mu_name
             )
           rescue Aws::IAM::Errors::EntityAlreadyExists
-            MU::Cloud::AWS.iam(credentials: @config['credentials']).get_instance_profile(
+            MU::Cloud::AWS.iam(credentials: @credentials).get_instance_profile(
               instance_profile_name: @mu_name
             )
           end
 
           # make sure it's really there before moving on
           begin
-            MU::Cloud::AWS.iam(credentials: @config['credentials']).get_instance_profile(instance_profile_name: @mu_name)
+            MU::Cloud::AWS.iam(credentials: @credentials).get_instance_profile(instance_profile_name: @mu_name)
           rescue Aws::IAM::Errors::NoSuchEntity => e
             MU.log e.inspect, MU::WARN
             sleep 10
@@ -1061,6 +1087,8 @@ end
             role.delete("import")
           end
 
+          role['strip_path'] = true if role['scrub_mu_isms']
+
           # If we're attaching some managed policies, make sure all of the ones
           # that should already exist do indeed exist
           if role['attachable_policies']
@@ -1091,7 +1119,7 @@ end
             role['policies'].each { |policy|
               policy['targets'].each { |target|
                 if target['type']
-                  MU::Config.addDependency(role, target['identifier'], target['type'])
+                  MU::Config.addDependency(role, target['identifier'], target['type'], my_phase: "groom")
                 end
               }
             }
@@ -1107,13 +1135,14 @@ end
         # @param policies [Array<Hash>]: One or more policy chunks
         # @param deploy_obj [MU::MommaCat]: Deployment object to use when looking up sibling Mu resources
         # @return [Array<Hash>]
-        def self.genPolicyDocument(policies, deploy_obj: nil, bucket_style: false)
+        def self.genPolicyDocument(policies, deploy_obj: nil, bucket_style: false, version: "2012-10-17", doc_id: nil)
           if policies
             name = nil
             doc = {
-              "Version" => "2012-10-17",
+              "Version" => version,
               "Statement" => []
             }
+            doc["Id"] = doc_id if doc_id
             policies.each { |policy|
               policy["flag"] ||= "Allow"
               statement = {
@@ -1154,7 +1183,14 @@ end
                       raise MuError, "Couldn't find a #{grantee["type"]} named #{grantee["identifier"]} when generating IAM policy"
                     end
                   else
-                    bucket_prefix = grantee["identifier"].match(/^[^\.]+\.amazonaws\.com$/) ? "Service" : "AWS"
+                    bucket_prefix = if grantee["identifier"].match(/^[^\.]+\.amazonaws\.com$/)
+                      "Service"
+                    elsif grantee["identifier"] =~ /^[a-f0-9]+$/
+                      "CanonicalUser"
+                    else
+                      "AWS"
+                    end
+
                     if bucket_style
                       statement["Principal"] << { bucket_prefix => grantee["identifier"] }
                     else