cloud-mu 3.3.2 → 3.4.0
- checksums.yaml +4 -4
- data/cloud-mu.gemspec +3 -3
- data/cookbooks/mu-tools/attributes/default.rb +7 -0
- data/cookbooks/mu-tools/libraries/helper.rb +86 -2
- data/cookbooks/mu-tools/recipes/apply_security.rb +25 -9
- data/cookbooks/mu-tools/recipes/aws_api.rb +4 -0
- data/cookbooks/mu-tools/recipes/google_api.rb +4 -0
- data/cookbooks/mu-tools/recipes/rsyslog.rb +8 -1
- data/cookbooks/mu-tools/resources/disk.rb +33 -12
- data/cookbooks/mu-tools/resources/mommacat_request.rb +1 -2
- data/cookbooks/mu-tools/templates/centos-8/sshd_config.erb +215 -0
- data/extras/clean-stock-amis +10 -2
- data/extras/generate-stock-images +6 -3
- data/extras/image-generators/AWS/centos7.yaml +19 -16
- data/extras/image-generators/AWS/{rhel7.yaml → rhel71.yaml} +0 -0
- data/extras/image-generators/AWS/{win2k12.yaml → win2k12r2.yaml} +0 -0
- data/modules/mommacat.ru +2 -2
- data/modules/mu/cloud/wrappers.rb +16 -7
- data/modules/mu/config/ref.rb +1 -1
- data/modules/mu/defaults/AWS.yaml +96 -96
- data/modules/mu/mommacat.rb +10 -2
- data/modules/mu/mommacat/search.rb +11 -2
- data/modules/mu/mommacat/storage.rb +30 -15
- data/modules/mu/providers/aws.rb +43 -23
- data/modules/mu/providers/aws/database.rb +9 -6
- data/modules/mu/providers/aws/function.rb +8 -5
- data/modules/mu/providers/aws/job.rb +29 -26
- data/modules/mu/providers/aws/role.rb +38 -32
- data/modules/mu/providers/aws/server.rb +58 -51
- data/modules/mu/providers/aws/vpc.rb +3 -0
- data/modules/mu/providers/google.rb +1 -1
- data/modules/mu/providers/google/role.rb +1 -0
- metadata +10 -9
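--- a/data/modules/mu/providers/aws.rb
+++ b/data/modules/mu/providers/aws.rb
@@ -550,7 +550,9 @@ end
 def self.credToAcct(name = nil)
 creds = credConfig(name)
 
-
+if creds['account_number'] and !creds['account_number'].empty?
+return creds['account_number']
+end
 
 acct_num = MU::Cloud::AWS.iam(credentials: name).list_users.users.first.arn.split(/:/)[4]
 acct_num.to_s
@@ -672,8 +674,8 @@ end
 next
 end
 acct_num = MU::Cloud::AWS.iam(credentials: acctname).list_users.users.first.arn.split(/:/)[4]
-
-
+cfg['account_number'] ||= acct_num.to_s
+if acct_num.to_s == name.to_s
 @@acct_to_profile_map[name.to_s] = cfg
 return name_only ? name.to_s : cfg
 end
@@ -1516,6 +1518,7 @@ end
 def initialize(region: nil, api: "EC2", credentials: nil)
 @cred_obj = MU::Cloud::AWS.loadCredentials(credentials)
 @credentials = MU::Cloud::AWS.credConfig(credentials, name_only: true)
+@api_name = api
 
 if !@cred_obj
 raise MuError, "Unable to locate valid AWS credentials for #{api} API. #{credentials ? "Credentials requested were '#{credentials}'": ""}"
@@ -1533,6 +1536,8 @@ end
 params[:credentials] = @cred_obj
 
 MU.log "Initializing #{api} object with credentials #{credentials}", MU::DEBUG, details: params
+require "aws-sdk-#{api.downcase}"
+
 @api = Object.const_get("Aws::#{api}::Client").new(params)
 end
 
@@ -1541,27 +1546,31 @@ end
 # rescues for known silly endpoint behavior.
 def method_missing(method_sym, *arguments)
 # make sure error symbols are loaded for our exception handling later
-require "aws-sdk-
-require "aws-sdk-
-require "aws-sdk-
-require "aws-sdk-
-require "aws-sdk-
-require "aws-sdk-
-require "aws-sdk-
-require "aws-sdk-
-require "aws-sdk-
-require "aws-sdk-
-require "aws-sdk-
-require "aws-sdk-
-require "aws-sdk-
-require "aws-sdk-
-require "aws-sdk-
-
-
+require "aws-sdk-lambda"
+require "aws-sdk-rds"
+require "aws-sdk-ec2"
+require "aws-sdk-route53"
+require "aws-sdk-iam"
+require "aws-sdk-efs"
+require "aws-sdk-pricing"
+require "aws-sdk-apigateway"
+require "aws-sdk-ecs"
+require "aws-sdk-eks"
+require "aws-sdk-cloudwatchlogs"
+require "aws-sdk-cloudwatchevents"
+require "aws-sdk-elasticloadbalancing"
+require "aws-sdk-elasticloadbalancingv2"
+require "aws-sdk-autoscaling"
+
+known_concats = {
+"Pricing" => {
+:get_products => :price_list
+}
+}
 
 retries = 0
 begin
-MU.log "Calling #{method_sym} in #{@region}", MU::DEBUG, details: arguments
+MU.log "Calling #{@api_name}.#{method_sym} in #{@region}", MU::DEBUG, details: arguments
 
 retval = if !arguments.nil? and arguments.size == 1
 @api.method(method_sym).call(arguments[0])
@@ -1590,11 +1599,22 @@ end
 
 if paginator and new_page and !new_page.empty?
 resp = retval.respond_to?(:__getobj__) ? retval.__getobj__ : retval
-concat_to =
+concat_to = MU.structToHash(resp).keys.reject { |m|
 m.to_s.match(/=$/) or m == paginator or resp.send(m).nil? or !resp.send(m).is_a?(Array)
 }
+
+if concat_to.empty? and known_concats[@api_name] and
+known_concats[@api_name][method_sym]
+concat_to << known_concats[@api_name][method_sym]
+end
+
+if concat_to.empty? and method_sym.to_s.match(/^(?:describe|list)_(.*)/)
+my_attr = Regexp.last_match[1].to_sym
+concat_to << my_attr if resp.respond_to?(my_attr)
+end
+
 if concat_to.size != 1
-
+raise MuError.new "Tried to figure out where I might append paginated results for a #{@api_name}.#{method_sym}, but failed", details: MU.structToHash(resp).keys
 else
 concat_to = concat_to.first
 new_args = arguments ? arguments.dup : [{}]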
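Review bot: The `account_number` that `credToAcct` now returns straight from the credentials config (new lines 553-555 in the first hunk) is used without any shape check, and `.empty?` raises NoMethodError when the YAML loader has produced an Integer from an unquoted 12-digit value. Because this value is spliced into IAM policy ARNs elsewhere in the release (the `MU::Cloud::AWS.credToAcct(credentials)` call in role.rb at old line 159), a mistyped configured account number could silently address resources in the wrong account instead of failing. Coercing and validating before the early return covers both cases, `acct = creds['account_number'].to_s` then `return acct if acct.match?(/\A\d{12}\z/)`, and anything else falls through to the existing `list_users` lookup. The second hunk stores `cfg['account_number'] ||= acct_num.to_s`, so a pre-existing Integer value survives there too; the same read-time `.to_s` handles it. In the last hunk the `describe|list` fallback anchors with `^` where the rest of the file's whole-string checks would use `\A`; harmless for a method name, but worth aligning.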
@@ -797,14 +797,17 @@ dependencies
|
|
797
797
|
# @return [void]
|
798
798
|
def self.cleanup(noop: false, deploy_id: MU.deploy_id, ignoremaster: false, credentials: nil, region: MU.curRegion, flags: {})
|
799
799
|
|
800
|
+
threads = []
|
801
|
+
|
800
802
|
["instance", "cluster"].each { |type|
|
801
|
-
threaded_resource_purge("describe_db_#{type}s".to_sym, "db_#{type}s".to_sym, "db_#{type}_identifier".to_sym, (type == "instance" ? "db" : "cluster"), region, credentials, ignoremaster, known: flags['known'], deploy_id: deploy_id) { |id|
|
803
|
+
threads.concat threaded_resource_purge("describe_db_#{type}s".to_sym, "db_#{type}s".to_sym, "db_#{type}_identifier".to_sym, (type == "instance" ? "db" : "cluster"), region, credentials, ignoremaster, known: flags['known'], deploy_id: deploy_id) { |id|
|
802
804
|
terminate_rds_instance(nil, noop: noop, skipsnapshots: flags["skipsnapshots"], region: region, deploy_id: deploy_id, cloud_id: id, mu_name: id.upcase, credentials: credentials, cluster: (type == "cluster"), known: flags['known'])
|
803
805
|
|
804
|
-
}.each { |t|
|
805
|
-
t.join
|
806
806
|
}
|
807
807
|
}
|
808
|
+
threads.each { |t|
|
809
|
+
t.join
|
810
|
+
}
|
808
811
|
|
809
812
|
threads = threaded_resource_purge(:describe_db_subnet_groups, :db_subnet_groups, :db_subnet_group_name, "subgrp", region, credentials, ignoremaster, known: flags['known'], deploy_id: deploy_id) { |id|
|
810
813
|
MU.log "Deleting RDS subnet group #{id}"
|
@@ -1653,7 +1656,7 @@ dependencies
|
|
1653
1656
|
|
1654
1657
|
raise MuError, "terminate_rds_instance requires a non-nil database descriptor (#{cloud_id})" if db.nil? or cloud_id.nil?
|
1655
1658
|
|
1656
|
-
MU.retrier([], wait: 60, loop_if: Proc.new { %w{creating modifying backing-up}.include?(cluster ? db.status : db.db_instance_status) }) {
|
1659
|
+
MU.retrier([], wait: 60, loop_if: Proc.new { %w{creating modifying backing-up}.include?(cluster ? db.status : db.db_instance_status) }, loop_msg: "Waiting for RDS #{cluster ? "cluster" : "instance"} #{cloud_id} to be in a valid state for deletion") {
|
1657
1660
|
db = MU::Cloud::AWS::Database.find(cloud_id: cloud_id, region: region, credentials: credentials, cluster: cluster).values.first
|
1658
1661
|
return if db.nil?
|
1659
1662
|
}
|
@@ -1673,7 +1676,7 @@ dependencies
|
|
1673
1676
|
params[:skip_final_snapshot] = false
|
1674
1677
|
params[:final_db_snapshot_identifier] = "#{cloud_id}-mufinal"
|
1675
1678
|
end
|
1676
|
-
|
1679
|
+
sleep 30
|
1677
1680
|
if !noop
|
1678
1681
|
on_retry = Proc.new { |e|
|
1679
1682
|
if [Aws::RDS::Errors::DBSnapshotAlreadyExists, Aws::RDS::Errors::DBClusterSnapshotAlreadyExistsFault, Aws::RDS::Errors::DBClusterQuotaExceeded].include?(e.class)
|
@@ -1688,7 +1691,7 @@ dependencies
|
|
1688
1691
|
end
|
1689
1692
|
}
|
1690
1693
|
del_db = nil
|
1691
|
-
MU.retrier([], wait: 10, ignoreme: [Aws::RDS::Errors::DBInstanceNotFound], loop_if: Proc.new { del_db and ((!cluster and del_db.db_instance_status != "deleted") or (cluster and del_db.status != "deleted")) }) {
|
1694
|
+
MU.retrier([], wait: 10, ignoreme: [Aws::RDS::Errors::DBInstanceNotFound], loop_if: Proc.new { del_db and ((!cluster and del_db.db_instance_status != "deleted") or (cluster and del_db.status != "deleted")) }, loop_msg: "Waiting for RDS #{cluster ? "cluster" : "instance"} #{cloud_id} to delete") {
|
1692
1695
|
del_db = MU::Cloud::AWS::Database.find(cloud_id: cloud_id, region: region, cluster: cluster).values.first
|
1693
1696
|
}
|
1694
1697
|
end
|
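Review bot: The `sleep 30` added at new line 1679 of terminate_rds_instance runs unconditionally, including when `noop` is set, and nothing in the hunk says what it is waiting for; it should at least move under the `if !noop` on the following line with a why-comment, `sleep 30 unless noop # TODO(review): state what this wait covers`, or be replaced by polling the condition it is waiting on. The deletion poll touched by the last hunk's `loop_msg` change calls `MU::Cloud::AWS::Database.find(cloud_id: cloud_id, region: region, cluster: cluster)` without `credentials: credentials`, unlike the lookup at new line 1660; if `find` falls back to default credentials there, the poll could report the database as already gone while it still exists in the target account, so passing `credentials: credentials` looks necessary. In the cleanup hunk, gathering the per-type purge threads into `threads` and joining after the loop is the right fix, but `threads` is immediately reassigned at new line 812, so a distinct name such as `db_threads` for the first batch would make the two lifetimes obvious. terminate_rds_instance starts and ends outside these hunks.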
@@ -58,16 +58,19 @@ module MU
|
|
58
58
|
lambda_properties = get_properties
|
59
59
|
|
60
60
|
MU.retrier([Aws::Lambda::Errors::InvalidParameterValueException], max: 5, wait: 10) {
|
61
|
-
resp = MU::Cloud::AWS.lambda(region: @config['region'], credentials: @
|
61
|
+
resp = MU::Cloud::AWS.lambda(region: @config['region'], credentials: @credentials).create_function(lambda_properties)
|
62
62
|
@cloud_id = resp.function_name
|
63
63
|
}
|
64
64
|
|
65
65
|
# the console does this and docs expect it to be there, so mimic the
|
66
66
|
# behavior
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
|
67
|
+
begin
|
68
|
+
MU::Cloud::AWS.cloudwatchlogs(region: @config["region"], credentials: @credentials).create_log_group(
|
69
|
+
log_group_name: "/aws/lambda/#{@cloud_id}",
|
70
|
+
tags: @tags
|
71
|
+
)
|
72
|
+
rescue Aws::CloudWatchLogs::Errors::ResourceAlreadyExistsException
|
73
|
+
end
|
71
74
|
end
|
72
75
|
|
73
76
|
# Called automatically by {MU::Deploy#createResources}
|
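Review bot: The new `rescue Aws::CloudWatchLogs::Errors::ResourceAlreadyExistsException` at new line 72 swallows the already-exists case silently, so a pre-existing `/aws/lambda/#{@cloud_id}` group keeps whatever tags and settings it had, `@tags` is never applied, and nothing appears in the log; the branch should at least record it, `MU.log "Log group /aws/lambda/#{@cloud_id} already exists, leaving as-is", MU::DEBUG`. The group is also created with no retention policy, which leaves the function's invocation logs retained indefinitely; if that is intended it deserves a comment beside `create_log_group`, otherwise a `put_retention_policy` call after creation would bound it. The enclosing create method starts and ends outside the hunk.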
@@ -57,33 +57,36 @@ module MU
|
|
57
57
|
target_params = []
|
58
58
|
@config['targets'].each { |t|
|
59
59
|
MU.retrier([MuNonFatal], max:5, wait: 9) {
|
60
|
-
|
61
|
-
|
62
|
-
|
63
|
-
|
64
|
-
|
65
|
-
|
66
|
-
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
72
|
-
|
73
|
-
|
74
|
-
|
75
|
-
|
76
|
-
|
77
|
-
|
78
|
-
raise MuError.new "Failed to fetch object from role reference", details: t['role'].to_h if !role_obj
|
79
|
-
params[:role_arn] = role_obj.arn
|
80
|
-
end
|
81
|
-
[:input, :input_path, :input_transformer, :kinesis_parameters, :run_command_parameters, :batch_parameters, :sqs_parameters, :ecs_parameters].each { |attr|
|
82
|
-
if t[attr.to_s]
|
83
|
-
this_target[attr] = MU.structToHash(t[attr.to_s])
|
60
|
+
target_ref = MU::Config::Ref.get(t)
|
61
|
+
target_obj = target_ref.kitten(@deploy, cloud: "AWS")
|
62
|
+
this_target = if target_ref.is_mu_type? and target_obj and
|
63
|
+
!target_obj.arn.nil?
|
64
|
+
if target_ref.type == "functions"
|
65
|
+
target_obj.addTrigger(arn, "events", @mu_name)
|
66
|
+
end
|
67
|
+
{
|
68
|
+
id: target_obj.cloud_id,
|
69
|
+
arn: target_obj.arn
|
70
|
+
}
|
71
|
+
elsif target_ref.id and target_ref.id.match(/^arn:/)
|
72
|
+
{
|
73
|
+
id: target_ref.id || target_ref.name,
|
74
|
+
arn: target_ref.id
|
75
|
+
}
|
76
|
+
else
|
77
|
+
raise MuNonFatal.new "Failed to retrieve ARN from CLoudWatch Event target descriptor", details: target_ref.to_h
|
84
78
|
end
|
85
|
-
|
86
|
-
|
79
|
+
if t['role']
|
80
|
+
role_obj = MU::Config::Ref.get(t['role']).kitten(@deploy, cloud: "AWS")
|
81
|
+
raise MuError.new "Failed to fetch object from role reference", details: t['role'].to_h if !role_obj
|
82
|
+
params[:role_arn] = role_obj.arn
|
83
|
+
end
|
84
|
+
[:input, :input_path, :input_transformer, :kinesis_parameters, :run_command_parameters, :batch_parameters, :sqs_parameters, :ecs_parameters].each { |attr|
|
85
|
+
if t[attr.to_s]
|
86
|
+
this_target[attr] = MU.structToHash(t[attr.to_s])
|
87
|
+
end
|
88
|
+
}
|
89
|
+
target_params << this_target
|
87
90
|
}
|
88
91
|
}
|
89
92
|
MU::Cloud::AWS.cloudwatchevents(region: @config['region'], credentials: @credentials).put_targets(
|
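Review bot: The ARN test at new line 71, `target_ref.id.match(/^arn:/)`, uses `^`, which in Ruby matches at the start of any line rather than the whole string; the intent is a whole-string anchor, `target_ref.id.match?(/\Aarn:/)`, which also skips building a MatchData. In the same branch `id: target_ref.id || target_ref.name` can never reach `target_ref.name`, because the `elsif` already required `target_ref.id` to be truthy, so either drop the `|| target_ref.name` or fold the alternative into the condition. The raise at new line 77 spells `CLoudWatch` in its message; since that is a user-facing error string, `CloudWatch` is a one-character fix. The enclosing method and the `MU.retrier` block wrapping this loop start and end outside the hunk.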
@@ -43,7 +43,7 @@ module MU
|
|
43
43
|
|
44
44
|
policy_name = @mu_name+"-"+policy.keys.first.upcase
|
45
45
|
MU.log "Creating IAM policy #{policy_name}"
|
46
|
-
MU::Cloud::AWS.iam(credentials: @
|
46
|
+
MU::Cloud::AWS.iam(credentials: @credentials).create_policy(
|
47
47
|
policy_name: policy_name,
|
48
48
|
path: "/"+@deploy.deploy_id+"/",
|
49
49
|
policy_document: JSON.generate(policy.values.first),
|
@@ -53,16 +53,18 @@ module MU
|
|
53
53
|
end
|
54
54
|
|
55
55
|
if !@config['bare_policies']
|
56
|
-
MU.log "Creating IAM role #{@mu_name}"
|
57
56
|
@cloud_id = @mu_name
|
58
57
|
path = @config['strip_path'] ? nil : "/"+@deploy.deploy_id+"/"
|
59
|
-
|
60
|
-
path
|
61
|
-
role_name
|
62
|
-
description
|
63
|
-
assume_role_policy_document
|
64
|
-
tags
|
65
|
-
|
58
|
+
params = {
|
59
|
+
:path => path,
|
60
|
+
:role_name => @mu_name,
|
61
|
+
:description => "Generated by Mu",
|
62
|
+
:assume_role_policy_document => gen_assume_role_policy_doc,
|
63
|
+
:tags => get_tag_params
|
64
|
+
}
|
65
|
+
|
66
|
+
MU.log "Creating IAM role #{@mu_name} (#{@credentials})", details: params
|
67
|
+
MU::Cloud::AWS.iam(credentials: @credentials).create_role(params)
|
66
68
|
end
|
67
69
|
end
|
68
70
|
|
@@ -75,7 +77,7 @@ module MU
|
|
75
77
|
end
|
76
78
|
|
77
79
|
if !@config['bare_policies']
|
78
|
-
resp = MU::Cloud::AWS.iam(credentials: @
|
80
|
+
resp = MU::Cloud::AWS.iam(credentials: @credentials).get_role(
|
79
81
|
role_name: @mu_name
|
80
82
|
).role
|
81
83
|
ext_tags = resp.tags.map { |t| t.to_h }
|
@@ -84,7 +86,7 @@ module MU
|
|
84
86
|
|
85
87
|
if tag_param.size > 0
|
86
88
|
MU.log "Updating tags on IAM role #{@mu_name}", MU::NOTICE, details: tag_param
|
87
|
-
MU::Cloud::AWS.iam(credentials: @
|
89
|
+
MU::Cloud::AWS.iam(credentials: @credentials).tag_role(role_name: @mu_name, tags: tag_param)
|
88
90
|
end
|
89
91
|
end
|
90
92
|
|
@@ -114,13 +116,13 @@ module MU
|
|
114
116
|
|
115
117
|
# Purge anything that doesn't belong
|
116
118
|
if !@config['bare_policies']
|
117
|
-
attached_policies = MU::Cloud::AWS.iam(credentials: @
|
119
|
+
attached_policies = MU::Cloud::AWS.iam(credentials: @credentials).list_attached_role_policies(
|
118
120
|
role_name: @mu_name
|
119
121
|
).attached_policies
|
120
122
|
attached_policies.each { |a|
|
121
123
|
if !configured_policies.include?(a.policy_name)
|
122
124
|
MU.log "Removing IAM policy #{a.policy_name} from role #{@mu_name}", MU::NOTICE, details: configured_policies
|
123
|
-
MU::Cloud::AWS::Role.purgePolicy(a.policy_arn, @
|
125
|
+
MU::Cloud::AWS::Role.purgePolicy(a.policy_arn, @credentials)
|
124
126
|
end
|
125
127
|
}
|
126
128
|
end
|
@@ -155,7 +157,6 @@ module MU
|
|
155
157
|
}
|
156
158
|
|
157
159
|
policy_name = basename+"-"+policy.keys.first.upcase
|
158
|
-
|
159
160
|
arn = "arn:"+(MU::Cloud::AWS.isGovCloud? ? "aws-us-gov" : "aws")+":iam::"+MU::Cloud::AWS.credToAcct(credentials)+":policy#{path}/#{policy_name}"
|
160
161
|
resp = begin
|
161
162
|
desc = MU::Cloud::AWS.iam(credentials: credentials).get_policy(policy_arn: arn)
|
@@ -185,12 +186,17 @@ module MU
|
|
185
186
|
|
186
187
|
rescue Aws::IAM::Errors::NoSuchEntity
|
187
188
|
MU.log "Creating IAM policy #{policy_name}", details: policy.values.first
|
188
|
-
MU::Cloud::AWS.iam(credentials: credentials).create_policy(
|
189
|
+
desc = MU::Cloud::AWS.iam(credentials: credentials).create_policy(
|
189
190
|
policy_name: policy_name,
|
190
191
|
path: path+"/",
|
191
192
|
policy_document: JSON.generate(policy.values.first),
|
192
193
|
description: "Raw policy from #{basename}"
|
193
194
|
)
|
195
|
+
MU.retrier([Aws::IAM::Errors::NoSuchEntity], loop_if: Proc.new { desc.nil? }) {
|
196
|
+
desc = MU::Cloud::AWS.iam(credentials: credentials).get_policy(policy_arn: arn)
|
197
|
+
pp desc
|
198
|
+
}
|
199
|
+
desc
|
194
200
|
end
|
195
201
|
arns << resp.policy.arn
|
196
202
|
}
|
@@ -317,7 +323,7 @@ end
|
|
317
323
|
my_policies.each { |p|
|
318
324
|
if p.policy_name == policy
|
319
325
|
seen_policy = true
|
320
|
-
old = MU::Cloud::AWS.iam(credentials: @
|
326
|
+
old = MU::Cloud::AWS.iam(credentials: @credentials).get_policy_version(
|
321
327
|
policy_arn: p.arn,
|
322
328
|
version_id: p.default_version_id
|
323
329
|
).policy_version
|
@@ -576,7 +582,7 @@ end
|
|
576
582
|
def toKitten(**_args)
|
577
583
|
bok = {
|
578
584
|
"cloud" => "AWS",
|
579
|
-
"credentials" => @
|
585
|
+
"credentials" => @credentials,
|
580
586
|
"cloud_id" => @cloud_id
|
581
587
|
}
|
582
588
|
|
@@ -769,12 +775,12 @@ end
|
|
769
775
|
def bindTo(entitytype, entityname)
|
770
776
|
if entitytype == "instance_profile"
|
771
777
|
begin
|
772
|
-
resp = MU::Cloud::AWS.iam(credentials: @
|
778
|
+
resp = MU::Cloud::AWS.iam(credentials: @credentials).get_instance_profile(
|
773
779
|
instance_profile_name: entityname
|
774
780
|
).instance_profile
|
775
781
|
|
776
782
|
if !resp.roles.map { |r| r.role_name}.include?(@mu_name)
|
777
|
-
MU::Cloud::AWS.iam(credentials: @
|
783
|
+
MU::Cloud::AWS.iam(credentials: @credentials).add_role_to_instance_profile(
|
778
784
|
instance_profile_name: entityname,
|
779
785
|
role_name: @mu_name
|
780
786
|
)
|
@@ -784,7 +790,7 @@ end
|
|
784
790
|
raise e
|
785
791
|
end
|
786
792
|
elsif ["user", "group", "role"].include?(entitytype)
|
787
|
-
mypolicies = MU::Cloud::AWS.iam(credentials: @
|
793
|
+
mypolicies = MU::Cloud::AWS.iam(credentials: @credentials).list_policies(
|
788
794
|
path_prefix: "/"+@deploy.deploy_id+"/"
|
789
795
|
).policies
|
790
796
|
mypolicies.reject! { |p|
|
@@ -802,7 +808,7 @@ end
|
|
802
808
|
|
803
809
|
subpaths = ["service-role", "aws-service-role", "job-function"]
|
804
810
|
begin
|
805
|
-
mypolicies << MU::Cloud::AWS.iam(credentials: @
|
811
|
+
mypolicies << MU::Cloud::AWS.iam(credentials: @credentials).get_policy(
|
806
812
|
policy_arn: p_arn
|
807
813
|
).policy
|
808
814
|
rescue Aws::IAM::Errors::NoSuchEntity => e
|
@@ -822,7 +828,7 @@ end
|
|
822
828
|
credentials: @credentials
|
823
829
|
)
|
824
830
|
raw_arns.each { |p_arn|
|
825
|
-
mypolicies << MU::Cloud::AWS.iam(credentials: @
|
831
|
+
mypolicies << MU::Cloud::AWS.iam(credentials: @credentials).get_policy(
|
826
832
|
policy_arn: p_arn
|
827
833
|
).policy
|
828
834
|
}
|
@@ -830,37 +836,37 @@ end
|
|
830
836
|
|
831
837
|
mypolicies.each { |p|
|
832
838
|
if entitytype == "user"
|
833
|
-
resp = MU::Cloud::AWS.iam(credentials: @
|
839
|
+
resp = MU::Cloud::AWS.iam(credentials: @credentials).list_attached_user_policies(
|
834
840
|
path_prefix: "/"+@deploy.deploy_id+"/",
|
835
841
|
user_name: entityname
|
836
842
|
)
|
837
843
|
if !resp or !resp.attached_policies.map { |a_p| a_p.policy_name }.include?(p.policy_name)
|
838
844
|
MU.log "Attaching IAM policy #{p.policy_name} to user #{entityname}", MU::NOTICE
|
839
|
-
MU::Cloud::AWS.iam(credentials: @
|
845
|
+
MU::Cloud::AWS.iam(credentials: @credentials).attach_user_policy(
|
840
846
|
policy_arn: p.arn,
|
841
847
|
user_name: entityname
|
842
848
|
)
|
843
849
|
end
|
844
850
|
elsif entitytype == "group"
|
845
|
-
resp = MU::Cloud::AWS.iam(credentials: @
|
851
|
+
resp = MU::Cloud::AWS.iam(credentials: @credentials).list_attached_group_policies(
|
846
852
|
path_prefix: "/"+@deploy.deploy_id+"/",
|
847
853
|
group_name: entityname
|
848
854
|
)
|
849
855
|
if !resp or !resp.attached_policies.map { |a_p| a_p.policy_name }.include?(p.policy_name)
|
850
856
|
MU.log "Attaching policy #{p.policy_name} to group #{entityname}", MU::NOTICE
|
851
|
-
MU::Cloud::AWS.iam(credentials: @
|
857
|
+
MU::Cloud::AWS.iam(credentials: @credentials).attach_group_policy(
|
852
858
|
policy_arn: p.arn,
|
853
859
|
group_name: entityname
|
854
860
|
)
|
855
861
|
end
|
856
862
|
elsif entitytype == "role"
|
857
|
-
resp = MU::Cloud::AWS.iam(credentials: @
|
863
|
+
resp = MU::Cloud::AWS.iam(credentials: @credentials).list_attached_role_policies(
|
858
864
|
role_name: entityname
|
859
865
|
)
|
860
866
|
|
861
867
|
if !resp or !resp.attached_policies.map { |a_p| a_p.policy_name }.include?(p.policy_name)
|
862
868
|
MU.log "Attaching policy #{p.policy_name} to role #{entityname}", MU::NOTICE
|
863
|
-
MU::Cloud::AWS.iam(credentials: @
|
869
|
+
MU::Cloud::AWS.iam(credentials: @credentials).attach_role_policy(
|
864
870
|
policy_arn: p.arn,
|
865
871
|
role_name: entityname
|
866
872
|
)
|
@@ -881,19 +887,19 @@ end
|
|
881
887
|
end
|
882
888
|
|
883
889
|
resp = begin
|
884
|
-
MU.log "Creating instance profile #{@mu_name} #{@
|
885
|
-
MU::Cloud::AWS.iam(credentials: @
|
890
|
+
MU.log "Creating instance profile #{@mu_name} #{@credentials}"
|
891
|
+
MU::Cloud::AWS.iam(credentials: @credentials).create_instance_profile(
|
886
892
|
instance_profile_name: @mu_name
|
887
893
|
)
|
888
894
|
rescue Aws::IAM::Errors::EntityAlreadyExists
|
889
|
-
MU::Cloud::AWS.iam(credentials: @
|
895
|
+
MU::Cloud::AWS.iam(credentials: @credentials).get_instance_profile(
|
890
896
|
instance_profile_name: @mu_name
|
891
897
|
)
|
892
898
|
end
|
893
899
|
|
894
900
|
# make sure it's really there before moving on
|
895
901
|
begin
|
896
|
-
MU::Cloud::AWS.iam(credentials: @
|
902
|
+
MU::Cloud::AWS.iam(credentials: @credentials).get_instance_profile(instance_profile_name: @mu_name)
|
897
903
|
rescue Aws::IAM::Errors::NoSuchEntity => e
|
898
904
|
MU.log e.inspect, MU::WARN
|
899
905
|
sleep 10
|
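Review bot: `pp desc` at new line 197 in the create_policy hunk is a leftover debug print that dumps the full IAM policy descriptor to stdout on every retry, bypassing the MU.log channel; it should be removed, or at most become `MU.log "Fetched IAM policy #{arn}", MU::DEBUG, details: desc`. In the same retrier, `loop_if: Proc.new { desc.nil? }` is constructed after `desc` has already been assigned the `create_policy` response, so whether the `get_policy` refresh ever loops depends on MU.retrier internals that are not in view; if the intent is simply to wait until the new policy is readable, the `Aws::IAM::Errors::NoSuchEntity` entry in the retry list already does that and the `loop_if` clause can go. In the create_role hunk, `MU.log "Creating IAM role #{@mu_name} (#{@credentials})", details: params` emits the whole `assume_role_policy_document` at the default level; it is not secret, but it is bulky, and `MU::DEBUG` would match how aws.rb logs the comparable client `params` at new line 1538.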