cloud-mu 3.3.2 → 3.4.0
- checksums.yaml +4 -4
- data/cloud-mu.gemspec +3 -3
- data/cookbooks/mu-tools/attributes/default.rb +7 -0
- data/cookbooks/mu-tools/libraries/helper.rb +86 -2
- data/cookbooks/mu-tools/recipes/apply_security.rb +25 -9
- data/cookbooks/mu-tools/recipes/aws_api.rb +4 -0
- data/cookbooks/mu-tools/recipes/google_api.rb +4 -0
- data/cookbooks/mu-tools/recipes/rsyslog.rb +8 -1
- data/cookbooks/mu-tools/resources/disk.rb +33 -12
- data/cookbooks/mu-tools/resources/mommacat_request.rb +1 -2
- data/cookbooks/mu-tools/templates/centos-8/sshd_config.erb +215 -0
- data/extras/clean-stock-amis +10 -2
- data/extras/generate-stock-images +6 -3
- data/extras/image-generators/AWS/centos7.yaml +19 -16
- data/extras/image-generators/AWS/{rhel7.yaml → rhel71.yaml} +0 -0
- data/extras/image-generators/AWS/{win2k12.yaml → win2k12r2.yaml} +0 -0
- data/modules/mommacat.ru +2 -2
- data/modules/mu/cloud/wrappers.rb +16 -7
- data/modules/mu/config/ref.rb +1 -1
- data/modules/mu/defaults/AWS.yaml +96 -96
- data/modules/mu/mommacat.rb +10 -2
- data/modules/mu/mommacat/search.rb +11 -2
- data/modules/mu/mommacat/storage.rb +30 -15
- data/modules/mu/providers/aws.rb +43 -23
- data/modules/mu/providers/aws/database.rb +9 -6
- data/modules/mu/providers/aws/function.rb +8 -5
- data/modules/mu/providers/aws/job.rb +29 -26
- data/modules/mu/providers/aws/role.rb +38 -32
- data/modules/mu/providers/aws/server.rb +58 -51
- data/modules/mu/providers/aws/vpc.rb +3 -0
- data/modules/mu/providers/google.rb +1 -1
- data/modules/mu/providers/google/role.rb +1 -0
- metadata +10 -9
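--- a/data/modules/mu/providers/aws.rb
+++ b/data/modules/mu/providers/aws.rb
@@ -550,7 +550,9 @@ end
 def self.credToAcct(name = nil)
 creds = credConfig(name)
 
-
+if creds['account_number'] and !creds['account_number'].empty?
+return creds['account_number']
+end
 
 acct_num = MU::Cloud::AWS.iam(credentials: name).list_users.users.first.arn.split(/:/)[4]
 acct_num.to_s
@@ -672,8 +674,8 @@ end
 next
 end
 acct_num = MU::Cloud::AWS.iam(credentials: acctname).list_users.users.first.arn.split(/:/)[4]
-
-
+cfg['account_number'] ||= acct_num.to_s
+if acct_num.to_s == name.to_s
 @@acct_to_profile_map[name.to_s] = cfg
 return name_only ? name.to_s : cfg
 end
@@ -1516,6 +1518,7 @@ end
 def initialize(region: nil, api: "EC2", credentials: nil)
 @cred_obj = MU::Cloud::AWS.loadCredentials(credentials)
 @credentials = MU::Cloud::AWS.credConfig(credentials, name_only: true)
+@api_name = api
 
 if !@cred_obj
 raise MuError, "Unable to locate valid AWS credentials for #{api} API. #{credentials ? "Credentials requested were '#{credentials}'": ""}"
@@ -1533,6 +1536,8 @@ end
 params[:credentials] = @cred_obj
 
 MU.log "Initializing #{api} object with credentials #{credentials}", MU::DEBUG, details: params
+require "aws-sdk-#{api.downcase}"
+
 @api = Object.const_get("Aws::#{api}::Client").new(params)
 end
 
@@ -1541,27 +1546,31 @@ end
 # rescues for known silly endpoint behavior.
 def method_missing(method_sym, *arguments)
 # make sure error symbols are loaded for our exception handling later
-require "aws-sdk-
-require "aws-sdk-
-require "aws-sdk-
-require "aws-sdk-
-require "aws-sdk-
-require "aws-sdk-
-require "aws-sdk-
-require "aws-sdk-
-require "aws-sdk-
-require "aws-sdk-
-require "aws-sdk-
-require "aws-sdk-
-require "aws-sdk-
-require "aws-sdk-
-require "aws-sdk-
-
-
+require "aws-sdk-lambda"
+require "aws-sdk-rds"
+require "aws-sdk-ec2"
+require "aws-sdk-route53"
+require "aws-sdk-iam"
+require "aws-sdk-efs"
+require "aws-sdk-pricing"
+require "aws-sdk-apigateway"
+require "aws-sdk-ecs"
+require "aws-sdk-eks"
+require "aws-sdk-cloudwatchlogs"
+require "aws-sdk-cloudwatchevents"
+require "aws-sdk-elasticloadbalancing"
+require "aws-sdk-elasticloadbalancingv2"
+require "aws-sdk-autoscaling"
+
+known_concats = {
+"Pricing" => {
+:get_products => :price_list
+}
+}
 
 retries = 0
 begin
-MU.log "Calling #{method_sym} in #{@region}", MU::DEBUG, details: arguments
+MU.log "Calling #{@api_name}.#{method_sym} in #{@region}", MU::DEBUG, details: arguments
 
 retval = if !arguments.nil? and arguments.size == 1
 @api.method(method_sym).call(arguments[0])
@@ -1590,11 +1599,22 @@ end
 
 if paginator and new_page and !new_page.empty?
 resp = retval.respond_to?(:__getobj__) ? retval.__getobj__ : retval
-concat_to =
+concat_to = MU.structToHash(resp).keys.reject { |m|
 m.to_s.match(/=$/) or m == paginator or resp.send(m).nil? or !resp.send(m).is_a?(Array)
 }
+
+if concat_to.empty? and known_concats[@api_name] and
+known_concats[@api_name][method_sym]
+concat_to << known_concats[@api_name][method_sym]
+end
+
+if concat_to.empty? and method_sym.to_s.match(/^(?:describe|list)_(.*)/)
+my_attr = Regexp.last_match[1].to_sym
+concat_to << my_attr if resp.respond_to?(my_attr)
+end
+
 if concat_to.size != 1
-
+raise MuError.new "Tried to figure out where I might append paginated results for a #{@api_name}.#{method_sym}, but failed", details: MU.structToHash(resp).keys
 else
 concat_to = concat_to.first
 new_args = arguments ? arguments.dup : [{}]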
@@ -797,14 +797,17 @@ dependencies
|
|
797
797
|
# @return [void]
|
798
798
|
def self.cleanup(noop: false, deploy_id: MU.deploy_id, ignoremaster: false, credentials: nil, region: MU.curRegion, flags: {})
|
799
799
|
|
800
|
+
threads = []
|
801
|
+
|
800
802
|
["instance", "cluster"].each { |type|
|
801
|
-
threaded_resource_purge("describe_db_#{type}s".to_sym, "db_#{type}s".to_sym, "db_#{type}_identifier".to_sym, (type == "instance" ? "db" : "cluster"), region, credentials, ignoremaster, known: flags['known'], deploy_id: deploy_id) { |id|
|
803
|
+
threads.concat threaded_resource_purge("describe_db_#{type}s".to_sym, "db_#{type}s".to_sym, "db_#{type}_identifier".to_sym, (type == "instance" ? "db" : "cluster"), region, credentials, ignoremaster, known: flags['known'], deploy_id: deploy_id) { |id|
|
802
804
|
terminate_rds_instance(nil, noop: noop, skipsnapshots: flags["skipsnapshots"], region: region, deploy_id: deploy_id, cloud_id: id, mu_name: id.upcase, credentials: credentials, cluster: (type == "cluster"), known: flags['known'])
|
803
805
|
|
804
|
-
}.each { |t|
|
805
|
-
t.join
|
806
806
|
}
|
807
807
|
}
|
808
|
+
threads.each { |t|
|
809
|
+
t.join
|
810
|
+
}
|
808
811
|
|
809
812
|
threads = threaded_resource_purge(:describe_db_subnet_groups, :db_subnet_groups, :db_subnet_group_name, "subgrp", region, credentials, ignoremaster, known: flags['known'], deploy_id: deploy_id) { |id|
|
810
813
|
MU.log "Deleting RDS subnet group #{id}"
|
@@ -1653,7 +1656,7 @@ dependencies
|
|
1653
1656
|
|
1654
1657
|
raise MuError, "terminate_rds_instance requires a non-nil database descriptor (#{cloud_id})" if db.nil? or cloud_id.nil?
|
1655
1658
|
|
1656
|
-
MU.retrier([], wait: 60, loop_if: Proc.new { %w{creating modifying backing-up}.include?(cluster ? db.status : db.db_instance_status) }) {
|
1659
|
+
MU.retrier([], wait: 60, loop_if: Proc.new { %w{creating modifying backing-up}.include?(cluster ? db.status : db.db_instance_status) }, loop_msg: "Waiting for RDS #{cluster ? "cluster" : "instance"} #{cloud_id} to be in a valid state for deletion") {
|
1657
1660
|
db = MU::Cloud::AWS::Database.find(cloud_id: cloud_id, region: region, credentials: credentials, cluster: cluster).values.first
|
1658
1661
|
return if db.nil?
|
1659
1662
|
}
|
@@ -1673,7 +1676,7 @@ dependencies
|
|
1673
1676
|
params[:skip_final_snapshot] = false
|
1674
1677
|
params[:final_db_snapshot_identifier] = "#{cloud_id}-mufinal"
|
1675
1678
|
end
|
1676
|
-
|
1679
|
+
sleep 30
|
1677
1680
|
if !noop
|
1678
1681
|
on_retry = Proc.new { |e|
|
1679
1682
|
if [Aws::RDS::Errors::DBSnapshotAlreadyExists, Aws::RDS::Errors::DBClusterSnapshotAlreadyExistsFault, Aws::RDS::Errors::DBClusterQuotaExceeded].include?(e.class)
|
@@ -1688,7 +1691,7 @@ dependencies
|
|
1688
1691
|
end
|
1689
1692
|
}
|
1690
1693
|
del_db = nil
|
1691
|
-
MU.retrier([], wait: 10, ignoreme: [Aws::RDS::Errors::DBInstanceNotFound], loop_if: Proc.new { del_db and ((!cluster and del_db.db_instance_status != "deleted") or (cluster and del_db.status != "deleted")) }) {
|
1694
|
+
MU.retrier([], wait: 10, ignoreme: [Aws::RDS::Errors::DBInstanceNotFound], loop_if: Proc.new { del_db and ((!cluster and del_db.db_instance_status != "deleted") or (cluster and del_db.status != "deleted")) }, loop_msg: "Waiting for RDS #{cluster ? "cluster" : "instance"} #{cloud_id} to delete") {
|
1692
1695
|
del_db = MU::Cloud::AWS::Database.find(cloud_id: cloud_id, region: region, cluster: cluster).values.first
|
1693
1696
|
}
|
1694
1697
|
end
|
@@ -58,16 +58,19 @@ module MU
|
|
58
58
|
lambda_properties = get_properties
|
59
59
|
|
60
60
|
MU.retrier([Aws::Lambda::Errors::InvalidParameterValueException], max: 5, wait: 10) {
|
61
|
-
resp = MU::Cloud::AWS.lambda(region: @config['region'], credentials: @
|
61
|
+
resp = MU::Cloud::AWS.lambda(region: @config['region'], credentials: @credentials).create_function(lambda_properties)
|
62
62
|
@cloud_id = resp.function_name
|
63
63
|
}
|
64
64
|
|
65
65
|
# the console does this and docs expect it to be there, so mimic the
|
66
66
|
# behavior
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
|
67
|
+
begin
|
68
|
+
MU::Cloud::AWS.cloudwatchlogs(region: @config["region"], credentials: @credentials).create_log_group(
|
69
|
+
log_group_name: "/aws/lambda/#{@cloud_id}",
|
70
|
+
tags: @tags
|
71
|
+
)
|
72
|
+
rescue Aws::CloudWatchLogs::Errors::ResourceAlreadyExistsException
|
73
|
+
end
|
71
74
|
end
|
72
75
|
|
73
76
|
# Called automatically by {MU::Deploy#createResources}
|
@@ -57,33 +57,36 @@ module MU
|
|
57
57
|
target_params = []
|
58
58
|
@config['targets'].each { |t|
|
59
59
|
MU.retrier([MuNonFatal], max:5, wait: 9) {
|
60
|
-
|
61
|
-
|
62
|
-
|
63
|
-
|
64
|
-
|
65
|
-
|
66
|
-
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
72
|
-
|
73
|
-
|
74
|
-
|
75
|
-
|
76
|
-
|
77
|
-
|
78
|
-
raise MuError.new "Failed to fetch object from role reference", details: t['role'].to_h if !role_obj
|
79
|
-
params[:role_arn] = role_obj.arn
|
80
|
-
end
|
81
|
-
[:input, :input_path, :input_transformer, :kinesis_parameters, :run_command_parameters, :batch_parameters, :sqs_parameters, :ecs_parameters].each { |attr|
|
82
|
-
if t[attr.to_s]
|
83
|
-
this_target[attr] = MU.structToHash(t[attr.to_s])
|
60
|
+
target_ref = MU::Config::Ref.get(t)
|
61
|
+
target_obj = target_ref.kitten(@deploy, cloud: "AWS")
|
62
|
+
this_target = if target_ref.is_mu_type? and target_obj and
|
63
|
+
!target_obj.arn.nil?
|
64
|
+
if target_ref.type == "functions"
|
65
|
+
target_obj.addTrigger(arn, "events", @mu_name)
|
66
|
+
end
|
67
|
+
{
|
68
|
+
id: target_obj.cloud_id,
|
69
|
+
arn: target_obj.arn
|
70
|
+
}
|
71
|
+
elsif target_ref.id and target_ref.id.match(/^arn:/)
|
72
|
+
{
|
73
|
+
id: target_ref.id || target_ref.name,
|
74
|
+
arn: target_ref.id
|
75
|
+
}
|
76
|
+
else
|
77
|
+
raise MuNonFatal.new "Failed to retrieve ARN from CLoudWatch Event target descriptor", details: target_ref.to_h
|
84
78
|
end
|
85
|
-
|
86
|
-
|
79
|
+
if t['role']
|
80
|
+
role_obj = MU::Config::Ref.get(t['role']).kitten(@deploy, cloud: "AWS")
|
81
|
+
raise MuError.new "Failed to fetch object from role reference", details: t['role'].to_h if !role_obj
|
82
|
+
params[:role_arn] = role_obj.arn
|
83
|
+
end
|
84
|
+
[:input, :input_path, :input_transformer, :kinesis_parameters, :run_command_parameters, :batch_parameters, :sqs_parameters, :ecs_parameters].each { |attr|
|
85
|
+
if t[attr.to_s]
|
86
|
+
this_target[attr] = MU.structToHash(t[attr.to_s])
|
87
|
+
end
|
88
|
+
}
|
89
|
+
target_params << this_target
|
87
90
|
}
|
88
91
|
}
|
89
92
|
MU::Cloud::AWS.cloudwatchevents(region: @config['region'], credentials: @credentials).put_targets(
|
@@ -43,7 +43,7 @@ module MU
|
|
43
43
|
|
44
44
|
policy_name = @mu_name+"-"+policy.keys.first.upcase
|
45
45
|
MU.log "Creating IAM policy #{policy_name}"
|
46
|
-
MU::Cloud::AWS.iam(credentials: @
|
46
|
+
MU::Cloud::AWS.iam(credentials: @credentials).create_policy(
|
47
47
|
policy_name: policy_name,
|
48
48
|
path: "/"+@deploy.deploy_id+"/",
|
49
49
|
policy_document: JSON.generate(policy.values.first),
|
@@ -53,16 +53,18 @@ module MU
|
|
53
53
|
end
|
54
54
|
|
55
55
|
if !@config['bare_policies']
|
56
|
-
MU.log "Creating IAM role #{@mu_name}"
|
57
56
|
@cloud_id = @mu_name
|
58
57
|
path = @config['strip_path'] ? nil : "/"+@deploy.deploy_id+"/"
|
59
|
-
|
60
|
-
path
|
61
|
-
role_name
|
62
|
-
description
|
63
|
-
assume_role_policy_document
|
64
|
-
tags
|
65
|
-
|
58
|
+
params = {
|
59
|
+
:path => path,
|
60
|
+
:role_name => @mu_name,
|
61
|
+
:description => "Generated by Mu",
|
62
|
+
:assume_role_policy_document => gen_assume_role_policy_doc,
|
63
|
+
:tags => get_tag_params
|
64
|
+
}
|
65
|
+
|
66
|
+
MU.log "Creating IAM role #{@mu_name} (#{@credentials})", details: params
|
67
|
+
MU::Cloud::AWS.iam(credentials: @credentials).create_role(params)
|
66
68
|
end
|
67
69
|
end
|
68
70
|
|
@@ -75,7 +77,7 @@ module MU
|
|
75
77
|
end
|
76
78
|
|
77
79
|
if !@config['bare_policies']
|
78
|
-
resp = MU::Cloud::AWS.iam(credentials: @
|
80
|
+
resp = MU::Cloud::AWS.iam(credentials: @credentials).get_role(
|
79
81
|
role_name: @mu_name
|
80
82
|
).role
|
81
83
|
ext_tags = resp.tags.map { |t| t.to_h }
|
@@ -84,7 +86,7 @@ module MU
|
|
84
86
|
|
85
87
|
if tag_param.size > 0
|
86
88
|
MU.log "Updating tags on IAM role #{@mu_name}", MU::NOTICE, details: tag_param
|
87
|
-
MU::Cloud::AWS.iam(credentials: @
|
89
|
+
MU::Cloud::AWS.iam(credentials: @credentials).tag_role(role_name: @mu_name, tags: tag_param)
|
88
90
|
end
|
89
91
|
end
|
90
92
|
|
@@ -114,13 +116,13 @@ module MU
|
|
114
116
|
|
115
117
|
# Purge anything that doesn't belong
|
116
118
|
if !@config['bare_policies']
|
117
|
-
attached_policies = MU::Cloud::AWS.iam(credentials: @
|
119
|
+
attached_policies = MU::Cloud::AWS.iam(credentials: @credentials).list_attached_role_policies(
|
118
120
|
role_name: @mu_name
|
119
121
|
).attached_policies
|
120
122
|
attached_policies.each { |a|
|
121
123
|
if !configured_policies.include?(a.policy_name)
|
122
124
|
MU.log "Removing IAM policy #{a.policy_name} from role #{@mu_name}", MU::NOTICE, details: configured_policies
|
123
|
-
MU::Cloud::AWS::Role.purgePolicy(a.policy_arn, @
|
125
|
+
MU::Cloud::AWS::Role.purgePolicy(a.policy_arn, @credentials)
|
124
126
|
end
|
125
127
|
}
|
126
128
|
end
|
@@ -155,7 +157,6 @@ module MU
|
|
155
157
|
}
|
156
158
|
|
157
159
|
policy_name = basename+"-"+policy.keys.first.upcase
|
158
|
-
|
159
160
|
arn = "arn:"+(MU::Cloud::AWS.isGovCloud? ? "aws-us-gov" : "aws")+":iam::"+MU::Cloud::AWS.credToAcct(credentials)+":policy#{path}/#{policy_name}"
|
160
161
|
resp = begin
|
161
162
|
desc = MU::Cloud::AWS.iam(credentials: credentials).get_policy(policy_arn: arn)
|
@@ -185,12 +186,17 @@ module MU
|
|
185
186
|
|
186
187
|
rescue Aws::IAM::Errors::NoSuchEntity
|
187
188
|
MU.log "Creating IAM policy #{policy_name}", details: policy.values.first
|
188
|
-
MU::Cloud::AWS.iam(credentials: credentials).create_policy(
|
189
|
+
desc = MU::Cloud::AWS.iam(credentials: credentials).create_policy(
|
189
190
|
policy_name: policy_name,
|
190
191
|
path: path+"/",
|
191
192
|
policy_document: JSON.generate(policy.values.first),
|
192
193
|
description: "Raw policy from #{basename}"
|
193
194
|
)
|
195
|
+
MU.retrier([Aws::IAM::Errors::NoSuchEntity], loop_if: Proc.new { desc.nil? }) {
|
196
|
+
desc = MU::Cloud::AWS.iam(credentials: credentials).get_policy(policy_arn: arn)
|
197
|
+
pp desc
|
198
|
+
}
|
199
|
+
desc
|
194
200
|
end
|
195
201
|
arns << resp.policy.arn
|
196
202
|
}
|
@@ -317,7 +323,7 @@ end
|
|
317
323
|
my_policies.each { |p|
|
318
324
|
if p.policy_name == policy
|
319
325
|
seen_policy = true
|
320
|
-
old = MU::Cloud::AWS.iam(credentials: @
|
326
|
+
old = MU::Cloud::AWS.iam(credentials: @credentials).get_policy_version(
|
321
327
|
policy_arn: p.arn,
|
322
328
|
version_id: p.default_version_id
|
323
329
|
).policy_version
|
@@ -576,7 +582,7 @@ end
|
|
576
582
|
def toKitten(**_args)
|
577
583
|
bok = {
|
578
584
|
"cloud" => "AWS",
|
579
|
-
"credentials" => @
|
585
|
+
"credentials" => @credentials,
|
580
586
|
"cloud_id" => @cloud_id
|
581
587
|
}
|
582
588
|
|
@@ -769,12 +775,12 @@ end
|
|
769
775
|
def bindTo(entitytype, entityname)
|
770
776
|
if entitytype == "instance_profile"
|
771
777
|
begin
|
772
|
-
resp = MU::Cloud::AWS.iam(credentials: @
|
778
|
+
resp = MU::Cloud::AWS.iam(credentials: @credentials).get_instance_profile(
|
773
779
|
instance_profile_name: entityname
|
774
780
|
).instance_profile
|
775
781
|
|
776
782
|
if !resp.roles.map { |r| r.role_name}.include?(@mu_name)
|
777
|
-
MU::Cloud::AWS.iam(credentials: @
|
783
|
+
MU::Cloud::AWS.iam(credentials: @credentials).add_role_to_instance_profile(
|
778
784
|
instance_profile_name: entityname,
|
779
785
|
role_name: @mu_name
|
780
786
|
)
|
@@ -784,7 +790,7 @@ end
|
|
784
790
|
raise e
|
785
791
|
end
|
786
792
|
elsif ["user", "group", "role"].include?(entitytype)
|
787
|
-
mypolicies = MU::Cloud::AWS.iam(credentials: @
|
793
|
+
mypolicies = MU::Cloud::AWS.iam(credentials: @credentials).list_policies(
|
788
794
|
path_prefix: "/"+@deploy.deploy_id+"/"
|
789
795
|
).policies
|
790
796
|
mypolicies.reject! { |p|
|
@@ -802,7 +808,7 @@ end
|
|
802
808
|
|
803
809
|
subpaths = ["service-role", "aws-service-role", "job-function"]
|
804
810
|
begin
|
805
|
-
mypolicies << MU::Cloud::AWS.iam(credentials: @
|
811
|
+
mypolicies << MU::Cloud::AWS.iam(credentials: @credentials).get_policy(
|
806
812
|
policy_arn: p_arn
|
807
813
|
).policy
|
808
814
|
rescue Aws::IAM::Errors::NoSuchEntity => e
|
@@ -822,7 +828,7 @@ end
|
|
822
828
|
credentials: @credentials
|
823
829
|
)
|
824
830
|
raw_arns.each { |p_arn|
|
825
|
-
mypolicies << MU::Cloud::AWS.iam(credentials: @
|
831
|
+
mypolicies << MU::Cloud::AWS.iam(credentials: @credentials).get_policy(
|
826
832
|
policy_arn: p_arn
|
827
833
|
).policy
|
828
834
|
}
|
@@ -830,37 +836,37 @@ end
|
|
830
836
|
|
831
837
|
mypolicies.each { |p|
|
832
838
|
if entitytype == "user"
|
833
|
-
resp = MU::Cloud::AWS.iam(credentials: @
|
839
|
+
resp = MU::Cloud::AWS.iam(credentials: @credentials).list_attached_user_policies(
|
834
840
|
path_prefix: "/"+@deploy.deploy_id+"/",
|
835
841
|
user_name: entityname
|
836
842
|
)
|
837
843
|
if !resp or !resp.attached_policies.map { |a_p| a_p.policy_name }.include?(p.policy_name)
|
838
844
|
MU.log "Attaching IAM policy #{p.policy_name} to user #{entityname}", MU::NOTICE
|
839
|
-
MU::Cloud::AWS.iam(credentials: @
|
845
|
+
MU::Cloud::AWS.iam(credentials: @credentials).attach_user_policy(
|
840
846
|
policy_arn: p.arn,
|
841
847
|
user_name: entityname
|
842
848
|
)
|
843
849
|
end
|
844
850
|
elsif entitytype == "group"
|
845
|
-
resp = MU::Cloud::AWS.iam(credentials: @
|
851
|
+
resp = MU::Cloud::AWS.iam(credentials: @credentials).list_attached_group_policies(
|
846
852
|
path_prefix: "/"+@deploy.deploy_id+"/",
|
847
853
|
group_name: entityname
|
848
854
|
)
|
849
855
|
if !resp or !resp.attached_policies.map { |a_p| a_p.policy_name }.include?(p.policy_name)
|
850
856
|
MU.log "Attaching policy #{p.policy_name} to group #{entityname}", MU::NOTICE
|
851
|
-
MU::Cloud::AWS.iam(credentials: @
|
857
|
+
MU::Cloud::AWS.iam(credentials: @credentials).attach_group_policy(
|
852
858
|
policy_arn: p.arn,
|
853
859
|
group_name: entityname
|
854
860
|
)
|
855
861
|
end
|
856
862
|
elsif entitytype == "role"
|
857
|
-
resp = MU::Cloud::AWS.iam(credentials: @
|
863
|
+
resp = MU::Cloud::AWS.iam(credentials: @credentials).list_attached_role_policies(
|
858
864
|
role_name: entityname
|
859
865
|
)
|
860
866
|
|
861
867
|
if !resp or !resp.attached_policies.map { |a_p| a_p.policy_name }.include?(p.policy_name)
|
862
868
|
MU.log "Attaching policy #{p.policy_name} to role #{entityname}", MU::NOTICE
|
863
|
-
MU::Cloud::AWS.iam(credentials: @
|
869
|
+
MU::Cloud::AWS.iam(credentials: @credentials).attach_role_policy(
|
864
870
|
policy_arn: p.arn,
|
865
871
|
role_name: entityname
|
866
872
|
)
|
@@ -881,19 +887,19 @@ end
|
|
881
887
|
end
|
882
888
|
|
883
889
|
resp = begin
|
884
|
-
MU.log "Creating instance profile #{@mu_name} #{@
|
885
|
-
MU::Cloud::AWS.iam(credentials: @
|
890
|
+
MU.log "Creating instance profile #{@mu_name} #{@credentials}"
|
891
|
+
MU::Cloud::AWS.iam(credentials: @credentials).create_instance_profile(
|
886
892
|
instance_profile_name: @mu_name
|
887
893
|
)
|
888
894
|
rescue Aws::IAM::Errors::EntityAlreadyExists
|
889
|
-
MU::Cloud::AWS.iam(credentials: @
|
895
|
+
MU::Cloud::AWS.iam(credentials: @credentials).get_instance_profile(
|
890
896
|
instance_profile_name: @mu_name
|
891
897
|
)
|
892
898
|
end
|
893
899
|
|
894
900
|
# make sure it's really there before moving on
|
895
901
|
begin
|
896
|
-
MU::Cloud::AWS.iam(credentials: @
|
902
|
+
MU::Cloud::AWS.iam(credentials: @credentials).get_instance_profile(instance_profile_name: @mu_name)
|
897
903
|
rescue Aws::IAM::Errors::NoSuchEntity => e
|
898
904
|
MU.log e.inspect, MU::WARN
|
899
905
|
sleep 10
|