RubyGems - conjur-asset-layer-api - Versions diffs - 0.3.1 → 0.4.0 - Mend

conjur-asset-layer-api 0.3.1 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/conjur-asset-layer.gemspec +1 -0
data/lib/conjur/command/layers.rb +29 -1
data/lib/conjur/provisioner/layer/aws.rb +143 -0
data/lib/conjur-asset-layer-version.rb +1 -1
metadata +3 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 75c346bdbbbec93a6f0cf0e089bf17c8f21bc5a4
-  data.tar.gz: e2f4155db409c0e607d8f7fe6a76136c3797f8bf
+  metadata.gz: e6ed26817bdc07935f87aa6fd739aeb23d334751
+  data.tar.gz: 853310d1208e67ebb1b3115a94f2934dda0293df
 SHA512:
-  metadata.gz: b8a00cc6e4dd4140e7e83e1ab92ae98a8b76db8a5f4b9218b4a97827058387e764ce4bd01d1b852c3bf340c434629c30c00f487caf2ad35c0a1f260b6429f7e6
-  data.tar.gz: 61b0dde9e21e3e97cd189407464da496ece39d8b644265529c5a89471dc6a359cfd140a81ab6f977ed71cfe93e9984b2311e8856914bb0a21a4598aa4a3d774b
+  metadata.gz: 0d3f6f126a4eb1c37fda76302681ce6fa9cac97580c9b1050b45a363dfd3b844ae2daf9cb710e1477aad42c39c1583efad8fd70db17364438116e5ccb71df068
+  data.tar.gz: feae14898a11262a406b2a8efede4dc20c9423011a9844183d2e76bf28b4d39642632e084d3d4cca049c6620eb338838e50b616255a818029d99e2100d95de20

data/conjur-asset-layer.gemspec CHANGED Viewed

@@ -57,5 +57,6 @@ Gem::Specification.new do |s|
     s.add_development_dependency "webmock"
     s.add_development_dependency "json_spec"
     s.add_development_dependency "ci_reporter"
+    s.add_development_dependency "aws-sdk"
   end
 end

data/lib/conjur/command/layers.rb CHANGED Viewed

@@ -13,7 +13,35 @@ class Conjur::Command::Layers < Conjur::Command
     hostid
   end
-  desc "Add a host to an layer (note: host id should be provided in fully-qualified format, i.e. <conjur_account>:host:<id>)"
+  desc "Provision a layer by creating backing resources in an IaaS / PaaS system"
+  arg_name "layer"
+  command :provision do |c|
+    c.desc "Provisioner to use (aws)"
+    c.arg_name "provisioner"
+    c.flag [ :provisioner ]
+    c.desc "Variable holding a credential used to connect to the provisioner"
+    c.arg_name "variableid"
+    c.flag [ :credential ]
+    c.action do |global_options, options, args|
+      id = require_arg(args, 'layer')
+      provisioner = options[:provisioner] or exit_now!("Missing argument: provisioner")
+      credential = options[:credential] or exit_now!("Missing argument: credential")
+      raise "Supported provisioners: aws" unless provisioner == "aws"
+      require "conjur/provisioner/layer/aws"
+      layer = api.layer(id)
+      class << layer
+        include Conjur::Provisioner::Layer::AWS
+      end
+      layer.aws_credentialid = credential
+      layer.provision
+    end
+  end
+  desc "Add a host to an layer"
   arg_name "layer host"
   command :"hosts:add" do |c|
     c.action do |global_options, options, args|

data/lib/conjur/provisioner/layer/aws.rb ADDED Viewed

@@ -0,0 +1,143 @@
+#
+# Copyright (C) 2013 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+require 'aws'
+module Conjur
+  module Provisioner
+    module Layer
+      module AWS
+        def self.included(base)
+          base.instance_eval do
+            attr_accessor :aws_credentialid
+          end
+        end
+        def aws_role
+          aws_iam.role[self.id.parameterize]
+        end
+        # Creates an AWS IAM Role corresponding to the Layer. The Role can be assumed by EC2 instances.
+        # Creates a system user (deputy) and adds it to the layer.
+        # In S3, a file is created with the identity of the system user, along with other
+        # information needed by Conjur chef-solo. The file is in chef-solo JSON format.
+        # It will be used by the [conjur-client Upstart job](https://github.com/conjur-cookbooks/conjur-client/blob/master/templates/default/conjur-bootstrap.conf.erb)
+        # to finish the server configuration.
+        def provision
+          aws_create_role
+          aws_create_s3_bootstrap_file
+        end
+        protected
+        def aws_bucket_name
+          "conjur-#{Conjur.account}-bootstrap"
+        end
+        def aws_role_name
+          self.id.parameterize
+        end
+        def aws_bootstrap_file_name
+          [ aws_role_name, ".json" ].join
+        end
+        def aws_create_s3_bootstrap_file
+          bucket = aws_s3.buckets[aws_bucket_name]
+          bucket = aws_s3.buckets.create(aws_bucket_name) unless bucket.exists?
+          host = begin
+            conjur_api.create_host id: [ id, "ec2_instance" ].join('/')
+          rescue
+            conjur_api.host [ id, "ec2_instance" ].join('/')
+          end
+          add_host host.roleid
+          solo_json = {
+            "conjur" =>  {
+              "host_identity" =>  {
+                "id" =>  host.id,
+                "api_key" =>  host.api_key
+              }
+            },
+            "run_list" => [
+              "terminal-login::configure"
+            ]
+          }
+          bucket.objects[aws_bootstrap_file_name].write JSON.pretty_generate(solo_json)
+        end
+        def aws_credentials
+          raise "No aws credentialid provided" unless aws_credentialid
+          require 'json'
+          @aws_credentials ||= JSON.parse(conjur_api.variable(aws_credentialid).value).symbolize_keys
+        end
+        def aws_iam
+          @aws_iam ||= ::AWS::IAM.new aws_credentials
+        end
+        def aws_s3
+          @aws_s3 ||= ::AWS::S3.new aws_credentials
+        end
+        def aws_create_role
+          path = self.id.split('/')[0...-1].join('/')
+          policy = {
+            "Version" => "2012-10-17",
+            "Statement" => [
+              {
+                "Effect" => "Allow",
+                "Principal" => {
+                  "Service" => "ec2.amazonaws.com"
+                },
+                "Action" => "sts:AssumeRole"
+              }
+            ]
+          }
+          role_params = {
+            role_name: aws_role_name,
+            assume_role_policy_document: JSON.pretty_generate(policy)
+          }
+          instance_profile_params = {
+            instance_profile_name: aws_role_name
+          }
+          # keg: I don't really get the purpose of 'path'
+          # instance_profile_params[:path] = role_params[:path] = [ '/', path, '/' ].join unless path.blank?
+          role = aws_iam.client.create_role role_params
+          instance_profile = aws_iam.client.create_instance_profile instance_profile_params
+          aws_iam.client.add_role_to_instance_profile role_name: aws_role_name, instance_profile_name: aws_role_name
+          aws_iam.client.put_role_policy role_name: aws_role_name, policy_name: 'read-bootstrap-file', policy_document: JSON.pretty_generate({
+            "Statement" => [{
+              "Effect" =>  "Allow",
+              "Action" =>  "s3:GetObject",
+              "Resource" =>  ["arn:aws:s3:::#{aws_bucket_name}/#{aws_bootstrap_file_name}"]
+              }
+            ]
+          })
+        end
+      end
+    end
+  end
+end

data/lib/conjur-asset-layer-version.rb CHANGED Viewed

@@ -1,7 +1,7 @@
 module Conjur
   module Asset
     module Layer
-      VERSION = "0.3.1"
+      VERSION = "0.4.0"
     end
   end
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: conjur-asset-layer-api
 version: !ruby/object:Gem::Version
-  version: 0.3.1
+  version: 0.4.0
 platform: ruby
 authors:
 - Kevin Gilpin
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-03-09 00:00:00.000000000 Z
+date: 2014-03-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: conjur-api
@@ -71,6 +71,7 @@ files:
 - lib/conjur/command/layers.rb
 - lib/conjur/layer-api.rb
 - lib/conjur/layer.rb
+- lib/conjur/provisioner/layer/aws.rb
 homepage: http://conjur.net
 licenses: []
 metadata: {}