RubyGems - conjur-asset-layer-api - Versions diffs - 0.3.1 → 0.4.0 - Mend

conjur-asset-layer-api 0.3.1 → 0.4.0

Files changed (6) hide show

checksums.yaml +4 -4
data/conjur-asset-layer.gemspec +1 -0
data/lib/conjur/command/layers.rb +29 -1
data/lib/conjur/provisioner/layer/aws.rb +143 -0
data/lib/conjur-asset-layer-version.rb +1 -1
metadata +3 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 75c346bdbbbec93a6f0cf0e089bf17c8f21bc5a4
-  data.tar.gz: e2f4155db409c0e607d8f7fe6a76136c3797f8bf
+  metadata.gz: e6ed26817bdc07935f87aa6fd739aeb23d334751
+  data.tar.gz: 853310d1208e67ebb1b3115a94f2934dda0293df
 SHA512:
-  metadata.gz: b8a00cc6e4dd4140e7e83e1ab92ae98a8b76db8a5f4b9218b4a97827058387e764ce4bd01d1b852c3bf340c434629c30c00f487caf2ad35c0a1f260b6429f7e6
-  data.tar.gz: 61b0dde9e21e3e97cd189407464da496ece39d8b644265529c5a89471dc6a359cfd140a81ab6f977ed71cfe93e9984b2311e8856914bb0a21a4598aa4a3d774b
+  metadata.gz: 0d3f6f126a4eb1c37fda76302681ce6fa9cac97580c9b1050b45a363dfd3b844ae2daf9cb710e1477aad42c39c1583efad8fd70db17364438116e5ccb71df068
+  data.tar.gz: feae14898a11262a406b2a8efede4dc20c9423011a9844183d2e76bf28b4d39642632e084d3d4cca049c6620eb338838e50b616255a818029d99e2100d95de20

data/conjur-asset-layer.gemspec CHANGED Viewed

@@ -57,5 +57,6 @@ Gem::Specification.new do |s|
     s.add_development_dependency "webmock"
     s.add_development_dependency "json_spec"
     s.add_development_dependency "ci_reporter"
+    s.add_development_dependency "aws-sdk"
   end
 end

data/lib/conjur/command/layers.rb CHANGED Viewed

@@ -13,7 +13,35 @@ class Conjur::Command::Layers < Conjur::Command
     hostid
   end
-  desc "Add a host to an layer (note: host id should be provided in fully-qualified format, i.e. <conjur_account>:host:<id>)"
+  desc "Provision a layer by creating backing resources in an IaaS / PaaS system"
+  arg_name "layer"
+  command :provision do |c|
+    c.desc "Provisioner to use (aws)"
+    c.arg_name "provisioner"
+    c.flag [ :provisioner ]
+    c.desc "Variable holding a credential used to connect to the provisioner"
+    c.arg_name "variableid"
+    c.flag [ :credential ]
+    c.action do |global_options, options, args|
+      id = require_arg(args, 'layer')
+      provisioner = options[:provisioner] or exit_now!("Missing argument: provisioner")
+      credential = options[:credential] or exit_now!("Missing argument: credential")
+      raise "Supported provisioners: aws" unless provisioner == "aws"
+      require "conjur/provisioner/layer/aws"
+      layer = api.layer(id)
+      class << layer
+        include Conjur::Provisioner::Layer::AWS
+      end
+      layer.aws_credentialid = credential
+      layer.provision
+    end
+  end
+  desc "Add a host to an layer"
   arg_name "layer host"
   command :"hosts:add" do |c|
     c.action do |global_options, options, args|

data/lib/conjur/provisioner/layer/aws.rb ADDED Viewed

@@ -0,0 +1,143 @@
+#
+# Copyright (C) 2013 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+require 'aws'
+module Conjur
+  module Provisioner
+    module Layer
+      module AWS
+        def self.included(base)
+          base.instance_eval do
+            attr_accessor :aws_credentialid
+          end
+        end
+        def aws_role
+          aws_iam.role[self.id.parameterize]
+        end
+        # Creates an AWS IAM Role corresponding to the Layer. The Role can be assumed by EC2 instances.
+        # Creates a system user (deputy) and adds it to the layer.
+        # In S3, a file is created with the identity of the system user, along with other
+        # information needed by Conjur chef-solo. The file is in chef-solo JSON format.
+        # It will be used by the [conjur-client Upstart job](https://github.com/conjur-cookbooks/conjur-client/blob/master/templates/default/conjur-bootstrap.conf.erb)
+        # to finish the server configuration.
+        def provision
+          aws_create_role
+          aws_create_s3_bootstrap_file
+        end
+        protected
+        def aws_bucket_name
+          "conjur-#{Conjur.account}-bootstrap"
+        end
+        def aws_role_name
+          self.id.parameterize
+        end
+        def aws_bootstrap_file_name
+          [ aws_role_name, ".json" ].join
+        end
+        def aws_create_s3_bootstrap_file
+          bucket = aws_s3.buckets[aws_bucket_name]
+          bucket = aws_s3.buckets.create(aws_bucket_name) unless bucket.exists?
+          host = begin
+            conjur_api.create_host id: [ id, "ec2_instance" ].join('/')
+          rescue
+            conjur_api.host [ id, "ec2_instance" ].join('/')
+          end
+          add_host host.roleid
+          solo_json = {
+            "conjur" =>  {
+              "host_identity" =>  {
+                "id" =>  host.id,
+                "api_key" =>  host.api_key
+              }
+            },
+            "run_list" => [
+              "terminal-login::configure"
+            ]
+          }
+          bucket.objects[aws_bootstrap_file_name].write JSON.pretty_generate(solo_json)
+        end
+        def aws_credentials
+          raise "No aws credentialid provided" unless aws_credentialid
+          require 'json'
+          @aws_credentials ||= JSON.parse(conjur_api.variable(aws_credentialid).value).symbolize_keys
+        end
+        def aws_iam
+          @aws_iam ||= ::AWS::IAM.new aws_credentials
+        end
+        def aws_s3
+          @aws_s3 ||= ::AWS::S3.new aws_credentials
+        end
+        def aws_create_role
+          path = self.id.split('/')[0...-1].join('/')
+          policy = {
+            "Version" => "2012-10-17",
+            "Statement" => [
+              {
+                "Effect" => "Allow",
+                "Principal" => {
+                  "Service" => "ec2.amazonaws.com"
+                },
+                "Action" => "sts:AssumeRole"
+              }
+            ]
+          }
+          role_params = {
+            role_name: aws_role_name,
+            assume_role_policy_document: JSON.pretty_generate(policy)
+          }
+          instance_profile_params = {
+            instance_profile_name: aws_role_name
+          }
+          # keg: I don't really get the purpose of 'path'
+          # instance_profile_params[:path] = role_params[:path] = [ '/', path, '/' ].join unless path.blank?
+          role = aws_iam.client.create_role role_params
+          instance_profile = aws_iam.client.create_instance_profile instance_profile_params
+          aws_iam.client.add_role_to_instance_profile role_name: aws_role_name, instance_profile_name: aws_role_name
+          aws_iam.client.put_role_policy role_name: aws_role_name, policy_name: 'read-bootstrap-file', policy_document: JSON.pretty_generate({
+            "Statement" => [{
+              "Effect" =>  "Allow",
+              "Action" =>  "s3:GetObject",
+              "Resource" =>  ["arn:aws:s3:::#{aws_bucket_name}/#{aws_bootstrap_file_name}"]
+              }
+            ]
+          })
+        end
+      end
+    end
+  end
+end

data/lib/conjur-asset-layer-version.rb CHANGED Viewed

@@ -1,7 +1,7 @@
 module Conjur
   module Asset
     module Layer
-      VERSION = "0.3.1"
+      VERSION = "0.4.0"
     end
   end
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: conjur-asset-layer-api
 version: !ruby/object:Gem::Version
-  version: 0.3.1
+  version: 0.4.0
 platform: ruby
 authors:
 - Kevin Gilpin
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-03-09 00:00:00.000000000 Z
+date: 2014-03-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: conjur-api
@@ -71,6 +71,7 @@ files:
 - lib/conjur/command/layers.rb
 - lib/conjur/layer-api.rb
 - lib/conjur/layer.rb
+- lib/conjur/provisioner/layer/aws.rb
 homepage: http://conjur.net
 licenses: []
 metadata: {}