cumulus-aws 0.11.1

data/lib/iam/IAM.rb

@@ -0,0 +1,36 @@
+require "conf/Configuration"
+
+require "aws-sdk"
+
+module Cumulus
+  module IAM
+    class << self
+      @@client = Aws::IAM::Client.new(Configuration.instance.client)
+
+      # Public: Static method that will get the ARN of an IAM Role
+      #
+      # name - the name of the role to get
+      #
+      # Returns the String ARN or nil if there is no role
+      def get_role_arn(name)
+        @@client.get_role({
+          role_name: name
+        }).role.arn
+      rescue Aws::IAM::Errors::NoSuchEntity
+        nil
+      end
+
+      # Public: Get the instance profile arn for a role
+      #
+      # name - the name of the role
+      def get_instance_profile_arn(name)
+        @@client.get_instance_profile({
+          instance_profile_name: name
+        }).instance_profile.arn
+      rescue Aws::IAM::Errors::NoSuchEntity
+        nil
+      end
+
+    end
+  end
+end

data/lib/iam/loader/Loader.rb

@@ -0,0 +1,117 @@
+require "conf/Configuration"
+require "iam/models/GroupConfig"
+require "iam/models/StatementConfig"
+require "iam/models/RoleConfig"
+require "iam/models/UserConfig"
+require "common/BaseLoader"
+
+require "json"
+
+module Cumulus
+  module IAM
+    # Public: A module that handles loading all the json configuration files and
+    # creating objects from them.
+    module Loader
+      include Common::BaseLoader
+
+      @@group_loader = Proc.new { |name, json| GroupConfig.new(name, json) }
+      @@groups_dir = Configuration.instance.iam.groups_directory
+      @@role_loader = Proc.new { |name, json| RoleConfig.new(name, json) }
+      @@roles_dir = Configuration.instance.iam.roles_directory
+      @@user_loader = Proc.new { |name, json| UserConfig.new(name, json) }
+      @@users_dir = Configuration.instance.iam.users_directory
+      @@static_policy_dir = Configuration.instance.iam.static_policy_directory
+      @@template_dir = Configuration.instance.iam.template_policy_directory
+      @@policy_loader = Proc.new do |name, json|
+        if json.is_a?(Array)
+          json.map do |s|
+            StatementConfig.new(s)
+          end
+        else
+          StatementConfig.new(json)
+        end
+      end
+
+      # Public: Load all the roles defined in configuration.
+      #
+      # Returns an Array of RoleConfig objects defined by the roles configuration
+      # files.
+      def Loader.roles
+        Common::BaseLoader.resources(@@roles_dir, &@@role_loader)
+      end
+
+      # Public: Load a role defined in configuration
+      #
+      # file - the name of the role to load
+      #
+      # Returns a RoleConfig object defined by the role configuration files.
+      def Loader.role(file)
+        Common::BaseLoader.resource(file, @@roles_dir, &@@role_loader)
+      end
+
+      # Public: Load all the users defined in configuration.
+      #
+      # Returns an Array of UserConfig objects defined in user configuration files.
+      def Loader.users
+        Common::BaseLoader.resources(@@users_dir, &@@user_loader)
+      end
+
+      # Public: Load a user defined in configuration
+      #
+      # file - the file the user definition is found in
+      #
+      # Returns the UserConfig object defined by the file.
+      def Loader.user(file)
+        Common::BaseLoader.resource(file, @@users_dir, &@@user_loader)
+      end
+
+      # Public: Load all the groups defined in configuration.
+      #
+      # Returns an Array of GroupConfig objects defined by the groups configuration
+      # files.
+      def Loader.groups
+        Common::BaseLoader.resources(@@groups_dir, &@@group_loader)
+      end
+
+      # Public: Load a group defined in configuration
+      #
+      # file - the file the group definition is found in
+      #
+      # Returns the GroupConfig object defined by the file
+      def Loader.group(file)
+        Common::BaseLoader.resource(file, @@groups_dir, &@@group_loader)
+      end
+
+      # Public: Load in a static policy as StatementConfig object
+      #
+      # file - the String name of the static policy file to load
+      #
+      # Returns a StatementConfig object corresponding to the static policy
+      def Loader.static_policy(file)
+        Common::BaseLoader.resource(file, @@static_policy_dir, &@@policy_loader)
+      end
+
+      # Public: Load in a template policy, apply variables, and create a
+      # StatementConfig object from the result
+      #
+      # file      - the String name of the template policy file to load
+      # variables - a Hash of variables to apply to the template
+      #
+      # Returns a StatementConfig object corresponding to the applied template policy
+      def Loader.template_policy(file, variables)
+        Common::BaseLoader.template(file, @@template_dir, variables, &@@policy_loader)
+      end
+
+      # Public: Load the JSON string that is a role's policy document from a file.
+      #
+      # file - the String name of the policy document file to load
+      #
+      # Returns the String contents of the policy document file
+      def Loader.policy_document(file)
+        policy_dir = Configuration.instance.iam.policy_document_directory
+        Common::BaseLoader.load_file(file, policy_dir)
+      end
+
+    end
+  end
+end

data/lib/iam/manager/IamGroups.rb

@@ -0,0 +1,98 @@
+require "common/models/Diff"
+require "iam/loader/Loader"
+require "iam/models/IamDiff"
+require "iam/manager/IamResource"
+require "iam/models/GroupConfig"
+require "util/Colors"
+
+require "aws-sdk"
+
+module Cumulus
+  module IAM
+    # Public: Manager class for IAM Groups
+    class IamGroups < IamResource
+
+      def initialize(iam)
+        super(iam)
+        @type = "group"
+        @migration_dir = "groups"
+      end
+
+      def local_resources
+        local = {}
+        Loader.groups.each do |group|
+          local[group.name] = group
+        end
+        local
+      end
+
+      def one_local(name)
+        Loader.group(name)
+      end
+
+      def aws_resources
+        @aws_groups ||= init_aws_groups
+      end
+
+      def init_aws_groups
+        @iam.list_groups().groups.map do |group|
+          Aws::IAM::Group.new(group.group_name, { :client => @iam })
+        end
+      end
+
+      def create(difference)
+        @iam.create_group({
+          :group_name => difference.local.name
+        })
+        resource = Aws::IAM::Group.new(difference.local.name, { :client => @iam })
+        add_users(resource, difference.local.users)
+        resource
+      end
+
+      def update(resource, diffs)
+        super(resource, diffs)
+
+        if diffs.size == 1 and diffs[0].type == Common::DiffChange::ADD
+          puts Colors.blue("\tadding users...")
+          add_users(resource, diffs[0].local.users)
+        else
+          diffs.each do |diff|
+            if diff.type == IamChange::USER
+              puts Colors.blue("\tupdating users...")
+              add_users(resource, diff.added_users)
+              diff.removed_users.each { |u| resource.remove_user({ :user_name => u }) }
+            end
+          end
+        end
+      end
+
+      def empty_config
+        GroupConfig.new
+      end
+
+      def migrate_additional(configs_to_aws)
+        configs_to_aws.map do |config, resource|
+          config.users = resource.users.map { |u| u.name }
+        end
+      end
+
+      private
+
+      # Internal: Add the users assigned to the group to the group, handling the
+      # case that the user doesn't exist
+      #
+      # resource - the aws group resource
+      # users    - the users to add
+      def add_users(resource, users)
+        users.each do |u|
+          begin
+            resource.add_user({ :user_name => u })
+          rescue Aws::IAM::Errors::NoSuchEntity
+            puts Colors.red("\tNo such user #{u}!")
+          end
+        end
+      end
+
+    end
+  end
+end

data/lib/iam/manager/IamResource.rb

@@ -0,0 +1,288 @@
+require "common/models/Diff"
+require "iam/migration/PolicyUnifier"
+require "iam/models/IamDiff"
+require "util/Colors"
+require "util/StatusCodes"
+
+require 'uri'
+
+module Cumulus
+  module IAM
+    # Internal: Represents the manager of a type of IamResource. Base class for
+    # groups, roles, and users.
+    class IamResource
+      @@diff = Proc.new do |name, diffs|
+        if diffs.size > 0
+
+          if diffs.reject(&:info_only).size > 0
+            StatusCodes::set_status(StatusCodes::DIFFS)
+          end
+
+          if diffs.size == 1 and (diffs[0].type == Common::DiffChange::ADD or
+            diffs[0].type == Common::DiffChange::UNMANAGED)
+            puts diffs[0]
+          else
+            puts "#{name} has the following changes:"
+            diffs.each do |diff|
+              diff_string = diff.to_s.lines.map { |s| "\t#{s}" }.join
+              puts diff_string
+            end
+          end
+        end
+      end
+
+      # =====================================================
+      # Methods to be overridden
+      # =====================================================
+      # Public: Get the local resources
+      #
+      # Returns an array of resources
+      def local_resources
+        nil
+      end
+
+      # Public: Get one local resource
+      #
+      # name - the name of the resource to load
+      #
+      # Returns one local resource
+      def one_local(name)
+        nil
+      end
+
+      # Public: Get resources from AWS
+      #
+      # Returns an array of resources from AWS
+      def aws_resources
+        nil
+      end
+
+      # Public: Create a resource in AWS
+      #
+      # difference - the Diff object that contains the local differences
+      #
+      # Returns the created resource
+      def create(difference)
+        nil
+      end
+
+      # Public: Create an empty config object
+      #
+      # Returns the created config object
+      def empty_config
+        nil
+      end
+
+      # Public: When migrating, provide a config with any resource type specific
+      # data.
+      #
+      # configs_to_aws - an array of arrays where each inner array's first element
+      #                  is the configuration generated so far, and the second
+      #                  element is the corresponding aws resource
+      def migrate_additional(configs_to_aws)
+      end
+
+      # =====================================================
+      # End methods to be overridden
+      # =====================================================
+
+      # Public: Constructor
+      #
+      # iam - the IAM client to use
+      def initialize(iam)
+        @iam = iam
+        @migration_root = "generated"
+      end
+
+      # Public: Print out the diff between the local configuration and the IAMS
+      # in AWS
+      def diff
+        each_difference(local_resources, true, &@@diff)
+      end
+
+      # Public: Print out the diff between local configuration and AWS for one
+      # resource
+      #
+      # name - the name of the resource to diff
+      def diff_one(name)
+        each_difference({ name => one_local(name) }, false, &@@diff)
+      end
+
+      # Public: Print out a list of resources defined by local configuration.
+      def list
+        puts local_resources.map { |name, resource| name }.join(" ")
+      end
+
+      # Public: Sync the local configuration with the configuration in AWS. Will
+      # not delete resources that are not locally configured; also will not remove
+      # inline policies that are not locally configured.
+      def sync
+        each_difference(local_resources, true) { |name, diffs| sync_difference(name, diffs) }
+      end
+
+      # Public: Sync the local configuration for one resource with AWS
+      #
+      # name - the name of the resource to sync
+      def sync_one(name)
+        each_difference({ name => one_local(name) }, false) { |name, diffs| sync_difference(name, diffs) }
+      end
+
+      # Public: Migrate AWS IAMs to Cumulus configuration.
+      def migrate
+        assets = "#{@migration_root}/#{@migration_dir}"
+        policies_dir = "#{@migration_root}/policies"
+        statics_dir = "#{policies_dir}/static"
+
+        if !Dir.exists?(@migration_root)
+          Dir.mkdir(@migration_root)
+        end
+        if !Dir.exists?(assets)
+          Dir.mkdir(assets)
+        end
+        if !Dir.exists?(policies_dir)
+          Dir.mkdir(policies_dir)
+        end
+        if !Dir.exists?(statics_dir)
+          Dir.mkdir(statics_dir)
+        end
+
+        # generate the configuration objects. This MUST be done separate from
+        # writing to file, because the unifier will change the configuration objects
+        # as it finds ways to unify configured attributes.
+        policy_unifier = PolicyUnifier.new(statics_dir)
+        configs = aws_resources.map do |resource|
+          puts "Processing #{@type} #{resource.name}..."
+          config = empty_config
+          config.name = resource.name
+
+          config.attached_policies = resource.attached_policies.map { |p| p.arn }
+
+          resource.policies.each do |policy|
+            statements = JSON.parse(URI.decode(policy.policy_document))["Statement"]
+            statements.each { |statement| statement.delete("Sid") }
+            policy_unifier.unify(config, statements, policy.name)
+          end
+
+          [config, resource]
+        end
+
+        migrate_additional(configs)
+        configs = configs.map { |config, resource| config }
+
+        # write the configuration to file
+        puts "Writing configuration to file..."
+        configs.each do |config|
+          File.open("#{assets}/#{config.name}.json", 'w') { |f| f.write(config.json) }
+        end
+
+        puts "Done."
+      end
+
+      # Public: Update a resource in AWS
+      #
+      # resource  - the resource to update
+      # diffs     - the diff objects to be used when updating the resource
+      def update(resource, diffs)
+        if diffs.size == 1 and diffs[0].type == Common::DiffChange::ADD
+          if !diffs[0].local.policy.empty?
+            update_policy(resource, diffs[0].local.generated_policy_name, diffs[0].local.policy)
+          end
+          if !diffs[0].local.attached_policies.empty?
+            update_attached(resource, diffs[0].local.attached_policies, [])
+          end
+        else
+          diffs.each do |diff|
+            case diff.type
+            when IamChange::POLICY
+              update_policy(resource, diff.policy_name, diff.local)
+            when IamChange::ATTACHED
+              update_attached(resource, diff.attached, diff.detached)
+            when IamChange::ADDED_POLICY
+              update_policy(resource, diff.policy_name, diff.local)
+            when IamChange::UNMANAGED_POLICY
+              puts Colors.unmanaged("\t#{diff.policy_name} is not managed by Cumulus")
+            end
+          end
+        end
+      end
+
+      private
+
+      # Internal: Loop through the differences between local configuration and AWS
+      #
+      # locals            - the local configurations to compare against
+      # include_unmanaged - whether to include unmanaged resources in the list of
+      #                     changes
+      # f                 - will be passed the name of the resource and an array of
+      #                     IamDiffs
+      def each_difference(locals, include_unmanaged, &f)
+        aws = Hash[aws_resources.map { |aws| [aws.name, aws] }]
+
+        if include_unmanaged
+          aws.each do |name, resource|
+            f.call(name, [IamDiff.unmanaged(resource)]) if !locals.include?(name)
+          end
+        end
+        locals.each do |name, resource|
+          if !aws.include?(name)
+            f.call(name, [IamDiff.added(resource)])
+          else
+            f.call(name, resource.diff(aws[name]))
+          end
+        end
+      end
+
+      # Internal: Sync differences
+      #
+      # name  - the name of the resource to sync
+      # diffs - the differences between the configuration and AWS
+      def sync_difference(name, diffs)
+        aws = Hash[aws_resources.map { |aws| [aws.name, aws] }]
+        if diffs.size > 0
+          StatusCodes::set_status(StatusCodes::SYNC_DIFFS)
+
+          if diffs[0].type == Common::DiffChange::UNMANAGED
+            puts diffs[0]
+          elsif diffs[0].type == Common::DiffChange::ADD
+            puts Colors.added("creating #{name}...")
+            resource = create(diffs[0])
+            update(resource, diffs)
+          else
+            puts Colors.blue("updating #{name}...")
+            resource = aws[name]
+            update(resource, diffs)
+          end
+        end
+      end
+
+      # Internal: Update the generated policy
+      #
+      # resource - the AWS resource to update
+      # name     - the name of the policy to update
+      # config   - the policy config to use when updating
+      def update_policy(resource, name, config)
+        puts Colors.blue("\tupdating policy #{name}...")
+        policy = resource.policy(name)
+        if config.empty?
+          policy.delete()
+        else
+          policy.put({
+            :policy_document => config.as_pretty_json
+          })
+        end
+      end
+
+      # Internal: Update the attached policies
+      #
+      # resource - the AWS resource to update
+      # attach   - the policy arns to attach
+      # detach   - the policy arns to detach
+      def update_attached(resource, attach, detach)
+        puts Colors.blue("\tupdating attached policies...")
+        attach.each { |arn| resource.attach_policy({ :policy_arn => arn }) }
+        detach.each { |arn| resource.detach_policy({ :policy_arn => arn }) }
+      end
+
+    end
+  end
+end