cumulus-aws 0.11.1

data/lib/iam/manager/IamRoles.rb

@@ -0,0 +1,112 @@
+require "iam/loader/Loader"
+require "iam/manager/IamResource"
+require "iam/migration/AssumeRoleUnifier"
+require "iam/models/IamDiff"
+require "iam/models/RoleConfig"
+require "util/Colors"
+
+require "aws-sdk"
+
+module Cumulus
+  module IAM
+    # Public: Manager class for IAM Roles.
+    class IamRoles < IamResource
+
+      def initialize(iam)
+        super(iam)
+        @type = "role"
+        @migration_dir = "roles"
+      end
+
+      def local_resources
+        local = {}
+        Loader.roles.each do |role|
+          local[role.name] = role
+        end
+        local
+      end
+
+      def one_local(name)
+        Loader.role(name)
+      end
+
+      def aws_resources
+        @aws_roles ||= init_aws_roles
+      end
+
+      # Internal: Load all the roles from AWS
+      #
+      # Returns the Array of AWS roles
+      def init_aws_roles
+        @iam.list_roles().roles.map do |role|
+          Aws::IAM::Role.new(role.role_name, { :client => @iam })
+        end
+      end
+      private :init_aws_roles
+
+      def create(difference)
+        # create the role
+        @iam.create_role({
+          :role_name => difference.local.name,
+          :assume_role_policy_document => difference.local.policy_document
+        })
+        role = Aws::IAM::Role.new(difference.local.name, { :client => @iam })
+
+        # try to create the instance profile, but if it already exists, just warn
+        # the user
+        begin
+          @iam.create_instance_profile({
+            :instance_profile_name => difference.local.name
+          })
+        rescue Aws::IAM::Errors::EntityAlreadyExists
+          Colors.red("Instance profile already exists")
+        end
+
+        # assign the role to the instance profile
+        instance_profile = Aws::IAM::InstanceProfile.new(difference.local.name, { :client => @iam })
+        instance_profile.add_role({
+          :role_name => difference.local.name
+        })
+        role
+      end
+
+      def update(resource, diffs)
+        super(resource, diffs)
+
+        diffs.each do |diff|
+          if diff.type == IamChange::POLICY_DOC
+            puts Colors.blue("updating assume role policy document...")
+            resource.assume_role_policy.update({
+              policy_document: diff.local.policy_document
+            })
+          end
+        end
+      end
+
+      def empty_config
+        RoleConfig.new
+      end
+
+      def migrate_additional(configs_to_aws)
+        policy_document_dir = "#{@migration_root}/#{@migration_dir}/policy-documents"
+
+        if !Dir.exists?(policy_document_dir)
+          Dir.mkdir(policy_document_dir)
+        end
+
+        unifier = AssumeRoleUnifier.new(
+          policy_document_dir,
+          &Proc.new { |c, v| c.policy_document = v }
+        )
+        configs_to_aws.map do |config, resource|
+          unifier.unify(
+            config,
+            URI.unescape(resource.assume_role_policy_document),
+            config.name
+          )
+        end
+      end
+
+    end
+  end
+end

data/lib/iam/manager/IamUsers.rb

@@ -0,0 +1,54 @@
+require "iam/loader/Loader"
+require "iam/manager/IamResource"
+require "iam/models/UserConfig"
+
+require "aws-sdk"
+
+module Cumulus
+  module IAM
+    # Public: Manager class for IAM Users
+    class IamUsers < IamResource
+
+      def initialize(iam)
+        super(iam)
+        @type = "user"
+        @migration_dir = "users"
+      end
+
+      def local_resources
+        local = {}
+        Loader.users.each do |user|
+          local[user.name] = user
+        end
+        local
+      end
+
+      def one_local(name)
+        Loader.user(name)
+      end
+
+      def aws_resources
+        @aws_users ||= init_aws_users
+      end
+
+      def init_aws_users
+        @iam.list_users().users.map do |user|
+          Aws::IAM::User.new(user.user_name, { :client => @iam })
+        end
+      end
+      private :init_aws_users
+
+      def create(difference)
+        @iam.create_user({
+          :user_name => difference.local.name
+        })
+        Aws::IAM::User.new(difference.local.name, { :client => @iam })
+      end
+
+      def empty_config
+        UserConfig.new
+      end
+
+    end
+  end
+end

data/lib/iam/manager/Manager.rb

@@ -0,0 +1,29 @@
+require "conf/Configuration"
+require "iam/manager/IamGroups"
+require "iam/manager/IamRoles"
+require "iam/manager/IamUsers"
+
+require "aws-sdk"
+
+module Cumulus
+  module IAM
+
+    # Public: The main class for the IAM management module.
+    class Manager
+
+      attr_reader :groups
+      attr_reader :roles
+      attr_reader :users
+
+      # Public: Constructor
+      def initialize
+        iam = Aws::IAM::Client.new(Configuration.instance.client)
+
+        @groups = IamGroups.new(iam)
+        @roles = IamRoles.new(iam)
+        @users = IamUsers.new(iam)
+      end
+
+    end
+  end
+end

data/lib/iam/migration/AssumeRoleUnifier.rb

@@ -0,0 +1,34 @@
+module Cumulus
+  module IAM
+    # Public: A class that keeps track of strings, writing them to file and unifying
+    # them if they are identical. Specifically, this is use for the assume role
+    # document on roles
+    class AssumeRoleUnifier
+      # Public: Constructor.
+      #
+      # dir   - the directory to write assets to
+      # save  - a function that will save a value to a config. Takes the value and
+      #         the config as paramters.
+      def initialize(dir, &save)
+        @dir = dir
+        @strings = {}
+        @save = save
+      end
+
+      # Public: Unify a string with any previous instances of the string
+      #
+      # config - the config object that the string should belong to
+      # s      - the string to unify
+      # name   - the name of the file this string should be saved to if needed
+      def unify(config, s, name)
+        if !@strings.has_key?(s)
+          File.open("#{@dir}/#{name}", 'w') { |f| f.write(s) }
+          @strings[s] = name
+          @save.call(config, name)
+        else
+          @save.call(config, @strings[s])
+        end
+      end
+    end
+  end
+end

data/lib/iam/migration/PolicyUnifier.rb

@@ -0,0 +1,90 @@
+module Cumulus
+  module IAM
+    # Public: A class that keeps track of policy statements, determining when to put
+    # a policy into the inline definition of the resource, or to create a static
+    # policy that can apply to multiple resources. It does this by keeping track of
+    # policies that it's seen before, and putting everything into inlines. When it
+    # sees something for the second time, it will remove the policy from the first
+    # resource's inlines, and creates a static policy definition.
+    class PolicyUnifier
+
+      # the following inner classes are used to keep track of whether we've seen
+      # a policy before. `SingleInstance` and `MultipleInstances` both extend
+      # `Instance`, as both of them have a `name` attribute.
+      class Instance
+        attr_reader :name
+        def initialize(name)
+          @name = name
+        end
+      end
+
+      class SingleInstance < Instance
+        attr_reader :config
+        def initialize(config, name)
+          super(name)
+          @config = config
+        end
+      end
+
+      class MultipleInstances < Instance
+      end
+
+      # Public: Constructor
+      #
+      # dir - the directory to write static policies to
+      def initialize(dir)
+        @dir = dir
+        @policies = {}
+      end
+
+      # Public: Unify a particular policy for a configuration object. If `policy`
+      # has not been encountered before, it will be put into the config's inlines,
+      # but if it has, it will be written to static and added to the static array
+      # of the configuration. Will also go back and fix the inlines for the first
+      # time `policy` was encountered.
+      #
+      # config - the config object to change
+      # policy - the policy to unify
+      # name   - the name of the file to write, if needed
+      def unify(config, policy, name)
+        # if we haven't seen the policy before, add it to the inlines
+        if !@policies.has_key?(policy)
+          @policies[policy] = SingleInstance.new(config, name)
+          config.inlines << policy
+        else
+          case @policies[policy]
+          # if we've only seen the policy once before, write it to file and fix the
+          # previous configuration that had the policy
+          when SingleInstance
+            single = @policies[policy]
+
+            # write to file, checking for naming conflicts
+            file = "#{@dir}/#{single.name}"
+            contents = JSON.pretty_generate(policy)
+            if File.exists?(file)
+              original_contents = File.read(file)
+              if original_contents != contents
+                file = "#{file}-#{single.config.name}"
+              end
+            end
+            File.open(file, 'w') { |f| f.write(contents) }
+            file = file[(file.rindex("/") + 1)..-1]
+
+            # update the config objects
+            single.config.inlines.delete(policy)
+            single.config.statics << file
+            config.statics << file
+            @policies[policy] = MultipleInstances.new(file)
+
+          # if the policy has already been written to file, we just use the static
+          # in the configuration
+          when MultipleInstances
+            multiple = @policies[policy]
+            config.statics << multiple.name
+          end
+        end
+      end
+
+    end
+  end
+end

data/lib/iam/models/GroupConfig.rb

@@ -0,0 +1,40 @@
+require "iam/models/IamDiff"
+require "iam/models/ResourceWithPolicy"
+require "util/Colors"
+
+module Cumulus
+  module IAM
+    # Public: Represents a config file for a group
+    class GroupConfig < ResourceWithPolicy
+
+      attr_accessor :users
+
+      # Public: Constructor
+      #
+      # name - the name of the group
+      # json - the Hash containing the JSON configuration for this GroupConfig, if
+      #        nil, this will be an "empty GroupConfig"
+      def initialize(name = nil, json = nil)
+        super(name, json)
+        @type = "group"
+        @users = json["users"] unless json.nil?
+      end
+
+      # override diff to check for changes in users
+      def diff(aws_resource)
+        differences = super(aws_resource)
+
+        aws_users = aws_resource.users.map { |user| user.name }
+        new_users = @users.select { |local| !aws_users.include?(local) }
+        unmanaged = aws_users.select { |aws| !@users.include?(aws) }
+
+        if !unmanaged.empty? or !new_users.empty?
+          differences << IamDiff.users(new_users, unmanaged)
+        end
+
+        differences
+      end
+
+    end
+  end
+end

data/lib/iam/models/IamDiff.rb

@@ -0,0 +1,132 @@
+require "common/models/Diff"
+require "util/Colors"
+
+require "json"
+
+module Cumulus
+  module IAM
+    # Public: The types of changes that can be made to IAM resources
+    module IamChange
+      include Common::DiffChange
+
+      ADDED_POLICY = Common::DiffChange::next_change_id
+      ATTACHED = Common::DiffChange::next_change_id
+      POLICY = Common::DiffChange::next_change_id
+      POLICY_DOC = Common::DiffChange::next_change_id
+      UNMANAGED_POLICY = Common::DiffChange::next_change_id
+      USER = Common::DiffChange::next_change_id
+    end
+
+    # Public: Represents a single difference between local configuration and AWS
+    # configuration of an IAM resource
+    class IamDiff < Common::Diff
+      include IamChange
+
+      attr_accessor :added_users
+      attr_accessor :attached
+      attr_accessor :policy_name
+      attr_accessor :removed_users
+      attr_accessor :detached
+
+      # Public: Create an IamDiff that represents an unmanaged policy
+      #
+      # policy_name - the name of the policy that is unmanaged
+      #
+      # Returns an IamDiff representing the changes
+      def self.unmanaged_policy(policy_name)
+        diff = IamDiff.new(UNMANAGED_POLICY)
+        diff.policy_name = policy_name
+        diff
+      end
+
+      # Public: Create an IamDiff that represents an added policy
+      #
+      # policy_name - the name of the policy that is added
+      # config      - the configuration for the policy
+      #
+      # Returns an IamDiff representing the changes
+      def self.added_policy(policy_name, config)
+        diff = IamDiff.new(ADDED_POLICY, nil, config)
+        diff.policy_name = policy_name
+        diff
+      end
+
+      # Public: Create an IamDiff to represent the changes in users for an IAM group
+      #
+      # added   - the added users
+      # removed - the removed users
+      #
+      # Returns an IamDiff representing those changes
+      def self.users(added, removed)
+        diff = IamDiff.new(USER)
+        diff.added_users = added
+        diff.removed_users = removed
+        diff
+      end
+
+      # Public: Create an IamDiff to represent changes in attached policies
+      #
+      # added   - the added attached policies
+      # removed - the removed attached policies
+      #
+      # Returns an IamDiff representing those changes
+      def self.attached(added, removed)
+        diff = IamDiff.new(ATTACHED)
+        diff.attached = added
+        diff.detached = removed
+        diff
+      end
+
+      def diff_string
+        case @type
+        when ADDED_POLICY
+          Colors.added("Policy #{@policy_name} will be created.")
+        when ATTACHED
+          lines = ["Attached policies:"]
+          lines << @attached.map { |arn| Colors.added("\t#{arn}") }
+          lines << @detached.map { |arn| Colors.removed("\t#{arn}") }
+          lines.flatten.join("\n")
+        when POLICY
+          lines = ["Policy differences:"]
+          locals = @local.as_hash["Statement"]
+
+          @aws.each do |aws|
+            if !locals.include?(aws)
+              lines << "\tAWS:\t#{Colors.aws_changes(aws.to_json)}"
+            end
+          end
+
+          locals.each do |local|
+            if !@aws.include?(local)
+              lines << "\tLocal:\t#{Colors.local_changes(local.to_json)}"
+            end
+          end
+
+          lines.join("\n")
+        when POLICY_DOC
+          aws = JSON.parse(URI.unescape(@aws.assume_role_policy_document)).to_s
+          [
+            "Assume role policy document:",
+            Colors.aws_changes("\tAWS -\t#{aws}"),
+            Colors.local_changes("\tLocal -\t#{@local.one_line_policy_document}")
+          ].join("\n")
+        when UNMANAGED_POLICY
+          Colors.unmanaged("Policy #{@policy_name} is not managed by Cumulus")
+        when USER
+          lines = ["User differences:"]
+          lines << @added_users.map { |u| Colors.added("\t#{u}") }
+          lines << @removed_users.map { |u| Colors.removed("\t#{u}") }
+          lines.flatten.join("\n")
+        end
+      end
+
+      def asset_type
+        "IAM resource"
+      end
+
+      def aws_name
+        @aws.name
+      end
+    end
+  end
+end