kubes_aws 0.0.0.beta → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 19d8e8171c4111b246797f27545db16dfcf6f4f8fcf97586e193b82e40e58e47
-  data.tar.gz: 26326b10b3ce96e90468db2917930d3e4c93e5ca58dfc8cb713a3ef6a15ff99f
+  metadata.gz: 216f223229ec7e134e52a869f36507518c8376d768e3ae72ec5b557c7e1a31a7
+  data.tar.gz: 3fd50925b7906fe8c18f6b6e5c20065e895097aeaa57926093cf57ad1b445121
 SHA512:
-  metadata.gz: 5b97552f1de27b0abfe4342e03f8206c931304dede4b4ca357b616dc7c80882c5fe04754146431d8433dcf11cf2b2606daba4b70e3a8dd8f3dbd9c373fe3a6d8
-  data.tar.gz: 86eab18a16e46413767866558f17ff743d101fa58e4e03ab3f982194e31d2810f55cb4a61d9c908cb26bd84681f4b565a3ca2a9da14b5fc7f245813f03564f49
+  metadata.gz: ef86d09153f32cb9bd6ae87eb905ef4de3a07ffa86abae0ed039655ee2305bae228de3d895c7d77cc3112fa2166ffa25fa4632163bd17969034947b067d30446
+  data.tar.gz: 4437ae6bdc30d96afd98b0261893d52a4c195eeb135b14b8823d6024d601743f431eaefaccf787a90cb1600c6eedc405d59c8f94f958c76ef8109be39b6b6243

data/CHANGELOG.md

@@ -0,0 +1,7 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+This project *loosely tries* to adhere to [Semantic Versioning](http://semver.org/), even before v1.0.
+
+## [0.1.0]
+- Initial release.

data/Gemfile

@@ -3,5 +3,5 @@ source "https://rubygems.org"
 # Specify your gem's dependencies in kubes_aws.gemspec
 gemspec
 
-gem "rake"
-gem "rspec"
+gem "rake", "~> 12.0"
+gem "rspec", "~> 3.0"

data/README.md

@@ -1,10 +1,14 @@
-# Kubes AWS Helpers Library
+# Kubes AWS
 
-Starter example.
+[![Gem Version](https://badge.fury.io/rb/kubes_aws.png)](http://badge.fury.io/rb/kubes_aws)
+
+[![BoltOps Badge](https://img.boltops.com/boltops/badges/boltops-badge.png)](https://www.boltops.com)
+
+[Kubes](https://kubes.guru) Library with AWS helpers.
 
 ## Usage
 
-    ...
+For more detailed usage instructions refer to the [Kubes Helpers docs](https://kubes.guru/docs/helpers/aws/).
 
 ## Contributing
 

data/kubes_aws.gemspec

@@ -21,4 +21,13 @@ Gem::Specification.new do |spec|
   spec.bindir        = "exe"
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
+
+  spec.add_dependency "activesupport"
+  spec.add_dependency "aws-sdk-eks"
+  spec.add_dependency "aws-sdk-iam"
+  spec.add_dependency "aws-sdk-secretsmanager"
+  spec.add_dependency "aws-sdk-ssm"
+  spec.add_dependency "aws_data"
+  spec.add_dependency "memoist"
+  spec.add_dependency "zeitwerk"
 end

data/lib/kubes_aws.rb

@@ -1,6 +1,20 @@
 require "kubes_aws/version"
+require "logger"
+
+require "kubes_aws/autoloader"
+KubesAws::Autoloader.setup
 
 module KubesAws
   class Error < StandardError; end
-  # Your code goes here...
+
+  @@logger = nil
+  def logger
+    @@logger ||= Kubes.logger
+  end
+
+  def logger=(v)
+    @@logger = v
+  end
+
+  extend self
 end

data/lib/kubes_aws/autoloader.rb

@@ -0,0 +1,22 @@
+require "zeitwerk"
+
+module KubesAws
+  class Autoloader
+    class Inflector < Zeitwerk::Inflector
+      def camelize(basename, _abspath)
+        map = { cli: "CLI", ssm: "SSM", version: "VERSION" }
+        map[basename.to_sym] || super
+      end
+    end
+
+    class << self
+      def setup
+        loader = Zeitwerk::Loader.new
+        loader.inflector = Inflector.new
+        lib = File.expand_path("../", __dir__)
+        loader.push_dir(lib)
+        loader.setup
+      end
+    end
+  end
+end

data/lib/kubes_aws/aws_services.rb

@@ -0,0 +1,28 @@
+require "aws-sdk-eks"
+require "aws-sdk-iam"
+
+module KubesAws
+  module AwsServices
+    extend Memoist
+
+    def eks
+      Aws::EKS::Client.new
+    end
+    memoize :eks
+
+    def iam
+      Aws::IAM::Client.new
+    end
+    memoize :iam
+
+    def secrets
+      Aws::SecretsManager::Client.new
+    end
+    memoize :secrets
+
+    def ssm
+      Aws::SSM::Client.new
+    end
+    memoize :ssm
+  end
+end

data/lib/kubes_aws/iam_role.rb

@@ -0,0 +1,141 @@
+require "active_support/core_ext/string"
+require "aws_data"
+require "json"
+
+module KubesAws
+  class IamRole
+    extend Memoist
+    include AwsServices
+    include Logging
+    include Prebaked
+
+    # public method to keep: role_name
+    attr_reader :role_name
+    def initialize(app:, cluster:, namespace:nil, managed_policies: [], inline_policies: [], role_name: nil, ksa: nil)
+      @app, @cluster, @managed_policies, @inline_policies = app, cluster, managed_policies, inline_policies
+
+      # conventional names
+      @ksa = ksa || @app                               # convention: app
+      @namespace = namespace || "#{@app}-#{Kubes.env}" # convention: app-env
+      @role_name = role_name || "#{@app}-#{Kubes.env}" # convention: app-env
+    end
+
+    def call
+      create_open_id_connect_provider
+      create_iam_role
+      add_mananged_policies
+      add_inline_policies
+    end
+
+    def add_inline_policies
+      @inline_policies.each do |policy|
+        params = normalize_inline_policy(policy)
+        iam.put_role_policy(params)
+      end
+    end
+
+    # resp = client.put_role_policy(
+    #   policy_document: "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"*\"}}",
+    #   policy_name: "S3AccessPolicy",
+    #   role_name: "S3Access",
+    # )
+    def normalize_inline_policy(policy)
+      prebaked = prebaked_policies[policy]
+      policy = prebaked if prebaked
+
+      policy_document = policy[:policy_document]
+      policy[:policy_document] = JSON.dump(policy_document) if policy_document.is_a?(Hash)
+      policy[:role_name] = @role_name
+      policy
+    end
+
+    def create_open_id_connect_provider
+      open_id = OpenId.new(@cluster)
+      open_id.create_provider
+    end
+
+    def create_iam_role
+      return if role_exist?
+      iam.create_role(
+        role_name: @role_name,
+        assume_role_policy_document: trust_policy,
+      )
+      logger.debug "Created IAM Role #{@role_name}"
+    end
+
+    def add_mananged_policies
+      @managed_policies.each do |policy|
+        policy_arn = normalize_managed_policy(policy)
+        iam.attach_role_policy(
+          role_name: @role_name,
+          policy_arn: policy_arn,
+        )
+      end
+      logger.debug "IAM Policies added to #{@role_name}"
+    end
+
+    # AmazonS3ReadOnlyAccess => arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
+    def normalize_managed_policy(policy)
+      if policy.include?("arn:")
+        policy
+      else
+        "arn:aws:iam::aws:policy/#{policy}"
+      end
+    end
+
+    def role_exist?
+      iam.get_role(role_name: @role_name)
+      true
+    rescue Aws::IAM::Errors::NoSuchEntity
+      false
+    end
+
+    # public method to keep: arn
+    def arn
+      "arn:aws:iam::#{aws_account}:role/#{@role_name}"
+    end
+
+    # public method to keep: aws_account
+    def aws_account
+      aws.account
+    end
+
+    def trust_policy
+      issuer_host = issuer_url.sub('https://','')
+      provider_arn = "arn:aws:iam::#{aws_account}:oidc-provider/#{issuer_host}"
+      <<~JSON
+      {
+        "Version": "2012-10-17",
+        "Statement": [
+          {
+            "Effect": "Allow",
+            "Principal": {
+              "Federated": "#{provider_arn}"
+            },
+            "Action": "sts:AssumeRoleWithWebIdentity",
+            "Condition": {
+              "StringEquals": {
+                "#{issuer_host}:sub": "system:serviceaccount:#{@namespace}:#{@ksa}"
+              }
+            }
+          }
+        ]
+      }
+      JSON
+    end
+
+    def issuer_url
+      resp = eks.describe_cluster(name: @cluster)
+      resp.cluster.identity.oidc.issuer
+    end
+    memoize :issuer_url
+
+    def aws
+      AwsData.new
+    end
+    memoize :aws
+
+    # useful to store data used later
+    class_attribute :data, :role_arn
+  end
+end

data/lib/kubes_aws/iam_role/prebaked.rb

@@ -0,0 +1,27 @@
+class KubesAws::IamRole
+  module Prebaked
+    def prebaked_policies
+      {
+        secrets_read_only: secrets_read_only
+      }
+    end
+
+    def secrets_read_only
+      {
+        policy_document: {
+          Version: "2012-10-17",
+          Statement: {
+            Effect: "Allow",
+            Action: [
+              "secretsmanager:Describe*",
+              "secretsmanager:Get*",
+              "secretsmanager:List*"
+            ],
+            Resource: "*"
+          }
+        },
+        policy_name: "SecretsReadOnly",
+      }
+    end
+  end
+end

data/lib/kubes_aws/logging.rb

@@ -0,0 +1,7 @@
+module KubesAws
+  module Logging
+    def logger
+      KubesAws.logger
+    end
+  end
+end

data/lib/kubes_aws/open_id.rb

@@ -0,0 +1,49 @@
+require "aws-sdk-iam"
+require "aws_data"
+require "openssl"
+
+module KubesAws
+  class OpenId
+    extend Memoist
+    include AwsServices
+    include Logging
+
+    def initialize(cluster)
+      @cluster = cluster
+    end
+
+    # Method is idempotent
+    def create_provider
+      fingerprint = OpenSSL::Digest::SHA1.new(cert.to_der).to_s
+      iam.create_open_id_connect_provider(
+        url: issuer_url,
+        thumbprint_list: [fingerprint],
+        client_id_list: ["sts.amazonaws.com"]
+      )
+    rescue Aws::IAM::Errors::EntityAlreadyExists => e
+      logger.debug "#{e.class}: #{e.message}"
+      logger.debug "Open ID Provider already exists"
+    end
+
+    def issuer_url
+      resp = eks.describe_cluster(name: @cluster)
+      resp.cluster.identity.oidc.issuer
+    end
+    memoize :issuer_url
+
+    # https://stackoverflow.com/questions/34601260/using-ruby-openssl-to-download-and-read-certificates
+    def cert
+      uri = URI(issuer_url)
+      ctx = OpenSSL::SSL::SSLContext.new
+      sock = TCPSocket.new(uri.host, 443)
+      ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+      ssl.connect
+      ssl.peer_cert_chain.last
+    end
+    memoize :cert
+
+    def aws_region
+      AwsData.new.region
+    end
+  end
+end

data/lib/kubes_aws/secrets.rb

@@ -0,0 +1,56 @@
+require "aws-sdk-secretsmanager"
+
+module KubesAws
+  class Secrets
+    include AwsServices
+
+    def initialize(upcase: false, base64: false, prefix: nil, filters: [])
+      @upcase, @base64, @filters = upcase, base64, filters
+      @prefix = ENV['AWS_SECRET_PREFIX'] || prefix # IE: prefix: demo/dev/
+    end
+
+    def call
+      items.each do |item|
+        next unless item.name.include?(@prefix) if @prefix
+
+        secret_value = secrets.get_secret_value(secret_id: item.name)
+        value = secret_value.secret_string
+        value = Base64.strict_encode64(value).strip if @base64
+
+        key = item.name
+        key = key.sub(@prefix,'') if @prefix
+        key = key.upcase if @upcase
+        self.class.data[key] = value
+      end
+    end
+
+    # Returns flattened lazy Enumerator
+    def items
+      Enumerator.new do |y|
+        next_token = nil
+        loop do
+          args = {max_results: PAGE_SIZE, sort_order: "asc"}
+          args[:next_token] = next_token if next_token
+          args.merge!(filters: @filters)
+
+          resp = secrets.list_secrets(args)
+
+          items = resp.secret_list
+          next_token = resp.next_token
+
+          y.yield(items, resp) # also provided the original resp always in case it is useful
+          break unless next_token
+        end
+      end.lazy.flat_map { |v| v }
+    end
+
+    PAGE_SIZE = 20
+
+    def data
+      self.class.data
+    end
+
+    class_attribute :data
+    self.data = {}
+  end
+end

data/lib/kubes_aws/ssm.rb

@@ -0,0 +1,59 @@
+require "aws-sdk-ssm"
+
+module KubesAws
+  class SSM
+    include AwsServices
+
+    def initialize(upcase: false, base64: false, prefix: nil, filters: [])
+      @upcase, @base64, @filters = upcase, base64, filters
+      @prefix = ENV['AWS_SSM_PREFIX'] || prefix # IE: prefix: /demo/dev/
+    end
+
+    def call
+      items.each do |item|
+        next unless item.name.include?(@prefix)
+
+        resp = ssm.get_parameter(name: item.name, with_decryption: true)
+        parameter = resp.parameter
+
+        key = parameter.name.sub(@prefix,'')
+        value = parameter.value
+        value = Base64.strict_encode64(value).strip if @base64
+
+        key = key.upcase if @upcase
+        self.class.data[key] = value
+      end
+    end
+
+    # Returns flattened lazy Enumerator
+    def items
+      Enumerator.new do |y|
+        next_token = nil
+        loop do
+          args = {max_results: PAGE_SIZE}
+          args[:next_token] = next_token if next_token
+          args.merge!(parameter_filters: @filters)
+
+          resp = ssm.get_parameters_by_path(
+            path: @prefix,
+          )
+
+          items = resp.parameters
+          next_token = resp.next_token
+
+          y.yield(items, resp) # also provided the original resp always in case it is useful
+          break unless next_token
+        end
+      end.lazy.flat_map { |v| v }
+    end
+
+    PAGE_SIZE = 1
+
+    def data
+      self.class.data
+    end
+
+    class_attribute :data
+    self.data = {}
+  end
+end

data/lib/kubes_aws/version.rb

@@ -1,3 +1,3 @@
 module KubesAws
-  VERSION = "0.0.0.beta"
+  VERSION = "0.1.0"
 end

metadata

@@ -1,15 +1,127 @@
 --- !ruby/object:Gem::Specification
 name: kubes_aws
 version: !ruby/object:Gem::Version
-  version: 0.0.0.beta
+  version: 0.1.0
 platform: ruby
 authors:
 - Tung Nguyen
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-10-13 00:00:00.000000000 Z
-dependencies: []
+date: 2020-10-28 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-eks
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-iam
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-secretsmanager
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-ssm
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: aws_data
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: memoist
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: zeitwerk
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: 
 email:
 - tung@boltops.com
@@ -19,12 +131,21 @@ extra_rdoc_files: []
 files:
 - ".gitignore"
 - ".rspec"
+- CHANGELOG.md
 - Gemfile
 - LICENSE.txt
 - README.md
 - Rakefile
 - kubes_aws.gemspec
 - lib/kubes_aws.rb
+- lib/kubes_aws/autoloader.rb
+- lib/kubes_aws/aws_services.rb
+- lib/kubes_aws/iam_role.rb
+- lib/kubes_aws/iam_role/prebaked.rb
+- lib/kubes_aws/logging.rb
+- lib/kubes_aws/open_id.rb
+- lib/kubes_aws/secrets.rb
+- lib/kubes_aws/ssm.rb
 - lib/kubes_aws/version.rb
 homepage: https://github.com/boltops-tools/kubes_aws
 licenses:
@@ -42,9 +163,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 2.3.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
 rubygems_version: 3.1.2
 signing_key: