stack_master 1.13.1 → 1.14.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3c61a62b352e2b92b35889b4adbf9f723c65b815cbb04c81f9716cc10000d220
-  data.tar.gz: 02f8827f12a3f1321c4f51984a23f23e66d1ad5c82e28612c56e64b8c7553cbc
+  metadata.gz: c6272dd327e82ec747c26129191c4c8e262a4350d6634941f14035746399cb77
+  data.tar.gz: 6dc8058810bee48a3aed457669ffdda94e9d88fdc2ab1e1c12b9a689a3799c46
 SHA512:
-  metadata.gz: c0990e86ffb2dd1d8c745a74b2e39c24adfb430fc7678f647ab88bdd6153bbf45a9aa0bd744f00c3a527165bee5ce6b5f6980c161403f86950e0737ab52f4dd9
-  data.tar.gz: d0941fc85e852593683bfd976cbc5e872c260ab9e5f297938dbacfb16ec1c73b7c56e52eebb4e7b4f897c423383961fa6b4768b7361bb2e6ff1dded2a4d2dc0e
+  metadata.gz: 6dad4bcffbc40f9a45377625ef7769f122b5880bbcc61bead8a9ffdd75ee063001f322f9e62079aa00b370f791afd2f76c7acb9b668f6d4f7f41128c63954b65
+  data.tar.gz: a12c14c9024e187a5b734020cda2adc1c40d7983f58450022ea5f2301412968a167f4ebd6233f02097b8341541dc5ae50b213b6b59730f540594df90b327fd5f

data/README.md

@@ -31,10 +31,18 @@ etc.
 
 ## Installation
 
-System-wide: `gem install stack_master`
+### System-wide
 
-With bundler:
+```shell
+gem install stack_master
 
+# if you want linting capabilities:
+pip install cfn-lint
+```
+
+### Bundler
+
+- `pip install cfn-lint` if you need lint functionality
 - Add `gem 'stack_master'` to your Gemfile.
 - Run `bundle install`
 - Run `bundle exec stack_master init` to generate a directory structure and stack_master.yml file
@@ -83,10 +91,14 @@ stacks:
   staging:
     myapp-vpc:
       template: myapp_vpc.rb
+      allowed_accounts: '123456789'
       tags:
         purpose: front-end
     myapp-db:
       template: myapp_db.rb
+      allowed_accounts:
+        - '1234567890'
+        - '9876543210'
       tags:
         purpose: back-end
     myapp-web:
@@ -537,6 +549,44 @@ end
 
 Note though that if a dynamic with the same name exists in your `templates/dynamics/` directory it will get loaded since it has higher precedence.
 
+## Allowed accounts
+
+The AWS account the command is executing in can be restricted to a specific list of allowed accounts. This is useful in reducing the possibility of applying non-production changes in a production account. Each stack definition can specify the `allowed_accounts` property with an array of AWS account IDs the stack is allowed to work with.
+
+This is an opt-in feature which is enabled by specifying at least one account to allow.
+
+Unlike other stack defaults, the `allowed_accounts` property values specified in the stack definition override values specified in the stack defaults (i.e., other stack property values are merged together with those specified in the stack defaults). This allows specifying allowed accounts in the stack defaults (inherited by all stacks) and override them for specific stacks. See below example config for an example.
+
+```yaml
+stack_defaults:
+  allowed_accounts: '555555555'
+stacks:
+  us-east-1:
+    myapp-vpc: # only allow account 555555555 (inherited from the stack defaults)
+      template: myapp_vpc.rb
+      tags:
+        purpose: front-end
+    myapp-db:
+      template: myapp_db.rb
+      allowed_accounts: # only allow these accounts (overrides the stack defaults)
+        - '1234567890'
+        - '9876543210'
+      tags:
+        purpose: back-end
+    myapp-web:
+      template: myapp_web.rb
+      allowed_accounts: [] # allow all accounts (overrides the stack defaults)
+      tags:
+        purpose: front-end
+    myapp-redis:
+      template: myapp_redis.rb
+      allowed_accounts: '888888888' # only allow this account (overrides the stack defaults)
+      tags:
+        purpose: back-end
+```
+
+In the cases where you want to bypass the account check, there is StackMaster flag `--skip-account-check` that can be used.
+
 ## Commands
 
 ```bash

data/lib/stack_master/cli.rb

@@ -34,6 +34,9 @@ module StackMaster
       global_option '-q', '--quiet', 'Do not output the resulting Stack Events, just return immediately' do
         StackMaster.quiet!
       end
+      global_option '--skip-account-check', 'Do not check if command is allowed to execute in account' do
+        StackMaster.skip_account_check!
+      end
 
       command :apply do |c|
         c.syntax = 'stack_master apply [region_or_alias] [stack_name]'
@@ -178,18 +181,22 @@ module StackMaster
             return
           end
 
+          stack_name = Utils.underscore_to_hyphen(args[1])
+          allowed_accounts = []
+
           # Because delete can work without a stack_master.yml
           if options.config and File.file?(options.config)
             config = load_config(options.config)
             region = Utils.underscore_to_hyphen(config.unalias_region(args[0]))
+            allowed_accounts = config.find_stack(region, stack_name)&.allowed_accounts
           else
             region = args[0]
           end
 
-          stack_name = Utils.underscore_to_hyphen(args[1])
-
-          StackMaster.cloud_formation_driver.set_region(region)
-          StackMaster::Commands::Delete.perform(region, stack_name)
+          execute_if_allowed_account(allowed_accounts) do
+            StackMaster.cloud_formation_driver.set_region(region)
+            StackMaster::Commands::Delete.perform(region, stack_name)
+          end
         end
       end
 
@@ -223,15 +230,35 @@ module StackMaster
           success = false
         end
         stack_definitions = stack_definitions.select do |stack_definition|
-          StackStatus.new(config, stack_definition).changed?
+          running_in_allowed_account?(stack_definition.allowed_accounts) && StackStatus.new(config, stack_definition).changed?
         end if options.changed
         stack_definitions.each do |stack_definition|
           StackMaster.cloud_formation_driver.set_region(stack_definition.region)
           StackMaster.stdout.puts "Executing #{command.command_name} on #{stack_definition.stack_name} in #{stack_definition.region}"
-          success = false unless command.perform(config, stack_definition, options).success?
+          success = execute_if_allowed_account(stack_definition.allowed_accounts) do
+            command.perform(config, stack_definition, options).success?
+          end
         end
       end
       success
     end
+
+    def execute_if_allowed_account(allowed_accounts, &block)
+      raise ArgumentError, "Block required to execute this method" unless block_given?
+      if running_in_allowed_account?(allowed_accounts)
+        block.call
+      else
+        StackMaster.stdout.puts "Account '#{identity.account}' is not an allowed account. Allowed accounts are #{allowed_accounts}."
+        false
+      end
+    end
+
+    def running_in_allowed_account?(allowed_accounts)
+      StackMaster.skip_account_check? || identity.running_in_allowed_account?(allowed_accounts)
+    end
+
+    def identity
+      @identity ||= StackMaster::Identity.new
+    end
   end
 end

data/lib/stack_master/commands/lint.rb

@@ -13,7 +13,11 @@ module StackMaster
 
       def perform
         unless cfn_lint_available
-          failed! "Failed to run cfn-lint, do you have it installed and available in $PATH?"
+          failed! 'Failed to run cfn-lint. You may need to install it using'\
+                  '`pip install cfn-lint`, or add it to $PATH.'\
+                  "\n"\
+                  '(See https://github.com/aws-cloudformation/cfn-python-lint'\
+                  ' for package information)'
         end
 
         Tempfile.open(['stack', ".#{proposed_stack.template_format}"]) do |f|

data/lib/stack_master/commands/status.rb

@@ -16,12 +16,13 @@ module StackMaster
         progress if @show_progress
         status = @config.stacks.map do |stack_definition|
           stack_status = StackStatus.new(@config, stack_definition)
+          allowed_accounts = stack_definition.allowed_accounts
           progress.increment if @show_progress
           {
             region: stack_definition.region,
             stack_name: stack_definition.stack_name,
-            stack_status: stack_status.status,
-            different: stack_status.changed_message,
+            stack_status: running_in_allowed_account?(allowed_accounts) ? stack_status.status : "Disallowed account",
+            different: running_in_allowed_account?(allowed_accounts) ? stack_status.changed_message : "N/A",
           }
         end
         tp.set :max_width, self.window_size
@@ -41,6 +42,14 @@ module StackMaster
       def sort_params(hash)
         hash.sort.to_h
       end
+
+      def running_in_allowed_account?(allowed_accounts)
+        StackMaster.skip_account_check? || identity.running_in_allowed_account?(allowed_accounts)
+      end
+
+      def identity
+        @identity ||= StackMaster::Identity.new
+      end
     end
   end
 end

data/lib/stack_master/config.rb

@@ -116,6 +116,7 @@ module StackMaster
             'base_dir' => @base_dir,
             'template_dir' => @template_dir,
             'additional_parameter_lookup_dirs' => @region_to_aliases[region])
+          stack_attributes['allowed_accounts'] = attributes['allowed_accounts'] if attributes['allowed_accounts']
           @stacks << StackDefinition.new(stack_attributes)
         end
       end

data/lib/stack_master/identity.rb

@@ -0,0 +1,23 @@
+module StackMaster
+  class Identity
+    def running_in_allowed_account?(allowed_accounts)
+      allowed_accounts.nil? || allowed_accounts.empty? || allowed_accounts.include?(account)
+    end
+
+    def account
+      @account ||= sts.get_caller_identity.account
+    end
+
+    private
+
+    attr_reader :sts
+
+    def region
+      @region ||= ENV['AWS_REGION'] || Aws.config[:region] || Aws.shared_config.region || 'us-east-1'
+    end
+
+    def sts
+      @sts ||= Aws::STS::Client.new(region: region)
+    end
+  end
+end

data/lib/stack_master/stack_definition.rb

@@ -5,6 +5,7 @@ module StackMaster
                   :template,
                   :tags,
                   :role_arn,
+                  :allowed_accounts,
                   :notification_arns,
                   :base_dir,
                   :template_dir,
@@ -23,8 +24,10 @@ module StackMaster
       @notification_arns = []
       @s3 = {}
       @files = []
+      @allowed_accounts = nil
       super
       @template_dir ||= File.join(@base_dir, 'templates')
+      @allowed_accounts = Array(@allowed_accounts)
     end
 
     def ==(other)
@@ -34,6 +37,7 @@ module StackMaster
         @template == other.template &&
         @tags == other.tags &&
         @role_arn == other.role_arn &&
+        @allowed_accounts == other.allowed_accounts &&
         @notification_arns == other.notification_arns &&
         @base_dir == other.base_dir &&
         @secret_file == other.secret_file &&

data/lib/stack_master/version.rb

@@ -1,3 +1,3 @@
 module StackMaster
-  VERSION = "1.13.1"
+  VERSION = "1.14.0"
 end

data/lib/stack_master.rb

@@ -38,6 +38,7 @@ module StackMaster
   autoload :PagedResponseAccumulator, 'stack_master/paged_response_accumulator'
   autoload :StackDefinition, 'stack_master/stack_definition'
   autoload :TemplateCompiler, 'stack_master/template_compiler'
+  autoload :Identity, 'stack_master/identity'
 
   autoload :StackDiffer, 'stack_master/stack_differ'
   autoload :Validator, 'stack_master/validator'
@@ -97,6 +98,7 @@ module StackMaster
   NON_INTERACTIVE_DEFAULT = false
   DEBUG_DEFAULT = false
   QUIET_DEFAULT = false
+  SKIP_ACCOUNT_CHECK_DEFAULT = false
 
   def interactive?
     !non_interactive?
@@ -136,6 +138,16 @@ module StackMaster
 
   def reset_flags
     @quiet = QUIET_DEFAULT
+    @skip_account_check = SKIP_ACCOUNT_CHECK_DEFAULT
+  end
+
+  def skip_account_check!
+    @skip_account_check = true
+  end
+  @skip_account_check = SKIP_ACCOUNT_CHECK_DEFAULT
+
+  def skip_account_check?
+    @skip_account_check
   end
 
   attr_accessor :non_interactive_answer

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: stack_master
 version: !ruby/object:Gem::Version
-  version: 1.13.1
+  version: 1.14.0
 platform: ruby
 authors:
 - Steve Hodgkiss
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-03-20 00:00:00.000000000 Z
+date: 2019-07-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -417,7 +417,6 @@ files:
 - lib/stack_master.rb
 - lib/stack_master/aws_driver/cloud_formation.rb
 - lib/stack_master/aws_driver/s3.rb
-- lib/stack_master/aws_driver/sts.rb
 - lib/stack_master/change_set.rb
 - lib/stack_master/cli.rb
 - lib/stack_master/command.rb
@@ -436,6 +435,7 @@ files:
 - lib/stack_master/commands/validate.rb
 - lib/stack_master/config.rb
 - lib/stack_master/ctrl_c.rb
+- lib/stack_master/identity.rb
 - lib/stack_master/paged_response_accumulator.rb
 - lib/stack_master/parameter_loader.rb
 - lib/stack_master/parameter_resolver.rb
@@ -479,7 +479,6 @@ files:
 - lib/stack_master/stack_events/streamer.rb
 - lib/stack_master/stack_states.rb
 - lib/stack_master/stack_status.rb
-- lib/stack_master/target_definition.rb
 - lib/stack_master/template_compiler.rb
 - lib/stack_master/template_compilers/cfndsl.rb
 - lib/stack_master/template_compilers/json.rb
@@ -488,7 +487,6 @@ files:
 - lib/stack_master/template_utils.rb
 - lib/stack_master/test_driver/cloud_formation.rb
 - lib/stack_master/test_driver/s3.rb
-- lib/stack_master/test_driver/sts.rb
 - lib/stack_master/testing.rb
 - lib/stack_master/utils.rb
 - lib/stack_master/validator.rb
@@ -516,7 +514,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubyforge_project: 
+rubygems_version: 2.7.6
 signing_key: 
 specification_version: 4
 summary: StackMaster is a sure-footed way of creating, updating and keeping track

data/lib/stack_master/aws_driver/sts.rb

@@ -1,22 +0,0 @@
-module StackMaster
-  module AwsDriver
-    class STS
-      def set_region(region)
-        @region = region
-      end
-
-      def get_account_id
-        sts = new_sts_client
-        # This should always work as you cannot allow/deny access to this API
-        identity = sts.get_caller_identity
-        return identity['account']
-      end
-
-      private
-
-      def new_sts_client
-        Aws::STS::Client.new(region: @region)
-      end
-    end
-  end
-end

data/lib/stack_master/target_definition.rb

@@ -1,13 +0,0 @@
-module StackMaster
-  class TargetDefinition
-    attr_reader :region,
-                :account_id,
-                :stack_definition
-
-    def initialize(region:, account_id:, stack_definition:)
-      @region = region
-      @account_id = account_id
-      @stack_definition = stack_definition
-    end
-  end
-end

data/lib/stack_master/test_driver/sts.rb

@@ -1,22 +0,0 @@
-module StackMaster
-  module TestDriver
-    class STS
-      attr_accessor :account_id
-      def initialize
-        reset
-      end
-
-      def reset
-        @account_id = "12345678910"
-      end
-
-      def set_region(region)
-        @region = region
-      end
-
-      def get_account_id
-        @account_id
-      end
-    end
-  end
-end