stack_master 1.17.1-x64-mingw32 → 1.18.0-x64-mingw32

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 118dcd91cc2b5b9ae3c7dc9911fb59714c8562af
-  data.tar.gz: 46c2fc8ba4d25944d958b243c8b7e298ca39e53c
+  metadata.gz: d3532d5cf6c91f4980b7f7f8173a93e39a6aa4ed
+  data.tar.gz: e19a8b88d91d49f20a6f351c9f071c0074e3b5bf
 SHA512:
-  metadata.gz: a0b5bc48a5b7fd17d7f379a5852f33dcddcd5fae2350f72bb17c1320bb3711c38f192399e8768dae66b221da7d13e61569903be244b4b5e102ccaee281955a4b
-  data.tar.gz: d13c6bcc6c47c28547e49e06768fa155f2d6d39e3a5f53dd0305d250f7bb8293c261436a9307f00203573771da022133c5fe6c69a9200ad650d86ed9c8f76c85
+  metadata.gz: d6cb5727e7d430164ab187159baf057bd42dcc423baf2dd84f2c9ea08ed7f2f6d1ad9926b62882f4cf401baa8ac0768a1dc1437518840c71cb26cfe5a007a817
+  data.tar.gz: 3726f1557c815827bd22f2eb1e40708b911b5e03174ecc45ee519be33ea6ce88541499d7a3bf0ecf31267379e9dfa19b223e64fc120e4ab604bac3b675ff452a

data/README.md

@@ -198,6 +198,47 @@ One benefit of using parameter resolvers instead of hard coding values like VPC
 IDs and resource ARNs is that the same configuration works cross
 region/account, even though the resolved values will be different.
 
+### Cross-account parameter resolving
+
+One way to resolve parameter values from different accounts to the one StackMaster runs in, is to
+assume a role in another account with the relevant IAM permissions to execute successfully.
+
+This is supported in StackMaster by specifying the `role` and `account` properties for the
+parameter resolver in the stack's parameters file.
+
+All parameter resolvers are supported.
+
+```yaml
+vpc_peering_id:
+  role: cross-account-parameter-resolver
+  account: 1234567890
+  stack_output: vpc-peering-stack-in-other-account/peering_name
+
+an_array_param:
+  role: cross-account-parameter-resolver
+  account: 1234567890
+  stack_outputs:
+    - stack-in-account1/output
+    - stack-in-account1/another_output
+
+another_array_param:
+  - role: cross-account-parameter-resolver
+    account: 1234567890
+    stack_output: stack-in-account1/output
+  - role: cross-account-parameter-resolver
+    account: 0987654321
+    stack_output: stack-in-account2/output
+
+my_secret:
+  role: cross-account-parameter-resolver
+  account: 1234567890
+  parameter_store: ssm_parameter_name
+```
+
+An example of use case where cross-account parameter resolving is particularly useful is when
+setting up VPC peering where you need the VPC ID of the peer. Without the ability to assume
+a role in another account, the only option was to hard code the peer's VPC ID.
+
 ### Stack Output
 
 The stack output parameter resolver looks up outputs from other stacks in the
@@ -270,7 +311,7 @@ db_password:
 ```
 
 ### 1Password Lookup
-An Alternative to the alternative secret store is accessing 1password secrets using the 1password cli (`op`).
+An alternative to the secrets store is accessing 1password secrets using the 1password cli (`op`).
 You declare a 1password lookup with the following parameters in your parameters file:
 
 ```

data/lib/stack_master.rb

@@ -30,6 +30,7 @@ module StackMaster
   autoload :SecurityGroupFinder, 'stack_master/security_group_finder'
   autoload :ParameterLoader, 'stack_master/parameter_loader'
   autoload :ParameterResolver, 'stack_master/parameter_resolver'
+  autoload :RoleAssumer, 'stack_master/role_assumer'
   autoload :ResolverArray, 'stack_master/resolver_array'
   autoload :Resolver, 'stack_master/resolver_array'
   autoload :Utils, 'stack_master/utils'

data/lib/stack_master/parameter_resolver.rb

@@ -49,16 +49,37 @@ module StackMaster
       return parameter_value.to_s if Numeric === parameter_value || parameter_value == true || parameter_value == false
       return resolve_array_parameter_values(key, parameter_value).join(',') if Array === parameter_value
       return parameter_value unless Hash === parameter_value
-      validate_parameter_value!(key, parameter_value)
+      resolve_parameter_resolver_hash(key, parameter_value)
+    rescue Aws::CloudFormation::Errors::ValidationError
+      raise InvalidParameter, $!.message
+    end
+
+    def resolve_parameter_resolver_hash(key, parameter_value)
+      # strip out account and role
+      resolver_hash = parameter_value.except('account', 'role')
+      account, role = parameter_value.values_at('account', 'role')
 
-      resolver_name = parameter_value.keys.first.to_s
+      validate_parameter_value!(key, resolver_hash)
+
+      resolver_name = resolver_hash.keys.first.to_s
       load_parameter_resolver(resolver_name)
 
-      value = parameter_value.values.first
+      value = resolver_hash.values.first
       resolver_class_name = resolver_name.camelize
-      call_resolver(resolver_class_name, value)
-    rescue Aws::CloudFormation::Errors::ValidationError
-      raise InvalidParameter, $!.message
+
+      assume_role_if_present(account, role, key) do
+        call_resolver(resolver_class_name, value)
+      end
+    end
+
+    def assume_role_if_present(account, role, key)
+      return yield if account.nil? && role.nil?
+      if account.nil? || role.nil?
+        raise InvalidParameter, "Both 'account' and 'role' are required to assume role for parameter '#{key}'"
+      end
+      role_assumer.assume_role(account, role) do
+        yield
+      end
     end
 
     def resolve_array_parameter_values(key, parameter_values)
@@ -94,5 +115,9 @@ module StackMaster
         raise InvalidParameter, "#{key} hash contained more than one key: #{parameter_value.inspect}"
       end
     end
+
+    def role_assumer
+      @role_assumer ||= RoleAssumer.new
+    end
   end
 end

data/lib/stack_master/parameter_resolvers/ejson.rb

@@ -8,6 +8,7 @@ module StackMaster
       def initialize(config, stack_definition)
         @config = config
         @stack_definition = stack_definition
+        @decrypted_ejson_files = {}
       end
 
       def resolve(secret_key)
@@ -27,9 +28,12 @@ module StackMaster
       end
 
       def decrypt_ejson_file
-        @decrypt_ejson_file ||= EJSONWrapper.decrypt(ejson_file_path,
-                                                     use_kms: @stack_definition.ejson_file_kms,
-                                                     region: ejson_file_region)
+        ejson_file_key = credentials_key
+        @decrypted_ejson_files.fetch(ejson_file_key) do
+          @decrypted_ejson_files[ejson_file_key] = EJSONWrapper.decrypt(ejson_file_path,
+                                                                        use_kms: @stack_definition.ejson_file_kms,
+                                                                        region: ejson_file_region)
+        end
       end
 
       def ejson_file_region
@@ -43,6 +47,10 @@ module StackMaster
       def secret_path_relative_to_base
         @secret_path_relative_to_base ||= File.join('secrets', @stack_definition.ejson_file)
       end
+
+      def credentials_key
+        Aws.config[:credentials]&.object_id
+      end
     end
   end
 end

data/lib/stack_master/parameter_resolvers/latest_ami.rb

@@ -6,13 +6,13 @@ module StackMaster
       def initialize(config, stack_definition)
         @config = config
         @stack_definition = stack_definition
-        @ami_finder = AmiFinder.new(@stack_definition.region)
       end
 
       def resolve(value)
         owners = Array(value.fetch('owners', 'self').to_s)
-        filters = @ami_finder.build_filters_from_hash(value.fetch('filters'))
-        @ami_finder.find_latest_ami(filters, owners).try(:image_id)
+        ami_finder = AmiFinder.new(@stack_definition.region)
+        filters = ami_finder.build_filters_from_hash(value.fetch('filters'))
+        ami_finder.find_latest_ami(filters, owners).try(:image_id)
       end
     end
   end

data/lib/stack_master/parameter_resolvers/parameter_store.rb

@@ -11,6 +11,7 @@ module StackMaster
 
       def resolve(value)
         begin
+          ssm = Aws::SSM::Client.new(region: @stack_definition.region)
           resp = ssm.get_parameter(
             name: value,
             with_decryption: true
@@ -20,12 +21,6 @@ module StackMaster
         end
         resp.parameter.value
       end
-
-      private
-
-      def ssm
-        @ssm ||= Aws::SSM::Client.new(region: @stack_definition.region)
-      end
     end
   end
 end

data/lib/stack_master/parameter_resolvers/sns_topic_name.rb

@@ -8,7 +8,6 @@ module StackMaster
       def initialize(config, stack_definition)
         @config = config
         @stack_definition = stack_definition
-        @stacks = {}
       end
 
       def resolve(value)
@@ -19,10 +18,6 @@ module StackMaster
 
       private
 
-      def cf
-        @cf ||= StackMaster.cloud_formation_driver
-      end
-
       def sns_topic_finder
         StackMaster::SnsTopicFinder.new(@stack_definition.region)
       end

data/lib/stack_master/parameter_resolvers/stack_output.rb

@@ -32,7 +32,7 @@ module StackMaster
       private
 
       def cf
-        @cf ||= StackMaster.cloud_formation_driver
+        StackMaster.cloud_formation_driver
       end
 
       def parse!(value)
@@ -49,7 +49,7 @@ module StackMaster
 
       def find_stack(stack_name, region)
         unaliased_region = @config.unalias_region(region)
-        stack_key = stack_key(stack_name, unaliased_region)
+        stack_key = "#{unaliased_region}:#{stack_name}:#{credentials_key}"
 
         @stacks.fetch(stack_key) do
           regional_cf = cf_for_region(unaliased_region)
@@ -58,19 +58,19 @@ module StackMaster
         end
       end
 
-      def stack_key(stack_name, region)
-        "#{region}:#{stack_name}"
-      end
-
       def cf_for_region(region)
-        return cf if cf.region == region
+        driver_key = "#{region}:#{credentials_key}"
 
-        @cf_drivers.fetch(region) do
+        @cf_drivers.fetch(driver_key) do
           cloud_formation_driver = cf.class.new
           cloud_formation_driver.set_region(region)
-          @cf_drivers[region] = cloud_formation_driver
+          @cf_drivers[driver_key] = cloud_formation_driver
         end
       end
+
+      def credentials_key
+        Aws.config[:credentials]&.object_id
+      end
     end
   end
 end

data/lib/stack_master/role_assumer.rb

@@ -0,0 +1,54 @@
+require 'active_support/core_ext/object/deep_dup'
+
+module StackMaster
+  class RoleAssumer
+    BlockNotSpecified = Class.new(StandardError)
+
+    def initialize
+      @credentials = {}
+    end
+
+    def assume_role(account, role, &block)
+      raise BlockNotSpecified unless block_given?
+      raise ArgumentError, "Both 'account' and 'role' are required to assume a role" if account.nil? || role.nil?
+
+      role_credentials = assume_role_credentials(account, role)
+      with_temporary_credentials(role_credentials) do
+        with_temporary_cf_driver do
+          block.call
+        end
+      end
+    end
+
+    private
+
+    def with_temporary_credentials(credentials, &block)
+      original_aws_config = Aws.config
+      Aws.config = original_aws_config.deep_dup
+      Aws.config[:credentials] = credentials
+      block.call
+    ensure
+      Aws.config = original_aws_config
+    end
+
+    def with_temporary_cf_driver(&block)
+      original_driver = StackMaster.cloud_formation_driver
+      new_driver = original_driver.class.new
+      new_driver.set_region(original_driver.region)
+      StackMaster.cloud_formation_driver = new_driver
+      block.call
+    ensure
+      StackMaster.cloud_formation_driver = original_driver
+    end
+
+    def assume_role_credentials(account, role)
+      credentials_key = "#{account}:#{role}"
+      @credentials.fetch(credentials_key) do
+        @credentials[credentials_key] = Aws::AssumeRoleCredentials.new(
+          role_arn: "arn:aws:iam::#{account}:role/#{role}",
+          role_session_name: "stack-master-role-assumer"
+        )
+      end
+    end
+  end
+end

data/lib/stack_master/version.rb

@@ -1,3 +1,3 @@
 module StackMaster
-  VERSION = "1.17.1"
+  VERSION = "1.18.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: stack_master
 version: !ruby/object:Gem::Version
-  version: 1.17.1
+  version: 1.18.0
 platform: x64-mingw32
 authors:
 - Steve Hodgkiss
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-10-03 00:00:00.000000000 Z
+date: 2019-12-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -468,6 +468,7 @@ files:
 - lib/stack_master/parameter_resolvers/stack_output.rb
 - lib/stack_master/prompter.rb
 - lib/stack_master/resolver_array.rb
+- lib/stack_master/role_assumer.rb
 - lib/stack_master/security_group_finder.rb
 - lib/stack_master/sns_topic_finder.rb
 - lib/stack_master/sparkle_formation/compile_time/allowed_pattern_validator.rb
@@ -510,10 +511,14 @@ files:
 - stacktemplates/parameter_stack_name.yml
 - stacktemplates/stack.json.erb
 - stacktemplates/stack_master.yml.erb
-homepage: https://github.com/envato/stack_master
+homepage: https://opensource.envato.com/projects/stack_master.html
 licenses:
 - MIT
-metadata: {}
+metadata:
+  bug_tracker_uri: https://github.com/envato/stack_master/issues
+  changelog_uri: https://github.com/envato/stack_master/blob/master/CHANGELOG.md
+  documentation_uri: https://www.rubydoc.info/gems/stack_master/1.18.0
+  source_code_uri: https://github.com/envato/stack_master/tree/v1.18.0
 post_install_message: 
 rdoc_options: []
 require_paths: