stack_master 1.13.1-x64-mingw32 → 1.14.0-x64-mingw32

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 0755258ff7cba30456cd24938695d9a77c3adecd
-  data.tar.gz: e4b85c2320e76fdcbf1fb9a4fd1776abf37b6850
+  metadata.gz: a0c3168b5e279ae1b4944be5eb01d4fa799e5794
+  data.tar.gz: d4da17e1b54e40434c60060204a4d9e96f720833
 SHA512:
-  metadata.gz: 0f3016ebb8e05399a46ef049fc205e7a7e279454f065a9a4c69bb9242b0ab8365c23daea09b23d3f874026b4a27ec6a314d62940417ab9313d4fb57119747f83
-  data.tar.gz: 39a3377087ada41dff9b5e1072d3bdb7905b8e64e5231e82b214a37330e1f34208115ccf70385a5b84c7a72e11df053f97208427e19afe08c352ea8478b76992
+  metadata.gz: d2b34d6a2f518904738c2cbfb18c1f57bbbe89637fb322f7e4706ff3683f8986f700ff440196168664689d5fd4082e200109df6d89e13e3a9928565fe3c5082c
+  data.tar.gz: 5797d1e8cc5e595ff7f91b86ba97296bdcd68862c30e0e64ab3ca5ac11bd9d4a68417b814831703aa292c48d7cb7ec3f40d1199ed5553b2bb0d3618edbb27f09

data/README.md

@@ -31,10 +31,18 @@ etc.
 
 ## Installation
 
-System-wide: `gem install stack_master`
+### System-wide
 
-With bundler:
+```shell
+gem install stack_master
 
+# if you want linting capabilities:
+pip install cfn-lint
+```
+
+### Bundler
+
+- `pip install cfn-lint` if you need lint functionality
 - Add `gem 'stack_master'` to your Gemfile.
 - Run `bundle install`
 - Run `bundle exec stack_master init` to generate a directory structure and stack_master.yml file
@@ -83,10 +91,14 @@ stacks:
   staging:
     myapp-vpc:
       template: myapp_vpc.rb
+      allowed_accounts: '123456789'
       tags:
         purpose: front-end
     myapp-db:
       template: myapp_db.rb
+      allowed_accounts:
+        - '1234567890'
+        - '9876543210'
       tags:
         purpose: back-end
     myapp-web:
@@ -537,6 +549,44 @@ end
 
 Note though that if a dynamic with the same name exists in your `templates/dynamics/` directory it will get loaded since it has higher precedence.
 
+## Allowed accounts
+
+The AWS account the command is executing in can be restricted to a specific list of allowed accounts. This is useful in reducing the possibility of applying non-production changes in a production account. Each stack definition can specify the `allowed_accounts` property with an array of AWS account IDs the stack is allowed to work with.
+
+This is an opt-in feature which is enabled by specifying at least one account to allow.
+
+Unlike other stack defaults, the `allowed_accounts` property values specified in the stack definition override values specified in the stack defaults (i.e., other stack property values are merged together with those specified in the stack defaults). This allows specifying allowed accounts in the stack defaults (inherited by all stacks) and override them for specific stacks. See below example config for an example.
+
+```yaml
+stack_defaults:
+  allowed_accounts: '555555555'
+stacks:
+  us-east-1:
+    myapp-vpc: # only allow account 555555555 (inherited from the stack defaults)
+      template: myapp_vpc.rb
+      tags:
+        purpose: front-end
+    myapp-db:
+      template: myapp_db.rb
+      allowed_accounts: # only allow these accounts (overrides the stack defaults)
+        - '1234567890'
+        - '9876543210'
+      tags:
+        purpose: back-end
+    myapp-web:
+      template: myapp_web.rb
+      allowed_accounts: [] # allow all accounts (overrides the stack defaults)
+      tags:
+        purpose: front-end
+    myapp-redis:
+      template: myapp_redis.rb
+      allowed_accounts: '888888888' # only allow this account (overrides the stack defaults)
+      tags:
+        purpose: back-end
+```
+
+In the cases where you want to bypass the account check, there is StackMaster flag `--skip-account-check` that can be used.
+
 ## Commands
 
 ```bash

data/lib/stack_master.rb

@@ -38,6 +38,7 @@ module StackMaster
   autoload :PagedResponseAccumulator, 'stack_master/paged_response_accumulator'
   autoload :StackDefinition, 'stack_master/stack_definition'
   autoload :TemplateCompiler, 'stack_master/template_compiler'
+  autoload :Identity, 'stack_master/identity'
 
   autoload :StackDiffer, 'stack_master/stack_differ'
   autoload :Validator, 'stack_master/validator'
@@ -97,6 +98,7 @@ module StackMaster
   NON_INTERACTIVE_DEFAULT = false
   DEBUG_DEFAULT = false
   QUIET_DEFAULT = false
+  SKIP_ACCOUNT_CHECK_DEFAULT = false
 
   def interactive?
     !non_interactive?
@@ -136,6 +138,16 @@ module StackMaster
 
   def reset_flags
     @quiet = QUIET_DEFAULT
+    @skip_account_check = SKIP_ACCOUNT_CHECK_DEFAULT
+  end
+
+  def skip_account_check!
+    @skip_account_check = true
+  end
+  @skip_account_check = SKIP_ACCOUNT_CHECK_DEFAULT
+
+  def skip_account_check?
+    @skip_account_check
   end
 
   attr_accessor :non_interactive_answer

data/lib/stack_master/cli.rb

@@ -34,6 +34,9 @@ module StackMaster
       global_option '-q', '--quiet', 'Do not output the resulting Stack Events, just return immediately' do
         StackMaster.quiet!
       end
+      global_option '--skip-account-check', 'Do not check if command is allowed to execute in account' do
+        StackMaster.skip_account_check!
+      end
 
       command :apply do |c|
         c.syntax = 'stack_master apply [region_or_alias] [stack_name]'
@@ -178,18 +181,22 @@ module StackMaster
             return
           end
 
+          stack_name = Utils.underscore_to_hyphen(args[1])
+          allowed_accounts = []
+
           # Because delete can work without a stack_master.yml
           if options.config and File.file?(options.config)
             config = load_config(options.config)
             region = Utils.underscore_to_hyphen(config.unalias_region(args[0]))
+            allowed_accounts = config.find_stack(region, stack_name)&.allowed_accounts
           else
             region = args[0]
           end
 
-          stack_name = Utils.underscore_to_hyphen(args[1])
-
-          StackMaster.cloud_formation_driver.set_region(region)
-          StackMaster::Commands::Delete.perform(region, stack_name)
+          execute_if_allowed_account(allowed_accounts) do
+            StackMaster.cloud_formation_driver.set_region(region)
+            StackMaster::Commands::Delete.perform(region, stack_name)
+          end
         end
       end
 
@@ -223,15 +230,35 @@ module StackMaster
           success = false
         end
         stack_definitions = stack_definitions.select do |stack_definition|
-          StackStatus.new(config, stack_definition).changed?
+          running_in_allowed_account?(stack_definition.allowed_accounts) && StackStatus.new(config, stack_definition).changed?
         end if options.changed
         stack_definitions.each do |stack_definition|
           StackMaster.cloud_formation_driver.set_region(stack_definition.region)
           StackMaster.stdout.puts "Executing #{command.command_name} on #{stack_definition.stack_name} in #{stack_definition.region}"
-          success = false unless command.perform(config, stack_definition, options).success?
+          success = execute_if_allowed_account(stack_definition.allowed_accounts) do
+            command.perform(config, stack_definition, options).success?
+          end
         end
       end
       success
     end
+
+    def execute_if_allowed_account(allowed_accounts, &block)
+      raise ArgumentError, "Block required to execute this method" unless block_given?
+      if running_in_allowed_account?(allowed_accounts)
+        block.call
+      else
+        StackMaster.stdout.puts "Account '#{identity.account}' is not an allowed account. Allowed accounts are #{allowed_accounts}."
+        false
+      end
+    end
+
+    def running_in_allowed_account?(allowed_accounts)
+      StackMaster.skip_account_check? || identity.running_in_allowed_account?(allowed_accounts)
+    end
+
+    def identity
+      @identity ||= StackMaster::Identity.new
+    end
   end
 end

data/lib/stack_master/commands/lint.rb

@@ -13,7 +13,11 @@ module StackMaster
 
       def perform
         unless cfn_lint_available
-          failed! "Failed to run cfn-lint, do you have it installed and available in $PATH?"
+          failed! 'Failed to run cfn-lint. You may need to install it using'\
+                  '`pip install cfn-lint`, or add it to $PATH.'\
+                  "\n"\
+                  '(See https://github.com/aws-cloudformation/cfn-python-lint'\
+                  ' for package information)'
         end
 
         Tempfile.open(['stack', ".#{proposed_stack.template_format}"]) do |f|

data/lib/stack_master/commands/status.rb

@@ -16,12 +16,13 @@ module StackMaster
         progress if @show_progress
         status = @config.stacks.map do |stack_definition|
           stack_status = StackStatus.new(@config, stack_definition)
+          allowed_accounts = stack_definition.allowed_accounts
           progress.increment if @show_progress
           {
             region: stack_definition.region,
             stack_name: stack_definition.stack_name,
-            stack_status: stack_status.status,
-            different: stack_status.changed_message,
+            stack_status: running_in_allowed_account?(allowed_accounts) ? stack_status.status : "Disallowed account",
+            different: running_in_allowed_account?(allowed_accounts) ? stack_status.changed_message : "N/A",
           }
         end
         tp.set :max_width, self.window_size
@@ -41,6 +42,14 @@ module StackMaster
       def sort_params(hash)
         hash.sort.to_h
       end
+
+      def running_in_allowed_account?(allowed_accounts)
+        StackMaster.skip_account_check? || identity.running_in_allowed_account?(allowed_accounts)
+      end
+
+      def identity
+        @identity ||= StackMaster::Identity.new
+      end
     end
   end
 end

data/lib/stack_master/config.rb

@@ -116,6 +116,7 @@ module StackMaster
             'base_dir' => @base_dir,
             'template_dir' => @template_dir,
             'additional_parameter_lookup_dirs' => @region_to_aliases[region])
+          stack_attributes['allowed_accounts'] = attributes['allowed_accounts'] if attributes['allowed_accounts']
           @stacks << StackDefinition.new(stack_attributes)
         end
       end

data/lib/stack_master/identity.rb

@@ -0,0 +1,23 @@
+module StackMaster
+  class Identity
+    def running_in_allowed_account?(allowed_accounts)
+      allowed_accounts.nil? || allowed_accounts.empty? || allowed_accounts.include?(account)
+    end
+
+    def account
+      @account ||= sts.get_caller_identity.account
+    end
+
+    private
+
+    attr_reader :sts
+
+    def region
+      @region ||= ENV['AWS_REGION'] || Aws.config[:region] || Aws.shared_config.region || 'us-east-1'
+    end
+
+    def sts
+      @sts ||= Aws::STS::Client.new(region: region)
+    end
+  end
+end

data/lib/stack_master/stack_definition.rb

@@ -5,6 +5,7 @@ module StackMaster
                   :template,
                   :tags,
                   :role_arn,
+                  :allowed_accounts,
                   :notification_arns,
                   :base_dir,
                   :template_dir,
@@ -23,8 +24,10 @@ module StackMaster
       @notification_arns = []
       @s3 = {}
       @files = []
+      @allowed_accounts = nil
       super
       @template_dir ||= File.join(@base_dir, 'templates')
+      @allowed_accounts = Array(@allowed_accounts)
     end
 
     def ==(other)
@@ -34,6 +37,7 @@ module StackMaster
         @template == other.template &&
         @tags == other.tags &&
         @role_arn == other.role_arn &&
+        @allowed_accounts == other.allowed_accounts &&
         @notification_arns == other.notification_arns &&
         @base_dir == other.base_dir &&
         @secret_file == other.secret_file &&

data/lib/stack_master/version.rb

@@ -1,3 +1,3 @@
 module StackMaster
-  VERSION = "1.13.1"
+  VERSION = "1.14.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: stack_master
 version: !ruby/object:Gem::Version
-  version: 1.13.1
+  version: 1.14.0
 platform: x64-mingw32
 authors:
 - Steve Hodgkiss
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-03-20 00:00:00.000000000 Z
+date: 2019-07-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -435,6 +435,7 @@ files:
 - lib/stack_master/commands/validate.rb
 - lib/stack_master/config.rb
 - lib/stack_master/ctrl_c.rb
+- lib/stack_master/identity.rb
 - lib/stack_master/paged_response_accumulator.rb
 - lib/stack_master/parameter_loader.rb
 - lib/stack_master/parameter_resolver.rb