npm - @itentialopensource/adapter-amazon_route53 - Versions diffs - 0.4.4 → 0.4.6 - Mend

@itentialopensource/adapter-amazon_route53 0.4.4 → 0.4.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/AUTH.md +31 -8
package/CHANGELOG.md +16 -0
package/TAB2.md +38 -9
package/package.json +2 -2
package/propertiesSchema.json +37 -0
package/refs?service=git-upload-pack +0 -0
package/report/adapterInfo.json +2 -2
package/sampleProperties.json +7 -1
package/compliance-report.json +0 -9
package/compliance-report.txt +0 -5

package/AUTH.md CHANGED Viewed

@@ -36,35 +36,58 @@ you can leave all of the other properties in the authentication section, they wi
 ### AWS Security Token Service
 The Amazon Route53 adapter also supports AWS Security Token Service (STS) Authentication. For using this authentication, you need to use the calls in the Adapter that have the STSRole suffix on them and pass the STS information into the method.
+```json
+{
+  "RoleArn": "arn:aws:iam::1234567:role/my_role",
+  "RoleSessionName": "mySession"
+}
+```
+The AWS STS Authentication goes to the AWS STS Service endpoint in order to validate that the primary "service" account the adapter has authenticated with has the permission to assume the role. This call is made to sts.amazonaws.com or a regional sts sevice (e.g. sts.us-east-1.amazonaws.com). By default traffic to these endpoints will go out through the Internet. In the case where you would prefer these route through your network, it is possible to change the STS config for the adapter. The proxy field should point to the AWS loadbalancer or a proxy server that forwards to AWS STS. In Itential Cloud, this can be NAT'd to your network. In addition to this, you may need to set the endpoint in order to have the STS SSL certificate validated successfully. By default the adapter will use sts regional servers. If the loadbalancer and proxy are set up for that you should be fine. If however, they point to the global STS service (sts.amazonaws.com) You will need to set the global as the endpoint or the STS certificate will be rejected due to the hosts not matching.
+```json
+"authentication": {
+  "aws_sts": {
+    "endpoint": "<sts certificate endpoint>",
+    "proxy": "<proxy/loadbalancer ip>",
+  }
+}
+```
 ### AWS IAM Role
 The Amazon Route53 adapter also supports AWS IAM Role Authentication. For using this authentication, you need to use the calls in the Adapter that have the STSRole suffix on them and pass the RoleName into the method.
+```json
+"authentication": {
+  "auth_method": "aws_authentication",
+  "aws_iam_role": "role_arn"
+}
+```
 ### AMAZON STEPS FOR IAM ROLE
-Increase number of hops if running IAP inside of docker on EC2 instance
+Increase number of hops if running IAP inside of docker on an AWS instance
 ```bash
 aws sso login --profile aws-bota-1
 <export aws keys for CLI access>
-aws ec2 modify-instance-metadata-options  --instance-id i-0e150236026b7c45d  --http-put-response-hop-limit 3 --http-endpoint enabled --region us-east-1
+Amazon ec2 modify-instance-metadata-options  --instance-id i-0e150236026b7c45d  --http-put-response-hop-limit 3 --http-endpoint enabled --region us-east-1
 ```
 Create a new role and attach to it policies:
-- go to your EC2 instance, select it
+- go to your Route53 instance, select it
 - Actions->Security->Modify IAM Role
 - Click 'Create New IAM Role'
 - Create a role:
 ```text
 Trusted entity type: AWS service
-Use Case: EC2
+Use Case: Route53
 ```
-Add policies to the role
-- AmazonEC2FullAccess (Provides full access to Amazon EC2 via the AWS Management Console.)
-- AmazonRoute53FullAccess (Provides full access to all Amazon Route 53 via the AWS Management Console.)
+Add needed Route53 policies to the role
 Save the role
-Go back to your EC2 instance and Actions->Security->Modify IAM Role, associate newly created role with your EC2 instance
+Go back to Route53 and Actions->Security->Modify IAM Role, associate newly created role with your Route53 instance
 ### Troubleshooting
 - Make sure you copied over the correct access key, secret key and session token.

package/CHANGELOG.md CHANGED Viewed

@@ -1,4 +1,20 @@
+## 0.4.6 [09-30-2024]
+* update auth docs
+See merge request itentialopensource/adapters/adapter-amazon_route53!22
+---
+## 0.4.5 [09-12-2024]
+* add properties for sts
+See merge request itentialopensource/adapters/adapter-amazon_route53!21
+---
 ## 0.4.4 [08-22-2024]
 * update dependencies and metadata

package/TAB2.md CHANGED Viewed

@@ -47,35 +47,58 @@ you can leave all of the other properties in the authentication section, they wi
 #### AWS Security Token Service
 The Amazon Route53 adapter also supports AWS Security Token Service (STS) Authentication. For using this authentication, you need to use the calls in the Adapter that have the STSRole suffix on them and pass the STS information into the method.
+```json
+{
+  "RoleArn": "arn:aws:iam::1234567:role/my_role",
+  "RoleSessionName": "mySession"
+}
+```
+The AWS STS Authentication goes to the AWS STS Service endpoint in order to validate that the primary "service" account the adapter has authenticated with has the permission to assume the role. This call is made to sts.amazonaws.com or a regional sts sevice (e.g. sts.us-east-1.amazonaws.com). By default traffic to these endpoints will go out through the Internet. In the case where you would prefer these route through your network, it is possible to change the STS config for the adapter. The proxy field should point to the AWS loadbalancer or a proxy server that forwards to AWS STS. In Itential Cloud, this can be NAT'd to your network. In addition to this, you may need to set the endpoint in order to have the STS SSL certificate validated successfully. By default the adapter will use sts regional servers. If the loadbalancer and proxy are set up for that you should be fine. If however, they point to the global STS service (sts.amazonaws.com) You will need to set the global as the endpoint or the STS certificate will be rejected due to the hosts not matching.
+```json
+"authentication": {
+  "aws_sts": {
+    "endpoint": "<sts certificate endpoint>",
+    "proxy": "<proxy/loadbalancer ip>",
+  }
+}
+```
 #### AWS IAM Role
 The Amazon Route53 adapter also supports AWS IAM Role Authentication. For using this authentication, you need to use the calls in the Adapter that have the STSRole suffix on them and pass the RoleName into the method.
+```json
+"authentication": {
+  "auth_method": "aws_authentication",
+  "aws_iam_role": "role_arn"
+}
+```
 #### AMAZON STEPS FOR IAM ROLE
-Increase number of hops if running IAP inside of docker on EC2 instance
+Increase number of hops if running IAP inside of docker on an AWS instance
 ```bash
 aws sso login --profile aws-bota-1
 <export aws keys for CLI access>
-aws ec2 modify-instance-metadata-options  --instance-id i-0e150236026b7c45d  --http-put-response-hop-limit 3 --http-endpoint enabled --region us-east-1
+Amazon ec2 modify-instance-metadata-options  --instance-id i-0e150236026b7c45d  --http-put-response-hop-limit 3 --http-endpoint enabled --region us-east-1
 ```
 Create a new role and attach to it policies:
-- go to your EC2 instance, select it
+- go to your Route53 instance, select it
 - Actions->Security->Modify IAM Role
 - Click 'Create New IAM Role'
 - Create a role:
 ```text
 Trusted entity type: AWS service
-Use Case: EC2
+Use Case: Route53
 ```
-Add policies to the role
-- AmazonEC2FullAccess (Provides full access to Amazon EC2 via the AWS Management Console.)
-- AmazonRoute53FullAccess (Provides full access to all Amazon Route 53 via the AWS Management Console.)
+Add needed Route53 policies to the role
 Save the role
-Go back to your EC2 instance and Actions->Security->Modify IAM Role, associate newly created role with your EC2 instance
+Go back to Route53 and Actions->Security->Modify IAM Role, associate newly created role with your Route53 instance
 #### Troubleshooting
 - Make sure you copied over the correct access key, secret key and session token.
@@ -141,7 +164,13 @@ Sample Properties can be used to help you configure the adapter in the Itential
       "aws_access_key": "aws_access_key",
       "aws_secret_key": "aws_secret_key",
       "aws_session_token": "aws_session_token",
-      "aws_iam_role": ""
+      "aws_iam_role": "",
+      "aws_sts": {
+        "sslEnable": true,
+        "endpoint": "",
+        "proxy": "",
+        "proxyagent": ""
+      }
     },
     "healthcheck": {
       "type": "startup",

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@itentialopensource/adapter-amazon_route53",
-  "version": "0.4.4",
+  "version": "0.4.6",
   "description": "This adapter integrates with system described as: Amazon Route53.",
   "main": "adapter.js",
   "systemName": "Amazon AWS Route53",
@@ -55,7 +55,7 @@
   "author": "Itential",
   "homepage": "https://gitlab.com/itentialopensource/adapters/adapter-amazon_route53#readme",
   "dependencies": {
-    "@itentialopensource/adapter-utils": "^5.7.0",
+    "@itentialopensource/adapter-utils": "^5.7.2",
     "acorn": "^8.12.1",
     "ajv": "^8.17.1",
     "axios": "^1.7.4",

package/propertiesSchema.json CHANGED Viewed

@@ -381,6 +381,43 @@
           "examples": [
             "roleOnAllCalls"
           ]
+        },
+        "aws_sts": {
+          "type": "object",
+          "properties": {
+            "sslEnable": {
+              "type": "boolean",
+              "description": "This can disable the ssl for the sts requests",
+              "default": true
+            },
+            "endpoint": {
+              "type": "string",
+              "description": "change the sts endpoint used for assume role",
+              "default": "",
+              "enum": [
+                "sts.amazonaws.com",
+                "sts.us-east-2.amazonaws.com",
+                ""
+              ]
+            },
+            "proxy": {
+              "type": "string",
+              "description": "add a proxy to calls used for assume role",
+              "default": "",
+              "examples": [
+                "https://1.1.1.1"
+              ]
+            },
+            "proxyagent": {
+              "type": "string",
+              "description": "define a proxy agent for calls to assume role",
+              "default": "",
+              "examples": [
+                "https",
+                "http"
+              ]
+            }
+          }
         }
       },
       "required": [

package/refs?service=git-upload-pack CHANGED Viewed

Binary file

package/report/adapterInfo.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
-  "version": "0.4.3",
-  "configLines": 9898,
+  "version": "0.4.5",
+  "configLines": 9935,
   "scriptLines": 1783,
   "codeLines": 9292,
   "testLines": 6920,

package/sampleProperties.json CHANGED Viewed

@@ -46,7 +46,13 @@
       "aws_access_key": "aws_access_key",
       "aws_secret_key": "aws_secret_key",
       "aws_session_token": "aws_session_token",
-      "aws_iam_role": ""
+      "aws_iam_role": "",
+      "aws_sts": {
+        "sslEnable": true,
+        "endpoint": "",
+        "proxy": "",
+        "proxyagent": ""
+      }
     },
     "healthcheck": {
       "type": "startup",

package/compliance-report.json DELETED Viewed

@@ -1,9 +0,0 @@
-{
-  "ComplianceEntries": [
-    {
-      "name": "Compliance Summary",
-      "numInvalidProjects": 0,
-      "numValidProjects": 0
-    }
-  ]
-}

package/compliance-report.txt DELETED Viewed

@@ -1,5 +0,0 @@
----------------------------------------------------------------------------------------------
-**** Project Compliance Summary ****
-0 project(s) are not valid
-0 project(s) are valid
----------------------------------------------------------------------------------------------