cloudzero 0.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/out/cli.js +2 -0
- package/package.json +47 -0
package/out/cli.js
ADDED
|
@@ -0,0 +1,2 @@
|
|
|
1
|
+
#!/usr/bin/env node
|
|
2
|
+
import{consoleLogSink as I,LogContext as S}from"@rocicorp/logger";import{AttachRolePolicyCommand as w,CreateRoleCommand as y,EntityAlreadyExistsException as R,IAMClient as A,PutRolePolicyCommand as C}from"@aws-sdk/client-iam";function r(e){return JSON.stringify({Version:"2012-10-17",...e})}var s=process.env.CLOUDZERO_ACCOUNT_ID??"347116755803";import{AssumeRoleCommand as G,GetCallerIdentityCommand as d,STSClient as g}from"@aws-sdk/client-sts";function a(e,n){if(e==null)throw new Error(n??`Unexpected ${e} value`);return e}async function c(e={}){let o=await new g(e).send(new d);return a(o.Account)}var P="cloudzero-cluster-admin-role",D="cloudzero-cluster-debug-role";var E={Statement:[{Effect:"Allow",Action:["eks:CreateAccessEntry","eks:Describe*","eks:List*","eks:TagResource","kms:CreateAlias","kms:CreateGrant","kms:DescribeKey","kms:ListKeys","logs:PutRetentionPolicy"],Resource:"*"},{Effect:"Allow",Action:["ecr-public:GetAuthorizationToken","sts:GetServiceBearerToken"],Resource:"*"},{Effect:"Allow",Action:["eks:*","kms:CreateKey","kms:TagResource"],Resource:"*",Condition:{StringEquals:{"aws:ResourceTag/ManagedBy":"cloudzero"}}},{Effect:"Allow",Action:["ssm:GetParameter","ssm:GetParameters"],Resource:["arn:aws:ssm:*:*:parameter/aws/*","arn:aws:ssm:*::parameter/aws/*"]},{Effect:"Allow",Action:["iam:CreateInstanceProfile","iam:DeleteInstanceProfile","iam:GetInstanceProfile","iam:RemoveRoleFromInstanceProfile","iam:GetRole","iam:CreateRole","iam:DeleteRole","iam:AttachRolePolicy","iam:PutRolePolicy","iam:UpdateAssumeRolePolicy","iam:AddRoleToInstanceProfile","iam:ListInstanceProfilesForRole","iam:PassRole","iam:DetachRolePolicy","iam:DeleteRolePolicy","iam:GetRolePolicy","iam:GetOpenIDConnectProvider","iam:CreateOpenIDConnectProvider","iam:DeleteOpenIDConnectProvider","iam:TagOpenIDConnectProvider","iam:ListAttachedRolePolicies","iam:TagRole","iam:UntagRole","iam:GetPolicy","iam:CreatePolicy","iam:DeletePolicy","iam:ListPolicyVersions"],Resource:["arn:aws:iam::*:instance-profile/eksctl-*","arn:aws:iam::*:role/eksctl-*","arn:aws:iam::*:policy/eksctl-*","arn:aws:iam::*:oidc-provider/*","arn:aws:iam::*:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup","arn:aws:iam::*:role/eksctl-managed-*"]},{Effect:"Allow",Action:["iam:GetRole","iam:GetUser"],Resource:["arn:aws:iam::*:role/*","arn:aws:iam::*:user/*"]},{Effect:"Allow",Action:["iam:CreateServiceLinkedRole"],Resource:"*",Condition:{StringEquals:{"iam:AWSServiceName":["eks.amazonaws.com","eks-nodegroup.amazonaws.com","eks-fargate.amazonaws.com"]}}}]},k={Statement:[{Effect:"Allow",Action:["iam:CreateInstanceProfile","iam:DeleteInstanceProfile","iam:GetInstanceProfile","iam:RemoveRoleFromInstanceProfile","iam:GetRole","iam:CreateRole","iam:DeleteRole","iam:AttachRolePolicy","iam:PutRolePolicy","iam:UpdateAssumeRolePolicy","iam:AddRoleToInstanceProfile","iam:ListInstanceProfilesForRole","iam:PassRole","iam:DetachRolePolicy","iam:DeleteRolePolicy","iam:GetRolePolicy","iam:GetOpenIDConnectProvider","iam:CreateOpenIDConnectProvider","iam:DeleteOpenIDConnectProvider","iam:TagOpenIDConnectProvider","iam:ListAttachedRolePolicies","iam:TagRole","iam:UntagRole","iam:GetPolicy","iam:CreatePolicy","iam:DeletePolicy","iam:ListPolicyVersions"],Resource:["arn:aws:iam::*:role/cloudzero-*","arn:aws:iam::*:role/cloudzero.*","arn:aws:iam::*:policy/cloudzero-*","arn:aws:iam::*:policy/cloudzero.*"]},{Effect:"Allow",Action:["sts:AssumeRole","sts:TagSession"],Resource:`arn:aws:iam::${s}:role/*`}]},T={Statement:[{Effect:"Allow",Action:["eks:DescribeAddonConfiguration","eks:DescribeAddonVersions","eks:DescribeClusterVersions","eks:ListClusters","logs:DescribeLogGroups","logs:ListLogGroups"],Resource:"*"},{Effect:"Allow",Action:["eks:AccessKubernetesApi","eks:Describe*","eks:List*"],Resource:"*",Condition:{StringEquals:{"aws:ResourceTag/ManagedBy":"cloudzero"}}},{Effect:"Allow",Action:["logs:Describe*","logs:Filter*","logs:Get*"],Resource:["arn:aws:logs:*:*:log-group:/cloudzero/*"]}]};async function u(e,n={}){let o=await c(n);e.info?.(`Configuring CloudZero access for account ${o}`);let i=new A(n);await l(e,i,P,"Role for automated management of cloudzero clusters",{"cluster-management-policy":E,"cluster-runtime-policy":k},"AmazonEC2FullAccess","AWSCloudFormationFullAccess"),await l(e,i,D,"Role for debugging cloudzero clusters",{"cluster-debug-policy":T})}async function l(e,n,o,i,m,...p){try{let t=await n.send(new y({RoleName:o,Description:i,AssumeRolePolicyDocument:r({Statement:[{Effect:"Allow",Principal:{AWS:s},Action:["sts:AssumeRole","sts:TagSession"]}]})}));e.info?.(`Created ${o}`,t.Role)}catch(t){if(t instanceof R)e.info?.(`${o} already exists`);else throw t}for(let t of p)await n.send(new w({RoleName:o,PolicyArn:`arn:aws:iam::aws:policy/${t}`}));for(let[t,f]of Object.entries(m))await n.send(new C({RoleName:o,PolicyName:t,PolicyDocument:r(f)}));e.info?.(`Configured ${o}`)}var x=new S("debug",{},I);await u(x);
|
package/package.json
ADDED
|
@@ -0,0 +1,47 @@
|
|
|
1
|
+
{
|
|
2
|
+
"name": "cloudzero",
|
|
3
|
+
"version": "0.0.1",
|
|
4
|
+
"description": "Application for initializing CloudZero",
|
|
5
|
+
"author": "Rocicorp, Inc.",
|
|
6
|
+
"repository": {
|
|
7
|
+
"type": "git",
|
|
8
|
+
"url": "git+https://github.com/rocicorp/cloudzero.git",
|
|
9
|
+
"directory": "cluster/init"
|
|
10
|
+
},
|
|
11
|
+
"type": "module",
|
|
12
|
+
"files": [
|
|
13
|
+
"out"
|
|
14
|
+
],
|
|
15
|
+
"bin": {
|
|
16
|
+
"cloudzero": "./out/cli.js"
|
|
17
|
+
},
|
|
18
|
+
"scripts": {
|
|
19
|
+
"build": "rm -rf out && tsc && npx tsx tool/build.ts",
|
|
20
|
+
"format": "prettier --write .",
|
|
21
|
+
"check-format": "prettier --check .",
|
|
22
|
+
"check-types": "tsc",
|
|
23
|
+
"check-types:watch": "tsc --watch",
|
|
24
|
+
"lint": "eslint --ext .ts,.tsx,.js,.jsx src/",
|
|
25
|
+
"prepack": "npm run build"
|
|
26
|
+
},
|
|
27
|
+
"dependencies": {
|
|
28
|
+
"@aws-sdk/client-iam": "^3.873.0",
|
|
29
|
+
"@aws-sdk/client-sts": "^3.873.0",
|
|
30
|
+
"@rocicorp/logger": "^5.4.0"
|
|
31
|
+
},
|
|
32
|
+
"devDependencies": {
|
|
33
|
+
"@rocicorp/eslint-config": "^0.7.0",
|
|
34
|
+
"@rocicorp/prettier-config": "^0.3.0",
|
|
35
|
+
"cluster-setup": "0.0.0",
|
|
36
|
+
"esbuild": "^0.25.0",
|
|
37
|
+
"prettier": "^3.6.0",
|
|
38
|
+
"typescript": "^5.8.3"
|
|
39
|
+
},
|
|
40
|
+
"eslintConfig": {
|
|
41
|
+
"extends": "../../eslint-config.json",
|
|
42
|
+
"rules": {
|
|
43
|
+
"@typescript-eslint/naming-convention": "off"
|
|
44
|
+
}
|
|
45
|
+
},
|
|
46
|
+
"prettier": "@rocicorp/prettier-config"
|
|
47
|
+
}
|