cloudzero 0.0.1 → 0.1.0
- package/out/cli.js +9 -1
- package/package.json +4 -4
package/out/cli.js
CHANGED
|
@@ -1,2 +1,10 @@
|
|
|
1
1
|
#!/usr/bin/env node
|
|
2
|
-
import{consoleLogSink as I,LogContext as S}from"@rocicorp/logger";import{AttachRolePolicyCommand as w,CreateRoleCommand as y,EntityAlreadyExistsException as R,IAMClient as A,PutRolePolicyCommand as C}from"@aws-sdk/client-iam";function r(e){return JSON.stringify({Version:"2012-10-17",...e})}var s=process.env.CLOUDZERO_ACCOUNT_ID??"347116755803";import{AssumeRoleCommand as G,GetCallerIdentityCommand as d,STSClient as g}from"@aws-sdk/client-sts";function a(e,n){if(e==null)throw new Error(n??`Unexpected ${e} value`);return e}async function c(e={}){let o=await new g(e).send(new d);return a(o.Account)}var P="cloudzero-cluster-admin-role",D="cloudzero-cluster-debug-role";var E={Statement:[{Effect:"Allow",Action:["eks:CreateAccessEntry","eks:Describe*","eks:List*","eks:TagResource","kms:CreateAlias","kms:CreateGrant","kms:DescribeKey","kms:ListKeys","logs:PutRetentionPolicy"],Resource:"*"},{Effect:"Allow",Action:["ecr-public:GetAuthorizationToken","sts:GetServiceBearerToken"],Resource:"*"},{Effect:"Allow",Action:["eks:*","kms:CreateKey","kms:TagResource"],Resource:"*",Condition:{StringEquals:{"aws:ResourceTag/ManagedBy":"cloudzero"}}},{Effect:"Allow",Action:["ssm:GetParameter","ssm:GetParameters"],Resource:["arn:aws:ssm:*:*:parameter/aws/*","arn:aws:ssm:*::parameter/aws/*"]},{Effect:"Allow",Action:["iam:CreateInstanceProfile","iam:DeleteInstanceProfile","iam:GetInstanceProfile","iam:RemoveRoleFromInstanceProfile","iam:GetRole","iam:CreateRole","iam:DeleteRole","iam:AttachRolePolicy","iam:PutRolePolicy","iam:UpdateAssumeRolePolicy","iam:AddRoleToInstanceProfile","iam:ListInstanceProfilesForRole","iam:PassRole","iam:DetachRolePolicy","iam:DeleteRolePolicy","iam:GetRolePolicy","iam:GetOpenIDConnectProvider","iam:CreateOpenIDConnectProvider","iam:DeleteOpenIDConnectProvider","iam:TagOpenIDConnectProvider","iam:ListAttachedRolePolicies","iam:TagRole","iam:UntagRole","iam:GetPolicy","iam:CreatePolicy","iam:DeletePolicy","iam:ListPolicyVersions"],Resource:["arn:aws:iam::*:instance
-profile/eksctl-*","arn:aws:iam::*:role/eksctl-*","arn:aws:iam::*:policy/eksctl-*","arn:aws:iam::*:oidc-provider/*","arn:aws:iam::*:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup","arn:aws:iam::*:role/eksctl-managed-*"]},{Effect:"Allow",Action:["iam:GetRole","iam:GetUser"],Resource:["arn:aws:iam::*:role/*","arn:aws:iam::*:user/*"]},{Effect:"Allow",Action:["iam:CreateServiceLinkedRole"],Resource:"*",Condition:{StringEquals:{"iam:AWSServiceName":["eks.amazonaws.com","eks-nodegroup.amazonaws.com","eks-fargate.amazonaws.com"]}}}]},k={Statement:[{Effect:"Allow",Action:["iam:CreateInstanceProfile","iam:DeleteInstanceProfile","iam:GetInstanceProfile","iam:RemoveRoleFromInstanceProfile","iam:GetRole","iam:CreateRole","iam:DeleteRole","iam:AttachRolePolicy","iam:PutRolePolicy","iam:UpdateAssumeRolePolicy","iam:AddRoleToInstanceProfile","iam:ListInstanceProfilesForRole","iam:PassRole","iam:DetachRolePolicy","iam:DeleteRolePolicy","iam:GetRolePolicy","iam:GetOpenIDConnectProvider","iam:CreateOpenIDConnectProvider","iam:DeleteOpenIDConnectProvider","iam:TagOpenIDConnectProvider","iam:ListAttachedRolePolicies","iam:TagRole","iam:UntagRole","iam:GetPolicy","iam:CreatePolicy","iam:DeletePolicy","iam:ListPolicyVersions"],Resource:["arn:aws:iam::*:role/cloudzero-*","arn:aws:iam::*:role/cloudzero.*","arn:aws:iam::*:policy/cloudzero-*","arn:aws:iam::*:policy/cloudzero.*"]},{Effect:"Allow",Action:["sts:AssumeRole","sts:TagSession"],Resource:`arn:aws:iam::${s}:role/*`}]},T={Statement:[{Effect:"Allow",Action:["eks:DescribeAddonConfiguration","eks:DescribeAddonVersions","eks:DescribeClusterVersions","eks:ListClusters","logs:DescribeLogGroups","logs:ListLogGroups"],Resource:"*"},{Effect:"Allow",Action:["eks:AccessKubernetesApi","eks:Describe*","eks:List*"],Resource:"*",Condition:{StringEquals:{"aws:ResourceTag/ManagedBy":"cloudzero"}}},{Effect:"Allow",Action:["logs:Describe*","logs:Filter*","logs:Get*"],Resource:["arn:aws:logs:*:*:log-group:/cloudzero
/*"]}]};async function u(e,n={}){let o=await c(n);e.info?.(`Configuring CloudZero access for account ${o}`);let i=new A(n);await l(e,i,P,"Role for automated management of cloudzero clusters",{"cluster-management-policy":E,"cluster-runtime-policy":k},"AmazonEC2FullAccess","AWSCloudFormationFullAccess"),await l(e,i,D,"Role for debugging cloudzero clusters",{"cluster-debug-policy":T})}async function l(e,n,o,i,m,...p){try{let t=await n.send(new y({RoleName:o,Description:i,AssumeRolePolicyDocument:r({Statement:[{Effect:"Allow",Principal:{AWS:s},Action:["sts:AssumeRole","sts:TagSession"]}]})}));e.info?.(`Created ${o}`,t.Role)}catch(t){if(t instanceof R)e.info?.(`${o} already exists`);else throw t}for(let t of p)await n.send(new w({RoleName:o,PolicyArn:`arn:aws:iam::aws:policy/${t}`}));for(let[t,f]of Object.entries(m))await n.send(new C({RoleName:o,PolicyName:t,PolicyDocument:r(f)}));e.info?.(`Configured ${o}`)}var x=new S("debug",{},I);await u(x);
|
|
2
|
+
import{consoleLogSink as v,LogContext as B}from"@rocicorp/logger";import{exit as N,stdin as $,stdout as z}from"node:process";import{createInterface as M}from"node:readline/promises";import{AttachRolePolicyCommand as C,CreateRoleCommand as w,EntityAlreadyExistsException as R,IAMClient as P,PutRolePolicyCommand as O}from"@aws-sdk/client-iam";function n(r){return{arrayItems:r}}function e(...r){return{unionMembers:r}}function g(r,o){return{props:r,additional:o}}function s(r){return{props:[],additional:r}}function a(r){return{ref:r}}var J={PolicyDocument:g([{json:"Id",js:"Id",typ:e(void 0,"")},{json:"Statement",js:"Statement",typ:e(n(a("Statement")),a("Statement"))},{json:"Version",js:"Version",typ:e(void 0,a("Version"))}],!1),Statement:g([{json:"Action",js:"Action",typ:e(void 0,e(n(""),""))},{json:"NotAction",js:"NotAction",typ:e(void 0,e(n(""),""))},{json:"Resource",js:"Resource",typ:e(void 0,e(n(""),""))},{json:"NotResource",js:"NotResource",typ:e(void 0,e(n(""),""))},{json:"Condition",js:"Condition",typ:e(void 0,a("Condition"))},{json:"Effect",js:"Effect",typ:a("Effect")},{json:"NotPrincipal",js:"NotPrincipal",typ:e(void 0,e(a("Wildcard"),a("PrincipalObject")))},{json:"Principal",js:"Principal",typ:e(void 0,e(a("Wildcard"),a("PrincipalObject")))},{json:"Sid",js:"Sid",typ:e(void 0,"")}],!1),Condition:g([{json:"ArnEquals",js:"ArnEquals",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"ArnEqualsIfExists",js:"ArnEqualsIfExists",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"ArnLike",js:"ArnLike",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"ArnLikeIfExists",js:"ArnLikeIfExists",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"ArnNotEquals",js:"ArnNotEquals",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"ArnNotEqualsIfExists",js:"ArnNotEqualsIfExists",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"ArnNotLike",js:"ArnNotLike",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"ArnNotLikeIfExists",js:"ArnNotLikeIfExists",typ:e(void 
0,s(e(n(""),!0,3.14,"")))},{json:"BinaryEquals",js:"BinaryEquals",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"BinaryEqualsIfExists",js:"BinaryEqualsIfExists",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"Bool",js:"Bool",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"BoolIfExists",js:"BoolIfExists",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"DateEquals",js:"DateEquals",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"DateEqualsIfExists",js:"DateEqualsIfExists",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"DateGreaterThan",js:"DateGreaterThan",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"DateGreaterThanEquals",js:"DateGreaterThanEquals",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"DateGreaterThanEqualsIfExists",js:"DateGreaterThanEqualsIfExists",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"DateGreaterThanIfExists",js:"DateGreaterThanIfExists",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"DateLessThan",js:"DateLessThan",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"DateLessThanEquals",js:"DateLessThanEquals",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"DateLessThanEqualsIfExists",js:"DateLessThanEqualsIfExists",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"DateLessThanIfExists",js:"DateLessThanIfExists",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"DateNotEquals",js:"DateNotEquals",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"DateNotEqualsIfExists",js:"DateNotEqualsIfExists",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"ForAllValues:ArnEquals",js:"ForAllValues:ArnEquals",typ:e(void 0,s(n("")))},{json:"ForAllValues:ArnLike",js:"ForAllValues:ArnLike",typ:e(void 0,s(n("")))},{json:"ForAllValues:ArnNotEquals",js:"ForAllValues:ArnNotEquals",typ:e(void 0,s(n("")))},{json:"ForAllValues:ArnNotLike",js:"ForAllValues:ArnNotLike",typ:e(void 0,s(n("")))},{json:"ForAllValues:BinaryEquals",js:"ForAllValues:BinaryEquals",typ:e(void 0,s(n("")))},{json:"ForAllValues:Bool",js:"ForAllValues:Bool",typ:e(void 0,s(n("")))},{json:"ForAllValues:DateEquals",js:"ForAllValues:DateEquals",typ:e(void 
0,s(n("")))},{json:"ForAllValues:DateGreaterThan",js:"ForAllValues:DateGreaterThan",typ:e(void 0,s(n("")))},{json:"ForAllValues:DateGreaterThanEquals",js:"ForAllValues:DateGreaterThanEquals",typ:e(void 0,s(n("")))},{json:"ForAllValues:DateLessThan",js:"ForAllValues:DateLessThan",typ:e(void 0,s(n("")))},{json:"ForAllValues:DateLessThanEquals",js:"ForAllValues:DateLessThanEquals",typ:e(void 0,s(n("")))},{json:"ForAllValues:DateNotEquals",js:"ForAllValues:DateNotEquals",typ:e(void 0,s(n("")))},{json:"ForAllValues:IpAddress",js:"ForAllValues:IpAddress",typ:e(void 0,s(n("")))},{json:"ForAllValues:NotIpAddress",js:"ForAllValues:NotIpAddress",typ:e(void 0,s(n("")))},{json:"ForAllValues:NumericEquals",js:"ForAllValues:NumericEquals",typ:e(void 0,s(n("")))},{json:"ForAllValues:NumericGreaterThan",js:"ForAllValues:NumericGreaterThan",typ:e(void 0,s(n("")))},{json:"ForAllValues:NumericGreaterThanEquals",js:"ForAllValues:NumericGreaterThanEquals",typ:e(void 0,s(n("")))},{json:"ForAllValues:NumericLessThan",js:"ForAllValues:NumericLessThan",typ:e(void 0,s(n("")))},{json:"ForAllValues:NumericLessThanEquals",js:"ForAllValues:NumericLessThanEquals",typ:e(void 0,s(n("")))},{json:"ForAllValues:NumericNotEquals",js:"ForAllValues:NumericNotEquals",typ:e(void 0,s(n("")))},{json:"ForAllValues:StringEquals",js:"ForAllValues:StringEquals",typ:e(void 0,s(n("")))},{json:"ForAllValues:StringEqualsIgnoreCase",js:"ForAllValues:StringEqualsIgnoreCase",typ:e(void 0,s(n("")))},{json:"ForAllValues:StringLike",js:"ForAllValues:StringLike",typ:e(void 0,s(n("")))},{json:"ForAllValues:StringNotEquals",js:"ForAllValues:StringNotEquals",typ:e(void 0,s(n("")))},{json:"ForAllValues:StringNotEqualsIgnoreCase",js:"ForAllValues:StringNotEqualsIgnoreCase",typ:e(void 0,s(n("")))},{json:"ForAllValues:StringNotLike",js:"ForAllValues:StringNotLike",typ:e(void 0,s(n("")))},{json:"ForAnyValues:ArnEquals",js:"ForAnyValues:ArnEquals",typ:e(void 
0,s(n("")))},{json:"ForAnyValues:ArnLike",js:"ForAnyValues:ArnLike",typ:e(void 0,s(n("")))},{json:"ForAnyValues:ArnNotEquals",js:"ForAnyValues:ArnNotEquals",typ:e(void 0,s(n("")))},{json:"ForAnyValues:ArnNotLike",js:"ForAnyValues:ArnNotLike",typ:e(void 0,s(n("")))},{json:"ForAnyValues:BinaryEquals",js:"ForAnyValues:BinaryEquals",typ:e(void 0,s(n("")))},{json:"ForAnyValues:Bool",js:"ForAnyValues:Bool",typ:e(void 0,s(n("")))},{json:"ForAnyValues:DateEquals",js:"ForAnyValues:DateEquals",typ:e(void 0,s(n("")))},{json:"ForAnyValues:DateGreaterThan",js:"ForAnyValues:DateGreaterThan",typ:e(void 0,s(n("")))},{json:"ForAnyValues:DateGreaterThanEquals",js:"ForAnyValues:DateGreaterThanEquals",typ:e(void 0,s(n("")))},{json:"ForAnyValues:DateLessThan",js:"ForAnyValues:DateLessThan",typ:e(void 0,s(n("")))},{json:"ForAnyValues:DateLessThanEquals",js:"ForAnyValues:DateLessThanEquals",typ:e(void 0,s(n("")))},{json:"ForAnyValues:DateNotEquals",js:"ForAnyValues:DateNotEquals",typ:e(void 0,s(n("")))},{json:"ForAnyValues:IpAddress",js:"ForAnyValues:IpAddress",typ:e(void 0,s(n("")))},{json:"ForAnyValues:NotIpAddress",js:"ForAnyValues:NotIpAddress",typ:e(void 0,s(n("")))},{json:"ForAnyValues:NumericEquals",js:"ForAnyValues:NumericEquals",typ:e(void 0,s(n("")))},{json:"ForAnyValues:NumericGreaterThan",js:"ForAnyValues:NumericGreaterThan",typ:e(void 0,s(n("")))},{json:"ForAnyValues:NumericGreaterThanEquals",js:"ForAnyValues:NumericGreaterThanEquals",typ:e(void 0,s(n("")))},{json:"ForAnyValues:NumericLessThan",js:"ForAnyValues:NumericLessThan",typ:e(void 0,s(n("")))},{json:"ForAnyValues:NumericLessThanEquals",js:"ForAnyValues:NumericLessThanEquals",typ:e(void 0,s(n("")))},{json:"ForAnyValues:NumericNotEquals",js:"ForAnyValues:NumericNotEquals",typ:e(void 0,s(n("")))},{json:"ForAnyValues:StringEquals",js:"ForAnyValues:StringEquals",typ:e(void 0,s(n("")))},{json:"ForAnyValues:StringEqualsIgnoreCase",js:"ForAnyValues:StringEqualsIgnoreCase",typ:e(void 
0,s(n("")))},{json:"ForAnyValues:StringLike",js:"ForAnyValues:StringLike",typ:e(void 0,s(n("")))},{json:"ForAnyValues:StringNotEquals",js:"ForAnyValues:StringNotEquals",typ:e(void 0,s(n("")))},{json:"ForAnyValues:StringNotEqualsIgnoreCase",js:"ForAnyValues:StringNotEqualsIgnoreCase",typ:e(void 0,s(n("")))},{json:"ForAnyValues:StringNotLike",js:"ForAnyValues:StringNotLike",typ:e(void 0,s(n("")))},{json:"IpAddress",js:"IpAddress",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"IpAddressIfExists",js:"IpAddressIfExists",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"NotIpAddress",js:"NotIpAddress",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"NotIpAddressIfExists",js:"NotIpAddressIfExists",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"Null",js:"Null",typ:e(void 0,s(e(!0,a("NullEnum"))))},{json:"NumericEquals",js:"NumericEquals",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"NumericEqualsIfExists",js:"NumericEqualsIfExists",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"NumericGreaterThan",js:"NumericGreaterThan",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"NumericGreaterThanEquals",js:"NumericGreaterThanEquals",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"NumericGreaterThanEqualsIfExists",js:"NumericGreaterThanEqualsIfExists",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"NumericGreaterThanIfExists",js:"NumericGreaterThanIfExists",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"NumericLessThan",js:"NumericLessThan",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"NumericLessThanEquals",js:"NumericLessThanEquals",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"NumericLessThanEqualsIfExists",js:"NumericLessThanEqualsIfExists",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"NumericLessThanIfExists",js:"NumericLessThanIfExists",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"NumericNotEquals",js:"NumericNotEquals",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"NumericNotEqualsIfExists",js:"NumericNotEqualsIfExists",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"StringEquals",js:"StringEquals",typ:e(void 
0,s(e(n(""),!0,3.14,"")))},{json:"StringEqualsIfExists",js:"StringEqualsIfExists",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"StringEqualsIgnoreCase",js:"StringEqualsIgnoreCase",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"StringEqualsIgnoreCaseIfExists",js:"StringEqualsIgnoreCaseIfExists",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"StringLike",js:"StringLike",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"StringLikeIfExists",js:"StringLikeIfExists",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"StringNotEquals",js:"StringNotEquals",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"StringNotEqualsIfExists",js:"StringNotEqualsIfExists",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"StringNotEqualsIgnoreCase",js:"StringNotEqualsIgnoreCase",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"StringNotEqualsIgnoreCaseIfExists",js:"StringNotEqualsIgnoreCaseIfExists",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"StringNotLike",js:"StringNotLike",typ:e(void 0,s(e(n(""),!0,3.14,"")))},{json:"StringNotLikeIfExists",js:"StringNotLikeIfExists",typ:e(void 0,s(e(n(""),!0,3.14,"")))}],"any"),PrincipalObject:g([{json:"AWS",js:"AWS",typ:e(void 0,e(n(""),""))},{json:"CanonicalUser",js:"CanonicalUser",typ:e(void 0,e(n(""),""))},{json:"Federated",js:"Federated",typ:e(void 0,e(n(""),""))}],"any"),NullEnum:["false","true"],Effect:["Allow","Deny"],Wildcard:["*"],Version:["2008-10-17","2012-10-17"]};function E(r){return JSON.stringify({Version:"2012-10-17",...r})}import{AssumeRoleCommand as ne,GetCallerIdentityCommand as F,STSClient as V}from"@aws-sdk/client-sts";function T(r,o){if(r==null)throw new Error(o??`Unexpected ${r} value`);return r}async function y(r={}){let u=await new V(r).send(new F);return T(u.Account)}var S="347116755803",h="798429904820";function x(){return process.env.CLOUDZERO_STAGING==="1"}var A=x()?h:S;var d="zero-cluster-admin-role",f="zero-cluster-debug-role";var 
G={Statement:[{Effect:"Allow",Action:["eks:CreateAccessEntry","eks:Describe*","eks:List*","eks:TagResource","kms:CreateAlias","kms:CreateGrant","kms:DescribeKey","kms:ListKeys","logs:PutRetentionPolicy"],Resource:"*"},{Effect:"Allow",Action:["ecr-public:GetAuthorizationToken","sts:GetServiceBearerToken"],Resource:"*"},{Effect:"Allow",Action:["eks:*","kms:CreateKey","kms:TagResource"],Resource:"*",Condition:{StringEquals:{"aws:ResourceTag/ManagedBy":"zero"}}},{Effect:"Allow",Action:["ssm:GetParameter","ssm:GetParameters"],Resource:["arn:aws:ssm:*:*:parameter/aws/*","arn:aws:ssm:*::parameter/aws/*"]},{Effect:"Allow",Action:["iam:CreateInstanceProfile","iam:DeleteInstanceProfile","iam:GetInstanceProfile","iam:RemoveRoleFromInstanceProfile","iam:GetRole","iam:CreateRole","iam:DeleteRole","iam:AttachRolePolicy","iam:PutRolePolicy","iam:UpdateAssumeRolePolicy","iam:AddRoleToInstanceProfile","iam:ListInstanceProfilesForRole","iam:PassRole","iam:DetachRolePolicy","iam:DeleteRolePolicy","iam:GetRolePolicy","iam:GetOpenIDConnectProvider","iam:CreateOpenIDConnectProvider","iam:DeleteOpenIDConnectProvider","iam:TagOpenIDConnectProvider","iam:ListAttachedRolePolicies","iam:TagRole","iam:UntagRole","iam:GetPolicy","iam:CreatePolicy","iam:DeletePolicy","iam:ListPolicyVersions"],Resource:["arn:aws:iam::*:instance-profile/eksctl-*","arn:aws:iam::*:role/eksctl-*","arn:aws:iam::*:policy/eksctl-*","arn:aws:iam::*:oidc-provider/*","arn:aws:iam::*:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup","arn:aws:iam::*:role/eksctl-managed-*"]},{Effect:"Allow",Action:["iam:GetRole","iam:GetUser"],Resource:["arn:aws:iam::*:role/*","arn:aws:iam::*:user/*"]},{Effect:"Allow",Action:["iam:CreateServiceLinkedRole"],Resource:"*",Condition:{StringEquals:{"iam:AWSServiceName":["eks.amazonaws.com","eks-nodegroup.amazonaws.com","eks-fargate.amazonaws.com"]}}}]},_={Statement:[{Effect:"Allow",Action:["iam:CreateInstanceProfile","iam:DeleteInstanceProfile","iam:GetInstance
Profile","iam:RemoveRoleFromInstanceProfile","iam:GetRole","iam:CreateRole","iam:DeleteRole","iam:AttachRolePolicy","iam:PutRolePolicy","iam:UpdateAssumeRolePolicy","iam:AddRoleToInstanceProfile","iam:ListInstanceProfilesForRole","iam:PassRole","iam:DetachRolePolicy","iam:DeleteRolePolicy","iam:GetRolePolicy","iam:GetOpenIDConnectProvider","iam:CreateOpenIDConnectProvider","iam:DeleteOpenIDConnectProvider","iam:TagOpenIDConnectProvider","iam:ListAttachedRolePolicies","iam:TagRole","iam:UntagRole","iam:GetPolicy","iam:CreatePolicy","iam:DeletePolicy","iam:ListPolicyVersions"],Resource:["arn:aws:iam::*:role/zero-*","arn:aws:iam::*:role/zero.*","arn:aws:iam::*:policy/zero-*","arn:aws:iam::*:policy/zero.*"]},{Effect:"Allow",Action:["sts:AssumeRole","sts:TagSession"],Resource:`arn:aws:iam::${A}:role/*`}]},U={Statement:[{Effect:"Allow",Action:["eks:DescribeAddonConfiguration","eks:DescribeAddonVersions","eks:DescribeClusterVersions","eks:ListClusters","logs:DescribeLogGroups","logs:ListLogGroups"],Resource:"*"},{Effect:"Allow",Action:["eks:AccessKubernetesApi","eks:Describe*","eks:List*"],Resource:"*",Condition:{StringEquals:{"aws:ResourceTag/ManagedBy":"zero"}}},{Effect:"Allow",Action:["logs:Describe*","logs:Filter*","logs:Get*"],Resource:["arn:aws:logs:*:*:log-group:/zero/*"]}]};async function p(r,o=!1,u={}){if(!o){let c=await y(u);r.info?.(`Configuring access for account ${c}`)}let i=new P(u);await q(r,o,i,d,"Role for automated management of zero clusters",{"cluster-management-policy":G,"cluster-runtime-policy":_},{AmazonEC2FullAccess:"https://docs.aws.amazon.com/eks/latest/eksctl/minimum-iam-policies.html",AWSCloudFormationFullAccess:"https://docs.aws.amazon.com/eks/latest/eksctl/minimum-iam-policies.html"}),await q(r,o,i,f,"Role for debugging zero clusters",{"cluster-debug-policy":U})}async function q(r,o,u,i,c,k,I={}){if(o){r.info?.(`\u2022 ${i}: ${c}`),r.info?.(JSON.stringify({...k,...I},null,2)),r.info?.(`
|
|
3
|
+
`);return}try{let l=await u.send(new w({RoleName:i,Description:c,AssumeRolePolicyDocument:E({Statement:[{Effect:"Allow",Principal:{AWS:A},Action:["sts:AssumeRole","sts:TagSession"]}]})}));r.debug?.(`Created ${i}`,l.Role)}catch(l){if(l instanceof R)r.debug?.(`${i} already exists`);else throw l}for(let l of Object.keys(I))await u.send(new C({RoleName:i,PolicyArn:`arn:aws:iam::aws:policy/${l}`}));for(let[l,D]of Object.entries(k))await u.send(new O({RoleName:i,PolicyName:l,PolicyDocument:E(D)}));r.info?.(`Configured ${i}`)}var t=new B(process.env.LOG_LEVEL??"info",{},v),m;try{m=await y(),t.debug?.("AWS account ID",m)}catch(r){t.error?.(`
|
|
4
|
+
AWS account ID could not be found:
|
|
5
|
+
${String(r)}
|
|
6
|
+
|
|
7
|
+
Please run the command with the necessary environment variables:
|
|
8
|
+
https://docs.aws.amazon.com/cli/v1/userguide/cli-configure-envvars.html#envvars-list
|
|
9
|
+
|
|
10
|
+
`),N(-1)}t.info?.("");t.info?.("This command creates the roles:");t.info?.("");t.info?.(`\u2022 ${d}`);t.info?.(`\u2022 ${f}`);t.info?.("");t.info?.("These roles will be granted the permissions required to administer");t.info?.(`and debug the zero-cache cluster within your AWS account ${m}.`);t.info?.("");t.info?.("Rocicorp will use these roles to run zero-cache for you.");t.info?.("No permissions are created outside of this account.");t.info?.("");t.info?.("You can see the complete set of permissions by pressing 'p'.");t.info?.("");var j=M($,z);try{let r=await j.question("Continue? [Y/n/p] ");r.toLowerCase()==="p"&&(t.info?.(""),await p(t,!0),r=await j.question("Continue? [Y/n] ")),r!==""&&r.toLowerCase()!=="y"&&(t.info?.("Command canceled"),N(-1)),t.info?.("")}catch(r){throw r instanceof Error&&r.name==="AbortError"&&(t.info?.("Command canceled"),N(-1)),r}finally{j.close()}await p(t);t.info?.("");t.info?.(`Account ${m} is ready to run a managed cluster!`);t.info?.("");
|
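Review bot: The preview path at the top of `q` (the `if(o)` branch) prints `JSON.stringify({...k,...I},null,2)` and returns before the `AssumeRolePolicyDocument` is built, so a user who presses 'p' to "see the complete set of permissions" is shown the inline policy documents and the managed-policy names but never the trust policy that lets account `A` call `sts:AssumeRole`/`sts:TagSession` on the new role. Building the trust document once before the branch, e.g. `let trust=E({Statement:[{Effect:"Allow",Principal:{AWS:A},Action:["sts:AssumeRole","sts:TagSession"]}]});`, printing `{AssumeRolePolicyDocument:JSON.parse(trust),...k,...I}` in the preview and passing `trust` to `CreateRoleCommand` would make what the user approves match what is created. Separately, the trust policy names the whole account as principal with no condition; for a third-party cross-account role, narrowing `Principal.AWS` to a specific role ARN and/or adding an `sts:ExternalId` condition is the usual confused-deputy mitigation and seems worth considering here. Note also that `N(-1)` on the cancel and error paths yields exit status 255 rather than a conventional non-zero code such as 1.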
package/package.json
CHANGED
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "cloudzero",
|
|
3
|
-
"version": "0.0
|
|
4
|
-
"description": "Application for
|
|
5
|
-
"author": "Rocicorp,
|
|
3
|
+
"version": "0.1.0",
|
|
4
|
+
"description": "Application preparing an account for a managed Zero cluster",
|
|
5
|
+
"author": "Rocicorp, LLC",
|
|
6
6
|
"repository": {
|
|
7
7
|
"type": "git",
|
|
8
8
|
"url": "git+https://github.com/rocicorp/cloudzero.git",
|
|
@@ -32,7 +32,7 @@
|
|
|
32
32
|
"devDependencies": {
|
|
33
33
|
"@rocicorp/eslint-config": "^0.7.0",
|
|
34
34
|
"@rocicorp/prettier-config": "^0.3.0",
|
|
35
|
-
"cluster-setup": "0.0.
|
|
35
|
+
"cluster-setup": "0.0.6",
|
|
36
36
|
"esbuild": "^0.25.0",
|
|
37
37
|
"prettier": "^3.6.0",
|
|
38
38
|
"typescript": "^5.8.3"
|