modules/mu/clouds/aws/role.rb in cloud-mu-2.0.4 vs modules/mu/clouds/aws/role.rb in cloud-mu-2.1.0beta
- old
+ new
@@ -28,10 +28,11 @@
def initialize(mommacat: nil, kitten_cfg: nil, mu_name: nil, cloud_id: nil)
@deploy = mommacat
@config = MU::Config.manxify(kitten_cfg)
@cloud_id ||= cloud_id
@mu_name = mu_name
+ @cloud_id ||= @mu_name # should be the same
@mu_name ||= @deploy.getResourceName(@config["name"])
end
# Called automatically by {MU::Deploy#createResources}
def create
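Review bot: The new fallback `@cloud_id ||= @mu_name` is evaluated one line before `@mu_name ||= @deploy.getResourceName(@config["name"])`, so a Role built without an explicit mu_name still ends up with @cloud_id nil, contradicting the `# should be the same` comment next to it. Swap the two lines so the fallback sees the derived name: `@mu_name ||= @deploy.getResourceName(@config["name"])` followed by `@cloud_id ||= @mu_name`. With the order as committed the only case the new line helps is when the caller already passed mu_name, which is also the case where cloud_id was most likely passed too. initialize is entirely inside this hunk.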
@@ -52,12 +53,14 @@
}
end
if !@config['bare_policies']
MU.log "Creating IAM role #{@mu_name}"
+ @cloud_id = @mu_name
+ path = @config['strip_path'] ? nil : "/"+@deploy.deploy_id+"/"
resp = MU::Cloud::AWS.iam(credentials: @config['credentials']).create_role(
- path: "/"+@deploy.deploy_id+"/",
+ path: nil,
role_name: @mu_name,
description: "Generated by Mu",
assume_role_policy_document: gen_role_policy_doc,
tags: get_tag_params
)
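Review bot: The `path` local computed from `@config['strip_path']` is never used — `create_role` is called with a hard-coded `path: nil`, so every role is now created at the root path regardless of the option, which is the opposite of what the `strip_path` schema entry (default false) documents. Pass the computed value instead: `path: path,`. Dropping the path also changes the role ARN from `arn:aws:iam::<acct>:role/<deploy_id>/<name>` to `role/<name>`, so any policy, trust relationship or condition that matched on the deploy path would silently stop covering these roles; if the unconditional drop is intended it deserves a sentence in the commit message rather than an unused variable. create begins before this hunk.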
@@ -126,10 +129,11 @@
version = MU::Cloud::AWS.iam(credentials: @config['credentials']).get_policy_version(
policy_arn: arn,
version_id: desc.policy.default_version_id
)
+
if version.policy_version.document != URI.encode(JSON.generate(policy.values.first), /[^a-z0-9\-]/i)
MU.log "Updating IAM policy #{policy_name}", MU::NOTICE, details: policy.values.first
update_policy(arn, policy.values.first)
MU::Cloud::AWS.iam(credentials: @config['credentials']).get_policy(policy_arn: arn)
else
@@ -194,10 +198,11 @@
).policy
}
end
end
+ desc['cloud_id'] ||= @cloud_id
desc
end
# Return the metadata for this user cofiguration
@@ -214,10 +219,11 @@
if !policy.match(/^#{@deploy.deploy_id}/)
policy = @mu_name+"-"+policy.upcase
end
my_policies = cloud_desc["policies"]
+ my_policies ||= []
my_policies.each { |p|
if p.policy_name == policy
old = MU::Cloud::AWS.iam(credentials: @config['credentials']).get_policy_version(
policy_arn: p.arn,
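Review bot: Style: the added `my_policies ||= []` reads as a repair after the fact; folding it into the assignment, `my_policies = cloud_desc["policies"] || []`, states the intent in one place. The guard only covers a nil `policies` key — if `cloud_desc` itself can be nil here the `[]` on the line above still raises before the guard is reached, which I cannot tell from the hunk. The enclosing method starts outside the hunk.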
@@ -561,10 +567,15 @@
schema = {
"tags" => MU::Config.tags_primitive,
"optional_tags" => MU::Config.optional_tags_primitive,
"policies" => self.condition_schema,
+ "strip_path" => {
+ "type" => "boolean",
+ "default" => false,
+ "description" => "Normally we namespace IAM roles with a +path+ set to match our +deploy_id+; this disables that behavior. Temporary workaround for a bug in EKS/IAM integration."
+ },
"import" => {
"items" => {
"description" => "Can be a shorthand reference to a canned IAM policy like +AdministratorAccess+, or a full ARN like +arn:aws:iam::aws:policy/AmazonESCognitoAccess+"
}
},
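Review bot: The `strip_path` description tells the operator why the knob exists but not what it changes for them, and that is the part a policy author needs: with the path stripped the role ARN no longer contains the deploy_id, so policies or trust relationships scoped with a `role/<deploy_id>/*` resource pattern will not match it. I would extend the description with something like `Roles created with this option live at the root IAM path, so their ARN is role/<name> rather than role/<deploy_id>/<name>; any policy scoped by the deploy path must be adjusted.` and point the "temporary workaround" at the tracking issue so the flag can be retired. The schema hash continues past the end of this hunk.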
@@ -732,11 +743,16 @@
name: target["identifier"],
type: target["type"]
)
if sibling
id = sibling.cloudobj.arn
- id += target["path"] if target["path"]
+ id.sub!(/:([^:]+)$/, ":"+target["path"]) if target["path"]
doc["Statement"].first["Resource"] << id
+ if id.match(/:log-group:/)
+ stream_id = id.sub(/:([^:]+)$/, ":log-stream:*")
+# "arn:aws:logs:us-east-2:accountID:log-group:log_group_name:log-stream:CloudTrail_log_stream_name_prefix*"
+ doc["Statement"].first["Resource"] << stream_id
+ end
else
raise MuError, "Couldn't find a #{target["entity_type"]} named #{target["identifier"]} when generating IAM policy"
end
else
target["identifier"] += target["path"] if target["path"]
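Review bot: `stream_id = id.sub(/:([^:]+)$/, ":log-stream:*")` replaces the last ARN segment instead of appending to it, so for a log-group ARN ending in `:log-group:my-group` it yields `...:log-group:log-stream:*` — the group name is gone and the result is not the `log-group:<name>:log-stream:*` form the comment on the following line shows, so the added Resource entry does not actually grant access to that group's streams; `stream_id = id + ":log-stream:*"` produces the intended ARN. Separately, `id.sub!(...)` on the line replacing the old `id +=` mutates the string in place, and if `sibling.cloudobj.arn` returns its stored string rather than a copy the sibling's ARN is permanently rewritten with the path for every later policy generated against it — use the non-bang form, `id = id.sub(/:([^:]+)\z/, ":"+target["path"])`. The `\z` anchor is also preferable to `$` for whole-string matching, though an ARN is unlikely to contain a newline. The enclosing method continues beyond the hunk.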