Merge pull request #195 from cloudamatic/development

AWS::Role: Be sure we're binding custom inline policies properly on groom

AWS::Lambda: Adopt tags correctly

mu-deploy Slightly more informative console and Slack messages on completion

cloud-mu.gemspec

@@ -17,8 +17,8 @@ end
 
 Gem::Specification.new do |s|
   s.name        = 'cloud-mu'
-  s.version     = '3.3.0'
-  s.date        = '2020-09-22'
+  s.version     = '3.3.1'
+  s.date        = '2020-09-29'
   s.require_paths = ['modules']
   s.required_ruby_version = '>= 2.4'
   s.summary     = "The eGTLabs Mu toolkit for unified cloud deployments"

modules/Gemfile.lock

@@ -10,7 +10,7 @@ GIT
 PATH
   remote: ..
   specs:
-    cloud-mu (3.3.0)
+    cloud-mu (3.3.1)
       addressable (~> 2.5)
       aws-sdk-core (< 3)
       azure_sdk (~> 0.52)

modules/mu/deploy.rb

@@ -437,10 +437,10 @@ def run
           MU.log "Failed to generate AWS cost-calculation URL. Skipping.", MU::WARN, details: "Deployment uses a feature not available in CloudFormation layer.", verbosity: MU::Logger::NORMAL
         ensure
           MU.setLogging(@verbosity)
-          MU.log "Deployment #{MU.deploy_id} \"#{MU.handle}\" complete", details: deployment, verbosity: @verbosity
+          MU.log "Deployment #{MU.deploy_id} \"#{MU.handle}\" #{@updating ? "updated" : "complete"}", details: deployment, verbosity: @verbosity
         end
       else
-        MU.log "Deployment #{MU.deploy_id} \"#{MU.handle}\" complete", details: deployment, verbosity: @verbosity
+        MU.log "Deployment #{MU.deploy_id} \"#{MU.handle}\" #{@updating ? "updated" : "complete"}", details: deployment, verbosity: @verbosity
       end
 
 
@@ -450,7 +450,7 @@ def run
         }
       end
 
-      @mommacat.sendAdminSlack("Deploy completed succesfully", msg: MU.summary.join("\n"))
+      @mommacat.sendAdminSlack("Deploy #{MU.deploy_id} \"#{MU.handle}\" #{@updating ? "updated" : "complete"}", msg: MU.summary.join("\n"))
     end
 
     private

modules/mu/providers/aws/function.rb

@@ -705,7 +705,7 @@ def get_properties
           }
           if @config['tags']
             @config['tags'].each { |tag|
-              lambda_properties[:tags][tag.key.first] = tag.values.first
+              lambda_properties[:tags][tag['key']] = tag['value']
             }
           end
 

modules/mu/providers/aws/role.rb

@@ -92,13 +92,14 @@ def groom
             configured_policies = []
 
             if @config['raw_policies']
+              MU.log "Attaching #{@config['raw_policies'].size.to_s} raw #{@config['raw_policies'].size > 1 ? "policies" : "policy"} to role #{@mu_name}", MU::NOTICE
               configured_policies = @config['raw_policies'].map { |p|
                 @mu_name+"-"+p.keys.first.upcase
               }
             end
 
             if @config['attachable_policies']
-              MU.log "Attaching #{@config['attachable_policies'].size.to_s} #{@config['attachable_policies'].size > 1 ? "policies" : "policy"} to role #{@mu_name}", MU::NOTICE
+              MU.log "Attaching #{@config['attachable_policies'].size.to_s} external #{@config['attachable_policies'].size > 1 ? "policies" : "policy"} to role #{@mu_name}", MU::NOTICE
               configured_policies.concat(@config['attachable_policies'].map { |p|
                 id = if p.is_a?(MU::Config::Ref)
                   p.cloud_id
@@ -109,17 +110,16 @@ def groom
                 end
                 id.gsub(/.*?\/([^:\/]+)$/, '\1')
               })
-              configured_policies.each { |pol|
-              }
             end
 
+            # Purge anything that doesn't belong
             if !@config['bare_policies']
               attached_policies = MU::Cloud::AWS.iam(credentials: @config['credentials']).list_attached_role_policies(
                 role_name: @mu_name
               ).attached_policies
               attached_policies.each { |a|
                 if !configured_policies.include?(a.policy_name)
-                  MU.log "Removing IAM policy #{a.policy_name} from role #{@mu_name}", MU::NOTICE
+                  MU.log "Removing IAM policy #{a.policy_name} from role #{@mu_name}", MU::NOTICE, details: configured_policies
                   MU::Cloud::AWS::Role.purgePolicy(a.policy_arn, @config['credentials'])
                 end
               }
@@ -137,7 +137,7 @@ def groom
 
           if !@config['bare_policies'] and
              (@config['raw_policies'] or @config['attachable_policies'])
-            bindTo("role", @mu_name)
+#            bindTo("role", @mu_name)
           end
         end
 
@@ -153,6 +153,7 @@ def self.manageRawPolicies(raw_policies, basename: "", credentials: nil, path: "
             policy.values.each { |p|
               p["Version"] ||= "2012-10-17"
             }
+
             policy_name = basename+"-"+policy.keys.first.upcase
 
             arn = "arn:"+(MU::Cloud::AWS.isGovCloud? ? "aws-us-gov" : "aws")+":iam::"+MU::Cloud::AWS.credToAcct(credentials)+":policy#{path}/#{policy_name}"
@@ -814,6 +815,19 @@ def bindTo(entitytype, entityname)
               }
             end
 
+            if @config['raw_policies']
+              raw_arns = MU::Cloud::AWS::Role.manageRawPolicies(
+                @config['raw_policies'],
+                basename: @deploy.getResourceName(@config['name']),
+                credentials: @credentials
+              )
+              raw_arns.each { |p_arn|
+                mypolicies << MU::Cloud::AWS.iam(credentials: @config['credentials']).get_policy(
+                  policy_arn: p_arn
+                ).policy
+              }
+            end
+
             mypolicies.each { |p|
               if entitytype == "user"
                 resp = MU::Cloud::AWS.iam(credentials: @config['credentials']).list_attached_user_policies(