From 5519e24e02049b8d1b0334a007146b3f463f5acd Mon Sep 17 00:00:00 2001
From: John Stange
Date: Mon, 28 Sep 2020 18:14:06 -0400
Subject: [PATCH 1/2] AWS::Function, AWS::Role: adopt and update bugfixlets
---
 modules/mu/deploy.rb | 6 +++---
 modules/mu/providers/aws/function.rb | 2 +-
 modules/mu/providers/aws/role.rb | 24 +++++++++++++++++++-----
 3 files changed, 23 insertions(+), 9 deletions(-)
diff --git a/modules/mu/deploy.rb b/modules/mu/deploy.rb
index 27e385ab6..e585c5529 100644
--- a/modules/mu/deploy.rb
+++ b/modules/mu/deploy.rb
@@ -437,10 +437,10 @@ def run
 MU.log "Failed to generate AWS cost-calculation URL. Skipping.", MU::WARN, details: "Deployment uses a feature not available in CloudFormation layer.", verbosity: MU::Logger::NORMAL
 ensure
 MU.setLogging(@verbosity)
- MU.log "Deployment #{MU.deploy_id} \"#{MU.handle}\" complete", details: deployment, verbosity: @verbosity
+ MU.log "Deployment #{MU.deploy_id} \"#{MU.handle}\" #{@updating ? "updated" : "complete"}", details: deployment, verbosity: @verbosity
 end
 else
- MU.log "Deployment #{MU.deploy_id} \"#{MU.handle}\" complete", details: deployment, verbosity: @verbosity
+ MU.log "Deployment #{MU.deploy_id} \"#{MU.handle}\" #{@updating ? "updated" : "complete"}", details: deployment, verbosity: @verbosity
 end
@@ -450,7 +450,7 @@ def run
 }
 end
- @mommacat.sendAdminSlack("Deploy completed succesfully", msg: MU.summary.join("\n"))
+ @mommacat.sendAdminSlack("Deploy #{MU.deploy_id} \"#{MU.handle}\" #{@updating ? "updated" : "complete"}", msg: MU.summary.join("\n"))
 end
 private
diff --git a/modules/mu/providers/aws/function.rb b/modules/mu/providers/aws/function.rb
index 7bd13f3af..2a4ee2cf7 100644
--- a/modules/mu/providers/aws/function.rb
+++ b/modules/mu/providers/aws/function.rb
@@ -705,7 +705,7 @@ def get_properties
 }
 if @config['tags']
 @config['tags'].each { |tag|
- lambda_properties[:tags][tag.key.first] = tag.values.first
+ lambda_properties[:tags][tag['key']] = tag['value']
 }
 end
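Review bot: The status expression `#{@updating ? "updated" : "complete"}` is now spelled out three times, twice in the two MU.log calls of this hunk and once more in the sendAdminSlack message of the `@@ -450` hunk, so the three messages can drift apart on the next edit. Computing it once before the begin/ensure, `status = @updating ? "updated" : "complete"`, and interpolating `#{status}` in all three places keeps them in step. Both hunks sit inside `run`, whose body starts before and ends after them.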
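Review bot: The new lookup `tag['key']` / `tag['value']` changes the assumed shape of each `@config['tags']` entry from a one-pair hash to a record with explicit `'key'` and `'value'` fields, and nothing in the hunk guards a missing field, so a malformed entry would store a nil key or nil value in `lambda_properties[:tags]`. If config validation upstream already guarantees both fields, a one-line comment above the `each`, `# each tag is {'key' => String, 'value' => String}`, makes that contract visible here; otherwise `next unless tag['key'] && tag['value']` at the top of the block keeps nil entries out of the request. `get_properties` starts and ends outside the hunk.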
diff --git a/modules/mu/providers/aws/role.rb b/modules/mu/providers/aws/role.rb
index 22efeff00..2bbc8a3d2 100644
--- a/modules/mu/providers/aws/role.rb
+++ b/modules/mu/providers/aws/role.rb
@@ -92,13 +92,14 @@ def groom
 configured_policies = []
 if @config['raw_policies']
+ MU.log "Attaching #{@config['raw_policies'].size.to_s} raw #{@config['raw_policies'].size > 1 ? "policies" : "policy"} to role #{@mu_name}", MU::NOTICE
 configured_policies = @config['raw_policies'].map { |p| @mu_name+"-"+p.keys.first.upcase }
 end
 if @config['attachable_policies']
- MU.log "Attaching #{@config['attachable_policies'].size.to_s} #{@config['attachable_policies'].size > 1 ? "policies" : "policy"} to role #{@mu_name}", MU::NOTICE
+ MU.log "Attaching #{@config['attachable_policies'].size.to_s} external #{@config['attachable_policies'].size > 1 ? "policies" : "policy"} to role #{@mu_name}", MU::NOTICE
 configured_policies.concat(@config['attachable_policies'].map { |p|
 id = if p.is_a?(MU::Config::Ref)
 p.cloud_id
@@ -109,17 +110,16 @@ def groom
 end
 id.gsub(/.*?\/([^:\/]+)$/, '\1')
 })
- configured_policies.each { |pol|
- }
 end
+ # Purge anything that doesn't belong
 if !@config['bare_policies']
 attached_policies = MU::Cloud::AWS.iam(credentials: @config['credentials']).list_attached_role_policies(
 role_name: @mu_name
 ).attached_policies
 attached_policies.each { |a|
 if !configured_policies.include?(a.policy_name)
- MU.log "Removing IAM policy #{a.policy_name} from role #{@mu_name}", MU::NOTICE
+ MU.log "Removing IAM policy #{a.policy_name} from role #{@mu_name}", MU::NOTICE, details: configured_policies
 MU::Cloud::AWS::Role.purgePolicy(a.policy_arn, @config['credentials'])
 end
 }
@@ -137,7 +137,7 @@ def groom
 if !@config['bare_policies'] and (@config['raw_policies'] or @config['attachable_policies'])
- bindTo("role", @mu_name)
+# bindTo("role", @mu_name)
 end
 end
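Review bot: The added log line interpolates `@config['raw_policies'].size.to_s` inside `#{}`, where `.to_s` is redundant because interpolation already stringifies; `#{@config['raw_policies'].size}` reads cleaner, and the same applies to the rewritten attachable-policies log line below it. More importantly, the raw-policy name that feeds the purge check in the `@@ -109` hunk is built here as `@mu_name+"-"+p.keys.first.upcase`, while the `@@ -153` hunk builds the name of the policy actually created as `basename+"-"+policy.keys.first.upcase`, with `basename: @deploy.getResourceName(@config['name'])` supplied from the `@@ -814` hunk; if those two prefixes ever differ, every raw policy would be reported as not belonging and purged on the next groom. A single class-level helper such as `def self.rawPolicyName(basename, policy)` returning `basename+"-"+policy.keys.first.upcase`, called from both sites, would make the agreement structural rather than coincidental. `groom` starts before this hunk and continues past it.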
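Review bot: Replacing `bindTo("role", @mu_name)` with a column-0 `# bindTo("role", @mu_name)` leaves commented-out code with no record of why, and a reader of `groom` cannot tell from this hunk whether the attachment now happens elsewhere (the `@@ -814` hunk adds raw-policy handling inside `bindTo`, but nothing visible shows who calls it for the role). Either delete the line, or keep it with a why-comment naming the actual caller, e.g. `# role attachment is now done by bindTo from <caller>`. Note that the purge loop earlier in `groom` still removes every attached policy absent from `configured_policies`, so if nothing else attaches the configured raw and attachable policies, the role would be left without them after each groom. `groom`'s body begins before this hunk.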
@@ -153,6 +153,7 @@ def self.manageRawPolicies(raw_policies, basename: "", credentials: nil, path: "
 policy.values.each { |p|
 p["Version"] ||= "2012-10-17"
 }
+ policy_name = basename+"-"+policy.keys.first.upcase
 arn = "arn:"+(MU::Cloud::AWS.isGovCloud? ? "aws-us-gov" : "aws")+":iam::"+MU::Cloud::AWS.credToAcct(credentials)+":policy#{path}/#{policy_name}"
@@ -814,6 +815,19 @@ def bindTo(entitytype, entityname)
 }
 end
+ if @config['raw_policies']
+ raw_arns = MU::Cloud::AWS::Role.manageRawPolicies(
+ @config['raw_policies'],
+ basename: @deploy.getResourceName(@config['name']),
+ credentials: @credentials
+ )
+ raw_arns.each { |p_arn|
+ mypolicies << MU::Cloud::AWS.iam(credentials: @config['credentials']).get_policy(
+ policy_arn: p_arn
+ ).policy
+ }
+ end
+
 mypolicies.each { |p|
 if entitytype == "user"
 resp = MU::Cloud::AWS.iam(credentials: @config['credentials']).list_attached_user_policies(
From 0d96c963901213d3516b90c668d5778f2c445eb7 Mon Sep 17 00:00:00 2001
From: John Stange
Date: Tue, 29 Sep 2020 16:00:35 -0400
Subject: [PATCH 2/2] nudge versions for a minor bugfix release
---
 cloud-mu.gemspec | 4 ++--
 modules/Gemfile.lock | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/cloud-mu.gemspec b/cloud-mu.gemspec
index 8e37ff486..0d27da775 100644
--- a/cloud-mu.gemspec
+++ b/cloud-mu.gemspec
@@ -17,8 +17,8 @@ end
 Gem::Specification.new do |s|
 s.name = 'cloud-mu'
- s.version = '3.3.0'
- s.date = '2020-09-22'
+ s.version = '3.3.1'
+ s.date = '2020-09-29'
 s.require_paths = ['modules']
 s.required_ruby_version = '>= 2.4'
 s.summary = "The eGTLabs Mu toolkit for unified cloud deployments"
diff --git a/modules/Gemfile.lock b/modules/Gemfile.lock
index faf6c59db..c5fe34fba 100644
--- a/modules/Gemfile.lock
+++ b/modules/Gemfile.lock
@@ -10,7 +10,7 @@ GIT
 PATH
 remote: ..
 specs:
- cloud-mu (3.3.0)
+ cloud-mu (3.3.1)
 addressable (~> 2.5)
 aws-sdk-core (< 3)
 azure_sdk (~> 0.52)
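Review bot: The new block in `bindTo` passes `credentials: @credentials` to `manageRawPolicies` but `credentials: @config['credentials']` to the `get_policy` lookup a few lines later; unless those two are guaranteed to resolve to the same account, the policies would be created under one set of credentials and looked up under another, and `get_policy` would fail to find the ARN it was just handed. Using the same source for both, `credentials: @config['credentials']` on the manageRawPolicies call as the rest of the hunk does, removes the ambiguity. The per-ARN `get_policy` round-trip also costs one IAM call per raw policy; if `manageRawPolicies` could hand back the policy objects it already touched, the loop would go away, but that depends on its return shape, which is outside this hunk. `bindTo` starts before this hunk and continues after it.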