account

Published: Oct 24, 2024 License: Apache-2.0 Imports: 37 Imported by: 0


Constants

const (

	// Account state strings. Each constant names the stage an account is in,
	// as described by the comment above it.

	// AccountPending indicates an account is pending.
	AccountPending = "Pending"
	// AccountCreating indicates an account is being created.
	AccountCreating = "Creating"
	// AccountFailed indicates account creation has failed.
	AccountFailed = "Failed"
	// AccountInitializingRegions indicates we've kicked off the process of creating and terminating
	// instances in all supported regions.
	AccountInitializingRegions = "InitializingRegions"
	// AccountReady indicates account creation is ready.
	AccountReady = "Ready"
	// AccountPendingVerification indicates verification (of AWS limits and Enterprise Support) is pending.
	AccountPendingVerification = "PendingVerification"
	// AccountOptingInRegions indicates region enablement for supported Opt-In regions is in progress.
	AccountOptingInRegions = "OptingInRegions"
	// AccountOptInRegionEnabled indicates that supported Opt-In regions have been enabled.
	AccountOptInRegionEnabled = "OptInRegionsEnabled"

	// Concurrency limits imposed by AWS that the operator stays within.

	// MaxOpenQuotaRequests is the number of service quota requests we are allowed to open concurrently in AWS.
	MaxOpenQuotaRequests = 20

	// MaxOptInRegionRequest is the maximum number of regions that AWS allows to be concurrently enabled.
	MaxOptInRegionRequest = 6
	// MaxAccountRegionEnablement is the maximum number of AWS accounts allowed to enable all regions simultaneously.
	MaxAccountRegionEnablement = 9
)
// EXECUTABLEBY is the executable-by filter value used when retrieving AMIs;
// "all" selects AMIs that are executable by everyone.
// NOTE(review): this filter alone says nothing about who published the AMI;
// RetrieveAmi also takes an amiOwner argument — confirm the owner filter is
// always applied alongside it.
const EXECUTABLEBY = "all"

Constants used to retrieve instance types and AMIs: the AMIs we use should be executable by everyone.

// T2INSTANCETYPE is the t2.micro instance type; T2 and T3 micro instances
// are free to start (see RetrieveAvailableMicroInstanceType).
const T2INSTANCETYPE = "t2.micro"
// T3INSTANCETYPE is the t3.micro instance type; T2 and T3 micro instances
// are free to start (see RetrieveAvailableMicroInstanceType).
const T3INSTANCETYPE = "t3.micro"

T3 and T2 micro instances are free to start.

Variables

// AssumeRoleAndCreateClient is a package-level indirection to
// stsclient.AssumeRoleAndCreateClient. Because it is a mutable var rather
// than a direct call, it can be reassigned at runtime (presumably so tests
// can substitute a fake — verify against the package's tests).
var AssumeRoleAndCreateClient = stsclient.AssumeRoleAndCreateClient

Functions

func AttachAdminUserPolicy

func AttachAdminUserPolicy(client awsclient.Client, iamUser *iam.User) (*iam.AttachUserPolicyOutput, error)

AttachAdminUserPolicy attaches the AdministratorAccess policy to a target user. Takes an AWS client for the target account and a pointer to the target IAM user.

func CalculateOptingInRegionAccounts

func CalculateOptingInRegionAccounts(reqLogger logr.Logger, c client.Client) (int, error)

func ClaimAccount

func ClaimAccount(r *AccountReconciler, currentAcctInstance *awsv1alpha1.Account) error

func CleanUpIAM

func CleanUpIAM(reqLogger logr.Logger, awsClient awsclient.Client, accountCR *awsv1alpha1.Account) error

func CreateAccount

func CreateAccount(reqLogger logr.Logger, client awsclient.Client, accountName, accountEmail string) (*organizations.DescribeCreateAccountStatusOutput, error)

CreateAccount creates an AWS account for the specified accountName and accountEmail in the organization

func CreateEC2Instance

func CreateEC2Instance(reqLogger logr.Logger, account *awsv1alpha1.Account, client awsclient.Client, instanceInfo awsv1alpha1.AmiSpec, managedTags []awsclient.AWSTag, customerTags []awsclient.AWSTag, customerKmsKeyId string) (string, error)

CreateEC2Instance creates ec2 instance and returns its instance ID

func CreateIAMUser

func CreateIAMUser(reqLogger logr.Logger, client awsclient.Client, userName string) (*iam.CreateUserOutput, error)

CreateIAMUser creates a new IAM user in the target AWS account. Takes a logger, an AWS client for the target account, and the desired IAM username.

func CreateRole

func CreateRole(reqLogger logr.Logger, byocRole string, accessArnList []string, byocAWSClient awsclient.Client, tags []*iam.Tag) (string, error)

CreateRole creates the role with the correct assume policy for BYOC for a given roleName

func CreateSecret

func CreateSecret(name string, namespace string, data map[string][]byte) *corev1.Secret

CreateSecret takes in a secret name, the namespace to store the secret in, and a map from string to byte slice, and returns a corev1.Secret to store.

func CreateUserAccessKey

func CreateUserAccessKey(client awsclient.Client, iamUser *iam.User) (*iam.CreateAccessKeyOutput, error)

CreateUserAccessKey creates a new IAM access key in AWS and returns an *iam.CreateAccessKeyOutput containing the access key and secret.

func DeleteIAMUsers

func DeleteIAMUsers(reqLogger logr.Logger, awsClient awsclient.Client, accountCR *awsv1alpha1.Account) error

func DeleteRole

func DeleteRole(reqLogger logr.Logger, byocRole string, byocAWSClient awsclient.Client) error

DeleteRole deletes an existing role from AWS and handles the error

func DescribeEC2Instances

func DescribeEC2Instances(reqLogger logr.Logger, client awsclient.Client, instanceID string) (int, error)

DescribeEC2Instances returns the InstanceState code

func DetachPolicyFromRole

func DetachPolicyFromRole(reqLogger logr.Logger, policy *iam.AttachedPolicy, byocRole string, byocAWSClient awsclient.Client) error

DetachPolicyFromRole detaches a given AttachedPolicy from a role

func GenerateAccountCR

func GenerateAccountCR(namespace string) *awsv1alpha1.Account

GenerateAccountCR returns a new account CR struct.

func GenerateAccountCRName

func GenerateAccountCRName(uuid string) string

GenerateAccountCRName returns a formatted Account CR name.

func GetAttachedPolicies

func GetAttachedPolicies(reqLogger logr.Logger, byocRole string, byocAWSClient awsclient.Client) (*iam.ListAttachedRolePoliciesOutput, error)

GetAttachedPolicies gets a list of policies attached to a role

func GetExistingRole

func GetExistingRole(reqLogger logr.Logger, byocRole string, byocAWSClient awsclient.Client) (*iam.GetRoleOutput, error)

GetExistingRole checks to see if a given role exists in the AWS account already. If it does not, we return an empty response and nil for an error. If it does, we return the existing role. Otherwise, we return any error we get.

func GetOptInRegionStatus

func GetOptInRegionStatus(reqLogger logr.Logger, awsClientBuilder awsclient.IBuilder, awsSetupClient awsclient.Client, currentAcctInstance *awsv1alpha1.Account, client client.Client) (reconcile.Result, error)

func GetServiceQuotaRequest

func GetServiceQuotaRequest(reqLogger logr.Logger, awsClientBuilder awsclient.IBuilder, awsSetupClient awsclient.Client, currentAcctInstance *awsv1alpha1.Account, client client.Client) (reconcile.Result, error)

func HandleOptInRegionRequests

func HandleOptInRegionRequests(reqLogger logr.Logger, awsClient awsclient.Client, optInRegion string, optInRegionRequest *awsv1alpha1.OptInRegionStatus, currentAcctInstance *awsv1alpha1.Account) error

func HandleServiceQuotaRequests

func HandleServiceQuotaRequests(reqLogger logr.Logger, awsClient awsclient.Client, quotaCode awsv1alpha1.SupportedServiceQuotas, serviceQuotaStatus *awsv1alpha1.ServiceQuotaStatus) error

func ListEC2InstanceStatus

func ListEC2InstanceStatus(reqLogger logr.Logger, client awsclient.Client) (*ec2.DescribeInstanceStatusOutput, error)

ListEC2InstanceStatus returns a slice of EC2 instance statuses

func RegionNeedsOptIn

func RegionNeedsOptIn(reqLogger logr.Logger, client awsclient.Client, regionCode string) (bool, error)

func RetrieveAmi

func RetrieveAmi(awsClient awsclient.Client, amiOwner string) (string, error)

func RetrieveAvailableMicroInstanceType

func RetrieveAvailableMicroInstanceType(logger logr.Logger, awsClient awsclient.Client) (string, error)

RetrieveAvailableMicroInstanceType gets the free instance type for the client's region.

func SetCurrentAccountServiceQuotas

func SetCurrentAccountServiceQuotas(reqLogger logr.Logger, awsClientBuilder awsclient.IBuilder, awsSetupClient awsclient.Client, currentAcctInstance *awsv1alpha1.Account, client client.Client) error

SetCurrentAccountServiceQuotas takes any service quotas defined in the account CR spec and builds them out in the status. The structs for the service quotas in spec and status differ: the spec uses a 'default' region to reduce configuration complexity, whereas the status lists all regions and their service quota values, as that is easier to iterate over.

func SetOptRegionStatus

func SetOptRegionStatus(reqLogger logr.Logger, optInRegions []string, currentAcctInstance *awsv1alpha1.Account) error

func TagAccount

func TagAccount(awsSetupClient awsclient.Client, awsAccountID string, shardName string) error

func TerminateEC2Instance

func TerminateEC2Instance(reqLogger logr.Logger, client awsclient.Client, instanceID string) error

TerminateEC2Instance terminates the ec2 instance from the instanceID provided

func UpdateServiceQuotaRequests

func UpdateServiceQuotaRequests(reqLogger logr.Logger, awsClientBuilder awsclient.IBuilder, awsSetupClient awsclient.Client, currentAcctInstance *awsv1alpha1.Account, client client.Client, serviceQuotaRequests awsv1alpha1.RegionalServiceQuotas, count int) error

Types

type AccountReconciler

// AccountReconciler reconciles an Account object.
type AccountReconciler struct {
	// Embedded Kubernetes client; its methods are promoted onto the reconciler.
	client.Client
	// Scheme is the runtime scheme the reconciler uses for the types it handles.
	Scheme *runtime.Scheme
	// contains filtered or unexported fields
}

AccountReconciler reconciles an Account object.

func (*AccountReconciler) BuildAccount

func (r *AccountReconciler) BuildAccount(reqLogger logr.Logger, awsClient awsclient.Client, account *awsv1alpha1.Account) (string, error)

BuildAccount takes all parameters required and uses them to make an AWS call to CreateAccount. It returns an account ID and an error.

func (*AccountReconciler) BuildAndDestroyEC2Instances

func (r *AccountReconciler) BuildAndDestroyEC2Instances(
	reqLogger logr.Logger,
	account *awsv1alpha1.Account,
	awsClient awsclient.Client,
	instanceInfo awsv1alpha1.AmiSpec,
	managedTags []awsclient.AWSTag,
	customerTags []awsclient.AWSTag,
	kmsKeyId string) error

BuildAndDestroyEC2Instances runs an ec2 instance and terminates it

func (*AccountReconciler) BuildIAMUser

func (r *AccountReconciler) BuildIAMUser(reqLogger logr.Logger, awsClient awsclient.Client, account *awsv1alpha1.Account, iamUserName string, nameSpace string) (*string, error)

BuildIAMUser creates and initializes all resources needed for a new IAM user. Takes a logger, an AWS client, an Account CR, the desired IAM username, and a namespace to create resources in.

func (*AccountReconciler) CreateSecret

func (r *AccountReconciler) CreateSecret(reqLogger logr.Logger, account *awsv1alpha1.Account, secret *corev1.Secret) error

CreateSecret creates a secret for placing IAM credentials. Takes a logger, the Account CR that will own the secret, and a pointer to the secret object to store.

func (*AccountReconciler) DoesSecretExist

func (r *AccountReconciler) DoesSecretExist(namespacedName types.NamespacedName) (bool, error)

DoesSecretExist checks to see if a given secret exists

func (*AccountReconciler) GetSREAccessARN

func (r *AccountReconciler) GetSREAccessARN(reqLogger logr.Logger, arnName string) (string, error)

func (*AccountReconciler) HandleNonCCSPendingVerification

func (r *AccountReconciler) HandleNonCCSPendingVerification(reqLogger logr.Logger, currentAcctInstance *awsv1alpha1.Account, awsSetupClient awsclient.Client) (reconcile.Result, error)

func (*AccountReconciler) InitializeRegion

func (r *AccountReconciler) InitializeRegion(
	reqLogger logr.Logger,
	account *awsv1alpha1.Account,
	region string,
	amiOwner string,
	vCPUQuota float64,
	ec2Notifications chan string,
	ec2Errors chan regionInitializationError,
	creds *sts.AssumeRoleOutput,
	managedTags []awsclient.AWSTag,
	customerTags []awsclient.AWSTag,
	kmsKeyId string,
) error

InitializeRegion sets up a connection to the AWS `region` and then creates and terminates an EC2 instance if necessary

func (*AccountReconciler) InitializeSupportedRegions

func (r *AccountReconciler) InitializeSupportedRegions(reqLogger logr.Logger, account *awsv1alpha1.Account, regions []awsv1alpha1.AwsRegions, creds *sts.AssumeRoleOutput, amiOwner string)

InitializeSupportedRegions concurrently calls InitializeRegion to create instances in all supported regions. This should ensure we don't see any AWS API "PendingVerification" errors when launching instances. NOTE: This function does not return anything. In particular, error conditions from the goroutines are logged but do not result in a failure up the stack.

func (*AccountReconciler) Reconcile

func (r *AccountReconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctrl.Result, error)

Reconcile reads the state of the cluster for an Account object and makes changes based on the state read and what is in the Account.Spec. The Controller will requeue the Request to be processed again if the returned error is non-nil or Result.Requeue is true; otherwise, upon completion, it will remove the work from the queue.

func (*AccountReconciler) RotateIAMAccessKeys

func (r *AccountReconciler) RotateIAMAccessKeys(reqLogger logr.Logger, awsClient awsclient.Client, account *awsv1alpha1.Account, iamUser *iam.User) (*iam.CreateAccessKeyOutput, error)

RotateIAMAccessKeys will delete all AWS access keys assigned to the user and recreate them

func (*AccountReconciler) SetupWithManager

func (r *AccountReconciler) SetupWithManager(mgr ctrl.Manager) error

SetupWithManager sets up the controller with the Manager.

type PolicyDocument

// PolicyDocument represents the JSON object of an AWS IAM policy document.
type PolicyDocument struct {
	// Version is the policy language version string.
	Version   string
	// Statement holds the policy's statements, one StatementEntry each.
	Statement []StatementEntry
}

PolicyDocument represents the JSON object of an AWS Policy Document.

type StatementEntry

// StatementEntry represents the JSON of a single statement in a policy document.
type StatementEntry struct {
	// Effect is the statement effect ("Allow" or "Deny" in IAM policy JSON).
	Effect   string
	// Action lists the IAM actions the statement applies to.
	Action   []string
	// Resource is a single resource string; this struct does not model the
	// JSON array form of the Resource element.
	// NOTE(review): wildcard values in Action or Resource broaden the grant;
	// confirm the callers that build these entries constrain them.
	Resource string
}

StatementEntry represents the JSON of a statement in a policy document.
