aws

package
v1.1.3 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 30, 2021 License: Apache-2.0 Imports: 39 Imported by: 4

Documentation

Index

Constants

View Source 
const (
	AdminUserName        = "osdCcsAdmin"
	OsdCcsAdminStackName = "osdCcsAdminIAMUser"

	// Since CloudFormation stacks are region-dependent, we hard-code OCM's default region and
	// then use it to ensure that the user always gets the stack from the same region.
	DefaultRegion = "us-east-1"
)

Name of the AWS user that will be used to create all the resources of the cluster:

View Source 
const (
	OIDCClientIDOpenShift = "openshift"
	OIDCClientIDSTSAWS    = "sts.amazonaws.com"
)

Variables

View Source 
var AccountRoles map[string]AccountRole = map[string]AccountRole{
	"installer":             {Name: "Installer", Flag: "role-arn"},
	"instance_controlplane": {Name: "ControlPlane", Flag: "master-iam-role"},
	"instance_worker":       {Name: "Worker", Flag: "worker-iam-role"},
	"support":               {Name: "Support", Flag: "support-role-arn"},
}
View Source 
var CredentialRequests map[string]Operator = map[string]Operator{
	"machine_api_aws_cloud_credentials": {
		Name:      "aws-cloud-credentials",
		Namespace: "openshift-machine-api",
		ServiceAccountNames: []string{
			"machine-api-controllers",
		},
	},
	"cloud_credential_operator_cloud_credential_operator_iam_ro_creds": {
		Name:      "cloud-credential-operator-iam-ro-creds",
		Namespace: "openshift-cloud-credential-operator",
		ServiceAccountNames: []string{
			"cloud-credential-operator",
		},
	},
	"image_registry_installer_cloud_credentials": {
		Name:      "installer-cloud-credentials",
		Namespace: "openshift-image-registry",
		ServiceAccountNames: []string{
			"cluster-image-registry-operator",
			"registry",
		},
	},
	"ingress_operator_cloud_credentials": {
		Name:      "cloud-credentials",
		Namespace: "openshift-ingress-operator",
		ServiceAccountNames: []string{
			"ingress-operator",
		},
	},
	"cluster_csi_drivers_ebs_cloud_credentials": {
		Name:      "ebs-cloud-credentials",
		Namespace: "openshift-cluster-csi-drivers",
		ServiceAccountNames: []string{
			"aws-ebs-csi-driver-operator",
			"aws-ebs-csi-driver-controller-sa",
		},
	},
}
View Source 
var DefaultPrefix = "ManagedOpenShift"
View Source 
var JumpAccounts = map[string]string{
	"production":  "710019948333",
	"staging":     "644306948063",
	"integration": "896164604406",
}

JumpAccounts are the various of AWS accounts used for the installer jump role in the various OCM environments

View Source 
var RoleNameRE = regexp.MustCompile(`^[\w+=,.@-]+$`)
View Source 
var UserTagKeyRE = regexp.MustCompile(`^[\pL\pZ\pN_.:/=+\-@]{1,128}$`)

UserTagKeyRE , UserTagValueRE - https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html#tag-conventions

View Source 
var UserTagValueRE = regexp.MustCompile(`^[\pL\pZ\pN_.:/=+\-@]{0,256}$`)

Functions

func ARNValidator added in v1.1.1 

func ARNValidator(input interface{}) error

func CheckStackReadyForCreateCluster added in v1.0.8 

func CheckStackReadyForCreateCluster(reporter *rprtr.Object, logger *logrus.Logger)

Validations will validate if CF stack/users exist

func GetRegion 

func GetRegion(region string) (string, error)

GetRegion will return a region selected by the user or given as a default to the AWS client. If the region given is empty, it will first attempt to use the default, and, failing that, will prompt for user input.

func GetServiceQuota 

func GetServiceQuota(serviceQuotas []*servicequotas.ServiceQuota,
	quotaCode string) (*servicequotas.ServiceQuota, error)

GetServiceQuota extract service quota for the list of service quotas

func GetTagValues added in v1.1.3 

func GetTagValues(tagsValue []*iam.Tag) (roleType string, version string)

func HasDuplicateTagKey added in v1.1.2 

func HasDuplicateTagKey(tags []string) (string, bool)

func ListServiceQuotas 

func ListServiceQuotas(client *awsClient, serviceCode string) ([]*servicequotas.ServiceQuota, error)

ListServiceQuotas list available quotas for service

func MarshalRoles added in v1.1.3 

func MarshalRoles(role []Role, b *bytes.Buffer) error

func ReadPolicyDocument added in v1.1.0 

func ReadPolicyDocument(path string, args ...map[string]string) ([]byte, error)

func UserTagDuplicateValidator added in v1.1.2 

func UserTagDuplicateValidator(input interface{}) error

func UserTagValidator added in v1.1.2 

func UserTagValidator(input interface{}) error

Types

type AccessKey 

type AccessKey struct {
	AccessKeyID     string
	SecretAccessKey string
}

type AccountRole added in v1.1.0 

type AccountRole struct {
	Name string
	Flag string
}

type Client 

type Client interface {
	CheckAdminUserNotExisting(userName string) (err error)
	CheckAdminUserExists(userName string) (err error)
	CheckStackReadyOrNotExisting(stackName string) (stackReady bool, stackStatus *string, err error)
	CheckRoleExists(roleName string) (bool, error)
	GetIAMCredentials() (credentials.Value, error)
	GetRegion() string
	ValidateCredentials() (isValid bool, err error)
	EnsureOsdCcsAdminUser(stackName string, adminUserName string, awsRegion string) (bool, error)
	DeleteOsdCcsAdminUser(stackName string) error
	GetAWSAccessKeys() (*AccessKey, error)
	GetCreator() (*Creator, error)
	ValidateSCP(*string) (bool, error)
	GetSubnetIDs() ([]*ec2.Subnet, error)
	ValidateQuota() (bool, error)
	TagUserRegion(username string, region string) error
	GetClusterRegionTagForUser(username string) (string, error)
	EnsureRole(name string, policy string, permissionsBoundary string,
		version string, tagList map[string]string) (string, error)
	PutRolePolicy(roleName string, policyName string, policy string) error
	EnsurePolicy(policyArn string, document string, version string, tagList map[string]string) (string, error)
	AttachRolePolicy(roleName string, policyARN string) error
	CreateOpenIDConnectProvider(issuerURL string, thumbprint string) (string, error)
	HasOpenIDConnectProvider(issuerURL string, accountID string) (bool, error)
	FindRoleARNs(roleType string, version string) ([]string, error)
	FindPolicyARN(operator Operator, version string) (string, error)
	ListAccountRoles(version string) ([]Role, error)
}

Client defines a client interface

func GetAWSClientForUserRegion added in v1.0.8 

func GetAWSClientForUserRegion(reporter *rprtr.Object, logger *logrus.Logger) Client

* Currently user can rosa init using the region from their config or using --region When checking for cloud formation we need to check in the region used by the user

func New 

func New(
	logger *logrus.Logger,
	iamClient iamiface.IAMAPI,
	ec2Client ec2iface.EC2API,
	orgClient organizationsiface.OrganizationsAPI,
	stsClient stsiface.STSAPI,
	cfClient cloudformationiface.CloudFormationAPI,
	servicequotasClient servicequotasiface.ServiceQuotasAPI,
	awsSession *session.Session,
	awsAccessKeys *AccessKey,

) Client

type ClientBuilder 

type ClientBuilder struct {
	// contains filtered or unexported fields
}

ClientBuilder contains the information and logic needed to build a new AWS client.

func NewClient 

func NewClient() *ClientBuilder

NewClient creates a builder that can then be used to configure and build a new AWS client.

func (*ClientBuilder) AccessKeys 

func (b *ClientBuilder) AccessKeys(value *AccessKey) *ClientBuilder

func (*ClientBuilder) Build 

func (b *ClientBuilder) Build() (Client, error)

Build uses the information stored in the builder to build a new AWS client.

func (*ClientBuilder) BuildSessionWithOptions 

func (b *ClientBuilder) BuildSessionWithOptions() (*session.Session, error)

func (*ClientBuilder) BuildSessionWithOptionsCredentials 

func (b *ClientBuilder) BuildSessionWithOptionsCredentials(value *AccessKey) (*session.Session, error)

Create AWS session with a specific set of credentials

func (*ClientBuilder) Logger 

func (b *ClientBuilder) Logger(value *logrus.Logger) *ClientBuilder

Logger sets the logger that the AWS client will use to send messages to the log.

func (*ClientBuilder) Region 

func (b *ClientBuilder) Region(value string) *ClientBuilder

type Creator 

type Creator struct {
	ARN       string
	AccountID string
	IsSTS     bool
}

type Operator added in v1.1.0 

type Operator struct {
	Name                string
	Namespace           string
	ServiceAccountNames []string
}

type Policy added in v1.1.3 

type Policy struct {
	PolicyName     string         `json:"PolicyName,omitempty"`
	PolicyDocument PolicyDocument `json:"PolicyDocument,omitempty"`
}

type PolicyDocument 

type PolicyDocument struct {
	ID string `json:"Id,omitempty"`
	// Specify the version of the policy language that you want to use.
	// As a best practice, use the latest 2012-10-17 version.
	Version string `json:"Version,omitempty"`
	// Use this main policy element as a container for the following elements.
	// You can include more than one statement in a policy.
	Statement []PolicyStatement `json:"Statement"`
}

PolicyDocument models an AWS IAM policy document

type PolicyStatement 

type PolicyStatement struct {
	// Include an optional statement ID to differentiate between your statements.
	Sid string `json:"Sid,omitempty"`
	// Use `Allow` or `Deny` to indicate whether the policy allows or denies access.
	Effect string `json:"Effect"`
	// If you create a resource-based policy, you must indicate the account, user, role, or
	// federated user to which you would like to allow or deny access. If you are creating an
	// IAM permissions policy to attach to a user or role, you cannot include this element.
	// The principal is implied as that user or role.
	Principal PolicyStatementPrincipal `json:"Principal,omitempty"`
	// Include a list of actions that the policy allows or denies.
	// (i.e. ec2:StartInstances, iam:ChangePassword)
	Action interface{} `json:"Action,omitempty"`
	// If you create an IAM permissions policy, you must specify a list of resources to which
	// the actions apply. If you create a resource-based policy, this element is optional. If
	// you do not include this element, then the resource to which the action applies is the
	// resource to which the policy is attached.
	Resource interface{} `json:"Resource,omitempty"`
}

PolicyStatement models an AWS policy statement entry.

type PolicyStatementPrincipal added in v1.1.0 

type PolicyStatementPrincipal struct {
	// A service principal is an identifier that is used to grant permissions to a service.
	// The identifier for a service principal includes the service name, and is usually in the
	// following format: service-name.amazonaws.com
	Service []string `json:"Service,omitempty"`
	// You can specify an individual IAM role ARN (or array of role ARNs) as the principal.
	// In IAM roles, the Principal element in the role's trust policy specifies who can assume the role.
	// When you specify more than one principal in the element, you grant permissions to each principal.
	AWS []string `json:"AWS,omitempty"`
	// A federated principal uses a web identity token or SAML federation
	Federated string `json:"Federated,omitempty"`
}

type Role added in v1.1.3 

type Role struct {
	RoleType   string   `json:"RoleType,omitempty"`
	Version    string   `json:"Version,omitempty"`
	RolePrefix string   `json:"RolePrefix,omitempty"`
	RoleName   string   `json:"RoleName,omitempty"`
	RoleARN    string   `json:"RoleARN,omitempty"`
	Policy     []Policy `json:"Policy,omitempty"`
}

type SimulateParams 

type SimulateParams struct {
	Region string
}

SimulateParams captures any additional details that should be used when simulating permissions.

Source Files

View all Source files

Directories

Path Synopsis
Package mocks is a generated GoMock package.
 Package mocks is a generated GoMock package.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.