Index ¶
- Constants
- Variables
- func ARNPathValidator(input interface{}) error
- func ARNValidator(input interface{}) error
- func AddModeFlag(cmd *cobra.Command)
- func BuildOperatorRoleCommands(prefix string, accountID string, awsClient Client, defaultPolicyVersion string, ...) []string
- func BuildOperatorRolePolicies(prefix string, accountID string, awsClient Client, commands []string, ...) []string
- func GenerateAddonPolicyDoc(cluster *cmv1.Cluster, accountID string, cr *cmv1.CredentialRequest, ...) (string, error)
- func GenerateOperatorRolePolicyDoc(cluster *cmv1.Cluster, accountID string, operator *cmv1.STSOperator, ...) (string, error)
- func GeneratePolicyFiles(reporter *rprtr.Object, env string, generateAccountRolePolicies bool, ...) error
- func GenerateRolePolicyDoc(cluster *cmv1.Cluster, accountID, serviceAccounts, policyDetails string) (string, error)
- func GetAccountRoleName(cluster *cmv1.Cluster) (string, error)
- func GetFormattedFileName(filename string) string
- func GetJumpAccount(env string) string
- func GetMode() (string, error)
- func GetOCMRoleName(prefix string, role string, postfix string) string
- func GetOIDCProviderARN(accountID string, providerURL string) string
- func GetOperatorPolicyARN(accountID string, prefix string, namespace string, name string, path string) string
- func GetPartition() string
- func GetPathFromARN(arnStr string) (string, error)
- func GetPolicyARN(accountID string, name string, path string) string
- func GetPolicyName(prefix string, namespace string, name string) string
- func GetPrefixFromAccountRole(cluster *cmv1.Cluster) (string, error)
- func GetPrefixFromOperatorRole(cluster *cmv1.Cluster) string
- func GetRegion(region string) (string, error)
- func GetResourceIdFromARN(stringARN string) (string, error)
- func GetRoleARN(accountID string, name string, path string) string
- func GetRoleName(prefix string, role string) string
- func GetServiceQuota(serviceQuotas []*servicequotas.ServiceQuota, quotaCode string) (*servicequotas.ServiceQuota, error)
- func GetTagValues(tagsValue []*iam.Tag) (roleType string, version string)
- func GetUserRoleName(prefix string, role string, userName string) string
- func HasDuplicateTagKey(tags []string) (string, bool)
- func HasDuplicates(valSlice []string) (string, bool)
- func InterpolatePolicyDocument(doc string, replacements map[string]string) string
- func IsOCMRole(roleName *string) bool
- func ListServiceQuotas(client *awsClient, serviceCode string) ([]*servicequotas.ServiceQuota, error)
- func MarshalRoles(role []Role, b *bytes.Buffer) error
- func ParseSubnet(subnetOption string) string
- func SetModeKey(key string)
- func SetSubnetOption(subnet, zone string) string
- func SortRolesByLinkedRole(roles []Role)
- func TrimRoleSuffix(orig, sufix string) string
- func UpggradeOperatorRolePolicies(reporter *rprtr.Object, awsClient Client, accountID string, prefix string, ...) error
- func UpgradeOperatorPolicies(reporter *rprtr.Object, awsClient Client, accountID string, prefix string, ...) error
- func UserNoProxyDuplicateValidator(input interface{}) error
- func UserNoProxyValidator(input interface{}) error
- func UserTagDuplicateValidator(input interface{}) error
- func UserTagValidator(input interface{}) error
- type AccessKey
- type AccountRole
- type Client
- type ClientBuilder
- func (b *ClientBuilder) AccessKeys(value *AccessKey) *ClientBuilder
- func (b *ClientBuilder) Build() (Client, error)
- func (b *ClientBuilder) BuildSessionWithOptions() (*session.Session, error)
- func (b *ClientBuilder) BuildSessionWithOptionsCredentials(value *AccessKey) (*session.Session, error)
- func (b *ClientBuilder) Logger(value *logrus.Logger) *ClientBuilder
- func (b *ClientBuilder) Region(value string) *ClientBuilder
- type Creator
- type CustomRetryer
- type Operator
- type Policy
- type PolicyDetail
- type PolicyDocument
- type PolicyStatement
- type PolicyStatementPrincipal
- type Role
- type SimulateParams
Constants ¶
// Identity and bootstrap constants for the AWS user that creates the cluster's resources.
const (
	// AdminUserName is the name of the AWS user that will be used to create all the resources of the cluster.
	AdminUserName = "osdCcsAdmin"
	// OsdCcsAdminStackName is the CloudFormation stack name passed to EnsureOsdCcsAdminUser /
	// CheckStackReadyOrNotExisting for the admin IAM user.
	OsdCcsAdminStackName = "osdCcsAdminIAMUser"
	// Since CloudFormation stacks are region-dependent, we hard-code OCM's default region and
	// then use it to ensure that the user always gets the stack from the same region.
	DefaultRegion = "us-east-1"
	// Inline and Attached label the two ways a policy can be bound to a role
	// (presumably the PolicyDetail type tag — confirm against the callers).
	Inline   = "inline"
	Attached = "attached"
)
Name of the AWS user that will be used to create all of the cluster's resources.
// Values accepted by the mode flag (see AddModeFlag and GetMode); Modes lists both.
const (
	// ModeAuto lets the tool perform the AWS changes itself.
	ModeAuto = "auto"
	// ModeManual only emits the commands for the user to run.
	ModeManual = "manual"
)
// OIDC client IDs (audiences) for the cluster's OpenID Connect provider.
// NOTE(review): which IDs are registered on the provider is not visible here — confirm
// against the CreateOpenIDConnectProvider callers.
const (
	OIDCClientIDOpenShift = "openshift"
	OIDCClientIDSTSAWS    = "sts.amazonaws.com"
)
// Role type labels. The first four are the keys of AccountRoles; OCMRole and OCMUserRole
// label the OCM and user roles (see GetOCMRoleName and IsOCMRole).
const (
	InstallerAccountRole    = "installer"
	ControlPlaneAccountRole = "instance_controlplane"
	WorkerAccountRole       = "instance_worker"
	SupportAccountRole      = "support"
	OCMRole                 = "OCM"
	OCMUserRole             = "User"
)
Variables ¶
// ARNPath matches an IAM path: it must start and end with "/" and may only contain
// alphanumerics and further slashes in between (see ARNPathValidator).
// NOTE(review): the pattern requires two slashes, so the root path "/" on its own does
// not match while "//" does — confirm this is intended.
var ARNPath = regexp.MustCompile(`^\/[a-zA-Z0-9\/]*\/$`)
// AccountRoles maps each account role type to its display Name and the Flag
// (presumably the command-line option) through which its ARN is supplied.
var AccountRoles map[string]AccountRole = map[string]AccountRole{
	InstallerAccountRole:    {Name: "Installer", Flag: "role-arn"},
	ControlPlaneAccountRole: {Name: "ControlPlane", Flag: "controlplane-iam-role"},
	WorkerAccountRole:       {Name: "Worker", Flag: "worker-iam-role"},
	SupportAccountRole:      {Name: "Support", Flag: "support-role-arn"},
}
// DefaultPrefix is the prefix used for role and policy names when the user does not
// supply one (see GetRoleName and GetPolicyName) — confirm against the callers.
var DefaultPrefix = "ManagedOpenShift"
// JumpAccounts are the AWS accounts used for the installer jump role in the various
// OCM environments, keyed by environment name (see GetJumpAccount).
// NOTE(review): the local, local-proxy and crc environments share one account ID.
var JumpAccounts = map[string]string{
	"production":  "710019948333",
	"staging":     "644306948063",
	"integration": "896164604406",
	"local":       "765374464689",
	"local-proxy": "765374464689",
	"crc":         "765374464689",
}
JumpAccounts are the AWS accounts used for the installer jump role in the various OCM environments.
// Modes lists every value accepted for the mode flag.
var Modes = []string{ModeAuto, ModeManual}
// Base names of the policy files for the OCM admin, OCM and OCM user roles
// (presumably resolved through GetFormattedFileName — confirm).
var OCMAdminRolePolicyFile = "ocm_admin"
var OCMRolePolicyFile = "ocm"
var OCMUserRolePolicyFile = "ocm_user"
// RoleNameRE matches the character set allowed in an IAM role name: word characters
// plus "+=,.@-". It enforces no length limit; see TrimRoleSuffix for the 64-character
// truncation handled elsewhere.
var RoleNameRE = regexp.MustCompile(`^[\w+=,.@-]+$`)
// UserNoProxyRE validates a single no-proxy entry. Its alternatives accept, in order:
// a dotted-quad IPv4 address, an IPv4 address with a /0-/32 CIDR suffix, a lowercase
// DNS name made of labels of at most 63 characters, and the literal two-character
// string "" (so the user can clear the existing no-proxy value).
// NOTE(review): the leading `.?` of the domain alternative is an unescaped dot, so it
// accepts any single character (for example "-" or an uppercase letter) in front of
// the first label rather than only a literal "." — confirm whether `\.?` was intended.
// nolint
var UserNoProxyRE = regexp.MustCompile(`^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$|^(.?[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9][a-z0-9-]{0,61}[a-z0-9]$|^""$`)
The following regex combines several patterns: the first validates an IPv4 address; the second validates an IPv4 CIDR range; the third validates domain names; and the last accepts an empty string ("") so that the existing no-proxy value can be removed. nolint
// UserTagKeyRE matches an AWS tag key: 1 to 128 characters drawn from Unicode letters,
// separators and numbers plus "_.:/=+-@" (see UserTagValidator).
var UserTagKeyRE = regexp.MustCompile(`^[\pL\pZ\pN_.:/=+\-@]{1,128}$`)
UserTagKeyRE , UserTagValueRE - https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html#tag-conventions
// UserTagValueRE matches an AWS tag value: 0 to 256 characters from the same set as
// UserTagKeyRE, so an empty value is accepted.
var UserTagValueRE = regexp.MustCompile(`^[\pL\pZ\pN_.:/=+\-@]{0,256}$`)
Functions ¶
func ARNPathValidator ¶ added in v1.2.7
func ARNPathValidator(input interface{}) error
func ARNValidator ¶ added in v1.1.1
func ARNValidator(input interface{}) error
func AddModeFlag ¶ added in v1.1.6
func BuildOperatorRoleCommands ¶ added in v1.1.12
func BuildOperatorRolePolicies ¶ added in v1.2.0
func GenerateAddonPolicyDoc ¶ added in v1.2.4
func GenerateOperatorRolePolicyDoc ¶ added in v1.2.4
func GeneratePolicyFiles ¶ added in v1.1.6
func GenerateRolePolicyDoc ¶ added in v1.1.12
func GetAccountRoleName ¶ added in v1.1.6
func GetFormattedFileName ¶ added in v1.2.0
func GetJumpAccount ¶ added in v1.2.5
func GetOCMRoleName ¶ added in v1.1.7
func GetOIDCProviderARN ¶ added in v1.2.5
func GetOperatorPolicyARN ¶ added in v1.1.6
func GetPartition ¶ added in v1.2.5
func GetPartition() string
func GetPathFromARN ¶ added in v1.2.7
func GetPolicyARN ¶ added in v1.1.6
func GetPolicyName ¶ added in v1.1.6
func GetPrefixFromAccountRole ¶ added in v1.1.6
func GetPrefixFromOperatorRole ¶ added in v1.2.3
func GetRegion ¶
GetRegion returns the region selected by the user or the default given to the AWS client. If the region given is empty, it first attempts to use the default and, failing that, prompts for user input.
func GetResourceIdFromARN ¶ added in v1.2.7
GetResourceIdFromARN takes a full AWS ARN, parses it and extracts the last part of the resource field; e.g. for arn:partition:service:region:account-id:resource-type/<some-path>/resource-id it returns resource-id. An assumption is made that there is always a resource-type; if the resource-id is empty then an error is returned.
func GetRoleARN ¶ added in v1.1.6
func GetRoleName ¶ added in v1.1.6
func GetServiceQuota ¶
func GetServiceQuota(serviceQuotas []*servicequotas.ServiceQuota, quotaCode string) (*servicequotas.ServiceQuota, error)
GetServiceQuota extracts the service quota matching quotaCode from the list of service quotas.
func GetTagValues ¶ added in v1.1.3
func GetUserRoleName ¶ added in v1.1.6
func HasDuplicateTagKey ¶ added in v1.1.2
func HasDuplicates ¶ added in v1.2.3
func InterpolatePolicyDocument ¶ added in v1.2.3
func ListServiceQuotas ¶
func ListServiceQuotas(client *awsClient, serviceCode string) ([]*servicequotas.ServiceQuota, error)
ListServiceQuotas lists the available quotas for the given service code.
func ParseSubnet ¶ added in v1.2.4
ParseSubnet parses the subnet from the option chosen by the user.
func SetModeKey ¶ added in v1.1.6
func SetModeKey(key string)
func SetSubnetOption ¶ added in v1.2.4
SetSubnetOption creates a subnet option using a predefined template.
func SortRolesByLinkedRole ¶ added in v1.1.12
func SortRolesByLinkedRole(roles []Role)
func TrimRoleSuffix ¶ added in v1.2.3
Role names can be truncated if they are over 64 characters, so we need to make sure we aren't missing a truncated suffix.
func UpggradeOperatorRolePolicies ¶ added in v1.2.0
func UpgradeOperatorPolicies ¶ added in v1.1.12
func UserNoProxyDuplicateValidator ¶ added in v1.2.3
func UserNoProxyDuplicateValidator(input interface{}) error
func UserNoProxyValidator ¶ added in v1.2.3
func UserNoProxyValidator(input interface{}) error
func UserTagDuplicateValidator ¶ added in v1.1.2
func UserTagDuplicateValidator(input interface{}) error
func UserTagValidator ¶ added in v1.1.2
func UserTagValidator(input interface{}) error
Types ¶
type AccountRole ¶ added in v1.1.0
type Client ¶
type Client interface { CheckAdminUserNotExisting(userName string) (err error) CheckAdminUserExists(userName string) (err error) CheckStackReadyOrNotExisting(stackName string) (stackReady bool, stackStatus *string, err error) CheckRoleExists(roleName string) (bool, string, error) ValidateRoleARNAccountIDMatchCallerAccountID(roleARN string) error GetIAMCredentials() (credentials.Value, error) GetRegion() string ValidateCredentials() (isValid bool, err error) EnsureOsdCcsAdminUser(stackName string, adminUserName string, awsRegion string) (bool, error) DeleteOsdCcsAdminUser(stackName string) error GetAWSAccessKeys() (*AccessKey, error) GetLocalAWSAccessKeys() (*AccessKey, error) GetCreator() (*Creator, error) ValidateSCP(*string, map[string]string) (bool, error) GetSubnetIDs() ([]*ec2.Subnet, error) GetVPCPrivateSubnets(subnetID string) ([]*ec2.Subnet, error) ValidateQuota() (bool, error) TagUserRegion(username string, region string) error GetClusterRegionTagForUser(username string) (string, error) EnsureRole(name string, policy string, permissionsBoundary string, version string, tagList map[string]string, path string) (string, error) ValidateRoleNameAvailable(name string) (err error) PutRolePolicy(roleName string, policyName string, policy string) error EnsurePolicy(policyArn string, document string, version string, tagList map[string]string, path string) (string, error) AttachRolePolicy(roleName string, policyARN string) error CreateOpenIDConnectProvider(issuerURL string, thumbprint string, clusterID string) (string, error) DeleteOpenIDConnectProvider(providerURL string) error HasOpenIDConnectProvider(issuerURL string, accountID string) (bool, error) FindRoleARNs(roleType string, version string) ([]string, error) FindPolicyARN(operator Operator, version string) (string, error) ListUserRoles() ([]Role, error) ListOCMRoles() ([]Role, error) ListAccountRoles(version string) ([]Role, error) GetRoleByARN(roleARN string) (*iam.Role, error) HasCompatibleVersionTags(iamTags 
[]*iam.Tag, version string) (bool, error) DeleteOperatorRole(roles string) error GetOperatorRolesFromAccount(clusterID string, credRequests map[string]*cmv1.STSOperator) ([]string, error) GetPolicies(roles []string) (map[string][]string, error) GetAccountRolesForCurrentEnv(env string, accountID string) ([]Role, error) GetAccountRoleForCurrentEnv(env string, roleName string) (Role, error) GetAccountRoleForCurrentEnvWithPrefix(env string, rolePrefix string) ([]Role, error) DeleteAccountRole(roles string) error DeleteOCMRole(roleARN string) error DeleteUserRole(roleName string) error GetAccountRolePolicies(roles []string) (map[string][]PolicyDetail, error) GetAttachedPolicy(role *string) ([]PolicyDetail, error) HasPermissionsBoundary(roleName string) (bool, error) GetOpenIDConnectProvider(clusterID string) (string, error) GetInstanceProfilesForRole(role string) ([]string, error) IsUpgradedNeededForAccountRolePolicies(rolePrefix string, version string) (bool, error) IsUpgradedNeededForAccountRolePoliciesForCluster(clusterID *cmv1.Cluster, version string) (bool, error) IsUpgradedNeededForOperatorRolePolicies(cluster *cmv1.Cluster, accountID string, version string) (bool, error) IsUpgradedNeededForOperatorRolePoliciesUsingPrefix(rolePrefix string, accountID string, version string, credRequests map[string]*cmv1.STSOperator, path string) (bool, error) UpdateTag(roleName string, defaultPolicyVersion string) error AddRoleTag(roleName string, key string, value string) error IsPolicyCompatible(policyArn string, version string) (bool, error) GetAccountRoleVersion(roleName string) (string, error) IsPolicyExists(policyARN string) (*iam.GetPolicyOutput, error) IsRolePolicyExists(roleName string, policyName string) (*iam.GetRolePolicyOutput, error) IsAdminRole(roleName string) (bool, error) DeleteInlineRolePolicies(roleName string) error IsUserRole(roleName *string) (bool, error) GetRoleARNPath(prefix string) (string, error) DescribeAvailabilityZones() ([]string, error) }
Client defines the AWS client interface.
func CreateNewClientOrExit ¶ added in v1.1.10
func GetAWSClientForUserRegion ¶ added in v1.0.8
Currently the user can run rosa init using the region from their config or using --region. When checking for the CloudFormation stack we need to check in the region used by the user.
func New ¶
func New( logger *logrus.Logger, iamClient iamiface.IAMAPI, ec2Client ec2iface.EC2API, orgClient organizationsiface.OrganizationsAPI, stsClient stsiface.STSAPI, cfClient cloudformationiface.CloudFormationAPI, servicequotasClient servicequotasiface.ServiceQuotasAPI, awsSession *session.Session, awsAccessKeys *AccessKey, ) Client
type ClientBuilder ¶
type ClientBuilder struct {
// contains filtered or unexported fields
}
ClientBuilder contains the information and logic needed to build a new AWS client.
func NewClient ¶
func NewClient() *ClientBuilder
NewClient creates a builder that can then be used to configure and build a new AWS client.
func (*ClientBuilder) AccessKeys ¶
func (b *ClientBuilder) AccessKeys(value *AccessKey) *ClientBuilder
func (*ClientBuilder) Build ¶
func (b *ClientBuilder) Build() (Client, error)
Build uses the information stored in the builder to build a new AWS client.
func (*ClientBuilder) BuildSessionWithOptions ¶
func (b *ClientBuilder) BuildSessionWithOptions() (*session.Session, error)
func (*ClientBuilder) BuildSessionWithOptionsCredentials ¶
func (b *ClientBuilder) BuildSessionWithOptionsCredentials(value *AccessKey) (*session.Session, error)
BuildSessionWithOptionsCredentials creates an AWS session with a specific set of credentials.
func (*ClientBuilder) Logger ¶
func (b *ClientBuilder) Logger(value *logrus.Logger) *ClientBuilder
Logger sets the logger that the AWS client will use to send messages to the log.
func (*ClientBuilder) Region ¶
func (b *ClientBuilder) Region(value string) *ClientBuilder
type CustomRetryer ¶ added in v1.1.5
// CustomRetryer wraps the AWS SDK's built-in DefaultRetryer, allowing for additional
// custom features; ShouldRetry overrides the embedded behaviour.
type CustomRetryer struct {
	client.DefaultRetryer
}
CustomRetryer wraps the AWS SDK's built-in DefaultRetryer, allowing for additional custom features.
func (CustomRetryer) ShouldRetry ¶ added in v1.1.5
func (r CustomRetryer) ShouldRetry(req *request.Request) bool
ShouldRetry overrides the SDK's built-in DefaultRetryer, adding a customization not to retry on 5xx status codes.
type Policy ¶ added in v1.1.3
// Policy pairs an IAM policy name with its parsed policy document.
type Policy struct {
	// PolicyName is the IAM policy name.
	PolicyName string `json:"PolicyName,omitempty"`
	// PolicyDocument is the policy's statements.
	PolicyDocument PolicyDocument `json:"PolicyDocument,omitempty"`
}
type PolicyDetail ¶ added in v1.1.5
type PolicyDocument ¶
// PolicyDocument models an AWS IAM policy document.
type PolicyDocument struct {
	// ID is the optional policy identifier, serialized as "Id".
	ID string `json:"Id,omitempty"`
	// Specify the version of the policy language that you want to use.
	// As a best practice, use the latest 2012-10-17 version.
	Version string `json:"Version,omitempty"`
	// Use this main policy element as a container for the following elements.
	// You can include more than one statement in a policy.
	Statement []PolicyStatement `json:"Statement"`
}
PolicyDocument models an AWS IAM policy document
func NewPolicyDocument ¶ added in v1.2.3
func NewPolicyDocument() *PolicyDocument
func ParsePolicyDocument ¶ added in v1.2.3
func ParsePolicyDocument(doc string) (*PolicyDocument, error)
func (*PolicyDocument) AllowActions ¶ added in v1.2.3
func (p *PolicyDocument) AllowActions(actions ...string)
AllowActions adds a statement to the policy allowing the provided actions on all Resources. If you need a more complex statement, it is better to construct it manually.
func (*PolicyDocument) GetAllowedActions ¶ added in v1.2.3
func (p *PolicyDocument) GetAllowedActions() []string
func (*PolicyDocument) IsActionAllowed ¶ added in v1.2.3
func (p *PolicyDocument) IsActionAllowed(wanted string) bool
IsActionAllowed checks whether any of the statements in the document allows the wanted action. It does not take Resource or Principal constraints on the action into account.
func (PolicyDocument) String ¶ added in v1.2.3
func (p PolicyDocument) String() string
type PolicyStatement ¶
// PolicyStatement models an AWS policy statement entry.
type PolicyStatement struct {
	// Include an optional statement ID to differentiate between your statements.
	Sid string `json:"Sid,omitempty"`
	// Use `Allow` or `Deny` to indicate whether the policy allows or denies access.
	Effect string `json:"Effect"`
	// If you create a resource-based policy, you must indicate the account, user, role, or
	// federated user to which you would like to allow or deny access. If you are creating an
	// IAM permissions policy to attach to a user or role, you cannot include this element.
	// The principal is implied as that user or role.
	Principal *PolicyStatementPrincipal `json:"Principal,omitempty"`
	// Include a list of actions that the policy allows or denies.
	// (i.e. ec2:StartInstances, iam:ChangePassword)
	// Typed as interface{} — presumably because the JSON form may be a single string or
	// a list of strings; confirm against ParsePolicyDocument.
	Action interface{} `json:"Action,omitempty"`
	// If you create an IAM permissions policy, you must specify a list of resources to which
	// the actions apply. If you create a resource-based policy, this element is optional. If
	// you do not include this element, then the resource to which the action applies is the
	// resource to which the policy is attached.
	// Typed as interface{} for the same string-or-list reason as Action (assumed).
	Resource interface{} `json:"Resource,omitempty"`
}
PolicyStatement models an AWS policy statement entry.
func (*PolicyStatement) GetAWSPrincipals ¶ added in v1.2.3
func (p *PolicyStatement) GetAWSPrincipals() []string
type PolicyStatementPrincipal ¶ added in v1.1.0
// PolicyStatementPrincipal models the Principal element of a policy statement;
// GetAWSPrincipals reads the AWS field.
type PolicyStatementPrincipal struct {
	// A service principal is an identifier that is used to grant permissions to a service.
	// The identifier for a service principal includes the service name, and is usually in the
	// following format: service-name.amazonaws.com
	Service []string `json:"Service,omitempty"`
	// You can specify an individual IAM role ARN (or array of role ARNs) as the principal.
	// In IAM roles, the Principal element in the role's trust policy specifies who can assume the role.
	// When you specify more than one principal in the element, you grant permissions to each principal.
	// Typed as interface{} — presumably a string or a list of strings on the wire; confirm.
	AWS interface{} `json:"AWS,omitempty"`
	// A federated principal uses a web identity token or SAML federation
	Federated string `json:"Federated,omitempty"`
}
type Role ¶ added in v1.1.3
// Role is this package's view of an IAM role, as returned by ListUserRoles, ListOCMRoles
// and ListAccountRoles and serialized by MarshalRoles.
type Role struct {
	// RoleType is the role type label (see the InstallerAccountRole… and OCMRole constants — assumed).
	RoleType string `json:"RoleType,omitempty"`
	// Version is the policy version recorded on the role (see GetTagValues).
	Version string `json:"Version,omitempty"`
	// RolePrefix is the name prefix the role was created with.
	RolePrefix string `json:"RolePrefix,omitempty"`
	// RoleName is the IAM role name.
	RoleName string `json:"RoleName,omitempty"`
	// RoleARN is the full ARN of the role.
	RoleARN string `json:"RoleARN,omitempty"`
	// Linked is used by SortRolesByLinkedRole; its exact value format is not visible here.
	Linked string `json:"Linked,omitempty"`
	// Admin marks an admin role (see IsAdminRole); stored as a string, value format not visible here.
	Admin string `json:"Admin,omitempty"`
	// Policy lists the policies found on the role.
	Policy []Policy `json:"Policy,omitempty"`
}
type SimulateParams ¶
// SimulateParams captures any additional details that should be used when simulating
// permissions (see ValidateSCP).
type SimulateParams struct {
	// Region is the AWS region to simulate against.
	Region string
}
SimulateParams captures any additional details that should be used when simulating permissions.