Documentation ¶
Index ¶
- Constants
- Variables
- func ARNValidator(input interface{}) error
- func CheckStackReadyForCreateCluster(reporter *rprtr.Object, logger *logrus.Logger)
- func GetRegion(region string) (string, error)
- func GetServiceQuota(serviceQuotas []*servicequotas.ServiceQuota, quotaCode string) (*servicequotas.ServiceQuota, error)
- func HasDuplicateTagKey(tags []string) (string, bool)
- func ListServiceQuotas(client *awsClient, serviceCode string) ([]*servicequotas.ServiceQuota, error)
- func ReadPolicyDocument(path string, args ...map[string]string) ([]byte, error)
- func UserTagDuplicateValidator(input interface{}) error
- func UserTagValidator(input interface{}) error
- type AccessKey
- type AccountRole
- type Client
- type ClientBuilder
- func (b *ClientBuilder) AccessKeys(value *AccessKey) *ClientBuilder
- func (b *ClientBuilder) Build() (Client, error)
- func (b *ClientBuilder) BuildSessionWithOptions() (*session.Session, error)
- func (b *ClientBuilder) BuildSessionWithOptionsCredentials(value *AccessKey) (*session.Session, error)
- func (b *ClientBuilder) Logger(value *logrus.Logger) *ClientBuilder
- func (b *ClientBuilder) Region(value string) *ClientBuilder
- type Creator
- type Operator
- type PolicyDocument
- type PolicyStatement
- type PolicyStatementPrincipal
- type SimulateParams
Constants ¶
const ( AdminUserName = "osdCcsAdmin" OsdCcsAdminStackName = "osdCcsAdminIAMUser" // Since CloudFormation stacks are region-dependent, we hard-code OCM's default region and // then use it to ensure that the user always gets the stack from the same region. DefaultRegion = "us-east-1" )
Name of the AWS user that will be used to create all the resources of the cluster:
const ( OIDCClientIDOpenShift = "openshift" OIDCClientIDSTSAWS = "sts.amazonaws.com" )
Variables ¶
var AccountRoles map[string]AccountRole = map[string]AccountRole{
"installer": {Name: "Installer", Flag: "role-arn"},
"instance_controlplane": {Name: "ControlPlane", Flag: "master-iam-role"},
"instance_worker": {Name: "Worker", Flag: "worker-iam-role"},
"support": {Name: "Support", Flag: "support-role-arn"},
}
var CredentialRequests map[string]Operator = map[string]Operator{ "machine_api_aws_cloud_credentials": { Name: "aws-cloud-credentials", Namespace: "openshift-machine-api", ServiceAccountNames: []string{ "machine-api-controllers", }, }, "cloud_credential_operator_cloud_credential_operator_iam_ro_creds": { Name: "cloud-credential-operator-iam-ro-creds", Namespace: "openshift-cloud-credential-operator", ServiceAccountNames: []string{ "cloud-credential-operator", }, }, "image_registry_installer_cloud_credentials": { Name: "installer-cloud-credentials", Namespace: "openshift-image-registry", ServiceAccountNames: []string{ "cluster-image-registry-operator", "registry", }, }, "ingress_operator_cloud_credentials": { Name: "cloud-credentials", Namespace: "openshift-ingress-operator", ServiceAccountNames: []string{ "ingress-operator", }, }, "cluster_csi_drivers_ebs_cloud_credentials": { Name: "ebs-cloud-credentials", Namespace: "openshift-cluster-csi-drivers", ServiceAccountNames: []string{ "aws-ebs-csi-driver-operator", "aws-ebs-csi-driver-controller-sa", }, }, }
var DefaultPrefix = "ManagedOpenShift"
var JumpAccounts = map[string]string{
"production": "710019948333",
"staging": "644306948063",
"integration": "896164604406",
}
JumpAccounts are the various of AWS accounts used for the installer jump role in the various OCM environments
var RoleNameRE = regexp.MustCompile(`^[\w+=,.@-]+$`)
var UserTagKeyRE = regexp.MustCompile(`^[A-Za-zÀ-ȕ0-9_.:/=+\-@]{1,128}$`)
UserTagKeyRE , UserTagValueRE - https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html#tag-conventions
var UserTagValueRE = regexp.MustCompile(`^[A-Za-zÀ-ȕ0-9_.:/=+\-@]{0,256}$`)
Functions ¶
func ARNValidator ¶ added in v1.1.1
func ARNValidator(input interface{}) error
func CheckStackReadyForCreateCluster ¶ added in v1.0.8
Validations will validate if CF stack/users exist
func GetRegion ¶
GetRegion will return a region selected by the user or given as a default to the AWS client. If the region given is empty, it will first attempt to use the default, and, failing that, will prompt for user input.
func GetServiceQuota ¶
func GetServiceQuota(serviceQuotas []*servicequotas.ServiceQuota, quotaCode string) (*servicequotas.ServiceQuota, error)
GetServiceQuota extract service quota for the list of service quotas
func HasDuplicateTagKey ¶ added in v1.1.2
func ListServiceQuotas ¶
func ListServiceQuotas(client *awsClient, serviceCode string) ([]*servicequotas.ServiceQuota, error)
ListServiceQuotas list available quotas for service
func ReadPolicyDocument ¶ added in v1.1.0
func UserTagDuplicateValidator ¶ added in v1.1.2
func UserTagDuplicateValidator(input interface{}) error
func UserTagValidator ¶ added in v1.1.2
func UserTagValidator(input interface{}) error
Types ¶
type AccountRole ¶ added in v1.1.0
type Client ¶
type Client interface { CheckAdminUserNotExisting(userName string) (err error) CheckAdminUserExists(userName string) (err error) CheckStackReadyOrNotExisting(stackName string) (stackReady bool, stackStatus *string, err error) CheckRoleExists(roleName string) (bool, error) GetIAMCredentials() (credentials.Value, error) GetRegion() string ValidateCredentials() (isValid bool, err error) EnsureOsdCcsAdminUser(stackName string, adminUserName string, awsRegion string) (bool, error) DeleteOsdCcsAdminUser(stackName string) error GetAWSAccessKeys() (*AccessKey, error) GetCreator() (*Creator, error) ValidateSCP(*string) (bool, error) GetSubnetIDs() ([]*ec2.Subnet, error) ValidateQuota() (bool, error) TagUserRegion(username string, region string) error GetClusterRegionTagForUser(username string) (string, error) EnsureRole(name string, policy string, permissionsBoundary string, version string, tagList map[string]string) (string, error) PutRolePolicy(roleName string, policyName string, policy string) error EnsurePolicy(policyArn string, document string, version string, tagList map[string]string) (string, error) AttachRolePolicy(roleName string, policyARN string) error CreateOpenIDConnectProvider(issuerURL string, thumbprint string) (string, error) HasOpenIDConnectProvider(issuerURL string, accountID string) (bool, error) FindRoleARNs(roleType string, version string) ([]string, error) FindPolicyARN(operator Operator, version string) (string, error) }
Client defines a client interface
func GetAWSClientForUserRegion ¶ added in v1.0.8
* Currently user can rosa init using the region from their config or using --region When checking for cloud formation we need to check in the region used by the user
func New ¶
func New( logger *logrus.Logger, iamClient iamiface.IAMAPI, ec2Client ec2iface.EC2API, orgClient organizationsiface.OrganizationsAPI, stsClient stsiface.STSAPI, cfClient cloudformationiface.CloudFormationAPI, servicequotasClient servicequotasiface.ServiceQuotasAPI, awsSession *session.Session, awsAccessKeys *AccessKey, ) Client
type ClientBuilder ¶
type ClientBuilder struct {
// contains filtered or unexported fields
}
ClientBuilder contains the information and logic needed to build a new AWS client.
func NewClient ¶
func NewClient() *ClientBuilder
NewClient creates a builder that can then be used to configure and build a new AWS client.
func (*ClientBuilder) AccessKeys ¶
func (b *ClientBuilder) AccessKeys(value *AccessKey) *ClientBuilder
func (*ClientBuilder) Build ¶
func (b *ClientBuilder) Build() (Client, error)
Build uses the information stored in the builder to build a new AWS client.
func (*ClientBuilder) BuildSessionWithOptions ¶
func (b *ClientBuilder) BuildSessionWithOptions() (*session.Session, error)
func (*ClientBuilder) BuildSessionWithOptionsCredentials ¶
func (b *ClientBuilder) BuildSessionWithOptionsCredentials(value *AccessKey) (*session.Session, error)
Create AWS session with a specific set of credentials
func (*ClientBuilder) Logger ¶
func (b *ClientBuilder) Logger(value *logrus.Logger) *ClientBuilder
Logger sets the logger that the AWS client will use to send messages to the log.
func (*ClientBuilder) Region ¶
func (b *ClientBuilder) Region(value string) *ClientBuilder
type PolicyDocument ¶
type PolicyDocument struct { ID string `json:"Id,omitempty"` // Specify the version of the policy language that you want to use. // As a best practice, use the latest 2012-10-17 version. Version string `json:"Version,omitempty"` // Use this main policy element as a container for the following elements. // You can include more than one statement in a policy. Statement []PolicyStatement `json:"Statement"` }
PolicyDocument models an AWS IAM policy document
type PolicyStatement ¶
type PolicyStatement struct { // Include an optional statement ID to differentiate between your statements. Sid string `json:"Sid,omitempty"` // Use `Allow` or `Deny` to indicate whether the policy allows or denies access. Effect string `json:"Effect"` // If you create a resource-based policy, you must indicate the account, user, role, or // federated user to which you would like to allow or deny access. If you are creating an // IAM permissions policy to attach to a user or role, you cannot include this element. // The principal is implied as that user or role. Principal PolicyStatementPrincipal `json:"Principal"` // Include a list of actions that the policy allows or denies. // (i.e. ec2:StartInstances, iam:ChangePassword) Action []string `json:"Action"` // If you create an IAM permissions policy, you must specify a list of resources to which // the actions apply. If you create a resource-based policy, this element is optional. If // you do not include this element, then the resource to which the action applies is the // resource to which the policy is attached. Resource []string `json:"Resource"` }
PolicyStatement models an AWS policy statement entry.
type PolicyStatementPrincipal ¶ added in v1.1.0
type PolicyStatementPrincipal struct { // A service principal is an identifier that is used to grant permissions to a service. // The identifier for a service principal includes the service name, and is usually in the // following format: service-name.amazonaws.com Service []string `json:"Service"` // You can specify an individual IAM role ARN (or array of role ARNs) as the principal. // In IAM roles, the Principal element in the role's trust policy specifies who can assume the role. // When you specify more than one principal in the element, you grant permissions to each principal. AWS []string `json:"AWS"` // A federated principal uses a web identity token or SAML federation Federated string `json:"Federated"` }
type SimulateParams ¶
type SimulateParams struct {
Region string
}
SimulateParams captures any additional details that should be used when simulating permissions.