Documentation
¶
Index ¶
- Constants
- Variables
- func ARNValidator(input interface{}) error
- func AddModeFlag(cmd *cobra.Command)
- func BuildOperatorRoleCommands(prefix string, accountID string, awsClient Client) []string
- func BuildOperatorRolePolicies(prefix string, accountID string, awsClient Client, commands []string) []string
- func CheckStackReadyForCreateCluster(reporter *rprtr.Object, logger *logrus.Logger)
- func FindMissingOperatorRolesForUpgrade(cluster *cmv1.Cluster, newMinorVersion string) (map[string]Operator, error)
- func GeneratePolicyFiles(reporter *rprtr.Object, env string, generateAccountRolePolicies bool, ...) error
- func GenerateRolePolicyDoc(cluster *cmv1.Cluster, accountID string, operator Operator, ...) (string, error)
- func GetAccountRoleName(cluster *cmv1.Cluster) (string, error)
- func GetFormattedFileName(filename string) string
- func GetMode() (string, error)
- func GetOCMRoleName(prefix string, role string, postfix string) string
- func GetOperatorPolicyARN(accountID string, prefix string, namespace string, name string) string
- func GetOperatorRoleName(cluster *cmv1.Cluster, operator Operator) string
- func GetPolicyARN(accountID string, name string) string
- func GetPolicyName(prefix string, namespace string, name string) string
- func GetPrefixFromAccountRole(cluster *cmv1.Cluster) (string, error)
- func GetRegion(region string) (string, error)
- func GetRoleARN(accountID string, name string) string
- func GetRoleName(prefix string, role string) string
- func GetRolePolicyDocument(file string, args ...map[string]string) ([]byte, error)
- func GetServiceQuota(serviceQuotas []*servicequotas.ServiceQuota, quotaCode string) (*servicequotas.ServiceQuota, error)
- func GetTagValues(tagsValue []*iam.Tag) (roleType string, version string)
- func GetUserRoleName(prefix string, role string, userName string) string
- func HasDuplicateTagKey(tags []string) (string, bool)
- func IsOCMRole(roleName *string) bool
- func ListServiceQuotas(client *awsClient, serviceCode string) ([]*servicequotas.ServiceQuota, error)
- func MarshalRoles(role []Role, b *bytes.Buffer) error
- func ReadPolicyDocument(path string, args ...map[string]string) ([]byte, error)
- func RoleARNToRoleName(roleARN string) (string, error)
- func SaveDocument(doc []byte, filename string) error
- func SetModeKey(key string)
- func SortRolesByLinkedRole(roles []Role)
- func UpggradeOperatorRolePolicies(reporter *rprtr.Object, awsClient Client, accountID string, prefix string, ...) error
- func UpgradeOperatorPolicies(reporter *rprtr.Object, awsClient Client, accountID string, prefix string, ...) error
- func UserTagDuplicateValidator(input interface{}) error
- func UserTagValidator(input interface{}) error
- type AccessKey
- type AccountRole
- type Client
- type ClientBuilder
- func (b *ClientBuilder) AccessKeys(value *AccessKey) *ClientBuilder
- func (b *ClientBuilder) Build() (Client, error)
- func (b *ClientBuilder) BuildSessionWithOptions() (*session.Session, error)
- func (b *ClientBuilder) BuildSessionWithOptionsCredentials(value *AccessKey) (*session.Session, error)
- func (b *ClientBuilder) Logger(value *logrus.Logger) *ClientBuilder
- func (b *ClientBuilder) Region(value string) *ClientBuilder
- type Creator
- type CustomRetryer
- type Operator
- type Policy
- type PolicyDetail
- type PolicyDocument
- type PolicyStatement
- type PolicyStatementPrincipal
- type Role
- type SimulateParams
Constants ¶
View Source
const ( AdminUserName = "osdCcsAdmin" OsdCcsAdminStackName = "osdCcsAdminIAMUser" // Since CloudFormation stacks are region-dependent, we hard-code OCM's default region and // then use it to ensure that the user always gets the stack from the same region. DefaultRegion = "us-east-1" Inline = "inline" Attached = "attached" )
Name of the AWS user that will be used to create all the resources of the cluster:
View Source
const ( ModeAuto = "auto" ModeManual = "manual" )
View Source
const ( OIDCClientIDOpenShift = "openshift" OIDCClientIDSTSAWS = "sts.amazonaws.com" )
View Source
const ( InstallerAccountRole = "installer" ControlPlaneAccountRole = "instance_controlplane" WorkerAccountRole = "instance_worker" SupportAccountRole = "support" OCMRole = "OCM" OCMUserRole = "User" )
Variables ¶
View Source
var AccountRoles map[string]AccountRole = map[string]AccountRole{ InstallerAccountRole: {Name: "Installer", Flag: "role-arn"}, ControlPlaneAccountRole: {Name: "ControlPlane", Flag: "controlplane-iam-role"}, WorkerAccountRole: {Name: "Worker", Flag: "worker-iam-role"}, SupportAccountRole: {Name: "Support", Flag: "support-role-arn"}, }
View Source
var CredentialRequests map[string]Operator = map[string]Operator{ "machine_api_aws_cloud_credentials": { Name: "aws-cloud-credentials", Namespace: "openshift-machine-api", ServiceAccountNames: []string{ "machine-api-controllers", }, }, "cloud_credential_operator_cloud_credential_operator_iam_ro_creds": { Name: "cloud-credential-operator-iam-ro-creds", Namespace: "openshift-cloud-credential-operator", ServiceAccountNames: []string{ "cloud-credential-operator", }, }, "image_registry_installer_cloud_credentials": { Name: "installer-cloud-credentials", Namespace: "openshift-image-registry", ServiceAccountNames: []string{ "cluster-image-registry-operator", "registry", }, }, "ingress_operator_cloud_credentials": { Name: "cloud-credentials", Namespace: "openshift-ingress-operator", ServiceAccountNames: []string{ "ingress-operator", }, }, "cluster_csi_drivers_ebs_cloud_credentials": { Name: "ebs-cloud-credentials", Namespace: "openshift-cluster-csi-drivers", ServiceAccountNames: []string{ "aws-ebs-csi-driver-operator", "aws-ebs-csi-driver-controller-sa", }, }, "cloud_network_config_controller_cloud_credentials": { Name: "cloud-credentials", Namespace: "openshift-cloud-network-config-controller", ServiceAccountNames: []string{ "cloud-network-config-controller", }, MinVersion: "4.10", }, }
View Source
var DefaultPolicyVersion = "4.10"
View Source
var DefaultPrefix = "ManagedOpenShift"
View Source
var JumpAccounts = map[string]string{
"production": "710019948333",
"staging": "644306948063",
"integration": "896164604406",
}
JumpAccounts are the various of AWS accounts used for the installer jump role in the various OCM environments
View Source
var Modes = []string{ModeAuto, ModeManual}
View Source
var OCMAdminRolePolicyFile = "ocm_admin"
View Source
var OCMRolePolicyFile = "ocm"
View Source
var OCMUserRolePolicyFile = "ocm_user"
View Source
var RoleNameRE = regexp.MustCompile(`^[\w+=,.@-]+$`)
View Source
var UserTagKeyRE = regexp.MustCompile(`^[\pL\pZ\pN_.:/=+\-@]{1,128}$`)
UserTagKeyRE , UserTagValueRE - https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html#tag-conventions
View Source
var UserTagValueRE = regexp.MustCompile(`^[\pL\pZ\pN_.:/=+\-@]{0,256}$`)
Functions ¶
func ARNValidator ¶ added in v1.1.1
func ARNValidator(input interface{}) error
func AddModeFlag ¶ added in v1.1.6
func BuildOperatorRoleCommands ¶ added in v1.1.12
func BuildOperatorRolePolicies ¶ added in v1.2.0
func CheckStackReadyForCreateCluster ¶ added in v1.0.8
Validations will validate if CF stack/users exist
func FindMissingOperatorRolesForUpgrade ¶ added in v1.1.12
func GeneratePolicyFiles ¶ added in v1.1.6
func GenerateRolePolicyDoc ¶ added in v1.1.12
func GetAccountRoleName ¶ added in v1.1.6
func GetFormattedFileName ¶ added in v1.2.0
func GetOCMRoleName ¶ added in v1.1.7
func GetOperatorPolicyARN ¶ added in v1.1.6
func GetOperatorRoleName ¶ added in v1.1.6
func GetPolicyARN ¶ added in v1.1.6
func GetPolicyName ¶ added in v1.1.6
func GetPrefixFromAccountRole ¶ added in v1.1.6
func GetRegion ¶
GetRegion will return a region selected by the user or given as a default to the AWS client. If the region given is empty, it will first attempt to use the default, and, failing that, will prompt for user input.
func GetRoleARN ¶ added in v1.1.6
func GetRoleName ¶ added in v1.1.6
func GetRolePolicyDocument ¶ added in v1.2.0
func GetServiceQuota ¶
func GetServiceQuota(serviceQuotas []*servicequotas.ServiceQuota, quotaCode string) (*servicequotas.ServiceQuota, error)
GetServiceQuota extract service quota for the list of service quotas
func GetTagValues ¶ added in v1.1.3
func GetUserRoleName ¶ added in v1.1.6
func HasDuplicateTagKey ¶ added in v1.1.2
func ListServiceQuotas ¶
func ListServiceQuotas(client *awsClient, serviceCode string) ([]*servicequotas.ServiceQuota, error)
ListServiceQuotas list available quotas for service
func ReadPolicyDocument ¶ added in v1.1.0
func RoleARNToRoleName ¶ added in v1.1.10
func SaveDocument ¶ added in v1.1.6
func SetModeKey ¶ added in v1.1.6
func SetModeKey(key string)
func SortRolesByLinkedRole ¶ added in v1.1.12
func SortRolesByLinkedRole(roles []Role)
func UpggradeOperatorRolePolicies ¶ added in v1.2.0
func UpgradeOperatorPolicies ¶ added in v1.1.12
func UserTagDuplicateValidator ¶ added in v1.1.2
func UserTagDuplicateValidator(input interface{}) error
func UserTagValidator ¶ added in v1.1.2
func UserTagValidator(input interface{}) error
Types ¶
type AccountRole ¶ added in v1.1.0
type Client ¶
type Client interface {
CheckAdminUserNotExisting(userName string) (err error)
CheckAdminUserExists(userName string) (err error)
CheckStackReadyOrNotExisting(stackName string) (stackReady bool, stackStatus *string, err error)
CheckRoleExists(roleName string) (bool, string, error)
ValidateRoleARNAccountIDMatchCallerAccountID(roleARN string) error
GetIAMCredentials() (credentials.Value, error)
GetRegion() string
ValidateCredentials() (isValid bool, err error)
EnsureOsdCcsAdminUser(stackName string, adminUserName string, awsRegion string) (bool, error)
DeleteOsdCcsAdminUser(stackName string) error
GetAWSAccessKeys() (*AccessKey, error)
GetCreator() (*Creator, error)
ValidateSCP(*string, map[string]string) (bool, error)
GetSubnetIDs() ([]*ec2.Subnet, error)
ValidateQuota() (bool, error)
TagUserRegion(username string, region string) error
GetClusterRegionTagForUser(username string) (string, error)
EnsureRole(name string, policy string, permissionsBoundary string,
version string, tagList map[string]string) (string, error)
ValidateRoleNameAvailable(name string) (err error)
PutRolePolicy(roleName string, policyName string, policy string) error
EnsurePolicy(policyArn string, document string, version string, tagList map[string]string) (string, error)
AttachRolePolicy(roleName string, policyARN string) error
CreateOpenIDConnectProvider(issuerURL string, thumbprint string, clusterID string) (string, error)
DeleteOpenIDConnectProvider(providerURL string) error
HasOpenIDConnectProvider(issuerURL string, accountID string) (bool, error)
FindRoleARNs(roleType string, version string) ([]string, error)
FindPolicyARN(operator Operator, version string) (string, error)
ListUserRoles() ([]Role, error)
ListOCMRoles() ([]Role, error)
ListAccountRoles(version string) ([]Role, error)
GetRoleByARN(roleARN string) (*iam.Role, error)
HasCompatibleVersionTags(iamTags []*iam.Tag, version string) (bool, error)
DeleteOperatorRole(roles string) error
GetOperatorRolesFromAccount(clusterID string) ([]string, error)
GetPolicies(roles []string) (map[string][]string, error)
GetAccountRolesForCurrentEnv(env string, accountID string) ([]Role, error)
GetAccountRoleForCurrentEnv(env string, roleName string) (Role, error)
GetAccountRoleForCurrentEnvWithPrefix(env string, rolePrefix string) ([]Role, error)
DeleteAccountRole(roles string) error
DeleteOCMRole(roleARN string) error
DeleteUserRole(roleName string) error
GetAccountRolePolicies(roles []string) (map[string][]PolicyDetail, error)
GetAttachedPolicy(role *string) ([]PolicyDetail, error)
HasPermissionsBoundary(roleName string) (bool, error)
GetOpenIDConnectProvider(clusterID string) (string, error)
GetInstanceProfilesForRole(role string) ([]string, error)
IsUpgradedNeededForAccountRolePolicies(rolePrefix string, version string) (bool, error)
IsUpgradedNeededForOperatorRolePolicies(cluster *cmv1.Cluster, accountID string, version string) (bool, error)
IsUpgradedNeededForOperatorRolePoliciesUsingPrefix(rolePrefix string, accountID string, version string) (bool, error)
UpdateTag(roleName string) error
AddRoleTag(roleName string, key string, value string) error
IsPolicyCompatible(policyArn string, version string) (bool, error)
GetAccountRoleVersion(roleName string) (string, error)
IsPolicyExists(policyARN string) (*iam.GetPolicyOutput, error)
IsRolePolicyExists(roleName string, policyName string) (*iam.GetRolePolicyOutput, error)
IsAdminRole(roleName string) (bool, error)
DeleteInlineRolePolicies(roleName string) error
IsUserRole(roleName *string) (bool, error)
}
Client defines a client interface
func CreateNewClientOrExit ¶ added in v1.1.10
func GetAWSClientForUserRegion ¶ added in v1.0.8
* Currently user can rosa init using the region from their config or using --region When checking for cloud formation we need to check in the region used by the user
func New ¶
func New( logger *logrus.Logger, iamClient iamiface.IAMAPI, ec2Client ec2iface.EC2API, orgClient organizationsiface.OrganizationsAPI, stsClient stsiface.STSAPI, cfClient cloudformationiface.CloudFormationAPI, servicequotasClient servicequotasiface.ServiceQuotasAPI, awsSession *session.Session, awsAccessKeys *AccessKey, ) Client
type ClientBuilder ¶
type ClientBuilder struct {
// contains filtered or unexported fields
}
ClientBuilder contains the information and logic needed to build a new AWS client.
func NewClient ¶
func NewClient() *ClientBuilder
NewClient creates a builder that can then be used to configure and build a new AWS client.
func (*ClientBuilder) AccessKeys ¶
func (b *ClientBuilder) AccessKeys(value *AccessKey) *ClientBuilder
func (*ClientBuilder) Build ¶
func (b *ClientBuilder) Build() (Client, error)
Build uses the information stored in the builder to build a new AWS client.
func (*ClientBuilder) BuildSessionWithOptions ¶
func (b *ClientBuilder) BuildSessionWithOptions() (*session.Session, error)
func (*ClientBuilder) BuildSessionWithOptionsCredentials ¶
func (b *ClientBuilder) BuildSessionWithOptionsCredentials(value *AccessKey) (*session.Session, error)
Create AWS session with a specific set of credentials
func (*ClientBuilder) Logger ¶
func (b *ClientBuilder) Logger(value *logrus.Logger) *ClientBuilder
Logger sets the logger that the AWS client will use to send messages to the log.
func (*ClientBuilder) Region ¶
func (b *ClientBuilder) Region(value string) *ClientBuilder
type CustomRetryer ¶ added in v1.1.5
type CustomRetryer struct {
client.DefaultRetryer
}
CustomRetryer wraps the aws SDK's built in DefaultRetryer allowing for additional custom features
func (CustomRetryer) ShouldRetry ¶ added in v1.1.5
func (r CustomRetryer) ShouldRetry(req *request.Request) bool
ShouldRetry overrides the SDK's built in DefaultRetryer adding customization to not retry 5xx status codes.
type Policy ¶ added in v1.1.3
type Policy struct {
PolicyName string `json:"PolicyName,omitempty"`
PolicyDocument PolicyDocument `json:"PolicyDocument,omitempty"`
}
type PolicyDetail ¶ added in v1.1.5
type PolicyDocument ¶
type PolicyDocument struct {
ID string `json:"Id,omitempty"`
// Specify the version of the policy language that you want to use.
// As a best practice, use the latest 2012-10-17 version.
Version string `json:"Version,omitempty"`
// Use this main policy element as a container for the following elements.
// You can include more than one statement in a policy.
Statement []PolicyStatement `json:"Statement"`
}
PolicyDocument models an AWS IAM policy document
type PolicyStatement ¶
type PolicyStatement struct {
// Include an optional statement ID to differentiate between your statements.
Sid string `json:"Sid,omitempty"`
// Use `Allow` or `Deny` to indicate whether the policy allows or denies access.
Effect string `json:"Effect"`
// If you create a resource-based policy, you must indicate the account, user, role, or
// federated user to which you would like to allow or deny access. If you are creating an
// IAM permissions policy to attach to a user or role, you cannot include this element.
// The principal is implied as that user or role.
Principal PolicyStatementPrincipal `json:"Principal,omitempty"`
// Include a list of actions that the policy allows or denies.
// (i.e. ec2:StartInstances, iam:ChangePassword)
Action interface{} `json:"Action,omitempty"`
// If you create an IAM permissions policy, you must specify a list of resources to which
// the actions apply. If you create a resource-based policy, this element is optional. If
// you do not include this element, then the resource to which the action applies is the
// resource to which the policy is attached.
Resource interface{} `json:"Resource,omitempty"`
}
PolicyStatement models an AWS policy statement entry.
type PolicyStatementPrincipal ¶ added in v1.1.0
type PolicyStatementPrincipal struct {
// A service principal is an identifier that is used to grant permissions to a service.
// The identifier for a service principal includes the service name, and is usually in the
// following format: service-name.amazonaws.com
Service []string `json:"Service,omitempty"`
// You can specify an individual IAM role ARN (or array of role ARNs) as the principal.
// In IAM roles, the Principal element in the role's trust policy specifies who can assume the role.
// When you specify more than one principal in the element, you grant permissions to each principal.
AWS interface{} `json:"AWS,omitempty"`
// A federated principal uses a web identity token or SAML federation
Federated string `json:"Federated,omitempty"`
}
type Role ¶ added in v1.1.3
type Role struct {
RoleType string `json:"RoleType,omitempty"`
Version string `json:"Version,omitempty"`
RolePrefix string `json:"RolePrefix,omitempty"`
RoleName string `json:"RoleName,omitempty"`
RoleARN string `json:"RoleARN,omitempty"`
Linked string `json:"Linked,omitempty"`
Admin string `json:"Admin,omitempty"`
Policy []Policy `json:"Policy,omitempty"`
}
type SimulateParams ¶
type SimulateParams struct {
Region string
}
SimulateParams captures any additional details that should be used when simulating permissions.
Source Files
¶
Directories
Click to show internal directories.
Click to hide internal directories.