Constants

// Identifiers and defaults shared by the AWS helpers in this package.
const (
	// AdminUserName is the name of the AWS IAM user used to create the cluster's resources
	// (see the EnsureOsdCcsAdminUser / DeleteOsdCcsAdminUser methods on Client).
	AdminUserName        = "osdCcsAdmin"
	// OsdCcsAdminStackName names the CloudFormation stack that manages that user;
	// presumably the stackName argument handed to EnsureOsdCcsAdminUser — confirm in the implementation.
	OsdCcsAdminStackName = "osdCcsAdminIAMUser"

	// Since CloudFormation stacks are region-dependent, we hard-code OCM's default region and
	// then use it to ensure that the user always gets the stack from the same region.
	DefaultRegion = "us-east-1"
	// Inline and Attached label the two kinds of IAM role policy; presumably the values
	// stored in PolicyDetail.PolicType — confirm against the implementation.
	Inline        = "inline"
	Attached      = "attached"
)

Name of the AWS user that will be used to create all the resources of the cluster.

// Accepted values of the mode setting; presumably the flag registered by AddModeFlag and
// read back by GetMode — confirm in those functions.
const (
	// ModeAuto lets the CLI create the resources itself.
	ModeAuto   = "auto"
	// ModeManual leaves resource creation to the user.
	ModeManual = "manual"
)
// OIDC client identifiers used by this package. OIDCClientIDSTSAWS is the audience value AWS STS
// expects for web-identity federation; how these are consumed (trust policies, provider setup)
// is not visible on this page — confirm in the implementation.
const (
	OIDCClientIDOpenShift = "openshift"
	OIDCClientIDSTSAWS    = "sts.amazonaws.com"
)
// Keys identifying the classic account-role types, their hosted-control-plane (HCP)
// counterparts, and the OCM role kinds. The account-role keys index the AccountRoles and
// HCPAccountRoles maps below. Note that each HCP key has the same string value as the
// corresponding classic key, so the two families cannot be told apart by value alone.
const (
	InstallerAccountRole    = "installer"
	ControlPlaneAccountRole = "instance_controlplane"
	WorkerAccountRole       = "instance_worker"
	SupportAccountRole      = "support"

	HCPInstallerRole = "installer"
	HCPWorkerRole    = "instance_worker"
	HCPSupportRole   = "support"

	OCMRole     = "OCM"
	OCMUserRole = "User"
)
// Keys for the installer's permission policies in the policies map
// (map[string]*cmv1.AWSSTSPolicy) that GetManagedPolicyARN and GetPolicyDetails look up.
const (
	InstallerCoreKey        = "sts_installer_core_permission_policy"
	InstallerVPCKey         = "sts_installer_vpc_permission_policy"
	InstallerPrivateLinkKey = "sts_installer_privatelink_permission_policy"
)
// ReadOnlyAnonUserPolicyTemplate is, per its name, a policy template granting anonymous read
// access. The 220-byte literal is not rendered on this page, so check the resource scope it
// grants in the source before reusing it; presumably paired with
// Client.PutPublicReadObjectInS3Bucket — confirm.
const ReadOnlyAnonUserPolicyTemplate = `` /* 220-byte string literal not displayed */
// SecretsManager is the service segment used in AWS Secrets Manager ARNs
// ("arn:partition:secretsmanager:..."); presumably what GetResourceIdFromSecretArn checks — confirm.
const (
	SecretsManager = "secretsmanager"
)

Variables

// ARNPath matches an IAM path: it must start and end with "/" and may contain only ASCII letters,
// digits and "/" in between. The shortest match is "//" ("/" alone is rejected), and empty
// segments such as "/a//b/" are accepted. Presumably used by ARNPathValidator — confirm.
var ARNPath = regexp.MustCompile(`^\/[a-zA-Z0-9\/]*\/$`)
// AccountRoles maps each classic account-role key to its display Name and the CLI flag
// (Flag) through which the user supplies that role's ARN.
var AccountRoles = map[string]AccountRole{
	InstallerAccountRole:    {Name: "Installer", Flag: "role-arn"},
	ControlPlaneAccountRole: {Name: "ControlPlane", Flag: "controlplane-iam-role"},
	WorkerAccountRole:       {Name: "Worker", Flag: "worker-iam-role"},
	SupportAccountRole:      {Name: "Support", Flag: "support-role-arn"},
}
// DefaultPrefix is the default prefix for role and policy names; presumably combined with a
// role suffix by GetRoleName and friends — confirm. It is a var, not a const, so callers can
// override it at runtime.
var DefaultPrefix = "ManagedOpenShift"
// HCPAccountRoles is the hosted-control-plane counterpart of AccountRoles: it maps each HCP
// role key to its display Name and the CLI flag that supplies the role ARN. There is no
// control-plane entry because HCP clusters have no customer-owned control-plane role here.
var HCPAccountRoles = map[string]AccountRole{
	HCPInstallerRole: {Name: "HCP-Installer", Flag: "role-arn"},
	HCPSupportRole:   {Name: "HCP-Support", Flag: "support-role-arn"},
	HCPWorkerRole:    {Name: "HCP-Worker", Flag: "worker-iam-role"},
}
// JumpAccounts maps an OCM environment name to the AWS account ID that hosts the installer
// jump role for that environment. "local", "local-proxy" and "crc" all point at the same
// account. Presumably read by GetJumpAccount(env); a plain map lookup for an unknown env yields
// "" — confirm how GetJumpAccount handles that case.
var JumpAccounts = map[string]string{
	"production":  "710019948333",
	"staging":     "644306948063",
	"integration": "896164604406",
	"local":       "765374464689",
	"local-proxy": "765374464689",
	"crc":         "765374464689",
}

JumpAccounts are the AWS accounts used for the installer jump role in the various OCM environments.

// OCMAdminRolePolicyFile is the base name of the policy template for the OCM admin role;
// how the name is resolved to a file is not visible here (presumably GetFormattedFileName).
var OCMAdminRolePolicyFile = "ocm_admin"
// OCMRolePolicyFile is the base name of the policy template for the OCM role
// (see OCMRole); resolution to a file path happens elsewhere.
var OCMRolePolicyFile = "ocm"
// OCMUserRolePolicyFile is the base name of the policy template for the OCM user role
// (see OCMUserRole); resolution to a file path happens elsewhere.
var OCMUserRolePolicyFile = "ocm_user"
// RoleNameRE accepts one or more characters from the set: ASCII word characters (\w is
// [0-9A-Za-z_] in Go's RE2 syntax) plus + = , . @ -. It enforces no length bound; elsewhere in
// this package role names over 64 characters are noted as being truncated (see TrimRoleSuffix),
// so length must be checked separately.
var RoleNameRE = regexp.MustCompile(`^[\w+=,.@-]+$`)
// UserNoProxyRE validates one user-supplied no-proxy entry. Its alternatives accept:
//   - a dotted-quad IPv4 address (each octet 0-255);
//   - the same followed by a prefix length /0 through /32;
//   - a lowercase domain name of 1-63-character labels ending in a 2-63-character TLD;
//   - the literal two-character string "" (used to clear the existing value).
//
// NOTE(review): the `.?` at the start of each domain label is an unescaped dot, so it matches any
// single character — e.g. "!example.com" passes — rather than only an optional leading ".".
// This looks like it was meant to be `\.?`; confirm the intent before tightening. Upper-case
// domain names are rejected as written, and IPv6 addresses are not covered.
var UserNoProxyRE = regexp.MustCompile(
	`^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$|^(.?[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9][a-z0-9-]{0,61}[a-z0-9]$|^""$`,
)

The following regex defines five different patterns: the first pattern validates an IPv4 address, the second validates an IPv4 CIDR range, the third validates domain names, and the fifth pattern allows the existing no-proxy value to be removed by typing an empty string (""). nolint

// UserTagKeyRE accepts 1-128 characters drawn from Unicode letters (\pL), separators including
// spaces (\pZ), numbers (\pN) and the symbols _ . : / = + - @. The quantifier counts runes, which
// matches AWS's per-character tag-key limit.
var UserTagKeyRE = regexp.MustCompile(`^[\pL\pZ\pN_.:/=+\-@]{1,128}$`)

UserTagKeyRE and UserTagValueRE follow the AWS tag conventions: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html#tag-conventions

// UserTagValueRE uses the same character set as UserTagKeyRE but allows 0-256 runes, so an
// empty tag value passes validation.
var UserTagValueRE = regexp.MustCompile(`^[\pL\pZ\pN_.:/=+\-@]{0,256}$`)

Functions

func ARNPathValidator added in v1.2.7

func ARNPathValidator(input interface{}) error

func ARNValidator added in v1.1.1

func ARNValidator(input interface{}) error

func AddModeFlag added in v1.1.6

func AddModeFlag(cmd *cobra.Command)

func BuildOperatorRoleCommands added in v1.1.12

func BuildOperatorRoleCommands(prefix string, accountID string, awsClient Client,
	defaultPolicyVersion string, credRequests map[string]*cmv1.STSOperator, policyPath string) []string

func BuildOperatorRolePolicies added in v1.2.0

func BuildOperatorRolePolicies(prefix string, accountID string, awsClient Client, commands []string,
	defaultPolicyVersion string, credRequests map[string]*cmv1.STSOperator, path string) []string

func ComputeOperatorRoleArn added in v1.2.16

func ComputeOperatorRoleArn(prefix string, operator *cmv1.STSOperator, creator *Creator, path string) string

func FindOperatorRoleBySTSOperator added in v1.2.9

func FindOperatorRoleBySTSOperator(operatorRoles []*cmv1.OperatorIAMRole, operator *cmv1.STSOperator) string

func FindOperatorRoleNameBySTSOperator added in v1.2.12

func FindOperatorRoleNameBySTSOperator(cluster *cmv1.Cluster, operator *cmv1.STSOperator) (string, bool)

func GenerateAddonPolicyDoc added in v1.2.4

func GenerateAddonPolicyDoc(cluster *cmv1.Cluster, accountID string, cr *cmv1.CredentialRequest,
	policyDetails string) (string, error)

func GenerateOperatorRolePolicyDoc added in v1.2.4

func GenerateOperatorRolePolicyDoc(cluster *cmv1.Cluster, accountID string, operator *cmv1.STSOperator,
	policyDetails string) (string, error)

func GenerateOperatorRolePolicyDocByOidcEndpointUrl added in v1.2.16

func GenerateOperatorRolePolicyDocByOidcEndpointUrl(oidcEndpointURL string,
	accountID string, operator *cmv1.STSOperator,
	policyDetails string) (string, error)

func GeneratePolicyFiles added in v1.1.6

func GeneratePolicyFiles(reporter *rprtr.Object, env string, generateAccountRolePolicies bool,
	generateOperatorRolePolicies bool, policies map[string]*cmv1.AWSSTSPolicy,
	credRequests map[string]*cmv1.STSOperator, managedPolicies bool) error

func GenerateRolePolicyDoc added in v1.1.12

func GenerateRolePolicyDoc(oidcEndpointUrl,
	accountID, serviceAccounts, policyDetails string) (string, error)

func GetAccountRoleName added in v1.1.6

func GetAccountRoleName(cluster *cmv1.Cluster, accountRole string) (string, error)

func GetAccountRolePolicyKeys added in v1.2.15

func GetAccountRolePolicyKeys(roleType string) []string

GetAccountRolePolicyKeys returns the policy key for fetching the managed policy ARN

func GetAccountRolesArnsMap added in v1.2.9

func GetAccountRolesArnsMap(cluster *cmv1.Cluster) map[string]string

func GetAdminPolicyARN added in v1.2.9

func GetAdminPolicyARN(accountID string, name string, path string) string

func GetAdminPolicyName added in v1.2.9

func GetAdminPolicyName(name string) string

func GetFormattedFileName added in v1.2.0

func GetFormattedFileName(filename string) string

func GetInstallerAccountRoleName added in v1.2.9

func GetInstallerAccountRoleName(cluster *cmv1.Cluster) (string, error)

func GetJumpAccount added in v1.2.5

func GetJumpAccount(env string) string

func GetManagedPolicyARN added in v1.2.11

func GetManagedPolicyARN(policies map[string]*cmv1.AWSSTSPolicy, key string) (string, error)

func GetMode added in v1.1.6

func GetMode() (string, error)

func GetOCMRoleName added in v1.1.7

func GetOCMRoleName(prefix string, role string, postfix string) string

func GetOIDCProviderARN added in v1.2.5

func GetOIDCProviderARN(accountID string, providerURL string) string

func GetOperatorPolicyARN added in v1.1.6

func GetOperatorPolicyARN(accountID string, prefix string, namespace string, name string, path string) string

func GetOperatorPolicyKey added in v1.2.16

func GetOperatorPolicyKey(roleType string, hostedCP bool) string

func GetOperatorPolicyName added in v1.2.9

func GetOperatorPolicyName(prefix string, namespace string, name string) string

func GetOperatorRolePolicyPrefixFromCluster added in v1.2.9

func GetOperatorRolePolicyPrefixFromCluster(cluster *cmv1.Cluster, awsClient Client) (string, error)

func GetPartition added in v1.2.5

func GetPartition() string

func GetPathFromARN added in v1.2.7

func GetPathFromARN(arnStr string) (string, error)

func GetPathFromAccountRole added in v1.2.9

func GetPathFromAccountRole(cluster *cmv1.Cluster, roleNameSuffix string) (string, error)

func GetPolicyARN added in v1.1.6

func GetPolicyARN(accountID string, name string, path string) string

func GetPolicyDetails added in v1.2.11

func GetPolicyDetails(policies map[string]*cmv1.AWSSTSPolicy, key string) string

GetPolicyDetails retrieves from the map the policy details for unmanaged and managed policies.

func GetPolicyName added in v1.1.6

func GetPolicyName(name string) string

func GetPrefixFromAccountRole added in v1.1.6

func GetPrefixFromAccountRole(cluster *cmv1.Cluster, roleNameSuffix string) (string, error)

func GetPrefixFromInstallerAccountRole added in v1.2.9

func GetPrefixFromInstallerAccountRole(cluster *cmv1.Cluster) (string, error)

func GetPrefixFromOperatorRole added in v1.2.3

func GetPrefixFromOperatorRole(cluster *cmv1.Cluster) string

func GetRegion

func GetRegion(region string) (string, error)

GetRegion will return a region selected by the user or given as a default to the AWS client. If the region given is empty, it will first attempt to use the default, and, failing that, will prompt for user input.

func GetResourceIdFromARN added in v1.2.7

func GetResourceIdFromARN(stringARN string) (string, error)

GetResourceIdFromARN takes a full AWS ARN, parses it and extracts the last part of the resource field, e.g. arn:partition:service:region:account-id:resource-type/<some-path>/resource-id. An assumption is made that there is always a resource-type; if the resource-id is empty, an error is returned.

func GetResourceIdFromSecretArn added in v1.2.14

func GetResourceIdFromSecretArn(secretArn string) (string, error)

func GetRoleARN added in v1.1.6

func GetRoleARN(accountID string, name string, path string) string

func GetRoleName added in v1.1.6

func GetRoleName(prefix string, role string) string

func GetServiceQuota

func GetServiceQuota(serviceQuotas []*servicequotas.ServiceQuota,
	quotaCode string) (*servicequotas.ServiceQuota, error)

GetServiceQuota extracts a service quota from the list of service quotas.

func GetTagValues added in v1.1.3

func GetTagValues(tagsValue []*iam.Tag) (roleType string, version string)

func GetUserRoleName added in v1.1.6

func GetUserRoleName(prefix string, role string, userName string) string

func HasDuplicateTagKey added in v1.1.2

func HasDuplicateTagKey(tags []string) (string, bool)

func HasDuplicates added in v1.2.3

func HasDuplicates(valSlice []string) (string, bool)

func InterpolatePolicyDocument added in v1.2.3

func InterpolatePolicyDocument(doc string, replacements map[string]string) string

func IsHostedCPManagedPolicies added in v1.2.16

func IsHostedCPManagedPolicies(cluster *cmv1.Cluster) bool

func IsOCMRole added in v1.1.10

func IsOCMRole(roleName *string) bool

func IsStandardNamedAccountRole added in v1.2.16

func IsStandardNamedAccountRole(accountRoleName, roleSuffix string) (bool, string)

func ListServiceQuotas

func ListServiceQuotas(client *awsClient, serviceCode string) ([]*servicequotas.ServiceQuota, error)

ListServiceQuotas lists the available quotas for a service.

func MarshalRoles added in v1.1.3

func MarshalRoles(role []Role, b *bytes.Buffer) error

func ParseSubnet added in v1.2.4

func ParseSubnet(subnetOption string) string

ParseSubnet parses the subnet from the option chosen by the user.

func SetModeKey added in v1.1.6

func SetModeKey(key string)

func SetSubnetOption added in v1.2.4

func SetSubnetOption(subnet, zone string) string

SetSubnetOption creates a subnet option using a predefined template.

func SortRolesByLinkedRole added in v1.1.12

func SortRolesByLinkedRole(roles []Role)

func TrimRoleSuffix added in v1.2.3

func TrimRoleSuffix(orig, sufix string) string

Role names can be truncated if they are over 64 characters, so we need to make sure we are not missing a truncated suffix.

func UpgradeOperatorPolicies added in v1.1.12

func UpgradeOperatorPolicies(reporter *rprtr.Object, awsClient Client, accountID string,
	prefix string, policies map[string]string, defaultPolicyVersion string,
	credRequests map[string]*cmv1.STSOperator, path string) error

func UpgradeOperatorRolePolicies added in v1.2.9

func UpgradeOperatorRolePolicies(
	reporter *rprtr.Object,
	awsClient Client,
	accountID string,
	prefix string,
	policies map[string]*cmv1.AWSSTSPolicy,
	defaultPolicyVersion string,
	credRequests map[string]*cmv1.STSOperator,
	path string,
) error

func UserNoProxyDuplicateValidator added in v1.2.3

func UserNoProxyDuplicateValidator(input interface{}) error

func UserNoProxyValidator added in v1.2.3

func UserNoProxyValidator(input interface{}) error

func UserTagDuplicateValidator added in v1.1.2

func UserTagDuplicateValidator(input interface{}) error

func UserTagValidator added in v1.1.2

func UserTagValidator(input interface{}) error

Types

type AccessKey

// AccessKey holds an AWS access key pair, as returned by Client.GetAWSAccessKeys and
// Client.GetLocalAWSAccessKeys and consumed by ClientBuilder.AccessKeys. SecretAccessKey is
// credential material: keep it out of logs, error messages and rendered output.
type AccessKey struct {
	// AccessKeyID is the public identifier of the key pair.
	AccessKeyID     string
	// SecretAccessKey is the secret half of the pair.
	SecretAccessKey string
}

type AccountRole added in v1.1.0

// AccountRole describes one account-role type; the values of AccountRoles and HCPAccountRoles.
type AccountRole struct {
	// Name is the human-readable role name (e.g. "Installer").
	Name string
	// Flag is the CLI flag through which the user supplies this role's ARN.
	Flag string
}

type Client

// Client defines the AWS operations this package depends on. New assembles one from the SDK
// service interfaces listed in its parameters; CreateNewClientOrExit and ClientBuilder.Build are
// the usual constructors. Several methods take or return credential material or change IAM
// state, so implementations and callers should treat them with the care noted inline.
type Client interface {
	CheckAdminUserNotExisting(userName string) (err error)
	CheckAdminUserExists(userName string) (err error)
	CheckStackReadyOrNotExisting(stackName string) (stackReady bool, stackStatus *string, err error)
	CheckRoleExists(roleName string) (bool, string, error)
	// ValidateRoleARNAccountIDMatchCallerAccountID, per its name, rejects a role ARN whose account
	// ID differs from the caller's; keep it on every path that accepts a user-supplied role ARN.
	ValidateRoleARNAccountIDMatchCallerAccountID(roleARN string) error
	// GetIAMCredentials returns raw credential material (credentials.Value); do not log the result.
	GetIAMCredentials() (credentials.Value, error)
	GetRegion() string
	ValidateCredentials() (isValid bool, err error)
	EnsureOsdCcsAdminUser(stackName string, adminUserName string, awsRegion string) (bool, error)
	DeleteOsdCcsAdminUser(stackName string) error
	// GetAWSAccessKeys and GetLocalAWSAccessKeys return an AccessKey, which contains a secret.
	GetAWSAccessKeys() (*AccessKey, error)
	GetLocalAWSAccessKeys() (*AccessKey, error)
	GetCreator() (*Creator, error)
	// ValidateSCP takes an unnamed *string (presumably a principal ARN — confirm) and the policy
	// map, and reports whether the policies are permitted under the account's service control policies.
	ValidateSCP(*string, map[string]*cmv1.AWSSTSPolicy) (bool, error)
	GetSubnetIDs() ([]*ec2.Subnet, error)
	GetSubnetAvailabilityZone(subnetID string) (string, error)
	GetVPCSubnets(subnetID string) ([]*ec2.Subnet, error)
	GetVPCPrivateSubnets(subnetID string) ([]*ec2.Subnet, error)
	FilterVPCsPrivateSubnets(subnets []*ec2.Subnet) ([]*ec2.Subnet, error)
	ValidateQuota() (bool, error)
	TagUserRegion(username string, region string) error
	GetClusterRegionTagForUser(username string) (string, error)
	// EnsureRole creates or updates a role from a policy document; permissionsBoundary is the ARN
	// of the boundary policy to apply, if any, and path the IAM path (see ARNPath).
	EnsureRole(name string, policy string, permissionsBoundary string,
		version string, tagList map[string]string, path string, managedPolicies bool) (string, error)
	ValidateRoleNameAvailable(name string) (err error)
	PutRolePolicy(roleName string, policyName string, policy string) error
	ForceEnsurePolicy(policyArn string, document string, version string, tagList map[string]string,
		path string) (string, error)
	EnsurePolicy(policyArn string, document string, version string, tagList map[string]string,
		path string) (string, error)
	AttachRolePolicy(roleName string, policyARN string) error
	// CreateOpenIDConnectProvider registers issuerURL with IAM; thumbprint is the certificate
	// thumbprint IAM pins the issuer's TLS chain to, so how the caller derives it matters — confirm.
	CreateOpenIDConnectProvider(issuerURL string, thumbprint string, clusterID string) (string, error)
	DeleteOpenIDConnectProvider(providerURL string) error
	HasOpenIDConnectProvider(issuerURL string, accountID string) (bool, error)
	FindRoleARNs(roleType string, version string) ([]string, error)
	FindPolicyARN(operator Operator, version string) (string, error)
	ListUserRoles() ([]Role, error)
	ListOCMRoles() ([]Role, error)
	ListAccountRoles(version string) ([]Role, error)
	ListOperatorRoles(version string) (map[string][]Role, error)
	GetRoleByARN(roleARN string) (*iam.Role, error)
	HasCompatibleVersionTags(iamTags []*iam.Tag, version string) (bool, error)
	DeleteOperatorRole(roles string, managedPolicies bool) error
	GetOperatorRolesFromAccountByClusterID(clusterID string, credRequests map[string]*cmv1.STSOperator) ([]string, error)
	GetOperatorRolesFromAccountByPrefix(prefix string, credRequest map[string]*cmv1.STSOperator) ([]string, error)
	GetPolicies(roles []string) (map[string][]string, error)
	GetAccountRolesForCurrentEnv(env string, accountID string) ([]Role, error)
	GetAccountRoleForCurrentEnv(env string, roleName string) (Role, error)
	GetAccountRoleForCurrentEnvWithPrefix(env string, rolePrefix string,
		accountRolesMap map[string]AccountRole) ([]Role, error)
	DeleteAccountRole(roleName string, managedPolicies bool) error
	DeleteOCMRole(roleARN string, managedPolicies bool) error
	DeleteUserRole(roleName string) error
	GetAccountRolePolicies(roles []string) (map[string][]PolicyDetail, error)
	GetAttachedPolicy(role *string) ([]PolicyDetail, error)
	HasPermissionsBoundary(roleName string) (bool, error)
	GetOpenIDConnectProviderByClusterIdTag(clusterID string) (string, error)
	GetOpenIDConnectProviderByOidcEndpointUrl(oidcEndpointUrl string) (string, error)
	GetInstanceProfilesForRole(role string) ([]string, error)
	IsUpgradedNeededForAccountRolePolicies(rolePrefix string, version string) (bool, error)
	// NOTE: the first parameter is named clusterID but typed *cmv1.Cluster (a whole cluster).
	IsUpgradedNeededForAccountRolePoliciesUsingCluster(clusterID *cmv1.Cluster, version string) (bool, error)
	IsUpgradedNeededForOperatorRolePoliciesUsingCluster(
		cluster *cmv1.Cluster,
		accountID string,
		version string,
		credRequests map[string]*cmv1.STSOperator,
		operatorRolePolicyPrefix string,
	) (bool, error)
	IsUpgradedNeededForOperatorRolePoliciesUsingPrefix(
		rolePrefix string,
		accountID string,
		version string,
		credRequests map[string]*cmv1.STSOperator,
		path string,
	) (bool, error)
	UpdateTag(roleName string, defaultPolicyVersion string) error
	AddRoleTag(roleName string, key string, value string) error
	IsPolicyCompatible(policyArn string, version string) (bool, error)
	GetAccountRoleVersion(roleName string) (string, error)
	IsPolicyExists(policyARN string) (*iam.GetPolicyOutput, error)
	IsRolePolicyExists(roleName string, policyName string) (*iam.GetRolePolicyOutput, error)
	IsAdminRole(roleName string) (bool, error)
	DeleteInlineRolePolicies(roleName string) error
	IsUserRole(roleName *string) (bool, error)
	GetRoleARNPath(prefix string) (string, error)
	DescribeAvailabilityZones() ([]string, error)
	IsLocalAvailabilityZone(availabilityZoneName string) (bool, error)
	DetachRolePolicies(roleName string) error
	HasManagedPolicies(roleARN string) (bool, error)
	HasHostedCPPolicies(roleARN string) (bool, error)
	GetAccountRoleARN(prefix string, roleType string) (string, error)
	ValidateAccountRolesManagedPolicies(prefix string, policies map[string]*cmv1.AWSSTSPolicy) error
	ValidateHCPAccountRolesManagedPolicies(prefix string, policies map[string]*cmv1.AWSSTSPolicy) error
	ValidateOperatorRolesManagedPolicies(cluster *cmv1.Cluster, operatorRoles map[string]*cmv1.STSOperator,
		policies map[string]*cmv1.AWSSTSPolicy, hostedCPPolicies bool) error
	CreateS3Bucket(bucketName string, region string) error
	DeleteS3Bucket(bucketName string) error
	// PutPublicReadObjectInS3Bucket, per its name, uploads body under key so that it is publicly
	// readable; presumably paired with ReadOnlyAnonUserPolicyTemplate — confirm the ACL/policy
	// the implementation applies and that only non-sensitive content is written this way.
	PutPublicReadObjectInS3Bucket(bucketName string, body io.ReadSeeker, key string) error
	// CreateSecretInSecretsManager stores secret under name and returns its ARN; the secret
	// argument is sensitive and must not appear in logs.
	CreateSecretInSecretsManager(name string, secret string) (string, error)
	DeleteSecretInSecretsManager(secretArn string) error
}

Client defines the interface of the AWS client used by this package.

func CreateNewClientOrExit added in v1.1.10

func CreateNewClientOrExit(logger *logrus.Logger, reporter *reporter.Object) Client

func GetAWSClientForUserRegion added in v1.0.8

func GetAWSClientForUserRegion(reporter *rprtr.Object, logger *logrus.Logger, supportedRegions []string) Client

Currently the user can run rosa init using the region from their config or using --region. When checking for CloudFormation, we need to check in the region used by the user.

func New

func New(
	logger *logrus.Logger,
	iamClient iamiface.IAMAPI,
	ec2Client ec2iface.EC2API,
	orgClient organizationsiface.OrganizationsAPI,
	s3Client s3iface.S3API,
	smClient secretsmanageriface.SecretsManagerAPI,
	stsClient stsiface.STSAPI,
	cfClient cloudformationiface.CloudFormationAPI,
	servicequotasClient servicequotasiface.ServiceQuotasAPI,
	awsSession *session.Session,
	awsAccessKeys *AccessKey,

) Client

type ClientBuilder

// ClientBuilder accumulates the settings (logger, region, access keys — see its methods below)
// needed to build a Client; construct it with NewClient and finish with Build.
type ClientBuilder struct {
	// contains filtered or unexported fields
}

ClientBuilder contains the information and logic needed to build a new AWS client.

func NewClient

func NewClient() *ClientBuilder

NewClient creates a builder that can then be used to configure and build a new AWS client.

func (*ClientBuilder) AccessKeys

func (b *ClientBuilder) AccessKeys(value *AccessKey) *ClientBuilder

func (*ClientBuilder) Build

func (b *ClientBuilder) Build() (Client, error)

Build uses the information stored in the builder to build a new AWS client.

func (*ClientBuilder) BuildSessionWithOptions

func (b *ClientBuilder) BuildSessionWithOptions() (*session.Session, error)

func (*ClientBuilder) BuildSessionWithOptionsCredentials

func (b *ClientBuilder) BuildSessionWithOptionsCredentials(value *AccessKey) (*session.Session, error)

BuildSessionWithOptionsCredentials creates an AWS session with a specific set of credentials.

func (*ClientBuilder) Logger

func (b *ClientBuilder) Logger(value *logrus.Logger) *ClientBuilder

Logger sets the logger that the AWS client will use to send messages to the log.

func (*ClientBuilder) Region

func (b *ClientBuilder) Region(value string) *ClientBuilder

type Creator

// Creator identifies the AWS principal creating resources, as returned by Client.GetCreator and
// consumed by ComputeOperatorRoleArn.
type Creator struct {
	// ARN of the calling principal.
	ARN       string
	// AccountID is the AWS account the principal belongs to.
	AccountID string
	// IsSTS reports whether the principal is a temporary STS identity (e.g. an assumed role);
	// how it is derived is not visible here.
	IsSTS     bool
}

type CustomRetryer added in v1.1.5

// CustomRetryer embeds the SDK's DefaultRetryer so that only ShouldRetry needs to be overridden;
// per the ShouldRetry doc comment below, the override stops 5xx responses from being retried.
type CustomRetryer struct {
	client.DefaultRetryer
}

CustomRetryer wraps the aws SDK's built in DefaultRetryer allowing for additional custom features

func (CustomRetryer) ShouldRetry added in v1.1.5

func (r CustomRetryer) ShouldRetry(req *request.Request) bool

ShouldRetry overrides the SDK's built in DefaultRetryer adding customization to not retry 5xx status codes.

type Operator added in v1.1.0

// Operator describes a cluster operator and the IAM role it assumes; passed to
// Client.FindPolicyARN.
type Operator struct {
	// Name of the operator.
	Name                string
	// Namespace the operator runs in.
	Namespace           string
	// RoleARN is the IAM role the operator's service accounts assume.
	RoleARN             string
	// ServiceAccountNames lists the Kubernetes service accounts bound to RoleARN.
	ServiceAccountNames []string
	// MinVersion is the minimum cluster version requiring this operator role; semantics not visible here.
	MinVersion          string
}

type Policy added in v1.1.3

// Policy pairs a policy name with its parsed document, as embedded in Role.Policy.
// Note that encoding/json ignores omitempty on struct-typed fields, so PolicyDocument is
// always emitted.
type Policy struct {
	PolicyName     string         `json:"PolicyName,omitempty"`
	PolicyDocument PolicyDocument `json:"PolicyDocument,omitempty"`
}

type PolicyDetail added in v1.1.5

// PolicyDetail summarizes one policy on a role, as returned by Client.GetAttachedPolicy and
// Client.GetAccountRolePolicies and filtered by FindAllAttachedPolicyDetails.
type PolicyDetail struct {
	PolicyName string
	PolicyArn  string
	// PolicType (sic) — presumably holds Inline or Attached; confirm. The field name is part of
	// the exported API, so the typo cannot be fixed without a breaking change.
	PolicType  string
}

func FindAllAttachedPolicyDetails added in v1.2.9

func FindAllAttachedPolicyDetails(policiesDetails []PolicyDetail) []PolicyDetail

func FindFirstAttachedPolicy added in v1.2.9

func FindFirstAttachedPolicy(policiesDetails []PolicyDetail) PolicyDetail

type PolicyDocument

// PolicyDocument models an AWS IAM policy document. Build one with NewPolicyDocument or
// ParsePolicyDocument; String renders it back to JSON. Statement carries no omitempty, so a nil
// slice encodes as "Statement": null rather than being dropped.
type PolicyDocument struct {
	ID string `json:"Id,omitempty"`
	// Specify the version of the policy language that you want to use.
	// As a best practice, use the latest 2012-10-17 version.
	Version string `json:"Version,omitempty"`
	// Use this main policy element as a container for the following elements.
	// You can include more than one statement in a policy.
	Statement []PolicyStatement `json:"Statement"`
}

PolicyDocument models an AWS IAM policy document

func NewPolicyDocument added in v1.2.3

func NewPolicyDocument() *PolicyDocument

func ParsePolicyDocument added in v1.2.3

func ParsePolicyDocument(doc string) (*PolicyDocument, error)

func (*PolicyDocument) AllowActions added in v1.2.3

func (p *PolicyDocument) AllowActions(actions ...string)

AllowActions adds a statement to a policy allowing the provided actions for all Resources. If you need a more complex statement it is better to construct it manually.

func (*PolicyDocument) GetAllowedActions added in v1.2.3

func (p *PolicyDocument) GetAllowedActions() []string

func (*PolicyDocument) IsActionAllowed added in v1.2.3

func (p *PolicyDocument) IsActionAllowed(wanted string) bool

IsActionAllowed checks if any of the statements in the document allows the wanted action. It does not take into account Resource or Principal constraints on the action.

func (PolicyDocument) String added in v1.2.3

func (p PolicyDocument) String() string

type PolicyStatement

// PolicyStatement models an AWS policy statement entry. Action and Resource are interface{}
// because the IAM grammar allows either a single string or an array in those positions; which
// Go types this package actually stores there is not visible here (see GetAllowedActions).
type PolicyStatement struct {
	// Include an optional statement ID to differentiate between your statements.
	Sid string `json:"Sid,omitempty"`
	// Use `Allow` or `Deny` to indicate whether the policy allows or denies access.
	Effect string `json:"Effect"`
	// If you create a resource-based policy, you must indicate the account, user, role, or
	// federated user to which you would like to allow or deny access. If you are creating an
	// IAM permissions policy to attach to a user or role, you cannot include this element.
	// The principal is implied as that user or role.
	Principal *PolicyStatementPrincipal `json:"Principal,omitempty"`
	// Include a list of actions that the policy allows or denies.
	// (i.e. ec2:StartInstances, iam:ChangePassword)
	Action interface{} `json:"Action,omitempty"`
	// If you create an IAM permissions policy, you must specify a list of resources to which
	// the actions apply. If you create a resource-based policy, this element is optional. If
	// you do not include this element, then the resource to which the action applies is the
	// resource to which the policy is attached.
	Resource interface{} `json:"Resource,omitempty"`
}

PolicyStatement models an AWS policy statement entry.

func (*PolicyStatement) GetAWSPrincipals added in v1.2.3

func (p *PolicyStatement) GetAWSPrincipals() []string

type PolicyStatementPrincipal added in v1.1.0

// PolicyStatementPrincipal models the Principal element of a policy statement. AWS is
// interface{} because IAM accepts either one ARN or an array; GetAWSPrincipals on
// PolicyStatement normalizes it to a []string.
type PolicyStatementPrincipal struct {
	// A service principal is an identifier that is used to grant permissions to a service.
	// The identifier for a service principal includes the service name, and is usually in the
	// following format: service-name.amazonaws.com
	Service []string `json:"Service,omitempty"`
	// You can specify an individual IAM role ARN (or array of role ARNs) as the principal.
	// In IAM roles, the Principal element in the role's trust policy specifies who can assume the role.
	// When you specify more than one principal in the element, you grant permissions to each principal.
	AWS interface{} `json:"AWS,omitempty"`
	// A federated principal uses a web identity token or SAML federation
	Federated string `json:"Federated,omitempty"`
}

type Role added in v1.1.3

// Role is the package's view of an IAM role, as returned by the Client.List*Roles methods and
// serialized by MarshalRoles. Every field is omitempty, so a zero-value Role marshals to {}.
type Role struct {
	// RoleType is one of the role keys (InstallerAccountRole etc.) — presumably; confirm.
	RoleType      string   `json:"RoleType,omitempty"`
	Version       string   `json:"Version,omitempty"`
	RolePrefix    string   `json:"RolePrefix,omitempty"`
	RoleName      string   `json:"RoleName,omitempty"`
	RoleARN       string   `json:"RoleARN,omitempty"`
	// Linked is used by SortRolesByLinkedRole; its value format is not visible here.
	Linked        string   `json:"Linked,omitempty"`
	Admin         string   `json:"Admin,omitempty"`
	Policy        []Policy `json:"Policy,omitempty"`
	// ManagedPolicy reports whether the role uses AWS managed policies; a false value is
	// omitted from JSON because of omitempty.
	ManagedPolicy bool     `json:"ManagedPolicy,omitempty"`
}

type SimulateParams

// SimulateParams captures any additional details that should be used when simulating
// permissions. Only Region is exposed on this page.
type SimulateParams struct {
	// Region to simulate the request in.
	Region string
}

SimulateParams captures any additional details that should be used when simulating permissions.

Directories

Path Synopsis
Package mocks is a generated GoMock package.
Package mocks is a generated GoMock package.
