Beispiel #1
0
def updateModelRoles(ctx, targetRegion, targetEnv, targetRole, constrainToModel):
    ctxRoles = ctx.model['roles']
    for region in ctxRoles:
        if targetRegion != None and region != targetRegion:
            continue
        for env in ctxRoles[region]:
            #defaults = None
            if targetEnv != None and env != targetEnv:
                continue
            for role in ctxRoles[region][env]:
                if targetRole != None and role != targetRole:
                    continue
                if not aws_roles.isRoleInAWS(ctx, role):
                    ctx.vlog('Adding missing role to AWS: %s' % role)
                    aws_roles.createRole(ctx, role)
                    if ctx.dry_run:
                        # Since we are not actually creating the role in
                        # dry_run mode, we can't try to attach policies.
                        continue
                else:
                    ctx.log('Model role found in AWS: ' + role)

                policies = set(ctxRoles[region][env][role])
                attached = set(aws_roles.getAttachedPolicies(ctx, role))

                missing = policies.difference(attached)
                if len(missing) > 0:
                    for policyName in missing:
                        ctx.log('-- Attaching policy: %s' % policyName)
                        aws_roles.attachPolicy(ctx, role, policyName)

                if not constrainToModel:
                    continue

                # Remove attached policies that are not in the model
                extra = attached.difference(policies)
                if len(extra) > 0:
                    for policyName in extra:
                        ctx.log('-- Unattaching policy: %s' % policyName)
                        aws_roles.detachPolicy(ctx, role, policyName)
Beispiel #2
0
def compareModelRoles(ctx, targetRegion, targetEnv, targetRole, isAudit, no_diff, diff_type, context_lines):
    ctxRoles = ctx.model['roles']
    for region in ctxRoles:
        if targetRegion != None and region != targetRegion:
            continue
        for env in ctxRoles[region]:
            #defaults = None
            if targetEnv != None and env != targetEnv:
                continue
            for role in ctxRoles[region][env]:
                if targetRole != None and role != targetRole:
                    continue
                ctx.log('Model role %-34s' % role, nl=False, bold=True)
                if not aws_roles.isRoleInAWS(ctx,role):
                    ctx.log('NOT FOUND!', fg='red')
                    continue

                ctx.log('     FOUND', bold=True)

                policies = set(ctxRoles[region][env][role])
                if isAudit:
                    for policyName in policies:
                        csm_policies.comparePolicy(ctx, policyName, no_diff, diff_type, context_lines, '    ')

                attached = set(aws_roles.getAttachedPolicies(ctx, role))
                missing = policies.difference(attached)

                if len(missing) > 0:
                    ctx.log('    -- Model policies not attached:', fg='cyan')
                    for policyName in missing:
                        ctx.log('       %s' % policyName)

                extra = attached.difference(policies)
                if len(extra) > 0:
                    ctx.log('    -- Attached policies not in model:', fg='cyan')
                    for policyName in extra:
                        ctx.log('       %s' % policyName)