def ots_svc(self, env: GlobalEnvironment, refresh: bool = False) -> OTSService:
"""
Returns a hydrated & properly configured One-time-secret service. This service will be configured for the appropriate
"utility" account by the registry.
"""
new_env = env
try:
config_svc = self.config_svc(env=env, refresh=refresh)
utility_account_id: Fig = config_svc.get_fig_with_cache(PS_FIGGY_UTILITY_ACCOUNT_ID).value
log.debug(f"Got utility account id: {utility_account_id}")
current_account_id: Fig = config_svc.get_fig_with_cache(PS_FIGGY_CURRENT_ACCOUNT_ID).value
log.debug(f"Got current session alias: {current_account_id}")
new_role = Role(role=FIGGY_DEFAULT_ROLE_NAME, full_name='figgy-default')
regions = config_svc.get_fig_with_cache(PS_FIGGY_REGIONS)
ots_region = json.loads(regions.value)[0]
new_env = GlobalEnvironment(role=AssumableRole(account_id=utility_account_id,
run_env=RunEnv(env="utility", account_id=utility_account_id),
role=new_role,
provider_name=env.role.provider_name),
region=ots_region)
except BaseException as e:
raise InvalidFiggyConfigurationException(f"Unable to initialize one-time-secret service. Are you sure your "
f"'utility_account_alias' was set to a valid value when you configured "
f"Figgy Cloud?") from e
config_svc = self.config_svc(env=new_env, refresh=refresh)
ots_key: Fig = config_svc.get_fig_with_cache(PS_FIGGY_OTS_KEY_ID)
return OTSService(self.__ssm(env=new_env, refresh=refresh),
self.__kms(env=new_env, refresh=refresh),
kms_id=ots_key.value)
def reauthenticate(self):
mfa = request.args.get('mfa', None)
envs: List[GlobalEnvironment] = []
for role in self.user.assumable_roles:
for region in self.user.enabled_regions:
envs.append(GlobalEnvironment(role=role, region=region))
return self._registry.auth_roles(envs, mfa=mfa)
def configure_figgy_defaults(self, current_defaults: CLIDefaults):
updated_defaults = current_defaults
env = GlobalEnvironment(role=current_defaults.assumable_roles[0], region=current_defaults.region)
session = self._get_session_manager(current_defaults).get_session(env,
prompt=True)
ssm = SsmDao(session.client('ssm'))
default_service_ns = ssm.get_parameter(PS_FIGGY_DEFAULT_SERVICE_NS_PATH)
updated_defaults.service_ns = default_service_ns
updated_defaults.enabled_regions = json.loads(ssm.get_parameter(PS_FIGGY_REGIONS))
return updated_defaults
def _build_cache(self):
roles = self.context.defaults.assumable_roles
regions = self.context.defaults.enabled_regions
self._out.notify(f'Found {len(roles) * len(regions)} caches to build.')
for role in roles:
for region in regions:
self._out.print(
f"Building cache for Role: {role.role.role} and region: {region}"
)
env = GlobalEnvironment(role=role, region=region)
self._svc_registry.config_svc(env).get_parameter_names()
def get_enabled_regions(self, refresh: bool = False):
"""
This call occurs during app INIT and cannot require the "region" header as we can't possibly know what
region before we've requested the enabled regions.
"""
log.info(
f'Active role: {request.headers.get("ActiveRole")} and region {self.context.defaults.region}'
)
env: GlobalEnvironment = GlobalEnvironment(
role=AssumableRole(
**json.loads(request.headers.get('ActiveRole'))),
region=self.context.defaults.region)
return {'regions': self._cfg(refresh, env).get_all_regions()}
def build_sessions(self):
envs: List[GlobalEnvironment] = []
self.user = User(
name=self._context.defaults.user,
role=self._context.defaults.role,
assumable_roles=self._context.defaults.assumable_roles,
enabled_regions=self._context.defaults.enabled_regions
or [self._context.defaults.region])
for role in self.user.assumable_roles:
for region in self.user.enabled_regions:
envs.append(GlobalEnvironment(role=role, region=region))
self._svc_registry.auth_roles(envs)
def _promote(self):
repeat = True
parameters: List[Dict] = []
while repeat:
namespace = Input.input("Please input a namespace prefix to promote:"
f" (i.e. {self.context.defaults.service_ns}/foo/): ", completer=self._config_completer)
if not self._utils.is_valid_input(namespace, "namespace", notify=False):
continue
try:
parameters: List[Dict] = self._source_ssm.get_all_parameters([namespace])
if not parameters and self._source_ssm.get_parameter(namespace):
parameters, latest_version = self._source_ssm.get_parameter_details(namespace)
parameters = list(parameters)
if parameters:
repeat = False
else:
self._out.warn("\nNo parameters found. Try again.\n")
except ClientError as e:
print(f"{self.c.fg_rd}ERROR: >> {e}{self.c.rs}")
continue
self._out.notify(f'\nFound [[{len(parameters)}]] parameter{"s" if len(parameters) > 1 else ""} to migrate.\n')
assumable_roles = self.context.defaults.assumable_roles
matching_roles = list(set([x for x in assumable_roles if x.role == self.config_context.role]))
valid_envs = set([x.run_env.env for x in matching_roles])
valid_envs.remove(self.run_env.env) # Remove current env, we can't promote from dev -> dev
next_env = Input.select(f'Please select the destination environment.', valid_options=list(valid_envs))
matching_role = [role for role in matching_roles if role.run_env == RunEnv(env=next_env)][0]
env: GlobalEnvironment = GlobalEnvironment(role=matching_role, region=self.config_context.defaults.region)
dest_ssm = SsmDao(self._session_mgr.get_session(env, prompt=False).client('ssm'))
for param in parameters:
if 'KeyId' in param:
self._out.print(f"Skipping param: [[{param['Name']}]]. It is encrypted and cannot be migrated.")
else:
promote_it = Input.y_n_input(f"Would you like to promote: {param['Name']}?",
default_yes=True)
if promote_it:
val = self._source_ssm.get_parameter(param['Name'])
description = param.get('Description', "")
dest_ssm.set_parameter(param['Name'], val, description, SSM_STRING)
self._out.success(f"Successfully promoted [[{param['Name']}]] to [[{next_env}]].\r\n")
def __build_env(self) -> GlobalEnvironment:
return GlobalEnvironment(role=self._context.selected_role,
region=self._cli_defaults.region)
def get_environment(self) -> GlobalEnvironment:
# return self.context.defaults.assumable_roles[0]
return GlobalEnvironment(role=AssumableRole(
**json.loads(request.headers.get('ActiveRole'))),
region=request.headers.get('ActiveRegion'))
def get_session_and_role(self, assumable_role: AssumableRole, prompt: bool, exit_on_fail=True) \
-> Tuple[boto3.Session, AssumableRole]:
return self.get_session(
GlobalEnvironment(role=assumable_role,
region=self._defaults.region), prompt,
exit_on_fail), assumable_role