def isValidTarget(ctx,policyName, targetRegion, targetEnv, targetService, targetPolicy):
if targetPolicy != None and policyName != targetPolicy:
return False
region, env, service = utils.regionEnvAndRole(policyName)
if targetRegion != None and region != targetRegion:
return False
if targetEnv != None and env != targetEnv:
return False
if targetService != None and service != targetService:
return False
return True
def isRoleInModel(ctx, roleName):
try:
region, env, _ = utils.regionEnvAndRole(roleName)
if env not in ctx.model['roles'][region]:
return False
else:
if roleName not in ctx.model['roles'][region][env]:
return False
else:
return True
except:
return False
def updateAWSRoles(ctx, targetRegion, targetEnv, targetRole):
for role in ctx.currentRoles:
roleName = role['RoleName']
if targetRole != None and roleName != targetRole:
continue
region, env, _ = utils.regionEnvAndRole(roleName)
if targetRegion != None and region != targetRegion:
continue
if targetEnv != None and env != targetEnv:
continue
if not isRoleInModel(ctx, roleName):
aws_roles.deleteRole(ctx,roleName)
def showRoles(ctx, targetRegion, targetEnv, targetRole):
for role in ctx.currentRoles:
roleName = role['RoleName']
if targetRole != None and roleName != targetRole:
continue
region, env, _ = utils.regionEnvAndRole(roleName)
if targetRegion != None and region != targetRegion:
continue
if targetEnv != None and env != targetEnv:
continue
attached = aws_roles.getAttachedPolicies(ctx, roleName)
ctx.log('Role: %s: %d attached policies:' % (roleName, len(attached)))
for policyName in attached:
policyDoc = csm_policies.getAWSPolicyDocument(ctx,policyName)
utils.showPolicyJson(ctx, policyName, ctx.dumps(policyDoc), 15, 120)
ctx.log('')
def compareAWSRoles(ctx, targetRegion, targetEnv, targetRole):
extraRoles = []
for role in ctx.currentRoles:
roleName = role['RoleName']
if targetRole != None and roleName != targetRole:
continue
region, env, _ = utils.regionEnvAndRole(roleName)
if targetRegion != None and region != targetRegion:
continue
if targetEnv != None and env != targetEnv:
continue
if not isRoleInModel(ctx, roleName):
extraRoles.append(roleName)
if len(extraRoles) > 0:
ctx.log('AWS Roles NOT in Model:', fg='cyan')
for roleName in extraRoles:
ctx.log(' %s' % roleName)
def getAllRoles(ctx):
iam = ctx.iam
if ctx.env == None:
mps = iam.list_roles()
else:
mps = iam.list_roles(PathPrefix="/%s/%s" % (ctx.region, ctx.env))
ctx.currentRoles.extend(mps["Roles"])
while mps["IsTruncated"]:
mps = iam.list_roles(Marker=mps["Marker"])
ctx.currentRoles.extend(mps["Roles"])
for role in ctx.currentRoles:
if role["Path"] == "/":
try:
region, env, rolePart = utils.regionEnvAndRole(role["RoleName"])
_, path = utils.nameAndPath(region, env, rolePart)
role["Path"] = path
except:
pass
def createRole(ctx, roleName):
iam = ctx.iam
if ctx.currentRoles == None:
ctx.vlog("createRole: Roles must be fetched first")
return
assumeRolePolicyDocument = '{"Statement": [{"Action": "sts:AssumeRole", "Principal": {"Service": "ec2.amazonaws.com"}, "Sid": "", "Effect": "Allow"}], "Version": "2012-10-17"}'
if ctx.dry_run:
ctx.log(
"create_role(Path=%s, RoleName=%s,AssumeRolePolicyDocument=%s)" % (path, roleName, assumeRolePolicyDocument)
)
return
# Create roles
region, env, role = utils.regionEnvAndRole(roleName)
path = "/%s/%s/%s/" % (region, env, role)
# Attach role to instance profile
msp = iam.create_role(Path=path, RoleName=roleName, AssumeRolePolicyDocument=assumeRolePolicyDocument)
if msp["ResponseMetadata"]["HTTPStatusCode"] != 200:
ctx.log("createRole Error: create_role returned %d" % msp["ResponseMetadata"]["HTTPStatusCode"])
return
ctx.audit("Created role: %s" % roleName)
msp2 = iam.create_instance_profile(InstanceProfileName=roleName)
if msp2["ResponseMetadata"]["HTTPStatusCode"] != 200:
ctx.log("createRole Error: create_role returned %d" % msp2["ResponseMetadata"]["HTTPStatusCode"])
return
ctx.audit("Created instance profile: %s" % roleName)
msp3 = iam.add_role_to_instance_profile(InstanceProfileName=roleName, RoleName=roleName)
if msp3["ResponseMetadata"]["HTTPStatusCode"] != 200:
ctx.log("createRole Error: create_role returned %d" % msp3["ResponseMetadata"]["HTTPStatusCode"])
return
ctx.audit("Attached role %s to instance profile: %s" % (roleName, roleName))
ctx.vlog("Role created: %s" % msp["Role"]["Arn"])
ctx.currentRoles.append(msp["Role"])
def showInstanceProfiles(ctx, targetRegion, targetEnv, targetRole, targetProfileName, targetId, show_instances):
instanceProfiles,instanceProfileByProfileId = aws_profiles.getAllInstanceProfiles(ctx)
if show_instances:
instances, instancesByProfileId = aws_instances.getInstances(ctx, targetRegion, targetEnv )
for profile in instanceProfiles:
profileName = profile['InstanceProfileName']
profileId = profile['InstanceProfileId']
if targetProfileName != None and profileName != targetProfileName:
continue
if targetId != None and profileId != targetId:
continue
region, env, role = utils.regionEnvAndRole(profileName)
if targetRegion != None and region != targetRegion:
continue
if targetEnv != None and env != targetEnv:
continue
if targetRole != None and role != targetRole:
continue
ctx.log('Profile Name: %s Profile ID: %s' % (profileName, profileId))
ctx.log(' Attached Roles:')
for role in profile['Roles']:
ctx.log(' %s' % (role['RoleName']))
if not show_instances:
continue
if profileId in instancesByProfileId:
ctx.log(' Attached Instances:')
for instance in instancesByProfileId[profileId]:
fullName = aws_instances.getTag(ctx,instance['Tags'], 'FullName')
ctx.log(' %s' % (fullName))
else:
ctx.log(' No Attached Instances:')
ctx.log('\n')
if not show_instances:
return
if 'NO_INSTANCE_PROFILE' in instancesByProfileId:
ctx.log('The following instances have no profile id')
for instance in instancesByProfileId['NO_INSTANCE_PROFILE']:
fullName = aws_instances.getTag(ctx,instance['Tags'], 'FullName')
state = instance['State']['Name']
ctx.log(' %-30s State: %s' % (fullName, state))
else:
ctx.log('All instances have a profile id')
badIds = []
for instance in instances:
if 'IamInstanceProfile' not in instance:
continue
profileId = instance['IamInstanceProfile']['Id']
if profileId not in instanceProfileByProfileId:
fullName = aws_instances.getTag(ctx,instance['Tags'], 'FullName')
state = instance['State']['Name']
badIds.append({'fullName':fullName,'state':state, 'profileId':profileId})
if len(badIds) > 0:
ctx.log('\nThe following instances have a bad profile id')
for entry in badIds:
ctx.log(' Instance: %-25s State: %-10s Profile ID: %s' % (entry['fullName'], entry['state'], entry['profileId']))
else:
ctx.log('\nAll instances have a valid profile id')
