Esempio n. 1
0
def aws_account_from_infrastructure_access(cluster, access_level: str,
                                           ocm_map: OCMMap):
    """
    Generate an AWS account object from a cluster's awsInfrastructureAccess
    groups and access levels.

    Every entry of ``cluster['awsInfrastructureAccess']`` whose
    ``accessLevel`` equals *access_level* is turned into an account dict.
    When several entries match, the one listed last wins; when none match,
    ``None`` is returned. The ``assume_role`` value is resolved through the
    OCM client that *ocm_map* returns for ``cluster['name']``.

    :param cluster: cluster definition (dict) holding ``name``,
        ``awsInfrastructureAccess``, ``spec.region`` and ``network.vpc``
    :param access_level: the ``accessLevel`` value to select on
    :param ocm_map: map of cluster name to OCM client
    :return: account dict with ``name``, ``uid``, ``terraformUsername``,
        ``automationToken`` (copied verbatim from the group's account),
        ``assume_role``, ``assume_region`` and ``assume_cidr``, or ``None``
    """
    cluster_name = cluster['name']
    ocm = ocm_map.get(cluster_name)

    matched = None
    for access in cluster['awsInfrastructureAccess']:
        if access.get('accessLevel', "") != access_level:
            continue
        aws_account = access['awsGroup']['account']
        name = aws_account['name']
        uid = aws_account['uid']
        tf_user = aws_account['terraformUsername']
        token = aws_account['automationToken']
        # The role is looked up per cluster/account/user triple in OCM.
        assume_role = ocm.get_aws_infrastructure_access_terraform_assume_role(
            cluster_name, uid, tf_user)
        matched = {
            'name': name,
            'uid': uid,
            'terraformUsername': tf_user,
            'automationToken': token,
            'assume_role': assume_role,
            'assume_region': cluster['spec']['region'],
            'assume_cidr': cluster['network']['vpc'],
        }
    return matched
Esempio n. 2
0
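def build_desired_state_vpc_single_cluster(cluster_info, ocm: OCM,
                                           awsapi: AWSApi):
    """
    Build the desired VPC peering state for a single cluster.

    Only peering connections whose ``provider`` is ``account-vpc`` are
    handled. For each such connection the cluster is the *requester* and the
    peered AWS account's VPC is the *accepter*. The peered account dict is
    extended in place with ``assume_role`` (resolved through OCM),
    ``assume_region`` and ``assume_cidr``, and that same dict object is
    referenced from both ``requester['account']`` and ``accepter['account']``.

    :param cluster_info: cluster definition (dict) with ``name``,
        ``network.vpc``, ``spec.region`` and ``peering.connections``
    :param ocm: OCM client used to resolve the role to assume
    :param awsapi: AWS API client used to look up the cluster's VPC id and
        route table ids
    :return: list of desired-state items with ``connection_provider``,
        ``connection_name``, ``requester``, ``accepter`` and ``deleted``
    :raises BadTerraformPeeringState: if the requester VPC id cannot be
        found (the class is defined elsewhere in this module)
    """
    desired_state = []
    cluster = cluster_info['name']

    for peer_connection in cluster_info['peering']['connections']:
        # We only care about account-vpc peering providers
        peer_connection_provider = peer_connection['provider']
        if peer_connection_provider != 'account-vpc':
            continue

        # requester is the cluster's AWS account
        requester = {
            'cidr_block': cluster_info['network']['vpc'],
            'region': cluster_info['spec']['region'],
        }
        connection_name = peer_connection['name']
        peer_vpc = peer_connection['vpc']
        # accepter is the peered AWS account
        accepter = {
            'vpc_id': peer_vpc['vpc_id'],
            'cidr_block': peer_vpc['cidr_block'],
            'region': peer_vpc['region'],
        }

        # NOTE: this is the account dict from cluster_info itself, so the
        # keys added below also appear on the caller's cluster_info.
        account = peer_vpc['account']
        # assume_role is the role to assume to provision the peering
        # connection request, through the accepter AWS account.
        account['assume_role'] = \
            ocm.get_aws_infrastructure_access_terraform_assume_role(
                cluster,
                account['uid'],
                account['terraformUsername'],
            )
        account['assume_region'] = requester['region']
        account['assume_cidr'] = requester['cidr_block']

        requester_vpc_id, requester_route_table_ids, _ = \
            awsapi.get_cluster_vpc_details(
                account,
                route_tables=peer_connection.get('manageRoutes'),
            )
        if requester_vpc_id is None:
            # The message used to lack the closing bracket after the
            # cluster name; it now matches the module's other messages.
            raise BadTerraformPeeringState(
                f'[{cluster}] could not find VPC ID for cluster')
        requester['vpc_id'] = requester_vpc_id
        requester['route_table_ids'] = requester_route_table_ids
        requester['account'] = account
        accepter['account'] = account

        desired_state.append({
            'connection_provider': peer_connection_provider,
            'connection_name': connection_name,
            'requester': requester,
            'accepter': accepter,
            'deleted': peer_connection.get('delete', False),
        })
    return desired_state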
def _build_infrastructure_assume_role(
                    account: dict[str, Any],
                    cluster: dict[str, Any],
                    ocm: OCM) -> Optional[dict[str, Any]]:
    """
    Build the account record used to assume an infrastructure-access role
    for *cluster*.

    The role is looked up in OCM for the account's ``uid`` and
    ``terraformUsername``; when OCM returns a falsy value the function
    returns ``None`` so that callers can skip the account.

    :param account: AWS account dict with ``name``, ``uid``,
        ``terraformUsername`` and ``automationToken``
    :param cluster: cluster dict with ``name``, ``spec.region`` and
        ``network.vpc``
    :param ocm: OCM client used to resolve the role to assume
    :return: the account fields plus ``assume_role``, ``assume_region``
        and ``assume_cidr``, or ``None`` when no role was returned
    """
    assume_role = ocm.get_aws_infrastructure_access_terraform_assume_role(
        cluster['name'],
        account['uid'],
        account['terraformUsername'],
    )
    # No role from OCM means this account cannot be used for the cluster.
    if not assume_role:
        return None

    record = {
        'name': account['name'],
        'uid': account['uid'],
        'terraformUsername': account['terraformUsername'],
        'automationToken': account['automationToken'],
        'assume_role': assume_role,
    }
    record['assume_region'] = cluster['spec']['region']
    record['assume_cidr'] = cluster['network']['vpc']
    return record
def build_desired_state_vpc_single_cluster(cluster_info, ocm: Optional[OCM],
                                           awsapi: AWSApi):
    """
    Build the desired VPC peering state for a single cluster.

    Only peering connections whose ``provider`` is ``account-vpc`` are
    handled. The cluster is the *requester*, the peered AWS account's VPC the
    *accepter*. The peered account dict (taken from ``cluster_info``) is
    extended in place with ``assume_role``, ``assume_region`` and
    ``assume_cidr`` and is shared by both sides of the resulting item.

    A connection that carries its own ``assumeRole`` uses that value as-is
    and OCM is not consulted, so the role is trusted exactly as given by the
    peering definition; otherwise the role is resolved through *ocm*.

    :param cluster_info: cluster definition (dict) with ``name``,
        ``network.vpc``, ``spec.region`` and ``peering.connections``
    :param ocm: OCM client used to resolve the role to assume, or ``None``
        when every connection provides ``assumeRole``
    :param awsapi: AWS API client used to look up the cluster's VPC id and
        route table ids
    :return: list of desired-state items with ``connection_provider``,
        ``connection_name``, ``requester``, ``accepter`` and ``deleted``
    :raises KeyError: if a connection has no ``assumeRole`` and *ocm* is
        ``None``
    :raises BadTerraformPeeringState: if the requester VPC id cannot be
        found (the class is defined elsewhere in this module)
    """
    cluster = cluster_info['name']
    connections = cluster_info['peering']['connections']
    desired_state = []

    for peer_connection in connections:
        # Anything other than account-vpc peering is out of scope here.
        provider = peer_connection['provider']
        if provider != 'account-vpc':
            continue

        # requester: the cluster's own VPC
        requester = {
            'cidr_block': cluster_info['network']['vpc'],
            'region': cluster_info['spec']['region'],
        }
        connection_name = peer_connection['name']
        peer_vpc = peer_connection['vpc']
        # accepter: the VPC in the peered AWS account
        accepter = {
            'vpc_id': peer_vpc['vpc_id'],
            'cidr_block': peer_vpc['cidr_block'],
            'region': peer_vpc['region'],
        }
        account = peer_vpc['account']

        # Resolve the role used to provision the peering request through
        # the accepter account: a role given on the connection wins, else
        # ask OCM, else fail.
        provided_assume_role = peer_connection.get('assumeRole')
        if provided_assume_role:
            assume_role = provided_assume_role
        elif ocm is None:
            raise KeyError(
                f'[{cluster}] peering connection '
                f'{connection_name} must either specify assumeRole '
                'or ocm should be defined to obtain role to assume')
        else:
            assume_role = \
                ocm.get_aws_infrastructure_access_terraform_assume_role(
                    cluster,
                    account['uid'],
                    account['terraformUsername'],
                )
        account.update({
            'assume_role': assume_role,
            'assume_region': requester['region'],
            'assume_cidr': requester['cidr_block'],
        })

        vpc_id, route_table_ids, _ = awsapi.get_cluster_vpc_details(
            account,
            route_tables=peer_connection.get('manageRoutes'),
        )
        if vpc_id is None:
            raise BadTerraformPeeringState(
                f'[{cluster}] could not find VPC ID for cluster'
            )
        requester.update({
            'vpc_id': vpc_id,
            'route_table_ids': route_table_ids,
            'account': account,
        })
        accepter['account'] = account

        desired_state.append({
            'connection_provider': provider,
            'connection_name': connection_name,
            'requester': requester,
            'accepter': accepter,
            'deleted': peer_connection.get('delete', False),
        })
    return desired_state