def build_desired_state_cluster(clusters, ocm_map, settings): """ Fetch state for VPC peerings between two OCM clusters """ desired_state = [] error = False for cluster_info in clusters: cluster_name = cluster_info['name'] # Find an aws account with the "network-mgmt" access level on the # requester cluster and use that as the account for the requester req_aws = aws_account_from_infrastructure_access( cluster_info, 'network-mgmt', ocm_map) if not req_aws: msg = f"could not find an AWS account with the " \ f"'network-mgmt' access level on the cluster {cluster_name}" logging.error(msg) error = True continue req_aws['assume_region'] = cluster_info['spec']['region'] req_aws['assume_cidr'] = cluster_info['network']['vpc'] peering_info = cluster_info['peering'] peer_connections = peering_info['connections'] for peer_connection in peer_connections: # We only care about cluster-vpc-requester peering providers peer_connection_provider = peer_connection['provider'] if not peer_connection_provider == 'cluster-vpc-requester': continue peer_connection_name = peer_connection['name'] peer_cluster = peer_connection['cluster'] peer_cluster_name = peer_cluster['name'] requester_manage_routes = peer_connection.get('manageRoutes') # Ensure we have a matching peering connection peer_info = find_matching_peering(cluster_info, peer_connection, peer_cluster, 'cluster-vpc-accepter') if not peer_info: msg = f"could not find a matching peering connection for " \ f"cluster {cluster_name}, " \ f"connection {peer_connection_name}" logging.error(msg) error = True continue accepter_manage_routes = peer_info.get('manageRoutes') aws_api = AWSApi(1, [req_aws], settings=settings) requester_vpc_id, requester_route_table_ids = \ aws_api.get_cluster_vpc_id( req_aws, route_tables=requester_manage_routes ) if requester_vpc_id is None: msg = f'[{cluster_name} could not find VPC ID for cluster' logging.error(msg) error = True continue requester = { 'cidr_block': cluster_info['network']['vpc'], 'region': cluster_info['spec']['region'], 'vpc_id': requester_vpc_id, 'route_table_ids': requester_route_table_ids, 'account': req_aws } # Find an aws account with the "network-mgmt" access level on the # peer cluster and use that as the account for the accepter acc_aws = aws_account_from_infrastructure_access( peer_cluster, 'network-mgmt', ocm_map) if not acc_aws: msg = "could not find an AWS account with the " \ "'network-mgmt' access level on the cluster" logging.error(msg) error = True continue acc_aws['assume_region'] = peer_cluster['spec']['region'] acc_aws['assume_cidr'] = peer_cluster['network']['vpc'] aws_api = AWSApi(1, [acc_aws], settings=settings) accepter_vpc_id, accepter_route_table_ids = \ aws_api.get_cluster_vpc_id( acc_aws, route_tables=accepter_manage_routes ) if accepter_vpc_id is None: msg = f'[{peer_cluster_name} could not find VPC ID for cluster' logging.error(msg) error = True continue requester['peer_owner_id'] = acc_aws['assume_role'].split(':')[4] accepter = { 'cidr_block': peer_cluster['network']['vpc'], 'region': peer_cluster['spec']['region'], 'vpc_id': accepter_vpc_id, 'route_table_ids': accepter_route_table_ids, 'account': acc_aws } item = { 'connection_provider': peer_connection_provider, 'connection_name': peer_connection_name, 'requester': requester, 'accepter': accepter, 'deleted': peer_connection.get('delete', False) } desired_state.append(item) return desired_state, error
def build_desired_state_vpc(clusters, ocm_map, settings): """ Fetch state for VPC peerings between a cluster and a VPC (account) """ desired_state = [] error = False for cluster_info in clusters: cluster = cluster_info['name'] ocm = ocm_map.get(cluster) peering_info = cluster_info['peering'] peer_connections = peering_info['connections'] for peer_connection in peer_connections: # We only care about account-vpc peering providers peer_connection_provider = peer_connection['provider'] if not peer_connection_provider == 'account-vpc': continue # requester is the cluster's AWS account requester = { 'cidr_block': cluster_info['network']['vpc'], 'region': cluster_info['spec']['region'] } connection_name = peer_connection['name'] peer_vpc = peer_connection['vpc'] # accepter is the peered AWS account accepter = { 'vpc_id': peer_vpc['vpc_id'], 'cidr_block': peer_vpc['cidr_block'], 'region': peer_vpc['region'] } account = peer_vpc['account'] # assume_role is the role to assume to provision the # peering connection request, through the accepter AWS account. account['assume_role'] = \ ocm.get_aws_infrastructure_access_terraform_assume_role( cluster, peer_vpc['account']['uid'], peer_vpc['account']['terraformUsername'] ) account['assume_region'] = requester['region'] account['assume_cidr'] = requester['cidr_block'] aws_api = AWSApi(1, [account], settings=settings) requester_vpc_id, requester_route_table_ids = \ aws_api.get_cluster_vpc_id( account, route_tables=peer_connection.get('manageRoutes') ) if requester_vpc_id is None: logging.error(f'[{cluster} could not find VPC ID for cluster') error = True continue requester['vpc_id'] = requester_vpc_id requester['route_table_ids'] = requester_route_table_ids requester['account'] = account accepter['account'] = account item = { 'connection_provider': peer_connection_provider, 'connection_name': connection_name, 'requester': requester, 'accepter': accepter, 'deleted': peer_connection.get('delete', False) } desired_state.append(item) return desired_state, error