def _release_factory(): boto_session = assume_role(root_session, global_config.dev_account_id, get_role_session_name(os.environ)) ecr_client = boto_session.client('ecr') release_config = ReleaseConfig(global_config.dev_account_id, global_config.prod_account_id, metadata.aws_region) return Release(release_config, ecr_client, component_name, version)
def migrate_state( root_session, account_scheme, old_scheme, team, component_name, ): release_account_session = assume_role( root_session, account_scheme.release_account, ) release_s3 = release_account_session.resource('s3') for account in old_scheme.accounts: logger.debug(f'Looking for state in account {account.alias}') session = assume_role(root_session, account) state_bucket = S3BucketFactory(session).get_bucket_name() prefixes = get_bucket_prefixes(session, state_bucket) logger.debug(f'State bucket {state_bucket} has prefixes: {prefixes}') s3 = session.resource('s3') for env in [p.strip('/') for p in prefixes]: migrated_flag = release_s3.Object( account_scheme.backend_s3_bucket, f'{team}/{component_name}/{env}/MIGRATED', ) old_state = s3.Object( state_bucket, f'{env}/{component_name}/terraform.tfstate', ) if key_exists(old_state) and not is_migrated(migrated_flag): logger.debug( 'Not migrated, checking for state at: ' f'{env}/{component_name}/terraform.tfstate', ) old_state_content = old_state.get()['Body'].read() logger.debug( f'Putting state into {account_scheme.backend_s3_bucket} ' f'under {team}/{component_name}/{env}/terraform.tfstate', ) new_state = release_s3.Object( account_scheme.backend_s3_bucket, f'{team}/{component_name}/{env}/terraform.tfstate', ) new_state.put(Body=old_state_content) migrated_flag.put(Body=b'1')
def _deploy_monitor_factory(): is_prod = environment_name == 'live' if is_prod: account_id = global_config.prod_account_id else: account_id = global_config.dev_account_id boto_session = assume_role(root_session, account_id, get_role_session_name(os.environ)) events = ECSEventIterator(metadata.ecs_cluster, environment_name, component_name, version, boto_session) return ECSMonitor(events)
def test_role_is_assumed(self, MockSession): mock_root_session = Mock() mock_root_session.region_name = 'eu-west-12' mock_session = Mock() MockSession.return_value = mock_session mock_sts = Mock() user_id = 'foo' mock_sts.get_caller_identity.return_value = { u'UserId': user_id, 'Arn': f'role/{user_id}' } mock_sts.assume_role.return_value = { 'Credentials': { 'AccessKeyId': 'dummy-access-key-id', 'SecretAccessKey': 'dummy-secret-access-key', 'SessionToken': 'dummy-session-token', 'Expiration': datetime(2015, 1, 1) }, 'AssumedRoleUser': { 'AssumedRoleId': 'dummy-assumed-role-id', 'Arn': 'dummy-arn' }, 'PackedPolicySize': 123 } mock_root_session.client.return_value = mock_sts account_id = 123456789 role_name = 'test-role-name' region = 'us-east-99' account = Account('account-alias', account_id, role_name, region) session = config.assume_role(mock_root_session, account) assert session is mock_session mock_root_session.client.assert_called_once_with('sts') mock_sts.assume_role.assert_called_once_with( DurationSeconds=14400, RoleArn='arn:aws:iam::{}:role/{}'.format(account_id, role_name), RoleSessionName=user_id, ) MockSession.assert_called_once_with( 'dummy-access-key-id', 'dummy-secret-access-key', 'dummy-session-token', region, )
def _destroy_factory(): is_prod = environment_name == 'live' if is_prod: account_id = global_config.prod_account_id else: account_id = global_config.dev_account_id boto_session = assume_role(root_session, account_id, get_role_session_name(os.environ)) s3_bucket_factory = S3BucketFactory(boto_session, account_id) s3_bucket = s3_bucket_factory.get_bucket_name() write_terragrunt_config(metadata.aws_region, s3_bucket, environment_name, component_name) return Destroy(boto_session, component_name, environment_name, s3_bucket)
def test_role_is_assumed(self, MockSession): mock_root_session = Mock() mock_root_session.region_name = 'eu-west-12' mock_session = Mock() MockSession.return_value = mock_session mock_sts = Mock() mock_sts.assume_role.return_value = { 'Credentials': { 'AccessKeyId': 'dummy-access-key-id', 'SecretAccessKey': 'dummy-secret-access-key', 'SessionToken': 'dummy-session-token', 'Expiration': datetime(2015, 1, 1) }, 'AssumedRoleUser': { 'AssumedRoleId': 'dummy-assumed-role-id', 'Arn': 'dummy-arn' }, 'PackedPolicySize': 123 } mock_root_session.client.return_value = mock_sts account_id = 123456789 session_name = 'dummy-session-name' session = config.assume_role(mock_root_session, account_id, session_name) assert session is mock_session mock_root_session.client.assert_called_once_with('sts') mock_sts.assume_role.assert_called_once_with( RoleArn='arn:aws:iam::{}:role/admin'.format(account_id), RoleSessionName=session_name, ) MockSession.assert_called_once_with( 'dummy-access-key-id', 'dummy-secret-access-key', 'dummy-session-token', 'eu-west-12', )
def _deploy_factory(): is_prod = environment_name == 'live' if is_prod: account_id = global_config.prod_account_id else: account_id = global_config.dev_account_id platform_config_file = get_platform_config_path( metadata.account_prefix, metadata.aws_region, is_prod) boto_session = assume_role(root_session, account_id, get_role_session_name(os.environ)) s3_bucket_factory = S3BucketFactory(boto_session, account_id) s3_bucket = s3_bucket_factory.get_bucket_name() write_terragrunt_config(metadata.aws_region, s3_bucket, environment_name, component_name) deploy_config = DeployConfig( team=metadata.team, platform_config_file=platform_config_file, ) return Deploy(boto_session, component_name, environment_name, additional_variables, deploy_config)