def _release_factory():
boto_session = assume_role(root_session, global_config.dev_account_id,
get_role_session_name(os.environ))
ecr_client = boto_session.client('ecr')
release_config = ReleaseConfig(global_config.dev_account_id,
global_config.prod_account_id,
metadata.aws_region)
return Release(release_config, ecr_client, component_name, version)
def migrate_state(
root_session, account_scheme, old_scheme, team, component_name,
):
release_account_session = assume_role(
root_session, account_scheme.release_account,
)
release_s3 = release_account_session.resource('s3')
for account in old_scheme.accounts:
logger.debug(f'Looking for state in account {account.alias}')
session = assume_role(root_session, account)
state_bucket = S3BucketFactory(session).get_bucket_name()
prefixes = get_bucket_prefixes(session, state_bucket)
logger.debug(f'State bucket {state_bucket} has prefixes: {prefixes}')
s3 = session.resource('s3')
for env in [p.strip('/') for p in prefixes]:
migrated_flag = release_s3.Object(
account_scheme.backend_s3_bucket,
f'{team}/{component_name}/{env}/MIGRATED',
)
old_state = s3.Object(
state_bucket, f'{env}/{component_name}/terraform.tfstate',
)
if key_exists(old_state) and not is_migrated(migrated_flag):
logger.debug(
'Not migrated, checking for state at: '
f'{env}/{component_name}/terraform.tfstate',
)
old_state_content = old_state.get()['Body'].read()
logger.debug(
f'Putting state into {account_scheme.backend_s3_bucket} '
f'under {team}/{component_name}/{env}/terraform.tfstate',
)
new_state = release_s3.Object(
account_scheme.backend_s3_bucket,
f'{team}/{component_name}/{env}/terraform.tfstate',
)
new_state.put(Body=old_state_content)
migrated_flag.put(Body=b'1')
def _deploy_monitor_factory():
is_prod = environment_name == 'live'
if is_prod:
account_id = global_config.prod_account_id
else:
account_id = global_config.dev_account_id
boto_session = assume_role(root_session, account_id,
get_role_session_name(os.environ))
events = ECSEventIterator(metadata.ecs_cluster, environment_name,
component_name, version, boto_session)
return ECSMonitor(events)
def test_role_is_assumed(self, MockSession):
mock_root_session = Mock()
mock_root_session.region_name = 'eu-west-12'
mock_session = Mock()
MockSession.return_value = mock_session
mock_sts = Mock()
user_id = 'foo'
mock_sts.get_caller_identity.return_value = {
u'UserId': user_id,
'Arn': f'role/{user_id}'
}
mock_sts.assume_role.return_value = {
'Credentials': {
'AccessKeyId': 'dummy-access-key-id',
'SecretAccessKey': 'dummy-secret-access-key',
'SessionToken': 'dummy-session-token',
'Expiration': datetime(2015, 1, 1)
},
'AssumedRoleUser': {
'AssumedRoleId': 'dummy-assumed-role-id',
'Arn': 'dummy-arn'
},
'PackedPolicySize': 123
}
mock_root_session.client.return_value = mock_sts
account_id = 123456789
role_name = 'test-role-name'
region = 'us-east-99'
account = Account('account-alias', account_id, role_name, region)
session = config.assume_role(mock_root_session, account)
assert session is mock_session
mock_root_session.client.assert_called_once_with('sts')
mock_sts.assume_role.assert_called_once_with(
DurationSeconds=14400,
RoleArn='arn:aws:iam::{}:role/{}'.format(account_id, role_name),
RoleSessionName=user_id,
)
MockSession.assert_called_once_with(
'dummy-access-key-id',
'dummy-secret-access-key',
'dummy-session-token',
region,
)
def _destroy_factory():
is_prod = environment_name == 'live'
if is_prod:
account_id = global_config.prod_account_id
else:
account_id = global_config.dev_account_id
boto_session = assume_role(root_session, account_id,
get_role_session_name(os.environ))
s3_bucket_factory = S3BucketFactory(boto_session, account_id)
s3_bucket = s3_bucket_factory.get_bucket_name()
write_terragrunt_config(metadata.aws_region, s3_bucket,
environment_name, component_name)
return Destroy(boto_session, component_name, environment_name,
s3_bucket)
def test_role_is_assumed(self, MockSession):
mock_root_session = Mock()
mock_root_session.region_name = 'eu-west-12'
mock_session = Mock()
MockSession.return_value = mock_session
mock_sts = Mock()
mock_sts.assume_role.return_value = {
'Credentials': {
'AccessKeyId': 'dummy-access-key-id',
'SecretAccessKey': 'dummy-secret-access-key',
'SessionToken': 'dummy-session-token',
'Expiration': datetime(2015, 1, 1)
},
'AssumedRoleUser': {
'AssumedRoleId': 'dummy-assumed-role-id',
'Arn': 'dummy-arn'
},
'PackedPolicySize': 123
}
mock_root_session.client.return_value = mock_sts
account_id = 123456789
session_name = 'dummy-session-name'
session = config.assume_role(mock_root_session, account_id,
session_name)
assert session is mock_session
mock_root_session.client.assert_called_once_with('sts')
mock_sts.assume_role.assert_called_once_with(
RoleArn='arn:aws:iam::{}:role/admin'.format(account_id),
RoleSessionName=session_name,
)
MockSession.assert_called_once_with(
'dummy-access-key-id',
'dummy-secret-access-key',
'dummy-session-token',
'eu-west-12',
)
def _deploy_factory():
is_prod = environment_name == 'live'
if is_prod:
account_id = global_config.prod_account_id
else:
account_id = global_config.dev_account_id
platform_config_file = get_platform_config_path(
metadata.account_prefix, metadata.aws_region, is_prod)
boto_session = assume_role(root_session, account_id,
get_role_session_name(os.environ))
s3_bucket_factory = S3BucketFactory(boto_session, account_id)
s3_bucket = s3_bucket_factory.get_bucket_name()
write_terragrunt_config(metadata.aws_region, s3_bucket,
environment_name, component_name)
deploy_config = DeployConfig(
team=metadata.team,
platform_config_file=platform_config_file,
)
return Deploy(boto_session, component_name, environment_name,
additional_variables, deploy_config)
