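def read_aws_iam_role_document_to_string(logger=None,
                                         path_to_role_document="",
                                         is_app_role=False,
                                         aws_access_key_id="",
                                         aws_secret_access_key="",
                                         log_indentation=""):
    """Read an IAM role policy document from a local file into a string.

    Args:
        logger: Logger used for progress output. When ``None`` a module
            logger is used instead of failing on the first ``logger.info``.
        path_to_role_document: Path of the local policy-document file.
        is_app_role: When true, every ``MY_ACCOUNT_ID`` placeholder in the
            document is replaced with the caller's AWS account id, which is
            looked up through ``get_aws_account_id``.
        aws_access_key_id: AWS credential forwarded to ``get_aws_account_id``;
            only used when ``is_app_role`` is true and never written to the
            log by this function.
        aws_secret_access_key: AWS credential forwarded alongside the key id;
            same handling.
        log_indentation: Prefix prepended to every log line.

    Returns:
        The document text, with the account-id placeholder filled in when
        ``is_app_role`` is true.

    Raises:
        OSError: if the document file cannot be opened or read.
        UnicodeDecodeError: if the file is not valid UTF-8.
    """
    if logger is None:
        import logging
        logger = logging.getLogger(__name__)

    logger.info(
        log_indentation +
        "START: Read AWS IAM Role-Policy-Document from local to string...")

    ### Step 01: Read the input file for Role Policy Document Content
    # Explicit encoding: the document is text handed to IAM and must not
    # depend on the host locale.
    with open(path_to_role_document, "r", encoding="utf-8") as input_file_stream:
        role_policy_doc = input_file_stream.read()

    if is_app_role:
        logger.info(
            log_indentation +
            "This is aviatrix-role-app. Therefore, it needs to get AWS Account ID Number..."
        )
        ### Step 02: Get AWS Account ID Number
        aws_account_id = get_aws_account_id(
            logger=logger,
            aws_access_key_id=aws_access_key_id,
            aws_secret_access_key=aws_secret_access_key,
            log_indentation=log_indentation + "    ")

        ### Step 03: Fill AWS Account ID into the doc
        role_policy_doc = role_policy_doc.replace("MY_ACCOUNT_ID",
                                                  aws_account_id)

    # The full document (including any substituted account id) is echoed to
    # the log so the exact policy submitted to IAM can be audited later.
    logger.info(log_indentation + "    Role-Policy-Document is: \n" +
                role_policy_doc)
    logger.info(
        log_indentation +
        "ENDED: Read AWS IAM Role-Policy-Document from local to string...\n")
    return role_policy_doc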
    ##### Step 04: Create EC2 Role
    ec2_role_created_by_script, instance_profile_arn = create_aviatrix_role_ec2(
                                                                logger=logger,
                                                                aws_access_key_id=aws_access_key_id,
                                                                aws_secret_access_key=aws_secret_access_key
                                                                )
    result["AWS"]["ec2_role_created_by_script"] = ec2_role_created_by_script
    write_py_dict_to_config_file(logger=logger, py_dict=result, path_to_file=path_to_result_file)

    logger.info(msg="EC2 Role created by script? " + str(ec2_role_created_by_script) + "\n")


    ##### Step 05-a: Create APP Role (Get AWS Account ID)
    aws_account_id = get_aws_account_id(logger=logger,
                                        aws_access_key_id=aws_access_key_id,
                                        aws_secret_access_key=aws_secret_access_key
                                        )

    ##### Step 05-b: Create APP Role
    app_role_created_by_script = create_aviatrix_role_app(logger=logger,
                                                          aws_account_id=aws_account_id,
                                                          aws_access_key_id=aws_access_key_id,
                                                          aws_secret_access_key=aws_secret_access_key
                                                          )
    result["AWS"]["aws_account_id"]             = aws_account_id
    result["AWS"]["app_role_created_by_script"] = app_role_created_by_script
    write_py_dict_to_config_file(logger=logger, py_dict=result, path_to_file=path_to_result_file)
    logger.info(msg="APP Role created by script? " + str(app_role_created_by_script) + "\n")


    ##### Step 06-a: Create VPC
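def create_aviatrix_role_ec2(
        logger=None,
        role_name="aviatrix-role-ec2",
        path_to_role_document="./config/assume_role_policy_document_for_ec2_role.txt",
        policy_name="aviatrix-ec2-policy",
        url_to_assume_role_policy="https://s3-us-west-2.amazonaws.com/aviatrix-download/iam_assume_role_policy.txt",
        path_to_policy_file="./result/aviatrix-ec2-policy.txt",
        aws_access_key_id="",
        aws_secret_access_key="",
        log_indentation=""
        ):
    """Create the Aviatrix EC2 IAM role, its instance profile and its policy.

    Steps, in order (each delegated to the project's IAM helpers):
      1. If ``role_name`` already exists and already has a policy attached,
         return immediately with the instance-profile ARN for that role.
      2. Create the role from the local trust document at
         ``path_to_role_document``.
      3. Create an instance profile named ``role_name`` and add the role to it.
      4. Download the Aviatrix policy from ``url_to_assume_role_policy`` to
         ``path_to_policy_file``, create it as ``policy_name`` and attach it
         to the role.

    Args:
        logger: Logger for progress output; a module logger is used when
            ``None`` rather than failing on the first ``logger.info``.
        role_name: IAM role (and instance-profile) name to create.
        path_to_role_document: Local trust-policy document for the role.
        policy_name: Name of the managed policy to create and attach.
        url_to_assume_role_policy: Where the policy body is downloaded from.
        path_to_policy_file: Local path the downloaded policy is saved to.
        aws_access_key_id: AWS credential forwarded to every helper; never
            written to the log by this function.
        aws_secret_access_key: AWS credential forwarded alongside the key id.
        log_indentation: Prefix prepended to every log line.

    Returns:
        ``(role_created_by_this_function, instance_profile_arn)``.
        The flag is True only when ``create_role`` returned a role id in this
        call. The ARN comes from ``create_iam_instance_profile``, or is built
        from the account id when the role already existed; if a step fails
        before it is known, the placeholder ``AWS_ACCOUNT_ID`` is left in it.

    Any ``Exception`` raised by a helper is logged with its traceback and
    swallowed, and the defaults above are returned. The ``return`` is kept
    outside ``finally`` on purpose so that ``KeyboardInterrupt`` and
    ``SystemExit`` propagate instead of being silently discarded.
    """
    if logger is None:
        import logging
        logger = logging.getLogger(__name__)

    logger.info(log_indentation + "START: Create Aviatrix EC2 Role")

    role_created_by_this_function = False
    # Placeholder ARN, derived from role_name so a custom role name does not
    # yield an ARN for a different role. Only returned if a step fails before
    # the real ARN is known.
    instance_profile_arn = "arn:aws:iam::AWS_ACCOUNT_ID:instance-profile/" + role_name
    step_indent = log_indentation + "    "

    try:
        ##### IAM Role Creation Step 01: Find out if the role exists and is already set up
        if _ec2_role_is_ready(logger, role_name, aws_access_key_id,
                              aws_secret_access_key, log_indentation):
            aws_account_id = get_aws_account_id(logger=logger,
                                                aws_access_key_id=aws_access_key_id,
                                                aws_secret_access_key=aws_secret_access_key,
                                                log_indentation=step_indent)
            instance_profile_arn = ("arn:aws:iam::" + aws_account_id +
                                    ":instance-profile/" + role_name)
        else:
            ##### IAM Role Creation Step 02: Read Role-Policy-Document from local
            logger.info(step_indent + "IAM Role Creation Step 02: Read Role-Policy-Document from local")
            role_policy_document = read_aws_iam_role_document_to_string(
                logger=logger,
                path_to_role_document=path_to_role_document,
                is_app_role=False,
                log_indentation=step_indent)

            ##### IAM Role Creation Step 03: Create IAM Role with Role-Policy-Document
            logger.info(step_indent + "IAM Role Creation Step 03: Create IAM Role")
            role_id, _role_arn = create_role(logger=logger,
                                             role_name=role_name,
                                             role_policy_document=role_policy_document,
                                             aws_access_key_id=aws_access_key_id,
                                             aws_secret_access_key=aws_secret_access_key,
                                             log_indentation=step_indent)
            # Set as soon as the role exists so a later failure still reports it.
            role_created_by_this_function = bool(role_id)

            ##### Instance Profile Creation: Step 01: Create Instance Profile
            logger.info(step_indent + "Instance Profile Creation: Step 01: Create Instance Profile")
            instance_profile_name, _instance_profile_id, instance_profile_arn = create_iam_instance_profile(
                logger=logger,
                instance_profile_name=role_name,
                aws_access_key_id=aws_access_key_id,
                aws_secret_access_key=aws_secret_access_key,
                log_indentation=step_indent)

            ##### Instance Profile Creation: Step 02:  Add EC2 Role to Instance-Profile
            logger.info(step_indent + "Instance Profile Creation: Step 02:  Add EC2 Role to Instance-Profile")
            add_role_to_instance_profile(logger=logger,
                                         role_name=role_name,
                                         instance_profile_name=instance_profile_name,
                                         aws_access_key_id=aws_access_key_id,
                                         aws_secret_access_key=aws_secret_access_key,
                                         log_indentation=step_indent)
            # NOTE: upstream left a commented-out sleep here; if the attach
            # below fails intermittently, IAM eventual consistency is the
            # first thing to suspect.

            ##### IAM Policy Creation: download, create (or reuse) and resolve the ARN
            policy_arn = _ensure_ec2_policy_arn(logger, policy_name,
                                                url_to_assume_role_policy,
                                                path_to_policy_file,
                                                aws_access_key_id,
                                                aws_secret_access_key,
                                                log_indentation)

            ##### Attach IAM Role & IAM Policy
            logger.info(step_indent + "Attach IAM Role & IAM Policy")
            attach_role_policy(logger=logger,
                               role_name=role_name,
                               policy_arn=policy_arn,
                               aws_access_key_id=aws_access_key_id,
                               aws_secret_access_key=aws_secret_access_key,
                               log_indentation=step_indent)

    except Exception:
        # Broad on purpose: callers rely on getting a (flag, arn) result from
        # this boundary; the failure is surfaced at ERROR level with traceback
        # rather than buried at INFO.
        logger.exception(step_indent + "Create Aviatrix EC2 Role failed; returning defaults")
    finally:
        logger.info(log_indentation + "ENDED: Create Aviatrix EC2 Role\n")
    return role_created_by_this_function, instance_profile_arn


def _ec2_role_is_ready(logger, role_name, aws_access_key_id,
                       aws_secret_access_key, log_indentation):
    """Return truthy when *role_name* exists and already has a policy attached.

    ``is_role_attached_with_policy`` is only consulted when ``find_role``
    reports the role, so a missing role costs a single lookup.
    """
    step_indent = log_indentation + "    "
    logger.info(step_indent + "IAM Role Creation Step 01: Find out if " + role_name + " exists")
    role_already_exists = find_role(logger=logger,
                                    target_role_name=role_name,
                                    aws_access_key_id=aws_access_key_id,
                                    aws_secret_access_key=aws_secret_access_key,
                                    log_indentation=step_indent)
    logger.info(log_indentation + "        " + role_name + " already exists? " +
                str(role_already_exists) + "\n")
    return role_already_exists and is_role_attached_with_policy(
        logger=logger,
        role_name=role_name,
        aws_access_key_id=aws_access_key_id,
        aws_secret_access_key=aws_secret_access_key,
        log_indentation=step_indent)


def _ensure_ec2_policy_arn(logger, policy_name, url_to_assume_role_policy,
                           path_to_policy_file, aws_access_key_id,
                           aws_secret_access_key, log_indentation):
    """Download the Aviatrix EC2 policy, create it in IAM and return its ARN.

    If ``create_iam_policy`` raises (typically because the policy already
    exists) the error is logged and the ARN the policy has in this account,
    ``arn:aws:iam::<account>:policy/<policy_name>``, is returned instead so
    the caller can still attach it.
    """
    step_indent = log_indentation + "    "

    ##### IAM Policy Creation Step 01: Download the AWS Policy from Aviatrix Website to local
    logger.info(step_indent +
                "IAM Policy Creation Step 01: Download the AWS Policy from Aviatrix Website to local")
    # NOTE(review): the downloaded policy text is applied to the account as-is;
    # no integrity check (hash or signature) is visible in this function.
    # Confirm download_aviatrix_aws_iam_policy verifies it, or pin a reviewed
    # local copy.
    download_aviatrix_aws_iam_policy(logger=logger,
                                     url=url_to_assume_role_policy,
                                     save_to=path_to_policy_file,
                                     log_indentation=step_indent)

    ##### IAM Policy Creation Step 02: Read IAM Policy from local
    logger.info(step_indent + "IAM Policy Creation Step 02: Read IAM Policy from local")
    with open(path_to_policy_file, "r", encoding="utf-8") as input_file_stream:
        policy_content = input_file_stream.read()

    # Default ARN, derived from policy_name, in case creation fails because
    # the policy already exists.
    logger.info(step_indent +
                "Give policy_arn a default value in case creation fails due to policy already exists")
    aws_account_id = get_aws_account_id(logger=logger,
                                        aws_access_key_id=aws_access_key_id,
                                        aws_secret_access_key=aws_secret_access_key,
                                        log_indentation=step_indent)
    policy_arn = "arn:aws:iam::" + aws_account_id + ":policy/" + policy_name

    try:
        ##### IAM Policy Creation Step 03: Create IAM Policy
        logger.info(step_indent + "IAM Policy Creation Step 03: Create IAM Policy")
        _policy_id, policy_arn = create_iam_policy(logger=logger,
                                                   policy_name=policy_name,
                                                   policy_body_content=policy_content,
                                                   aws_access_key_id=aws_access_key_id,
                                                   aws_secret_access_key=aws_secret_access_key,
                                                   log_indentation=step_indent)
    except Exception:
        # Continue with the default ARN; the role/policy attach can still succeed.
        logger.exception(step_indent + "Create IAM Policy failed; using default policy_arn")
    return policy_arn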