示例#1
文件: test_utils.py 项目: aws/aws-cli
 def test_get_policy_arn_suffix(self):
     """Check the partition suffix utils.get_policy_arn_suffix returns per region."""
     # (region, expected suffix) pairs, asserted in this order. The China and
     # GovCloud regions must map to their own suffixes rather than to "aws".
     expected_by_region = (
         ("cn-northwest-1", "aws-cn"),
         ("cn-northwest-2", "aws-cn"),
         ("cn-north-1", "aws-cn"),
         ("us-gov-west-1", "aws-us-gov"),
         ("ca-central-1", "aws"),
         ("us-east-1", "aws"),
         ("sa-east-1", "aws"),
         ("ap-south-1", "aws"),
     )
     for region, expected_suffix in expected_by_region:
         self.assertEqual(expected_suffix,
                          utils.get_policy_arn_suffix(region))
示例#2
    def _update_role_trust_policy(self, parsed_globals):
        """Add the computed trust statement to the role's assume-role policy.

        A statement is rendered from TRUST_POLICY_STATEMENT_FORMAT using the
        cluster's account id and OIDC issuer id, the namespace, the
        Base36-encoded role name and the partition suffix for the region.
        It is then compared with the role's current assume-role policy
        document and appended only when it is not already present.

        :param parsed_globals: object whose ``verify_ssl`` attribute is passed
            as ``verify`` to both the EKS and the IAM client.
        :return: the "already exists" message when the statement is present;
            otherwise the amended document as indented JSON when
            ``self._dry_run`` is set, or the success message once the IAM
            client has written the amended document.
        """
        encoder = Base36()

        eks = EKS(
            self._session.create_client(
                'eks',
                region_name=self._region,
                verify=parsed_globals.verify_ssl))

        account_id = eks.get_account_id(self._cluster_name)
        oidc_provider = eks.get_oidc_issuer_id(self._cluster_name)

        encoded_role_name = encoder.encode(self._role_name)
        LOG.debug('Base36 encoded role name: %s', encoded_role_name)

        substitutions = {
            "AWS_ACCOUNT_ID": account_id,
            "OIDC_PROVIDER": oidc_provider,
            "NAMESPACE": self._namespace,
            "BASE36_ENCODED_ROLE_NAME": encoded_role_name,
            "AWS_PARTITION": get_policy_arn_suffix(self._region)
        }
        new_statement = json.loads(
            TRUST_POLICY_STATEMENT_FORMAT % substitutions)

        # The rendered statement (account id and OIDC issuer id included) is
        # written to the debug log only.
        LOG.debug('Computed Trust Policy Statement:\n%s',
                  json.dumps(new_statement, indent=2))

        iam = IAM(
            self._session.create_client(
                'iam',
                region_name=self._region,
                endpoint_url=self._endpoint_url,
                verify=parsed_globals.verify_ssl))

        policy_document = iam.get_assume_role_policy(self._role_name)

        # Nothing to change when the statement is already in the document.
        if check_if_statement_exists(new_statement, policy_document):
            return TRUST_POLICY_STATEMENT_ALREADY_EXISTS % self._role_name

        LOG.debug('Role %s does not have the required trust policy ',
                  self._role_name)

        # Existing statements are kept; the new one is added after them.
        current_statements = policy_document.get("Statement")
        if current_statements is not None:
            current_statements.append(new_statement)
        else:
            policy_document["Statement"] = [new_statement]

        # The trust policy controls who may assume the role, so a dry run
        # returns the full amended document for inspection and writes nothing.
        if self._dry_run:
            return json.dumps(policy_document, indent=2)

        LOG.debug('Updating trust policy of role %s', self._role_name)
        iam.update_assume_role_policy(self._role_name, policy_document)
        return TRUST_POLICY_UPDATE_SUCCESSFUL % self._role_name
示例#3
 def test_get_policy_arn_suffix(self):
     """Verify the region-to-suffix mapping of utils.get_policy_arn_suffix."""
     # Regions grouped by the suffix they are expected to yield; the groups
     # and the regions inside them are checked in the order written here.
     regions_by_suffix = (
         ("aws-cn", ("cn-northwest-1", "cn-northwest-2", "cn-north-1")),
         ("aws-us-gov", ("us-gov-west-1",)),
         ("aws", ("ca-central-1", "us-east-1", "sa-east-1", "ap-south-1")),
     )
     for suffix, regions in regions_by_suffix:
         for region in regions:
             self.assertEqual(suffix, utils.get_policy_arn_suffix(region))
def get_role_policy_arn(region, policy_name):
    """Return ROLE_ARN_PATTERN with both of its placeholders filled in.

    ``{{region_suffix}}`` is replaced by the suffix that
    get_policy_arn_suffix returns for *region*, and ``{{policy_name}}`` by
    *policy_name*.
    """
    suffix = get_policy_arn_suffix(region)
    # NOTE(review): policy_name is inserted verbatim, with no validation
    # visible here - confirm callers only pass trusted names.
    return (ROLE_ARN_PATTERN
            .replace("{{region_suffix}}", suffix)
            .replace("{{policy_name}}", policy_name))
示例#5
def get_policy_arn(region, policy_name):
    """Return POLICY_ARN_PATTERN formatted for *region* and *policy_name*.

    The first positional field receives the suffix from
    get_policy_arn_suffix(region), the second receives *policy_name*.
    """
    # Resolve the suffix first so the ARN lands in the partition that
    # matches the region.
    format_args = (get_policy_arn_suffix(region), policy_name)
    return POLICY_ARN_PATTERN.format(*format_args)
示例#6
def get_policy_arn(region, policy_name):
    """Build a policy ARN string from POLICY_ARN_PATTERN.

    The pattern's two positional fields are filled, in order, with the
    suffix get_policy_arn_suffix returns for *region* and with *policy_name*.
    """
    partition_suffix = get_policy_arn_suffix(region)
    policy_arn = POLICY_ARN_PATTERN.format(partition_suffix, policy_name)
    return policy_arn
示例#7
def get_role_policy_arn(region, policy_name):
    """Fill the placeholders of ROLE_ARN_PATTERN and return the result.

    The suffix comes from get_policy_arn_suffix(region); *policy_name* is
    substituted exactly as given.
    """
    suffix = get_policy_arn_suffix(region)
    # Placeholder -> value, applied in this order.
    substitutions = (
        ("{{region_suffix}}", suffix),
        ("{{policy_name}}", policy_name),
    )
    arn = ROLE_ARN_PATTERN
    for placeholder, value in substitutions:
        arn = arn.replace(placeholder, value)
    return arn