def aws_account_from_infrastructure_access(cluster, access_level: str, ocm_map: OCMMap):
    """
    Generate an AWS account object from a cluster's awsInfrastructureAccess
    groups and access levels.

    Every entry of ``cluster['awsInfrastructureAccess']`` whose ``accessLevel``
    equals *access_level* is turned into an account dict. The loop does not
    stop at the first match: when several entries match, OCM is asked for an
    assume role once per entry and the last one wins.

    :param cluster: cluster dict with ``name``, ``spec.region``,
        ``network.vpc`` and ``awsInfrastructureAccess`` keys
    :param access_level: access level to select (string comparison)
    :param ocm_map: OCMMap used to look up the OCM client for the cluster
    :return: the account dict, or ``None`` when no entry matches
    """
    cluster_name = cluster['name']
    ocm = ocm_map.get(cluster_name)

    def account_from(aws_group_account):
        # Keys are read in the same order they are emitted so that a missing
        # key surfaces as the same KeyError as before.
        name = aws_group_account['name']
        uid = aws_group_account['uid']
        tf_user = aws_group_account['terraformUsername']
        # automationToken is passed through untouched; presumably a
        # credential reference, so keep this dict out of logs - TODO confirm
        token = aws_group_account['automationToken']
        assume_role = ocm.get_aws_infrastructure_access_terraform_assume_role(
            cluster_name, uid, tf_user)
        return {
            'name': name,
            'uid': uid,
            'terraformUsername': tf_user,
            'automationToken': token,
            'assume_role': assume_role,
            'assume_region': cluster['spec']['region'],
            'assume_cidr': cluster['network']['vpc'],
        }

    account = None
    for aws_access in cluster['awsInfrastructureAccess']:
        if aws_access.get('accessLevel', "") != access_level:
            continue
        account = account_from(aws_access['awsGroup']['account'])
    return account
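def build_desired_state_vpc_single_cluster(cluster_info, ocm: OCM, awsapi: AWSApi):
    """
    Build the desired VPC peering state for a single cluster.

    Only peering connections whose ``provider`` is ``account-vpc`` are
    considered; any other provider is skipped. The requester side is the
    cluster's own VPC, the accepter side is the peered AWS account's VPC.
    The accepter account is shallow-copied before the ``assume_*`` keys are
    added, so the caller's ``cluster_info`` is left untouched.

    :param cluster_info: cluster dict with ``name``, ``network.vpc``,
        ``spec.region`` and ``peering.connections`` keys
    :param ocm: OCM client used to obtain the role to assume in the
        accepter AWS account
    :param awsapi: AWSApi used to resolve the requester VPC id and route
        tables
    :return: list of desired-state items, one per account-vpc connection
    :raises BadTerraformPeeringState: when the cluster VPC id cannot be
        resolved in AWS
    """
    desired_state = []
    peering_info = cluster_info['peering']
    peer_connections = peering_info['connections']
    cluster = cluster_info['name']

    for peer_connection in peer_connections:
        # We only care about account-vpc peering providers
        peer_connection_provider = peer_connection['provider']
        if peer_connection_provider != 'account-vpc':
            continue

        # requester is the cluster's AWS account
        requester = {
            'cidr_block': cluster_info['network']['vpc'],
            'region': cluster_info['spec']['region'],
        }

        connection_name = peer_connection['name']
        peer_vpc = peer_connection['vpc']
        # accepter is the peered AWS account
        accepter = {
            'vpc_id': peer_vpc['vpc_id'],
            'cidr_block': peer_vpc['cidr_block'],
            'region': peer_vpc['region'],
        }

        # Shallow copy: the assume_* keys below exist only for terraform
        # and must not be written back into the caller's cluster_info.
        account = dict(peer_vpc['account'])
        # assume_role is the role to assume to provision the peering
        # connection request, through the accepter AWS account.
        account['assume_role'] = \
            ocm.get_aws_infrastructure_access_terraform_assume_role(
                cluster,
                account['uid'],
                account['terraformUsername'],
            )
        account['assume_region'] = requester['region']
        account['assume_cidr'] = requester['cidr_block']

        requester_vpc_id, requester_route_table_ids, _ = \
            awsapi.get_cluster_vpc_details(
                account,
                route_tables=peer_connection.get('manageRoutes'),
            )
        if requester_vpc_id is None:
            # bracket was unbalanced before: '[{cluster} could not ...'
            raise BadTerraformPeeringState(
                f'[{cluster}] could not find VPC ID for cluster')
        requester['vpc_id'] = requester_vpc_id
        requester['route_table_ids'] = requester_route_table_ids

        # both sides deliberately reference the same account dict
        requester['account'] = account
        accepter['account'] = account

        desired_state.append({
            'connection_provider': peer_connection_provider,
            'connection_name': connection_name,
            'requester': requester,
            'accepter': accepter,
            'deleted': peer_connection.get('delete', False),
        })

    return desired_state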
def _build_infrastructure_assume_role(
        account: dict[str, Any],
        cluster: dict[str, Any],
        ocm: OCM) -> Optional[dict[str, Any]]:
    """
    Return an account dict enriched with the role to assume for *cluster*.

    OCM is asked for the terraform assume role of *account* on *cluster*.
    When OCM returns a falsy value no account dict is produced and ``None``
    is returned instead, so callers can skip the account.

    :param account: account dict with ``name``, ``uid``,
        ``terraformUsername`` and ``automationToken`` keys
    :param cluster: cluster dict with ``name``, ``spec.region`` and
        ``network.vpc`` keys
    :param ocm: OCM client for the cluster
    :return: account dict with ``assume_role``, ``assume_region`` and
        ``assume_cidr`` added, or ``None`` when no role is available
    """
    role = ocm.get_aws_infrastructure_access_terraform_assume_role(
        cluster['name'],
        account['uid'],
        account['terraformUsername'],
    )
    if not role:
        return None

    # copy the identity fields first (same key order as before), then the
    # terraform-specific assume_* fields
    enriched = {
        key: account[key]
        for key in ('name', 'uid', 'terraformUsername', 'automationToken')
    }
    enriched['assume_role'] = role
    enriched['assume_region'] = cluster['spec']['region']
    enriched['assume_cidr'] = cluster['network']['vpc']
    return enriched
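def build_desired_state_vpc_single_cluster(cluster_info, ocm: Optional[OCM], awsapi: AWSApi):
    """
    Build the desired VPC peering state for a single cluster.

    Only peering connections whose ``provider`` is ``account-vpc`` are
    considered; any other provider is skipped. The requester side is the
    cluster's own VPC, the accepter side is the peered AWS account's VPC.

    The role to assume in the accepter account comes from one of two places:
    an explicit ``assumeRole`` on the peering connection takes precedence and
    is used verbatim, otherwise it is obtained from OCM. Because an explicit
    ``assumeRole`` is trusted as given, it should be reviewed like any other
    credential-bearing piece of configuration.

    The accepter account is shallow-copied before the ``assume_*`` keys are
    added, so the caller's ``cluster_info`` is left untouched.

    :param cluster_info: cluster dict with ``name``, ``network.vpc``,
        ``spec.region`` and ``peering.connections`` keys
    :param ocm: OCM client, or ``None`` when every connection declares
        ``assumeRole`` itself
    :param awsapi: AWSApi used to resolve the requester VPC id and route
        tables
    :return: list of desired-state items, one per account-vpc connection
    :raises KeyError: when a connection has no ``assumeRole`` and no OCM
        client is available to derive one
    :raises BadTerraformPeeringState: when the cluster VPC id cannot be
        resolved in AWS
    """
    desired_state = []
    peering_info = cluster_info['peering']
    peer_connections = peering_info['connections']
    cluster = cluster_info['name']

    for peer_connection in peer_connections:
        # We only care about account-vpc peering providers
        peer_connection_provider = peer_connection['provider']
        if peer_connection_provider != 'account-vpc':
            continue

        # requester is the cluster's AWS account
        requester = {
            'cidr_block': cluster_info['network']['vpc'],
            'region': cluster_info['spec']['region'],
        }

        connection_name = peer_connection['name']
        peer_vpc = peer_connection['vpc']
        # accepter is the peered AWS account
        accepter = {
            'vpc_id': peer_vpc['vpc_id'],
            'cidr_block': peer_vpc['cidr_block'],
            'region': peer_vpc['region'],
        }

        # Shallow copy: the assume_* keys below exist only for terraform
        # and must not be written back into the caller's cluster_info.
        account = dict(peer_vpc['account'])

        # assume_role is the role to assume to provision the peering
        # connection request, through the accepter AWS account.
        provided_assume_role = peer_connection.get('assumeRole')
        # if an assume_role is provided, it means we don't need
        # to get the information from OCM. it likely means that
        # there is no OCM at all.
        if provided_assume_role:
            account['assume_role'] = provided_assume_role
        elif ocm is not None:
            account['assume_role'] = \
                ocm.get_aws_infrastructure_access_terraform_assume_role(
                    cluster,
                    account['uid'],
                    account['terraformUsername'],
                )
        else:
            # KeyError is kept for backwards compatibility with callers
            raise KeyError(
                f'[{cluster}] peering connection '
                f'{connection_name} must either specify assumeRole '
                'or ocm should be defined to obtain role to assume')
        account['assume_region'] = requester['region']
        account['assume_cidr'] = requester['cidr_block']

        requester_vpc_id, requester_route_table_ids, _ = \
            awsapi.get_cluster_vpc_details(
                account,
                route_tables=peer_connection.get('manageRoutes'),
            )
        if requester_vpc_id is None:
            raise BadTerraformPeeringState(
                f'[{cluster}] could not find VPC ID for cluster'
            )
        requester['vpc_id'] = requester_vpc_id
        requester['route_table_ids'] = requester_route_table_ids

        # both sides deliberately reference the same account dict
        requester['account'] = account
        accepter['account'] = account

        desired_state.append({
            'connection_provider': peer_connection_provider,
            'connection_name': connection_name,
            'requester': requester,
            'accepter': accepter,
            'deleted': peer_connection.get('delete', False),
        })

    return desired_state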