From 44ebbe402a11b8b1237eec5d60f6d53937c3a20d Mon Sep 17 00:00:00 2001
From: Tomoya Kabe
Date: Fri, 30 Mar 2018 16:40:27 +0900
Subject: [PATCH] Support MaxSessionDuration for roles
---
 lib/miam/client.rb | 14 +++++++++++++-
 lib/miam/driver.rb | 10 ++++++++++
 lib/miam/dsl/context/role.rb | 6 +++++-
 lib/miam/dsl/converter.rb | 8 ++++++++
 lib/miam/exporter.rb | 3 +++
 5 files changed, 39 insertions(+), 2 deletions(-)
diff --git a/lib/miam/client.rb b/lib/miam/client.rb
index 8c4b620..f730e06 100644
--- a/lib/miam/client.rb
+++ b/lib/miam/client.rb
@@ -255,12 +255,24 @@ def walk_role(role_name, expected_attrs, actual_attrs)
 log(:warn, "Role `#{role_name}`: 'path' cannot be updated", :color => :yellow)
 end
- updated = walk_assume_role_policy(role_name, expected_attrs[:assume_role_policy_document], actual_attrs[:assume_role_policy_document])
+ updated = walk_role_settings(role_name, {max_session_duration: expected_attrs[:max_session_duration]}, {max_session_duration: actual_attrs[:max_session_duration]})
+ updated = walk_assume_role_policy(role_name, expected_attrs[:assume_role_policy_document], actual_attrs[:assume_role_policy_document]) || updated
 updated = walk_role_instance_profiles(role_name, expected_attrs[:instance_profiles], actual_attrs[:instance_profiles]) || updated
 updated = walk_attached_managed_policies(:role, role_name, expected_attrs[:attached_managed_policies], actual_attrs[:attached_managed_policies]) || updated
 walk_policies(:role, role_name, expected_attrs[:policies], actual_attrs[:policies]) || updated
 end
+ def walk_role_settings(role_name, expected_settings, actual_settings)
+ updated = false
+
+ if expected_settings != actual_settings
+ @driver.update_role_settings(role_name, expected_settings, actual_settings)
+ updated = true
+ end
+
+ updated
+ end
+
 def walk_assume_role_policy(role_name, expected_assume_role_policy, actual_assume_role_policy)
 updated = false
 expected_assume_role_policy.sort_array!
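Review bot: `walk_role_settings`, added in the middle of this hunk, compares whole hashes and hands `expected_settings` straight to `@driver.update_role_settings`, which (per the driver hunk) forwards those keys as UpdateRole request parameters; that contract is not stated anywhere, so I would put above the `def`: `# Compares role-level settings hashes (currently only :max_session_duration) and issues one UpdateRole when they differ; returns true if an update was made.` The body can also be flattened to the guard-clause form used elsewhere: `return false if expected_settings == actual_settings` / `@driver.update_role_settings(role_name, expected_settings, actual_settings)` / `true`. Because any difference triggers the call, a nil on the actual side (role attributes produced by a path that does not set the key) would send `max_session_duration: nil` to the API; in this patch both the exporter and `create_role` populate it, but it is worth confirming there is no other producer of `actual_attrs`. walk_role's body starts before the hunk.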
diff --git a/lib/miam/driver.rb b/lib/miam/driver.rb
index 7c9f07c..5c0c73d 100644
--- a/lib/miam/driver.rb
+++ b/lib/miam/driver.rb
@@ -178,6 +178,7 @@ def create_role(role_name, attrs)
 params = {
 :role_name => role_name,
 :assume_role_policy_document => encode_document(assume_role_policy_document),
+ :max_session_duration => attrs.fetch(:max_session_duration)
 }
 params[:path] = attrs[:path] if attrs[:path]
@@ -189,6 +190,7 @@ def create_role(role_name, attrs)
 :assume_role_policy_document => assume_role_policy_document,
 :policies => {},
 :attached_managed_policies => [],
+ :max_session_duration => attrs.fetch(:max_session_duration),
 }
 new_role_attrs[:path] = attrs[:path] if attrs[:path]
@@ -237,6 +239,14 @@ def remove_role_from_instance_profiles(role_name, instance_profile_names)
 end
 end
+ def update_role_settings(role_name, new_settings, old_settings)
+ log(:info, "Update Role `#{role_name}` > Settings", :color => :green)
+ log(:info, Miam::Utils.diff(old_settings, new_settings, :color => @options[:color]), :color => false)
+ unless_dry_run do
+ @iam.update_role(new_settings.merge(role_name: role_name))
+ end
+ end
+
 def update_assume_role_policy(role_name, policy_document, old_policy_document)
 log(:info, "Update Role `#{role_name}` > AssumeRolePolicy", :color => :green)
 log(:info, Miam::Utils.diff(old_policy_document, policy_document, :color => @options[:color]), :color => false)
diff --git a/lib/miam/dsl/context/role.rb b/lib/miam/dsl/context/role.rb
index 2c83bd6..e587705 100644
--- a/lib/miam/dsl/context/role.rb
+++ b/lib/miam/dsl/context/role.rb
@@ -4,7 +4,7 @@ class Miam::DSL::Context::Role
 def initialize(context, name, &block)
 @role_name = name
 @context = context.merge(:role_name => name)
- @result = {:instance_profiles => [], :policies => {}, :attached_managed_policies => []}
+ @result = {:instance_profiles => [], :max_session_duration => 3600, :policies => {}, :attached_managed_policies => []}
 instance_eval(&block)
 end
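Review bot: `update_role_settings` in the third driver hunk sends `new_settings` verbatim into `@iam.update_role`, so callers own the responsibility of passing only valid UpdateRole request keys, and nothing documents that; I would add above the `def`: `# new_settings/old_settings: hashes of UpdateRole request parameters (currently only :max_session_duration); new_settings is sent as-is, merged with role_name.` In the first hunk of this file the added `:max_session_duration => attrs.fetch(:max_session_duration)` lacks the trailing comma that the other entries of `params` and the matching line in the second hunk carry; adding it keeps the literal consistent. `attrs.fetch` in both hunks raises a bare KeyError when the key is absent — fine for the DSL path, which now defaults it, but a role-naming message such as `attrs.fetch(:max_session_duration) { raise ArgumentError, "Role `#{role_name}`: max_session_duration is required" }` would make a missing attribute easier to trace.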
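Review bot: The new `:max_session_duration => 3600` default in `@result` (role.rb, first hunk) means a role definition that never calls `max_session_duration` — every DSL file written before this patch — now declares one hour, and `walk_role_settings` in client.rb updates on any difference, so the next apply will reset any role whose live value was raised above 3600 back to 3600. Shortening the temporary-credential lifetime is the safe direction, but it is a silent behaviour change for existing users that is logged only as a diff; either note it in the changelog or document it at the literal: `# 3600 matches IAM's own default; an undeclared setting therefore overrides a longer live value on apply.`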
@@ -22,6 +22,10 @@ def instance_profiles(*profiles)
 @result[:instance_profiles].concat(profiles.map(&:to_s))
 end
+ def max_session_duration(duration)
+ @result[:max_session_duration] = duration
+ end
+
 def assume_role_policy_document
 if @result[:assume_role_policy_document]
 raise "Role `#{@role_name}` > AssumeRolePolicyDocument: already defined"
diff --git a/lib/miam/dsl/converter.rb b/lib/miam/dsl/converter.rb
index b225b06..2b1a77e 100644
--- a/lib/miam/dsl/converter.rb
+++ b/lib/miam/dsl/converter.rb
@@ -95,6 +95,8 @@ def output_role(role_name, attrs)
 role #{role_name.inspect}, #{Miam::Utils.unbrace(role_options.inspect)} do
 #{output_role_instance_profiles(attrs[:instance_profiles])}
+ #{output_role_max_session_duration(attrs[:max_session_duration])}
+
 #{output_assume_role_policy_document(attrs[:assume_role_policy_document])}
 #{output_policies(attrs[:policies])}
@@ -122,6 +124,12 @@ def output_instance_profiles(instance_profiles)
 }.select {|i| i }.join("\n")
 end
+ def output_role_max_session_duration(max_session_duration)
+ <<-EOS.strip
+ max_session_duration #{max_session_duration}
+ EOS
+ end
+
 def output_assume_role_policy_document(assume_role_policy_document)
 assume_role_policy_document = assume_role_policy_document.pretty_inspect
 assume_role_policy_document.gsub!("\n", "\n ").strip!
diff --git a/lib/miam/exporter.rb b/lib/miam/exporter.rb
index 835be7d..a8bf1b0 100644
--- a/lib/miam/exporter.rb
+++ b/lib/miam/exporter.rb
@@ -144,6 +144,8 @@ def export_roles(roles, instance_profile_roles)
 instance_profiles = role.instance_profile_list.map {|i| i.instance_profile_name }
 policies = export_role_policies(role)
 attached_managed_policies = role.attached_managed_policies.map(&:policy_arn)
+ role_data = @iam.get_role(role_name: role_name).role
+ max_session_duration = role_data.max_session_duration
 @mutex.synchronize do
 instance_profiles.each do |instance_profile_name|
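Review bot: `max_session_duration(duration)` stores whatever the DSL passes without validation, so a string or an out-of-range number only fails later inside the CreateRole/UpdateRole API call, with nothing pointing at the role file that caused it. The sibling `assume_role_policy_document` already raises a role-prefixed error on misuse; do the same here, e.g. `raise "Role `#{@role_name}` > MaxSessionDuration: must be an Integer between 3600 and 43200 (seconds)" unless duration.is_a?(Integer) && (3600..43200).cover?(duration)`, since IAM accepts one to twelve hours. Bounding it at the DSL layer also gives config reviewers one place to see the longest temporary-credential lifetime a role can grant.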
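Review bot: `output_role_max_session_duration` in the second converter hunk uses a `<<-EOS.strip` heredoc for a single line and interpolates the value raw; a plain interpolated string with `.inspect`, matching how `output_role` renders `role_options`, is shorter and safer: `def output_role_max_session_duration(max_session_duration)` / `"max_session_duration #{max_session_duration.inspect}"` / `end`. With `.inspect`, a nil attribute renders as an explicit `max_session_duration nil` in the generated DSL instead of a bare `max_session_duration` call that raises ArgumentError when the file is loaded. The first converter hunk emits the line unconditionally, which matches the DSL default, so no guard is needed there.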
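Review bot: The added `@iam.get_role(role_name: role_name).role` issues one extra GetRole request per role on every export, on top of the listing `export_roles` already performs, so on accounts with many roles it roughly doubles IAM read traffic and makes the export more likely to hit API throttling. If the listed `role` object already carries `max_session_duration` in the SDK version the project pins, read `role.max_session_duration` directly and drop the call; if it does not, keep the call and say why with `# the role list does not populate max_session_duration; fetch the full role`. A throttling error or `Aws::IAM::Errors::NoSuchEntity` (role deleted between list and get) is not rescued and would abort the whole export, which is consistent with the neighbouring calls in the hunk, so I only flag it. export_roles starts before the hunk and continues after it.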
@@ -159,6 +161,7 @@ def export_roles(roles, instance_profile_roles)
 :instance_profiles => instance_profiles,
 :policies => policies,
 :attached_managed_policies => attached_managed_policies,
+ :max_session_duration => max_session_duration,
 }
 progress