- Constants
- func AttachAdminUserPolicy(client awsclient.Client, iamUser *iam.User) (*iam.AttachUserPolicyOutput, error)
- func ClaimAccount(r *AccountReconciler, currentAcctInstance *awsv1alpha1.Account) error
- func CleanUpIAM(reqLogger logr.Logger, awsClient awsclient.Client, ...) error
- func CreateAccount(reqLogger logr.Logger, client awsclient.Client, ...) (*organizations.DescribeCreateAccountStatusOutput, error)
- func CreateEC2Instance(reqLogger logr.Logger, account *awsv1alpha1.Account, client awsclient.Client, ...) (string, error)
- func CreateIAMUser(reqLogger logr.Logger, client awsclient.Client, userName string) (*iam.CreateUserOutput, error)
- func CreateRole(reqLogger logr.Logger, byocRole string, accessArnList []string, ...) (string, error)
- func CreateSecret(name string, namespace string, data map[string][]byte) *corev1.Secret
- func CreateUserAccessKey(client awsclient.Client, iamUser *iam.User) (*iam.CreateAccessKeyOutput, error)
- func DeleteRole(reqLogger logr.Logger, byocRole string, byocAWSClient awsclient.Client) error
- func DescribeEC2Instances(reqLogger logr.Logger, client awsclient.Client, instanceID string) (int, error)
- func DetachPolicyFromRole(reqLogger logr.Logger, policy *iam.AttachedPolicy, byocRole string, ...) error
- func GenerateAccountCR(namespace string) *awsv1alpha1.Account
- func GenerateAccountCRName(uuid string) string
- func GetAttachedPolicies(reqLogger logr.Logger, byocRole string, byocAWSClient awsclient.Client) (*iam.ListAttachedRolePoliciesOutput, error)
- func GetExistingRole(reqLogger logr.Logger, byocRole string, byocAWSClient awsclient.Client) (*iam.GetRoleOutput, error)
- func ListEC2InstanceStatus(reqLogger logr.Logger, client awsclient.Client) (*ec2.DescribeInstanceStatusOutput, error)
- func TagAccount(awsSetupClient awsclient.Client, awsAccountID string, shardName string) error
- func TerminateEC2Instance(reqLogger logr.Logger, client awsclient.Client, instanceID string) error
- type AccountReconciler
- func (r *AccountReconciler) BuildAccount(reqLogger logr.Logger, awsClient awsclient.Client, ...) (string, error)
- func (r *AccountReconciler) BuildAndDestroyEC2Instances(reqLogger logr.Logger, account *awsv1alpha1.Account, ...) error
- func (r *AccountReconciler) BuildIAMUser(reqLogger logr.Logger, awsClient awsclient.Client, ...) (*string, error)
- func (r *AccountReconciler) CreateSecret(reqLogger logr.Logger, account *awsv1alpha1.Account, secret *corev1.Secret) error
- func (r *AccountReconciler) DoesSecretExist(namespacedName types.NamespacedName) (bool, error)
- func (r *AccountReconciler) GetSREAccessARN(reqLogger logr.Logger, arnName string) (string, error)
- func (r *AccountReconciler) InitializeRegion(reqLogger logr.Logger, account *awsv1alpha1.Account, region string, ...) error
- func (r *AccountReconciler) InitializeSupportedRegions(reqLogger logr.Logger, account *awsv1alpha1.Account, ...)
- func (r *AccountReconciler) IsKubeSecretValid(reqLogger logr.Logger, currentAcctInstance *awsv1alpha1.Account) (bool, error)
- func (r *AccountReconciler) ProbeSecret(reqLogger logr.Logger, currentAcctInstance *awsv1alpha1.Account, ...) error
- func (r *AccountReconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctrl.Result, error)
- func (r *AccountReconciler) RotateIAMAccessKeys(reqLogger logr.Logger, awsClient awsclient.Client, ...) (*iam.CreateAccessKeyOutput, error)
- func (r *AccountReconciler) SetupWithManager(mgr ctrl.Manager) error
- func (r *AccountReconciler) ValidateIAMSecret(reqLogger logr.Logger, awsClient awsclient.Client, ...) error
- type PolicyDocument
- type StatementEntry
Constants ¶
const ( // AccountPending indicates an account is pending AccountPending = "Pending" // AccountCreating indicates an account is being created AccountCreating = "Creating" // AccountFailed indicates account creation has failed AccountFailed = "Failed" // AccountInitializingRegions indicates we've kicked off the process of creating and terminating // instances in all supported regions AccountInitializingRegions = "InitializingRegions" // AccountReady indicates account creation is ready AccountReady = "Ready" // AccountPendingVerification indicates verification (of AWS limits and Enterprise Support) is pending AccountPendingVerification = "PendingVerification" )
Variables ¶
This section is empty.
Functions ¶
func AttachAdminUserPolicy ¶
func AttachAdminUserPolicy(client awsclient.Client, iamUser *iam.User) (*iam.AttachUserPolicyOutput, error)
AttachAdminUserPolicy attaches the AdministratorAccess policy to a target user. Takes an AWS client for the target account and the target IAM user (the signature shown above takes the *iam.User rather than a logger or a username).
func ClaimAccount ¶
func ClaimAccount(r *AccountReconciler, currentAcctInstance *awsv1alpha1.Account) error
func CleanUpIAM ¶
func CreateAccount ¶
func CreateAccount(reqLogger logr.Logger, client awsclient.Client, accountName, accountEmail string) (*organizations.DescribeCreateAccountStatusOutput, error)
CreateAccount creates an AWS account for the specified accountName and accountEmail in the organization
func CreateEC2Instance ¶
func CreateEC2Instance(reqLogger logr.Logger, account *awsv1alpha1.Account, client awsclient.Client, instanceInfo awsv1alpha1.AmiSpec, managedTags []awsclient.AWSTag, customerTags []awsclient.AWSTag, customerKmsKeyId string) (string, error)
CreateEC2Instance creates ec2 instance and returns its instance ID
func CreateIAMUser ¶
func CreateIAMUser(reqLogger logr.Logger, client awsclient.Client, userName string) (*iam.CreateUserOutput, error)
CreateIAMUser creates a new IAM user in the target AWS account. Takes a logger, an AWS client for the target account, and the desired IAM username.
func CreateRole ¶
func CreateRole(reqLogger logr.Logger, byocRole string, accessArnList []string, byocAWSClient awsclient.Client, tags []*iam.Tag) (string, error)
CreateRole creates the role with the correct assume policy for BYOC for a given roleName
func CreateSecret ¶
CreateSecret takes in a secret name, the namespace to store the secret in, and a map of string to byte slice, and returns a corev1.Secret ready to be stored.
func CreateUserAccessKey ¶
func CreateUserAccessKey(client awsclient.Client, iamUser *iam.User) (*iam.CreateAccessKeyOutput, error)
CreateUserAccessKey creates a new IAM access key in AWS and returns an iam.CreateAccessKeyOutput struct containing the access key ID and secret access key.
func DeleteRole ¶
DeleteRole deletes an existing role from AWS and handles the error
func DescribeEC2Instances ¶
func DescribeEC2Instances(reqLogger logr.Logger, client awsclient.Client, instanceID string) (int, error)
DescribeEC2Instances returns the InstanceState code
func DetachPolicyFromRole ¶
func DetachPolicyFromRole(reqLogger logr.Logger, policy *iam.AttachedPolicy, byocRole string, byocAWSClient awsclient.Client) error
DetachPolicyFromRole detaches a given AttachedPolicy from a role
func GenerateAccountCR ¶
func GenerateAccountCR(namespace string) *awsv1alpha1.Account
GenerateAccountCR returns new account CR struct
func GenerateAccountCRName ¶
GenerateAccountCRName returns a formatted Account CR name.
func GetAttachedPolicies ¶
func GetAttachedPolicies(reqLogger logr.Logger, byocRole string, byocAWSClient awsclient.Client) (*iam.ListAttachedRolePoliciesOutput, error)
GetAttachedPolicies gets a list of policies attached to a role
func GetExistingRole ¶
func GetExistingRole(reqLogger logr.Logger, byocRole string, byocAWSClient awsclient.Client) (*iam.GetRoleOutput, error)
GetExistingRole checks whether a given role already exists in the AWS account. If it does not, it returns an empty response and a nil error. If it does, it returns the existing role. Otherwise, it returns whatever error was received.
func ListEC2InstanceStatus ¶
func ListEC2InstanceStatus(reqLogger logr.Logger, client awsclient.Client) (*ec2.DescribeInstanceStatusOutput, error)
ListEC2InstanceStatus returns a slice of EC2 instance statuses
func TagAccount ¶
Types ¶
type AccountReconciler ¶
type AccountReconciler struct { client.Client Scheme *runtime.Scheme // contains filtered or unexported fields }
AccountReconciler reconciles an Account object.
func (*AccountReconciler) BuildAccount ¶
func (r *AccountReconciler) BuildAccount(reqLogger logr.Logger, awsClient awsclient.Client, account *awsv1alpha1.Account) (string, error)
BuildAccount takes all required parameters and uses them to make an AWS call to CreateAccount. It returns an account ID and an error.
func (*AccountReconciler) BuildAndDestroyEC2Instances ¶
func (r *AccountReconciler) BuildAndDestroyEC2Instances( reqLogger logr.Logger, account *awsv1alpha1.Account, awsClient awsclient.Client, instanceInfo awsv1alpha1.AmiSpec, managedTags []awsclient.AWSTag, customerTags []awsclient.AWSTag, kmsKeyId string) error
BuildAndDestroyEC2Instances runs an ec2 instance and terminates it
func (*AccountReconciler) BuildIAMUser ¶
func (r *AccountReconciler) BuildIAMUser(reqLogger logr.Logger, awsClient awsclient.Client, account *awsv1alpha1.Account, iamUserName string, nameSpace string) (*string, error)
BuildIAMUser creates and initializes all resources needed for a new IAM user. Takes a logger, an AWS client, an Account CR, the desired IAM username, and a namespace to create resources in.
func (*AccountReconciler) CreateSecret ¶
func (r *AccountReconciler) CreateSecret(reqLogger logr.Logger, account *awsv1alpha1.Account, secret *corev1.Secret) error
CreateSecret creates a secret for storing IAM credentials. Takes a logger, the Account CR that will own the secret, and a pointer to the secret object to create (the signature shown above carries no separate secret-name parameter).
func (*AccountReconciler) DoesSecretExist ¶
func (r *AccountReconciler) DoesSecretExist(namespacedName types.NamespacedName) (bool, error)
DoesSecretExist checks to see if a given secret exists
func (*AccountReconciler) GetSREAccessARN ¶
func (*AccountReconciler) InitializeRegion ¶
func (r *AccountReconciler) InitializeRegion( reqLogger logr.Logger, account *awsv1alpha1.Account, region string, instanceInfo awsv1alpha1.AmiSpec, vCPUQuota float64, ec2Notifications chan string, ec2Errors chan regionInitializationError, creds *sts.AssumeRoleOutput, managedTags []awsclient.AWSTag, customerTags []awsclient.AWSTag, kmsKeyId string, ) error
InitializeRegion sets up a connection to the AWS `region` and then creates and terminates an EC2 instance if necessary.
func (*AccountReconciler) InitializeSupportedRegions ¶
func (r *AccountReconciler) InitializeSupportedRegions(reqLogger logr.Logger, account *awsv1alpha1.Account, regions []awsv1alpha1.AwsRegions, creds *sts.AssumeRoleOutput, regionAMIs map[string]awsv1alpha1.AmiSpec)
InitializeSupportedRegions concurrently calls InitializeRegion to create instances in all supported regions. This should ensure we don't see any AWS API "PendingVerification" errors when launching instances. NOTE: This function has no return values. In particular, error conditions from the goroutines are logged but do not result in a failure up the stack, so callers cannot detect a region that failed to initialize.
func (*AccountReconciler) IsKubeSecretValid ¶
func (r *AccountReconciler) IsKubeSecretValid(reqLogger logr.Logger, currentAcctInstance *awsv1alpha1.Account) (bool, error)
func (*AccountReconciler) ProbeSecret ¶
func (r *AccountReconciler) ProbeSecret(reqLogger logr.Logger, currentAcctInstance *awsv1alpha1.Account, awsAssumedRoleClient awsclient.Client, iamUserUHC string, nameSpace string) error
func (*AccountReconciler) Reconcile ¶
func (r *AccountReconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctrl.Result, error)
Reconcile reads the state of the cluster for an Account object and makes changes based on the state read and what is in the Account.Spec. The Controller will requeue the Request to be processed again if the returned error is non-nil or Result.Requeue is true; otherwise, upon completion, it will remove the work from the queue.
func (*AccountReconciler) RotateIAMAccessKeys ¶
func (r *AccountReconciler) RotateIAMAccessKeys(reqLogger logr.Logger, awsClient awsclient.Client, account *awsv1alpha1.Account, iamUser *iam.User) (*iam.CreateAccessKeyOutput, error)
RotateIAMAccessKeys deletes all AWS access keys assigned to the user and creates a replacement, returning the newly created key.
func (*AccountReconciler) SetupWithManager ¶
func (r *AccountReconciler) SetupWithManager(mgr ctrl.Manager) error
SetupWithManager sets up the controller with the Manager.
func (*AccountReconciler) ValidateIAMSecret ¶
func (r *AccountReconciler) ValidateIAMSecret(reqLogger logr.Logger, awsClient awsclient.Client, account *awsv1alpha1.Account, iamUserName string, kubeSecretNamespacedName types.NamespacedName) error
type PolicyDocument ¶
type PolicyDocument struct { Version string Statement []StatementEntry }
PolicyDocument represents the JSON object of an AWS policy document.
type StatementEntry ¶
StatementEntry represents the JSON of a single statement in a policy document.