account

package
Published: Sep 2, 2022 License: Apache-2.0 Imports: 35 Imported by: 0

Documentation

Index

Constants

// Status values an Account can be in. They are untyped string constants, so
// they compare directly with plain strings.
const (
	// AccountPending: the account has been requested but creation has not started.
	AccountPending = "Pending"
	// AccountCreating: creation of the AWS account is in progress.
	AccountCreating = "Creating"
	// AccountFailed: creation of the AWS account failed.
	AccountFailed = "Failed"
	// AccountInitializingRegions: instances are being created and terminated in
	// every supported region (see InitializeSupportedRegions).
	AccountInitializingRegions = "InitializingRegions"
	// AccountReady: account creation has completed and the account is usable.
	AccountReady = "Ready"
	// AccountPendingVerification: verification of AWS limits and Enterprise
	// Support is still pending.
	AccountPendingVerification = "PendingVerification"
)

Variables

This section is empty.

Functions

func AttachAdminUserPolicy

func AttachAdminUserPolicy(client awsclient.Client, iamUser *iam.User) (*iam.AttachUserPolicyOutput, error)

AttachAdminUserPolicy attaches the AdministratorAccess policy to the given IAM user. Takes an AWS client for the target account and the target IAM user (there is no logger parameter). The user gains unrestricted access to the account, so any access keys later created for it (see CreateUserAccessKey) are highly privileged and must be stored and rotated accordingly.

func ClaimAccount

func ClaimAccount(r *AccountReconciler, currentAcctInstance *awsv1alpha1.Account) error

func CleanUpIAM

func CleanUpIAM(reqLogger logr.Logger, awsClient awsclient.Client, accountCR *awsv1alpha1.Account) error

func CreateAccount

func CreateAccount(reqLogger logr.Logger, client awsclient.Client, accountName, accountEmail string) (*organizations.DescribeCreateAccountStatusOutput, error)

CreateAccount creates an AWS account in the organization with the given accountName and accountEmail. It returns the CreateAccountStatus for the request; callers should check that status rather than assume the account already exists.

func CreateEC2Instance

func CreateEC2Instance(reqLogger logr.Logger, account *awsv1alpha1.Account, client awsclient.Client, instanceInfo awsv1alpha1.AmiSpec, managedTags []awsclient.AWSTag, customerTags []awsclient.AWSTag, customerKmsKeyId string) (string, error)

CreateEC2Instance launches an EC2 instance described by instanceInfo, using the supplied managed and customer tags and customerKmsKeyId, and returns the new instance ID.

func CreateIAMUser

func CreateIAMUser(reqLogger logr.Logger, client awsclient.Client, userName string) (*iam.CreateUserOutput, error)

CreateIAMUser creates a new IAM user in the target AWS account. Takes a logger, an AWS client for the target account, and the desired IAM username.

func CreateRole

func CreateRole(reqLogger logr.Logger, byocRole string, accessArnList []string, byocAWSClient awsclient.Client, tags []*iam.Tag) (string, error)

CreateRole creates the IAM role named byocRole with the assume-role (trust) policy required for BYOC and applies the given tags to it. The ARNs in accessArnList are used when building that policy (reviewer note: if they are the trusted principals, each entry should be validated before being passed in, since every listed ARN will be able to assume the role).

func CreateSecret

func CreateSecret(name string, namespace string, data map[string][]byte) *corev1.Secret

CreateSecret takes a secret name, the namespace to store the secret in, and a data map (map[string][]byte) and returns a corev1.Secret object; it does not create the object in the cluster. The data is stored as-is, so callers passing raw credential bytes should create the secret promptly and never log the returned object.

func CreateUserAccessKey

func CreateUserAccessKey(client awsclient.Client, iamUser *iam.User) (*iam.CreateAccessKeyOutput, error)

CreateUserAccessKey creates a new IAM access key for iamUser and returns the iam.CreateAccessKeyOutput containing the access key ID and secret access key. AWS returns the secret access key only in this response, so callers must persist it (e.g. via CreateSecret) immediately and must not log it.

func DeleteRole

func DeleteRole(reqLogger logr.Logger, byocRole string, byocAWSClient awsclient.Client) error

DeleteRole deletes an existing role from AWS and handles the error

func DescribeEC2Instances

func DescribeEC2Instances(reqLogger logr.Logger, client awsclient.Client, instanceID string) (int, error)

DescribeEC2Instances returns the InstanceState code of the instance identified by instanceID.

func DetachPolicyFromRole

func DetachPolicyFromRole(reqLogger logr.Logger, policy *iam.AttachedPolicy, byocRole string, byocAWSClient awsclient.Client) error

DetachPolicyFromRole detaches a given AttachedPolicy from a role

func GenerateAccountCR

func GenerateAccountCR(namespace string) *awsv1alpha1.Account

GenerateAccountCR returns a new Account CR struct in the given namespace.

func GenerateAccountCRName

func GenerateAccountCRName(uuid string) string

GenerateAccountCRName returns a formatted Account CR name derived from uuid.

func GetAttachedPolicies

func GetAttachedPolicies(reqLogger logr.Logger, byocRole string, byocAWSClient awsclient.Client) (*iam.ListAttachedRolePoliciesOutput, error)

GetAttachedPolicies gets a list of policies attached to a role

func GetExistingRole

func GetExistingRole(reqLogger logr.Logger, byocRole string, byocAWSClient awsclient.Client) (*iam.GetRoleOutput, error)

GetExistingRole checks whether the role byocRole already exists in the AWS account. If it does not, an empty response and a nil error are returned; if it does, the existing role is returned. Any other error from AWS is returned as-is.

func ListEC2InstanceStatus

func ListEC2InstanceStatus(reqLogger logr.Logger, client awsclient.Client) (*ec2.DescribeInstanceStatusOutput, error)

ListEC2InstanceStatus returns a slice of EC2 instance statuses

func TagAccount

func TagAccount(awsSetupClient awsclient.Client, awsAccountID string, shardName string) error

func TerminateEC2Instance

func TerminateEC2Instance(reqLogger logr.Logger, client awsclient.Client, instanceID string) error

TerminateEC2Instance terminates the EC2 instance identified by instanceID.

Types

type AccountReconciler

type AccountReconciler struct {
	// Embedded Kubernetes API client; presumably the one the Secret helpers
	// (CreateSecret, DoesSecretExist) use to read and write cluster objects.
	client.Client
	// Scheme is the runtime scheme used to resolve API types.
	Scheme *runtime.Scheme
	// contains filtered or unexported fields
}

AccountReconciler reconciles a Account object

func (*AccountReconciler) BuildAccount

func (r *AccountReconciler) BuildAccount(reqLogger logr.Logger, awsClient awsclient.Client, account *awsv1alpha1.Account) (string, error)

BuildAccount takes all parameters required to create an account and uses them to call CreateAccount. It returns the new account's ID and an error.

func (*AccountReconciler) BuildAndDestroyEC2Instances

func (r *AccountReconciler) BuildAndDestroyEC2Instances(
	reqLogger logr.Logger,
	account *awsv1alpha1.Account,
	awsClient awsclient.Client,
	instanceInfo awsv1alpha1.AmiSpec,
	managedTags []awsclient.AWSTag,
	customerTags []awsclient.AWSTag,
	kmsKeyId string) error

BuildAndDestroyEC2Instances launches an EC2 instance and then terminates it.

func (*AccountReconciler) BuildIAMUser

func (r *AccountReconciler) BuildIAMUser(reqLogger logr.Logger, awsClient awsclient.Client, account *awsv1alpha1.Account, iamUserName string, nameSpace string) (*string, error)

BuildIAMUser creates and initializes all resources needed for a new IAM user. Takes a logger, an AWS client, an Account CR, the desired IAM username, and the namespace in which to create resources.

func (*AccountReconciler) CreateSecret

func (r *AccountReconciler) CreateSecret(reqLogger logr.Logger, account *awsv1alpha1.Account, secret *corev1.Secret) error

CreateSecret creates the given secret, intended to hold IAM credentials. Takes a logger, the Account CR that will own the secret, and a pointer to the secret object to create (the secret's name comes from that object; there is no separate name parameter).

func (*AccountReconciler) DoesSecretExist

func (r *AccountReconciler) DoesSecretExist(namespacedName types.NamespacedName) (bool, error)

DoesSecretExist checks to see if a given secret exists

func (*AccountReconciler) GetSREAccessARN

func (r *AccountReconciler) GetSREAccessARN(reqLogger logr.Logger, arnName string) (string, error)

func (*AccountReconciler) InitializeRegion

func (r *AccountReconciler) InitializeRegion(
	reqLogger logr.Logger,
	account *awsv1alpha1.Account,
	region string,
	instanceInfo awsv1alpha1.AmiSpec,
	vCPUQuota float64,
	ec2Notifications chan string,
	ec2Errors chan regionInitializationError,
	creds *sts.AssumeRoleOutput,
	managedTags []awsclient.AWSTag,
	customerTags []awsclient.AWSTag,
	kmsKeyId string,
) error

InitializeRegion sets up a connection to the AWS `region` and then creates and terminates an EC2 instance if necessary

func (*AccountReconciler) InitializeSupportedRegions

func (r *AccountReconciler) InitializeSupportedRegions(reqLogger logr.Logger, account *awsv1alpha1.Account, regions []awsv1alpha1.AwsRegions, creds *sts.AssumeRoleOutput, regionAMIs map[string]awsv1alpha1.AmiSpec)

InitializeSupportedRegions concurrently calls InitializeRegion to create instances in all supported regions. This should ensure we don't see any AWS API "PendingVerification" errors when launching instances. NOTE: this function has no return value. In particular, error conditions from the goroutines are logged but do not result in a failure up the stack, so callers cannot tell from the call alone whether every region was initialized.

func (*AccountReconciler) IsKubeSecretValid

func (r *AccountReconciler) IsKubeSecretValid(reqLogger logr.Logger, currentAcctInstance *awsv1alpha1.Account) (bool, error)

func (*AccountReconciler) ProbeSecret

func (r *AccountReconciler) ProbeSecret(reqLogger logr.Logger, currentAcctInstance *awsv1alpha1.Account,
	awsAssumedRoleClient awsclient.Client, iamUserUHC string, nameSpace string) error

func (*AccountReconciler) Reconcile

func (r *AccountReconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctrl.Result, error)

Reconcile reads the state of the cluster for an Account object and makes changes based on the state read and what is in the Account.Spec. The Controller will requeue the Request to be processed again if the returned error is non-nil or Result.Requeue is true; otherwise, upon completion, it will remove the work from the queue.

func (*AccountReconciler) RotateIAMAccessKeys

func (r *AccountReconciler) RotateIAMAccessKeys(reqLogger logr.Logger, awsClient awsclient.Client, account *awsv1alpha1.Account, iamUser *iam.User) (*iam.CreateAccessKeyOutput, error)

RotateIAMAccessKeys deletes all AWS access keys assigned to iamUser and creates a new one, returning the iam.CreateAccessKeyOutput. Any consumer still using the deleted keys will fail until it picks up the new credentials, so callers should persist the returned key (e.g. via CreateSecret) immediately.

func (*AccountReconciler) SetupWithManager

func (r *AccountReconciler) SetupWithManager(mgr ctrl.Manager) error

SetupWithManager sets up the controller with the Manager.

func (*AccountReconciler) ValidateIAMSecret

func (r *AccountReconciler) ValidateIAMSecret(reqLogger logr.Logger, awsClient awsclient.Client, account *awsv1alpha1.Account,
	iamUserName string, kubeSecretNamespacedName types.NamespacedName) error

type PolicyDocument

// PolicyDocument is the Go form of an AWS IAM policy document. The explicit
// JSON tags pin the capitalised AWS key names so a field rename cannot
// silently change the wire format.
type PolicyDocument struct {
	// Version is the policy language version string (e.g. "2012-10-17").
	Version string `json:"Version"`
	// Statement holds the individual statements of the policy.
	Statement []StatementEntry `json:"Statement"`
}

PolicyDocument represents JSON object of an AWS Policy Document

type StatementEntry

// StatementEntry is the Go form of one statement inside a PolicyDocument.
// The explicit JSON tags pin the capitalised AWS key names. Note that there is
// no Principal or Condition field, so this type cannot express trust
// (assume-role) policies or conditional statements, and Resource is a single
// string rather than a list.
type StatementEntry struct {
	// Effect is "Allow" or "Deny".
	Effect string `json:"Effect"`
	// Action lists the IAM actions the statement applies to.
	Action []string `json:"Action"`
	// Resource is the single resource ARN (or "*") the statement applies to.
	Resource string `json:"Resource"`
}

StatementEntry represents the JSON of a single statement in a policy document.
