Class: BuildCloud::IAMGroup
- Inherits:
-
Object
- Object
- BuildCloud::IAMGroup
- Includes:
- Component
- Defined in:
- lib/build-cloud/iamgroup.rb
Constant Summary
- @@objects =
[]
Instance Method Summary
- #create ⇒ Object
- #delete ⇒ Object
-
#initialize(fog_interfaces, log, options = {}) ⇒ IAMGroup
constructor
A new instance of IAMGroup.
- #rationalise_policies(policies) ⇒ Object
- #rationalise_users(users) ⇒ Object
- #read ⇒ Object (also: #fog_object)
Methods included from Component
Constructor Details
#initialize(fog_interfaces, log, options = {}) ⇒ IAMGroup
Returns a new instance of IAMGroup.
# File 'lib/build-cloud/iamgroup.rb', line 9 def initialize ( fog_interfaces, log, = {} ) @iam = fog_interfaces[:iam] @log = log @options = @log.debug( .inspect ) (:name) end |
Instance Method Details
#create ⇒ Object
# File 'lib/build-cloud/iamgroup.rb', line 21 def create policies = @options.delete(:policies) users = @options.delete(:users) unless exists? @log.info( "Creating new IAM group #{@options[:name]}" ) group = @iam.groups.new( @options ) group.save @log.debug( group.inspect ) end rationalise_policies ( policies ) rationalise_users ( users ) end |
#delete ⇒ Object
# File 'lib/build-cloud/iamgroup.rb', line 226 def delete return unless exists? @log.info( "Deleting IAM group for #{@options[:name]}" ) #detach all policies fog_object.attached_policies.each do |p| fog_object.detach(p) end fog_object.policies.each do |p| @iam.delete_user_policy(@options[:id], p.id) end #remove all users fog_object.users.each do |u| @iam.remove_user_from_group(fog_object.name, u.id) end fog_object.destroy end |
#rationalise_policies(policies) ⇒ Object
# File 'lib/build-cloud/iamgroup.rb', line 47 def rationalise_policies( policies ) policies = {} if policies.nil? managed_policies_to_add = [] group_policies_to_add = [] current_managed_policies = [] current_group_policies = [] fog_object.attached_policies.each do |p| current_managed_policies << { :arn => p.arn } end # fog_object.policies doesn't return id/policy name @iam.list_group_policies(fog_object.name).body['PolicyNames'].each do |pn| p = @iam.get_group_policy(pn, fog_object.name).body policy = { :document => p['Policy']['PolicyDocument'], :id => p['PolicyName'] } current_group_policies << policy end # Build add lists policies.each do |p| @log.debug("Policy action on is #{p}") if p[:arn] @log.debug("For group #{fog_object.name} checking managed policy #{p[:arn]}") # Assume adding policy add_policy = true current_managed_policies.each do |cmp| add_policy = false if cmp[:arn] == p[:arn] end if add_policy @log.debug("Adding #{p[:arn]} to list" ) managed_policies_to_add << { :arn => p[:arn] } end elsif p[:id] @log.debug("For group #{fog_object.name} checking policy #{p[:id]}") # Assume adding policy pa = { :document => JSON.parse(p[:document]), :id => p[:id], } group_policies_to_add << pa end end policies.each do |p| # If we find a current policy that matches the desired policy, then # remove that from the list of current policies - we will remove any # remaining policies if p[:arn] current_managed_policies.delete_if do |c| if c[:arn] == p[:arn] @log.debug( "#{p[:arn]} already exists" ) true # so that delete_if removes the list item else false end end elsif p[:id] current_group_policies.delete_if do |c| if c[:id] == p[:id] @log.debug( "#{p[:id]} already exists" ) # Remove from the policies to add if the policy documents match group_policies_to_add.delete_if do |a| if (c[:id] == a[:id]) and (c[:document] == a[:document]) @log.debug("#{p[:id]} is a match" ) true else false end end true # so that delete_if removes the list item else false end end end end # At the 
end of this loop, anything left in the user_current_policies list # represents a policy that's present on the infra, but should be deleted # (since there's no matching desired policy), so delete those. # Changing a rule maps to "delete old rule, create new one". current_group_policies.each do |p| @log.debug( "Removing policy #{p.inspect}" ) @log.info( "For group #{fog_object.name} removing policy #{p[:id]}" ) @iam.delete_group_policy(fog_object.name, p[:id]) end group_policies_to_add.each do |p| @log.debug( "For group #{fog_object.name} adding/updating policy #{p}" ) @log.info( "For group #{fog_object.name} adding/updating policy #{p[:id]}" ) @iam.put_group_policy( fog_object.name, p[:id], p[:document] ) end # And the same for managed policies, but we just detatch them: current_managed_policies.each do |p| @log.debug( "Detatching policy #{p.inspect}" ) @log.info( "For group #{fog_object.name} detatcing policy #{p[:arn]}" ) @iam.detach_group_policy(fog_object.name, p[:arn]) end managed_policies_to_add.each do |p| @log.debug( "For group #{fog_object.name} attaching policy #{p}" ) @log.info( "For group #{fog_object.name} attaching policy #{p[:arn]}" ) @iam.attach_group_policy(fog_object.name, p[:arn]) end end |
#rationalise_users(users) ⇒ Object
# File 'lib/build-cloud/iamgroup.rb', line 160 def rationalise_users( users ) users = {} if users.nil? users_to_add = [] current_users = [] @log.debug("Users info: #{@iam.get_group(@options[:name]).body['Users'].inspect}") # can't use fog_object.users as always empty @iam.get_group(@options[:name]).body['Users'].each do |u| current_users << { :id => u['UserName']} end @log.debug("Current users: #{current_users}") # Build list of users to add users.each do |u| @log.debug("User acting on is #{u}") @log.debug("For group #{fog_object.name} checking user #{u}") # Assume adding user add_user = true current_users.each do |cmu| add_user = false if cmu[:id] == u end if add_user # If we find a user that's not currently present we prepare to add it @log.debug("Adding #{u} to list" ) users_to_add << { :id => u } end end # Find users to remove users.each do |u| # If we find a current user that matches the desired user, then # remove that from the list of current users - we will remove any # remaining users current_users.delete_if do |c| if c[:id] == u @log.debug( "#{u} already exists" ) true # so that delete_if removes the list item else false end end end # At the end of this loop, anything left in the current_users list # represents a group that's present on the user, but should be removed # (since there's no matching desired group), so delete those. current_users.each do |u| @log.debug( "Removing group #{u.inspect} from #{u}" ) @log.info( "For group #{fog_object.name} removing user #{u[:id]}" ) @iam.remove_user_from_group(fog_object.name, u[:id]) end users_to_add.each do |u| @log.debug( "For group #{fog_object.name} attaching user #{u}" ) @log.info( "For group #{fog_object.name} attaching user #{u[:id]}" ) fog_object.add_user(u[:id]) end fog_object.save end |
#read ⇒ Object Also known as: fog_object
# File 'lib/build-cloud/iamgroup.rb', line 42 def read @iam.groups.select { |r| r.name == @options[:name] }.first end |