Class: Conjur::Provisioner::AWS::CreateRole

Inherits:
Object
Includes:
BucketHelper, RoleHelper
Defined in:
lib/conjur/provisioner/aws.rb

Instance Attribute Summary collapse

Attributes included from BucketHelper

#bucket_name

Instance Method Summary collapse

Instance Attribute Details

#host_factory_token ⇒ Object

Returns the value of attribute host_factory_token.



# File 'lib/conjur/provisioner/aws.rb', line 97

# The host factory token handed to this provisioner. It is the credential
# that #create_s3_token_file later writes to S3, and #validate requires it
# to be present before #perform runs.
def host_factory_token
  instance_variable_get(:@host_factory_token)
end

Instance Method Details

#create_role ⇒ Object



# File 'lib/conjur/provisioner/aws.rb', line 135

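# Creates the IAM Role (and a same-named instance profile) that EC2 instances
# in this layer assume, then attaches an inline policy letting those
# instances read the bootstrap token file from S3.
#
# Trust policy: only the EC2 service may call sts:AssumeRole on the role.
# Inline policy 'read-bootstrap-file': s3:GetObject on exactly one object,
# arn:aws:s3:::<bucket_name>/<token_file_name> -- no wildcard, so an instance
# cannot read other objects in the bucket.
#
# Relies on #role_name, #bucket_name, #token_file_name and #aws_iam from the
# enclosing object. Returns the put_role_policy response.
#
# NOTE(review): create_role / create_instance_profile are not idempotent;
# presumably a second run for the same host factory fails on the existing
# entities -- confirm against the SDK's error classes before adding retries.
def create_role
  trust_policy = {
    "Version" => "2012-10-17",
    "Statement" => [
      {
        "Effect" => "Allow",
        "Principal" => {
          "Service" => "ec2.amazonaws.com"
        },
        "Action" => "sts:AssumeRole"
      }
    ]
  }
  # Least privilege: the role may fetch the single bootstrap object and nothing else.
  # "Version" is stated explicitly so both documents use the same policy language
  # version instead of the inline one falling back to the legacy default.
  bootstrap_read_policy = {
    "Version" => "2012-10-17",
    "Statement" => [
      {
        "Effect" => "Allow",
        "Action" => "s3:GetObject",
        "Resource" => ["arn:aws:s3:::#{bucket_name}/#{token_file_name}"]
      }
    ]
  }
  role_params = {
    role_name: role_name,
    assume_role_policy_document: JSON.pretty_generate(trust_policy)
  }
  instance_profile_params = {
    instance_profile_name: role_name
  }

  client = aws_iam.client
  client.create_role role_params
  client.create_instance_profile instance_profile_params
  client.add_role_to_instance_profile role_name: role_name, instance_profile_name: role_name

  client.put_role_policy role_name: role_name,
                         policy_name: 'read-bootstrap-file',
                         policy_document: JSON.pretty_generate(bootstrap_read_policy)
end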

#create_s3_token_file ⇒ Object



# File 'lib/conjur/provisioner/aws.rb', line 128

# Writes the host factory token to S3 as object <token_file_name> in bucket
# <bucket_name>, creating the bucket first when it does not exist. This is
# the object the role's 'read-bootstrap-file' policy grants s3:GetObject on.
# Returns the result of the S3 write.
#
# NOTE(review): the object body is a credential (the host factory token) and
# the write passes no options, so ACL and encryption at rest are whatever the
# SDK defaults to -- confirm the bucket policy keeps the object private.
def create_s3_token_file
  buckets = aws_s3.buckets
  target = buckets[bucket_name]
  target = buckets.create(bucket_name) unless target.exists?

  target.objects[token_file_name].write(host_factory_token.token)
end

#host_factory ⇒ Object



# File 'lib/conjur/provisioner/aws.rb', line 124

# The host factory the token belongs to, read off #host_factory_token.
# Raises NoMethodError when no token has been assigned.
def host_factory
  token = host_factory_token
  token.host_factory
end

#perform ⇒ Object

Creates an AWS IAM Role corresponding to the Layer. The Role can be assumed by EC2 instances. Creates a system user (deputy) and adds it to the layer. In S3, a file is created with the identity of the system user, along with other information needed by Conjur chef-solo. The file is in chef-solo JSON format. It will be used by the [conjur-client Upstart job](github.com/conjur-cookbooks/conjur-client/blob/master/templates/default/conjur-bootstrap.conf.erb) to finish the server configuration.



# File 'lib/conjur/provisioner/aws.rb', line 119

# Runs the provisioning steps in order: the IAM role (with its instance
# profile and read policy) first, then the S3 bootstrap token file.
# Returns the result of the last step.
def perform
  # Order matters: the S3 object is only useful once a role exists that may read it.
  %i[create_role create_s3_token_file].map { |step| send(step) }.last
end

#role_name ⇒ Object



# File 'lib/conjur/provisioner/aws.rb', line 105

# Name of the IAM role and instance profile: the host factory id, made
# URL/identifier safe with #parameterize.
def role_name
  id = host_factory.id
  id.parameterize
end

#token_file_name ⇒ Object



# File 'lib/conjur/provisioner/aws.rb', line 109

# S3 object key for the bootstrap token file, derived from the host factory
# id exactly as #role_name is -- so the key equals the role name.
def token_file_name
  id = host_factory.id
  id.parameterize
end

#validate ⇒ Object



# File 'lib/conjur/provisioner/aws.rb', line 99

# Runs the superclass validation, then requires a host factory token, since
# every other step here derives from it.
#
# @raise [RuntimeError] "host_factory_token is missing" when no token is set
def validate
  super

  return if host_factory_token

  raise "host_factory_token is missing"
end