Class: Conjur::Provisioner::AWS::CreateRole
- Inherits: Object
- Includes: BucketHelper, RoleHelper
- Defined in: lib/conjur/provisioner/aws.rb
Instance Attribute Summary
- #host_factory_token ⇒ Object
  Returns the value of attribute host_factory_token.
- Attributes included from BucketHelper

Instance Method Summary
- #create_role ⇒ Object
- #create_s3_token_file ⇒ Object
- #host_factory ⇒ Object
- #perform ⇒ Object
  Creates an AWS IAM Role corresponding to the Layer.
- #role_name ⇒ Object
- #token_file_name ⇒ Object
- #validate ⇒ Object
Instance Attribute Details
#host_factory_token ⇒ Object
Returns the value of attribute host_factory_token.
```ruby
# File 'lib/conjur/provisioner/aws.rb', line 97
def host_factory_token
  @host_factory_token
end
```
Instance Method Details
#create_role ⇒ Object
```ruby
# File 'lib/conjur/provisioner/aws.rb', line 135
def create_role
  # Trust policy: only the EC2 service may assume this role.
  policy = {
    "Version" => "2012-10-17",
    "Statement" => [
      {
        "Effect" => "Allow",
        "Principal" => { "Service" => "ec2.amazonaws.com" },
        "Action" => "sts:AssumeRole"
      }
    ]
  }
  role_params = {
    role_name: role_name,
    assume_role_policy_document: JSON.pretty_generate(policy)
  }
  instance_profile_params = {
    instance_profile_name: role_name
  }
  # Role and instance profile share the layer-derived name.
  role = aws_iam.client.create_role role_params
  instance_profile = aws_iam.client.create_instance_profile instance_profile_params
  aws_iam.client.add_role_to_instance_profile role_name: role_name, instance_profile_name: role_name
  # Inline policy: read access to the single bootstrap token object only.
  aws_iam.client.put_role_policy role_name: role_name, policy_name: 'read-bootstrap-file', policy_document: JSON.pretty_generate({
    "Statement" => [{
      "Effect" => "Allow",
      "Action" => "s3:GetObject",
      "Resource" => ["arn:aws:s3:::#{bucket_name}/#{token_file_name}"]
    }]
  })
end
```
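As an added example (not the provisioner's own code), the block below rebuilds the two policy documents that create_role generates and checks that the inline bootstrap-file policy grants nothing beyond s3:GetObject on the one token object. The bucket and file names are constructed sample values, and the Version element is written explicitly because the page's inline policy omits it (IAM then falls back to the 2008-10-17 policy language).

```ruby
require 'json'

# Constructed sample values standing in for bucket_name and token_file_name.
BUCKET_NAME     = 'example-conjur-bootstrap'
TOKEN_FILE_NAME = 'layer-webservers'

# Trust policy with the same shape as create_role: only EC2 may assume the role.
def assume_role_policy
  {
    "Version" => "2012-10-17",
    "Statement" => [{
      "Effect" => "Allow",
      "Principal" => { "Service" => "ec2.amazonaws.com" },
      "Action" => "sts:AssumeRole"
    }]
  }
end

# Inline policy: read access to exactly one object, the token file.
def read_bootstrap_file_policy(bucket, key)
  {
    "Version" => "2012-10-17",  # added here; the page's inline policy has no Version
    "Statement" => [{
      "Effect" => "Allow",
      "Action" => "s3:GetObject",
      "Resource" => ["arn:aws:s3:::#{bucket}/#{key}"]
    }]
  }
end

# Returns a list of findings; an empty list means the policy is scoped to the
# single token object with no extra actions, wildcards or Deny statements.
def bootstrap_policy_findings(policy_json, bucket, key)
  expected_arn = "arn:aws:s3:::#{bucket}/#{key}"
  doc = JSON.parse(policy_json)
  findings = []
  findings << "missing Version (defaults to 2008-10-17)" unless doc["Version"]
  Array(doc["Statement"]).each do |st|
    actions   = Array(st["Action"])
    resources = Array(st["Resource"])
    findings << "non-Allow statement mixed into grant" if st["Effect"] != "Allow"
    findings << "actions beyond s3:GetObject: #{actions - ['s3:GetObject']}" if actions != ["s3:GetObject"]
    findings << "wildcard in resource" if resources.any? { |r| r.include?("*") }
    findings << "resource is not the token object: #{resources}" if resources != [expected_arn]
  end
  findings
end
```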
#create_s3_token_file ⇒ Object
```ruby
# File 'lib/conjur/provisioner/aws.rb', line 128
def create_s3_token_file
  # Create the bucket on first use, then write the host factory token
  # to the object the role's inline policy allows it to read.
  bucket = aws_s3.buckets[bucket_name]
  bucket = aws_s3.buckets.create(bucket_name) unless bucket.exists?
  bucket.objects[token_file_name].write host_factory_token.token
end
```
#host_factory ⇒ Object
```ruby
# File 'lib/conjur/provisioner/aws.rb', line 124
def host_factory
  host_factory_token.host_factory
end
```
#perform ⇒ Object
Creates an AWS IAM Role corresponding to the Layer. The Role can be assumed by EC2 instances. Creates a system user (deputy) and adds it to the layer. In S3, a file is created with the identity of the system user, along with other information needed by Conjur chef-solo. The file is in chef-solo JSON format. It will be used by the [conjur-client Upstart job](github.com/conjur-cookbooks/conjur-client/blob/master/templates/default/conjur-bootstrap.conf.erb) to finish the server configuration.
```ruby
# File 'lib/conjur/provisioner/aws.rb', line 119
def perform
  create_role
  create_s3_token_file
end
```
#role_name ⇒ Object
```ruby
# File 'lib/conjur/provisioner/aws.rb', line 105
def role_name
  host_factory.id.parameterize
end
```
#token_file_name ⇒ Object
```ruby
# File 'lib/conjur/provisioner/aws.rb', line 109
def token_file_name
  host_factory.id.parameterize
end
```
#validate ⇒ Object
```ruby
# File 'lib/conjur/provisioner/aws.rb', line 99
def validate
  super
  raise "host_factory_token is missing" unless host_factory_token
end
```