Release/0.0.39 (#43)

added bootstrap-org-master command to help with AWS Organizations integration

docs/source/puppet/getting_up_and_running.md

@@ -93,27 +93,21 @@ Once that has completed you are ready to bring up the rest of the puppet.
 
 #### Setting to to use AWS Organizations
 The second part to bootstrapping is optional.  If you would like to use AWS Organizations features in your manifest file 
-you will need to set which IAM Role should be used to perform these actions.  In order to do this you will need to run 
-the following:
+you will need to set which IAM Role should be used to perform these actions.  
 
+To create the correct role in your organization master export your credentials or change profile and run the following:
 ```bash
-servicecatalog-puppet set-org-iam-role-arn arn:aws:iam::0123456789010:role/Admin  
+servicecatalog-puppet bootstrap-org-master <ACCOUNT_ID_OF_YOUR_PUPPET>
 ```
 
-Please replace 0123456789010 with the master account id you want to use.  Please note this IAM Role needs the following 
-IAM Policy:
+This command will provision a role the account you specified and output the ARN of the role.
 
-```yaml
-PolicyDocument:
-  Version: 2012-10-17
-  Statement:
-    - Effect: Allow
-      Action:
-        - organizations:ListRoots
-        - organizations:DescribeAccount
-        - organizations:ListOrganizationalUnitsForParent
-        - organizations:ListChildren
-      Resource: '*'
+Once you have the ARN or you know the ARN you want to use you can configure the framework to use it.  Export the 
+credentials for your puppet account or change your profile so you are using your puppet account and run the following 
+command:
+
+```bash
+servicecatalog-puppet set-org-iam-role-arn <THE_ARN_YOU_WANT_TO_USE>  
 ```
 
 Once you have run that command you are ready for the final stage.

servicecatalog_puppet/cli.py

@@ -22,6 +22,7 @@
 from servicecatalog_puppet.commands.bootstrap_spoke import do_bootstrap_spoke
 from servicecatalog_puppet.commands.expand import do_expand
 from servicecatalog_puppet.utils.manifest import build_deployment_map
+from servicecatalog_puppet.commands.bootstrap_org_master import do_bootstrap_org_master
 
 logger = logging.getLogger()
 logger.setLevel(logging.INFO)
@@ -221,5 +222,17 @@ def set_org_iam_role_arn(org_iam_role_arn):
     click.echo("Uploaded config")
 
 
+@cli.command()
+@click.argument('puppet_account_id')
+def bootstrap_org_master(puppet_account_id):
+    with betterboto_client.ClientContextManager(
+        'cloudformation',
+    ) as cloudformation:
+        org_iam_role_arn = do_bootstrap_org_master(
+            puppet_account_id, cloudformation, get_puppet_version()
+        )
+    click.echo("Bootstrapped org master, org-iam-role-arn: {}".format(org_iam_role_arn))
+
+
 if __name__ == "__main__":
     cli()

servicecatalog_puppet/commands/bootstrap_org_master.py

@@ -0,0 +1,45 @@
+from jinja2 import Template
+
+import logging
+
+
+from servicecatalog_puppet.asset_helpers import read_from_site_packages
+from servicecatalog_puppet.constants import BOOTSTRAP_STACK_NAME
+from servicecatalog_puppet.constants import PUPPET_ORG_ROLE_FOR_EXPANDS_ARN
+
+logger = logging.getLogger(__file__)
+
+
+def do_bootstrap_org_master(puppet_account_id, cloudformation, puppet_version):
+    logger.info('Starting bootstrap of org master')
+    stack_name = "{}-org-master".format(BOOTSTRAP_STACK_NAME)
+    template = read_from_site_packages('{}.template.yaml'.format(stack_name))
+    template = Template(template).render(VERSION=puppet_version)
+    args = {
+        'StackName': stack_name,
+        'TemplateBody': template,
+        'Capabilities': ['CAPABILITY_NAMED_IAM'],
+        'Parameters': [
+            {
+                'ParameterKey': 'PuppetAccountId',
+                'ParameterValue': str(puppet_account_id),
+            }, {
+                'ParameterKey': 'Version',
+                'ParameterValue': puppet_version,
+                'UsePreviousValue': False,
+            },
+        ],
+    }
+    cloudformation.create_or_update(**args)
+    response = cloudformation.describe_stacks(StackName=stack_name)
+    if len(response.get('Stacks')) != 1:
+        raise Exception("Expected there to be only one {} stack".format(stack_name))
+    stack = response.get('Stacks')[0]
+
+    for output in stack.get('Outputs'):
+        if output.get('OutputKey') == PUPPET_ORG_ROLE_FOR_EXPANDS_ARN:
+            logger.info('Finished bootstrap of org-master')
+            return output.get("OutputValue")
+
+    raise Exception("Could not find output: {} in stack: {}".format(PUPPET_ORG_ROLE_FOR_EXPANDS_ARN, stack_name))
+

servicecatalog_puppet/constants.py

@@ -8,4 +8,5 @@
 LAUNCHES = os.path.sep.join([OUTPUT, "launches"])
 HOME_REGION = os.environ.get('AWS_DEFAULT_REGION', 'eu-west-1')
 CONFIG_PARAM_NAME = "/servicecatalog-puppet/config"
-CONFIG_PARAM_NAME_ORG_IAM_ROLE_ARN = "/servicecatalog-puppet/org-iam-role-arn"
+CONFIG_PARAM_NAME_ORG_IAM_ROLE_ARN = "/servicecatalog-puppet/org-iam-role-arn"
+PUPPET_ORG_ROLE_FOR_EXPANDS_ARN = "PuppetOrgRoleForExpandsArn"

servicecatalog_puppet/servicecatalog-puppet-org-master.template.yaml

@@ -0,0 +1,54 @@
+# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+AWSTemplateFormatVersion: "2010-09-09"
+
+Parameters:
+  PuppetAccountId:
+    Type: String
+    MinLength: 12
+    MaxLength: 12
+  Version:
+    Type: String
+    Default: "{{ VERSION }}"
+
+Resources:
+  Param:
+    Type: AWS::SSM::Parameter
+    Properties:
+      Name: service-catalog-puppet-org-master-version
+      Type: String
+      Value: !Ref Version
+
+  PuppetOrgRoleForExpands:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: PuppetOrgRoleForExpands
+      Path: /servicecatalog-puppet/
+      Policies:
+        - PolicyName: "allowExpands"
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: "Allow"
+                Action:
+                  - organizations:ListRoots
+                  - organizations:DescribeAccount
+                  - organizations:ListOrganizationalUnitsForParent
+                  - organizations:ListChildren
+                Resource: "*"
+
+      AssumeRolePolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: "Allow"
+            Principal:
+              AWS: !Sub "arn:aws:iam::${PuppetAccountId}:root"
+            Action:
+              - "sts:AssumeRole"
+
+Outputs:
+  PuppetOrgRoleForExpandsArn:
+    Value: !GetAtt PuppetOrgRoleForExpands.Arn
+
+  Version:
+    Value: !GetAtt Param.Value

setup.py

@@ -11,7 +11,7 @@
 
 setuptools.setup(
     name="aws-service-catalog-puppet",
-    version="0.0.38",
+    version="0.0.39",
     author="Eamonn Faherty",
     author_email="aws-service-catalog-tools@amazon.com",
     description="Making it easier to deploy ServiceCatalog products",