Several features (AWS CloudFormation Support, IAM Support, Kinesis, DynamoDB, and local auth options) #172
This PR adds several new things that I am intending to use to make my job easier with managing our AWS resources.
Local Credential and STS Support (Including MFA)
Local credentials (ie: via ~/.aws/credentials) are now supported, as is STS roles thru the
Region Resource Parameter
I needed to add the
Support for managing CloudFormation templates has been added - the template is stored in the consuming cookbook's
Finally, support for creation of IAM users, groups, policies, and roles has been added as well. These were added as I was not entirely satisfied with how CloudFormation manages the naming of IAM resources (there still seems to be no way to control user names, for example). Full details of how to use these resources are in the README; there is quite a bit of detail, so for summary's sake I won't mention all of the features.
What has been tested?
I have tested most of the stuff using a local cookbook running chef-zero, including create/update/delete cycles for every resource here. There has been some refactoring done to ensure compliance with rubocop, so I will be doing another round of testing tonight, including testing the
I have not re-tested the existing resources as I have not had cycles to do so, and am assuming that the new parameters will not break any functionality as they only really come into play when setting up the session in
If there's anything else I need to do to help get this PR accepted, please let me know!
Looks like the MFA stuff is probably a no-go - it makes sense when I try it out now, but trying to recycle the MFA code across multiple STS sessions does not work. I have removed the functionality, and instead put a section in the README with an example of how one can use MFA and supply the session data to a resource. Testing this now, but in theory it should work.
* Adding the aws_cfn_stack LWRP
* Adding the aws_iam_user, aws_iam_group, aws_iam_policy, and aws_iam_role LWRPs
* Adding global facilities to support using local credentials for auth (ie: ~/.aws/credentials)
PS: Any word on when this might be reviewed and/or merged? I see that our fork is now falling behind commit wise. I have another commit that I wanted to send along (some readability fixes on the Dynamo resource, mainly), but it's been awfully quiet here.
* Refactoring the dynamodb_table resource provider
* Fixtures for testing table creation and update
* rspec tests in Kitchen to test Dynamo thru API
Wooh! Thanks a ton @tas50! I think my Ruby's gotten a lot better since I initially sent this along, so if there's some refactoring that needs done, let me know and I can set some time aside to get it done. I'd imagine some squashing is also in order, but I'll wait for the review.
@vancluever We are really excited to merge these changes in, but we could really use your help in doing so. Could you rebase and let us know if some of the changes that have happened in the time since you wrote your PR work for your changes (like the query_aws_region function which should probably be refactored into a general library)?
Also please factor in @tas50's line item comments. Thank you so much for your contributions. We will get this merged in ASAP.
Hey @iennae and @tas50 - I just wanted to let you two know that I haven't forgotten about this and it's on my radar to do relatively shortly. Hopefully I have time in the next few days to perform the needful.
PS @tas50 - I can just drop the kitchen stuff from this PR, I don't necessarily want to go out of scope. I will see if I can keep the integration tests, and maybe just blacklist the .kitchen.cloud.yml file from the commit, unless you think that there's some value in keeping them.
Will reply more in the next couple of days!