Update readme and changelog for 1.6.2

connelldave · Sep 14, 2022 · 256bc52 · 256bc52
1 parent f333164
commit 256bc52
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 23 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,22 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.6.2] - 2022-14-09
+
+### Added
+
+- Botocove now has a simple typecheck for the account_ids kwarg to assert a list
+has been provided rather than a string.
+
+### Fixed
+
+- Botocove no longer calls DescribeAccount per account when running in an AWS
+organization.
+- `org_master` is now a deprecated kwarg: Botocove will optimistically check for
+permission
+to an AWS Organization to list accounts, and fall back to not adding metadata to
+CoveSession.
+
 ## [1.6.1] - 2022-04-03
 
 ### Fixed

diff --git a/README.md b/README.md
@@ -13,7 +13,7 @@ context.
 - Dolphin Themed 🐬
 
 Botocove is a simple decorator for functions to remove time and complexity
-burden. Uses`ThreadPoolExecutor` to run boto3 sessions against AWS accounts
+burden. Uses a `ThreadPoolExecutor` to run boto3 sessions against AWS accounts
 concurrently.
 
 Decorating a function in `@cove` provides a boto3 session to the decorated
@@ -26,26 +26,30 @@ arguments to understand safe experimentation with this package.
 
 ## Pre-requisites and Info
 
-An IAM user with `sts:assumerole` privilege, and accounts that have a trust
-relationship to the IAM user's account.
+An AWS session with `sts:assumerole` and `sts:get-caller-identity` access,
+and accounts that contain a IAM role with trust relationship to the Botocove
+calling account.
 
-By default, the IAM user is expected to be in an AWS Organization Master
-account. You can alter nearly all behaviour of Cove with appropriate
-[arguments](#arguments)
+By default, the session is expected to be in an AWS Organization Master or
+a delegated Organization admin account. You can alter nearly all behaviour of
+Cove with appropriate [arguments](#arguments)
 
 Cove will not execute a function call in the account it's called from.
 
-Default requirements are:
+Default IAM requirements are:
 
-In the organization master account:
+In the Botocove calling account:
 
-- IAM permissions `sts:assumerole`, `sts:get-caller-identity` and
+- Base requirements `sts:assumerole` and `sts:get-caller-identity`
+- To run against an entire AWS Organization and capture account metadata:
 `organizations:list-accounts`
+- To run against specific Organizational Units: `organizations:list-children`
 
 In the organization member accounts:
 
-- An
-  [`OrganizationAccountAccessRole` role](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html)
+- A target role that trusts the calling account - for example `AWSControlTowerExecution`
+or
+[`OrganizationAccountAccessRole` role](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html)
 
 See the [arguments](#arguments) section for how to change these defaults to work
 with any account configuration, including running without an AWS Organization.
@@ -142,7 +146,7 @@ Equivalent to:
 @cove(
     target_ids=None, ignore_ids=None, rolename=None, role_session_name=None,
     policy=None, policy_arns=None, assuming_session=None, raise_exception=False,
-    org_master=True, thread_workers=20, regions=None
+    thread_workers=20, regions=None
     )
 ```
 
@@ -200,16 +204,6 @@ to resolve all tasks and report their results instead of exiting early.
 exception seen; but will not gracefully or consistently interrupt running tasks.
 It is vital to run interruptible, idempotent code with this argument as `True`.
 
-`org_master`: bool
-
-Defaults to True. When True, will leverage the Boto3 Organizations API to list
-all accounts in the organization, and enrich each `CoveSession` with information
-available (`Id`, `Arn`, `Name`, `Status`, `Email`). Disabling this and providing
-your own full list of accounts may be a desirable optimisation if speed is an
-issue.
-
-`org_master=False` means only `Id` will be available to `CoveSession`.
-
 `thread_workers`: int
 
 Defaults to 20. Cove utilises a ThreadPoolWorker under the hood, which can be

diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "botocove"
-version = "1.6.1"
+version = "1.6.2"
 description = "A decorator to allow running a function against all AWS accounts in an organization"
 authors = ["Dave Connell <daveconn41@gmail.com>"]
 license = "LGPL-3.0-or-later"