diff --git a/CHANGELOG.md b/CHANGELOG.md index 7e7e16a..f727e6f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,22 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [1.6.2] - 2022-14-09 + +### Added + +- Botocove now has a simple typecheck for the account_ids kwarg to assert a list +has been provided rather than a string. + +### Fixed + +- Botocove no longer calls DescribeAccount per account when running in an AWS +organization. +- `org_master` is now a deprecated kwarg: Botocove will optimistically check for +permission +to an AWS Organization to list accounts, and fall back to not adding metadata to +CoveSession. + ## [1.6.1] - 2022-04-03 ### Fixed diff --git a/README.md b/README.md index 45c7ae5..c87ac54 100644 --- a/README.md +++ b/README.md @@ -13,7 +13,7 @@ context. - Dolphin Themed 🐬 Botocove is a simple decorator for functions to remove time and complexity -burden. Uses`ThreadPoolExecutor` to run boto3 sessions against AWS accounts +burden. Uses a `ThreadPoolExecutor` to run boto3 sessions against AWS accounts concurrently. Decorating a function in `@cove` provides a boto3 session to the decorated 
@@ -26,26 +26,30 @@ arguments to understand safe experimentation with this package. ## Pre-requisites and Info -An IAM user with `sts:assumerole` privilege, and accounts that have a trust -relationship to the IAM user's account. +An AWS session with `sts:assumerole` and `sts:get-caller-identity` access, +and accounts that contain a IAM role with trust relationship to the Botocove +calling account. -By default, the IAM user is expected to be in an AWS Organization Master -account. You can alter nearly all behaviour of Cove with appropriate -[arguments](#arguments) +By default, the session is expected to be in an AWS Organization Master or +a delegated Organization admin account. You can alter nearly all behaviour of +Cove with appropriate [arguments](#arguments) Cove will not execute a function call in the account it's called from. -Default requirements are: +Default IAM requirements are: -In the organization master account: +In the Botocove calling account: -- IAM permissions `sts:assumerole`, `sts:get-caller-identity` and +- Base requirements `sts:assumerole` and `sts:get-caller-identity` +- To run against an entire AWS Organization and capture account metadata: `organizations:list-accounts` +- To run against specific Organizational Units: `organizations:list-children` In the organization member accounts: -- An - [`OrganizationAccountAccessRole` role](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html) +- A target role that trusts the calling account - for example `AWSControlTowerExecution` +or +[`OrganizationAccountAccessRole` role](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html) See the [arguments](#arguments) section for how to change these defaults to work with any account configuration, including running without an AWS Organization. 
@@ -142,7 +146,7 @@ Equivalent to: @cove( target_ids=None, ignore_ids=None, rolename=None, role_session_name=None, policy=None, policy_arns=None, assuming_session=None, raise_exception=False, - org_master=True, thread_workers=20, regions=None + thread_workers=20, regions=None ) ``` @@ -200,16 +204,6 @@ to resolve all tasks and report their results instead of exiting early. exception seen; but will not gracefully or consistently interrupt running tasks. It is vital to run interruptible, idempotent code with this argument as `True`. -`org_master`: bool - -Defaults to True. When True, will leverage the Boto3 Organizations API to list -all accounts in the organization, and enrich each `CoveSession` with information -available (`Id`, `Arn`, `Name`, `Status`, `Email`). Disabling this and providing -your own full list of accounts may be a desirable optimisation if speed is an -issue. - -`org_master=False` means only `Id` will be available to `CoveSession`. - `thread_workers`: int Defaults to 20. Cove utilises a ThreadPoolWorker under the hood, which can be diff --git a/pyproject.toml b/pyproject.toml index ac68755..2d7d7bd 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [tool.poetry] name = "botocove" -version = "1.6.1" +version = "1.6.2" description = "A decorator to allow running a function against all AWS accounts in an organization" authors = ["Dave Connell "] license = "LGPL-3.0-or-later"
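Review bot: the CHANGELOG release header `## [1.6.2] - 2022-14-09` is not a valid date (there is no month 14); Keep a Changelog, which this file follows, uses ISO `YYYY-MM-DD`, so this presumably should read `2022-09-14`. Two smaller points in the same hunk: the "Added" entry says the new typecheck will "assert a list has been provided rather than a string"; if that is literally a Python `assert`, it is stripped under `python -O`, so raising `TypeError` is the safer way to reject a bare string (which would otherwise be iterated as single characters). The "Fixed" entry for `org_master` describes an optimistic check for list-accounts permission with a silent fall back to "not adding metadata to CoveSession"; that fallback is worth logging at warning level so a missing `organizations:list-accounts` permission surfaces to the operator instead of quietly degrading `CoveSession`. Also the line wrapping is off: `permission` sits on a line by itself.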
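Review bot: in the README "Pre-requisites and Info" hunk, `accounts that contain a IAM role` should be `an IAM role`, and the sentence ending `Cove with appropriate [arguments](#arguments)` is missing its full stop. On substance, `- A target role that trusts the calling account` is the right minimum, but the role's trust policy can be narrowed to the specific calling role or user rather than the whole account, and since this README is where users copy the IAM setup from, a sentence pointing that out would encourage least privilege. Minor: `sts:get-caller-identity` is listed under base requirements, but `GetCallerIdentity` requires no IAM permission, so it can be dropped from the list or noted as always allowed.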
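Review bot: deleting the entire `org_master` entry in the README `@@ -200,16 +204,6 @@` hunk leaves the document with no description of the new fallback behaviour; the deleted text was the only place that said what `CoveSession` carries when account metadata is unavailable (`org_master=False` means only `Id` will be available to `CoveSession`). Since the changelog keeps `org_master` as a deprecated, still-accepted kwarg, replace the entry with a short deprecation note: the argument is ignored, Cove now lists organization accounts when it has permission to, and without `organizations:list-accounts` only `Id` is populated. Style: the context line `Cove utilises a ThreadPoolWorker under the hood` should say `ThreadPoolExecutor`, matching the fix made at the top of the README in this same patch.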
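Review bot: the pyproject bump from `version = "1.6.1"` to `version = "1.6.2"` is a patch release, but the accompanying changelog has an `### Added` entry and deprecates the `org_master` kwarg, and callers that previously passed `org_master=False` to skip the Organizations call will now trigger it, which is a behaviour change. Under Semantic Versioning, which the changelog header says this project adheres to, new functionality and deprecations belong in a minor release, so `1.7.0` is the better fit unless the release notes explicitly justify the patch level.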