Add support for specifying account aliases in the allowed_accounts stack definition property#325
There's a method with that name.
Existing iam stub must be cleaned up if it's not specified. This can happen if a previous scenario stubs the account alias and a subsequent one doesn't.
| | stack_id | event_id | stack_name | logical_resource_id | resource_status | resource_type | timestamp | | ||
| | 1 | 1 | myapp-db | myapp-db | CREATE_COMPLETE | AWS::CloudFormation::Stack | 2020-10-29 00:00:00 | | ||
| When I use the account "11111111" with alias "an-account-alias" | ||
| And I run `stack_master apply us-east-1 myapp-db` |
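Review bot: the fixture account "11111111" in the `When I use the account "11111111" with alias "an-account-alias"` step is 8 digits, while AWS account IDs are 12 digits; since the discussion below proposes distinguishing IDs from aliases by whether a value is numeric, a 12-digit placeholder such as `111111111111` would make the scenario exercise the same input shape as a real configuration.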
Should this be testing the stack with account alias?
| And I run `stack_master apply us-east-1 myapp-db` | |
| And I run `stack_master apply us-east-1 myapp-cache` |
| And the output should match /2020-10-29 00:00:00 (\+|\-)[0-9]{4} myapp-cache AWS::CloudFormation::Stack CREATE_COMPLETE/ | ||
| Then the exit status should be 0 |
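Review bot: the scenario runs `stack_master apply` for both `myapp-db` and `myapp-cache` but only asserts on the `myapp-cache` line of the output; adding a matching `output should match` assertion for `myapp-db` would catch a regression where the first stack is skipped or fails the alias check while the second still applies.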
We should use Then for lines with assertions:
| And the output should match /2020-10-29 00:00:00 (\+|\-)[0-9]{4} myapp-cache AWS::CloudFormation::Stack CREATE_COMPLETE/ | |
| Then the exit status should be 0 | |
| Then the output should match /2020-10-29 00:00:00 (\+|\-)[0-9]{4} myapp-cache AWS::CloudFormation::Stack CREATE_COMPLETE/ | |
| And the exit status should be 0 |
| class Identity | ||
| def running_in_allowed_account?(allowed_accounts) | ||
| allowed_accounts.nil? || allowed_accounts.empty? || allowed_accounts.include?(account) | ||
| def running_in_account?(accounts) |
| private | ||
| def account_aliases | ||
| @aliases ||= iam.list_account_aliases.account_aliases |
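Review bot: the replacement of `def running_in_allowed_account?(allowed_accounts)` with `def running_in_account?(accounts)` collides with an existing method of that name (as noted above) and changes a public method name; keep the original name, and make sure the `allowed_accounts.nil? || allowed_accounts.empty?` guard from the removed line survives, because an unset `allowed_accounts` must still mean "any account" rather than falling through to an IAM call. In `account_aliases`, a failed `iam.list_account_aliases` currently surfaces as a raw SDK exception; a rescue that names the missing `iam:ListAccountAliases` permission would match the changelog note requested below.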
With the addition of this new API call, I'm assuming StackMaster requires additional permissions. Perhaps we should document this in the changelog.
patrobinson left a comment:
I personally would prefer using IDs. I know they're not meaningful, but they never change, and you can't deny permission for any user/role to call get-caller-identity.
But 👍 nonetheless
| end | ||
| def contains_account_alias?(aliases) | ||
| account_aliases.any? { |account_alias| aliases.include?(account_alias) } |
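Review bot: `contains_account_alias?` calls `account_aliases`, and therefore IAM `ListAccountAliases`, on every check, even when every value in `aliases` is a numeric account ID that can never match an alias; filtering out ID-shaped values first and returning `false` when nothing remains avoids the API call (and the permission requirement) for configurations that only use IDs, which is also the case the apply path hits most often.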
Perhaps this should only be checked (and the API call made) if the provided values look like aliases, ie. they're not numbers.
I thought about this too, but the problem with this approach is that it only covers the case where the check is performed, not when the error message is being generated in the cli.rb file.
I think the way to cover all cases is to rescue the permissions error in the account_aliases method and hard fail with a useful error message.
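An added example (not stack_master's own code) that combines the two suggestions in this thread: skip the IAM call when every allowed value looks like an account ID, and turn a permissions failure on ListAccountAliases into a descriptive error instead of a raw SDK exception. The `StubIam` module, the `AliasLookupError` class and the 12-digit account ID pattern are constructed stand-ins for the AWS SDK client and the project's real classes; the real client raises `Aws::IAM::Errors::AccessDenied`, which the stub mimics.

```ruby
# Constructed stand-in for the AWS SDK IAM client (not the real aws-sdk-iam gem).
module StubIam
  class AccessDenied < StandardError; end

  Response = Struct.new(:account_aliases)

  class Client
    def initialize(aliases: [], deny: false)
      @aliases = aliases
      @deny = deny
    end

    # Mirrors the shape of Aws::IAM::Client#list_account_aliases: an account
    # has at most one alias, and a caller without iam:ListAccountAliases gets
    # an AccessDenied error.
    def list_account_aliases
      raise AccessDenied, 'not authorized to perform: iam:ListAccountAliases' if @deny
      Response.new(@aliases)
    end
  end
end

# Raised when an alias is configured but the alias lookup cannot be performed.
class AliasLookupError < StandardError; end

class Identity
  # AWS account IDs are 12 digits; anything else is treated as a candidate alias.
  ACCOUNT_ID = /\A\d{12}\z/

  attr_reader :account

  def initialize(account_id, iam)
    @account = account_id
    @iam = iam
  end

  # True when allowed_accounts is unset or empty, names the current account ID,
  # or names one of the current account's aliases.
  def running_in_allowed_account?(allowed_accounts)
    return true if allowed_accounts.nil? || allowed_accounts.empty?
    return true if allowed_accounts.include?(account)
    contains_account_alias?(allowed_accounts)
  end

  private

  # Only values that do not look like account IDs can be aliases, so the IAM
  # call is skipped entirely when the list holds IDs only.
  def contains_account_alias?(values)
    candidate_aliases = values.reject { |v| v.to_s.match?(ACCOUNT_ID) }
    return false if candidate_aliases.empty?
    account_aliases.any? { |a| candidate_aliases.include?(a) }
  end

  # Memoised alias lookup; a permissions failure becomes an actionable error
  # naming the missing IAM action and the ID-only alternative.
  def account_aliases
    @aliases ||= @iam.list_account_aliases.account_aliases
  rescue StubIam::AccessDenied => e
    raise AliasLookupError,
          'allowed_accounts contains an account alias but the current credentials ' \
          "cannot call iam:ListAccountAliases (#{e.message}). Grant that permission " \
          'or list the account ID instead.'
  end
end

if $PROGRAM_NAME == __FILE__
  iam = StubIam::Client.new(aliases: ['an-account-alias'])
  identity = Identity.new('111111111111', iam)
  puts identity.running_in_allowed_account?(['an-account-alias'])   # true
  puts identity.running_in_allowed_account?(['222222222222'])       # false
end
```

With only account IDs in `allowed_accounts`, the denied client is never touched, so existing ID-only configurations keep working without the new permission; the descriptive error is raised only when an alias is actually configured and the lookup fails.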
…liases permission
@patrobinson @orien I added a useful error message when the Please have a look 😄.
Add support for specifying account aliases in the allowed_accounts stack definition property.