feat(aws): Flag to allow launching private thirdparty AMIs (#1603)

clouddriver-aws/src/main/groovy/com/netflix/spinnaker/clouddriver/aws/deploy/ops/AllowLaunchAtomicOperation.groovy

@@ -62,6 +62,13 @@ class AllowLaunchAtomicOperation implements AtomicOperation<ResolvedAmiResult> {
     def targetAmazonEC2 = amazonClientProvider.getAmazonEC2(targetCredentials, description.region, true)
 
     ResolvedAmiResult resolvedAmi = AmiIdResolver.resolveAmiIdFromAllSources(sourceAmazonEC2, description.region, description.amiName, description.credentials.accountId)
+    if (!resolvedAmi && targetCredentials.allowPrivateThirdPartyImages) {
+      resolvedAmi = AmiIdResolver.resolveAmiId(targetAmazonEC2, description.region, description.amiName)
+      if (resolvedAmi) {
+        task.updateStatus BASE_PHASE, "AMI appears to be from a private third-party, which is permitted on this target account: skipping allow launch"
+        return resolvedAmi
+      }
+    }
     if (!resolvedAmi) {
       throw new IllegalArgumentException("unable to resolve AMI imageId from '$description.amiName': If this is a private AMI owned by a third-party, you will need to contact them to share the AMI to your desired account(s)")
     }

clouddriver-aws/src/main/groovy/com/netflix/spinnaker/clouddriver/aws/security/AmazonCredentials.java

@@ -49,6 +49,7 @@ public class AmazonCredentials implements AccountCredentials<AWSCredentials> {
     private final List<AWSRegion> regions;
     private final List<String> defaultSecurityGroups;
     private final List<LifecycleHook> lifecycleHooks;
+    private final boolean allowPrivateThirdPartyImages;
     private final AWSCredentialsProvider credentialsProvider;
 
     public static AmazonCredentials fromAWSCredentials(String name, String environment, String accountType, AWSCredentialsProvider credentialsProvider, AmazonClientProvider amazonClientProvider) {
@@ -59,7 +60,7 @@ public static AmazonCredentials fromAWSCredentials(String name, String environme
         AWSAccountInfoLookup lookup = new DefaultAWSAccountInfoLookup(credentialsProvider, amazonClientProvider);
         final String accountId = lookup.findAccountId();
         final List<AWSRegion> regions = lookup.listRegions();
-        return new AmazonCredentials(name, environment, accountType, accountId, defaultKeyPair, regions, null, null, null, credentialsProvider);
+        return new AmazonCredentials(name, environment, accountType, accountId, defaultKeyPair, regions, null, null, null, false, credentialsProvider);
     }
 
     public AmazonCredentials(@JsonProperty("name") String name,
@@ -70,8 +71,9 @@ public AmazonCredentials(@JsonProperty("name") String name,
                              @JsonProperty("regions") List<AWSRegion> regions,
                              @JsonProperty("defaultSecurityGroups") List<String> defaultSecurityGroups,
                              @JsonProperty("requiredGroupMembership") List<String> requiredGroupMembership,
-                             @JsonProperty("lifecycleHooks") List<LifecycleHook> lifecycleHooks) {
-        this(name, environment, accountType, accountId, defaultKeyPair, regions, defaultSecurityGroups, requiredGroupMembership, lifecycleHooks, null);
+                             @JsonProperty("lifecycleHooks") List<LifecycleHook> lifecycleHooks,
+                             @JsonProperty("allowPrivateThirdPartyImages") Boolean allowPrivateThirdPartyImages) {
+        this(name, environment, accountType, accountId, defaultKeyPair, regions, defaultSecurityGroups, requiredGroupMembership, lifecycleHooks, allowPrivateThirdPartyImages, null);
     }
 
     public AmazonCredentials(AmazonCredentials source, AWSCredentialsProvider credentialsProvider) {
@@ -85,6 +87,7 @@ public AmazonCredentials(AmazonCredentials source, AWSCredentialsProvider creden
             source.getDefaultSecurityGroups(),
             source.getRequiredGroupMembership(),
             source.getLifecycleHooks(),
+            source.getAllowPrivateThirdPartyImages(),
             credentialsProvider
         );
     }
@@ -98,6 +101,7 @@ public AmazonCredentials(AmazonCredentials source, AWSCredentialsProvider creden
                       List<String> defaultSecurityGroups,
                       List<String> requiredGroupMembership,
                       List<LifecycleHook> lifecycleHooks,
+                      boolean allowPrivateThirdPartyImages,
                       AWSCredentialsProvider credentialsProvider) {
         this.name = requireNonNull(name, "name");
         this.environment = requireNonNull(environment, "environment");
@@ -108,6 +112,7 @@ public AmazonCredentials(AmazonCredentials source, AWSCredentialsProvider creden
         this.defaultSecurityGroups = defaultSecurityGroups == null ? null : Collections.unmodifiableList(defaultSecurityGroups);
         this.requiredGroupMembership = requiredGroupMembership == null ? Collections.<String>emptyList() : Collections.unmodifiableList(requiredGroupMembership);
         this.lifecycleHooks = lifecycleHooks == null ? Collections.<LifecycleHook>emptyList() : Collections.unmodifiableList(lifecycleHooks);
+        this.allowPrivateThirdPartyImages = allowPrivateThirdPartyImages;
         this.credentialsProvider = credentialsProvider;
     }
 
@@ -147,6 +152,10 @@ public List<LifecycleHook> getLifecycleHooks() {
       return lifecycleHooks;
     }
 
+    public boolean getAllowPrivateThirdPartyImages() {
+      return allowPrivateThirdPartyImages;
+    }
+
     @JsonIgnore
     public AWSCredentialsProvider getCredentialsProvider() {
       return credentialsProvider;

clouddriver-aws/src/main/groovy/com/netflix/spinnaker/clouddriver/aws/security/AssumeRoleAmazonCredentials.java

@@ -59,17 +59,18 @@ public AssumeRoleAmazonCredentials(@JsonProperty("name") String name,
                                        @JsonProperty("defaultSecurityGroups") List<String> defaultSecurityGroups,
                                        @JsonProperty("requiredGroupMembership") List<String> requiredGroupMembership,
                                        @JsonProperty("lifecycleHooks") List<LifecycleHook> lifecycleHooks,
+                                       @JsonProperty("allowPrivateThirdPartyImages") boolean allowPrivateThirdPartyImages,
                                        @JsonProperty("assumeRole") String assumeRole,
                                        @JsonProperty("sessionName") String sessionName) {
-        this(name, environment, accountType, accountId, defaultKeyPair, regions, defaultSecurityGroups, requiredGroupMembership, lifecycleHooks, null, assumeRole, sessionName);
+        this(name, environment, accountType, accountId, defaultKeyPair, regions, defaultSecurityGroups, requiredGroupMembership, lifecycleHooks, allowPrivateThirdPartyImages, null, assumeRole, sessionName);
     }
 
     public AssumeRoleAmazonCredentials(AssumeRoleAmazonCredentials copy, AWSCredentialsProvider credentialsProvider) {
-        this(copy.getName(), copy.getEnvironment(), copy.getAccountType(), copy.getAccountId(), copy.getDefaultKeyPair(), copy.getRegions(), copy.getDefaultSecurityGroups(), copy.getRequiredGroupMembership(), copy.getLifecycleHooks(), credentialsProvider, copy.getAssumeRole(), copy.getSessionName());
+        this(copy.getName(), copy.getEnvironment(), copy.getAccountType(), copy.getAccountId(), copy.getDefaultKeyPair(), copy.getRegions(), copy.getDefaultSecurityGroups(), copy.getRequiredGroupMembership(), copy.getLifecycleHooks(), copy.getAllowPrivateThirdPartyImages(), credentialsProvider, copy.getAssumeRole(), copy.getSessionName());
     }
 
-    AssumeRoleAmazonCredentials(String name, String environment, String accountType, String accountId, String defaultKeyPair, List<AWSRegion> regions, List<String> defaultSecurityGroups, List<String> requiredGroupMembership, List<LifecycleHook> lifecycleHooks, AWSCredentialsProvider credentialsProvider, String assumeRole, String sessionName) {
-        super(name, environment, accountType, accountId, defaultKeyPair, regions, defaultSecurityGroups, requiredGroupMembership, lifecycleHooks, createSTSCredentialsProvider(credentialsProvider, accountId, assumeRole, sessionName == null ? DEFAULT_SESSION_NAME : sessionName));
+    AssumeRoleAmazonCredentials(String name, String environment, String accountType, String accountId, String defaultKeyPair, List<AWSRegion> regions, List<String> defaultSecurityGroups, List<String> requiredGroupMembership, List<LifecycleHook> lifecycleHooks, boolean allowPrivateThirdPartyImages, AWSCredentialsProvider credentialsProvider, String assumeRole, String sessionName) {
+        super(name, environment, accountType, accountId, defaultKeyPair, regions, defaultSecurityGroups, requiredGroupMembership, lifecycleHooks, allowPrivateThirdPartyImages, createSTSCredentialsProvider(credentialsProvider, accountId, assumeRole, sessionName == null ? DEFAULT_SESSION_NAME : sessionName));
         this.assumeRole = assumeRole;
         this.sessionName = sessionName == null ? DEFAULT_SESSION_NAME : sessionName;
     }

clouddriver-aws/src/main/groovy/com/netflix/spinnaker/clouddriver/aws/security/NetflixAmazonCredentials.java

@@ -43,6 +43,7 @@ public NetflixAmazonCredentials(@JsonProperty("name") String name,
                                     @JsonProperty("defaultSecurityGroups") List<String> defaultSecurityGroups,
                                     @JsonProperty("requiredGroupMembership") List<String> requiredGroupMembership,
                                     @JsonProperty("lifecycleHooks") List<LifecycleHook> lifecycleHooks,
+                                    @JsonProperty("allowPrivateThirdPartyImages") boolean allowPrivateThirdPartyImages,
                                     @JsonProperty("edda") String edda,
                                     @JsonProperty("eddaEnabled") Boolean eddaEnabled,
                                     @JsonProperty("discovery") String discovery,
@@ -51,15 +52,15 @@ public NetflixAmazonCredentials(@JsonProperty("name") String name,
                                     @JsonProperty("front50Enabled") Boolean front50Enabled,
                                     @JsonProperty("bastionHost") String bastionHost,
                                     @JsonProperty("bastionEnabled") Boolean bastionEnabled) {
-        this(name, environment, accountType, accountId, defaultKeyPair, regions, defaultSecurityGroups, requiredGroupMembership, lifecycleHooks, null, edda, eddaEnabled, discovery, discoveryEnabled, front50, front50Enabled, bastionHost, bastionEnabled);
+        this(name, environment, accountType, accountId, defaultKeyPair, regions, defaultSecurityGroups, requiredGroupMembership, lifecycleHooks, allowPrivateThirdPartyImages, null, edda, eddaEnabled, discovery, discoveryEnabled, front50, front50Enabled, bastionHost, bastionEnabled);
     }
 
     private static boolean flagValue(String serviceUrl, Boolean flag) {
         return (!(serviceUrl == null || serviceUrl.trim().length() == 0) && (flag != null ? flag : true));
     }
 
     public NetflixAmazonCredentials(NetflixAmazonCredentials copy, AWSCredentialsProvider credentialsProvider) {
-        this(copy.getName(), copy.getEnvironment(), copy.getAccountType(), copy.getAccountId(), copy.getDefaultKeyPair(), copy.getRegions(), copy.getDefaultSecurityGroups(), copy.getRequiredGroupMembership(), copy.getLifecycleHooks(), credentialsProvider, copy.getEdda(), copy.getEddaEnabled(), copy.getDiscovery(), copy.getDiscoveryEnabled(), copy.getFront50(), copy.getFront50Enabled(), copy.getBastionHost(), copy.getBastionEnabled());
+        this(copy.getName(), copy.getEnvironment(), copy.getAccountType(), copy.getAccountId(), copy.getDefaultKeyPair(), copy.getRegions(), copy.getDefaultSecurityGroups(), copy.getRequiredGroupMembership(), copy.getLifecycleHooks(), copy.getAllowPrivateThirdPartyImages(), credentialsProvider, copy.getEdda(), copy.getEddaEnabled(), copy.getDiscovery(), copy.getDiscoveryEnabled(), copy.getFront50(), copy.getFront50Enabled(), copy.getBastionHost(), copy.getBastionEnabled());
     }
 
     NetflixAmazonCredentials(String name,
@@ -71,6 +72,7 @@ public NetflixAmazonCredentials(NetflixAmazonCredentials copy, AWSCredentialsPro
                              List<String> defaultSecurityGroups,
                              List<String> requiredGroupMembership,
                              List<LifecycleHook> lifecycleHooks,
+                             boolean allowPrivateThirdPartyImages,
                              AWSCredentialsProvider credentialsProvider,
                              String edda,
                              Boolean eddaEnabled,
@@ -80,7 +82,7 @@ public NetflixAmazonCredentials(NetflixAmazonCredentials copy, AWSCredentialsPro
                              Boolean front50Enabled,
                              String bastionHost,
                              Boolean bastionEnabled) {
-        super(name, environment, accountType, accountId, defaultKeyPair, regions, defaultSecurityGroups, requiredGroupMembership, lifecycleHooks, credentialsProvider);
+        super(name, environment, accountType, accountId, defaultKeyPair, regions, defaultSecurityGroups, requiredGroupMembership, lifecycleHooks, allowPrivateThirdPartyImages, credentialsProvider);
         this.edda = edda;
         this.eddaEnabled = flagValue(edda, eddaEnabled);
         this.discovery = discovery;

clouddriver-aws/src/main/groovy/com/netflix/spinnaker/clouddriver/aws/security/NetflixAssumeRoleAmazonCredentials.java

@@ -42,6 +42,7 @@ public NetflixAssumeRoleAmazonCredentials(@JsonProperty("name") String name,
                                               @JsonProperty("defaultSecurityGroups") List<String> defaultSecurityGroups,
                                               @JsonProperty("requiredGroupMembership") List<String> requiredGroupMembership,
                                               @JsonProperty("lifecycleHooks") List<LifecycleHook> lifecycleHooks,
+                                              @JsonProperty("allowPrivateThirdPartyImages") boolean allowPrivateThirdPartyImages,
                                               @JsonProperty("edda") String edda,
                                               @JsonProperty("eddaEnabled") Boolean eddaEnabled,
                                               @JsonProperty("discovery") String discovery,
@@ -53,15 +54,15 @@ public NetflixAssumeRoleAmazonCredentials(@JsonProperty("name") String name,
                                               @JsonProperty("assumeRole") String assumeRole,
                                               @JsonProperty("sessionName") String sessionName) {
 
-        this(name, environment, accountType, accountId, defaultKeyPair, regions, defaultSecurityGroups, requiredGroupMembership, lifecycleHooks, null, edda, eddaEnabled, discovery, discoveryEnabled, front50, front50Enabled, bastionHost, bastionEnabled, assumeRole, sessionName);
+        this(name, environment, accountType, accountId, defaultKeyPair, regions, defaultSecurityGroups, requiredGroupMembership, lifecycleHooks, allowPrivateThirdPartyImages, null, edda, eddaEnabled, discovery, discoveryEnabled, front50, front50Enabled, bastionHost, bastionEnabled, assumeRole, sessionName);
     }
 
     public NetflixAssumeRoleAmazonCredentials(NetflixAssumeRoleAmazonCredentials copy, AWSCredentialsProvider credentialsProvider) {
-        this(copy.getName(), copy.getEnvironment(), copy.getAccountType(), copy.getAccountId(), copy.getDefaultKeyPair(), copy.getRegions(), copy.getDefaultSecurityGroups(), copy.getRequiredGroupMembership(), copy.getLifecycleHooks(), credentialsProvider, copy.getEdda(), copy.getEddaEnabled(), copy.getDiscovery(), copy.getDiscoveryEnabled(), copy.getFront50(), copy.getFront50Enabled(), copy.getBastionHost(), copy.getBastionEnabled(), copy.getAssumeRole(), copy.getSessionName());
+        this(copy.getName(), copy.getEnvironment(), copy.getAccountType(), copy.getAccountId(), copy.getDefaultKeyPair(), copy.getRegions(), copy.getDefaultSecurityGroups(), copy.getRequiredGroupMembership(), copy.getLifecycleHooks(), copy.getAllowPrivateThirdPartyImages(), credentialsProvider, copy.getEdda(), copy.getEddaEnabled(), copy.getDiscovery(), copy.getDiscoveryEnabled(), copy.getFront50(), copy.getFront50Enabled(), copy.getBastionHost(), copy.getBastionEnabled(), copy.getAssumeRole(), copy.getSessionName());
     }
 
-    NetflixAssumeRoleAmazonCredentials(String name, String environment, String accountType, String accountId, String defaultKeyPair, List<AWSRegion> regions, List<String> defaultSecurityGroups, List<String> requiredGroupMembership, List<LifecycleHook> lifecycleHooks, AWSCredentialsProvider credentialsProvider, String edda, Boolean eddaEnabled, String discovery, Boolean discoveryEnabled, String front50, Boolean front50Enabled, String bastionHost, Boolean bastionEnabled, String assumeRole, String sessionName) {
-        super(name, environment, accountType, accountId, defaultKeyPair, regions, defaultSecurityGroups, requiredGroupMembership, lifecycleHooks, AssumeRoleAmazonCredentials.createSTSCredentialsProvider(credentialsProvider, accountId, assumeRole, sessionName == null ? AssumeRoleAmazonCredentials.DEFAULT_SESSION_NAME : sessionName), edda, eddaEnabled, discovery, discoveryEnabled, front50, front50Enabled, bastionHost, bastionEnabled);
+    NetflixAssumeRoleAmazonCredentials(String name, String environment, String accountType, String accountId, String defaultKeyPair, List<AWSRegion> regions, List<String> defaultSecurityGroups, List<String> requiredGroupMembership, List<LifecycleHook> lifecycleHooks, boolean allowPrivateThirdPartyImages, AWSCredentialsProvider credentialsProvider, String edda, Boolean eddaEnabled, String discovery, Boolean discoveryEnabled, String front50, Boolean front50Enabled, String bastionHost, Boolean bastionEnabled, String assumeRole, String sessionName) {
+        super(name, environment, accountType, accountId, defaultKeyPair, regions, defaultSecurityGroups, requiredGroupMembership, lifecycleHooks, allowPrivateThirdPartyImages, AssumeRoleAmazonCredentials.createSTSCredentialsProvider(credentialsProvider, accountId, assumeRole, sessionName == null ? AssumeRoleAmazonCredentials.DEFAULT_SESSION_NAME : sessionName), edda, eddaEnabled, discovery, discoveryEnabled, front50, front50Enabled, bastionHost, bastionEnabled);
         this.assumeRole = assumeRole;
         this.sessionName = sessionName == null ? AssumeRoleAmazonCredentials.DEFAULT_SESSION_NAME : sessionName;
     }

clouddriver-aws/src/main/groovy/com/netflix/spinnaker/clouddriver/aws/security/config/CredentialsConfig.java

@@ -127,7 +127,6 @@ public String getDefaultResult() {
       public void setDefaultResult(String defaultResult) {
         this.defaultResult = defaultResult;
       }
-
     }
 
     public static class Account {
@@ -150,6 +149,7 @@ public static class Account {
         private String assumeRole;
         private String sessionName;
         private List<LifecycleHook> lifecycleHooks;
+        private boolean allowPrivateThirdPartyImages;
 
         public String getName() {
             return name;
@@ -302,6 +302,14 @@ public List<LifecycleHook> getLifecycleHooks() {
         public void setLifecycleHooks(List<LifecycleHook> lifecycleHooks) {
           this.lifecycleHooks = lifecycleHooks;
         }
+
+        public Boolean getAllowPrivateThirdPartyImages() {
+          return allowPrivateThirdPartyImages;
+        }
+
+        public void setAllowPrivateThirdPartyImages(Boolean allowPrivateThirdPartyImages) {
+          this.allowPrivateThirdPartyImages = allowPrivateThirdPartyImages;
+        }
     }
 
     private String defaultKeyPairTemplate;
@@ -343,7 +351,7 @@ public void setDefaultSecurityGroups(List<String> defaultSecurityGroups) {
         this.defaultSecurityGroups = defaultSecurityGroups;
     }
 
-  public String getDefaultEddaTemplate() {
+    public String getDefaultEddaTemplate() {
         return defaultEddaTemplate;
     }