From 2447859163c5c10b44878e3a696599ea87712112 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Tich=C3=BD?=
Date: Fri, 23 Nov 2018 13:44:10 +0100
Subject: [PATCH] Defer fetching of resource data for IAM

---
 fixtures/vcr_cassettes/iam_group-setup.yml | 132 +++++++++--------
 lib/puppet/provider/iam_group/v2.rb | 9 +-
 lib/puppet/provider/iam_policy/v2.rb | 30 ++--
 .../provider/iam_policy_attachment/v2.rb | 34 +++--
 4 files changed, 108 insertions(+), 97 deletions(-)

diff --git a/fixtures/vcr_cassettes/iam_group-setup.yml b/fixtures/vcr_cassettes/iam_group-setup.yml
index c3a88b0c..e781ade6 100644
--- a/fixtures/vcr_cassettes/iam_group-setup.yml
+++ b/fixtures/vcr_cassettes/iam_group-setup.yml
@@ -66,6 +66,72 @@ http_interactions: http_version: recorded_at: Wed, 11 Jan 2017 17:20:08 GMT +- request: + method: post + uri: https://iam.amazonaws.com/ + body: + encoding: UTF-8 + string: Action=ListGroups&Version=2010-05-08 + headers: + Content-Type: + - application/x-www-form-urlencoded; charset=utf-8 + Accept-Encoding: + - '' + User-Agent: + - aws-sdk-ruby2/2.6.38 ruby/2.3.1 x86_64-darwin15 + X-Amz-Date: + - 20170111T172009Z + X-Amz-Content-Sha256: + - 5f776d91509b9c99b8cb5eb5d6d4a787a33ae41c8cd6e7b69effca69080e1e1f + Authorization: + - AWS4-HMAC-SHA256 Credential=111111111111/20170111/us-east-1/iam/aws4_request, + SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=8eeb9f4d1171c4ddb3728af4fd3e835f419e734b4b250c48f54ff8b8813c64f1 + Content-Length: + - '36' + Accept: + - "*/*" + response: + status: + code: 200 + message: OK + headers: + X-Amzn-Requestid: + - 341bbf93-d822-11e6-ab10-214f93a0c1e1 + Content-Type: + - text/xml + Content-Length: + - '807' + Date: + - Wed, 11 Jan 2017 17:20:09 GMT + body: + encoding: UTF-8 + string: | + + + false + + + / + notops + arn:aws:iam::123456789012:group/notops + AGPAJBN5CML7FQ5J7JD26 + 2016-08-23T19:23:16Z + + + / + ops + arn:aws:iam::123456789012:group/ops + AGPAIQCI4K2HPEBNN6QQM + 2016-06-16T18:23:08Z + + + + + 341bbf93-d822-11e6-ab10-214f93a0c1e1 + + + http_version: + recorded_at: Wed, 11 Jan 2017 17:20:09 GMT - request: method: post uri: https://iam.amazonaws.com/ 
@@ -191,72 +257,6 @@ http_interactions: http_version: recorded_at: Wed, 11 Jan 2017 17:20:09 GMT -- request: - method: post - uri: https://iam.amazonaws.com/ - body: - encoding: UTF-8 - string: Action=ListGroups&Version=2010-05-08 - headers: - Content-Type: - - application/x-www-form-urlencoded; charset=utf-8 - Accept-Encoding: - - '' - User-Agent: - - aws-sdk-ruby2/2.6.38 ruby/2.3.1 x86_64-darwin15 - X-Amz-Date: - - 20170111T172009Z - X-Amz-Content-Sha256: - - 5f776d91509b9c99b8cb5eb5d6d4a787a33ae41c8cd6e7b69effca69080e1e1f - Authorization: - - AWS4-HMAC-SHA256 Credential=111111111111/20170111/us-east-1/iam/aws4_request, - SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=8eeb9f4d1171c4ddb3728af4fd3e835f419e734b4b250c48f54ff8b8813c64f1 - Content-Length: - - '36' - Accept: - - "*/*" - response: - status: - code: 200 - message: OK - headers: - X-Amzn-Requestid: - - 341bbf93-d822-11e6-ab10-214f93a0c1e1 - Content-Type: - - text/xml - Content-Length: - - '807' - Date: - - Wed, 11 Jan 2017 17:20:09 GMT - body: - encoding: UTF-8 - string: | - - - false - - - / - notops - arn:aws:iam::123456789012:group/notops - AGPAJBN5CML7FQ5J7JD26 - 2016-08-23T19:23:16Z - - - / - ops - arn:aws:iam::123456789012:group/ops - AGPAIQCI4K2HPEBNN6QQM - 2016-06-16T18:23:08Z - - - - - 341bbf93-d822-11e6-ab10-214f93a0c1e1 - - - http_version: - recorded_at: Wed, 11 Jan 2017 17:20:09 GMT - request: method: post uri: https://iam.amazonaws.com/ diff --git a/lib/puppet/provider/iam_group/v2.rb b/lib/puppet/provider/iam_group/v2.rb index 689104cb..6d5bf74b 100644 --- a/lib/puppet/provider/iam_group/v2.rb +++ b/lib/puppet/provider/iam_group/v2.rb 
@@ -26,14 +26,10 @@ def self.get_groups
 def self.instances
 groups = get_groups()
 groups.collect do |group|
- group_data = iam_client.get_group({ group_name: group.group_name })
- member_names = group_data.users.map {|user| user.user_name }
-
 new({
 name: group.group_name,
 ensure: :present,
 path: group.path,
- members: member_names,
 })
 end
 end
@@ -101,6 +97,11 @@ def destroy
 @property_hash[:ensure] = :absent
 end
+ def members
+ group_data = iam_client.get_group({ group_name: name })
+ @property_hash[:members] = group_data.users.map {|user| user.user_name }
+ end
+
 def members=(value)
 unless @property_hash[:ensure] == :absent
 # First all add missing members to the group
diff --git a/lib/puppet/provider/iam_policy/v2.rb b/lib/puppet/provider/iam_policy/v2.rb
index 6c77ee70..36b1a24e 100644
--- a/lib/puppet/provider/iam_policy/v2.rb
+++ b/lib/puppet/provider/iam_policy/v2.rb
@@ -10,27 +10,12 @@ def self.instances
 policies = PuppetX::Puppetlabs::Iam_policy.get_policies
 policies.collect do |policy|
-
- policy_document_versions = iam_client.list_policy_versions({
- policy_arn: policy.arn,
- max_items: 1
- })
-
- policy_version_data = iam_client.get_policy_version({
- policy_arn: policy.arn,
- version_id: policy_document_versions.versions[0].version_id
- })
-
- policy_data = JSON.parse(URI.unescape(policy_version_data.policy_version.document))
- policy_document = JSON.pretty_generate(policy_data)
-
 new({
 name: policy.policy_name,
 ensure: :present,
 path: policy.path,
 description: policy.description,
 arn: policy.arn,
- document: policy_document,
 })
 end
 end
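Review bot: `members` keeps only the first page of `get_group`, and IAM truncates that listing (`is_truncated`/`marker`), so a group with more users than one page holds would have the remainder reported as absent, and the `members=` setter that follows would presumably try to re-add them on every run. aws-sdk v2 marks this call pageable, so folding the pages is a one-liner: `@property_hash[:members] = iam_client.get_group({ group_name: name }).each_page.flat_map { |page| page.users.map(&:user_name) }`. Unlike the getters this commit adds to the attachment provider, there is no guard for an empty `@property_hash`; that is presumably safe because this type has `ensure`, but a short comment saying so would spare the next reader the comparison. `members=` continues outside the hunk.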
@@ -86,6 +71,21 @@ def destroy
 @property_hash[:ensure] = :absent
 end
+ def document
+ policy_document_versions = iam_client.list_policy_versions({
+ policy_arn: arn,
+ max_items: 1
+ })
+
+ policy_version_data = iam_client.get_policy_version({
+ policy_arn: arn,
+ version_id: policy_document_versions.versions[0].version_id
+ })
+
+ policy_data = JSON.parse(URI.unescape(policy_version_data.policy_version.document))
+ @property_hash[:document] = JSON.pretty_generate(policy_data)
+ end
+
 def document=(value)
 # IAM allows up to 5 managed policies at the time of this writing. As
 # such, if we are going to modify a policy, that is, to create a new one,
diff --git a/lib/puppet/provider/iam_policy_attachment/v2.rb b/lib/puppet/provider/iam_policy_attachment/v2.rb
index 14115e4b..05acff7c 100644
--- a/lib/puppet/provider/iam_policy_attachment/v2.rb
+++ b/lib/puppet/provider/iam_policy_attachment/v2.rb
@@ -39,20 +39,9 @@ def self.instances
 end
 end
- response = iam_client.list_entities_for_policy({
- policy_arn: policy.arn,
- })
-
- user_names = response.policy_users.collect {|user| user.user_name }
- group_names = response.policy_groups.collect {|group| group.group_name }
- role_names = response.policy_roles.collect {|role| role.role_name }
-
 new({
 name: policy.policy_name,
- users: user_names,
- groups: group_names,
- roles: role_names,
- arn: policy.arn,
+ arn: policy.arn
 })
 end
 end
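Review bot: `document` treats `versions[0]` of a `max_items: 1` `list_policy_versions` call as the policy in effect, but IAM does not promise that the listing puts the default version first, so drift detection can compare the manifest against a non-default version and, given the five-version limit the comment below describes, `document=` would presumably spend a version on a spurious change. Asking `get_policy` for `default_version_id` (or selecting the entry whose `is_default_version` is true) pins the comparison to the active document. `URI.unescape` is obsolete and was removed in Ruby 3.0; `CGI.unescape` (with `require 'cgi'`) decodes the URL-encoded document IAM returns. `document=` continues outside the hunk.
```ruby
  def document
    # IAM does not guarantee the order of list_policy_versions; fetch the version that is actually in effect.
    default_version_id = iam_client.get_policy({ policy_arn: arn }).policy.default_version_id
    policy_version_data = iam_client.get_policy_version({
      policy_arn: arn,
      version_id: default_version_id
    })
    policy_data = JSON.parse(URI.unescape(policy_version_data.policy_version.document))
    @property_hash[:document] = JSON.pretty_generate(policy_data)
  end
```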
@@ -67,6 +56,21 @@ def self.prefetch(resources)
 end
 end
+ def users
+ return [] unless @property_hash[:name]
+ @property_hash[:users] = list_entities_for_policy.policy_users.collect {|user| user.user_name }
+ end
+
+ def groups
+ return [] unless @property_hash[:name]
+ @property_hash[:groups] = list_entities_for_policy.policy_groups.collect {|group| group.group_name }
+ end
+
+ def roles
+ return [] unless @property_hash[:name]
+ @property_hash[:roles] = list_entities_for_policy.policy_roles.collect {|role| role.role_name }
+ end
+
 def users=(value)
 Array(value).flatten.each {|user|
 unless @property_hash[:users].include? user
@@ -133,4 +137,10 @@ def roles=(value)
 }
 end
+ private
+
+ def list_entities_for_policy
+ @entities_for_policy ||= iam_client.list_entities_for_policy({ policy_arn: arn })
+ end
+
 end
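Review bot: The `return [] unless @property_hash[:name]` guard in `users` returns without storing anything, while `users=` further down reads `@property_hash[:users].include?`; unless `create` (outside this hunk) fills in those keys, a policy that was not present at prefetch time would fail with `nil.include?` in the setter. Storing the default keeps getter and setter in step: `return @property_hash[:users] = [] unless @property_hash[:name]`, and likewise in `groups` and `roles`. The three getters differ only in the response accessor and the hash key, so one private helper taking both would remove the triplication. `users=` continues outside the hunk.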
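Review bot: `list_entities_for_policy` memoizes only the first page of `ListEntitiesForPolicy`, which IAM truncates (`is_truncated`/`marker`), so a policy attached to more entities than one page holds would have the remainder reported as unattached by `users`, `groups` and `roles` above. aws-sdk v2 marks the call pageable, so the helper can fold every page while keeping the `policy_users`/`policy_groups`/`policy_roles` accessors its callers rely on. Caching for the life of the provider instance is fine as long as the setters keep updating `@property_hash` instead of re-reading the listing, which the `users=` context above suggests they do.
```ruby
  private

  # IAM truncates this listing; fold every page so entities past the first are not reported as unattached.
  def list_entities_for_policy
    @entities_for_policy ||= begin
      pages = iam_client.list_entities_for_policy({ policy_arn: arn }).each_page.to_a
      Struct.new(:policy_users, :policy_groups, :policy_roles).new(
        pages.flat_map(&:policy_users),
        pages.flat_map(&:policy_groups),
        pages.flat_map(&:policy_roles)
      )
    end
  end
```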