class Conjur::Provisioner::AWS::CreateRole

Attributes

host_factory_token[RW]

Public Instance Methods

# File lib/conjur/provisioner/aws.rb, line 135
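# Creates the IAM role for this layer, wraps it in an instance profile of the
# same name so EC2 instances can carry it, and attaches an inline policy that
# lets the role read exactly one S3 object: the token file that
# create_s3_token_file writes (arn:aws:s3:::<bucket_name>/<token_file_name>).
#
# Reads role_name, bucket_name, token_file_name and aws_iam from the enclosing
# class. Returns the response of the final put_role_policy call.
#
# Not idempotent: IAM rejects create_role / create_instance_profile for a name
# that already exists, so a second run for the same layer raises from the SDK
# instead of reconciling the existing role.
def create_role
  assume_role_policy = {
    "Version" => "2012-10-17",
    "Statement" => [
      {
        "Effect" => "Allow",
        # Only the EC2 service principal may assume this role; it reaches
        # instances through the instance profile created below.
        "Principal" => { "Service" => "ec2.amazonaws.com" },
        "Action" => "sts:AssumeRole"
      }
    ]
  }
  # Least privilege: GetObject on the single token object, never the bucket.
  # "Version" is stated explicitly so this document uses the same policy
  # language as the trust policy above (IAM falls back to 2008-10-17 without it).
  read_token_policy = {
    "Version" => "2012-10-17",
    "Statement" => [
      {
        "Effect" => "Allow",
        "Action" => "s3:GetObject",
        "Resource" => ["arn:aws:s3:::#{bucket_name}/#{token_file_name}"]
      }
    ]
  }

  client = aws_iam.client
  client.create_role(
    role_name: role_name,
    assume_role_policy_document: JSON.pretty_generate(assume_role_policy)
  )
  client.create_instance_profile(instance_profile_name: role_name)
  client.add_role_to_instance_profile(role_name: role_name, instance_profile_name: role_name)
  client.put_role_policy(
    role_name: role_name,
    policy_name: 'read-bootstrap-file',
    policy_document: JSON.pretty_generate(read_token_policy)
  )
end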
# File lib/conjur/provisioner/aws.rb, line 128
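# Writes the host factory token to S3 at bucket_name/token_file_name, creating
# the bucket first when it does not exist yet. This object is the one the
# inline policy from create_role lets the role's instances read, so the two
# methods must agree on bucket_name and token_file_name.
#
# The token is a bearer secret, so the object is stored with server-side
# encryption at rest (SSE-S3). The option name follows the aws-sdk v1
# S3Object#write API that the buckets[]/objects[] calls here appear to use —
# confirm against the pinned SDK version. Access control is unchanged: the
# object keeps the SDK's default ACL and is readable by the role only through
# the IAM policy attached in create_role.
#
# Returns whatever S3Object#write returns.
def create_s3_token_file
  bucket = aws_s3.buckets[bucket_name]
  bucket = aws_s3.buckets.create(bucket_name) unless bucket.exists?

  bucket.objects[token_file_name].write host_factory_token.token, server_side_encryption: :aes256
end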
# File lib/conjur/provisioner/aws.rb, line 124
# The host factory this provisioner acts on, taken from the supplied token.
# Raises NoMethodError when host_factory_token is unset; validate guards that
# before perform runs.
def host_factory
  token = host_factory_token
  token.host_factory
end

Creates an AWS IAM Role corresponding to the Layer. The Role can be assumed by EC2 instances. Creates a system user (deputy) and adds it to the layer. In S3, a file is created with the identity of the system user, along with other information needed by Conjur chef-solo. The file is in chef-solo JSON format. It will be used by the [conjur-client Upstart job](github.com/conjur-cookbooks/conjur-client/blob/master/templates/default/conjur-bootstrap.conf.erb) to finish the server configuration.

# File lib/conjur/provisioner/aws.rb, line 119
# Runs the provisioning steps in order: the IAM role and its read policy
# first, then the S3 token object that policy refers to. Returns the result
# of the last step.
#
# NOTE(review): the class description also mentions creating a system user
# (deputy) and a chef-solo JSON bootstrap file; neither step is visible here
# or in the sibling methods on this page — confirm where that happens.
def perform
  create_role
  # The object written here is the one the policy above grants GetObject on.
  create_s3_token_file
end
# File lib/conjur/provisioner/aws.rb, line 105
# IAM role / instance profile name for this layer: the host factory id turned
# into a slug by parameterize (presumably ActiveSupport's String#parameterize;
# confirm). Distinct ids that slug to the same string would collide on the
# role name, and token_file_name currently derives from the same expression.
def role_name
  factory_id = host_factory.id
  factory_id.parameterize
end
# File lib/conjur/provisioner/aws.rb, line 109
# S3 key of the token object written by create_s3_token_file and referenced
# by the GetObject policy in create_role; both must use this method so the
# policy's Resource ARN and the written key cannot drift apart. Uses the same
# slug of the host factory id as role_name.
def token_file_name
  factory_id = host_factory.id
  factory_id.parameterize
end
# File lib/conjur/provisioner/aws.rb, line 99
# Checks the provisioner's inputs before perform runs: delegates to the
# superclass validation first, then requires that a host_factory_token was
# supplied, since every other method on this class reads it.
#
# Raises RuntimeError ("host_factory_token is missing") when the token is
# nil or false.
def validate
  super

  return if host_factory_token

  raise "host_factory_token is missing"
end