From 718ddb6da5ade3ce4312410528dafffb7fe2cb5d Mon Sep 17 00:00:00 2001 From: Derek Graeber Date: Mon, 26 Feb 2024 09:09:01 -0500 Subject: [PATCH 1/3] adding force updat logic of project policies --- CHANGELOG.md | 2 ++ seedfarmer/__main__.py | 9 +++++++++ seedfarmer/commands/_deployment_commands.py | 16 ++++++++++++++-- seedfarmer/commands/_stack_commands.py | 9 +++++++-- 4 files changed, 32 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e6b1109a..bfd0cce0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,8 @@ This project adheres to [Semantic Versioning](http://semver.org/) and [Keep a Ch - added `--update-seedkit` support to `apply` - SeedFarmer will no longer try to update the seedkit on every request - Users can override this with the `--update-seedkit` flag in case AWS CodeSeeder has updated the SeedKit +- added `--update-project_policy` support to `apply` + - SeedFarmer will apply a changeset to the project policy when this flag is set ### Fixes - adding in workaround for manifests whose char length is greater than SSM limit of 8192 k diff --git a/seedfarmer/__main__.py b/seedfarmer/__main__.py index a3bffc10..792feb62 100644 --- a/seedfarmer/__main__.py +++ b/seedfarmer/__main__.py @@ -112,6 +112,13 @@ def version() -> None: show_default=True, type=bool, ) +@click.option( + "--update-project-policy/--no-update-project-policy", + default=False, + help="Force SeedFarmer to update the deployed Project Policy", + show_default=True, + type=bool, +) def apply( spec: str, profile: Optional[str], @@ -124,6 +131,7 @@ def apply( enable_session_timeout: bool, session_timeout_interval: int, update_seedkit: bool, + update_project_policy: bool, ) -> None: """Apply manifests to a SeedFarmer managed deployment""" if debug: @@ -146,6 +154,7 @@ def apply( enable_session_timeout=enable_session_timeout, session_timeout_interval=session_timeout_interval, update_seedkit=update_seedkit, + update_project_policy=update_project_policy, ) 
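Review bot: The help text on the new `--update-project-policy` option in `seedfarmer/__main__.py` does not say how far the flag reaches. As far as the `_deployment_commands.py` hunks show, `prime_target_accounts` puts it into the parameters for every entry of `target_accounts_regions`, so one run re-applies the project policy in each target account and region. A wording such as `help="Force SeedFarmer to re-apply the Project Policy in every target account/region",` would make that visible to the operator. The CHANGELOG entry in this patch spells the flag `--update-project_policy` (underscore), which does not match the option name declared here.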
diff --git a/seedfarmer/commands/_deployment_commands.py b/seedfarmer/commands/_deployment_commands.py index ddfca71a..e6e5718c 100644 --- a/seedfarmer/commands/_deployment_commands.py +++ b/seedfarmer/commands/_deployment_commands.py @@ -372,7 +372,9 @@ def _render_permissions_boundary_arn( du.write_deployed_deployment_manifest(deployment_manifest=deployment_manifest) -def prime_target_accounts(deployment_manifest: DeploymentManifest, update_seedkit: bool = False) -> None: +def prime_target_accounts( + deployment_manifest: DeploymentManifest, update_seedkit: bool = False, update_project_policy: bool = False +) -> None: _logger.info("Priming Accounts") with concurrent.futures.ThreadPoolExecutor(max_workers=len(deployment_manifest.target_accounts_regions)) as workers: @@ -388,6 +390,7 @@ def _prime_accounts(args: Dict[str, Any]) -> List[Any]: "account_id": target_account_region["account_id"], "region": target_account_region["region"], "update_seedkit": update_seedkit, + "update_project_policy": update_project_policy, } if target_account_region["network"] is not None: network = commands.load_network_values( @@ -665,6 +668,7 @@ def apply( enable_session_timeout: bool = False, session_timeout_interval: int = 900, update_seedkit: bool = False, + update_project_policy: bool = False, ) -> None: """ apply @@ -698,6 +702,10 @@ def apply( If enabled, boto3 Sessions will be reset on the timeout interval session_timeout_interval: int The interval, in seconds, to reset boto3 Sessions + update_seedkit: bool + Force update run of seedkit, defaults to False + update_project_policy: bool + Force update run of managed project policy, defaults to False Raises ------ 
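Review bot: `prime_target_accounts` now takes two flags that change what is deployed, but it has no docstring; in the `@@ -372` hunk the body starts directly with `_logger.info("Priming Accounts")`. A short docstring would help: it should state that `update_seedkit` forces a seedkit update, that `update_project_policy` forces re-deployment of the project managed policy stack for each target account/region, and that both default to False. That would match the wording the `apply` docstring hunk adds further down. The function body continues outside the hunk.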
@@ -755,7 +763,11 @@ def apply( raise seedfarmer.errors.InvalidPathError("Cannot parse manifest file path") deployment_manifest.validate_and_set_module_defaults() - prime_target_accounts(deployment_manifest=deployment_manifest, update_seedkit=update_seedkit) + prime_target_accounts( + deployment_manifest=deployment_manifest, + update_seedkit=update_seedkit, + update_project_policy=update_project_policy, + ) module_info_index = du.populate_module_info_index(deployment_manifest=deployment_manifest) destroy_manifest = du.filter_deploy_destroy(deployment_manifest, module_info_index) diff --git a/seedfarmer/commands/_stack_commands.py b/seedfarmer/commands/_stack_commands.py index 262a1a9b..1b2cf02c 100644 --- a/seedfarmer/commands/_stack_commands.py +++ b/seedfarmer/commands/_stack_commands.py @@ -78,7 +78,11 @@ def _check_stack_status() -> Tuple[bool, Dict[str, str]]: def deploy_managed_policy_stack( - deployment_manifest: DeploymentManifest, account_id: str, region: str, **kwargs: Any + deployment_manifest: DeploymentManifest, + account_id: str, + region: str, + update_project_policy: Optional[bool] = False, + **kwargs: Any, ) -> None: """ deploy_managed_policy_stack @@ -98,7 +102,7 @@ def deploy_managed_policy_stack( project_managed_policy_stack_exists, _ = services.cfn.does_stack_exist( stack_name=info.PROJECT_MANAGED_POLICY_CFN_NAME, session=session ) - if not project_managed_policy_stack_exists: + if not project_managed_policy_stack_exists or update_project_policy: project_managed_policy_template = config.PROJECT_POLICY_PATH _logger.info("Resolved the ProjectPolicyPath %s", project_managed_policy_template) if not os.path.exists(project_managed_policy_template): @@ -436,6 +440,7 @@ def deploy_seedkit( private_subnet_ids: Optional[List[str]] = None, security_group_ids: Optional[List[str]] = None, update_seedkit: Optional[bool] = False, + **kwargs: Any, ) -> Dict[str, Any]: """ deploy_seedkit From 514d1c7f69c359403652c88d9dd51ab817d98c37 Mon Sep 17 00:00:00 2001 
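Review bot: In `deploy_managed_policy_stack` (`@@ -78` hunk of `_stack_commands.py`) the new parameter is typed `Optional[bool] = False`, which admits `None` even though the new condition treats `None` the same as False. Every caller in this patch passes a bool, so `update_project_policy: bool = False,` states the contract more exactly. No hunk in this file touches the function's docstring, so the new parameter appears to be undocumented there; a line such as `update_project_policy: bool  # re-deploy the project policy stack even if it already exists` in the parameter list would cover it.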
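Review bot: The new condition `if not project_managed_policy_stack_exists or update_project_policy:` (`@@ -98` hunk) sends a forced update through the first-time-create branch, and the log output does not tell the two apart. Since this stack carries the project's IAM managed policy, an operator reading the logs should be able to see that an existing policy was deliberately overwritten and where. Adding `if project_managed_policy_stack_exists and update_project_policy:` followed by `_logger.info("Forcing update of %s in %s/%s", info.PROJECT_MANAGED_POLICY_CFN_NAME, account_id, region)` at the top of the branch would do that. The rest of the branch is outside the hunk, so it cannot be confirmed from here whether re-deploying an unchanged template is handled cleanly; that is worth checking.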
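Review bot: Adding `**kwargs: Any` to `deploy_seedkit` (`@@ -436` hunk) makes the function accept and silently discard any unexpected keyword. It was presumably added so the shared parameter dict built in `_prime_accounts`, which now carries `update_project_policy`, can be passed to both deploy functions. The side effect is that a misspelled key such as `update_seedkit` would no longer raise a `TypeError` and the default of False would apply without any sign. If the catch-all stays, a comment on the parameter would record the intent, for example `**kwargs: Any,  # ignored: keys meant for deploy_managed_policy_stack (e.g. update_project_policy)`. Passing each function only the keys it declares would avoid the catch-all altogether. The function body lies outside the hunk.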
From: Derek Graeber Date: Mon, 26 Feb 2024 09:57:12 -0500 Subject: [PATCH 2/3] make sure the params array is initialized prior ot referencing on destroy --- seedfarmer/commands/_deployment_commands.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/seedfarmer/commands/_deployment_commands.py b/seedfarmer/commands/_deployment_commands.py index e6e5718c..b9302e3d 100644 --- a/seedfarmer/commands/_deployment_commands.py +++ b/seedfarmer/commands/_deployment_commands.py @@ -476,7 +476,7 @@ def destroy_deployment( def _exec_destroy(args: Dict[str, Any]) -> Optional[ModuleDeploymentResponse]: return _execute_destroy(**args) - + params = [] for _module in _group.modules: _process_module_path(module=_module) if _module.path.startswith("git::") else None From 57706808c940d5fafa59803fd9c0596a286ca5eb Mon Sep 17 00:00:00 2001 From: Derek Graeber Date: Mon, 26 Feb 2024 10:10:09 -0500 Subject: [PATCH 3/3] formatting --- seedfarmer/commands/_deployment_commands.py | 1 + 1 file changed, 1 insertion(+) diff --git a/seedfarmer/commands/_deployment_commands.py b/seedfarmer/commands/_deployment_commands.py index b9302e3d..32a705fc 100644 --- a/seedfarmer/commands/_deployment_commands.py +++ b/seedfarmer/commands/_deployment_commands.py @@ -476,6 +476,7 @@ def destroy_deployment( def _exec_destroy(args: Dict[str, Any]) -> Optional[ModuleDeploymentResponse]: return _execute_destroy(**args) + params = [] for _module in _group.modules: _process_module_path(module=_module) if _module.path.startswith("git::") else None