This is an automated email from the ASF dual-hosted git repository.
onikolas pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new f6852c2c55 Remove identity center auth manager cli (#42481)
f6852c2c55 is described below
commit f6852c2c551250c28cad2949e5a7f9bd97a9ea35
Author: Niko Oliveira <[email protected]>
AuthorDate: Wed Sep 25 15:09:06 2024 -0700
Remove identity center auth manager cli (#42481)
* Remove identity center auth manager cli
The CLI command to setup identity center could only setup part of the
required resources, since adding an application must be done from the
console. As of November 15, 2023 it is now required to have an
AWS Organization setup to create the required type of Identity Center
Instance. The script would have to be changed substantially to achieve this, but
it is also something that should be done with great care and intention
since creating an organization in your AWS account has implications. If
we automate it, many users won't know it's being created. Instead have
users run through the wizard provided in the AWS console.
* Missing test change
---
.../amazon/aws/auth_manager/cli/definition.py | 6 -
.../amazon/aws/auth_manager/cli/idc_commands.py | 153 ---------------------
.../auth-manager/setup/identity-center.rst | 46 ++-----
.../amazon/aws/auth_manager/cli/test_definition.py | 2 +-
.../aws/auth_manager/cli/test_idc_commands.py | 140 -------------------
5 files changed, 10 insertions(+), 337 deletions(-)
diff --git a/airflow/providers/amazon/aws/auth_manager/cli/definition.py
b/airflow/providers/amazon/aws/auth_manager/cli/definition.py
index bb1236d5c4..b5f37136f5 100644
--- a/airflow/providers/amazon/aws/auth_manager/cli/definition.py
+++ b/airflow/providers/amazon/aws/auth_manager/cli/definition.py
@@ -55,12 +55,6 @@ ARG_POLICY_STORE_ID = Arg(("--policy-store-id",),
help="Policy store ID")
################
AWS_AUTH_MANAGER_COMMANDS = (
- ActionCommand(
- name="init-identity-center",
- help="Initialize AWS IAM identity Center resources to be used by AWS
manager",
-
func=lazy_load_command("airflow.providers.amazon.aws.auth_manager.cli.idc_commands.init_idc"),
- args=(ARG_INSTANCE_NAME, ARG_APPLICATION_NAME, ARG_DRY_RUN,
ARG_VERBOSE),
- ),
ActionCommand(
name="init-avp",
help="Initialize Amazon Verified resources to be used by AWS manager",
diff --git a/airflow/providers/amazon/aws/auth_manager/cli/idc_commands.py
b/airflow/providers/amazon/aws/auth_manager/cli/idc_commands.py
deleted file mode 100644
index c4901351b2..0000000000
--- a/airflow/providers/amazon/aws/auth_manager/cli/idc_commands.py
+++ /dev/null
@@ -1,153 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-"""User sub-commands."""
-
-from __future__ import annotations
-
-import logging
-import sys
-from typing import TYPE_CHECKING
-
-import boto3
-from botocore.exceptions import ClientError
-
-from airflow.configuration import conf
-from airflow.exceptions import AirflowOptionalProviderFeatureException
-from airflow.providers.amazon.aws.auth_manager.constants import
CONF_REGION_NAME_KEY, CONF_SECTION_NAME
-from airflow.utils import cli as cli_utils
-
-try:
- from airflow.utils.providers_configuration_loader import
providers_configuration_loaded
-except ImportError:
- raise AirflowOptionalProviderFeatureException(
- "Failed to import avp_commands. This feature is only available in
Airflow "
- "version >= 2.8.0 where Auth Managers are introduced."
- )
-
-if TYPE_CHECKING:
- from botocore.client import BaseClient
-
-log = logging.getLogger(__name__)
-
-
-@cli_utils.action_cli
-@providers_configuration_loaded
-def init_idc(args):
- """Initialize AWS IAM Identity Center resources."""
- client = _get_client()
-
- # Create the instance if needed
- instance_arn = _create_instance(client, args)
-
- # Create the application if needed
- _create_application(client, instance_arn, args)
-
- if not args.dry_run:
- print("AWS IAM Identity Center resources created successfully.")
-
-
-def _get_client():
- """Return AWS IAM Identity Center client."""
- region_name = conf.get(CONF_SECTION_NAME, CONF_REGION_NAME_KEY)
- return boto3.client("sso-admin", region_name=region_name)
-
-
-def _create_instance(client: BaseClient, args) -> str | None:
- """Create if needed AWS IAM Identity Center instance."""
- instances = client.list_instances()
-
- if args.verbose:
- log.debug("Instances found: %s", instances)
-
- if len(instances["Instances"]) > 0:
- print(
- f"There is already an instance configured in AWS IAM Identity
Center: '{instances['Instances'][0]['InstanceArn']}'. "
- "No need to create a new one."
- )
- return instances["Instances"][0]["InstanceArn"]
- else:
- print("No instance configured in AWS IAM Identity Center, creating
one.")
- if args.dry_run:
- print("Dry run, not creating the instance.")
- return None
-
- response = client.create_instance(Name=args.instance_name)
- if args.verbose:
- log.debug("Response from create_instance: %s", response)
-
- print(f"Instance created: '{response['InstanceArn']}'")
-
- return response["InstanceArn"]
-
-
-def _create_application(client: BaseClient, instance_arn: str | None, args) ->
str | None:
- """Create if needed AWS IAM identity Center application."""
- paginator = client.get_paginator("list_applications")
- pages = paginator.paginate(InstanceArn=instance_arn or "")
- applications = [application for page in pages for application in
page["Applications"]]
- existing_applications = [
- application for application in applications if application["Name"] ==
args.application_name
- ]
-
- if args.verbose:
- log.debug("Applications found: %s", applications)
- log.debug("Existing applications found: %s", existing_applications)
-
- if len(existing_applications) > 0:
- print(
- f"There is already an application named '{args.application_name}'
in AWS IAM Identity Center: '{existing_applications[0]['ApplicationArn']}'. "
- "Using this application."
- )
- return existing_applications[0]["ApplicationArn"]
- else:
- print(f"No application named {args.application_name} found, creating
one.")
- if args.dry_run:
- print("Dry run, not creating the application.")
- return None
-
- try:
- response = client.create_application(
-
ApplicationProviderArn="arn:aws:sso::aws:applicationProvider/custom-saml",
- Description="Application automatically created through the
Airflow CLI. This application is used to access Airflow environment.",
- InstanceArn=instance_arn,
- Name=args.application_name,
- PortalOptions={
- "SignInOptions": {
- "Origin": "IDENTITY_CENTER",
- },
- "Visibility": "ENABLED",
- },
- Status="ENABLED",
- )
- if args.verbose:
- log.debug("Response from create_application: %s", response)
- except ClientError as e:
- # This is needed because as of today, the create_application in
AWS Identity Center does not support SAML application
- # Remove this part when it is supported
- if "is not supported for this action" in
e.response["Error"]["Message"]:
- print(
-
"*************************************************************************\n"
- "* ACTION REQUIRED
*\n"
- "* Creation of SAML applications is only supported in AWS
console today. *\n"
- "* Please create the application through the console.
*\n"
-
"*************************************************************************\n"
- )
- sys.exit(1)
-
- print(f"Application created: '{response['ApplicationArn']}'")
-
- return response["ApplicationArn"]
diff --git
a/docs/apache-airflow-providers-amazon/auth-manager/setup/identity-center.rst
b/docs/apache-airflow-providers-amazon/auth-manager/setup/identity-center.rst
index acf3727bf9..ff2dc6295e 100644
---
a/docs/apache-airflow-providers-amazon/auth-manager/setup/identity-center.rst
+++
b/docs/apache-airflow-providers-amazon/auth-manager/setup/identity-center.rst
@@ -27,51 +27,23 @@ Create resources
================
The AWS auth manager needs two resources in AWS IAM Identity Center: an
instance and an application.
-You can create them either through the provided CLI command or manually.
+You can must create them manually.
-Create resources with CLI
--------------------------
-
-.. note::
- The CLI command is not compatible with AWS accounts that are managed through
AWS organizations.
- If your AWS account is managed through an AWS organization, please follow the
- :ref:`manual configuration <identity_center_manual_configuration>`.
-
-.. note::
- To create all necessary resources for the AWS Auth Manager, you can utilize
the CLI command provided as part of the
- AWS auth manager. Before executing the command, ensure the AWS auth manager
is configured as the auth manager
- for the Airflow instance. See :doc:`/auth-manager/setup/config`.
-
-To create the resources, please run the following command:
-
-.. code-block:: bash
-
- airflow aws-auth-manager init-identity-center
-
-The CLI command will ask you to create any resources manually if they cannot
be automatically created. Please look carefully at the CLI command output to
understand which resource(s)
-have or have not been created successfully. The resource(s) which have not
been successfully created need to be
-:ref:`created manually <identity_center_manual_configuration>`.
-
-If the error message below is raised, please create the AWS IAM Identity
Center application through the console
-following :ref:`these instructions
<identity_center_manual_configuration_application>`: ::
-
- Creation of SAML applications is only supported in AWS console today. Please
create the application through the console.
-
-.. _identity_center_manual_configuration:
+Create the instance
+-------------------
-Create resources manually
--------------------------
+The AWS auth manager leverages SAML 2.0 as the underlying technology powering
authentication against AWS Identity Center.
-Create the instance
-~~~~~~~~~~~~~~~~~~~
+There are several instance types, but only Organization level instances can
use SAML 2.0 applications. See more details
+about instances types `here
<https://docs.aws.amazon.com/singlesignon/latest/userguide/identity-center-instances.html>`_.
-Please follow `AWS documentation
<https://docs.aws.amazon.com/singlesignon/latest/userguide/identity-center-instances.html>`_
-to create the AWS IAM Identity Center instance.
+Please follow `AWS documentation
<https://docs.aws.amazon.com/singlesignon/latest/userguide/get-set-up-for-idc.html>`_
+to create the AWS IAM Identity Center instance at the organization level.
.. _identity_center_manual_configuration_application:
Create the application
-~~~~~~~~~~~~~~~~~~~~~~
+----------------------
Please follow the instructions below to create the AWS IAM Identity Center
application.
diff --git a/tests/providers/amazon/aws/auth_manager/cli/test_definition.py
b/tests/providers/amazon/aws/auth_manager/cli/test_definition.py
index 5866aa594f..079df886f6 100644
--- a/tests/providers/amazon/aws/auth_manager/cli/test_definition.py
+++ b/tests/providers/amazon/aws/auth_manager/cli/test_definition.py
@@ -21,4 +21,4 @@ from airflow.providers.amazon.aws.auth_manager.cli.definition
import AWS_AUTH_MA
class TestAwsCliDefinition:
def test_aws_auth_manager_cli_commands(self):
- assert len(AWS_AUTH_MANAGER_COMMANDS) == 3
+ assert len(AWS_AUTH_MANAGER_COMMANDS) == 2
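Review bot: The updated assertion on the `+` line still checks only the number of registered commands, so a stale or re-added `init-identity-center` entry that displaced another command would pass unnoticed; since the point of this commit is that the identity-center command is gone, pin that directly. Add `names = {cmd.name for cmd in AWS_AUTH_MANAGER_COMMANDS}` followed by `assert "init-identity-center" not in names` and `assert "init-avp" in names` (only `init-avp` is visible in this diff's definition.py hunk, so I am not naming the second remaining command). The length check can stay alongside these so the test still fails on an unexpected addition.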
diff --git a/tests/providers/amazon/aws/auth_manager/cli/test_idc_commands.py
b/tests/providers/amazon/aws/auth_manager/cli/test_idc_commands.py
deleted file mode 100644
index 394704474f..0000000000
--- a/tests/providers/amazon/aws/auth_manager/cli/test_idc_commands.py
+++ /dev/null
@@ -1,140 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-from __future__ import annotations
-
-import importlib
-from unittest.mock import Mock, patch
-
-import pytest
-
-from airflow.cli import cli_parser
-from airflow.providers.amazon.aws.auth_manager.cli.idc_commands import init_idc
-from tests.test_utils.compat import AIRFLOW_V_2_8_PLUS
-from tests.test_utils.config import conf_vars
-
-mock_boto3 = Mock()
-
-pytestmark = [
- pytest.mark.skipif(not AIRFLOW_V_2_8_PLUS, reason="Test requires Airflow
2.8+"),
- pytest.mark.skip_if_database_isolation_mode,
-]
-
-
[email protected]_test
-class TestIdcCommands:
- def setup_method(self):
- mock_boto3.reset_mock()
-
- @classmethod
- def setup_class(cls):
- with conf_vars(
- {
- (
- "core",
- "auth_manager",
- ):
"airflow.providers.amazon.aws.auth_manager.aws_auth_manager.AwsAuthManager"
- }
- ):
- importlib.reload(cli_parser)
- cls.arg_parser = cli_parser.get_parser()
-
- @pytest.mark.parametrize(
- "dry_run, verbose",
- [
- (False, False),
- (True, True),
- ],
- )
-
@patch("airflow.providers.amazon.aws.auth_manager.cli.idc_commands._get_client")
- def test_init_idc_with_no_existing_resources(self, mock_get_client,
dry_run, verbose):
- mock_get_client.return_value = mock_boto3
-
- instance_name = "test-instance"
- instance_arn = "test-instance-arn"
- application_name = "test-application"
- application_arn = "test-application-arn"
-
- paginator = Mock()
- paginator.paginate.return_value = []
-
- mock_boto3.list_instances.return_value = {"Instances": []}
- mock_boto3.create_instance.return_value = {"InstanceArn": instance_arn}
- mock_boto3.get_paginator.return_value = paginator
- mock_boto3.create_application.return_value = {"ApplicationArn":
application_arn}
-
- with conf_vars({("database", "check_migrations"): "False"}):
- params = [
- "aws-auth-manager",
- "init-identity-center",
- "--instance-name",
- instance_name,
- "--application-name",
- application_name,
- ]
- if dry_run:
- params.append("--dry-run")
- if verbose:
- params.append("--verbose")
- init_idc(self.arg_parser.parse_args(params))
-
- mock_boto3.list_instances.assert_called_once_with()
- if not dry_run:
-
mock_boto3.create_instance.assert_called_once_with(Name=instance_name)
- mock_boto3.create_application.assert_called_once()
-
- @pytest.mark.parametrize(
- "dry_run, verbose",
- [
- (False, False),
- (True, True),
- ],
- )
-
@patch("airflow.providers.amazon.aws.auth_manager.cli.idc_commands._get_client")
- def test_init_idc_with_existing_resources(self, mock_get_client, dry_run,
verbose):
- mock_get_client.return_value = mock_boto3
-
- instance_name = "test-instance"
- instance_arn = "test-instance-arn"
- application_name = "test-application"
- application_arn = "test-application-arn"
-
- paginator = Mock()
- paginator.paginate.return_value = [
- {"Applications": [{"Name": application_name, "ApplicationArn":
application_arn}]}
- ]
-
- mock_boto3.list_instances.return_value = {"Instances":
[{"InstanceArn": instance_arn}]}
- mock_boto3.get_paginator.return_value = paginator
-
- with conf_vars({("database", "check_migrations"): "False"}):
- params = [
- "aws-auth-manager",
- "init-identity-center",
- "--instance-name",
- instance_name,
- "--application-name",
- application_name,
- ]
- if dry_run:
- params.append("--dry-run")
- if verbose:
- params.append("--verbose")
- init_idc(self.arg_parser.parse_args(params))
-
- mock_boto3.list_instances.assert_called_once_with()
- mock_boto3.create_instance.assert_not_called()
- mock_boto3.create_application.assert_not_called()