This is an automated email from the ASF dual-hosted git repository. lfrolov pushed a commit to branch DATALAB-2545 in repository https://gitbox.apache.org/repos/asf/incubator-datalab.git
commit 56c64112e745519c4d8a063e41c27ca591de7c5b Author: leonidfrolov <[email protected]> AuthorDate: Wed Dec 15 17:30:11 2021 +0200 [DATALAB-2545]: added predefined role for aws ssn --- .../scripts/deploy_datalab.py | 2 ++ .../src/general/scripts/aws/ssn_prepare.py | 30 ++++++++++++---------- 2 files changed, 19 insertions(+), 13 deletions(-) diff --git a/infrastructure-provisioning/scripts/deploy_datalab.py b/infrastructure-provisioning/scripts/deploy_datalab.py index 34be5ec..9dd70e4 100644 --- a/infrastructure-provisioning/scripts/deploy_datalab.py +++ b/infrastructure-provisioning/scripts/deploy_datalab.py @@ -210,6 +210,8 @@ def build_parser(): aws_parser.add_argument('--aws_report_path', type=str, help='The path to billing reports directory in S3 bucket') aws_parser.add_argument('--aws_permissions_boundary_arn', type=str, default='', help='Permission boundary to be attached to new roles') + aws_parser.add_argument('--aws_ssn_instance_role', type=str, default='', + help='Role to be attached to SSN instance') aws_required_args = aws_parser.add_argument_group('Required arguments') aws_required_args.add_argument('--aws_region', type=str, required=True, help='AWS region') diff --git a/infrastructure-provisioning/src/general/scripts/aws/ssn_prepare.py b/infrastructure-provisioning/src/general/scripts/aws/ssn_prepare.py index 7e21cb1..346f265 100644 --- a/infrastructure-provisioning/src/general/scripts/aws/ssn_prepare.py +++ b/infrastructure-provisioning/src/general/scripts/aws/ssn_prepare.py 
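Review bot: The help text for the new `--aws_ssn_instance_role` option understates what the option does. In the ssn_prepare.py change of the same commit, a non-empty value becomes both `ssn_conf['role_name']` and `ssn_conf['role_profile_name']`, and role and policy creation is skipped. An operator therefore has to pre-create the role and an instance profile of the same name with the permissions the SSN needs. I would spell that out, for example `help='Name of an existing IAM role and same-named instance profile for the SSN instance; when set, role/policy creation is skipped'`. `build_parser` starts and ends outside the hunk.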
@@ -257,19 +257,23 @@ if __name__ == "__main__":
 #creating roles
 try:
- logging.info('[CREATE ROLES]')
- params = "--role_name {} --role_profile_name {} --policy_name {} --policy_file_name {} --region {} " \
- "--infra_tag_name {} --infra_tag_value {} --user_tag_value {}". \
- format(ssn_conf['role_name'], ssn_conf['role_profile_name'], ssn_conf['policy_name'],
- ssn_conf['policy_path'], ssn_conf['region'], ssn_conf['tag_name'],
- ssn_conf['service_base_name'], ssn_conf['user_tag'])
- if 'aws_permissions_boundary_arn' in os.environ:
- params = '{} --permissions_boundary_arn {}'.format(params, os.environ['aws_permissions_boundary_arn'])
- try:
- subprocess.run("~/scripts/{}.py {}".format('common_create_role_policy', params), shell=True, check=True)
- except:
- traceback.print_exc()
- raise Exception
+ if 'aws_ssn_instance_role' in os.environ and os.environ['aws_ssn_instance_role'] != '':
+ ssn_conf['role_name'] = os.environ['aws_ssn_instance_role']
+ ssn_conf['role_profile_name'] = os.environ['aws_ssn_instance_role']
+ else:
+ logging.info('[CREATE ROLES]')
+ params = "--role_name {} --role_profile_name {} --policy_name {} --policy_file_name {} --region {} " \
+ "--infra_tag_name {} --infra_tag_value {} --user_tag_value {}". \
+ format(ssn_conf['role_name'], ssn_conf['role_profile_name'], ssn_conf['policy_name'],
+ ssn_conf['policy_path'], ssn_conf['region'], ssn_conf['tag_name'],
+ ssn_conf['service_base_name'], ssn_conf['user_tag'])
+ if 'aws_permissions_boundary_arn' in os.environ:
+ params = '{} --permissions_boundary_arn {}'.format(params, os.environ['aws_permissions_boundary_arn'])
+ try:
+ subprocess.run("~/scripts/{}.py {}".format('common_create_role_policy', params), shell=True, check=True)
+ except:
+ traceback.print_exc()
+ raise Exception
 except Exception as err:
 logging.error('Error: {0}'.format(err))
 datalab.fab.append_result("Failed to create roles", str(err))
--------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
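Review bot: The predefined-role branch assigns `os.environ['aws_ssn_instance_role']` verbatim to both `ssn_conf['role_name']` and `ssn_conf['role_profile_name']` without confirming that the role and a same-named instance profile exist, so a typo or a mismatched profile name only surfaces later, presumably at instance launch. On this branch the DataLab policy in `ssn_conf['policy_path']` and `aws_permissions_boundary_arn` are not applied, so the SSN's effective privileges are whatever the supplied role carries; a line such as `logging.info('[USING PREDEFINED ROLE] {}'.format(ssn_conf['role_name']))` would at least record that in the provisioning log. If the failure handling outside this hunk deletes IAM resources by `ssn_conf['role_name']`, it should skip a role it did not create. The `params` string is still passed to `subprocess.run(..., shell=True)`, so environment-derived values such as `aws_permissions_boundary_arn` should be quoted with `shlex.quote` or passed as an argument list. The enclosing `if __name__ == "__main__":` block starts and ends outside the hunk.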
