Cross account support by ejholmes · Pull Request #553 · cloudtools/stacker · GitHub
Cross account support #553


Merged 1 commit, Mar 14, 2018

Conversation

ejholmes (Contributor) commented Mar 10, 2018

Depends on #551

This is based on the RFC in https://github.com/remind101/stacker/wiki/RFC:-Profiles

Closes #263
Fixes #277

With this change, you can specify a boto3 profile to use for a given stack. This can be used for cross account provisioning and linking of stacks. For example, say you wanted to provision a hot and cold version of an application in multiple regions and multiple accounts, you could do something like this:

stacks:
- name: hot/vpc
  stack_name: vpc
  profile: hot
- name: cold/vpc
  stack_name: vpc
  profile: cold
- name: app
  profile: hot
  variables:
    VpcId: ${output hot/vpc::VpcId}
- name: cold/app
  stack_name: app
  profile: cold
  variables:
    VpcId: ${output cold/vpc::VpcId}

$ cat <<EOF > .aws/config
[profile hot]
region = us-east-1
role_arn = arn:aws:iam::1234567:role/Stacker

[profile cold]
region = us-west-1
role_arn = arn:aws:iam::7654321:role/Stacker
EOF
$ AWS_CONFIG_FILE=.aws/config stacker build stacker.yaml

TODO

  • Docs around using AWS profiles with stacker.
  • Functional tests

@ejholmes ejholmes requested a review from a team March 10, 2018 02:39
codecov-io commented Mar 10, 2018

Codecov Report

Merging #553 into multi-region will decrease coverage by 0.11%.
The diff coverage is 64%.


@@               Coverage Diff                @@
##           multi-region     #553      +/-   ##
================================================
- Coverage         87.36%   87.24%   -0.12%     
================================================
  Files                95       95              
  Lines              6167     6180      +13     
================================================
+ Hits               5388     5392       +4     
- Misses              779      788       +9
Impacted Files Coverage Δ
stacker/tests/factories.py 97.14% <100%> (ø) ⬆️
stacker/stack.py 86.56% <100%> (+0.2%) ⬆️
stacker/actions/base.py 63.75% <100%> (ø) ⬆️
stacker/config/__init__.py 92.81% <100%> (+0.04%) ⬆️
stacker/session_cache.py 48.83% <100%> (-1.17%) ⬇️
stacker/tests/actions/test_destroy.py 100% <100%> (ø) ⬆️
stacker/tests/fixtures/mock_blueprints.py 58.73% <33.33%> (-3.34%) ⬇️
stacker/ui.py 82.75% <33.33%> (-12.9%) ⬇️
stacker/providers/aws/default.py 65.36% <50%> (ø) ⬆️
stacker/dag/__init__.py 87.81% <0%> (-0.51%) ⬇️

Continue to review full report at Codecov.

Legend
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 42cba20...48b71de.

phobologic (Member) left a review:

Same questions as the region PR - how are the s3 buckets/lookups/hooks handled in this world?

docs/config.rst Outdated
@@ -359,6 +359,10 @@ A stack has the following keys:
**region**:
(optional): If provided, specifies the name of the region that the
CloudFormation stack should reside in.
**profile**:
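Review bot: the new **profile** entry added directly under **region** in docs/config.rst should spell out the precedence between a stack-level `region` and the region carried by the profile, and what happens when `profile` is omitted; a single line such as "if both are given, the `region` on the stack overrides the profile's region" avoids the ambiguity raised in this thread.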
Member:

What happens if this is provided, and region is provided? Pretty sure you can provide a region as part of a profile, so curious which wins out (and it should probably be documented)

Contributor Author:

I'll add this to the docs. If both profile and region are provided, the region that's used in the config overrides the region in the profile.

ui.unlock()


def get_session(region, profile=None):
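Review bot: `get_session` gains a `profile=None` parameter but the hunk shows no docstring change; document that `profile` names a `[profile X]` section of the AWS config, that such a section may carry a `role_arn` so the session's credentials can come from an assumed role in another account, and that `None` keeps the previous behaviour.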
Member:

needs updated docstring

if region is not None:
session.set_config_variable('region', region)
c = session.get_component('credential_provider')
session = boto3.Session(region_name=region, profile_name=profile)
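Review bot: dropping the `if region is not None` guard is fine, since `boto3.Session(region_name=None, ...)` falls back to the profile or environment region, but the removed `c = session.get_component('credential_provider')` line implies the old code customised the credential provider chain, and nothing in this hunk shows an equivalent for the new `boto3.Session`. Confirm whatever `c` was used for is no longer needed; otherwise anything configured through it (for example a credential cache for assumed-role credentials) silently disappears with this change.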
Member:

I think the reason we had to use botocore originally was because boto3 didn't have this ability at the time. Do we need to update our dependency for boto3 to a specific minimum version for this?

Contributor Author:

We lock on "boto3>=1.3.1", which has support for both of these params, so we should be ok.



def get_session(region):
def getpass(*args):
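Review bot: `def getpass(*args)` shadows the standard-library `getpass` name, which makes later reading of this module error-prone; rename it (for example `prompt_secret`) or move it into the ui module as suggested, and document which positional arguments the `*args` form is deliberately ignoring.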
Member:

Worth moving into the ui library, since we might need this elsewhere?

ejholmes (Contributor Author) commented Mar 12, 2018

how are the s3 buckets handled in this world?

We already talked about this offline, but just adding here: Special consideration will need to be taken when using multi-account and uploading templates to s3. Wherever the stacker bucket is provisioned, it'll need a bucket policy that allows any external accounts access to read templates from the bucket. My plan is to update the docs before a 1.3 release with a guide on how to set up a multi-account config.

The easiest way to use this for now is to set stacker_bucket: '' so templates are sent directly to CloudFormation.

how are the lookups handled in this world?

The output plugin just works, and, like multi-region, the xref and rxref plugins will use the profile of the given stack when performing the lookup.

how are the hooks handled in this world?

Same answer as #551 (comment). Hooks will use the default AWS config for now.
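A worked example of the per-stack profile model from the PR description and of the template-bucket concern discussed above, added here and not part of stacker's code: it parses an AWS config made of `[profile …]` sections (constructed, with placeholder account ids), applies the precedence the author states (a stack-level region overrides the profile's region), and derives the bucket policy statement the template bucket needs so that only the roles stacker assumes in the other accounts can read templates. The bucket name, stack list and account ids are assumptions.

```python
import configparser
import json

# Constructed AWS config in the shape of the PR's example; account ids are placeholders.
AWS_CONFIG = """
[profile hot]
region = us-east-1
role_arn = arn:aws:iam::111111111111:role/Stacker

[profile cold]
region = us-west-1
role_arn = arn:aws:iam::222222222222:role/Stacker
"""

# Constructed stack definitions mirroring stacker.yaml from the PR description.
STACKS = [
    {"name": "hot/vpc", "profile": "hot"},
    {"name": "cold/vpc", "profile": "cold", "region": "eu-west-1"},
    {"name": "app", "profile": "hot"},
]

def load_profiles(text):
    """Return {profile name: {key: value}} for every [profile X] section."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {s.split(" ", 1)[1]: dict(cp[s])
            for s in cp.sections() if s.startswith("profile ")}

def effective_region(stack, profiles):
    """Precedence stated in the thread: the stack's own region wins over the profile's."""
    profile = profiles.get(stack.get("profile"), {})
    return stack.get("region") or profile.get("region")

def template_bucket_policy(bucket, stacks, profiles):
    """Least-privilege policy: only the roles stacker assumes may read templates."""
    roles = sorted({profiles[s["profile"]]["role_arn"] for s in stacks if "profile" in s})
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "ReadStackerTemplates", "Effect": "Allow",
        "Principal": {"AWS": roles}, "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::%s/*" % bucket}]}

if __name__ == "__main__":
    profiles = load_profiles(AWS_CONFIG)
    for stack in STACKS:
        print(stack["name"], effective_region(stack, profiles))
    print(json.dumps(template_bucket_policy("stacker-templates", STACKS, profiles), indent=2))
```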

@ejholmes ejholmes changed the base branch from multi-region to master March 14, 2018 03:30
@ejholmes ejholmes merged commit 3a41603 into master Mar 14, 2018
@ejholmes ejholmes deleted the profiles-1.2 branch March 14, 2018 03:42
phrohdoh pushed a commit to phrohdoh/stacker that referenced this pull request Dec 18, 2018