Merge branch 'hkobew/ec2/addInlinePolicies' into feature/ec2

Hweinstock · Hweinstock · commit c3b0ae9de3f8 · 2023-08-08T12:53:16.000-07:00
diff --git a/src/ec2/model.ts b/src/ec2/model.ts
@@ -17,6 +17,7 @@ import {
     ensureDependencies,
     getDeniedSsmActions,
     openRemoteTerminal,
+    promptToAddInlinePolicy,
 } from '../shared/remoteSession'
 import { DefaultIamClient } from '../shared/clients/iamClient'
 import { ErrorInformation } from '../shared/errors'
@@ -113,19 +114,22 @@ export class Ec2ConnectionManager {
         const hasPermission = await this.hasProperPermissions(IamRole!.Arn)
 
         if (!hasPermission) {
-            const message = `Ensure an IAM role with the proper permissions is attached to the instance. Found attached role: ${
-                IamRole!.Arn
-            }`
-            this.throwConnectionError(message, selection, {
-                code: 'EC2SSMPermission',
-                documentationUri: this.policyDocumentationUri,
-            })
+            const policiesAdded = await promptToAddInlinePolicy(this.iamClient, IamRole!.Arn!)
+
+            if (!policiesAdded) {
+                const message = `Did not add permissions. Ensure an IAM role with the proper permissions is attached to the instance. Found attached role: ${
+                    IamRole!.Arn
+                }`
+                this.throwConnectionError(message, selection, {
+                    code: 'EC2SSMPermission',
+                    documentationUri: this.policyDocumentationUri,
+                })
+            }
         }
     }
 
     private async checkForInstanceSsmError(selection: Ec2Selection): Promise<void> {
         const isSsmAgentRunning = (await this.ssmClient.getInstanceAgentPingStatus(selection.instanceId)) == 'Online'
-
         if (!isSsmAgentRunning) {
             this.throwConnectionError('Is SSM Agent running on the target instance?', selection, {
                 code: 'EC2SSMAgentStatus',
@@ -135,7 +139,7 @@ export class Ec2ConnectionManager {
     }
 
     public throwGeneralConnectionError(selection: Ec2Selection, error: Error) {
-        this.throwConnectionError('Unable to connect to target instance. ', selection, {
+        this.throwConnectionError('', selection, {
             code: 'EC2SSMConnect',
             cause: error,
         })
diff --git a/src/shared/clients/iamClient.ts b/src/shared/clients/iamClient.ts
@@ -104,4 +104,12 @@ export class DefaultIamClient {
         }
         return response.InstanceProfile.Roles[0]
     }
+
+    public async putRolePolicy(roleArn: string, policyName: string, policyDocument: string): Promise<void> {
+        const client = await this.createSdkClient()
+        const roleName = this.getFriendlyName(roleArn)
+        await client
+            .putRolePolicy({ RoleName: roleName, PolicyName: policyName, PolicyDocument: policyDocument })
+            .promise()
+    }
 }
diff --git a/src/shared/remoteSession.ts b/src/shared/remoteSession.ts
@@ -5,10 +5,9 @@
 
 import * as vscode from 'vscode'
 import * as nls from 'vscode-nls'
-const localize = nls.loadMessageBundle()
 
 import { Settings } from '../shared/settings'
-import { showMessageWithCancel } from './utilities/messages'
+import { showConfirmationMessage, showMessageWithCancel } from './utilities/messages'
 import { CancellationError, Timeout } from './utilities/timeoutUtils'
 import { isExtensionInstalled, showInstallExtensionMsg } from './utilities/vsCodeUtils'
 import { VSCODE_EXTENSION_ID, vscodeExtensionMinVersion } from './extensions'
@@ -21,16 +20,28 @@ import { pushIf } from './utilities/collectionUtils'
 import { ChildProcess } from './utilities/childProcess'
 import { IamClient } from './clients/iamClient'
 import { IAM } from 'aws-sdk'
+import { getIdeProperties } from './extensionUtilities'
+
+const localize = nls.loadMessageBundle()
 
 export interface MissingTool {
     readonly name: 'code' | 'ssm' | 'ssh'
     readonly reason?: string
 }
 
+const minimumSsmActions = [
+    'ssmmessages:CreateControlChannel',
+    'ssmmessages:CreateDataChannel',
+    'ssmmessages:OpenControlChannel',
+    'ssmmessages:OpenDataChannel',
+]
+
+const policyAttachDelay = 5000
+
 export async function openRemoteTerminal(options: vscode.TerminalOptions, onClose: () => void) {
     const timeout = new Timeout(60000)
 
-    await showMessageWithCancel('AWS: Starting session...', timeout, 1000)
+    await showMessageWithCancel('AWS: Opening remote terminal...', timeout, 1000)
     await withoutShellIntegration(async () => {
         const terminal = vscode.window.createTerminal(options)
 
@@ -173,13 +184,63 @@ export async function handleMissingTool(tools: Err<MissingTool[]>) {
 export async function getDeniedSsmActions(client: IamClient, roleArn: string): Promise<IAM.EvaluationResult[]> {
     const deniedActions = await client.getDeniedActions({
         PolicySourceArn: roleArn,
-        ActionNames: [
-            'ssmmessages:CreateControlChannel',
-            'ssmmessages:CreateDataChannel',
-            'ssmmessages:OpenControlChannel',
-            'ssmmessages:OpenDataChannel',
-        ],
+        ActionNames: minimumSsmActions,
     })
 
     return deniedActions
 }
+
+export async function promptToAddInlinePolicy(client: IamClient, roleArn: string): Promise<boolean> {
+    const promptText = `${
+        getIdeProperties().company
+    } Toolkit will add required actions to role ${roleArn}:\n${getFormattedSsmActions()}`
+    const confirmation = await showConfirmationMessage({ prompt: promptText, confirm: 'Approve' })
+
+    if (confirmation) {
+        await addInlinePolicyWithDelay(client, roleArn)
+    }
+
+    return confirmation
+}
+
+async function addInlinePolicyWithDelay(client: IamClient, roleArn: string) {
+    const timeout = new Timeout(policyAttachDelay)
+    const message = `Adding Inline Policy to ${roleArn}`
+    await showMessageWithCancel(message, timeout)
+    await addSsmActionsToInlinePolicy(client, roleArn)
+
+    function delay(ms: number) {
+        return new Promise(resolve => setTimeout(resolve, ms))
+    }
+
+    await delay(policyAttachDelay)
+    if (timeout.elapsedTime < policyAttachDelay) {
+        throw new CancellationError('user')
+    }
+    timeout.cancel()
+}
+
+function getFormattedSsmActions() {
+    const formattedActions = minimumSsmActions.map(action => `"${action}",\n`).reduce((l, r) => l + r)
+
+    return formattedActions.slice(0, formattedActions.length - 2)
+}
+
+function getSsmPolicyDocument() {
+    return `{
+            "Version": "2012-10-17",
+            "Statement": {
+                "Effect": "Allow",
+                "Action": [
+                    ${getFormattedSsmActions()}
+                ],
+                "Resource": "*"
+                }
+            }`
+}
+
+async function addSsmActionsToInlinePolicy(client: IamClient, roleArn: string) {
+    const policyName = 'AWSVSCodeRemoteConnect'
+    const policyDocument = getSsmPolicyDocument()
+    await client.putRolePolicy(roleArn, policyName, policyDocument)
+}

Original file line number	Diff line number	Diff line change
`@@ -104,4 +104,12 @@ export class DefaultIamClient {`
`104`	`104`	`}`
`105`	`105`	`return response.InstanceProfile.Roles[0]`
`106`	`106`	`}`
	`107`	`+`
	`108`	`+ public async putRolePolicy(roleArn: string, policyName: string, policyDocument: string): Promise<void> {`
	`109`	`+ const client = await this.createSdkClient()`
	`110`	`+ const roleName = this.getFriendlyName(roleArn)`
	`111`	`+ await client`
	`112`	`+ .putRolePolicy({ RoleName: roleName, PolicyName: policyName, PolicyDocument: policyDocument })`
	`113`	`+ .promise()`
	`114`	`+ }`
`107`	`115`	`}`