Merge master into feature/emr

Author: aws-toolkit-automation

packages/core/src/awsService/ec2/model.ts

@@ -17,13 +17,14 @@ import {
     ensureDependencies,
     getDeniedSsmActions,
     openRemoteTerminal,
+    promptToAddInlinePolicy,
 } from '../../shared/remoteSession'
 import { DefaultIamClient } from '../../shared/clients/iamClient'
 import { ErrorInformation } from '../../shared/errors'
 import { sshAgentSocketVariable, startSshAgent, startVscodeRemote } from '../../shared/extensions/ssh'
 import { createBoundProcess } from '../../codecatalyst/model'
 import { getLogger } from '../../shared/logger/logger'
-import { Timeout } from '../../shared/utilities/timeoutUtils'
+import { CancellationError, Timeout } from '../../shared/utilities/timeoutUtils'
 import { showMessageWithCancel } from '../../shared/utilities/messages'
 import { SshConfig, sshLogFileLocation } from '../../shared/sshConfig'
 import { SshKeyPair } from './sshKeyPair'
@@ -113,13 +114,11 @@ export class Ec2ConnectionManager {
         const hasPermission = await this.hasProperPermissions(IamRole!.Arn)
 
         if (!hasPermission) {
-            const message = `Ensure an IAM role with the required policies is attached to the instance. Found attached role: ${
-                IamRole!.Arn
-            }`
-            this.throwConnectionError(message, selection, {
-                code: 'EC2SSMPermission',
-                documentationUri: this.policyDocumentationUri,
-            })
+            const policiesAdded = await promptToAddInlinePolicy(this.iamClient, IamRole!.Arn!)
+
+            if (!policiesAdded) {
+                throw new CancellationError('user')
+            }
         }
     }
 

packages/core/src/shared/remoteSession.ts

@@ -8,7 +8,7 @@ import * as nls from 'vscode-nls'
 const localize = nls.loadMessageBundle()
 
 import { Settings } from '../shared/settings'
-import { showMessageWithCancel } from './utilities/messages'
+import { showConfirmationMessage, showMessageWithCancel } from './utilities/messages'
 import { CancellationError, Timeout } from './utilities/timeoutUtils'
 import { isExtensionInstalled, showInstallExtensionMsg } from './utilities/vsCodeUtils'
 import { VSCODE_EXTENSION_ID, vscodeExtensionMinVersion } from './extensions'
@@ -21,6 +21,9 @@ import { ChildProcess } from './utilities/childProcess'
 import { findSshPath, getVscodeCliPath } from './utilities/pathFind'
 import { IamClient } from './clients/iamClient'
 import { IAM } from 'aws-sdk'
+import { getIdeProperties } from './extensionUtilities'
+
+const policyAttachDelay = 5000
 
 export interface MissingTool {
     readonly name: 'code' | 'ssm' | 'ssh'
@@ -32,6 +35,9 @@ const minimumSsmActions = [
     'ssmmessages:CreateDataChannel',
     'ssmmessages:OpenControlChannel',
     'ssmmessages:OpenDataChannel',
+    'ssm:DescribeAssociation',
+    'ssm:ListAssociations',
+    'ssm:UpdateInstanceInformation',
 ]
 
 export async function openRemoteTerminal(options: vscode.TerminalOptions, onClose: () => void) {
@@ -175,6 +181,68 @@ export async function handleMissingTool(tools: Err<MissingTool[]>) {
     )
 }
 
+function getFormattedSsmActions() {
+    const formattedActions = minimumSsmActions.map((action) => `"${action}",\n`).reduce((l, r) => l + r)
+
+    return formattedActions.slice(0, formattedActions.length - 2)
+}
+
+/**
+ * Shows a progress message for adding inline policy to the role, then adds the policy.
+ * Importantly, it keeps the progress bar up for `policyAttachDelay` additional ms to allow permissions to propagate.
+ * If user cancels, it throws a CancellationError and stops the process from subsequently opening a connection.
+ * @param client IamClient to be use to add the permissions.
+ * @param roleArn Arn of the role the inline policy should be added to.
+ */
+async function addInlinePolicyWithDelay(client: IamClient, roleArn: string) {
+    const timeout = new Timeout(policyAttachDelay)
+    const message = `Adding Inline Policy to ${roleArn}`
+    await showMessageWithCancel(message, timeout)
+    await addSsmActionsToInlinePolicy(client, roleArn)
+
+    function delay(ms: number) {
+        return new Promise((resolve) => setTimeout(resolve, ms))
+    }
+
+    await delay(policyAttachDelay)
+    if (timeout.elapsedTime < policyAttachDelay) {
+        throw new CancellationError('user')
+    }
+    timeout.cancel()
+}
+
+export async function promptToAddInlinePolicy(client: IamClient, roleArn: string): Promise<boolean> {
+    const promptText = `${
+        getIdeProperties().company
+    } Toolkit will add required actions to role ${roleArn}:\n${getFormattedSsmActions()}`
+    const confirmation = await showConfirmationMessage({ prompt: promptText, confirm: 'Approve' })
+
+    if (confirmation) {
+        await addInlinePolicyWithDelay(client, roleArn)
+    }
+
+    return confirmation
+}
+
+async function addSsmActionsToInlinePolicy(client: IamClient, roleArn: string) {
+    const policyName = 'AWSVSCodeRemoteConnect'
+    const policyDocument = getSsmPolicyDocument()
+    await client.putRolePolicy(roleArn, policyName, policyDocument)
+}
+
+function getSsmPolicyDocument() {
+    return `{
+            "Version": "2012-10-17",
+            "Statement": {
+                "Effect": "Allow",
+                "Action": [
+                    ${getFormattedSsmActions()}
+                ],
+                "Resource": "*"
+                }
+            }`
+}
+
 export async function getDeniedSsmActions(client: IamClient, roleArn: string): Promise<IAM.EvaluationResult[]> {
     const deniedActions = await client.getDeniedActions({
         PolicySourceArn: roleArn,

packages/core/src/test/awsService/ec2/model.test.ts

@@ -44,7 +44,7 @@ describe('Ec2ConnectClient', function () {
 
     describe('hasProperPermissions', async function () {
         it('throws error when sdk throws error', async function () {
-            sinon.stub(DefaultIamClient.prototype, 'listAttachedRolePolicies').throws(new ToolkitError('error'))
+            sinon.stub(DefaultIamClient.prototype, 'simulatePrincipalPolicy').throws(new ToolkitError('error'))
 
             try {
                 await client.hasProperPermissions('')