fix missing sandbox IAM role registration

dforsber · dforsber · commit 2caffcfdf677 · 2024-03-25T21:01:42.000+02:00
diff --git a/README.md b/README.md
@@ -54,7 +54,7 @@ dataSource:
 
 % bdcli aws iam -c datasource_config.yaml --region eu-west-1 --create-role-only
 ✔ Authenticating: success
-✔ Creating IAM Role: arn:aws:iam::589434896614:role/boilingdata/bd-euw1-noenv-notmplname-21346bf26c314caf8e7e9832205ffdee
+✔ Creating IAM Role: arn:aws:iam::589434896614:role/boilingdata/bd-euw1-noenv-notmpl-21346bf26c314caf8e7e9832205ffdee
 
 % echo "Now you can verify the generated IAM role"
 Now you can verify the generated IAM role
diff --git a/src/bdcli/commands/account/bdcli-account-tap-client-token.ts b/src/bdcli/commands/account/bdcli-account-tap-client-token.ts
@@ -7,7 +7,7 @@ import { BDAccount } from "../../../integration/boilingdata/account.js";
 import { combineOptsWithSettings } from "../../utils/config_util.js";
 import { outputResults } from "../../utils/output_util.js";
 
-const logger = getLogger("bdcli-account-token");
+const logger = getLogger("bdcli-account-tap-client-token");
 
 async function show(options: any, _command: cmd.Command): Promise<void> {
   try {
@@ -19,27 +19,27 @@ async function show(options: any, _command: cmd.Command): Promise<void> {
     updateSpinnerText(`Authenticating: ${idCached ? "cached" : "success"}`);
     spinnerSuccess();
 
-    updateSpinnerText(`Getting BoilingData TAP token`);
+    updateSpinnerText(`Getting BoilingData Client TAP token`);
     if (!region) throw new Error("Pass --region parameter or set AWS_REGION env");
     const bdAccount = new BDAccount({ logger, authToken: token });
     const {
       bdTapToken,
       cached: tapCached,
       ...rest
     } = await bdAccount.getTapToken(options.lifetime ?? "24h", options.sharingUser);
-    updateSpinnerText(`Getting BoilingData TAP token: ${tapCached ? "cached" : "success"}`);
+    updateSpinnerText(`Getting BoilingData Client TAP token: ${tapCached ? "cached" : "success"}`);
     spinnerSuccess();
     await outputResults({ bdTapToken, cached: tapCached, ...rest }, options.disableSpinner);
   } catch (err: any) {
     spinnerError(err?.message);
   }
 }
 
-const program = new cmd.Command("bdcli account tap-token")
+const program = new cmd.Command("bdcli account tap-client-token")
   .addOption(
     new cmd.Option(
       "--lifetime <lifetime>",
-      "Expiration lifetime for the token, in string format, like '1h' (see https://github.com/vercel/ms)",
+      "Expiration lifetime for the token, in string format, like '24h' (see https://github.com/vercel/ms)",
     ),
   )
   .addOption(
diff --git a/src/bdcli/commands/account/bdcli-account-tap-master-secret.ts b/src/bdcli/commands/account/bdcli-account-tap-master-secret.ts
@@ -0,0 +1,46 @@
+import * as cmd from "commander";
+import { getLogger } from "../../utils/logger_util.js";
+import { spinnerError, spinnerSuccess, updateSpinnerText } from "../../utils/spinner_util.js";
+import { addGlobalOptions } from "../../utils/options_util.js";
+import { authSpinnerWithConfigCheck, getIdToken, validateTokenLifetime } from "../../utils/auth_util.js";
+import { BDAccount } from "../../../integration/boilingdata/account.js";
+import { combineOptsWithSettings } from "../../utils/config_util.js";
+import { outputResults } from "../../utils/output_util.js";
+
+const logger = getLogger("bdcli-account-tap-master-secret");
+
+async function show(options: any, _command: cmd.Command): Promise<void> {
+  try {
+    options = await combineOptsWithSettings(options, logger);
+    if (options.lifetime) await validateTokenLifetime(options.lifetime);
+
+    if (!authSpinnerWithConfigCheck()) return;
+    const { idToken: token, cached: idCached, region } = await getIdToken(logger);
+    updateSpinnerText(`Authenticating: ${idCached ? "cached" : "success"}`);
+    spinnerSuccess();
+
+    updateSpinnerText(`Getting BoilingData Master TAP secret`);
+    if (!region) throw new Error("Pass --region parameter or set AWS_REGION env");
+    const bdAccount = new BDAccount({ logger, authToken: token });
+    const { bdTapMasterSecret, cached: tapCached, ...rest } = await bdAccount.getTapMasterSecret();
+    updateSpinnerText(`Getting BoilingData Master TAP secret: ${tapCached ? "cached" : "success"}`);
+    spinnerSuccess();
+    await outputResults({ bdTapMasterSecret, cached: tapCached, ...rest }, options.disableSpinner);
+  } catch (err: any) {
+    spinnerError(err?.message);
+  }
+}
+
+const program = new cmd.Command("bdcli account tap-master-secret")
+  .addOption(
+    new cmd.Option(
+      "--sharing-user <emailOfTapSharingUser>",
+      "A user has shared Tap for you so that you can write to it.",
+    ),
+  )
+  .action(async (options, command) => await show(options, command));
+
+(async () => {
+  await addGlobalOptions(program, logger);
+  await program.parseAsync(process.argv);
+})();
diff --git a/src/bdcli/commands/aws/bdcli-aws-s3-iam.ts b/src/bdcli/commands/aws/bdcli-aws-s3-iam.ts
@@ -5,13 +5,13 @@ import { ELogLevel, getLogger } from "../../utils/logger_util.js";
 import { spinnerError, spinnerSuccess, spinnerWarn, updateSpinnerText } from "../../utils/spinner_util.js";
 import { addGlobalOptions } from "../../utils/options_util.js";
 import { getIdToken } from "../../utils/auth_util.js";
-import { BDIamRole } from "../../../integration/aws/iam_roles.js";
+import { BDIamRole, ERoleType } from "../../../integration/aws/iam_role.js";
 import { BDAccount } from "../../../integration/boilingdata/account.js";
 import { BDDataSourceConfig } from "../../../integration/boilingdata/dataset.js";
 import { BDIntegration } from "../../../integration/bdIntegration.js";
 import { combineOptsWithSettings } from "../../utils/config_util.js";
 
-const logger = getLogger("bdcli-aws");
+const logger = getLogger("bdcli-aws-iam");
 logger.setLogLevel(ELogLevel.WARN);
 
 async function iamrole(options: any, _command: cmd.Command): Promise<void> {
@@ -29,30 +29,32 @@ async function iamrole(options: any, _command: cmd.Command): Promise<void> {
     updateSpinnerText(cached ? "Authenticating: cached" : "Authenticating: success");
     spinnerSuccess();
 
-    updateSpinnerText("Creating IAM Role");
+    updateSpinnerText("Creating S3 IAM Role");
     if (!region) throw new Error("Pass --region parameter or set AWS_REGION env");
     const bdAccount = new BDAccount({ logger, authToken: token });
     const bdDataSources = new BDDataSourceConfig({ logger });
     await bdDataSources.readConfig(options.config);
+    const stsClient = new sts.STSClient({ region });
     const bdRole = new BDIamRole({
       ...options,
       logger,
+      roleType: ERoleType.S3,
       iamClient: new iam.IAMClient({ region }),
-      stsClient: new sts.STSClient({ region }),
+      stsClient,
       username: await bdAccount.getUsername(),
       assumeAwsAccount: await bdAccount.getAssumeAwsAccount(),
       assumeCondExternalId: await bdAccount.getExtId(),
     });
-    const bdIntegration = new BDIntegration({ logger, bdAccount, bdRole, bdDataSources });
-    const policyDocument = await bdIntegration.getPolicyDocument();
+    const bdIntegration = new BDIntegration({ logger, bdAccount, bdRole, bdDataSources, stsClient });
+    const policyDocument = await bdIntegration.getS3PolicyDocument();
     const iamRoleArn = await bdRole.upsertRole(JSON.stringify(policyDocument));
-    updateSpinnerText(`Creating IAM Role: ${iamRoleArn}`);
+    updateSpinnerText(`Creating S3 IAM Role: ${iamRoleArn}`);
     spinnerSuccess();
 
     if (!options.createRoleOnly) {
-      updateSpinnerText(`Registering IAM Role: ${iamRoleArn}`);
+      updateSpinnerText(`Registering S3 IAM Role: ${iamRoleArn}`);
       const datasourcesConfig = bdDataSources.getDatasourcesConfig();
-      await bdAccount.setIamRoleWithPayload(iamRoleArn, { datasourcesConfig });
+      await bdAccount.setS3IamRoleWithPayload(iamRoleArn, { datasourcesConfig });
       spinnerSuccess();
     }
   } catch (err: any) {
diff --git a/src/bdcli/commands/aws/bdcli-aws-taps-iam.ts b/src/bdcli/commands/aws/bdcli-aws-taps-iam.ts
@@ -0,0 +1,78 @@
+import * as iam from "@aws-sdk/client-iam";
+import * as sts from "@aws-sdk/client-sts";
+import * as cmd from "commander";
+import { ELogLevel, getLogger } from "../../utils/logger_util.js";
+import { spinnerError, spinnerSuccess, spinnerWarn, updateSpinnerText } from "../../utils/spinner_util.js";
+import { addGlobalOptions } from "../../utils/options_util.js";
+import { getIdToken } from "../../utils/auth_util.js";
+import { BDIamRole, ERoleType } from "../../../integration/aws/iam_role.js";
+import { BDAccount } from "../../../integration/boilingdata/account.js";
+import { BDIntegration } from "../../../integration/bdIntegration.js";
+import { combineOptsWithSettings } from "../../utils/config_util.js";
+
+const logger = getLogger("bdcli-aws-taps-iam");
+logger.setLogLevel(ELogLevel.WARN);
+
+async function iamrole(options: any, _command: cmd.Command): Promise<void> {
+  try {
+    options = await combineOptsWithSettings(options, logger);
+
+    if (options.delete) {
+      updateSpinnerText("Not implemented yet. Please delete the IAM Role from AWS Console");
+      spinnerWarn("Not implemented yet. Please delete the IAM Role from AWS Console");
+      return;
+    }
+
+    updateSpinnerText("Authenticating");
+    const { idToken: token, cached, region } = await getIdToken(logger);
+    updateSpinnerText(cached ? "Authenticating: cached" : "Authenticating: success");
+    spinnerSuccess();
+
+    updateSpinnerText("Creating TAPS IAM Role");
+    if (!region) throw new Error("Pass --region parameter or set AWS_REGION env");
+    const bdAccount = new BDAccount({ logger, authToken: token });
+    const stsClient = new sts.STSClient({ region });
+    const bdRole = new BDIamRole({
+      ...options,
+      logger,
+      roleType: ERoleType.TAP,
+      iamClient: new iam.IAMClient({ region }),
+      stsClient,
+      username: await bdAccount.getUsername(),
+      assumeAwsAccount: await bdAccount.getAssumeAwsAccount(),
+      assumeCondExternalId: await bdAccount.getExtId(),
+    });
+    const bdIntegration = new BDIntegration({ logger, bdAccount, bdRole, stsClient });
+    const policyDocument = await bdIntegration.getTapsPolicyDocument();
+    const iamRoleArn = await bdRole.upsertRole(JSON.stringify(policyDocument));
+    updateSpinnerText(`Creating TAPS IAM Role: ${iamRoleArn}`);
+    spinnerSuccess();
+
+    if (!options.createRoleOnly) {
+      updateSpinnerText(`Registering TAPS IAM Role: ${iamRoleArn}`);
+      await bdAccount.setTapsIamRoleWithPayload(iamRoleArn);
+      spinnerSuccess();
+    }
+  } catch (err: any) {
+    spinnerError(err?.message);
+  }
+}
+
+const program = new cmd.Command("bdcli aws taps-iam")
+  .addHelpText(
+    "beforeAll",
+    "If you have an AWS account, you can use this command to create BoilingData assumable AWS IAM Role into " +
+      "your AWS account. It is fully owned and controlled by you. The IAM Policy allows deploying Data Taps " +
+      "(Lambda Functions with URL) into your account and creating the needed IAM Role for the Data Tap itself" +
+      " (service role). \n\nSee the README.md in https://github.com/boilingdata/boilingdata-bdcli " +
+      "for more information.\n",
+  )
+  .addOption(new cmd.Option("-r, --region <region>", "AWS region"))
+  .addOption(new cmd.Option("--delete", "Delete the IAM role"))
+  .addOption(new cmd.Option("--create-role-only", "Create the IAM role only and do not update BoilingData"))
+  .action(async (options, command) => await iamrole(options, command));
+
+(async () => {
+  await addGlobalOptions(program, logger);
+  await program.parseAsync(process.argv);
+})();
diff --git a/src/bdcli/commands/bdcli-account.ts b/src/bdcli/commands/bdcli-account.ts
@@ -8,7 +8,8 @@ const program = new Command("bdcli account")
   .command("mfa", "Enable MFA")
   .command("migrate", "Migrate your account to another AWS region (not-yet-implemented)")
   .command("sts-token", "Exchange Cognito ID Token into shared or your own BoilingData Short-Term-Session (STS) token")
-  .command("tap-token", "Exchange Cognito ID Token into shared or your own BoilingData Stream Tap auth token")
+  .command("tap-client-token", "Exchange Cognito ID Token into BoilingData Data Tap client auth token")
+  .command("tap-master-secret", "Get your BoilingData Data Tap master secret")
   .command("token-share", "Share data sets via access tokens to other Boiling users")
   .command("token-unshare", "Unshare access tokens")
   .command("token-list-shares", "List shared data sets (access tokens) from and to you")
diff --git a/src/bdcli/commands/bdcli-aws.ts b/src/bdcli/commands/bdcli-aws.ts
@@ -2,6 +2,7 @@ import { Command } from "commander";
 
 const program = new Command("bdcli aws")
   .executableDir("aws")
-  .command("iam", "Setup IAM Role into your AWS account for controlled BoilingData access");
+  .command("s3-iam", "Setup IAM Role into your AWS account for accessing S3")
+  .command("taps-iam", "Setup deployer and service IAM Roles into your AWS account for creating and running Data Taps");
 
 program.parse(process.argv);
diff --git a/src/bdcli/commands/domain/bdcli-domain-setup.ts b/src/bdcli/commands/domain/bdcli-domain-setup.ts
@@ -5,7 +5,7 @@ import { ELogLevel, getLogger } from "../../utils/logger_util.js";
 import { spinnerError, spinnerSuccess, spinnerWarn, updateSpinnerText } from "../../utils/spinner_util.js";
 import { addGlobalOptions } from "../../utils/options_util.js";
 import { authSpinnerWithConfigCheck, getIdToken } from "../../utils/auth_util.js";
-import { BDIamRole } from "../../../integration/aws/iam_roles.js";
+import { BDIamRole } from "../../../integration/aws/iam_role.js";
 import { BDAccount } from "../../../integration/boilingdata/account.js";
 import { BDDataSourceConfig } from "../../../integration/boilingdata/dataset.js";
 import { BDIntegration } from "../../../integration/bdIntegration.js";
@@ -34,6 +34,7 @@ async function iamrole(options: any, _command: cmd.Command): Promise<void> {
     const bdAccount = new BDAccount({ logger, authToken: token });
     const bdDataSources = new BDDataSourceConfig({ logger });
     await bdDataSources.readConfig(options.config);
+    const stsClient = new sts.STSClient({ region });
     const bdRole = new BDIamRole({
       ...options,
       logger,
@@ -42,16 +43,16 @@ async function iamrole(options: any, _command: cmd.Command): Promise<void> {
       assumeAwsAccount: await bdAccount.getAssumeAwsAccount(),
       assumeCondExternalId: await bdAccount.getExtId(),
     });
-    const bdIntegration = new BDIntegration({ logger, bdAccount, bdRole, bdDataSources });
-    const policyDocument = await bdIntegration.getPolicyDocument();
+    const bdIntegration = new BDIntegration({ logger, bdAccount, bdRole, bdDataSources, stsClient });
+    const policyDocument = await bdIntegration.getS3PolicyDocument();
     const iamRoleArn = await bdRole.upsertRole(JSON.stringify(policyDocument));
     updateSpinnerText(`Creating IAM Role: ${iamRoleArn}`);
     spinnerSuccess();
 
     if (!options.createRoleOnly) {
       updateSpinnerText(`Registering IAM Role: ${iamRoleArn}`);
       const datasourcesConfig = bdDataSources.getDatasourcesConfig();
-      await bdAccount.setIamRoleWithPayload(iamRoleArn, { datasourcesConfig });
+      await bdAccount.setS3IamRoleWithPayload(iamRoleArn, { datasourcesConfig });
       spinnerSuccess();
     }
   } catch (err: any) {
diff --git a/src/bdcli/commands/sandbox/bdcli-sandbox-create-role.ts b/src/bdcli/commands/sandbox/bdcli-sandbox-create-role.ts
@@ -7,7 +7,7 @@ import { addGlobalOptions } from "../../utils/options_util.js";
 import { combineOptsWithSettings } from "../../utils/config_util.js";
 import { authSpinnerWithConfigCheck, getIdToken } from "../../utils/auth_util.js";
 import { BDSandbox } from "../../../integration/boilingdata/sandbox.js";
-import { BDIamRole } from "../../../integration/aws/iam_roles.js";
+import { BDIamRole } from "../../../integration/aws/iam_role.js";
 import { BDAccount } from "../../../integration/boilingdata/account.js";
 import { BDIntegration } from "../../../integration/bdIntegration.js";
 import { BDDataSourceConfig } from "../../../integration/boilingdata/dataset.js";
@@ -35,21 +35,30 @@ async function show(options: any, _command: cmd.Command): Promise<void> {
     const bdAccount = new BDAccount({ logger, authToken: token });
     const bdDataSources = new BDDataSourceConfig({ logger });
     bdDataSources.withConfig({ dataSource: bdSandbox.tmpl.resources.storage });
+    const stsClient = new sts.STSClient({ region });
     const bdRole = new BDIamRole({
       ...options,
       logger,
       iamClient: new iam.IAMClient({ region }),
-      stsClient: new sts.STSClient({ region }),
+      stsClient,
       templateName: bdSandbox.tmpl.id,
       username: await bdAccount.getUsername(),
       assumeAwsAccount: await bdAccount.getAssumeAwsAccount(),
       assumeCondExternalId: await bdAccount.getExtId(),
     });
-    const bdIntegration = new BDIntegration({ logger, bdAccount, bdRole, bdDataSources });
-    const policyDocument = await bdIntegration.getPolicyDocument(options.listBucketsPermission);
-    let iamRoleArn;
-    if (!options.dryRun) iamRoleArn = await bdRole.upsertRole(JSON.stringify(policyDocument));
-    updateSpinnerText(`Creating IAM Role: ${iamRoleArn}` + (options.dryRun ? "(dry-run)" : ""));
+    const bdIntegration = new BDIntegration({ logger, bdAccount, bdRole, bdDataSources, stsClient });
+    const policyDocument = await bdIntegration.getS3PolicyDocument(options.listBucketsPermission);
+    if (options.dryRun) {
+      updateSpinnerText(`Creating IAM Role (dry-run)`);
+      spinnerSuccess();
+      return;
+    }
+    const iamRoleArn = await bdRole.upsertRole(JSON.stringify(policyDocument));
+    spinnerSuccess();
+
+    updateSpinnerText(`Registering S3 IAM Role: ${iamRoleArn}`);
+    const datasourcesConfig = bdDataSources.getDatasourcesConfig();
+    await bdAccount.setS3IamRoleWithPayload(iamRoleArn, { datasourcesConfig });
     spinnerSuccess();
   } catch (err: any) {
     // try to decode the message
diff --git a/src/integration/aws/iam_role.ts b/src/integration/aws/iam_role.ts
@@ -13,12 +13,18 @@ enum ENameType {
   "POLICY" = "policy",
 }
 
+export enum ERoleType {
+  S3 = "s3",
+  TAP = "tap",
+}
+
 export interface IBDIamRole {
   logger: ILogger;
   iamClient: iam.IAMClient;
   stsClient: sts.STSClient;
   region: string;
   username: string;
+  roleType: ERoleType;
   templateName?: string;
   assumeCondExternalId: string;
   assumeAwsAccount: string;
@@ -36,13 +42,15 @@ export class BDIamRole {
   private _iamManagedPolicyName?: string;
   private boilingDataTags: Tag[];
   private path: string;
+  private type: ERoleType;
   private awsAccountId?: string;
   private policyArn?: string;
 
   constructor(private params: IBDIamRole) {
     this.iamClient = this.params.iamClient;
     this.stsClient = this.params.stsClient;
     this.logger = this.params.logger;
+    this.type = this.params.roleType;
     this.path = this.params.path ?? "/boilingdata/";
     if (!this.path.startsWith("/") || !this.path.endsWith("/")) throw new Error("path must start and end with /");
     this.boilingDataTags = [{ Key: "service", Value: "boilingdata" }];
@@ -51,9 +59,9 @@ export class BDIamRole {
   private getName(type: string): string {
     const prefix = this.params.roleNamePrefix ?? "bd";
     const regionShort = getAwsRegionShortName(this.params.region ?? process.env["AWS_REGION"] ?? "eu-west-1");
-    const tmplName = this.params.templateName ?? "notmplname";
+    const tmplName = this.params.templateName ?? "notmpl";
     const username = this.params.username.replaceAll("-", "");
-    const name = [prefix, regionShort, tmplName, username].join("-");
+    const name = [prefix, regionShort, tmplName, username, this.type].join("-");
     if (name.length > 64) {
       throw new Error(
         `${type} name (${name}) too long (${name.length}), reduce prefix/tmplname lengths (roomLeft ${
diff --git a/src/integration/aws/iam_roles.test.ts b/src/integration/aws/iam_roles.test.ts
diff --git a/src/integration/bdIntegration.test.ts b/src/integration/bdIntegration.test.ts
diff --git a/src/integration/bdIntegration.ts b/src/integration/bdIntegration.ts
diff --git a/src/integration/boilingdata/account.ts b/src/integration/boilingdata/account.ts
diff --git a/src/integration/boilingdata/boilingdata_api.ts b/src/integration/boilingdata/boilingdata_api.ts
