public static string CreateRoleIfNotExists(IAmazonIdentityManagementService iamClient, string roleName, string assumeRolePolicyDocument, bool waitForEventualConsistency = true)
{
AutoResetEvent ars = new AutoResetEvent(false);
Exception responseException = new Exception();
Role role = GetRoleIfExists(iamClient, roleName);
if (role != null && !string.IsNullOrEmpty(role.Arn))
{
return role.Arn;
}
iamClient.CreateRoleAsync(new CreateRoleRequest
{
RoleName = roleName,
AssumeRolePolicyDocument = assumeRolePolicyDocument
}, (response) =>
{
responseException = response.Exception;
if (responseException == null)
{
role = response.Response.Role;
}
ars.Set();
}, new AsyncOptions { ExecuteCallbackOnMainThread = false });
ars.WaitOne();
Assert.IsNull(responseException);
if (waitForEventualConsistency)
{
// Wait for eventual consistency of IAM role:
Thread.Sleep(TimeSpan.FromSeconds(10));
}
return role.Arn;
}
public static void Initialize()
{
LambdaClient = new AmazonLambdaClient(TestRunner.Credentials, TestRunner.RegionEndpoint);
IAMClient = new AmazonIdentityManagementServiceClient(TestRunner.Credentials, TestRunner.RegionEndpoint);
RoleArn = UtilityMethods.CreateRoleIfNotExists(IAMClient, RoleName, UtilityMethods.LambdaAssumeRolePolicyDocument);
UtilityMethods.CreatePolicyIfNotExists(IAMClient, RolePolicyName, RolePolicyDocument, RoleName);
foreach (string[] functionInfo in FunctionNames)
{
CreateFunction(functionInfo[0], functionInfo[1], functionInfo[2]);
}
}
public async Task<Group> RetrieveGroup(
string identifier,
IAmazonIdentityManagementService proxy)
{
if (null == identifier)
{
throw new ArgumentException(AnchoringByIdentifierBehavior.ArgumentNameIdentifier);
}
if (null == proxy)
{
throw new ArgumentNullException(AnchoringByIdentifierBehavior.ArgumentNameProxy);
}
ListGroupsRequest request = new ListGroupsRequest();
request.MaxItems = AnchoringByIdentifierBehavior.SizeListPage;
while (true)
{
ListGroupsResponse response = await proxy.ListGroupsAsync(request);
if (null == response.Groups || !response.Groups.Any())
{
return null;
}
Group group =
response
.Groups
.SingleOrDefault(
(Group item) =>
string.Equals(item.GroupId, identifier, StringComparison.OrdinalIgnoreCase));
if (group != null)
{
return group;
}
if (string.IsNullOrWhiteSpace(response.Marker))
{
return null;
}
if (string.Equals(request.Marker, response.Marker, StringComparison.OrdinalIgnoreCase))
{
return null;
}
request.Marker = response.Marker;
}
}
public async Task<Group> RetrieveGroup(
string identifier,
IAmazonIdentityManagementService proxy)
{
if (null == identifier)
{
throw new ArgumentException(AnchoringByNameBehavior.ArgumentNameIdentifier);
}
if (null == proxy)
{
throw new ArgumentNullException(AnchoringByNameBehavior.ArgumentNameProxy);
}
GetGroupRequest request = new GetGroupRequest(identifier);
GetGroupResult response = await proxy.GetGroupAsync(request);
Group result = response.Group;
return result;
}
public async Task<User> RetrieveUser(
string identifier,
IAmazonIdentityManagementService proxy)
{
if (null == identifier)
{
throw new ArgumentException(AnchoringByNameBehavior.ArgumentNameIdentifier);
}
if (null == proxy)
{
throw new ArgumentNullException(AnchoringByNameBehavior.ArgumentNameProxy);
}
GetUserRequest request =
new GetUserRequest()
{
UserName = identifier
};
GetUserResult response = await proxy.GetUserAsync(request);
User result = response.User;
return result;
}
public static Role GetRoleIfExists(IAmazonIdentityManagementService iamClient, string roleName)
{
AutoResetEvent ars = new AutoResetEvent(false);
Exception responseException = new Exception();
// Get role arn if it exists.
Role iamRole = null;
iamClient.GetRoleAsync(new GetRoleRequest()
{
RoleName = roleName
}, (response) =>
{
responseException = response.Exception;
if (responseException == null)
{
iamRole = response.Response.Role;
}
ars.Set();
}, new AsyncOptions { ExecuteCallbackOnMainThread = false });
ars.WaitOne();
if (responseException == null)
{
Assert.IsNotNull(iamRole);
}
else
{
Assert.IsInstanceOf(typeof(NoSuchEntityException), responseException);
}
return iamRole;
}
internal IdentityManagementPaginatorFactory(IAmazonIdentityManagementService client)
{
this.client = client;
}
public static void CreatePolicyIfNotExists(IAmazonIdentityManagementService iamClient, string policyName, string policyDocument, string roleName)
{
if (DoesRoleHavePolicy(iamClient, policyName, roleName))
{
return;
}
AutoResetEvent ars = new AutoResetEvent(false);
Exception responseException = new Exception();
iamClient.PutRolePolicyAsync(new PutRolePolicyRequest()
{
PolicyName = policyName,
PolicyDocument = policyDocument,
RoleName = roleName
}, (response) =>
{
responseException = response.Exception;
ars.Set();
}, new AsyncOptions { ExecuteCallbackOnMainThread = false });
ars.WaitOne();
Assert.IsNull(responseException);
}
public static string CreateRole(IAmazonIdentityManagementService iamClient, string roleName, string assumeRolePolicy, params string[] managedPolicies)
{
if (managedPolicies != null && managedPolicies.Length > 0)
{
for (int i = 0; i < managedPolicies.Length; i++)
{
managedPolicies[i] = ExpandManagedPolicyName(iamClient, managedPolicies[i]);
}
}
string roleArn;
try
{
CreateRoleRequest request = new CreateRoleRequest
{
RoleName = roleName,
AssumeRolePolicyDocument = assumeRolePolicy
};
var response = iamClient.CreateRoleAsync(request).Result;
roleArn = response.Role.Arn;
}
catch (Exception e)
{
throw new ToolsException($"Error creating IAM Role: {e.Message}", ToolsException.CommonErrorCode.IAMCreateRole, e);
}
if (managedPolicies != null && managedPolicies.Length > 0)
{
try
{
foreach (var managedPolicy in managedPolicies)
{
var request = new AttachRolePolicyRequest
{
RoleName = roleName,
PolicyArn = managedPolicy
};
iamClient.AttachRolePolicyAsync(request).Wait();
}
}
catch (Exception e)
{
throw new ToolsException($"Error assigning managed IAM Policy: {e.Message}", ToolsException.CommonErrorCode.IAMAttachRole, e);
}
}
bool found = false;
do
{
// There is no way check if the role has propagated yet so to
// avoid error during deployment creation do a generous sleep.
Console.WriteLine("Waiting for new IAM Role to propagate to AWS regions");
long start = DateTime.Now.Ticks;
while (TimeSpan.FromTicks(DateTime.Now.Ticks - start).TotalSeconds < SLEEP_TIME_FOR_ROLE_PROPOGATION.TotalSeconds)
{
Thread.Sleep(TimeSpan.FromSeconds(1));
Console.Write(".");
Console.Out.Flush();
}
Console.WriteLine("\t Done");
try
{
var getResponse = iamClient.GetRoleAsync(new GetRoleRequest {
RoleName = roleName
}).Result;
if (getResponse.Role != null)
{
found = true;
}
}
catch (NoSuchEntityException)
{
}
catch (Exception e)
{
throw new ToolsException("Error confirming new role was created: " + e.Message, ToolsException.CommonErrorCode.IAMGetRole, e);
}
} while (!found);
return(roleArn);
}
public IdentityService(IAmazonIdentityManagementService iamClient, IArnParser arnParser)
{
_iamClient = iamClient;
_arnParser = arnParser;
}
private async Task<Amazon.IdentityManagement.Model.User> RetrieveUser(
string resourceIdentifier,
IAmazonIdentityManagementService proxy)
{
if (null == resourceIdentifier)
{
throw new ArgumentException(AmazonWebServicesProvider.ArgumentNameResourceIdentifier);
}
if (null == proxy)
{
throw new ArgumentNullException(AmazonWebServicesProvider.ArgumentNameProxy);
}
Amazon.IdentityManagement.Model.User result = await this.AnchoringBehavior.RetrieveUser(resourceIdentifier, proxy);
return result;
}
private async Task RemoveMember(
string groupName,
string memberIdentifier,
IAmazonIdentityManagementService proxy,
string correlationIdentifier)
{
if (string.IsNullOrWhiteSpace(groupName))
{
throw new ArgumentNullException(AmazonWebServicesProvider.ArgumentNameGroupName);
}
if (string.IsNullOrWhiteSpace(memberIdentifier))
{
throw new ArgumentNullException(AmazonWebServicesProvider.ArgumentNameMemberIdentifier);
}
if (null == proxy)
{
throw new ArgumentNullException(AmazonWebServicesProvider.ArgumentNameProxy);
}
if (string.IsNullOrWhiteSpace(correlationIdentifier))
{
throw new ArgumentNullException(AmazonWebServicesProvider.ArgumentNameCorrelationIdentifier);
}
Amazon.IdentityManagement.Model.User memberUser = await this.RetrieveUser(memberIdentifier, proxy);
if (null == memberUser)
{
string warning =
string.Format(
CultureInfo.InvariantCulture,
AmazonProvisioningAgentResources.WarningEntryNotFoundTemplate,
typeof(Amazon.IdentityManagement.Model.User).Name,
memberIdentifier);
ProvisioningAgentMonitor.Instance.Warn(warning, correlationIdentifier);
return;
}
RemoveUserFromGroupRequest request = new RemoveUserFromGroupRequest(groupName, memberUser.UserName);
await proxy.RemoveUserFromGroupAsync(request);
}
private Amazon.IdentityManagement.Model.GetServiceLastAccessedDetailsWithEntitiesResponse CallAWSServiceOperation(IAmazonIdentityManagementService client, Amazon.IdentityManagement.Model.GetServiceLastAccessedDetailsWithEntitiesRequest request)
{
Utils.Common.WriteVerboseEndpointMessage(this, client.Config, "AWS Identity and Access Management", "GetServiceLastAccessedDetailsWithEntities");
try
{
#if DESKTOP
return(client.GetServiceLastAccessedDetailsWithEntities(request));
#elif CORECLR
return(client.GetServiceLastAccessedDetailsWithEntitiesAsync(request).GetAwaiter().GetResult());
#else
#error "Unknown build edition"
#endif
}
catch (AmazonServiceException exc)
{
var webException = exc.InnerException as System.Net.WebException;
if (webException != null)
{
throw new Exception(Utils.Common.FormatNameResolutionFailureMessage(client.Config, webException.Message), webException);
}
throw;
}
}
internal ListSSHPublicKeysPaginator(IAmazonIdentityManagementService client, ListSSHPublicKeysRequest request)
{
this._client = client;
this._request = request;
}
internal SimulateCustomPolicyPaginator(IAmazonIdentityManagementService client, SimulateCustomPolicyRequest request)
{
this._client = client;
this._request = request;
}
internal ListPoliciesPaginator(IAmazonIdentityManagementService client, ListPoliciesRequest request)
{
this._client = client;
this._request = request;
}
internal ListInstanceProfilesForRolePaginator(IAmazonIdentityManagementService client, ListInstanceProfilesForRoleRequest request)
{
this._client = client;
this._request = request;
}
public static async Task <IList <InstanceProfile> > FindExistingInstanceProfilesAsync(IAmazonIdentityManagementService iamClient, int maxRoles)
{
var profiles = new List <InstanceProfile>();
ListInstanceProfilesRequest request = new ListInstanceProfilesRequest();
ListInstanceProfilesResponse response = null;
do
{
if (response != null)
{
request.Marker = response.Marker;
}
response = await iamClient.ListInstanceProfilesAsync(request).ConfigureAwait(false);
foreach (var profile in response.InstanceProfiles)
{
profiles.Add(profile);
}
} while (response.IsTruncated && profiles.Count < maxRoles);
return(profiles);
}
private async Task AddMember(
string groupName,
Member member,
IAmazonIdentityManagementService proxy,
string correlationIdentifier)
{
if (string.IsNullOrWhiteSpace(groupName))
{
throw new ArgumentNullException(AmazonWebServicesProvider.ArgumentNameGroupName);
}
if (null == member)
{
throw new ArgumentNullException(AmazonWebServicesProvider.ArgumentNameMember);
}
if (string.IsNullOrWhiteSpace(member.Value))
{
throw new ArgumentException(ProvisioningAgentResources.ExceptionInvalidMember);
}
if (null == proxy)
{
throw new ArgumentNullException(AmazonWebServicesProvider.ArgumentNameProxy);
}
if (string.IsNullOrWhiteSpace(correlationIdentifier))
{
throw new ArgumentNullException(AmazonWebServicesProvider.ArgumentNameCorrelationIdentifier);
}
await this.AddMember(groupName, member.Value, proxy, correlationIdentifier);
}
private async Task AddMembers(
string groupName,
IEnumerable<Member> members,
IAmazonIdentityManagementService proxy,
string correlationIdentifier)
{
if (string.IsNullOrWhiteSpace(groupName))
{
throw new ArgumentNullException(AmazonWebServicesProvider.ArgumentNameGroupName);
}
if (null == members)
{
throw new ArgumentNullException(AmazonWebServicesProvider.ArgumentNameMembers);
}
if (null == proxy)
{
throw new ArgumentNullException(AmazonWebServicesProvider.ArgumentNameProxy);
}
if (string.IsNullOrWhiteSpace(correlationIdentifier))
{
throw new ArgumentNullException(AmazonWebServicesProvider.ArgumentNameCorrelationIdentifier);
}
foreach (Member member in members)
{
await this.AddMember(groupName, member, proxy, correlationIdentifier);
}
}
/// <summary>
/// Default constructor. This constructor is used by Lambda to construct the instance. When invoked in a Lambda environment
/// the AWS credentials will come from the IAM role associated with the function and the AWS region will be set to the
/// region the Lambda function is executed in.
/// </summary>
public Function()
{
S3Client = new AmazonS3Client();
SnsClient = new AmazonSimpleNotificationServiceClient();
IamClient = new AmazonIdentityManagementServiceClient();
}
private async Task<Group> RetrieveGroup(
string resourceIdentifier,
IAmazonIdentityManagementService proxy)
{
if (string.IsNullOrWhiteSpace(resourceIdentifier))
{
throw new ArgumentException(AmazonWebServicesProvider.ArgumentNameResourceIdentifier);
}
if (null == proxy)
{
throw new ArgumentNullException(AmazonWebServicesProvider.ArgumentNameProxy);
}
Group result = await this.AnchoringBehavior.RetrieveGroup(resourceIdentifier, proxy);
return result;
}
protected Func <Task <Settings> > CreateSettingsInitializer(
CommandLineApplication cmd,
bool requireAwsProfile = true
)
{
CommandOption awsProfileOption = null;
CommandOption awsRegionOption = null;
// add misc options
var tierOption = cmd.Option("--tier|-T <NAME>", "(optional) Name of deployment tier (default: LAMBDASHARP_TIER environment variable)", CommandOptionType.SingleValue);
if (requireAwsProfile)
{
awsProfileOption = cmd.Option("--aws-profile|-P <NAME>", "(optional) Use a specific AWS profile from the AWS credentials file", CommandOptionType.SingleValue);
awsRegionOption = cmd.Option("--aws-region <NAME>", "(optional) Use a specific AWS region (default: read from AWS profile)", CommandOptionType.SingleValue);
}
// add hidden testing options
var awsAccountIdOption = cmd.Option("--aws-account-id <VALUE>", "(test only) Override AWS account Id (default: read from AWS profile)", CommandOptionType.SingleValue);
var awsUserArnOption = cmd.Option("--aws-user-arn <ARN>", "(test only) Override AWS user ARN (default: read from AWS profile)", CommandOptionType.SingleValue);
var toolVersionOption = cmd.Option("--cli-version <VALUE>", "(test only) LambdaSharp CLI version for profile", CommandOptionType.SingleValue);
var deploymentBucketNameOption = cmd.Option("--deployment-bucket-name <NAME>", "(test only) S3 Bucket name used to deploy modules (default: read from LambdaSharp CLI configuration)", CommandOptionType.SingleValue);
var tierVersionOption = cmd.Option("--tier-version <VERSION>", "(test only) LambdaSharp tier version (default: read from deployment tier)", CommandOptionType.SingleValue);
var promptsAsErrorsOption = cmd.Option("--prompts-as-errors", "(optional) Missing parameters cause an error instead of a prompts (use for CI/CD to avoid unattended prompts)", CommandOptionType.NoValue);
awsAccountIdOption.ShowInHelpText = false;
awsUserArnOption.ShowInHelpText = false;
toolVersionOption.ShowInHelpText = false;
deploymentBucketNameOption.ShowInHelpText = false;
tierVersionOption.ShowInHelpText = false;
return(async() => {
// check if experimental caching feature is enabled
Settings.AllowCaching = string.Equals((Environment.GetEnvironmentVariable("LAMBDASHARP_FEATURE_CACHING") ?? "false"), "true", StringComparison.OrdinalIgnoreCase);
// initialize deployment tier
string tier = tierOption.Value() ?? Environment.GetEnvironmentVariable("LAMBDASHARP_TIER") ?? "";
// initialize AWS profile
try {
AwsAccountInfo awsAccount = null;
IAmazonSimpleSystemsManagement ssmClient = null;
IAmazonCloudFormation cfnClient = null;
IAmazonKeyManagementService kmsClient = null;
IAmazonS3 s3Client = null;
IAmazonAPIGateway apiGatewayClient = null;
IAmazonIdentityManagementService iamClient = null;
IAmazonLambda lambdaClient = null;
if (requireAwsProfile)
{
awsAccount = await InitializeAwsProfile(
awsProfileOption.Value(),
awsAccountIdOption.Value(),
awsRegionOption.Value(),
awsUserArnOption.Value()
);
if (awsAccount == null)
{
return null;
}
// create AWS clients
ssmClient = new AmazonSimpleSystemsManagementClient(AWSConfigs.RegionEndpoint);
cfnClient = new AmazonCloudFormationClient(AWSConfigs.RegionEndpoint);
kmsClient = new AmazonKeyManagementServiceClient(AWSConfigs.RegionEndpoint);
s3Client = new AmazonS3Client(AWSConfigs.RegionEndpoint);
apiGatewayClient = new AmazonAPIGatewayClient(AWSConfigs.RegionEndpoint);
iamClient = new AmazonIdentityManagementServiceClient(AWSConfigs.RegionEndpoint);
lambdaClient = new AmazonLambdaClient(AWSConfigs.RegionEndpoint);
}
if (HasErrors)
{
return null;
}
// initialize LambdaSharp deployment values
var tierVersion = tierVersionOption.Value();
var deploymentBucketName = deploymentBucketNameOption.Value();
// initialize LambdaSharp testing values
VersionInfo toolVersion = null;
if (toolVersionOption.HasValue())
{
toolVersion = VersionInfo.Parse(toolVersionOption.Value());
}
// create a settings instance for each module filename
return new Settings(toolVersion ?? Version)
{
TierVersion = (tierVersion != null) ? VersionInfo.Parse(tierVersion) : null,
Tier = tier,
AwsRegion = awsAccount?.Region,
AwsAccountId = awsAccount?.AccountId,
AwsUserArn = awsAccount?.UserArn,
DeploymentBucketName = deploymentBucketName,
SsmClient = ssmClient,
CfnClient = cfnClient,
KmsClient = kmsClient,
S3Client = s3Client,
ApiGatewayClient = apiGatewayClient,
IamClient = iamClient,
LambdaClient = lambdaClient,
PromptsAsErrors = promptsAsErrorsOption.HasValue()
};
} catch (AmazonClientException e) when(e.Message == "No RegionEndpoint or ServiceURL configured")
{
LogError("AWS profile is missing a region specifier");
return null;
}
});
}
public static void ClassInitialize(TestContext testContext)
{
lambdaClient = new AmazonLambdaClient();
iamClient = new AmazonIdentityManagementServiceClient();
}
public static bool DoesRoleHavePolicy(IAmazonIdentityManagementService iamClient, string policyName, string roleName)
{
AutoResetEvent ars = new AutoResetEvent(false);
Exception responseException = new Exception();
List<string> policyNames = null;
iamClient.ListRolePoliciesAsync(new ListRolePoliciesRequest()
{
RoleName = roleName,
}, (response) =>
{
responseException = response.Exception;
if (responseException == null)
{
policyNames = response.Response.PolicyNames;
}
ars.Set();
}, new AsyncOptions { ExecuteCallbackOnMainThread = false });
ars.WaitOne();
Assert.IsNull(responseException);
Assert.IsNotNull(policyNames);
return policyNames.Contains(policyName);
}
public static void ClassInitialize(TestContext testContext)
{
iamClient = new AmazonIdentityManagementServiceClient();
s3Client = new AmazonS3Client();
}
public ExcelUploadService(IAmazonS3 s3Client, IAmazonDynamoDB dynamoDbClient, ILogger <ExcelUploadService> logger, IAmazonIdentityManagementService iamService)
{
S3Client = s3Client;
DynamoDbClient = dynamoDbClient;
IAMService = iamService;
Logger = logger;
}
