package App::FargateStack::Builder::IAM;
use strict;
use warnings;
use Carp;
use Data::Dumper;
use Data::Compare;
use English qw(-no_match_vars);
use App::FargateStack::Constants;
use App::FargateStack::Builder::Utils qw(choose log_die);
use Text::Diff;
use JSON;
use Role::Tiny;
########################################################################
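sub build_iam_role {
    ####################################################################
    # Provision the two IAM roles a Fargate service needs and attach a
    # policy to each, recording what was created in the config:
    #
    #   $config->{role}       created by create_fargate_role(),
    #                         policy handled by create_policy($iam, 'ecs')
    #   $config->{task_role}  created by create_fargate_task_role(),
    #                         policy handled by create_policy($iam, 'task')
    #
    # Keeping the two roles separate is the least-privilege boundary of
    # the stack: the 'ecs' role is the one the service itself runs under
    # (presumably the task execution role -- confirm against
    # create_fargate_role), while the 'task' role is the one code inside
    # the container can use, so application permissions do not end up on
    # the infrastructure role.
    #
    # Side effects: $config->{role} and $config->{task_role} are created
    # if the config omitted them and get name / arn / policy_name filled
    # in for later builders.  An explicit policy_name in either section
    # is honoured; otherwise a default is derived via
    # create_default('policy-name', 'ecs' | 'task').
    #
    # Returns nothing.
    ####################################################################
    my ($self) = @_;

    # tasks and dryrun used to be fetched here too but were never read,
    # so only the config is requested now.
    my ($config) = $self->common_args(qw(config));
    my $iam      = $self->fetch_iam;

    ####################################################################
    # ecs role
    ####################################################################
    my $role = $config->{role} //= {};    # make sure the section exists in config
    $self->log_trace( sub { return Dumper( [ role => $role ] ) } );

    my ( $role_name, $role_arn ) = $self->create_fargate_role();
    my $policy_name = $role->{policy_name} // $self->create_default( 'policy-name', 'ecs' );

    @{$role}{qw(name arn policy_name)} = ( $role_name, $role_arn, $policy_name );

    # create_policy() works out whether the policy must be created,
    # updated or left alone
    $self->create_policy( $iam, 'ecs' );

    ####################################################################
    # task role
    ####################################################################
    my $task_role = $config->{task_role} //= {};
    $self->log_trace( sub { return Dumper( [ task_role => $task_role ] ) } );

    my ( $task_role_name, $task_role_arn ) = $self->create_fargate_task_role();
    my $task_policy_name = $task_role->{policy_name} // $self->create_default( 'policy-name', 'task' );

    @{$task_role}{qw(name arn policy_name)} = ( $task_role_name, $task_role_arn, $task_policy_name );

    $self->create_policy( $iam, 'task' );

    return;
}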
########################################################################
sub create_policy {
########################################################################
my ( $self, $iam, $type ) = @_;
my ( $config, $dryrun ) = $self->common_args(qw(config dryrun));
my $role = $type eq 'ecs' ? $config->{role} : $config->{task_role};
my ( $policy_name, $role_name ) = @{$role}{qw(policy_name name)};
######################################################################
# create policy - see if policy needs to be created or updated
######################################################################
# if we turned caching off OR we don't have an ARN yet, check to see
# if the policy exists
my $policy = $iam->get_role_policy( $role_name, $policy_name );
$iam->check_result(
message => 'ERROR: could not get role policy: [%s] for role [%s]',
params => [ $policy_name, $role_name ],
regexp => qr/cannot\sbe\sfound/xsmi
);
$self->log_trace(
sub {
return Dumper(
[ policy => $policy,
role => $role
]
);
}
);
my $role_policy = choose {
return $self->create_fargate_policy
if $type eq 'ecs';
return $self->create_fargate_task_policy;
};
if ( !$role_policy ) {
$self->log_info( 'iam: policy: [%s] ... not required...skipping', $policy_name );
return;
}
my $policy_exists = $FALSE;
if ($policy) {
$policy_exists = Compare( $policy, $role_policy ) ? 1 : -1;
}
$self->log_trace(
sub {
return Dumper(
[ existing_policy => $policy,
new_policy => $role_policy,
role => $role,
policy_exists => $policy_exists,
]
);
}
);
if ( $policy_exists && $policy_exists != -1 ) {
$self->log_info( 'iam: policy: [%s] exists...%s', $policy_name, 'skipping' );
$self->inc_existing_resources( 'iam:role-policy' => [$policy_name] );
return;
}
elsif ( $policy_exists == -1 ) {
my $title = sprintf 'iam: role policy [%s] differs', $policy_name;