AWS Cloud Provider for Idem
Project description
AWS Cloud Provider for Idem.
About
idem-aws helps manage AWS with idem.
What is POP?
This project is built with pop, a Python-based implementation of Plugin Oriented Programming (POP). POP seeks to bring together concepts and wisdom from the history of computing in new ways to solve modern computing problems.
For more information:
What is Idem?
This project is built with idem, an idempotent, imperatively executed, declarative programming language written in Python. This project extends idem!
For more information:
Getting Started
Prerequisites
Python 3.8+
git (if installing from source, or contributing to the project)
Idem
Installation
You can install idem-aws from PyPI, a source repository, or a local directory.
Before you install idem-aws, ensure that you are in the same directory as your pyproject.toml file. Optionally, you can specify the directory containing your pyproject.toml file by using the --directory=DIRECTORY (-C) option.
Install from PyPI
To install idem-aws from PyPI, run the following command:
poetry add idem-aws
Install from source
You can also install idem-aws directly from the source repository:
poetry add git+https://gitlab.com/vmware/idem/idem-aws.git
If you don’t specify a branch, Poetry uses the latest commit on the master branch.
Install from a local directory
Clone the idem-aws repository. Then run the following command to install from the cloned directory:
poetry add ~/path/to/idem-aws
Setup
After installation the AWS Idem Provider execution and state modules will be accessible to the pop hub. In order to use them we need to set up our credentials.
Create a new file called credentials.yaml and populate it with credentials. If you are using localstack, then the id and key can be bogus values. The default profile will be picked up automatically by idem.
There are many ways aws providers/profiles can be stored. See acct backends for more information.
There are multiple authentication backends for idem-aws which each have their own unique set of parameters. The following examples show some of the parameters that can be used in these backends to define profiles. All backends end up creating a boto3 session under the hood and storing it in the ctx variable that gets passed to all idem exec and state functions.
All authentication backends support two optional parameters, endpoint_url and provider_tag_key. The endpoint url is used to specify an alternate destination for boto3 calls, such as a localstack server or custom dynamodb server. The provider_tag_key is used when creating new resources. idem-aws will only interact with resources that are tagged with the the customizable provider_tag_key key.
credentials.yaml:
aws:
default:
endpoint_url: http://localhost:4566
use_ssl: False
aws_access_key_id: localstack
aws_secret_access_key: _
region_name: us-west-1
You can also use aws_session_token with Idem for temporary security credentials
aws:
default:
endpoint_url: http://localhost:4566
use_ssl: False
aws_access_key_id: localstack
aws_secret_access_key: _
region_name: us-west-1
aws_session_token: my_token
Additionally, you can use AWS AssumeRole with Idem
aws:
default:
endpoint_url: http://localhost:4566
use_ssl: False
aws_access_key_id: localstack
aws_secret_access_key: _
region_name: us-west-1
assume_role:
role_arn: arn:aws:iam::999999999999999:role/xacct/developer
role_session_name: IdemSessionName
If region_name is unspecified in the acct profile, it can come from acct.extras in the idem config file:
# idem.cfg
acct:
extras:
aws:
region_name: us-west-1
You can also authenticate with aws-google-auth if it is installed.
aws.gsuite:
my-staging-env:
username: user@gmail.com
password: this_is_available_but_avoid_it
role_arn: arn:aws:iam::999999999999999:role/xacct/developer
idp_id: 9999999
sp_id: 999999999999
region: us-east-1
duration: 36000
account: developer
The google profile example is not named default. To use it, it will need to be specified explicitly in an idem state.
ensure_resource_exists:
aws.ec2.vpc.present:
- acct_profile: my-staging-env
- name: idem_aws_vpc
- cidr_block: 10.0.0.0/24
It can also be specified from the command line when executing states.
idem state --acct-profile my-staging-env my_state.sls
It can also be specified from the command line when calling an exec module directly.
idem exec --acct-profile my-staging-env boto3.client.ec2.describe_vpcs
The last step to get up and running is to encrypt the credentials file and add the encryption key and encrypted file path to the ENVIRONMENT.
The acct command should be available as acct is a requisite of idem and idem-aws. Encrypt the the credential file.
acct encrypt credentials.yaml
output:
-A9ZkiCSOjWYG_lbGmmkVh4jKLFDyOFH4e4S1HNtNwI=
Add these to your environment:
export ACCT_KEY="-A9ZkiCSOjWYG_lbGmmkVh4jKLFDyOFH4e4S1HNtNwI="
export ACCT_FILE=$PWD/credentials.yaml.fernet
If no acct_file is supplied, then the default awscli credentials that are picked-up by botocore will be used. Missing cli options will be filled in by botocore from awscli config. The order of config priority is:
acct profile
idem config file
awscli config
You are ready to use idem-aws!
Execution Modules
Once everything has been set up properly, execution modules can be called directly by idem. Execution modules mirror the namespacing of the boto3.client and boto3.resource modules and have the same parameters.
For example, this is how you could list Vpcs from the command line with idem:
idem exec boto3.client.ec2.describe_vpcs
You can specify parameters as well. In the case of boto3 resources, args will be passed to the resource constructor and kwargs will be passed to the operation like so:
idem exec boto3.resource.ec2.Vpc.create_subnet vpc-71d00419 CidrBlock="10.0.0.0/24"
States
States are also accessed by their relative location in idem-aws/idem_aws/states. For example, idem-aws/idem_aws/states/aws/ec2/vpc.py contains a function absent(). In my state file I can create a state that uses the absent function like so.
my_state.sls:
idem_aws_test_vpc:
aws.ec2.vpc.absent:
- name: "idem_aws_test_vpc"
This state can be executed with:
idem state my_state.sls
idem state also has some flags that can significantly boost the scalability and performance of the run. Let’s use this new state which verifies that 100 vpcs are absent:
{% for i in range(100) %}
idem_aws_test_vpc_{{i}}:
aws.ec2.vpc.absent:
- name: "idem_aws_test_vpc_{{i}}"
{% endfor -%}
State can be executed with --runtime parallel to make full use of idem’s async execution calls:
idem state --runtime parallel my_state.sls
Remote storage for enforced state management
Idem-aws supports remote storage for Idem’s enforced state management feature. That is, Idem can store esm data on AWS S3 bucket. DynamoDB will be used as a file lock to prevent multiple users/processes access the same storage file concurrently. To use remote storage, the esm profile need to be added to the credential profile like the following:
aws:
default:
use_ssl: True
aws_access_key_id: AAAAAAAAA5CDFSDER3UQ
aws_secret_access_key: eHjPASFWERSFwVXKlsdfS4afD
region_name: eu-west-2
esm:
bucket: "idem-state-storage-bucket"
dynamodb_table: "idem-state-storage-table"
key: "/idem-state/demo-storage.json"
This esm file means that Idem will use AWS S3 bucket “idem-state-storage-bucket” and DynamoDB table “idem-state-storage-table” in region eu-west-2. The “key” is the file path to which the esm data will be read and stored. Both S3 bucket and DynamoDB table need to be created before using the feature. The DynamoDB table should have the primary key as string “LockID” and nothing else.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file idem-aws-6.2.1.tar.gz
.
File metadata
- Download URL: idem-aws-6.2.1.tar.gz
- Upload date:
- Size: 818.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.8.0 pkginfo/1.9.6 readme-renderer/41.0 requests/2.31.0 requests-toolbelt/1.0.0 urllib3/2.0.5 tqdm/4.66.1 importlib-metadata/6.8.0 keyring/24.2.0 rfc3986/2.0.0 colorama/0.4.6 CPython/3.9.18
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 93dd08ecd0d48f5c16a8dfc5939e980a3f2aec1f9b747a548f7171a604493ef4 |
|
MD5 | 153c47fa649a5bdd319e0f8575c71ee0 |
|
BLAKE2b-256 | 9eec0e1a3b1641f5c1a0c7efc87beb782861798ccd2ef670abac39cb3fc9232b |
File details
Details for the file idem_aws-6.2.1-py3-none-any.whl
.
File metadata
- Download URL: idem_aws-6.2.1-py3-none-any.whl
- Upload date:
- Size: 1.2 MB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.8.0 pkginfo/1.9.6 readme-renderer/41.0 requests/2.31.0 requests-toolbelt/1.0.0 urllib3/2.0.5 tqdm/4.66.1 importlib-metadata/6.8.0 keyring/24.2.0 rfc3986/2.0.0 colorama/0.4.6 CPython/3.9.18
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 4965ed3f7195b937fd8782c52c83075b2bec7d090c51550a536065bf02c0eed5 |
|
MD5 | fab38ede21734b7f1a323830b0384896 |
|
BLAKE2b-256 | 4302b69ce838e2118970d6089f7f22c6a88e761ea787d442343d9b8b4609547d |