Resource tagging in the registry-creds up command #718

Merged: 2 commits into aws:tagging from tag-regcreds, Mar 1, 2019

Conversation

PettitWesley
Contributor

Description of changes:
Tag SM secrets and new IAM roles. (IAM is not supported by the standalone resource tagging API, so tagging can only be supported during role creation).

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@PettitWesley
Contributor Author

Testing:

$ ecs-cli registry-creds up reg-creds.yml --role-name cat-role2 --tags impala=tame,parker=kevin
INFO[0000] Processing credentials for registry my-registry.example.com...
INFO[0000] Existing credential secret found, using arn:aws:secretsmanager:us-west-2:144718711470:secret:amazon-ecs-cli-setup-my-registry.example.com-VUHL4v
INFO[0000] Creating resources for task execution role cat-role2...
INFO[0000] Created new task execution role arn:aws:iam::144718711470:role/cat-role2
INFO[0000] Created new task execution role policy arn:aws:iam::144718711470:policy/amazon-ecs-cli-setup-cat-role2-policy-20190129T005157Z
INFO[0000] Attached AWS managed policy arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy to role cat-role2
INFO[0000] Attached new policy arn:aws:iam::144718711470:policy/amazon-ecs-cli-setup-cat-role2-policy-20190129T005157Z to role cat-role2
INFO[0001] Writing registry credential output to new file /Users/wppttt/stuffnthings/bugbash/compose3/ecs-registry-creds_20190129T005157Z.yml
INFO[0001]
If your input file contains sensitive information, make sure that you delete it after use.
$ aws resourcegroupstaggingapi get-resources --tag-filters Key=impala,Values=tame --region us-west-2
{
    "ResourceTagMappingList": [
        {
            "ResourceARN": "arn:aws:secretsmanager:us-west-2:144718711470:secret:amazon-ecs-cli-setup-my-registry.example.com-VUHL4v",
            "Tags": [
                {
                    "Key": "impala",
                    "Value": "tame"
                },
                {
                    "Key": "parker",
                    "Value": "kevin"
                }
            ]
        }
    ]
}
$ aws iam list-role-tags --role-name cat-role2
{
    "Tags": [
        {
            "Key": "impala",
            "Value": "tame"
        },
        {
            "Key": "parker",
            "Value": "kevin"
        }
    ],
    "IsTruncated": false
}

@PettitWesley PettitWesley changed the base branch from dev to tagging January 29, 2019 23:32
Contributor

@allisaurus allisaurus left a comment

Can you add test output that shows existing secrets getting new tags after running the cmd with --update-existing-secrets ?

ecs-cli/modules/cli/regcreds/regcreds_app.go
for key, value := range tags {
iamTags = append(iamTags, &iam.Tag{
Key: aws.String(key),
Value: value,
Contributor

Is it valid to have a nil value for a tag? If so, can we add a case for it to TestCreateTaskExecutionRoleWithTags ?

Contributor Author

Docs say it's a required field: https://docs.aws.amazon.com/sdk-for-go/api/service/iam/#Tag

You can pass an empty string though, which my code handles correctly:

$ ecs-cli registry-creds up --role-name catsss --tags cat=,meow= reg-creds.yml
INFO[0000] Processing credentials for registry my-registry.example.com...
INFO[0000] Existing credential secret found, using arn:aws:secretsmanager:us-west-1:REDACTED:secret:amazon-ecs-cli-setup-my-registry.example.com-TIxAwp
INFO[0000] Creating resources for task execution role catsss...
INFO[0000] Created new task execution role arn:aws:iam::REDACTED:role/catsss
INFO[0000] Created new task execution role policy arn:aws:iam::REDACTED:policy/amazon-ecs-cli-setup-catsss-policy-20190213T184615Z
INFO[0001] Attached AWS managed policy arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy to role catsss
INFO[0001] Attached new policy arn:aws:iam::REDACTED:policy/amazon-ecs-cli-setup-catsss-policy-20190213T184615Z to role catsss
INFO[0001] Writing registry credential output to new file stuffnthings/bugbash/compose3/ecs-registry-creds_20190213T184615Z.yml
INFO[0001]
If your input file contains sensitive information, make sure that you delete it after use.

(I checked that the tags had been set in the Console)

Contributor

Do we want to log info about what tags are being applied to what resources?

@PettitWesley
Contributor Author

@allisaurus

$ ecs-cli registry-creds up reg-creds.yml --role-name cat-role2 --update-existing-secrets --tags InnerSpeaker=favoritealbum --region us-west-2
INFO[0000] Processing credentials for registry my-registry.example.com...
INFO[0000] Existing credential secret found, using arn:aws:secretsmanager:us-west-2:144718711470:secret:amazon-ecs-cli-setup-my-registry.example.com-VUHL4v
INFO[0000] Creating resources for task execution role cat-role2...
INFO[0000] Using existing role cat-role2
INFO[0000] Created new task execution role policy arn:aws:iam::144718711470:policy/amazon-ecs-cli-setup-cat-role2-policy-20190205T025752Z
INFO[0000] Attached AWS managed policy arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy to role cat-role2
INFO[0000] Attached new policy arn:aws:iam::144718711470:policy/amazon-ecs-cli-setup-cat-role2-policy-20190205T025752Z to role cat-role2
INFO[0001] Writing registry credential output to new file /Users/wppttt/stuffnthings/bugbash/compose3/ecs-registry-creds_20190205T025752Z.yml
INFO[0001]
If your input file contains sensitive information, make sure that you delete it after use.

New and old tags are present on the secret:

$ aws resourcegroupstaggingapi get-resources --tag-filters Key=InnerSpeaker,Values=favoritealbum --region us-west-2
{
    "ResourceTagMappingList": [
        {
            "ResourceARN": "arn:aws:secretsmanager:us-west-2:144718711470:secret:amazon-ecs-cli-setup-my-registry.example.com-VUHL4v",
            "Tags": [
                {
                    "Key": "InnerSpeaker",
                    "Value": "favoritealbum"
                },
                {
                    "Key": "impala",
                    "Value": "tame"
                },
                {
                    "Key": "parker",
                    "Value": "kevin"
                }
            ]
        }
    ]
}

"github.com/aws/amazon-ecs-cli/ecs-cli/modules/utils/regcredio"
"github.com/aws/aws-sdk-go/aws"
taggngSDK "github.com/aws/aws-sdk-go/service/resourcegroupstaggingapi"
Contributor

nit: should be taggingSDK

}

for resource, info := range output.FailedResourcesMap {
return fmt.Errorf("Failed to tag resource %s; error=%s", resource, *info.ErrorMessage)
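Review bot: `*info.ErrorMessage` in this loop dereferences an SDK pointer field without a nil check, so a FailureInfo entry that carries no message would panic instead of producing an error. Use `aws.StringValue(info.ErrorMessage)` (which yields "" for nil) and consider including `info.ErrorCode` in the message as well. Returning on the first iteration also reports only one of possibly several failed resources; collecting every entry of FailedResourcesMap into a single error would give the user the complete picture of what was left untagged.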
Contributor

can we add a test for this error case (FailedResourceMap != nil) and the API error return (line 342)?
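As an added example (not code from this PR or the amazon-ecs-cli project), the following Go program shows the two behaviours discussed in this thread: how `--tags key=value,key=` input becomes IAM-style tags in which Value is always a non-nil pointer (an empty string is accepted, a nil value is never produced, matching the `cat=,meow=` run above), and how a TagResources FailedResourcesMap can be folded into one error that names every failed resource without dereferencing a nil ErrorMessage. The Tag and FailureInfo types are local stand-ins for the SDK's iam.Tag and resourcegroupstaggingapi.FailureInfo so the example builds without the AWS SDK; parseTagsFlag, toTags and failedResourcesError are hypothetical names, not the project's functions, and all inputs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Tag mirrors the shape of the SDK's iam.Tag: both fields are *string and,
// per the IAM API reference cited in the thread, Value is required.
// Stand-in type (assumption) so the example builds without the AWS SDK.
type Tag struct {
	Key   *string
	Value *string
}

// FailureInfo mirrors resourcegroupstaggingapi.FailureInfo; ErrorMessage is
// a pointer that may be nil. Stand-in type for the same reason as above.
type FailureInfo struct {
	ErrorCode    *string
	ErrorMessage *string
}

// parseTagsFlag turns the "--tags k1=v1,k2=" flag form used in the PR's test
// runs into a map. A pair without "=" or with an empty key is rejected;
// an empty value (cat=) is accepted.
func parseTagsFlag(raw string) (map[string]string, error) {
	tags := map[string]string{}
	if strings.TrimSpace(raw) == "" {
		return tags, nil
	}
	for _, pair := range strings.Split(raw, ",") {
		kv := strings.SplitN(pair, "=", 2)
		if len(kv) != 2 || kv[0] == "" {
			return nil, fmt.Errorf("invalid tag %q: expected key=value", pair)
		}
		if _, dup := tags[kv[0]]; dup {
			return nil, fmt.Errorf("duplicate tag key %q", kv[0])
		}
		tags[kv[0]] = kv[1]
	}
	return tags, nil
}

// toTags converts the map into SDK-style pointer tags, sorted by key so the
// request body is deterministic. Value is never nil: an empty string becomes
// a pointer to "", which satisfies the required-field rule.
func toTags(tags map[string]string) []*Tag {
	keys := make([]string, 0, len(tags))
	for k := range tags {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	out := make([]*Tag, 0, len(keys))
	for _, k := range keys {
		key, value := k, tags[k] // fresh variables per iteration, safe to take addresses
		out = append(out, &Tag{Key: &key, Value: &value})
	}
	return out
}

// failedResourcesError folds a TagResources FailedResourcesMap into a single
// error naming every resource that could not be tagged, dereferencing the
// pointer fields safely. It returns nil when nothing failed.
func failedResourcesError(failed map[string]*FailureInfo) error {
	if len(failed) == 0 {
		return nil
	}
	arns := make([]string, 0, len(failed))
	for arn := range failed {
		arns = append(arns, arn)
	}
	sort.Strings(arns)
	parts := make([]string, 0, len(arns))
	for _, arn := range arns {
		msg := "<no error message>"
		if info := failed[arn]; info != nil && info.ErrorMessage != nil {
			msg = *info.ErrorMessage
		}
		parts = append(parts, arn+": "+msg)
	}
	return errors.New("failed to tag resources: " + strings.Join(parts, "; "))
}

func main() {
	// Constructed inputs, taken from the flag values in the PR's test runs.
	for _, raw := range []string{"impala=tame,parker=kevin", "cat=,meow=", "novalue"} {
		m, err := parseTagsFlag(raw)
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		for _, tag := range toTags(m) {
			fmt.Printf("tag key=%q value=%q\n", *tag.Key, *tag.Value)
		}
	}
	// Constructed failure map: one entry with a message, one with none.
	msg := "AccessDeniedException"
	fmt.Println(failedResourcesError(map[string]*FailureInfo{
		"arn:aws:secretsmanager:us-west-2:123456789012:secret:example": {ErrorMessage: &msg},
		"arn:aws:iam::123456789012:role/example":                       nil,
	}))
}
```

The parser is strict on purpose: a pair with no `=` is an error rather than a tag with an empty value, so a typo in the flag cannot silently create a tag the user did not intend. Sorting keys before building the request keeps the API call deterministic, which makes unit tests of the request body straightforward.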

@@ -65,5 +65,9 @@ func regcredsUpFlags() []cli.Flag {
Name: flags.OutputDirFlag,
Usage: "[Optional] The directory where the output file should be created. If none specified, file will be created in the current working directory.",
},
cli.StringFlag{
Name: flags.ResourceTagsFlag,
Usage: "[Optional] Add AWS Resource tags to the Secrets Manager secrets and IAM Role. Note that tags can only be added to the IAM role at time of creation.",
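Review bot: the Usage text for flags.ResourceTagsFlag does not state the value format the flag expects. The testing output in this PR passes `--tags impala=tame,parker=kevin` and `--tags cat=,meow=`, so the help text should say that the flag takes a comma-separated list of key=value pairs and that an empty value is allowed; without that, users have no way to discover the syntax from `--help`.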
Contributor

Suggested edit for conciseness + consistency w/ other flags:
"The AWS Resource tags to add to the Secrets Manager secrets and new IAM Role. Existing IAM Roles cannot be tagged."

createRoleRequest := iam.CreateRoleInput{
AssumeRolePolicyDocument: aws.String(assumeRolePolicyDoc),
Description: aws.String(roleDescription),
RoleName: aws.String(roleName),
}
if len(tags) > 0 {
createRoleRequest.Tags = tags
}
roleResult, err := c.CreateRole(createRoleRequest)
// if err is b/c role already exists, OK to continue
if err != nil && !utils.EntityAlreadyExists(err) {
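Review bot: when CreateRole returns EntityAlreadyExists and len(tags) > 0, the requested tags are silently not applied; the `--update-existing-secrets` run above logs only "Using existing role cat-role2" with no indication that the role was left untagged. Since the flag usage says tags are added to the IAM role only at creation, consider logging a warning in the EntityAlreadyExists branch when tags were supplied, so the user knows the role's tags were not changed.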
Contributor

What happens if we try to apply tags to an existing role? Does it return a distinct error or succeed? If the former, wondering if we should be checking for a specific error here & allowing it to succeed (like with EntityAlreadyExists) or let it fail.

Contributor Author

Adding here what we discussed: trying to re-create an existing role but with tags will still fail with an EntityAlreadyExists error.

Contributor

I'm happy to go along with what @allisaurus agrees with but curious why this is the correct behavior?

Contributor

As per offline discussion, I understand now that this is strictly on creation of a new role, so this seems fine.

@allisaurus
Contributor

LGTM! Though do consider the suggested flag text change.

Contributor

@SoManyHs SoManyHs left a comment

A few questions just for my own clarification but otherwise LGTM


@PettitWesley PettitWesley merged commit 0f138cc into aws:tagging Mar 1, 2019
@PettitWesley PettitWesley deleted the tag-regcreds branch March 1, 2019 00:00