This repository has been archived by the owner on Mar 4, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 11
/
requires.py
301 lines (254 loc) · 9.9 KB
/
requires.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
"""
This is the requires side of the interface layer, for use in charms that
wish to request integration with AWS native features. The integration will
be provided by the AWS integration charm, which allows the requiring charm
to not require cloud credentials itself and not have a lot of AWS specific
API code.
The flags that are set by the requires side of this interface are:
* **`endpoint.{endpoint_name}.joined`** This flag is set when the relation
has been joined, and the charm should then use the methods documented below
to request specific AWS features. This flag is automatically removed if
the relation is broken. It should not be removed by the charm.
* **`endpoint.{endpoint_name}.ready`** This flag is set once the requested
features have been enabled for the AWS instance on which the charm is
running. This flag is automatically removed if new integration features
are requested. It should not be removed by the charm.
"""
import json
import string
from hashlib import sha256
from urllib.parse import urljoin
from urllib.request import urlopen, Request
from charmhelpers.core import unitdata
from charms.reactive import Endpoint
from charms.reactive import when, when_not
from charms.reactive import clear_flag, toggle_flag
# block size to read data from AWS metadata service
# (realistically, just needs to be bigger than ~20 chars)
READ_BLOCK_SIZE = 2048
class AWSIntegrationRequires(Endpoint):
"""
Example usage:
```python
from charms.reactive import when, endpoint_from_flag
@when('endpoint.aws.joined')
def request_aws_integration():
aws = endpoint_from_flag('endpoint.aws.joined')
aws.request_instance_tags({
'tag1': 'value1',
'tag2': None,
})
aws.request_load_balancer_management()
# ...
@when('endpoint.aws.ready')
def aws_integration_ready():
update_config_enable_aws()
```
"""
# the IP is the AWS metadata service, documented here:
# https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
_metadatav2_token_url = "http://169.254.169.254/latest/api/token"
_metadata_url = "http://169.254.169.254/latest/meta-data/"
_instance_id_url = urljoin(_metadata_url, "instance-id")
_az_url = urljoin(_metadata_url, "placement/availability-zone")
def __init__(self, *args, **kwargs):
super().__init__(*args, **kwargs)
self._instance_id = None
self._region = None
@property
def _received(self):
"""
Helper to streamline access to received data since we expect to only
ever be connected to a single AWS integration application with a
single unit.
"""
return self.relations[0].joined_units.received
@property
def _to_publish(self):
"""
Helper to streamline access to received data since we expect to only
ever be connected to a single AWS integration application with a
single unit.
"""
return self.relations[0].to_publish
@when("endpoint.{endpoint_name}.joined")
def send_instance_info(self):
self._to_publish["instance-id"] = self.instance_id
self._to_publish["region"] = self.region
@when("endpoint.{endpoint_name}.changed")
def check_ready(self):
completed = self._received.get("completed", {})
actual_hash = completed.get(self.instance_id)
# My middle name is ready. No, that doesn't sound right.
# I eat ready for breakfast.
toggle_flag(
self.expand_name("ready"),
self._requested and actual_hash == self._expected_hash,
)
clear_flag(self.expand_name("changed"))
@when_not("endpoint.{endpoint_name}.joined")
def remove_ready(self):
clear_flag(self.expand_name("ready"))
@property
def instance_id(self):
"""
This unit's instance-id.
"""
if self._instance_id is None:
cache_key = self.expand_name("instance-id")
cached = unitdata.kv().get(cache_key)
if cached:
self._instance_id = cached
else:
req = self._imdv2_request(self._instance_id_url)
with urlopen(req) as fd:
self._instance_id = fd.read(READ_BLOCK_SIZE).decode("utf8")
unitdata.kv().set(cache_key, self._instance_id)
return self._instance_id
def _imdv2_request(self, url):
token_req = Request(
self._metadatav2_token_url,
headers={"X-aws-ec2-metadata-token-ttl-seconds": "21600"},
)
setattr(token_req, "method", "PUT")
with urlopen(token_req) as fd:
token = fd.read(READ_BLOCK_SIZE).decode("utf8")
return Request(url, headers={"X-aws-ec2-metadata-token": token})
@property
def region(self):
"""
The region this unit is in.
"""
if self._region is None:
cache_key = self.expand_name("region")
cached = unitdata.kv().get(cache_key)
if cached:
self._region = cached
else:
req = self._imdv2_request(self._az_url)
with urlopen(req) as fd:
az = fd.read(READ_BLOCK_SIZE).decode("utf8")
self._region = az.rstrip(string.ascii_lowercase)
unitdata.kv().set(cache_key, self._region)
return self._region
@property
def _expected_hash(self):
return sha256(
json.dumps(dict(self._to_publish), sort_keys=True).encode("utf8")
).hexdigest()
@property
def _requested(self):
# whether or not a request has been issued
return self._to_publish["requested"]
def _request(self, keyvals):
self._to_publish.update(keyvals)
self._to_publish["requested"] = True
clear_flag(self.expand_name("ready"))
def tag_instance(self, tags):
"""
Request that the given tags be applied to this instance.
# Parameters
`tags` (dict): Mapping of tag names to values (or `None`).
"""
self._request({"instance-tags": dict(tags)})
def tag_instance_security_group(self, tags):
"""
Request that the given tags be applied to this instance's
machine-specific security group (firewall) created by Juju.
# Parameters
`tags` (dict): Mapping of tag names to values (or `None`).
"""
self._request({"instance-security-group-tags": dict(tags)})
def tag_instance_subnet(self, tags):
"""
Request that the given tags be applied to this instance's subnet.
# Parameters
`tags` (dict): Mapping of tag names to values (or `None`).
"""
self._request({"instance-subnet-tags": dict(tags)})
def enable_acm_readonly(self):
"""
Request readonly for ACM.
"""
self._request({"enable-acm-readonly": True})
def enable_acm_fullaccess(self):
"""
Request fullaccess for ACM.
"""
self._request({"enable-acm-fullaccess": True})
def enable_autoscaling_readonly(self):
"""
Request readonly access for autoscaling.
"""
self._request({"enable-autoscaling-readonly": True})
def enable_instance_inspection(self):
"""
Request the ability to inspect instances.
"""
self._request({"enable-instance-inspection": True})
def enable_instance_modification(self):
"""
Request the ability to modify instances.
"""
self._request({"enable-instance-modification": True})
def enable_network_management(self):
"""
Request the ability to manage networking (firewalls, subnets, etc).
"""
self._request({"enable-network-management": True})
def enable_load_balancer_management(self):
"""
Request the ability to manage load balancers.
"""
self._request({"enable-load-balancer-management": True})
def enable_block_storage_management(self):
"""
Request the ability to manage block storage.
"""
self._request({"enable-block-storage-management": True})
def enable_dns_management(self):
"""
Request the ability to manage DNS.
"""
self._request({"enable-dns-management": True})
def enable_region_readonly(self):
"""
Request the ability to read region features.
"""
self._request({"enable-region-readonly": True})
def enable_object_storage_access(self, patterns=None):
"""
Request the ability to access object storage.
# Parameters
`patterns` (list): If given, restrict access to the resources matching
the patterns. If patterns do not start with the S3 ARN prefix
(`arn:aws:s3:::`), it will be prepended.
"""
if patterns:
for i, pattern in enumerate(patterns):
if not pattern.startswith("arn:aws:s3:::"):
patterns[i] = "arn:aws:s3:::{}".format(pattern)
self._request(
{
"enable-object-storage-access": True,
"object-storage-access-patterns": patterns,
}
)
def enable_object_storage_management(self, patterns=None):
"""
Request the ability to manage object storage.
# Parameters
`patterns` (list): If given, restrict management to the resources
matching the patterns. If patterns do not start with the S3 ARN
prefix (`arn:aws:s3:::`), it will be prepended.
"""
if patterns:
for i, pattern in enumerate(patterns):
if not pattern.startswith("arn:aws:s3:::"):
patterns[i] = "arn:aws:s3:::{}".format(pattern)
self._request(
{
"enable-object-storage-management": True,
"object-storage-management-patterns": patterns,
}
)