Merge pull request #356 from dgraeber/feature/quilified-bootstraps

adding support for qualifier on bootstrap roles

CHANGELOG.md

@@ -7,6 +7,7 @@ This project adheres to [Semantic Versioning](http://semver.org/) and [Keep a Ch
 ## Unreleased
 
 ### New
+- adding qualifier support for bootstrap roles
 
 ### Changes
 

docs/source/bootstrapping.md

@@ -14,14 +14,16 @@ Options:
   -p, --project TEXT              Project identifier
   -t, --trusted-principal TEXT    ARN of Principals trusted to assume the
                                   Toolchain Role
-  -b, --permissions-boundary TEXT  ARN of a Managed Policy to set as the
+  -b, --permissions-boundary TEXT
+                                  ARN of a Managed Policy to set as the
                                   Permission Boundary on the Toolchain Role
   --as-target / --not-as-target   Optionally also bootstrap the account as a
                                   Target account  [default: not-as-target]
   --synth / --no-synth            Synthesize a CFN template only...do not
                                   deploy  [default: no-synth]
   --profile TEXT                  The AWS profile to initiate a session
   --region TEXT                   AWS region to use
+  --qualifier TEXT                A qualifier to append to toolchain role (alpha-numeric char max length of 6)
   --debug / --no-debug            Enable detail logging  [default: no-debug]
   --help                          Show this message and exit.
 ```
@@ -33,11 +35,10 @@ The `permission-boundary` filed allows you to attach a policy to the role to act
 Typically, you can have the `toolchain account` act as the `target account`.  The `as-target` field will bootstrap both in a single command. 
 
 
-
 ## Bootstrap Target Account
 
 ```bash
-sage: seedfarmer bootstrap target [OPTIONS]
+Usage: seedfarmer bootstrap target [OPTIONS]
 
   Bootstrap a Target account.
 
@@ -46,12 +47,14 @@ Options:
   -t, --toolchain-account TEXT    Account Id of the Toolchain account trusted
                                   to assume the Target account's Deployment
                                   Role  [required]
-  -b, --permissions-boundary TEXT  ARN of a Managed Policy to set as the
+  -b, --permissions-boundary TEXT
+                                  ARN of a Managed Policy to set as the
                                   Permission Boundary on the Toolchain Role
   --synth / --no-synth            Synthesize a CFN template only...do not
                                   deploy  [default: no-synth]
   --profile TEXT                  The AWS profile to initiate a session
   --region TEXT                   AWS region to use
+  --qualifier TEXT                A qualifier to append to target role (alpha-numeric char max length of 6)
   --debug / --no-debug            Enable detail logging  [default: no-debug]
   --help                          Show this message and exit.
 ```
@@ -60,5 +63,12 @@ You must pass in the `toolchain-account` field so a trust-relationship can be se
 
 The `permission-boundary` filed allows you to attach a policy to the role to act as a [permissions boundary](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
 
+
+## Qualifiers for Toolchain Role and Target Roles
+We have added suppprt for the use of a qualifier for the toolchain role and the target account deployment role(s).  This is to help segregate target deployment when using a multi-account structure which has a central shared services (CICD account) as the toolchain account performing deployments across relevant environments (ex. DEV, INT, PROD). A `qualifier` can be used if you want to restrict the level of access/action a dev/tester/support team can perform on any target given environment.
+
+The qualifier post-pends a 6 char alpha-numeric string to the deployment role and toolchain role.  The qualifier **MUST BE THE SAME ON THE TOOLCHAIN ROLE AND EACH TARGET ROLE.**
+
+
 ## Prepping the Account / Region
 `seedfarmer` leverages the AWS CDKv2.  This must be bootstrapped in ech account/region combination to be used of each target account.

seedfarmer/__main__.py

@@ -57,6 +57,12 @@ def version() -> None:
     help="The AWS region to use for boto3.Sessions",
     required=False,
 )
+@click.option(
+    "--qualifier",
+    default=None,
+    help="A qualifier to append to toolchain / target roles",
+    required=False,
+)
 @click.option(
     "--env-file",
     default=".env",
@@ -102,6 +108,7 @@ def apply(
     spec: str,
     profile: Optional[str],
     region: Optional[str],
+    qualifier: Optional[str],
     env_file: str,
     debug: bool,
     dry_run: bool,
@@ -124,6 +131,7 @@ def apply(
         deployment_manifest_path=spec,
         profile=profile,
         region_name=region,
+        qualifier=qualifier,
         dryrun=dry_run,
         show_manifest=show_manifest,
         enable_session_timeout=enable_session_timeout,
@@ -161,6 +169,12 @@ def apply(
     help="The AWS region to use for toolchain",
     required=False,
 )
+@click.option(
+    "--qualifier",
+    default=None,
+    help="A qualifier to append to toolchain / target role",
+    required=False,
+)
 @click.option(
     "--env-file",
     default=".env",
@@ -193,6 +207,7 @@ def destroy(
     show_manifest: bool,
     profile: Optional[str],
     region: Optional[str],
+    qualifier: Optional[str],
     env_file: str,
     debug: bool,
     enable_session_timeout: bool,
@@ -217,6 +232,7 @@ def destroy(
         deployment_name=deployment,
         profile=profile,
         region_name=region,
+        qualifier=qualifier,
         dryrun=dry_run,
         show_manifest=show_manifest,
         enable_session_timeout=enable_session_timeout,

seedfarmer/cli_groups/_bootstrap_group.py

@@ -94,13 +94,20 @@ def bootstrap() -> None:
     help="AWS region to use",
     required=False,
 )
+@click.option(
+    "--qualifier",
+    default=None,
+    help="A qualifier to append to toolchain role (alpha-numeric char max length of 6)",
+    required=False,
+)
 @click.option("--debug/--no-debug", default=False, help="Enable detail logging", show_default=True)
 def bootstrap_toolchain(
     project: Optional[str],
     trusted_principal: List[str],
     permissions_boundary: Optional[str],
     profile: Optional[str],
     region: Optional[str],
+    qualifier: Optional[str],
     as_target: bool,
     synth: bool,
     debug: bool,
@@ -115,6 +122,7 @@ def bootstrap_toolchain(
         principal_arns=trusted_principal,
         permissions_boundary_arn=permissions_boundary,
         profile=profile,
+        qualifier=qualifier,
         region_name=region,
         synthesize=synth,
         as_target=as_target,
@@ -165,13 +173,20 @@ def bootstrap_toolchain(
     help="AWS region to use",
     required=False,
 )
+@click.option(
+    "--qualifier",
+    default=None,
+    help="A qualifier to append to target role (alpha-numeric char max length of 6)",
+    required=False,
+)
 @click.option("--debug/--no-debug", default=False, help="Enable detail logging", show_default=True)
 def bootstrap_target(
     project: Optional[str],
     toolchain_account: str,
     permissions_boundary: Optional[str],
     profile: Optional[str],
     region: Optional[str],
+    qualifier: Optional[str],
     synth: bool,
     debug: bool,
 ) -> None:
@@ -185,6 +200,7 @@ def bootstrap_target(
         project_name=project,
         profile=profile,
         region_name=region,
+        qualifier=qualifier,
         permissions_boundary_arn=permissions_boundary,
         synthesize=synth,
     )