very WIP lambda code changes

tstibbs · Jan 16, 2025 · 905ac71 · 905ac71
1 parent a3003a1
commit 905ac71
Show file tree

Hide file tree

Showing 8 changed files with 4,968 additions and 2,188 deletions.
diff --git a/aws/environment-setup/package-lock.json b/aws/environment-setup/package-lock.json
diff --git a/aws/environment-setup/package.json b/aws/environment-setup/package.json
@@ -11,11 +11,12 @@
 		"@aws-sdk/client-cloudformation": "^3.577.0",
 		"@aws-sdk/client-cloudwatch-logs": "^3.577.0",
 		"@aws-sdk/client-dynamodb": "^3.577.0",
-		"@aws-sdk/client-iam": "^3.577.0",
+		"@aws-sdk/client-iam": "^3.726.1",
 		"@aws-sdk/client-iot": "^3.577.0",
 		"@aws-sdk/client-s3": "^3.726.1",
 		"@aws-sdk/client-sns": "^3.577.0",
 		"@aws-sdk/client-sts": "^3.577.0",
+		"@aws-sdk/credential-providers": "^3.729.0",
 		"@aws-sdk/lib-dynamodb": "^3.726.1",
 		"csv-parse": "^5.5.5",
 		"dotenv": "^16.4.5",

diff --git a/aws/environment-setup/src/auth-utils.js b/aws/environment-setup/src/auth-utils.js
@@ -1,35 +1,25 @@
 import {STS} from '@aws-sdk/client-sts'
-
-const awsDefaults = {region: 'eu-west-2'}
-const awsApiVersions = {
-	Athena: '2017-05-18',
-	CloudFormation: '2010-05-15',
-	CloudWatchLogs: '2014-03-28',
-	DynamoDB: '2012-08-10',
-	IAM: '2010-05-08',
-	IoT: '2015-05-28',
-	S3: '2006-03-01',
-	SNS: '2010-03-31',
-	STS: '2011-06-15'
-}
+import {defaultAwsClientConfig} from '@tstibbs/cloud-core-utils/src/tools/aws-client-config.js'
+import {fromTemporaryCredentials, fromNodeProviderChain} from '@aws-sdk/credential-providers'
 
 export function defaultsForAwsService(serviceName) {
+	//TODO remove this
 	return {
-		...awsDefaults,
-		apiVersion: awsApiVersions[serviceName]
+		...defaultAwsClientConfig
 	}
 }
 
 export async function assumeRole(roleArn) {
-	let sts = new STS(defaultsForAwsService('STS'))
+	let sts = new STS(defaultAwsClientConfig)
 	let currentAuth = await sts.getCallerIdentity({})
 	let currentSessionName = currentAuth.Arn.split('/').slice(-1)[0]
-	let oldCreds = aws.config.credentials
-	aws.config.credentials = new aws.ChainableTemporaryCredentials({
-		params: {
-			RoleArn: roleArn,
-			RoleSessionName: currentSessionName
-		}
-	})
-	return oldCreds
+	return {
+		credentials: fromTemporaryCredentials({
+			masterCredentials: fromNodeProviderChain(),
+			params: {
+				RoleArn: roleArn,
+				RoleSessionName: currentSessionName
+			}
+		})
+	}
 }
diff --git a/aws/environment-setup/src/cfnStackDriftChecker.js b/aws/environment-setup/src/cfnStackDriftChecker.js
@@ -3,6 +3,8 @@ import _ from 'lodash'
 import assert from 'assert'
 import backOff from 'exponential-backoff'
 
+import {CloudFormation} from '@aws-sdk/client-cloudformation'
+
 import {buildApiForAccount, assertNotPaging, inSeries, buildMultiAccountLambdaHandler} from './utils.js'
 import {diffsAreAcceptable} from './drift-exclusions.js'
 import {MonitorStore} from './monitor-store.js'
@@ -103,7 +105,7 @@ function deletedStacksFilter(summary) {
 }
 
 async function checkOneAccount(accountId) {
-	let cloudformation = await buildApiForAccount(accountId, 'ParentAccountCliRole', 'CloudFormation')
+	let cloudformation = await buildApiForAccount(accountId, 'ParentAccountCliRole', CloudFormation)
 	let stackResponse = await cloudformation.listStacks({})
 	let stacks = stackResponse.StackSummaries.filter(deletedStacksFilter).map(summary => summary.StackName)
 	console.log(`Checking drift status for: ${accountId} / ${stacks}`)

diff --git a/aws/environment-setup/src/iam-checker.js b/aws/environment-setup/src/iam-checker.js
@@ -2,6 +2,7 @@
 
 import {parse as csvParse} from 'csv-parse/sync'
 import backOff from 'exponential-backoff'
+import {IAMClient} from '@aws-sdk/client-iam'
 
 import {MAX_CREDENTIAL_AGE} from './runtime-envs.js'
 import {buildApiForAccount, buildMultiAccountLambdaHandler} from './utils.js'
@@ -16,7 +17,7 @@ async function checkOneAccount(accountId) {
 	const issues = []
 	const now = Date.now()
 	const maxCredentialAge = MAX_CREDENTIAL_AGE //in days
-	const iam = await buildApiForAccount(accountId, 'ParentAccountCliRole', 'IAM')
+	const iam = await buildApiForAccount(accountId, 'ParentAccountCliRole', IAMClient)
 
 	async function runChecks() {
 		await doWithBackoff('generateCredentialReport')

diff --git a/aws/environment-setup/src/usage-monitor.js b/aws/environment-setup/src/usage-monitor.js
@@ -1,3 +1,7 @@
+import {Athena} from '@aws-sdk/client-athena'
+import {CloudFormation} from '@aws-sdk/client-cloudformation'
+import {CloudWatchLogs} from '@aws-sdk/client-cloudwatch-logs'
+
 import {buildMultiAccountLambdaHandler, publishNotification, buildApiForAccount} from './utils.js'
 import {USAGE_MONITOR_EVENT_AGE_DAYS, ATHENA_WORKGROUP_NAME} from './runtime-envs.js'
 import {
@@ -248,9 +252,9 @@ function formatResultsForEmail(allResults, ipInfo) {
 }
 
 async function checkOneAccount(accountId) {
-	const cloudformation = await buildApiForAccount(accountId, USAGE_CHILD_ROLE_NAME, 'CloudFormation')
-	const athena = await buildApiForAccount(accountId, USAGE_CHILD_ROLE_NAME, 'Athena')
-	const cloudWatchLogs = await buildApiForAccount(accountId, USAGE_CHILD_ROLE_NAME, 'CloudWatchLogs')
+	const cloudformation = await buildApiForAccount(accountId, USAGE_CHILD_ROLE_NAME, CloudFormation)
+	const athena = await buildApiForAccount(accountId, USAGE_CHILD_ROLE_NAME, Athena)
+	const cloudWatchLogs = await buildApiForAccount(accountId, USAGE_CHILD_ROLE_NAME, CloudWatchLogs)
 	const apis = {
 		athena,
 		cloudWatchLogs

diff --git a/aws/environment-setup/src/utils.js b/aws/environment-setup/src/utils.js
@@ -87,12 +87,8 @@ function getCurrentLambdaLogsLink() {
 }
 
 export async function buildApiForAccount(accountId, role, api) {
-	let oldCreds = await assumeRole(`arn:aws:iam::${accountId}:role/${role}`)
-	let cloudformation = new aws[api]()
-	// JS SDK v3 does not support global configuration.
-	// Codemod has attempted to pass values to each service client in this file.
-	// You may need to update clients outside of this file, if they use global config.
-	aws.config.credentials = oldCreds
+	let clientConfigWithCreds = await assumeRole(`arn:aws:iam::${accountId}:role/${role}`)
+	let cloudformation = new api(clientConfigWithCreds)
 	return cloudformation
 }
 

diff --git a/aws/environment-setup/test/run-stack-drift-checker.js b/aws/environment-setup/test/run-stack-drift-checker.js
@@ -1,12 +1,12 @@
 import {PARENT_ACCOUNT_ID} from '../lib/deploy-envs.js'
 import {assumeRole} from '../src/auth-utils.js'
-import aws from 'aws-sdk'
+import {CloudFormation} from '@aws-sdk/client-cloudformation'
+import {defaultAwsClientConfig} from '@tstibbs/cloud-core-utils/src/tools/aws-client-config.js'
 
-await assumeRole(`arn:aws:iam::${PARENT_ACCOUNT_ID}:role/toolingFunctionsRole`)
+// await assumeRole(`arn:aws:iam::${PARENT_ACCOUNT_ID}:role/toolingFunctionsRole`)
 let {handler, checkOneStackDriftsAcceptable} = await import('../src/cfnStackDriftChecker.js')
-await handler({}, {awsRequestId: 'dummy'})
+// await handler({}, {awsRequestId: 'dummy'})
 
-//TODO comment this out by default
-let cloudformation = new aws.CloudFormation()
-let acceptable = await checkOneStackDriftsAcceptable(cloudformation, stack - name)
+let cloudformation = new CloudFormation(defaultAwsClientConfig)
+let acceptable = await checkOneStackDriftsAcceptable(cloudformation, 'pdf-viewer-sync')
 console.log(acceptable)