UNPKG

@alicloud/fun/lib/ram.js

Version:

5.9 kBJavaScriptView Raw

1'use strict';
2
3const Ram = require('@alicloud/ram');
4const getProfile = require('./profile').getProfile;
5const promiseRetry = require('./retry');
6const { red } = require('colors');
7const debug = require('debug')('fun:ram');
8const _ = require('lodash');
9
10const getRamClient = async () => {
const profile = await getProfile();

return new Ram({
  accessKeyId: profile.accessKeyId,
  accessKeySecret: profile.accessKeySecret,
  endpoint: 'https://ram.aliyuncs.com',
  opts: {
    timeout: profile.timeout * 1000
  }
});
21};
22
23function normalizeRoleOrPoliceName(roleName) {
return roleName.replace(/_/g, '-');
25}
26
27async function deletePolicyNotDefaultVersion(ram, policyName) {
const listResponse = await ram.listPolicyVersions({
  PolicyType: 'Custom',
  PolicyName: policyName
});
  
const versions = (listResponse.PolicyVersions || {}).PolicyVersion;
if (versions) {
  for (let version of versions) {
    if (version.IsDefaultVersion === false) {
      await ram.deletePolicyVersion({
        PolicyName: policyName,
        VersionId: version.VersionId
      });
    }
  }
}
44}
45
46async function makePolicy(policyName, policyDocument) {
const ram = await getRamClient();

let exists = true;
50
await promiseRetry(async (retry, times) => {
  try {
    try {
      await ram.getPolicy({
        PolicyType: 'Custom',
        PolicyName: policyName
      });
    } catch (ex) {
      if (ex.code !== 'EntityNotExist.Policy') {
        throw ex;
      } else { exists = false; }
    }
      
    if (!exists) {
      await ram.createPolicy({
        PolicyName: policyName,
        Description: 'generated by fc fun',
        PolicyDocument: JSON.stringify(policyDocument)
      });
    } else {
      // avoid limitExceeded.Policy.Version
      await deletePolicyNotDefaultVersion(ram, policyName);
    
      await ram.createPolicyVersion({
        PolicyName: policyName,
        PolicyDocument: JSON.stringify(policyDocument), 
        SetAsDefault: true
      });
    }
  } catch (ex) {
    console.log(red(`retry ${times} times`));
    retry(ex);
  }
});
85}
86
87async function attachPolicyToRole(policyName, roleName, policyType = 'System') { 
const ram = await getRamClient();
89
await promiseRetry(async (retry, times) => {
  try {
    const policies = await ram.listPoliciesForRole({
      RoleName: roleName
    });
    var policy = policies.Policies.Policy.find((item) => {
      return _.toLower(item.PolicyName) === _.toLower(policyName);
    });
    if (!policy) {
      await ram.attachPolicyToRole({
        PolicyType: policyType,
        PolicyName: policyName,
        RoleName: roleName
      });
    }
  } catch (ex) {
    debug('error when attachPolicyToRole: %s, policyName %s, error is: \n%O', roleName, policyName, ex);
107
    console.log(red(`retry ${times} times`));
    retry(ex);
  }
});
112}
113
114async function getRamRole(ramClient, roleName) {
try {
  return await ramClient.getRole({
    RoleName: roleName
  });
} catch (ex) {
  debug('error when getRole: %s, error is: \n%O', roleName, ex);
  if (ex.name !== 'EntityNotExist.RoleError') {
    throw ex;
  }
}
125}  
126
127async function makeRole(roleName, createRoleIfNotExist, description = 'FunctionCompute Default Role', assumeRolePolicy) {

const ram = await getRamClient();
var role;
await promiseRetry(async (retry, times) => {
  try {      
    role = await getRamRole(ram, roleName);

    if (!assumeRolePolicy) {
      assumeRolePolicy = {
        'Statement': [
          {
            'Action': 'sts:AssumeRole',
            'Effect': 'Allow',
            'Principal': {
              'Service': [
                'fc.aliyuncs.com'
              ]
            }
          }
        ],
        'Version': '1'
      };
    }
151
    if (!role && createRoleIfNotExist) {
      role = await ram.createRole({
        RoleName: roleName,
        Description: description,
        AssumeRolePolicyDocument: JSON.stringify(assumeRolePolicy)
      });
    } else if (!role) {
      throw new Error(`role ${roleName} not exist`);
    }
  } catch (ex) {
    debug('error when makeRole: %s, error is: \n%O', roleName, ex);
163
    if (ex.code && ex.code.startsWith('InvalidParameter')) {
      throw ex;
    } else if (ex.code && ex.code === 'NoPermission') {
      console.error(red(`\n${ex.message}\n\nMaybe you need grant AliyunRAMFullAccess policy to the sub-account or use the primary account. You can refer to Chinese doc https://github.com/aliyun/fun/blob/master/docs/usage/faq-zh.md#nopermissionerror-you-are-not-authorized-to-do-this-action-resource-acsramxxxxxxxxxxrole-action-ramgetrole or English doc https://github.com/aliyun/fun/blob/master/docs/usage/faq.md#nopermissionerror-you-are-not-authorized-to-do-this-action-resource-acsramxxxxxxxxxxrole-action-ramgetrole for help.\n\n` +
      `If you don’t want use the AliyunRAMFullAccess policy or primary account, you can also specify the Role property for Service. You can refer to Chinese doc https://github.com/aliyun/fun/blob/master/docs/specs/2018-04-03-zh-cn.md#aliyunserverlessservice or English doc https://github.com/aliyun/fun/blob/master/docs/specs/2018-04-03.md#aliyunserverlessservice for help.\n`));
169
      throw ex;
    } else {
      console.log(red(`retry ${times} times`));
      retry(ex);
    }
  }
});
177
return role;
179}
180
181async function makeAndAttachPolicy(policyName, policyDocument, roleName) {
debug('begin makePolicy');
await makePolicy(policyName, policyDocument);
debug('begin attachPolicyToRole');
await attachPolicyToRole(policyName, roleName, 'Custom');
186}
187
188module.exports = {
makeRole, makePolicy, 
attachPolicyToRole, makeAndAttachPolicy,
normalizeRoleOrPoliceName
192};
\No newline at end of file

1	`'use strict';`
2
3	`const Ram = require('@alicloud/ram');`
4	`const getProfile = require('./profile').getProfile;`
5	`const promiseRetry = require('./retry');`
6	`const { red } = require('colors');`
7	`const debug = require('debug')('fun:ram');`
8	`const _ = require('lodash');`
9
10	`const getRamClient = async () => {`
11	`const profile = await getProfile();`
12
13	`return new Ram({`
14	`accessKeyId: profile.accessKeyId,`
15	`accessKeySecret: profile.accessKeySecret,`
16	`endpoint: 'https://ram.aliyuncs.com',`
17	`opts: {`
18	`timeout: profile.timeout * 1000`
19	`}`
20	`});`
21	`};`
22
23	`function normalizeRoleOrPoliceName(roleName) {`
24	`return roleName.replace(/_/g, '-');`
25	`}`
26
27	`async function deletePolicyNotDefaultVersion(ram, policyName) {`
28	`const listResponse = await ram.listPolicyVersions({`
29	`PolicyType: 'Custom',`
30	`PolicyName: policyName`
31	`});`
32
33	`const versions = (listResponse.PolicyVersions \|\| {}).PolicyVersion;`
34	`if (versions) {`
35	`for (let version of versions) {`
36	`if (version.IsDefaultVersion === false) {`
37	`await ram.deletePolicyVersion({`
38	`PolicyName: policyName,`
39	`VersionId: version.VersionId`
40	`});`
41	`}`
42	`}`
43	`}`
44	`}`
45
46	`async function makePolicy(policyName, policyDocument) {`
47	`const ram = await getRamClient();`
48
49	`let exists = true;`
50
51	`await promiseRetry(async (retry, times) => {`
52	`try {`
53	`try {`
54	`await ram.getPolicy({`
55	`PolicyType: 'Custom',`
56	`PolicyName: policyName`
57	`});`
58	`} catch (ex) {`
59	`if (ex.code !== 'EntityNotExist.Policy') {`
60	`throw ex;`
61	`} else { exists = false; }`
62	`}`
63
64	`if (!exists) {`
65	`await ram.createPolicy({`
66	`PolicyName: policyName,`
67	`Description: 'generated by fc fun',`
68	`PolicyDocument: JSON.stringify(policyDocument)`
69	`});`
70	`} else {`
71	`// avoid limitExceeded.Policy.Version`
72	`await deletePolicyNotDefaultVersion(ram, policyName);`
73
74	`await ram.createPolicyVersion({`
75	`PolicyName: policyName,`
76	`PolicyDocument: JSON.stringify(policyDocument),`
77	`SetAsDefault: true`
78	`});`
79	`}`
80	`} catch (ex) {`
81	console.log(red(`retry ${times} times`));
82	`retry(ex);`
83	`}`
84	`});`
85	`}`
86
87	`async function attachPolicyToRole(policyName, roleName, policyType = 'System') {`
88	`const ram = await getRamClient();`
89
90	`await promiseRetry(async (retry, times) => {`
91	`try {`
92	`const policies = await ram.listPoliciesForRole({`
93	`RoleName: roleName`
94	`});`
95	`var policy = policies.Policies.Policy.find((item) => {`
96	`return _.toLower(item.PolicyName) === _.toLower(policyName);`
97	`});`
98	`if (!policy) {`
99	`await ram.attachPolicyToRole({`
100	`PolicyType: policyType,`
101	`PolicyName: policyName,`
102	`RoleName: roleName`
103	`});`
104	`}`
105	`} catch (ex) {`
106	`debug('error when attachPolicyToRole: %s, policyName %s, error is: \n%O', roleName, policyName, ex);`
107
108	console.log(red(`retry ${times} times`));
109	`retry(ex);`
110	`}`
111	`});`
112	`}`
113
114	`async function getRamRole(ramClient, roleName) {`
115	`try {`
116	`return await ramClient.getRole({`
117	`RoleName: roleName`
118	`});`
119	`} catch (ex) {`
120	`debug('error when getRole: %s, error is: \n%O', roleName, ex);`
121	`if (ex.name !== 'EntityNotExist.RoleError') {`
122	`throw ex;`
123	`}`
124	`}`
125	`}`
126
127	`async function makeRole(roleName, createRoleIfNotExist, description = 'FunctionCompute Default Role', assumeRolePolicy) {`
128
129	`const ram = await getRamClient();`
130	`var role;`
131	`await promiseRetry(async (retry, times) => {`
132	`try {`
133	`role = await getRamRole(ram, roleName);`
134
135	`if (!assumeRolePolicy) {`
136	`assumeRolePolicy = {`
137	`'Statement': [`
138	`{`
139	`'Action': 'sts:AssumeRole',`
140	`'Effect': 'Allow',`
141	`'Principal': {`
142	`'Service': [`
143	`'fc.aliyuncs.com'`
144	`]`
145	`}`
146	`}`
147	`],`
148	`'Version': '1'`
149	`};`
150	`}`
151
152	`if (!role && createRoleIfNotExist) {`
153	`role = await ram.createRole({`
154	`RoleName: roleName,`
155	`Description: description,`
156	`AssumeRolePolicyDocument: JSON.stringify(assumeRolePolicy)`
157	`});`
158	`} else if (!role) {`
159	throw new Error(`role ${roleName} not exist`);
160	`}`
161	`} catch (ex) {`
162	`debug('error when makeRole: %s, error is: \n%O', roleName, ex);`
163
164	`if (ex.code && ex.code.startsWith('InvalidParameter')) {`
165	`throw ex;`
166	`} else if (ex.code && ex.code === 'NoPermission') {`
167	console.error(red(`\n${ex.message}\n\nMaybe you need grant AliyunRAMFullAccess policy to the sub-account or use the primary account. You can refer to Chinese doc https://github.com/aliyun/fun/blob/master/docs/usage/faq-zh.md#nopermissionerror-you-are-not-authorized-to-do-this-action-resource-acsramxxxxxxxxxxrole-action-ramgetrole or English doc https://github.com/aliyun/fun/blob/master/docs/usage/faq.md#nopermissionerror-you-are-not-authorized-to-do-this-action-resource-acsramxxxxxxxxxxrole-action-ramgetrole for help.\n\n` +
168	`If you don’t want use the AliyunRAMFullAccess policy or primary account, you can also specify the Role property for Service. You can refer to Chinese doc https://github.com/aliyun/fun/blob/master/docs/specs/2018-04-03-zh-cn.md#aliyunserverlessservice or English doc https://github.com/aliyun/fun/blob/master/docs/specs/2018-04-03.md#aliyunserverlessservice for help.\n`));
169
170	`throw ex;`
171	`} else {`
172	console.log(red(`retry ${times} times`));
173	`retry(ex);`
174	`}`
175	`}`
176	`});`
177
178	`return role;`
179	`}`
180
181	`async function makeAndAttachPolicy(policyName, policyDocument, roleName) {`
182	`debug('begin makePolicy');`
183	`await makePolicy(policyName, policyDocument);`
184	`debug('begin attachPolicyToRole');`
185	`await attachPolicyToRole(policyName, roleName, 'Custom');`
186	`}`
187
188	`module.exports = {`
189	`makeRole, makePolicy,`
190	`attachPolicyToRole, makeAndAttachPolicy,`
191	`normalizeRoleOrPoliceName`
192	`};`
\	No newline at end of file