This plugin queries a remote endpoint for AWS account information in JSON format. Accounts are added and/or removed without restarting the Clouddriver service.
- Periodically syncs with a configured remote host to update Spinnaker AWS and ECS accounts. Supports account addition, removal, and update.
- On-demand account loading. If an AWS account is not found in the local repository at the time of pipeline execution, the plugin will perform a sync with the remote host to provide the needed account (if found in the remote host).
- Supports IAM authentication when used with API Gateway. The Spinnaker managing account role must have the permission to invoke the configured API Gateway.
- Must be used with Spinnaker version 1.28 or higher.
- Must enable AWS support.
- Must enable Lambda support.
- Must enable ECS support.
- Must have an HTTP endpoint which provides a JSON payload when invoked with `GET` (example available at `.github/integration-testing/mock-server/`).
This plugin expects the following JSON payload from the remote host configured with the `url` property.

```json
{
  "SpinnakerAccounts": [
    {
      "AccountId": "12345678901",
      "SpinnakerAccountName": "test-3",
      "Regions": [
        "us-west-2"
      ],
      "SpinnakerStatus": "ACTIVE | SUSPENDED",
      "SpinnakerAssumeRole": "role/spinnakerManaged",
      "SpinnakerProviders": [
        "ecs", "lambda", "ec2"
      ],
      "UpdatedAt": "2020-08-27T16:52:59.026696+00:00"
    }
  ],
  "Pagination": {
    "NextUrl": "http://some/next/url"
  }
}
```

- The plugin performs `GET` with the query string field `UpdatedAt.gt=<TIME>` after the initial sync. The expectation is that the remote host will return only accounts that were updated after the time specified by the field. This is done to avoid returning and processing all accounts every time a sync occurs.
- The `UpdatedAt.gt` field value is determined using the most recent time value provided in the `UpdatedAt` JSON field. E.g. if two accounts were returned with timestamps `2020-08-27T16:52:59.026696+00:00` and `2030-12-27T16:52:59.026696+00:00`, the next request will have a query string field `UpdatedAt.gt=2030-12-27T16:52:59.026696+00:00`.
- The `SpinnakerProviders` JSON field means the following:
  - If empty, AWS and ECS accounts are removed.
  - If only `ec2` is specified, a Spinnaker AWS account is created.
  - If only `lambda` is specified, a Spinnaker AWS account with Lambda support is created.
  - If `ecs` is specified, Spinnaker AWS and ECS accounts are created.
    - ECS accounts are named with the corresponding AWS account's name plus a "-ecs" suffix. E.g. the ECS account is named `account1-ecs` if its corresponding AWS account name is `account1`.
- If the `SpinnakerProviders` field is set to `SUSPENDED`, AWS and ECS accounts are removed.
- If the `NextUrl` field is present, the plugin will perform a `GET` request against the URL specified by the field. Returned accounts are aggregated, then processed.
- Failure paths are available here:
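The payload rules above, worked through as an added Python example (not the plugin's own code): it aggregates pages by following `NextUrl`, derives which Spinnaker accounts are created or removed, and picks the next `UpdatedAt.gt` value. The names `collect`, `plan` and `acct` and the host `registry.example` are hypothetical. It assumes suspension is read from `SpinnakerStatus` (the field the sample payload shows taking `SUSPENDED`) and that provider combinations are treated as a union; the same-host and loop checks on `NextUrl` are safeguards added here, not documented plugin behaviour.

```python
from datetime import datetime
from urllib.parse import urlsplit

def collect(fetch, url):
    """Follow Pagination.NextUrl and aggregate accounts before processing."""
    origin, seen, accounts = urlsplit(url)[:2], set(), []
    while url:
        # Added safeguards, not documented plugin behaviour: same scheme/host, no loops.
        if urlsplit(url)[:2] != origin or url in seen:
            raise ValueError(f"refusing NextUrl {url!r}")
        seen.add(url)
        page = fetch(url)
        accounts += page.get("SpinnakerAccounts", [])
        url = (page.get("Pagination") or {}).get("NextUrl")
    return accounts

def plan(accounts):
    """Return (accounts to create/update, names to remove, next UpdatedAt.gt value)."""
    upserts, removals, newest = {}, set(), None
    for a in accounts:
        name = a["SpinnakerAccountName"]
        providers = set(a.get("SpinnakerProviders") or [])
        # Assumption: suspension is signalled by SpinnakerStatus, as in the sample payload.
        if a.get("SpinnakerStatus") == "SUSPENDED" or not providers:
            removals |= {name, name + "-ecs"}
        else:
            upserts[name] = {"type": "aws", "lambda": "lambda" in providers}
            if "ecs" in providers:
                upserts[name + "-ecs"] = {"type": "ecs", "awsAccount": name}
        # Compare parsed times, but keep the original string for the query field.
        if newest is None or datetime.fromisoformat(a["UpdatedAt"]) > datetime.fromisoformat(newest):
            newest = a["UpdatedAt"]
    return upserts, removals, newest

def acct(name, providers, status, updated):  # builds one constructed sample record
    return {"AccountId": "12345678901", "SpinnakerAccountName": name, "Regions": ["us-west-2"],
            "SpinnakerStatus": status, "SpinnakerAssumeRole": "role/spinnakerManaged",
            "SpinnakerProviders": providers, "UpdatedAt": updated}

# Constructed two-page response from a hypothetical registry host.
BASE = "http://registry.example/accounts"
PAGES = {
    BASE: {"SpinnakerAccounts": [acct("account1", ["ecs"], "ACTIVE", "2020-08-27T16:52:59.026696+00:00"),
                                 acct("account2", ["lambda"], "ACTIVE", "2030-12-27T16:52:59.026696+00:00")],
           "Pagination": {"NextUrl": BASE + "?page=2"}},
    BASE + "?page=2": {"SpinnakerAccounts": [acct("account3", ["ec2"], "SUSPENDED", "2021-01-01T00:00:00+00:00"),
                                             acct("account4", [], "ACTIVE", "2021-02-01T00:00:00+00:00")]},
}
RESULT = plan(collect(PAGES.__getitem__, BASE))
```

`RESULT` holds the create/update map, the set of account names to remove, and the timestamp string to send as `UpdatedAt.gt` on the next sync.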
- Add the following to `clouddriver.yml` in the necessary profile to load the plugin.

```yaml
spinnaker:
  extensibility:
    plugins:
      AWS.AccountRegistration:
        id: AWS.AccountRegistration
        enabled: true
        version: <<plugin release version>>
        extensions: {}
    repositories:
      awsAccountRegistrationPluginRepo:
        id: awsAccountRegistrationPluginRepo
        url: https://raw.githubusercontent.com/spinnaker-plugins/aws-account-registration-plugin-spinnaker/master/plugins.json
accountProvision:
  url: 'http://localhost:8080' # Remote host address. Query string is supported but must not include space characters.
  iamAuth: false # Enable IAM authentication for API Gateway.
  iamAuthRegion: 'us-west-2' # Region in which API Gateway is deployed. Required if `iamAuth` is enabled.
  connectionTimeout: 2000 # How long to wait before the initial connection times out.
  readTimeout: 6000 # How long to wait for the remote server to return results.
  maxBackoffTime: 3600000 # Maximum backoff time, in milliseconds.
credentials:
  poller:
    enabled: true
    types:
      aws:
        reloadFrequencyMs: 20000 # Specify how often in milliseconds credentials should be synced.
      ecs:
        reloadFrequencyMs: 20000 # Specify how often in milliseconds credentials should be synced.
```

- Run `./gradlew releaseBundle` in the root of this project.
- The above command will create a zip file, `build/distributions/spinnaker-aws-account-registration*.zip`.
- Copy the zip file to the Clouddriver plugin directory. Defaults to `/opt/clouddriver/plugins`. This directory can be specified by the `plugins-root-path` configuration property.
- Enable the plugin by placing the following in the Clouddriver profile:

```yaml
spinnaker:
  extensibility:
    plugins-root-path: /opt/clouddriver/plugins # Specify plugin directory if necessary.
    plugins:
      AWS.AccountRegistration:
        enabled: true
    repositories: {}
    strict-plugin-loading: false
# Available Plugin configuration properties:
accountProvision:
  url: 'http://localhost:8080' # Remote host address. Query string is supported but must not include space characters.
  iamAuth: false # Enable IAM authentication for API Gateway.
  iamAuthRegion: 'us-west-2' # Region in which API Gateway is deployed. Required if `iamAuth` is enabled.
  connectionTimeout: 2000 # How long to wait before the initial connection times out.
  readTimeout: 6000 # How long to wait for the remote server to return results.
  maxBackoffTime: 3600000 # Maximum backoff time, in milliseconds.
credentials:
  poller:
    enabled: true
    types:
      aws:
        reloadFrequencyMs: 20000 # Specify how often in milliseconds credentials should be synced.
      ecs:
        reloadFrequencyMs: 20000 # Specify how often in milliseconds credentials should be synced.
```

Developer guide for this plugin is available here:
See CONTRIBUTING for more information.
This project is licensed under the Apache-2.0 License.