constellation/cli/internal/cmd/iamupgradeapply.go

/*
Copyright (c) Edgeless Systems GmbH
SPDX-License-Identifier: AGPL-3.0-only
*/

package cmd

import (
	"context"
	"errors"
	"fmt"
	"io"
	"path/filepath"

	"github.com/edgelesssys/constellation/v2/cli/internal/cloudcmd"
	"github.com/edgelesssys/constellation/v2/cli/internal/terraform"
	"github.com/edgelesssys/constellation/v2/internal/api/attestationconfigapi"
	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
	"github.com/edgelesssys/constellation/v2/internal/config"
	"github.com/edgelesssys/constellation/v2/internal/constants"
	"github.com/edgelesssys/constellation/v2/internal/file"
	"github.com/spf13/afero"
	"github.com/spf13/cobra"
)

func newIAMUpgradeCmd() *cobra.Command {
	cmd := &cobra.Command{
		Use:   "upgrade",
		Short: "Find and apply upgrades to your IAM profile",
		Long:  "Find and apply upgrades to your IAM profile.",
		Args:  cobra.ExactArgs(0),
	}
	cmd.AddCommand(newIAMUpgradeApplyCmd())
	return cmd
}

func newIAMUpgradeApplyCmd() *cobra.Command {
	cmd := &cobra.Command{
		Use:   "apply",
		Short: "Apply an upgrade to an IAM profile",
		Long:  "Apply an upgrade to an IAM profile.",
		Args:  cobra.NoArgs,
		RunE:  runIAMUpgradeApply,
	}
	cmd.Flags().BoolP("yes", "y", false, "run upgrades without further confirmation")
	return cmd
}

type iamUpgradeApplyCmd struct {
	fileHandler   file.Handler
	configFetcher attestationconfigapi.Fetcher
	log           debugLog
}

func runIAMUpgradeApply(cmd *cobra.Command, _ []string) error {
	force, err := cmd.Flags().GetBool("force")
	if err != nil {
		return fmt.Errorf("parsing force argument: %w", err)
	}
	fileHandler := file.NewHandler(afero.NewOsFs())
	configFetcher := attestationconfigapi.NewFetcher()

	upgradeID := generateUpgradeID(upgradeCmdKindIAM)
	upgradeDir := filepath.Join(constants.UpgradeDir, upgradeID)
	iamMigrateCmd, err := cloudcmd.NewIAMUpgrader(
		cmd.Context(),
		constants.TerraformIAMWorkingDir,
		upgradeDir,
		terraform.LogLevelDebug,
		fileHandler,
	)
	if err != nil {
		return fmt.Errorf("setting up IAM migration command: %w", err)
	}

	log, err := newCLILogger(cmd)
	if err != nil {
		return fmt.Errorf("setting up logger: %w", err)
	}

	yes, err := cmd.Flags().GetBool("yes")
	if err != nil {
		return err
	}

	i := iamUpgradeApplyCmd{
		fileHandler:   fileHandler,
		configFetcher: configFetcher,
		log:           log,
	}

	return i.iamUpgradeApply(cmd, iamMigrateCmd, upgradeDir, force, yes)
}

func (i iamUpgradeApplyCmd) iamUpgradeApply(cmd *cobra.Command, iamUpgrader iamUpgrader, upgradeDir string, force, yes bool) error {
	conf, err := config.New(i.fileHandler, constants.ConfigFilename, i.configFetcher, force)
	var configValidationErr *config.ValidationError
	if errors.As(err, &configValidationErr) {
		cmd.PrintErrln(configValidationErr.LongMessage())
	}
	if err != nil {
		return err
	}

	vars, err := cloudcmd.TerraformIAMUpgradeVars(conf, i.fileHandler)
	if err != nil {
		return fmt.Errorf("getting terraform variables: %w", err)
	}
	hasDiff, err := iamUpgrader.PlanIAMUpgrade(cmd.Context(), cmd.OutOrStderr(), vars, conf.GetProvider())
	if err != nil {
		return err
	}
	if !hasDiff && !force {
		cmd.Println("No IAM migrations necessary.")
		return nil
	}

	// If there are any Terraform migrations to apply, ask for confirmation
	cmd.Println("The IAM upgrade requires a migration by applying an updated Terraform template. Please manually review the suggested changes.")
	if !yes {
		ok, err := askToConfirm(cmd, "Do you want to apply the IAM upgrade?")
		if err != nil {
			return fmt.Errorf("asking for confirmation: %w", err)
		}
		if !ok {
			cmd.Println("Aborting upgrade.")
			// Remove the upgrade directory
			if err := i.fileHandler.RemoveAll(upgradeDir); err != nil {
				return fmt.Errorf("cleaning up upgrade directory %s: %w", upgradeDir, err)
			}
			return errors.New("IAM upgrade aborted by user")
		}
	}
	i.log.Debugf("Applying Terraform IAM migrations")
	if err := iamUpgrader.ApplyIAMUpgrade(cmd.Context(), conf.GetProvider()); err != nil {
		return fmt.Errorf("applying terraform migrations: %w", err)
	}

	cmd.Println("IAM profile successfully applied.")

	return nil
}

type iamUpgrader interface {
	PlanIAMUpgrade(ctx context.Context, outWriter io.Writer, vars terraform.Variables, csp cloudprovider.Provider) (bool, error)
	ApplyIAMUpgrade(ctx context.Context, csp cloudprovider.Provider) error
}
cli: add `iam upgrade apply` (#2132) * add new iam upgrade apply * remove iam tf plan from upgrade apply check * add iam migration warning to upgrade apply * update release process * document migration * Apply suggestions from code review Co-authored-by: Otto Bittner <cobittner@posteo.net> * add iam upgrade * remove upgrade dir check in test * ask only without --yes * make iam upgrade provider specific * test without seperate logins * remove csi and only add conditionally * Revert "test without seperate logins" This reverts commit 05a12e59c9fdaa753b0dfa02c9196437743852bf. * fix msising cred * support iam migration for all csps * add iam upgrade label --------- Co-authored-by: Otto Bittner <cobittner@posteo.net> 2023-07-26 11:29:03 -04:00			`/*`
			`Copyright (c) Edgeless Systems GmbH`
			`SPDX-License-Identifier: AGPL-3.0-only`
			`*/`

			`package cmd`

			`import (`
cli: remove/refactor upgrade package (#2266) * Move IAM migration client to cloudcmd package * Move Terraform Cluster upgrade client to cloudcmd package * Use hcl for creating Terraform IAM variables files * Unify terraform upgrade code * Rename some cloudcmd files for better clarity --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-08-23 04:35:42 -04:00			`"context"`
cli: add `iam upgrade apply` (#2132) * add new iam upgrade apply * remove iam tf plan from upgrade apply check * add iam migration warning to upgrade apply * update release process * document migration * Apply suggestions from code review Co-authored-by: Otto Bittner <cobittner@posteo.net> * add iam upgrade * remove upgrade dir check in test * ask only without --yes * make iam upgrade provider specific * test without seperate logins * remove csi and only add conditionally * Revert "test without seperate logins" This reverts commit 05a12e59c9fdaa753b0dfa02c9196437743852bf. * fix msising cred * support iam migration for all csps * add iam upgrade label --------- Co-authored-by: Otto Bittner <cobittner@posteo.net> 2023-07-26 11:29:03 -04:00			`"errors"`
			`"fmt"`
cli: remove/refactor upgrade package (#2266) * Move IAM migration client to cloudcmd package * Move Terraform Cluster upgrade client to cloudcmd package * Use hcl for creating Terraform IAM variables files * Unify terraform upgrade code * Rename some cloudcmd files for better clarity --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-08-23 04:35:42 -04:00			`"io"`
			`"path/filepath"`
cli: add `iam upgrade apply` (#2132) * add new iam upgrade apply * remove iam tf plan from upgrade apply check * add iam migration warning to upgrade apply * update release process * document migration * Apply suggestions from code review Co-authored-by: Otto Bittner <cobittner@posteo.net> * add iam upgrade * remove upgrade dir check in test * ask only without --yes * make iam upgrade provider specific * test without seperate logins * remove csi and only add conditionally * Revert "test without seperate logins" This reverts commit 05a12e59c9fdaa753b0dfa02c9196437743852bf. * fix msising cred * support iam migration for all csps * add iam upgrade label --------- Co-authored-by: Otto Bittner <cobittner@posteo.net> 2023-07-26 11:29:03 -04:00
cli: remove/refactor upgrade package (#2266) * Move IAM migration client to cloudcmd package * Move Terraform Cluster upgrade client to cloudcmd package * Use hcl for creating Terraform IAM variables files * Unify terraform upgrade code * Rename some cloudcmd files for better clarity --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-08-23 04:35:42 -04:00			`"github.com/edgelesssys/constellation/v2/cli/internal/cloudcmd"`
cli: add `iam upgrade apply` (#2132) * add new iam upgrade apply * remove iam tf plan from upgrade apply check * add iam migration warning to upgrade apply * update release process * document migration * Apply suggestions from code review Co-authored-by: Otto Bittner <cobittner@posteo.net> * add iam upgrade * remove upgrade dir check in test * ask only without --yes * make iam upgrade provider specific * test without seperate logins * remove csi and only add conditionally * Revert "test without seperate logins" This reverts commit 05a12e59c9fdaa753b0dfa02c9196437743852bf. * fix msising cred * support iam migration for all csps * add iam upgrade label --------- Co-authored-by: Otto Bittner <cobittner@posteo.net> 2023-07-26 11:29:03 -04:00			`"github.com/edgelesssys/constellation/v2/cli/internal/terraform"`
			`"github.com/edgelesssys/constellation/v2/internal/api/attestationconfigapi"`
			`"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"`
			`"github.com/edgelesssys/constellation/v2/internal/config"`
cli: add `--workspace` flag to set base directory for Constellation workspace (#2148) * Remove `--config` and `--master-secret` falgs * Add `--workspace` flag * In CLI, only work on files with paths created from `cli/internal/cmd` * Properly print values for GCP on IAM create when not directly updating the config --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-08-04 07:53:51 -04:00			`"github.com/edgelesssys/constellation/v2/internal/constants"`
cli: add `iam upgrade apply` (#2132) * add new iam upgrade apply * remove iam tf plan from upgrade apply check * add iam migration warning to upgrade apply * update release process * document migration * Apply suggestions from code review Co-authored-by: Otto Bittner <cobittner@posteo.net> * add iam upgrade * remove upgrade dir check in test * ask only without --yes * make iam upgrade provider specific * test without seperate logins * remove csi and only add conditionally * Revert "test without seperate logins" This reverts commit 05a12e59c9fdaa753b0dfa02c9196437743852bf. * fix msising cred * support iam migration for all csps * add iam upgrade label --------- Co-authored-by: Otto Bittner <cobittner@posteo.net> 2023-07-26 11:29:03 -04:00			`"github.com/edgelesssys/constellation/v2/internal/file"`
			`"github.com/spf13/afero"`
			`"github.com/spf13/cobra"`
			`)`

			`func newIAMUpgradeCmd() *cobra.Command {`
			`cmd := &cobra.Command{`
			`Use: "upgrade",`
			`Short: "Find and apply upgrades to your IAM profile",`
			`Long: "Find and apply upgrades to your IAM profile.",`
			`Args: cobra.ExactArgs(0),`
			`}`
			`cmd.AddCommand(newIAMUpgradeApplyCmd())`
			`return cmd`
			`}`

			`func newIAMUpgradeApplyCmd() *cobra.Command {`
			`cmd := &cobra.Command{`
			`Use: "apply",`
			`Short: "Apply an upgrade to an IAM profile",`
			`Long: "Apply an upgrade to an IAM profile.",`
			`Args: cobra.NoArgs,`
			`RunE: runIAMUpgradeApply,`
			`}`
cli: add `--workspace` flag to set base directory for Constellation workspace (#2148) * Remove `--config` and `--master-secret` falgs * Add `--workspace` flag * In CLI, only work on files with paths created from `cli/internal/cmd` * Properly print values for GCP on IAM create when not directly updating the config --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-08-04 07:53:51 -04:00			`cmd.Flags().BoolP("yes", "y", false, "run upgrades without further confirmation")`
cli: add `iam upgrade apply` (#2132) * add new iam upgrade apply * remove iam tf plan from upgrade apply check * add iam migration warning to upgrade apply * update release process * document migration * Apply suggestions from code review Co-authored-by: Otto Bittner <cobittner@posteo.net> * add iam upgrade * remove upgrade dir check in test * ask only without --yes * make iam upgrade provider specific * test without seperate logins * remove csi and only add conditionally * Revert "test without seperate logins" This reverts commit 05a12e59c9fdaa753b0dfa02c9196437743852bf. * fix msising cred * support iam migration for all csps * add iam upgrade label --------- Co-authored-by: Otto Bittner <cobittner@posteo.net> 2023-07-26 11:29:03 -04:00			`return cmd`
			`}`

cli: remove/refactor upgrade package (#2266) * Move IAM migration client to cloudcmd package * Move Terraform Cluster upgrade client to cloudcmd package * Use hcl for creating Terraform IAM variables files * Unify terraform upgrade code * Rename some cloudcmd files for better clarity --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-08-23 04:35:42 -04:00			`type iamUpgradeApplyCmd struct {`
			`fileHandler file.Handler`
			`configFetcher attestationconfigapi.Fetcher`
			`log debugLog`
			`}`

cli: add `iam upgrade apply` (#2132) * add new iam upgrade apply * remove iam tf plan from upgrade apply check * add iam migration warning to upgrade apply * update release process * document migration * Apply suggestions from code review Co-authored-by: Otto Bittner <cobittner@posteo.net> * add iam upgrade * remove upgrade dir check in test * ask only without --yes * make iam upgrade provider specific * test without seperate logins * remove csi and only add conditionally * Revert "test without seperate logins" This reverts commit 05a12e59c9fdaa753b0dfa02c9196437743852bf. * fix msising cred * support iam migration for all csps * add iam upgrade label --------- Co-authored-by: Otto Bittner <cobittner@posteo.net> 2023-07-26 11:29:03 -04:00			`func runIAMUpgradeApply(cmd *cobra.Command, _ []string) error {`
			`force, err := cmd.Flags().GetBool("force")`
			`if err != nil {`
			`return fmt.Errorf("parsing force argument: %w", err)`
			`}`
			`fileHandler := file.NewHandler(afero.NewOsFs())`
			`configFetcher := attestationconfigapi.NewFetcher()`
cli: move helm and terraform out of kubernetes package (#2222) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-08-16 03:59:32 -04:00
			`upgradeID := generateUpgradeID(upgradeCmdKindIAM)`
cli: remove/refactor upgrade package (#2266) * Move IAM migration client to cloudcmd package * Move Terraform Cluster upgrade client to cloudcmd package * Use hcl for creating Terraform IAM variables files * Unify terraform upgrade code * Rename some cloudcmd files for better clarity --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-08-23 04:35:42 -04:00			`upgradeDir := filepath.Join(constants.UpgradeDir, upgradeID)`
			`iamMigrateCmd, err := cloudcmd.NewIAMUpgrader(`
			`cmd.Context(),`
			`constants.TerraformIAMWorkingDir,`
			`upgradeDir,`
			`terraform.LogLevelDebug,`
			`fileHandler,`
			`)`
cli: add `iam upgrade apply` (#2132) * add new iam upgrade apply * remove iam tf plan from upgrade apply check * add iam migration warning to upgrade apply * update release process * document migration * Apply suggestions from code review Co-authored-by: Otto Bittner <cobittner@posteo.net> * add iam upgrade * remove upgrade dir check in test * ask only without --yes * make iam upgrade provider specific * test without seperate logins * remove csi and only add conditionally * Revert "test without seperate logins" This reverts commit 05a12e59c9fdaa753b0dfa02c9196437743852bf. * fix msising cred * support iam migration for all csps * add iam upgrade label --------- Co-authored-by: Otto Bittner <cobittner@posteo.net> 2023-07-26 11:29:03 -04:00			`if err != nil {`
			`return fmt.Errorf("setting up IAM migration command: %w", err)`
			`}`

			`log, err := newCLILogger(cmd)`
			`if err != nil {`
			`return fmt.Errorf("setting up logger: %w", err)`
			`}`

			`yes, err := cmd.Flags().GetBool("yes")`
			`if err != nil {`
			`return err`
			`}`
cli: remove/refactor upgrade package (#2266) * Move IAM migration client to cloudcmd package * Move Terraform Cluster upgrade client to cloudcmd package * Use hcl for creating Terraform IAM variables files * Unify terraform upgrade code * Rename some cloudcmd files for better clarity --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-08-23 04:35:42 -04:00
			`i := iamUpgradeApplyCmd{`
			`fileHandler: fileHandler,`
			`configFetcher: configFetcher,`
			`log: log,`
			`}`

			`return i.iamUpgradeApply(cmd, iamMigrateCmd, upgradeDir, force, yes)`
			`}`

			`func (i iamUpgradeApplyCmd) iamUpgradeApply(cmd *cobra.Command, iamUpgrader iamUpgrader, upgradeDir string, force, yes bool) error {`
			`conf, err := config.New(i.fileHandler, constants.ConfigFilename, i.configFetcher, force)`
			`var configValidationErr *config.ValidationError`
			`if errors.As(err, &configValidationErr) {`
			`cmd.PrintErrln(configValidationErr.LongMessage())`
			`}`
			`if err != nil {`
			`return err`
			`}`

			`vars, err := cloudcmd.TerraformIAMUpgradeVars(conf, i.fileHandler)`
			`if err != nil {`
			`return fmt.Errorf("getting terraform variables: %w", err)`
			`}`
			`hasDiff, err := iamUpgrader.PlanIAMUpgrade(cmd.Context(), cmd.OutOrStderr(), vars, conf.GetProvider())`
			`if err != nil {`
			`return err`
			`}`
			`if !hasDiff && !force {`
			`cmd.Println("No IAM migrations necessary.")`
			`return nil`
			`}`

			`// If there are any Terraform migrations to apply, ask for confirmation`
			`cmd.Println("The IAM upgrade requires a migration by applying an updated Terraform template. Please manually review the suggested changes.")`
			`if !yes {`
			`ok, err := askToConfirm(cmd, "Do you want to apply the IAM upgrade?")`
			`if err != nil {`
			`return fmt.Errorf("asking for confirmation: %w", err)`
			`}`
			`if !ok {`
			`cmd.Println("Aborting upgrade.")`
			`// Remove the upgrade directory`
			`if err := i.fileHandler.RemoveAll(upgradeDir); err != nil {`
			`return fmt.Errorf("cleaning up upgrade directory %s: %w", upgradeDir, err)`
			`}`
			`return errors.New("IAM upgrade aborted by user")`
			`}`
			`}`
			`i.log.Debugf("Applying Terraform IAM migrations")`
			`if err := iamUpgrader.ApplyIAMUpgrade(cmd.Context(), conf.GetProvider()); err != nil {`
			`return fmt.Errorf("applying terraform migrations: %w", err)`
cli: add `iam upgrade apply` (#2132) * add new iam upgrade apply * remove iam tf plan from upgrade apply check * add iam migration warning to upgrade apply * update release process * document migration * Apply suggestions from code review Co-authored-by: Otto Bittner <cobittner@posteo.net> * add iam upgrade * remove upgrade dir check in test * ask only without --yes * make iam upgrade provider specific * test without seperate logins * remove csi and only add conditionally * Revert "test without seperate logins" This reverts commit 05a12e59c9fdaa753b0dfa02c9196437743852bf. * fix msising cred * support iam migration for all csps * add iam upgrade label --------- Co-authored-by: Otto Bittner <cobittner@posteo.net> 2023-07-26 11:29:03 -04:00			`}`
cli: move helm and terraform out of kubernetes package (#2222) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-08-16 03:59:32 -04:00
cli: add `iam upgrade apply` (#2132) * add new iam upgrade apply * remove iam tf plan from upgrade apply check * add iam migration warning to upgrade apply * update release process * document migration * Apply suggestions from code review Co-authored-by: Otto Bittner <cobittner@posteo.net> * add iam upgrade * remove upgrade dir check in test * ask only without --yes * make iam upgrade provider specific * test without seperate logins * remove csi and only add conditionally * Revert "test without seperate logins" This reverts commit 05a12e59c9fdaa753b0dfa02c9196437743852bf. * fix msising cred * support iam migration for all csps * add iam upgrade label --------- Co-authored-by: Otto Bittner <cobittner@posteo.net> 2023-07-26 11:29:03 -04:00			`cmd.Println("IAM profile successfully applied.")`
cli: remove/refactor upgrade package (#2266) * Move IAM migration client to cloudcmd package * Move Terraform Cluster upgrade client to cloudcmd package * Use hcl for creating Terraform IAM variables files * Unify terraform upgrade code * Rename some cloudcmd files for better clarity --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-08-23 04:35:42 -04:00
cli: add `iam upgrade apply` (#2132) * add new iam upgrade apply * remove iam tf plan from upgrade apply check * add iam migration warning to upgrade apply * update release process * document migration * Apply suggestions from code review Co-authored-by: Otto Bittner <cobittner@posteo.net> * add iam upgrade * remove upgrade dir check in test * ask only without --yes * make iam upgrade provider specific * test without seperate logins * remove csi and only add conditionally * Revert "test without seperate logins" This reverts commit 05a12e59c9fdaa753b0dfa02c9196437743852bf. * fix msising cred * support iam migration for all csps * add iam upgrade label --------- Co-authored-by: Otto Bittner <cobittner@posteo.net> 2023-07-26 11:29:03 -04:00			`return nil`
			`}`
cli: remove/refactor upgrade package (#2266) * Move IAM migration client to cloudcmd package * Move Terraform Cluster upgrade client to cloudcmd package * Use hcl for creating Terraform IAM variables files * Unify terraform upgrade code * Rename some cloudcmd files for better clarity --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-08-23 04:35:42 -04:00
			`type iamUpgrader interface {`
			`PlanIAMUpgrade(ctx context.Context, outWriter io.Writer, vars terraform.Variables, csp cloudprovider.Provider) (bool, error)`
			`ApplyIAMUpgrade(ctx context.Context, csp cloudprovider.Provider) error`
			`}`