Add ability to restrict which accounts can work with stacks

[petervandoros]

In order to provide extra safety and reduce the risk of applying non-production changes to production, this PR adds the ability to specify which accounts are allowed to work with specific stacks.

The behaviour can be summarised using the following example stack_master.yml file:

stack_defaults:
  allowed_accounts: '555555555'
stacks:
  us-east-1:
    myapp-vpc: # inherits allowed account 555555555
      template: myapp_vpc.rb
      tags:
        purpose: front-end
    myapp-db:
      template: myapp_db.rb
      allowed_accounts: # only these accounts
        - '1234567890'
        - '9876543210'
      tags:
        purpose: back-end
    myapp-web:
      template: myapp_web.rb
      allowed_accounts: [] # allow all accounts by overriding stack defaults
      tags:
        purpose: front-end
    myapp-redis:
      template: myapp_redis.rb
      allowed_accounts: '888888888' # only this account
      tags:
        purpose: back-end

Changes

• Add allowed_accounts stack definition property that lists the aws account IDs allowed to work with the stack
• Add a --skip-account-check flag to bypass the account checks
• Updated readme

[lukerobins]

Seems odd to pass a nil or empty variable to a function.

[stevehodgkiss]

Maybe if nil was the default value for allowed_accounts (in StackDefinition, indicating unspecified) the expected values would either be nil or an array of account IDs

[petervandoros]

Good idea. Done in b30dede.

[stevehodgkiss]

Looks good 👍

[viraptor]

This looks good.

[patrobinson]

Code looks good, I'm curious about the tests though...

[patrobinson]

From just reading this I'm still not entirely sure what the behaviour will be. Does it allow applying myapp-db to account 555555555 or not?

[petervandoros]

No it doesn't as the account IDs specified in the stack definition overrides the stack defaults.

I've reworded this section and example stack below. Let me know if it clarifies things.

See 4233345.

[patrobinson]

This method isn't necessary. If we don't specify a region the SDK does a lookup for us automatically.

[petervandoros]

You're right it does, however I added this method to ensure that a default region is used if it couldn't find a region from the environment. It's also the same as the CloudFormation driver class except for the default value.

This was me being more defensive, but happy to remove it if you think it'll be fine without it?

[patrobinson]

I think spec_helper already handles this

[petervandoros]

It doesn't handle this. The cucumber features do though.

[patrobinson]

Right you are

[patrobinson]

Shouldn't this test expect an error to be returned? If the account IDs don't match it shouldn't print the status?

[viraptor]

It's a got a special case now: Disallowed account | N/A.
It would not be great if it threw an error just because one stack is unavailable.

[petervandoros]

What @viraptor said.

Alternatively, I could leave them blank instead? I didn't go with that option because I thought it would be better to let the user know why no status is included for that stack.

[petervandoros]

Another option is to include SKIPPED for the status field and Disallowed account for different field.

[patrobinson]

Right I see. Are we able to have an integration test for when someone runs stack_master apply on a stack in the wrong account then? I thought that's what this was doing, but I didn't read the spec name 😆

[petervandoros]

Good idea. Added integration tests in f02603c.

[patrobinson]

Thanks