
Rewriting to use boto3

Open takeda opened this issue 6 years ago • 6 comments

The way my AWS accounts are set up (assumeRole + MFA) makes it impossible to use the old version of nixops. I initially tried to add an option to specify a profile, but it turns out that old boto doesn't seem to support this kind of setup (since it was introduced later on), and it mandated porting to boto3.

So this version works fine with assumeRole + MFA, and I also added an option to use the same cache that the aws command uses. That way you don't have to enter MFA for every single command.

Currently all of the commands that I used appear to be working, these are:

  • list
  • create
  • modify
  • delete
  • info
  • check
  • deploy
  • send-keys
  • destroy
  • stop
  • start
  • reboot
  • show-arguments
  • show-physical
  • ssh
  • ssh-for-each
  • scp
  • mount
  • rename
  • backup
  • backup-status
  • clean-backups
  • restore (you need to provide backup id, but it looks like that was unrelated to my change?).
  • show-option
  • list-generations
  • show-console-output
  • dump-nix-paths
  • export
  • edit

If you can, please test it (clone my branch and run nix-env -f release.nix -iA build.<your platform>). If there are still broken commands, let me know; otherwise perhaps this can be merged.

takeda avatar Sep 14 '19 18:09 takeda
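An added example, not code from the post above or from takeda's branch: one way to point boto3's assume-role provider at the cache the aws command uses, plus a stdlib-only audit of what that cache leaves on disk (expired entries, files readable by other users). The function names, the `~/.aws/cli/cache` default and the cache file layout (a `Credentials` object with an `Expiration` stamp) are assumptions, and the sample entries in `demo()` are constructed.

```python
import json
import os
import stat
import tempfile
from datetime import datetime, timezone

CLI_CACHE = os.path.expanduser("~/.aws/cli/cache")  # assumed default cache of the aws command

def session_with_cli_cache(profile, cache_dir=CLI_CACHE):
    """boto3 session for an assume-role (+MFA) profile that reuses the CLI's cache."""
    import boto3, botocore.session  # lazy: the audit below needs only the stdlib
    from botocore.credentials import JSONFileCache
    core = botocore.session.Session(profile=profile)
    provider = core.get_component("credential_provider").get_provider("assume-role")
    provider.cache = JSONFileCache(cache_dir)  # MFA prompt only when no valid entry is cached
    return boto3.Session(botocore_session=core)

def parse_expiry(text):
    # Assumption: the stamp ends in "Z", "UTC" or a numeric offset, depending on the writer.
    for suffix in ("UTC", "Z"):
        if text.endswith(suffix):
            text = text[:-len(suffix)] + "+00:00"
    stamp = datetime.fromisoformat(text)
    return stamp if stamp.tzinfo else stamp.replace(tzinfo=timezone.utc)

def audit_cache(cache_dir=CLI_CACHE, now=None):
    """For each cached entry: has it expired, and can group/other users read it?"""
    now = now or datetime.now(timezone.utc)
    report = []
    for name in sorted(n for n in os.listdir(cache_dir) if n.endswith(".json")):
        path = os.path.join(cache_dir, name)
        with open(path) as fh:
            expiry = parse_expiry(json.load(fh)["Credentials"]["Expiration"])
        mode = stat.S_IMODE(os.stat(path).st_mode)
        report.append({"file": name, "expired": expiry <= now,
                       "exposed": bool(mode & 0o077)})
    return report

def demo():
    """Run the audit over two constructed cache entries (no real credentials)."""
    now = datetime(2019, 9, 14, 18, 0, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as tmp:
        for name, expiry, mode in (("old.json", "2019-09-14T17:00:00UTC", 0o644),
                                   ("live.json", "2019-09-14T19:00:00Z", 0o600)):
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                json.dump({"Credentials": {"Expiration": expiry}}, fh)
            os.chmod(path, mode)
        return audit_cache(tmp, now)
```

Entries flagged `expired` can be deleted, and entries flagged `exposed` should be tightened to owner-only permissions, since each file holds a usable session token until its expiry.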

I'm currently looking into this, can't guarantee anything at this point but thought I'd mention it so as to avoid duplicate effort.

shmish111 avatar Sep 25 '19 17:09 shmish111

Any updates?

takeda avatar Oct 22 '19 19:10 takeda

Hi @takeda, unfortunately I decided not to do this as it was too much to take on at the time; however, I did do quite a bit of work and I believe a colleague is taking it on. Again, no guarantees, but if anyone else is considering working on this it is worth getting together; I can put you in touch.

FYI, I discovered that a lot of this was pretty simple and the authentication etc. just works with boto3; however, there were a lot of small details that were tricky, and I also went down the wrong path of using the non-OO API, whereas I think the conversion would be easier using the resources (the OO API).

shmish111 avatar Oct 23 '19 10:10 shmish111

@shmish111 the Resources API is incomplete and doesn't cover all calls (it's more about taking a given resource and then obtaining information about it, or performing simple actions). When working on it I preferred to use Resources, but in many places I absolutely had to use Client calls.

BTW, to give some background for people not familiar: the Client is the real AWS API; the code there is actually dynamically generated. The Resources are created by hand, and internally are implemented using the Client calls. Very often one Resource call will issue multiple Client calls. Resources also don't implement all functionality and are more about inspecting/performing operations on existing resources.

takeda avatar Oct 23 '19 16:10 takeda

:+1: @takeda Thanks for this!

wavewave avatar Oct 25 '19 06:10 wavewave