wallix / awless

A Mighty CLI for AWS
http://awless.io/
Apache License 2.0

Allow specifying a HostedZoneID when running `awless list records` #152

Open tokiwinter opened 6 years ago

tokiwinter commented 6 years ago

We use IAM instance roles and appropriate policy to restrict our ListResourceRecordSets operations to specific HostedZoneIDs.

I can't see a way to limit awless list records to a specific HostedZoneID (happy to be pointed in the right direction).

I've tried a few things, which I fully expected not to work, for example:

```
# awless list records --filter HostedZoneID=some_id
[error]   AccessDenied: User: arn:aws:sts::redacted:assumed-role/redacted/i-redacted is not authorized to perform: route53:ListResourceRecordSets on resource: arn:aws:route53:::hostedzone/some_other_id
    status code: 403, request id: redacted
# awless list records --filter hostedzone/HostedZoneID=some_id
[error]   AccessDenied: User: arn:aws:sts::redacted:assumed-role/redacted/i-redacted is not authorized to perform: route53:ListResourceRecordSets on resource: arn:aws:route53:::hostedzone/some_other_id
    status code: 403, request id: redacted
```

Is there any way to achieve this?

fxaguessy commented 6 years ago

Hello,

For now it is not possible in awless to filter the data you are fetching from AWS. The --filter flag is applied locally after having fetched all the resources from AWS. Moreover, for now, there is no Zone (nor HostedZoneId) property associated with records. So, it will be impossible to filter according to this property.

So, in order to fix this issue, we need to:

  1. Add the Zone property to records (this should already be in the model and is something easy to add).
  2. Support passing filters to fetchers, in order to fetch only the appropriate information from AWS (this will prevent the Access Denied error). This is something we want to add soon.

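An added illustration of the distinction drawn in the comment above; this is not awless code. It models, with a constructed in-memory stand-in for the Route 53 client and made-up zone IDs, an IAM policy that allows `route53:ListResourceRecordSets` on a single hosted zone. A tool that fetches every zone and applies the filter locally hits AccessDenied on the first zone it is not allowed to read, whereas a tool that passes the zone filter down to the fetcher only ever queries the permitted zone.

```python
"""Fetch-all-then-filter versus filter-pushed-to-fetcher under a per-zone
IAM policy. Everything here is a constructed stand-in: the policy, the zone
IDs, the records and the client are made up for the illustration."""
from dataclasses import dataclass, field

# Constructed sample policy (hypothetical zone ID): ListHostedZones is allowed
# everywhere, ListResourceRecordSets only on one hosted zone.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "route53:ListHostedZones", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": "route53:ListResourceRecordSets",
            "Resource": "arn:aws:route53:::hostedzone/ZALLOWED111",
        },
    ],
}

# Constructed sample account: two hosted zones, one record each.
ZONES = {
    "ZALLOWED111": [("app.example.com.", "A", "10.0.0.5")],
    "ZOTHER2222": [("internal.example.net.", "CNAME", "lb.example.net.")],
}


class AccessDenied(Exception):
    """Stands in for the AccessDenied error the real service returns."""


def _is_allowed(policy: dict, action: str, resource_arn: str) -> bool:
    """Minimal allow-only evaluation: a statement grants the call if its
    Action lists the action and its Resource is '*' or exactly the ARN.
    Deny statements, ARN wildcards and Condition blocks are not modelled."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if action in actions and any(r in ("*", resource_arn) for r in resources):
            return True
    return False


@dataclass
class FakeRoute53:
    """Hypothetical stand-in for a Route 53 client that checks POLICY on
    every call and records which calls were made."""
    policy: dict
    zones: dict
    calls: list = field(default_factory=list)

    def list_hosted_zones(self) -> list:
        self.calls.append("ListHostedZones")
        if not _is_allowed(self.policy, "route53:ListHostedZones", "*"):
            raise AccessDenied("not authorized to perform: route53:ListHostedZones")
        return list(self.zones)

    def list_resource_record_sets(self, hosted_zone_id: str) -> list:
        arn = f"arn:aws:route53:::hostedzone/{hosted_zone_id}"
        self.calls.append(f"ListResourceRecordSets {hosted_zone_id}")
        if not _is_allowed(self.policy, "route53:ListResourceRecordSets", arn):
            raise AccessDenied(f"not authorized to perform: route53:ListResourceRecordSets on resource: {arn}")
        # Tag each record with its zone so a local filter has something to match on.
        return [(name, rtype, value, hosted_zone_id) for name, rtype, value in self.zones[hosted_zone_id]]


def records_fetch_all_then_filter(client: FakeRoute53, wanted_zone: str) -> list:
    """What a locally applied filter does: fetch records from every zone,
    then keep the wanted ones. Raises AccessDenied as soon as the loop
    reaches a zone the policy does not permit."""
    records = []
    for zone_id in client.list_hosted_zones():
        records.extend(client.list_resource_record_sets(zone_id))
    return [r for r in records if r[3] == wanted_zone]


def records_filter_pushed_down(client: FakeRoute53, wanted_zone: str) -> list:
    """What passing the filter to the fetcher does: only the requested zone
    is queried, so the forbidden zone is never touched."""
    return client.list_resource_record_sets(wanted_zone)


if __name__ == "__main__":
    print(records_filter_pushed_down(FakeRoute53(POLICY, ZONES), "ZALLOWED111"))
    try:
        records_fetch_all_then_filter(FakeRoute53(POLICY, ZONES), "ZALLOWED111")
    except AccessDenied as err:
        print("fetch-all failed:", err)
```

The `calls` list on the stand-in client is the useful part for a defender: it shows that the pushed-down variant issues exactly one request, against the permitted zone, while the fetch-all variant enumerates zones and is stopped by the policy on the first one outside the allow list.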
tokiwinter commented 6 years ago

Thanks for the response. Sounds like a great plan. At the moment, I'm doing nasty things with the aws cli and jq to achieve what I want 🙂 I might just bite the bullet and write a piece of python using boto3 in the interim.

Kudos for an amazing tool btw. The inconsistencies of the aws cli are not fun to work with.

taraspos commented 6 years ago

@tokiwinter just for the record, with the aws cli you don't need to use jq, since you can filter results with the --query option.

Example: getting security group ids only: `aws ec2 describe-security-groups --query 'SecurityGroups[*].[GroupId]'`

tokiwinter commented 6 years ago

@Trane9991 - and that supports all the stuff I need like jq's select(), map(), contains() and so on?

taraspos commented 6 years ago

@tokiwinter hmmm... probably not. You can find some examples here: http://docs.aws.amazon.com/cli/latest/userguide/controlling-output.html

tokiwinter commented 6 years ago

@Trane9991 - looking at that, they head down the path of `... | grep ... | awk ... | ...`, so I think I'll stick with jq 🙂