2014-06-24 04:01:57 +02:00
|
|
|
package aws
|
|
|
|
|
|
|
|
import (
|
2014-07-30 00:22:37 +02:00
|
|
|
"fmt"
|
2014-11-21 17:58:34 +01:00
|
|
|
"log"
|
2015-12-10 22:43:13 +01:00
|
|
|
"net/http"
|
|
|
|
"os"
|
2015-04-20 00:54:42 +02:00
|
|
|
"strings"
|
2015-12-10 22:43:13 +01:00
|
|
|
"time"
|
2014-06-24 04:01:57 +02:00
|
|
|
|
2015-10-22 20:03:25 +02:00
|
|
|
"github.com/hashicorp/go-cleanhttp"
|
2015-09-28 03:58:48 +02:00
|
|
|
"github.com/hashicorp/go-multierror"
|
2015-02-12 17:48:48 +01:00
|
|
|
|
2016-02-07 22:40:51 +01:00
|
|
|
"crypto/tls"
|
|
|
|
|
2015-06-03 20:36:57 +02:00
|
|
|
"github.com/aws/aws-sdk-go/aws"
|
2015-07-14 23:39:50 +02:00
|
|
|
"github.com/aws/aws-sdk-go/aws/awserr"
|
2015-12-10 22:43:13 +01:00
|
|
|
awsCredentials "github.com/aws/aws-sdk-go/aws/credentials"
|
|
|
|
"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
|
|
|
|
"github.com/aws/aws-sdk-go/aws/ec2metadata"
|
2015-10-30 00:52:10 +01:00
|
|
|
"github.com/aws/aws-sdk-go/aws/session"
|
2015-06-03 20:36:57 +02:00
|
|
|
"github.com/aws/aws-sdk-go/service/autoscaling"
|
2015-07-07 09:00:05 +02:00
|
|
|
"github.com/aws/aws-sdk-go/service/cloudformation"
|
2015-08-28 00:11:56 +02:00
|
|
|
"github.com/aws/aws-sdk-go/service/cloudtrail"
|
2015-06-07 11:23:32 +02:00
|
|
|
"github.com/aws/aws-sdk-go/service/cloudwatch"
|
2016-01-29 20:13:52 +01:00
|
|
|
"github.com/aws/aws-sdk-go/service/cloudwatchevents"
|
2015-09-16 23:02:28 +02:00
|
|
|
"github.com/aws/aws-sdk-go/service/cloudwatchlogs"
|
2015-10-30 22:35:16 +01:00
|
|
|
"github.com/aws/aws-sdk-go/service/codecommit"
|
2015-07-19 06:09:00 +02:00
|
|
|
"github.com/aws/aws-sdk-go/service/codedeploy"
|
2015-09-13 18:57:58 +02:00
|
|
|
"github.com/aws/aws-sdk-go/service/directoryservice"
|
2015-06-04 02:12:41 +02:00
|
|
|
"github.com/aws/aws-sdk-go/service/dynamodb"
|
2015-06-03 20:36:57 +02:00
|
|
|
"github.com/aws/aws-sdk-go/service/ec2"
|
2015-12-22 16:31:30 +01:00
|
|
|
"github.com/aws/aws-sdk-go/service/ecr"
|
2015-05-04 23:48:09 +02:00
|
|
|
"github.com/aws/aws-sdk-go/service/ecs"
|
2015-06-02 22:19:50 +02:00
|
|
|
"github.com/aws/aws-sdk-go/service/efs"
|
2015-06-03 20:36:57 +02:00
|
|
|
"github.com/aws/aws-sdk-go/service/elasticache"
|
2015-10-02 00:12:46 +02:00
|
|
|
elasticsearch "github.com/aws/aws-sdk-go/service/elasticsearchservice"
|
2015-06-03 20:36:57 +02:00
|
|
|
"github.com/aws/aws-sdk-go/service/elb"
|
2015-11-09 23:26:55 +01:00
|
|
|
"github.com/aws/aws-sdk-go/service/firehose"
|
2015-09-03 23:57:56 +02:00
|
|
|
"github.com/aws/aws-sdk-go/service/glacier"
|
2015-06-03 20:36:57 +02:00
|
|
|
"github.com/aws/aws-sdk-go/service/iam"
|
|
|
|
"github.com/aws/aws-sdk-go/service/kinesis"
|
2015-06-09 21:12:47 +02:00
|
|
|
"github.com/aws/aws-sdk-go/service/lambda"
|
2015-05-11 05:20:17 +02:00
|
|
|
"github.com/aws/aws-sdk-go/service/opsworks"
|
2015-06-03 20:36:57 +02:00
|
|
|
"github.com/aws/aws-sdk-go/service/rds"
|
2015-11-11 21:51:46 +01:00
|
|
|
"github.com/aws/aws-sdk-go/service/redshift"
|
2015-06-03 20:36:57 +02:00
|
|
|
"github.com/aws/aws-sdk-go/service/route53"
|
|
|
|
"github.com/aws/aws-sdk-go/service/s3"
|
|
|
|
"github.com/aws/aws-sdk-go/service/sns"
|
|
|
|
"github.com/aws/aws-sdk-go/service/sqs"
|
2014-06-24 04:01:57 +02:00
|
|
|
)
|
|
|
|
|
|
|
|
type Config struct {
|
2016-01-11 16:22:09 +01:00
|
|
|
AccessKey string
|
|
|
|
SecretKey string
|
|
|
|
CredsFilename string
|
|
|
|
Profile string
|
|
|
|
Token string
|
|
|
|
Region string
|
|
|
|
MaxRetries int
|
2015-04-20 00:54:42 +02:00
|
|
|
|
|
|
|
AllowedAccountIds []interface{}
|
|
|
|
ForbiddenAccountIds []interface{}
|
2015-07-22 23:57:29 +02:00
|
|
|
|
|
|
|
DynamoDBEndpoint string
|
2015-09-16 18:58:46 +02:00
|
|
|
KinesisEndpoint string
|
2016-02-07 22:40:51 +01:00
|
|
|
Ec2Endpoint string
|
|
|
|
IamEndpoint string
|
|
|
|
ElbEndpoint string
|
|
|
|
Insecure bool
|
2014-11-21 17:58:34 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
type AWSClient struct {
|
2016-01-29 20:13:52 +01:00
|
|
|
cfconn *cloudformation.CloudFormation
|
|
|
|
cloudtrailconn *cloudtrail.CloudTrail
|
|
|
|
cloudwatchconn *cloudwatch.CloudWatch
|
|
|
|
cloudwatchlogsconn *cloudwatchlogs.CloudWatchLogs
|
|
|
|
cloudwatcheventsconn *cloudwatchevents.CloudWatchEvents
|
|
|
|
dsconn *directoryservice.DirectoryService
|
|
|
|
dynamodbconn *dynamodb.DynamoDB
|
|
|
|
ec2conn *ec2.EC2
|
|
|
|
ecrconn *ecr.ECR
|
|
|
|
ecsconn *ecs.ECS
|
|
|
|
efsconn *efs.EFS
|
|
|
|
elbconn *elb.ELB
|
|
|
|
esconn *elasticsearch.ElasticsearchService
|
|
|
|
autoscalingconn *autoscaling.AutoScaling
|
|
|
|
s3conn *s3.S3
|
|
|
|
sqsconn *sqs.SQS
|
|
|
|
snsconn *sns.SNS
|
|
|
|
redshiftconn *redshift.Redshift
|
|
|
|
r53conn *route53.Route53
|
|
|
|
region string
|
|
|
|
rdsconn *rds.RDS
|
|
|
|
iamconn *iam.IAM
|
|
|
|
kinesisconn *kinesis.Kinesis
|
|
|
|
firehoseconn *firehose.Firehose
|
|
|
|
elasticacheconn *elasticache.ElastiCache
|
|
|
|
lambdaconn *lambda.Lambda
|
|
|
|
opsworksconn *opsworks.OpsWorks
|
|
|
|
glacierconn *glacier.Glacier
|
|
|
|
codedeployconn *codedeploy.CodeDeploy
|
|
|
|
codecommitconn *codecommit.CodeCommit
|
2014-11-21 17:58:34 +01:00
|
|
|
}
|
|
|
|
|
2015-07-22 23:57:29 +02:00
|
|
|
// Client configures and returns a fully initialized AWSClient
|
2014-11-21 17:58:34 +01:00
|
|
|
func (c *Config) Client() (interface{}, error) {
|
|
|
|
var client AWSClient
|
|
|
|
|
|
|
|
// Get the auth and region. This can fail if keys/regions were not
|
|
|
|
// specified and we're attempting to use the environment.
|
|
|
|
var errs []error
|
|
|
|
|
|
|
|
log.Println("[INFO] Building AWS region structure")
|
2015-03-13 15:42:50 +01:00
|
|
|
err := c.ValidateRegion()
|
2014-11-21 17:58:34 +01:00
|
|
|
if err != nil {
|
|
|
|
errs = append(errs, err)
|
|
|
|
}
|
|
|
|
|
|
|
|
if len(errs) == 0 {
|
2015-02-19 22:38:56 +01:00
|
|
|
// store AWS region in client struct, for region specific operations such as
|
|
|
|
// bucket storage in S3
|
|
|
|
client.region = c.Region
|
2015-02-20 15:55:54 +01:00
|
|
|
|
2015-03-13 15:42:50 +01:00
|
|
|
log.Println("[INFO] Building AWS auth structure")
|
2016-01-11 16:22:09 +01:00
|
|
|
creds := getCreds(c.AccessKey, c.SecretKey, c.Token, c.Profile, c.CredsFilename)
|
2015-12-10 22:43:13 +01:00
|
|
|
// Call Get to check for credential provider. If nothing found, we'll get an
|
|
|
|
// error, and we can present it nicely to the user
|
|
|
|
_, err = creds.Get()
|
|
|
|
if err != nil {
|
2016-01-27 23:30:03 +01:00
|
|
|
if awsErr, ok := err.(awserr.Error); ok && awsErr.Code() == "NoCredentialProviders" {
|
|
|
|
errs = append(errs, fmt.Errorf(`No valid credential sources found for AWS Provider.
|
|
|
|
Please see https://terraform.io/docs/providers/aws/index.html for more information on
|
|
|
|
providing credentials for the AWS Provider`))
|
|
|
|
} else {
|
|
|
|
errs = append(errs, fmt.Errorf("Error loading credentials for AWS Provider: %s", err))
|
|
|
|
}
|
2015-12-10 22:43:13 +01:00
|
|
|
return nil, &multierror.Error{Errors: errs}
|
|
|
|
}
|
2015-04-16 22:02:04 +02:00
|
|
|
awsConfig := &aws.Config{
|
|
|
|
Credentials: creds,
|
2015-07-28 22:29:46 +02:00
|
|
|
Region: aws.String(c.Region),
|
|
|
|
MaxRetries: aws.Int(c.MaxRetries),
|
2015-10-22 20:03:25 +02:00
|
|
|
HTTPClient: cleanhttp.DefaultClient(),
|
2015-04-13 21:01:41 +02:00
|
|
|
}
|
|
|
|
|
2016-02-07 22:40:51 +01:00
|
|
|
if c.Insecure {
|
|
|
|
transport := awsConfig.HTTPClient.Transport.(*http.Transport)
|
|
|
|
transport.TLSClientConfig = &tls.Config{
|
|
|
|
InsecureSkipVerify: true,
|
|
|
|
}
|
|
|
|
}
|
2015-12-11 16:27:49 +01:00
|
|
|
|
2015-07-14 23:39:50 +02:00
|
|
|
log.Println("[INFO] Initializing IAM Connection")
|
2015-10-30 00:52:10 +01:00
|
|
|
sess := session.New(awsConfig)
|
2015-12-11 16:27:49 +01:00
|
|
|
|
2016-02-07 22:40:51 +01:00
|
|
|
awsIamConfig := *awsConfig
|
|
|
|
awsIamConfig.Endpoint = aws.String(c.IamEndpoint)
|
2015-12-11 16:27:49 +01:00
|
|
|
|
2016-02-07 22:40:51 +01:00
|
|
|
awsIamSess := session.New(&awsIamConfig)
|
|
|
|
client.iamconn = iam.New(awsIamSess)
|
2015-07-14 23:39:50 +02:00
|
|
|
|
2015-12-10 22:43:13 +01:00
|
|
|
err = c.ValidateCredentials(client.iamconn)
|
2015-07-14 23:39:50 +02:00
|
|
|
if err != nil {
|
|
|
|
errs = append(errs, err)
|
2015-04-13 21:01:41 +02:00
|
|
|
}
|
2015-07-30 17:21:03 +02:00
|
|
|
|
2015-05-10 10:52:40 +02:00
|
|
|
// Some services exist only in us-east-1, e.g. because they manage
|
|
|
|
// resources that can span across multiple regions, or because
|
|
|
|
// signature format v4 requires region to be us-east-1 for global
|
|
|
|
// endpoints:
|
|
|
|
// http://docs.aws.amazon.com/general/latest/gr/sigv4_changes.html
|
|
|
|
usEast1AwsConfig := &aws.Config{
|
|
|
|
Credentials: creds,
|
|
|
|
Region: aws.String("us-east-1"),
|
|
|
|
MaxRetries: aws.Int(c.MaxRetries),
|
2015-10-22 20:03:25 +02:00
|
|
|
HTTPClient: cleanhttp.DefaultClient(),
|
2015-05-10 10:52:40 +02:00
|
|
|
}
|
2015-10-30 00:52:10 +01:00
|
|
|
usEast1Sess := session.New(usEast1AwsConfig)
|
2015-04-13 21:01:41 +02:00
|
|
|
|
2015-09-16 18:58:46 +02:00
|
|
|
awsDynamoDBConfig := *awsConfig
|
|
|
|
awsDynamoDBConfig.Endpoint = aws.String(c.DynamoDBEndpoint)
|
|
|
|
|
2015-06-04 02:05:02 +02:00
|
|
|
log.Println("[INFO] Initializing DynamoDB connection")
|
2015-10-30 00:52:10 +01:00
|
|
|
dynamoSess := session.New(&awsDynamoDBConfig)
|
|
|
|
client.dynamodbconn = dynamodb.New(dynamoSess)
|
2015-06-04 02:05:02 +02:00
|
|
|
|
2015-04-16 22:02:04 +02:00
|
|
|
log.Println("[INFO] Initializing ELB connection")
|
2016-02-07 22:40:51 +01:00
|
|
|
awsElbConfig := *awsConfig
|
|
|
|
awsElbConfig.Endpoint = aws.String(c.ElbEndpoint)
|
2015-12-11 16:27:49 +01:00
|
|
|
|
2016-02-07 22:40:51 +01:00
|
|
|
awsElbSess := session.New(&awsElbConfig)
|
2015-12-11 16:27:49 +01:00
|
|
|
|
2016-02-07 22:40:51 +01:00
|
|
|
client.elbconn = elb.New(awsElbSess)
|
2015-04-14 23:41:36 +02:00
|
|
|
|
2014-11-21 17:58:34 +01:00
|
|
|
log.Println("[INFO] Initializing S3 connection")
|
2015-10-30 00:52:10 +01:00
|
|
|
client.s3conn = s3.New(sess)
|
2015-02-20 15:55:54 +01:00
|
|
|
|
2015-05-12 23:34:10 +02:00
|
|
|
log.Println("[INFO] Initializing SQS connection")
|
2015-10-30 00:52:10 +01:00
|
|
|
client.sqsconn = sqs.New(sess)
|
2015-05-12 23:34:10 +02:00
|
|
|
|
2015-05-15 01:17:18 +02:00
|
|
|
log.Println("[INFO] Initializing SNS connection")
|
2015-10-30 00:52:10 +01:00
|
|
|
client.snsconn = sns.New(sess)
|
2015-05-15 01:17:18 +02:00
|
|
|
|
2015-04-16 22:02:04 +02:00
|
|
|
log.Println("[INFO] Initializing RDS Connection")
|
2015-10-30 00:52:10 +01:00
|
|
|
client.rdsconn = rds.New(sess)
|
2015-04-13 21:01:41 +02:00
|
|
|
|
2015-09-16 18:58:46 +02:00
|
|
|
awsKinesisConfig := *awsConfig
|
|
|
|
awsKinesisConfig.Endpoint = aws.String(c.KinesisEndpoint)
|
|
|
|
|
2015-05-27 21:17:26 +02:00
|
|
|
log.Println("[INFO] Initializing Kinesis Connection")
|
2015-10-30 00:52:10 +01:00
|
|
|
kinesisSess := session.New(&awsKinesisConfig)
|
|
|
|
client.kinesisconn = kinesis.New(kinesisSess)
|
2015-05-27 21:17:26 +02:00
|
|
|
|
2015-07-14 23:39:50 +02:00
|
|
|
authErr := c.ValidateAccountId(client.iamconn)
|
|
|
|
if authErr != nil {
|
|
|
|
errs = append(errs, authErr)
|
2015-04-20 00:54:42 +02:00
|
|
|
}
|
|
|
|
|
2015-11-09 23:26:55 +01:00
|
|
|
log.Println("[INFO] Initializing Kinesis Firehose Connection")
|
2015-11-10 17:24:33 +01:00
|
|
|
client.firehoseconn = firehose.New(sess)
|
2015-11-09 23:26:55 +01:00
|
|
|
|
2015-04-16 22:02:04 +02:00
|
|
|
log.Println("[INFO] Initializing AutoScaling connection")
|
2015-10-30 00:52:10 +01:00
|
|
|
client.autoscalingconn = autoscaling.New(sess)
|
2015-04-14 16:51:23 +02:00
|
|
|
|
2015-04-16 22:02:04 +02:00
|
|
|
log.Println("[INFO] Initializing EC2 Connection")
|
2015-12-11 16:27:49 +01:00
|
|
|
|
2016-02-07 22:40:51 +01:00
|
|
|
awsEc2Config := *awsConfig
|
|
|
|
awsEc2Config.Endpoint = aws.String(c.Ec2Endpoint)
|
2015-12-11 16:27:49 +01:00
|
|
|
|
2016-02-07 22:40:51 +01:00
|
|
|
awsEc2Sess := session.New(&awsEc2Config)
|
|
|
|
client.ec2conn = ec2.New(awsEc2Sess)
|
2015-04-14 16:51:23 +02:00
|
|
|
|
2015-12-22 16:31:30 +01:00
|
|
|
log.Println("[INFO] Initializing ECR Connection")
|
|
|
|
client.ecrconn = ecr.New(sess)
|
|
|
|
|
2015-05-04 23:48:09 +02:00
|
|
|
log.Println("[INFO] Initializing ECS Connection")
|
2015-10-30 00:52:10 +01:00
|
|
|
client.ecsconn = ecs.New(sess)
|
2015-05-04 23:48:09 +02:00
|
|
|
|
2015-06-02 22:19:50 +02:00
|
|
|
log.Println("[INFO] Initializing EFS Connection")
|
2015-10-30 00:52:10 +01:00
|
|
|
client.efsconn = efs.New(sess)
|
2015-06-02 22:19:50 +02:00
|
|
|
|
2015-10-02 00:12:46 +02:00
|
|
|
log.Println("[INFO] Initializing ElasticSearch Connection")
|
2015-10-30 00:52:10 +01:00
|
|
|
client.esconn = elasticsearch.New(sess)
|
2015-10-02 00:12:46 +02:00
|
|
|
|
2015-04-16 22:18:01 +02:00
|
|
|
log.Println("[INFO] Initializing Route 53 connection")
|
2015-10-30 00:52:10 +01:00
|
|
|
client.r53conn = route53.New(usEast1Sess)
|
2015-04-14 16:51:23 +02:00
|
|
|
|
2015-04-26 03:53:21 +02:00
|
|
|
log.Println("[INFO] Initializing Elasticache Connection")
|
2015-10-30 00:52:10 +01:00
|
|
|
client.elasticacheconn = elasticache.New(sess)
|
2015-06-01 18:33:22 +02:00
|
|
|
|
|
|
|
log.Println("[INFO] Initializing Lambda Connection")
|
2015-10-30 00:52:10 +01:00
|
|
|
client.lambdaconn = lambda.New(sess)
|
2015-06-07 11:23:32 +02:00
|
|
|
|
2015-07-07 09:00:05 +02:00
|
|
|
log.Println("[INFO] Initializing Cloudformation Connection")
|
2015-10-30 00:52:10 +01:00
|
|
|
client.cfconn = cloudformation.New(sess)
|
2015-07-07 09:00:05 +02:00
|
|
|
|
2015-06-07 11:23:32 +02:00
|
|
|
log.Println("[INFO] Initializing CloudWatch SDK connection")
|
2015-10-30 00:52:10 +01:00
|
|
|
client.cloudwatchconn = cloudwatch.New(sess)
|
2015-09-16 23:02:28 +02:00
|
|
|
|
2016-01-29 20:13:52 +01:00
|
|
|
log.Println("[INFO] Initializing CloudWatch Events connection")
|
|
|
|
client.cloudwatcheventsconn = cloudwatchevents.New(sess)
|
|
|
|
|
2015-08-28 00:11:56 +02:00
|
|
|
log.Println("[INFO] Initializing CloudTrail connection")
|
2015-10-30 00:52:10 +01:00
|
|
|
client.cloudtrailconn = cloudtrail.New(sess)
|
2015-08-28 00:11:56 +02:00
|
|
|
|
2015-09-16 23:02:28 +02:00
|
|
|
log.Println("[INFO] Initializing CloudWatch Logs connection")
|
2015-10-30 00:52:10 +01:00
|
|
|
client.cloudwatchlogsconn = cloudwatchlogs.New(sess)
|
2015-05-11 05:20:17 +02:00
|
|
|
|
|
|
|
log.Println("[INFO] Initializing OpsWorks Connection")
|
2015-10-30 00:52:10 +01:00
|
|
|
client.opsworksconn = opsworks.New(usEast1Sess)
|
2015-09-13 18:57:58 +02:00
|
|
|
|
|
|
|
log.Println("[INFO] Initializing Directory Service connection")
|
2015-10-30 00:52:10 +01:00
|
|
|
client.dsconn = directoryservice.New(sess)
|
2015-09-03 23:57:56 +02:00
|
|
|
|
|
|
|
log.Println("[INFO] Initializing Glacier connection")
|
2015-10-30 00:52:10 +01:00
|
|
|
client.glacierconn = glacier.New(sess)
|
2015-07-19 06:09:00 +02:00
|
|
|
|
|
|
|
log.Println("[INFO] Initializing CodeDeploy Connection")
|
2015-10-30 00:52:10 +01:00
|
|
|
client.codedeployconn = codedeploy.New(sess)
|
2015-10-30 22:35:16 +01:00
|
|
|
|
|
|
|
log.Println("[INFO] Initializing CodeCommit SDK connection")
|
2015-10-30 23:22:22 +01:00
|
|
|
client.codecommitconn = codecommit.New(usEast1Sess)
|
2015-11-11 21:51:46 +01:00
|
|
|
|
|
|
|
log.Println("[INFO] Initializing Redshift SDK connection")
|
|
|
|
client.redshiftconn = redshift.New(sess)
|
|
|
|
|
2014-11-21 17:58:34 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
if len(errs) > 0 {
|
|
|
|
return nil, &multierror.Error{Errors: errs}
|
|
|
|
}
|
|
|
|
|
|
|
|
return &client, nil
|
2014-06-24 04:01:57 +02:00
|
|
|
}
|
|
|
|
|
2015-04-27 20:06:49 +02:00
|
|
|
// ValidateRegion returns an error if the configured region is not a
|
|
|
|
// valid aws region and nil otherwise.
|
2015-03-13 15:42:50 +01:00
|
|
|
func (c *Config) ValidateRegion() error {
|
2016-01-11 22:46:53 +01:00
|
|
|
var regions = [12]string{"us-east-1", "us-west-2", "us-west-1", "eu-west-1",
|
2014-10-30 15:07:12 +01:00
|
|
|
"eu-central-1", "ap-southeast-1", "ap-southeast-2", "ap-northeast-1",
|
2016-01-11 22:46:53 +01:00
|
|
|
"ap-northeast-2", "sa-east-1", "cn-north-1", "us-gov-west-1"}
|
2014-07-30 00:22:37 +02:00
|
|
|
|
|
|
|
for _, valid := range regions {
|
|
|
|
if c.Region == valid {
|
2015-03-13 15:42:50 +01:00
|
|
|
return nil
|
2014-07-30 00:22:37 +02:00
|
|
|
}
|
|
|
|
}
|
2015-03-13 15:42:50 +01:00
|
|
|
return fmt.Errorf("Not a valid region: %s", c.Region)
|
2014-06-24 04:01:57 +02:00
|
|
|
}
|
2015-04-20 00:54:42 +02:00
|
|
|
|
2015-08-07 16:49:59 +02:00
|
|
|
// Validate credentials early and fail before we do any graph walking.
|
|
|
|
// In the case of an IAM role/profile with insuffecient privileges, fail
|
|
|
|
// silently
|
2015-07-14 23:39:50 +02:00
|
|
|
func (c *Config) ValidateCredentials(iamconn *iam.IAM) error {
|
|
|
|
_, err := iamconn.GetUser(nil)
|
2015-07-21 15:57:59 +02:00
|
|
|
|
|
|
|
if awsErr, ok := err.(awserr.Error); ok {
|
2015-08-07 16:49:59 +02:00
|
|
|
|
2015-08-07 18:55:44 +02:00
|
|
|
if awsErr.Code() == "AccessDenied" || awsErr.Code() == "ValidationError" {
|
2015-08-07 16:49:59 +02:00
|
|
|
log.Printf("[WARN] AccessDenied Error with iam.GetUser, assuming IAM profile")
|
|
|
|
// User may be an IAM instance profile, or otherwise IAM role without the
|
|
|
|
// GetUser permissions, so fail silently
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2015-07-21 15:57:59 +02:00
|
|
|
if awsErr.Code() == "SignatureDoesNotMatch" {
|
|
|
|
return fmt.Errorf("Failed authenticating with AWS: please verify credentials")
|
2015-07-14 23:39:50 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-07-21 15:57:59 +02:00
|
|
|
return err
|
2015-07-14 23:39:50 +02:00
|
|
|
}
|
|
|
|
|
2015-04-27 20:06:49 +02:00
|
|
|
// ValidateAccountId returns a context-specific error if the configured account
|
|
|
|
// id is explicitly forbidden or not authorised; and nil if it is authorised.
|
2015-04-20 00:54:42 +02:00
|
|
|
func (c *Config) ValidateAccountId(iamconn *iam.IAM) error {
|
|
|
|
if c.AllowedAccountIds == nil && c.ForbiddenAccountIds == nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
log.Printf("[INFO] Validating account ID")
|
|
|
|
|
|
|
|
out, err := iamconn.GetUser(nil)
|
2015-08-14 12:52:38 +02:00
|
|
|
|
2015-04-20 00:54:42 +02:00
|
|
|
if err != nil {
|
2015-08-17 02:13:23 +02:00
|
|
|
awsErr, _ := err.(awserr.Error)
|
|
|
|
if awsErr.Code() == "ValidationError" {
|
|
|
|
log.Printf("[WARN] ValidationError with iam.GetUser, assuming its an IAM profile")
|
|
|
|
// User may be an IAM instance profile, so fail silently.
|
|
|
|
// If it is an IAM instance profile
|
|
|
|
// validating account might be superfluous
|
2015-09-24 01:41:48 +02:00
|
|
|
return nil
|
2015-08-17 02:13:23 +02:00
|
|
|
} else {
|
|
|
|
return fmt.Errorf("Failed getting account ID from IAM: %s", err)
|
|
|
|
// return error if the account id is explicitly not authorised
|
|
|
|
}
|
2015-04-20 00:54:42 +02:00
|
|
|
}
|
|
|
|
|
2015-08-17 20:27:16 +02:00
|
|
|
account_id := strings.Split(*out.User.Arn, ":")[4]
|
2015-04-20 00:54:42 +02:00
|
|
|
|
|
|
|
if c.ForbiddenAccountIds != nil {
|
|
|
|
for _, id := range c.ForbiddenAccountIds {
|
|
|
|
if id == account_id {
|
|
|
|
return fmt.Errorf("Forbidden account ID (%s)", id)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if c.AllowedAccountIds != nil {
|
|
|
|
for _, id := range c.AllowedAccountIds {
|
|
|
|
if id == account_id {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return fmt.Errorf("Account ID not allowed (%s)", account_id)
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
2015-12-10 22:43:13 +01:00
|
|
|
|
|
|
|
// This function is responsible for reading credentials from the
|
|
|
|
// environment in the case that they're not explicitly specified
|
|
|
|
// in the Terraform configuration.
|
2016-01-11 16:22:09 +01:00
|
|
|
func getCreds(key, secret, token, profile, credsfile string) *awsCredentials.Credentials {
|
2015-12-10 22:43:13 +01:00
|
|
|
// build a chain provider, lazy-evaulated by aws-sdk
|
|
|
|
providers := []awsCredentials.Provider{
|
|
|
|
&awsCredentials.StaticProvider{Value: awsCredentials.Value{
|
|
|
|
AccessKeyID: key,
|
|
|
|
SecretAccessKey: secret,
|
|
|
|
SessionToken: token,
|
|
|
|
}},
|
|
|
|
&awsCredentials.EnvProvider{},
|
2016-01-11 16:22:09 +01:00
|
|
|
&awsCredentials.SharedCredentialsProvider{
|
|
|
|
Filename: credsfile,
|
|
|
|
Profile: profile,
|
|
|
|
},
|
2015-12-10 22:43:13 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// We only look in the EC2 metadata API if we can connect
|
|
|
|
// to the metadata service within a reasonable amount of time
|
|
|
|
metadataURL := os.Getenv("AWS_METADATA_URL")
|
|
|
|
if metadataURL == "" {
|
|
|
|
metadataURL = "http://169.254.169.254:80/latest"
|
|
|
|
}
|
|
|
|
c := http.Client{
|
|
|
|
Timeout: 100 * time.Millisecond,
|
|
|
|
}
|
|
|
|
|
|
|
|
r, err := c.Get(metadataURL)
|
2015-12-15 17:49:23 +01:00
|
|
|
// Flag to determine if we should add the EC2Meta data provider. Default false
|
2015-12-10 22:43:13 +01:00
|
|
|
var useIAM bool
|
|
|
|
if err == nil {
|
2015-12-15 17:49:23 +01:00
|
|
|
// AWS will add a "Server: EC2ws" header value for the metadata request. We
|
|
|
|
// check the headers for this value to ensure something else didn't just
|
|
|
|
// happent to be listening on that IP:Port
|
2015-12-10 22:43:13 +01:00
|
|
|
if r.Header["Server"] != nil && strings.Contains(r.Header["Server"][0], "EC2") {
|
|
|
|
useIAM = true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if useIAM {
|
|
|
|
log.Printf("[DEBUG] EC2 Metadata service found, adding EC2 Role Credential Provider")
|
|
|
|
providers = append(providers, &ec2rolecreds.EC2RoleProvider{
|
|
|
|
Client: ec2metadata.New(session.New(&aws.Config{
|
|
|
|
Endpoint: aws.String(metadataURL),
|
|
|
|
})),
|
|
|
|
})
|
|
|
|
} else {
|
|
|
|
log.Printf("[DEBUG] EC2 Metadata service not found, not adding EC2 Role Credential Provider")
|
|
|
|
}
|
|
|
|
return awsCredentials.NewChainCredentials(providers)
|
|
|
|
}
|