packer-cn/builder/amazon/common/access_config.go

package common

import (
	"fmt"
	"log"
	"os"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/credentials"
	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
	"github.com/aws/aws-sdk-go/aws/ec2metadata"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/hashicorp/packer/template/interpolate"
)

// AccessConfig is for common configuration related to AWS access
type AccessConfig struct {
	AccessKey         string `mapstructure:"access_key"`
	AssumeRoleArn     string `mapstructure:"assume_role_arn"`
	CustomEndpointEc2 string `mapstructure:"custom_endpoint_ec2"`
	ExternalID        string `mapstructure:"external_id"`
	MFACode           string `mapstructure:"mfa_code"`
	MFASerial         string `mapstructure:"mfa_serial"`
	ProfileName       string `mapstructure:"profile"`
	RawRegion         string `mapstructure:"region"`
	SecretKey         string `mapstructure:"secret_key"`
	SkipValidation    bool   `mapstructure:"skip_region_validation"`
	Token             string `mapstructure:"token"`
	session           *session.Session
}

// Config returns a valid aws.Config object for access to AWS services, or
// an error if the authentication and region couldn't be resolved
func (c *AccessConfig) Session() (*session.Session, error) {
	if c.session != nil {
		return c.session, nil
	}

	region, err := c.Region()
	if err != nil {
		return nil, err
	}

	if c.AssumeRoleArn != "" {
		var options []func(*stscreds.AssumeRoleProvider)
		if c.MFACode != "" {
			options = append(options, func(p *stscreds.AssumeRoleProvider) {
				p.SerialNumber = aws.String(c.MFASerial)
				p.TokenProvider = func() (string, error) {
					return c.MFACode, nil
				}
			})
		}
	}

	if c.ProfileName != "" {
		err := os.Setenv("AWS_PROFILE", c.ProfileName)
		if err != nil {
			log.Printf("Set env error: %s", err)
		}
	}

	config := aws.NewConfig().WithRegion(region).WithMaxRetries(11).WithCredentialsChainVerboseErrors(true)

	if c.CustomEndpointEc2 != "" {
		config.Endpoint = &c.CustomEndpointEc2
	}
	if c.AccessKey != "" {
		creds := credentials.NewChainCredentials(
			[]credentials.Provider{
				&credentials.StaticProvider{
					Value: credentials.Value{
						AccessKeyID:     c.AccessKey,
						SecretAccessKey: c.SecretKey,
						SessionToken:    c.Token,
					},
				},
			})
		config = config.WithCredentials(creds)
	}

	opts := session.Options{
		SharedConfigState: session.SharedConfigEnable,
		Config:            *config,
	}
	if c.MFACode != "" {
		opts.AssumeRoleTokenProvider = func() (string, error) {
			return c.MFACode, nil
		}
	}
	c.session, err = session.NewSessionWithOptions(opts)
	if err != nil {
		return nil, err
	}

	return c.session, nil
}

// Region returns the aws.Region object for access to AWS services, requesting
// the region from the instance metadata if possible.
func (c *AccessConfig) Region() (string, error) {
	if c.RawRegion != "" {
		if !c.SkipValidation {
			if valid := ValidateRegion(c.RawRegion); !valid {
				return "", fmt.Errorf("Not a valid region: %s", c.RawRegion)
			}
		}
		return c.RawRegion, nil
	}

	sess := session.New()
	ec2meta := ec2metadata.New(sess)
	identity, err := ec2meta.GetInstanceIdentityDocument()
	if err != nil {
		return "", err
	}
	return identity.Region, nil
}

func (c *AccessConfig) Prepare(ctx *interpolate.Context) []error {
	var errs []error
	if c.RawRegion != "" && !c.SkipValidation {
		if valid := ValidateRegion(c.RawRegion); !valid {
			errs = append(errs, fmt.Errorf("Unknown region: %s", c.RawRegion))
		}
	}

	if len(errs) > 0 {
		return errs
	}

	return nil
}
builder/amazon/common: AccessConfig for standard access config 2013-07-16 00:08:19 -04:00			`package common`

			`import (`
builder/amazon/chroot: boilerplate 2013-07-29 19:42:35 -04:00			`"fmt"`
I think this was the intention 2017-03-01 19:43:09 -05:00			`"log"`
			`"os"`
amazon/ebs: use new interpolation stuff 2015-05-27 14:35:56 -04:00
Migrate to new AWS repo 2015-06-03 17:13:52 -04:00			`"github.com/aws/aws-sdk-go/aws"`
			`"github.com/aws/aws-sdk-go/aws/credentials"`
builder/amazon: Support assume role with assume_role_arn This supports assuming a role when using profile or static credentials. 2017-02-26 11:24:34 -05:00			`"github.com/aws/aws-sdk-go/aws/credentials/stscreds"`
Create a session for EC2RoleProvider; prevents crash; fixes #3123 2016-02-19 20:10:05 -05:00			`"github.com/aws/aws-sdk-go/aws/ec2metadata"`
			`"github.com/aws/aws-sdk-go/aws/session"`
move packer to hashicorp 2017-04-04 16:39:01 -04:00			`"github.com/hashicorp/packer/template/interpolate"`
builder/amazon/common: AccessConfig for standard access config 2013-07-16 00:08:19 -04:00			`)`

			`// AccessConfig is for common configuration related to AWS access`
			`type AccessConfig struct {`
add an option custom_endpoint_ec2 for amazon builder, add a condition if vpc_id is empty don't add the parameter to the aws call 2017-05-17 12:45:20 -04:00			AccessKey string `mapstructure:"access_key"`
builder/amazon: Support assume role with assume_role_arn This supports assuming a role when using profile or static credentials. 2017-02-26 11:24:34 -05:00			AssumeRoleArn string `mapstructure:"assume_role_arn"`
			CustomEndpointEc2 string `mapstructure:"custom_endpoint_ec2"`
builder/amazon: Added MFA support 2017-02-27 13:44:07 -05:00			ExternalID string `mapstructure:"external_id"`
			MFACode string `mapstructure:"mfa_code"`
			MFASerial string `mapstructure:"mfa_serial"`
I think this was the intention 2017-03-01 19:43:09 -05:00			ProfileName string `mapstructure:"profile"`
			RawRegion string `mapstructure:"region"`
			SecretKey string `mapstructure:"secret_key"`
add an option custom_endpoint_ec2 for amazon builder, add a condition if vpc_id is empty don't add the parameter to the aws call 2017-05-17 12:45:20 -04:00			SkipValidation bool `mapstructure:"skip_region_validation"`
			Token string `mapstructure:"token"`
I think this was the intention 2017-03-01 19:43:09 -05:00			`session *session.Session`
builder/amazon/common: AccessConfig for standard access config 2013-07-16 00:08:19 -04:00			`}`

Migrate from mitchellh/goamz to awslabs/aws-sdk-go This commit moves the Amazon builders of Packer away from the Hashicorp fork of the goamz library to the official AWS SDK for Go, in order that third party plugins may depend on the more complete official library more easily. 2015-04-05 17:58:48 -04:00			`// Config returns a valid aws.Config object for access to AWS services, or`
			`// an error if the authentication and region couldn't be resolved`
I think this was the intention 2017-03-01 19:43:09 -05:00			`func (c AccessConfig) Session() (session.Session, error) {`
			`if c.session != nil {`
			`return c.session, nil`
			`}`
IAM Role Switching Adds initial IAM Role Switching support and support for AWS CLI Credential and Config files. See: https://github.com/mitchellh/packer/issues/3109 2016-02-01 19:55:59 -05:00
Migrate from mitchellh/goamz to awslabs/aws-sdk-go This commit moves the Amazon builders of Packer away from the Hashicorp fork of the goamz library to the official AWS SDK for Go, in order that third party plugins may depend on the more complete official library more easily. 2015-04-05 17:58:48 -04:00			`region, err := c.Region()`
			`if err != nil {`
			`return nil, err`
builder/amazon/common: save access/secret key from env [GH-434] 2013-09-18 16:59:23 -04:00			`}`
add an option custom_endpoint_ec2 for amazon builder, add a condition if vpc_id is empty don't add the parameter to the aws call 2017-05-17 12:45:20 -04:00
builder/amazon: Support assume role with assume_role_arn This supports assuming a role when using profile or static credentials. 2017-02-26 11:24:34 -05:00			`if c.AssumeRoleArn != "" {`
I think this was the intention 2017-03-01 19:43:09 -05:00			`var options []func(*stscreds.AssumeRoleProvider)`
builder/amazon: Added MFA support 2017-02-27 13:44:07 -05:00			`if c.MFACode != "" {`
I think this was the intention 2017-03-01 19:43:09 -05:00			`options = append(options, func(p *stscreds.AssumeRoleProvider) {`
builder/amazon: Added MFA support 2017-02-27 13:44:07 -05:00			`p.SerialNumber = aws.String(c.MFASerial)`
			`p.TokenProvider = func() (string, error) {`
			`return c.MFACode, nil`
			`}`
I think this was the intention 2017-03-01 19:43:09 -05:00			`})`
builder/amazon: Added MFA support 2017-02-27 13:44:07 -05:00			`}`
I think this was the intention 2017-03-01 19:43:09 -05:00			`}`
builder/amazon: Added MFA support 2017-02-27 13:44:07 -05:00
I think this was the intention 2017-03-01 19:43:09 -05:00			`if c.ProfileName != "" {`
			`err := os.Setenv("AWS_PROFILE", c.ProfileName)`
			`if err != nil {`
			`log.Printf("Set env error: %s", err)`
			`}`
			`}`

			`config := aws.NewConfig().WithRegion(region).WithMaxRetries(11).WithCredentialsChainVerboseErrors(true)`

aws: Drop undocumented option `profile` This was added in 883acb18fac2c732e7fdf05822959bb45977ed00 to support assume role and shared configuration file. This was never completed. 2017-03-06 11:10:39 -05:00			`if c.CustomEndpointEc2 != "" {`
			`config.Endpoint = &c.CustomEndpointEc2`
			`}`
I think this was the intention 2017-03-01 19:43:09 -05:00			`if c.AccessKey != "" {`
			`creds := credentials.NewChainCredentials(`
			`[]credentials.Provider{`
			`&credentials.StaticProvider{`
			`Value: credentials.Value{`
			`AccessKeyID: c.AccessKey,`
			`SecretAccessKey: c.SecretKey,`
			`SessionToken: c.Token,`
			`},`
			`},`
			`})`
			`config = config.WithCredentials(creds)`
			`}`
builder/amazon: Added MFA support 2017-02-27 13:44:07 -05:00
I think this was the intention 2017-03-01 19:43:09 -05:00			`opts := session.Options{`
			`SharedConfigState: session.SharedConfigEnable,`
			`Config: *config,`
builder/amazon: Support assume role with assume_role_arn This supports assuming a role when using profile or static credentials. 2017-02-26 11:24:34 -05:00			`}`
I think this was the intention 2017-03-01 19:43:09 -05:00			`if c.MFACode != "" {`
			`opts.AssumeRoleTokenProvider = func() (string, error) {`
			`return c.MFACode, nil`
			`}`
			`}`
			`c.session, err = session.NewSessionWithOptions(opts)`
			`if err != nil {`
			`return nil, err`
			`}`

			`return c.session, nil`
IAM Role Switching Adds initial IAM Role Switching support and support for AWS CLI Credential and Config files. See: https://github.com/mitchellh/packer/issues/3109 2016-02-01 19:55:59 -05:00			`}`

builder/amazon/chroot: boilerplate 2013-07-29 19:42:35 -04:00			`// Region returns the aws.Region object for access to AWS services, requesting`
			`// the region from the instance metadata if possible.`
Migrate from mitchellh/goamz to awslabs/aws-sdk-go This commit moves the Amazon builders of Packer away from the Hashicorp fork of the goamz library to the official AWS SDK for Go, in order that third party plugins may depend on the more complete official library more easily. 2015-04-05 17:58:48 -04:00			`func (c *AccessConfig) Region() (string, error) {`
builder/amazon/chroot: boilerplate 2013-07-29 19:42:35 -04:00			`if c.RawRegion != "" {`
changing if conditionals to be ! instead of == false 2016-06-07 09:21:43 -04:00			`if !c.SkipValidation {`
simplify some code 2017-03-28 21:29:55 -04:00			`if valid := ValidateRegion(c.RawRegion); !valid {`
Adding ability to skip region validation when using AWS 2016-06-06 14:17:12 -04:00			`return "", fmt.Errorf("Not a valid region: %s", c.RawRegion)`
			`}`
Migrate from mitchellh/goamz to awslabs/aws-sdk-go This commit moves the Amazon builders of Packer away from the Hashicorp fork of the goamz library to the official AWS SDK for Go, in order that third party plugins may depend on the more complete official library more easily. 2015-04-05 17:58:48 -04:00			`}`
			`return c.RawRegion, nil`
builder/amazon/chroot: boilerplate 2013-07-29 19:42:35 -04:00			`}`

builder/amazon: Cleaned up credential handeling This properly handles: - Preference between types of credential - Assume role via ECS Task Role 2017-02-25 14:08:53 -05:00			`sess := session.New()`
			`ec2meta := ec2metadata.New(sess)`
			`identity, err := ec2meta.GetInstanceIdentityDocument()`
builder/amazon/chroot: boilerplate 2013-07-29 19:42:35 -04:00			`if err != nil {`
Migrate from mitchellh/goamz to awslabs/aws-sdk-go This commit moves the Amazon builders of Packer away from the Hashicorp fork of the goamz library to the official AWS SDK for Go, in order that third party plugins may depend on the more complete official library more easily. 2015-04-05 17:58:48 -04:00			`return "", err`
builder/amazon/chroot: boilerplate 2013-07-29 19:42:35 -04:00			`}`
builder/amazon: Cleaned up credential handeling This properly handles: - Preference between types of credential - Assume role via ECS Task Role 2017-02-25 14:08:53 -05:00			`return identity.Region, nil`
builder/amazon/chroot: boilerplate 2013-07-29 19:42:35 -04:00			`}`

amazon/ebs: use new interpolation stuff 2015-05-27 14:35:56 -04:00			`func (c AccessConfig) Prepare(ctx interpolate.Context) []error {`
			`var errs []error`
changing if conditionals to be ! instead of == false 2016-06-07 09:21:43 -04:00			`if c.RawRegion != "" && !c.SkipValidation {`
simplify some code 2017-03-28 21:29:55 -04:00			`if valid := ValidateRegion(c.RawRegion); !valid {`
changing if conditionals to be ! instead of == false 2016-06-07 09:21:43 -04:00			`errs = append(errs, fmt.Errorf("Unknown region: %s", c.RawRegion))`
builder/amazon/chroot: boilerplate 2013-07-29 19:42:35 -04:00			`}`
			`}`

builder/amazon/common: access config uses template processing 2013-08-08 17:29:46 -04:00			`if len(errs) > 0 {`
			`return errs`
			`}`

builder/amazon/common: AccessConfig for standard access config 2013-07-16 00:08:19 -04:00			`return nil`
			`}`