packer-cn/builder/amazon/common/access_config.go

package common

import (
	"crypto/tls"
	"fmt"
	"log"
	"net/http"
	"strings"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/awserr"
	"github.com/aws/aws-sdk-go/aws/credentials"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/ec2"
	"github.com/aws/aws-sdk-go/service/ec2/ec2iface"
	cleanhttp "github.com/hashicorp/go-cleanhttp"
	commonhelper "github.com/hashicorp/packer/helper/common"
	"github.com/hashicorp/packer/template/interpolate"
)

// AccessConfig is for common configuration related to AWS access
type AccessConfig struct {
	AccessKey             string `mapstructure:"access_key"`
	CustomEndpointEc2     string `mapstructure:"custom_endpoint_ec2"`
	DecodeAuthZMessages   bool   `mapstructure:"decode_authorization_messages"`
	InsecureSkipTLSVerify bool   `mapstructure:"insecure_skip_tls_verify"`
	MFACode               string `mapstructure:"mfa_code"`
	ProfileName           string `mapstructure:"profile"`
	RawRegion             string `mapstructure:"region"`
	SecretKey             string `mapstructure:"secret_key"`
	SkipValidation        bool   `mapstructure:"skip_region_validation"`
	SkipMetadataApiCheck  bool   `mapstructure:"skip_metadata_api_check"`
	Token                 string `mapstructure:"token"`
	session               *session.Session

	getEC2Connection func() ec2iface.EC2API
}

// Config returns a valid aws.Config object for access to AWS services, or
// an error if the authentication and region couldn't be resolved
func (c *AccessConfig) Session() (*session.Session, error) {
	if c.session != nil {
		return c.session, nil
	}

	config := aws.NewConfig().WithCredentialsChainVerboseErrors(true)
	staticCreds := credentials.NewStaticCredentials(c.AccessKey, c.SecretKey, c.Token)
	if _, err := staticCreds.Get(); err != credentials.ErrStaticCredentialsEmpty {
		config.WithCredentials(staticCreds)
	}

	if c.RawRegion != "" {
		config = config.WithRegion(c.RawRegion)
	}

	if c.CustomEndpointEc2 != "" {
		config = config.WithEndpoint(c.CustomEndpointEc2)
	}

	if c.InsecureSkipTLSVerify {
		config := config.WithHTTPClient(cleanhttp.DefaultClient())
		transport := config.HTTPClient.Transport.(*http.Transport)
		transport.TLSClientConfig = &tls.Config{
			InsecureSkipVerify: true,
		}
	}

	opts := session.Options{
		SharedConfigState: session.SharedConfigEnable,
		Config:            *config,
	}

	if c.ProfileName != "" {
		opts.Profile = c.ProfileName
	}

	if c.MFACode != "" {
		opts.AssumeRoleTokenProvider = func() (string, error) {
			return c.MFACode, nil
		}
	}

	sess, err := session.NewSessionWithOptions(opts)
	if err != nil {
		return nil, err
	}
	log.Printf("Found region %s", *sess.Config.Region)
	c.session = sess

	cp, err := c.session.Config.Credentials.Get()
	if err != nil {
		if awsErr, ok := err.(awserr.Error); ok && awsErr.Code() == "NoCredentialProviders" {
			return nil, fmt.Errorf("No valid credential sources found for AWS Builder. " +
				"Please see https://www.packer.io/docs/builders/amazon.html#specifying-amazon-credentials " +
				"for more information on providing credentials for the AWS Builder.")
		} else {
			return nil, fmt.Errorf("Error loading credentials for AWS Provider: %s", err)
		}
	}
	log.Printf("[INFO] AWS Auth provider used: %q", cp.ProviderName)

	if c.DecodeAuthZMessages {
		DecodeAuthZMessages(c.session)
	}
	LogEnvOverrideWarnings()

	return c.session, nil
}

func (c *AccessConfig) SessionRegion() string {
	if c.session == nil {
		panic("access config session should be set.")
	}
	return aws.StringValue(c.session.Config.Region)
}

func (c *AccessConfig) IsGovCloud() bool {
	return strings.HasPrefix(c.SessionRegion(), "us-gov-")
}

func (c *AccessConfig) IsChinaCloud() bool {
	return strings.HasPrefix(c.SessionRegion(), "cn-")
}

func (c *AccessConfig) Prepare(ctx *interpolate.Context) []error {
	var errs []error

	if c.SkipMetadataApiCheck {
		log.Println("(WARN) skip_metadata_api_check ignored.")
	}
	// Either both access and secret key must be set or neither of them should
	// be.
	if (len(c.AccessKey) > 0) != (len(c.SecretKey) > 0) {
		errs = append(errs,
			fmt.Errorf("`access_key` and `secret_key` must both be either set or not set."))
	}

	return errs
}

func (c *AccessConfig) NewEC2Connection() (ec2iface.EC2API, error) {
	if c.getEC2Connection != nil {
		return c.getEC2Connection(), nil
	}
	sess, err := c.Session()
	if err != nil {
		return nil, err
	}

	ec2conn := ec2.New(sess, &aws.Config{
		HTTPClient: commonhelper.HttpClientWithEnvironmentProxy(),
	})

	return ec2conn, nil
}
builder/amazon/common: AccessConfig for standard access config 2013-07-16 00:08:19 -04:00			`package common`

			`import (`
amazon: add option for skipping TLS verification Signed-off-by: Mikhail Ushanov <gm.mephisto@gmail.com> 2017-10-27 09:32:23 -04:00			`"crypto/tls"`
builder/amazon/chroot: boilerplate 2013-07-29 19:42:35 -04:00			`"fmt"`
add support for profile 2017-06-09 14:24:30 -04:00			`"log"`
amazon: add option for skipping TLS verification Signed-off-by: Mikhail Ushanov <gm.mephisto@gmail.com> 2017-10-27 09:32:23 -04:00			`"net/http"`
Add volume and run tags if in us-gov/china We can't tag on instance creation when we're in "restricted" regions, so let's add the tags after the resources have been created. Adds methods to AccessConfig to detect if we're in China or US Gov regions (i.e. "restricted"). Also turns tag:tag maps into a type, and moves methods around validating and converting them to ec2Tags to methods of the type. 2018-02-02 23:16:23 -05:00			`"strings"`
amazon/ebs: use new interpolation stuff 2015-05-27 14:35:56 -04:00
Migrate to new AWS repo 2015-06-03 17:13:52 -04:00			`"github.com/aws/aws-sdk-go/aws"`
"borrow" access config code from terraform. This gives us a few benefits: * timeout early if metadata service can't be reached * report which auth provider we're using * give much better errors if something goes wrong 2018-01-04 18:04:07 -05:00			`"github.com/aws/aws-sdk-go/aws/awserr"`
Migrate to new AWS repo 2015-06-03 17:13:52 -04:00			`"github.com/aws/aws-sdk-go/aws/credentials"`
Create a session for EC2RoleProvider; prevents crash; fixes #3123 2016-02-19 20:10:05 -05:00			`"github.com/aws/aws-sdk-go/aws/session"`
Revert "Revert "Merge pull request #6892 from hashicorp/fix_6890"" This reverts commit 0cd3f36d50becb03fcb8fbfbe0d3061be0271856. 2018-10-23 12:58:27 -04:00			`"github.com/aws/aws-sdk-go/service/ec2"`
make ValidateRegion a member of *AccessConfig and make it variadic 2018-10-24 05:26:53 -04:00			`"github.com/aws/aws-sdk-go/service/ec2/ec2iface"`
name unclear import 2019-01-25 06:59:43 -05:00			`cleanhttp "github.com/hashicorp/go-cleanhttp"`
manually set proxyfromenvironment in default http client for ec2 sessions 2019-01-23 19:58:48 -05:00			`commonhelper "github.com/hashicorp/packer/helper/common"`
move packer to hashicorp 2017-04-04 16:39:01 -04:00			`"github.com/hashicorp/packer/template/interpolate"`
builder/amazon/common: AccessConfig for standard access config 2013-07-16 00:08:19 -04:00			`)`

			`// AccessConfig is for common configuration related to AWS access`
			`type AccessConfig struct {`
amazon: add option for skipping TLS verification Signed-off-by: Mikhail Ushanov <gm.mephisto@gmail.com> 2017-10-27 09:32:23 -04:00			AccessKey string `mapstructure:"access_key"`
			CustomEndpointEc2 string `mapstructure:"custom_endpoint_ec2"`
			DecodeAuthZMessages bool `mapstructure:"decode_authorization_messages"`
			InsecureSkipTLSVerify bool `mapstructure:"insecure_skip_tls_verify"`
			MFACode string `mapstructure:"mfa_code"`
			ProfileName string `mapstructure:"profile"`
			RawRegion string `mapstructure:"region"`
			SecretKey string `mapstructure:"secret_key"`
			SkipValidation bool `mapstructure:"skip_region_validation"`
			SkipMetadataApiCheck bool `mapstructure:"skip_metadata_api_check"`
			Token string `mapstructure:"token"`
			`session *session.Session`
make ValidateRegion a member of *AccessConfig and make it variadic 2018-10-24 05:26:53 -04:00
			`getEC2Connection func() ec2iface.EC2API`
builder/amazon/common: AccessConfig for standard access config 2013-07-16 00:08:19 -04:00			`}`

Migrate from mitchellh/goamz to awslabs/aws-sdk-go This commit moves the Amazon builders of Packer away from the Hashicorp fork of the goamz library to the official AWS SDK for Go, in order that third party plugins may depend on the more complete official library more easily. 2015-04-05 17:58:48 -04:00			`// Config returns a valid aws.Config object for access to AWS services, or`
			`// an error if the authentication and region couldn't be resolved`
I think this was the intention 2017-03-01 19:43:09 -05:00			`func (c AccessConfig) Session() (session.Session, error) {`
			`if c.session != nil {`
			`return c.session, nil`
			`}`
IAM Role Switching Adds initial IAM Role Switching support and support for AWS CLI Credential and Config files. See: https://github.com/mitchellh/packer/issues/3109 2016-02-01 19:55:59 -05:00
builder/amazon: Use sdk default cred providers I think we were overcomplicating things. The SDK provides the correct credential chain by default, so let's use that. This patch does a quick check for static credentials and uses those if found, then defaults to the default credential provider chain. This patch also removes the metadata timeout argument. Current versions of the SDK have short timeouts by default, so I don't believe this is needed. 2018-03-15 12:49:34 -04:00			`config := aws.NewConfig().WithCredentialsChainVerboseErrors(true)`
			`staticCreds := credentials.NewStaticCredentials(c.AccessKey, c.SecretKey, c.Token)`
			`if _, err := staticCreds.Get(); err != credentials.ErrStaticCredentialsEmpty {`
			`config.WithCredentials(staticCreds)`
"borrow" access config code from terraform. This gives us a few benefits: * timeout early if metadata service can't be reached * report which auth provider we're using * give much better errors if something goes wrong 2018-01-04 18:04:07 -05:00			`}`
Don't set region from metadata if profile is set. 2017-11-07 17:03:52 -05:00
aws: unwrap AccessConfig.region func * it was used only in the Session() call. * default region guessing from metadata should happen in the SDK, not 'manually' 2019-01-25 07:02:42 -05:00			`if c.RawRegion != "" {`
			`config = config.WithRegion(c.RawRegion)`
			`}`
I think this was the intention 2017-03-01 19:43:09 -05:00
aws: Drop undocumented option `profile` This was added in 883acb18fac2c732e7fdf05822959bb45977ed00 to support assume role and shared configuration file. This was never completed. 2017-03-06 11:10:39 -05:00			`if c.CustomEndpointEc2 != "" {`
bugfix 2017-06-09 14:01:27 -04:00			`config = config.WithEndpoint(c.CustomEndpointEc2)`
aws: Drop undocumented option `profile` This was added in 883acb18fac2c732e7fdf05822959bb45977ed00 to support assume role and shared configuration file. This was never completed. 2017-03-06 11:10:39 -05:00			`}`
with wrapping 2017-06-09 13:46:01 -04:00
amazon: add option for skipping TLS verification Signed-off-by: Mikhail Ushanov <gm.mephisto@gmail.com> 2017-10-27 09:32:23 -04:00			`if c.InsecureSkipTLSVerify {`
			`config := config.WithHTTPClient(cleanhttp.DefaultClient())`
			`transport := config.HTTPClient.Transport.(*http.Transport)`
			`transport.TLSClientConfig = &tls.Config{`
			`InsecureSkipVerify: true,`
			`}`
			`}`

I think this was the intention 2017-03-01 19:43:09 -05:00			`opts := session.Options{`
			`SharedConfigState: session.SharedConfigEnable,`
			`Config: *config,`
builder/amazon: Support assume role with assume_role_arn This supports assuming a role when using profile or static credentials. 2017-02-26 11:24:34 -05:00			`}`
Don't set region from metadata if profile is set. 2017-11-07 17:03:52 -05:00
Fix issue with assume role credentials 2018-02-15 17:20:50 -05:00			`if c.ProfileName != "" {`
			`opts.Profile = c.ProfileName`
			`}`

I think this was the intention 2017-03-01 19:43:09 -05:00			`if c.MFACode != "" {`
			`opts.AssumeRoleTokenProvider = func() (string, error) {`
			`return c.MFACode, nil`
			`}`
			`}`
Don't set region from metadata if profile is set. 2017-11-07 17:03:52 -05:00
make guard clauses to clearly see success pass 2019-01-25 07:00:21 -05:00			`sess, err := session.NewSessionWithOptions(opts)`
			`if err != nil {`
I think this was the intention 2017-03-01 19:43:09 -05:00			`return nil, err`
make guard clauses to clearly see success pass 2019-01-25 07:00:21 -05:00			`}`
			`log.Printf("Found region %s", *sess.Config.Region)`
			`c.session = sess`

			`cp, err := c.session.Config.Credentials.Get()`
			`if err != nil {`
			`if awsErr, ok := err.(awserr.Error); ok && awsErr.Code() == "NoCredentialProviders" {`
			`return nil, fmt.Errorf("No valid credential sources found for AWS Builder. " +`
			`"Please see https://www.packer.io/docs/builders/amazon.html#specifying-amazon-credentials " +`
			`"for more information on providing credentials for the AWS Builder.")`
			`} else {`
			`return nil, fmt.Errorf("Error loading credentials for AWS Provider: %s", err)`
Fix issue with assume role credentials 2018-02-15 17:20:50 -05:00			`}`
			`}`
make guard clauses to clearly see success pass 2019-01-25 07:00:21 -05:00			`log.Printf("[INFO] AWS Auth provider used: %q", cp.ProviderName)`
use a UI wrapper to auto-decode error messages update docs to reflect optional config 2017-10-02 16:12:42 -04:00
			`if c.DecodeAuthZMessages {`
			`DecodeAuthZMessages(c.session)`
			`}`
Move logging about aws waiters to the access config prepare() so that it's only spit out once per builder. 2018-12-06 16:30:20 -05:00			`LogEnvOverrideWarnings()`
use a UI wrapper to auto-decode error messages update docs to reflect optional config 2017-10-02 16:12:42 -04:00
I think this was the intention 2017-03-01 19:43:09 -05:00			`return c.session, nil`
IAM Role Switching Adds initial IAM Role Switching support and support for AWS CLI Credential and Config files. See: https://github.com/mitchellh/packer/issues/3109 2016-02-01 19:55:59 -05:00			`}`

Add volume and run tags if in us-gov/china We can't tag on instance creation when we're in "restricted" regions, so let's add the tags after the resources have been created. Adds methods to AccessConfig to detect if we're in China or US Gov regions (i.e. "restricted"). Also turns tag:tag maps into a type, and moves methods around validating and converting them to ec2Tags to methods of the type. 2018-02-02 23:16:23 -05:00			`func (c *AccessConfig) SessionRegion() string {`
			`if c.session == nil {`
			`panic("access config session should be set.")`
			`}`
			`return aws.StringValue(c.session.Config.Region)`
			`}`

			`func (c *AccessConfig) IsGovCloud() bool {`
			`return strings.HasPrefix(c.SessionRegion(), "us-gov-")`
			`}`

			`func (c *AccessConfig) IsChinaCloud() bool {`
			`return strings.HasPrefix(c.SessionRegion(), "cn-")`
			`}`

amazon/ebs: use new interpolation stuff 2015-05-27 14:35:56 -04:00			`func (c AccessConfig) Prepare(ctx interpolate.Context) []error {`
			`var errs []error`
builder/aws: catch static credential errors early. If we're using static credentials, either both the access key and secret key must be set, or neither of them should be. 2018-01-04 14:50:27 -05:00
builder/amazon: Use sdk default cred providers I think we were overcomplicating things. The SDK provides the correct credential chain by default, so let's use that. This patch does a quick check for static credentials and uses those if found, then defaults to the default credential provider chain. This patch also removes the metadata timeout argument. Current versions of the SDK have short timeouts by default, so I don't believe this is needed. 2018-03-15 12:49:34 -04:00			`if c.SkipMetadataApiCheck {`
			`log.Println("(WARN) skip_metadata_api_check ignored.")`
			`}`
builder/aws: catch static credential errors early. If we're using static credentials, either both the access key and secret key must be set, or neither of them should be. 2018-01-04 14:50:27 -05:00			`// Either both access and secret key must be set or neither of them should`
			`// be.`
			`if (len(c.AccessKey) > 0) != (len(c.SecretKey) > 0) {`
			`errs = append(errs,`
			fmt.Errorf("`access_key` and `secret_key` must both be either set or not set."))
			`}`

Don't set region from metadata if profile is set. 2017-11-07 17:03:52 -05:00			`return errs`
builder/amazon/common: AccessConfig for standard access config 2013-07-16 00:08:19 -04:00			`}`
make ValidateRegion a member of *AccessConfig and make it variadic 2018-10-24 05:26:53 -04:00
			`func (c *AccessConfig) NewEC2Connection() (ec2iface.EC2API, error) {`
			`if c.getEC2Connection != nil {`
			`return c.getEC2Connection(), nil`
			`}`
			`sess, err := c.Session()`
			`if err != nil {`
			`return nil, err`
			`}`
manually set proxyfromenvironment in default http client for ec2 sessions 2019-01-23 19:58:48 -05:00
			`ec2conn := ec2.New(sess, &aws.Config{`
			`HTTPClient: commonhelper.HttpClientWithEnvironmentProxy(),`
			`})`

			`return ec2conn, nil`
make ValidateRegion a member of *AccessConfig and make it variadic 2018-10-24 05:26:53 -04:00			`}`