packer-cn/builder/amazon/common/access_config.go

package common

import (
	"fmt"
	"log"
	"os"
	"time"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/credentials"
	"github.com/aws/aws-sdk-go/aws/ec2metadata"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/hashicorp/go-cleanhttp"
	"github.com/hashicorp/packer/template/interpolate"
)

// AccessConfig is for common configuration related to AWS access
type AccessConfig struct {
	AccessKey         string `mapstructure:"access_key"`
	CustomEndpointEc2 string `mapstructure:"custom_endpoint_ec2"`
	MFACode           string `mapstructure:"mfa_code"`
	ProfileName       string `mapstructure:"profile"`
	RawRegion         string `mapstructure:"region"`
	SecretKey         string `mapstructure:"secret_key"`
	SkipValidation    bool   `mapstructure:"skip_region_validation"`
	Token             string `mapstructure:"token"`
	session           *session.Session
}

// Config returns a valid aws.Config object for access to AWS services, or
// an error if the authentication and region couldn't be resolved
func (c *AccessConfig) Session() (*session.Session, error) {
	if c.session != nil {
		return c.session, nil
	}

	config := aws.NewConfig().WithMaxRetries(11).WithCredentialsChainVerboseErrors(true)

	if c.ProfileName != "" {
		if err := os.Setenv("AWS_PROFILE", c.ProfileName); err != nil {
			return nil, fmt.Errorf("Set env error: %s", err)
		}
	}

	if c.RawRegion != "" {
		config = config.WithRegion(c.RawRegion)
	} else if region := c.metadataRegion(); region != "" {
		config = config.WithRegion(region)
	}

	if c.CustomEndpointEc2 != "" {
		config = config.WithEndpoint(c.CustomEndpointEc2)
	}

	if c.AccessKey != "" {
		config = config.WithCredentials(
			credentials.NewStaticCredentials(c.AccessKey, c.SecretKey, c.Token))
	}

	opts := session.Options{
		SharedConfigState: session.SharedConfigEnable,
		Config:            *config,
	}

	if c.MFACode != "" {
		opts.AssumeRoleTokenProvider = func() (string, error) {
			return c.MFACode, nil
		}
	}

	if sess, err := session.NewSessionWithOptions(opts); err != nil {
		return nil, err
	} else if *sess.Config.Region == "" {
		return nil, fmt.Errorf("Could not find AWS region, make sure it's set.")
	} else {
		log.Printf("Found region %s", *sess.Config.Region)
		c.session = sess
	}

	return c.session, nil
}

// metadataRegion returns the region from the metadata service
func (c *AccessConfig) metadataRegion() string {

	client := cleanhttp.DefaultClient()

	// Keep the default timeout (100ms) low as we don't want to wait in non-EC2 environments
	client.Timeout = 100 * time.Millisecond
	ec2meta := ec2metadata.New(session.New(), &aws.Config{
		HTTPClient: client,
	})
	region, err := ec2meta.Region()
	if err != nil {
		log.Println("Error getting region from metadata service, "+
			"probably because we're not running on AWS.", err)
		return ""
	}
	return region
}

func (c *AccessConfig) Prepare(ctx *interpolate.Context) []error {
	var errs []error

	// Either both access and secret key must be set or neither of them should
	// be.
	if (len(c.AccessKey) > 0) != (len(c.SecretKey) > 0) {
		errs = append(errs,
			fmt.Errorf("`access_key` and `secret_key` must both be either set or not set."))
	}

	if c.RawRegion != "" && !c.SkipValidation {
		if valid := ValidateRegion(c.RawRegion); !valid {
			errs = append(errs, fmt.Errorf("Unknown region: %s", c.RawRegion))
		}
	}

	return errs
}
builder/amazon/common: AccessConfig for standard access config 2013-07-16 00:08:19 -04:00			`package common`

			`import (`
builder/amazon/chroot: boilerplate 2013-07-29 19:42:35 -04:00			`"fmt"`
add support for profile 2017-06-09 14:24:30 -04:00			`"log"`
			`"os"`
Shorten metadata timeout When running in travis, metadata requests will timeout after 5 seconds. After 24 such timeouts, we'll hit travis' build timeout of two minutes, and the build will fail. Lowering it to 100 gets us in a safe time limit. We _may_ need to expose a timeout env var with this logic, however. 2017-10-30 18:14:42 -04:00			`"time"`
amazon/ebs: use new interpolation stuff 2015-05-27 14:35:56 -04:00
Migrate to new AWS repo 2015-06-03 17:13:52 -04:00			`"github.com/aws/aws-sdk-go/aws"`
			`"github.com/aws/aws-sdk-go/aws/credentials"`
try again to get region from metadata 2017-06-14 19:30:18 -04:00			`"github.com/aws/aws-sdk-go/aws/ec2metadata"`
Create a session for EC2RoleProvider; prevents crash; fixes #3123 2016-02-19 20:10:05 -05:00			`"github.com/aws/aws-sdk-go/aws/session"`
Shorten metadata timeout When running in travis, metadata requests will timeout after 5 seconds. After 24 such timeouts, we'll hit travis' build timeout of two minutes, and the build will fail. Lowering it to 100 gets us in a safe time limit. We _may_ need to expose a timeout env var with this logic, however. 2017-10-30 18:14:42 -04:00			`"github.com/hashicorp/go-cleanhttp"`
move packer to hashicorp 2017-04-04 16:39:01 -04:00			`"github.com/hashicorp/packer/template/interpolate"`
builder/amazon/common: AccessConfig for standard access config 2013-07-16 00:08:19 -04:00			`)`

			`// AccessConfig is for common configuration related to AWS access`
			`type AccessConfig struct {`
add an option custom_endpoint_ec2 for amazon builder, add a condition if vpc_id is empty don't add the parameter to the aws call 2017-05-17 12:45:20 -04:00			AccessKey string `mapstructure:"access_key"`
builder/amazon: Support assume role with assume_role_arn This supports assuming a role when using profile or static credentials. 2017-02-26 11:24:34 -05:00			CustomEndpointEc2 string `mapstructure:"custom_endpoint_ec2"`
builder/amazon: Added MFA support 2017-02-27 13:44:07 -05:00			MFACode string `mapstructure:"mfa_code"`
I think this was the intention 2017-03-01 19:43:09 -05:00			ProfileName string `mapstructure:"profile"`
			RawRegion string `mapstructure:"region"`
			SecretKey string `mapstructure:"secret_key"`
add an option custom_endpoint_ec2 for amazon builder, add a condition if vpc_id is empty don't add the parameter to the aws call 2017-05-17 12:45:20 -04:00			SkipValidation bool `mapstructure:"skip_region_validation"`
			Token string `mapstructure:"token"`
I think this was the intention 2017-03-01 19:43:09 -05:00			`session *session.Session`
builder/amazon/common: AccessConfig for standard access config 2013-07-16 00:08:19 -04:00			`}`

Migrate from mitchellh/goamz to awslabs/aws-sdk-go This commit moves the Amazon builders of Packer away from the Hashicorp fork of the goamz library to the official AWS SDK for Go, in order that third party plugins may depend on the more complete official library more easily. 2015-04-05 17:58:48 -04:00			`// Config returns a valid aws.Config object for access to AWS services, or`
			`// an error if the authentication and region couldn't be resolved`
I think this was the intention 2017-03-01 19:43:09 -05:00			`func (c AccessConfig) Session() (session.Session, error) {`
			`if c.session != nil {`
			`return c.session, nil`
			`}`
IAM Role Switching Adds initial IAM Role Switching support and support for AWS CLI Credential and Config files. See: https://github.com/mitchellh/packer/issues/3109 2016-02-01 19:55:59 -05:00
Don't set region from metadata if profile is set. 2017-11-07 17:03:52 -05:00			`config := aws.NewConfig().WithMaxRetries(11).WithCredentialsChainVerboseErrors(true)`

add support for profile 2017-06-09 14:24:30 -04:00			`if c.ProfileName != "" {`
			`if err := os.Setenv("AWS_PROFILE", c.ProfileName); err != nil {`
this is a critical error 2017-11-07 15:52:03 -05:00			`return nil, fmt.Errorf("Set env error: %s", err)`
add support for profile 2017-06-09 14:24:30 -04:00			`}`
Correctly set aws region if given in template along with a profile. 2017-12-07 14:12:57 -05:00			`}`

			`if c.RawRegion != "" {`
Don't set region from metadata if profile is set. 2017-11-07 17:03:52 -05:00			`config = config.WithRegion(c.RawRegion)`
			`} else if region := c.metadataRegion(); region != "" {`
clean up 2017-10-30 18:02:39 -04:00			`config = config.WithRegion(region)`
			`}`
I think this was the intention 2017-03-01 19:43:09 -05:00
aws: Drop undocumented option `profile` This was added in 883acb18fac2c732e7fdf05822959bb45977ed00 to support assume role and shared configuration file. This was never completed. 2017-03-06 11:10:39 -05:00			`if c.CustomEndpointEc2 != "" {`
bugfix 2017-06-09 14:01:27 -04:00			`config = config.WithEndpoint(c.CustomEndpointEc2)`
aws: Drop undocumented option `profile` This was added in 883acb18fac2c732e7fdf05822959bb45977ed00 to support assume role and shared configuration file. This was never completed. 2017-03-06 11:10:39 -05:00			`}`
with wrapping 2017-06-09 13:46:01 -04:00
I think this was the intention 2017-03-01 19:43:09 -05:00			`if c.AccessKey != "" {`
builder/aws: catch static credential errors early. If we're using static credentials, either both the access key and secret key must be set, or neither of them should be. 2018-01-04 14:50:27 -05:00			`config = config.WithCredentials(`
			`credentials.NewStaticCredentials(c.AccessKey, c.SecretKey, c.Token))`
I think this was the intention 2017-03-01 19:43:09 -05:00			`}`
builder/amazon: Added MFA support 2017-02-27 13:44:07 -05:00
I think this was the intention 2017-03-01 19:43:09 -05:00			`opts := session.Options{`
			`SharedConfigState: session.SharedConfigEnable,`
			`Config: *config,`
builder/amazon: Support assume role with assume_role_arn This supports assuming a role when using profile or static credentials. 2017-02-26 11:24:34 -05:00			`}`
Don't set region from metadata if profile is set. 2017-11-07 17:03:52 -05:00
I think this was the intention 2017-03-01 19:43:09 -05:00			`if c.MFACode != "" {`
			`opts.AssumeRoleTokenProvider = func() (string, error) {`
			`return c.MFACode, nil`
			`}`
			`}`
Don't set region from metadata if profile is set. 2017-11-07 17:03:52 -05:00
don't shadow package name 2017-11-07 19:05:43 -05:00			`if sess, err := session.NewSessionWithOptions(opts); err != nil {`
I think this was the intention 2017-03-01 19:43:09 -05:00			`return nil, err`
don't shadow package name 2017-11-07 19:05:43 -05:00			`} else if *sess.Config.Region == "" {`
Don't set region from metadata if profile is set. 2017-11-07 17:03:52 -05:00			`return nil, fmt.Errorf("Could not find AWS region, make sure it's set.")`
			`} else {`
don't shadow package name 2017-11-07 19:05:43 -05:00			`log.Printf("Found region %s", *sess.Config.Region)`
			`c.session = sess`
I think this was the intention 2017-03-01 19:43:09 -05:00			`}`

			`return c.session, nil`
IAM Role Switching Adds initial IAM Role Switching support and support for AWS CLI Credential and Config files. See: https://github.com/mitchellh/packer/issues/3109 2016-02-01 19:55:59 -05:00			`}`

Don't set region from metadata if profile is set. 2017-11-07 17:03:52 -05:00			`// metadataRegion returns the region from the metadata service`
			`func (c *AccessConfig) metadataRegion() string {`
builder/amazon/chroot: boilerplate 2013-07-29 19:42:35 -04:00
Shorten metadata timeout When running in travis, metadata requests will timeout after 5 seconds. After 24 such timeouts, we'll hit travis' build timeout of two minutes, and the build will fail. Lowering it to 100 gets us in a safe time limit. We _may_ need to expose a timeout env var with this logic, however. 2017-10-30 18:14:42 -04:00			`client := cleanhttp.DefaultClient()`

			`// Keep the default timeout (100ms) low as we don't want to wait in non-EC2 environments`
			`client.Timeout = 100 * time.Millisecond`
			`ec2meta := ec2metadata.New(session.New(), &aws.Config{`
			`HTTPClient: client,`
			`})`
clean up 2017-10-30 18:02:39 -04:00			`region, err := ec2meta.Region()`
try again to get region from metadata 2017-06-14 19:30:18 -04:00			`if err != nil {`
			`log.Println("Error getting region from metadata service, "+`
			`"probably because we're not running on AWS.", err)`
clean up 2017-10-30 18:02:39 -04:00			`return ""`
try again to get region from metadata 2017-06-14 19:30:18 -04:00			`}`
clean up 2017-10-30 18:02:39 -04:00			`return region`
builder/amazon/chroot: boilerplate 2013-07-29 19:42:35 -04:00			`}`

amazon/ebs: use new interpolation stuff 2015-05-27 14:35:56 -04:00			`func (c AccessConfig) Prepare(ctx interpolate.Context) []error {`
			`var errs []error`
builder/aws: catch static credential errors early. If we're using static credentials, either both the access key and secret key must be set, or neither of them should be. 2018-01-04 14:50:27 -05:00
			`// Either both access and secret key must be set or neither of them should`
			`// be.`
			`if (len(c.AccessKey) > 0) != (len(c.SecretKey) > 0) {`
			`errs = append(errs,`
			fmt.Errorf("`access_key` and `secret_key` must both be either set or not set."))
			`}`

changing if conditionals to be ! instead of == false 2016-06-07 09:21:43 -04:00			`if c.RawRegion != "" && !c.SkipValidation {`
simplify some code 2017-03-28 21:29:55 -04:00			`if valid := ValidateRegion(c.RawRegion); !valid {`
changing if conditionals to be ! instead of == false 2016-06-07 09:21:43 -04:00			`errs = append(errs, fmt.Errorf("Unknown region: %s", c.RawRegion))`
builder/amazon/chroot: boilerplate 2013-07-29 19:42:35 -04:00			`}`
			`}`

Don't set region from metadata if profile is set. 2017-11-07 17:03:52 -05:00			`return errs`
builder/amazon/common: AccessConfig for standard access config 2013-07-16 00:08:19 -04:00			`}`