packer-cn/builder/amazon/common/access_config.go

203 lines
6.2 KiB
Go
Raw Normal View History

package common
import (
2013-07-29 19:42:35 -04:00
"fmt"
2017-06-09 14:24:30 -04:00
"log"
"os"
"strings"
"time"
2015-06-03 17:13:52 -04:00
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/awserr"
2015-06-03 17:13:52 -04:00
"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
2017-06-14 19:30:18 -04:00
"github.com/aws/aws-sdk-go/aws/ec2metadata"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/hashicorp/go-cleanhttp"
2017-04-04 16:39:01 -04:00
"github.com/hashicorp/packer/template/interpolate"
)
// AccessConfig is for common configuration related to AWS access
type AccessConfig struct {
AccessKey string `mapstructure:"access_key"`
CustomEndpointEc2 string `mapstructure:"custom_endpoint_ec2"`
MFACode string `mapstructure:"mfa_code"`
ProfileName string `mapstructure:"profile"`
RawRegion string `mapstructure:"region"`
SecretKey string `mapstructure:"secret_key"`
SkipValidation bool `mapstructure:"skip_region_validation"`
SkipMetadataApiCheck bool `mapstructure:"skip_metadata_api_check"`
Token string `mapstructure:"token"`
session *session.Session
}
// Config returns a valid aws.Config object for access to AWS services, or
// an error if the authentication and region couldn't be resolved
2017-03-01 19:43:09 -05:00
func (c *AccessConfig) Session() (*session.Session, error) {
if c.session != nil {
return c.session, nil
}
// build a chain provider, lazy-evaluated by aws-sdk
providers := []credentials.Provider{
&credentials.StaticProvider{Value: credentials.Value{
AccessKeyID: c.AccessKey,
SecretAccessKey: c.SecretKey,
SessionToken: c.Token,
}},
&credentials.EnvProvider{},
&credentials.SharedCredentialsProvider{
Filename: "",
Profile: c.ProfileName,
},
}
// Build isolated HTTP client to avoid issues with globally-shared settings
client := cleanhttp.DefaultClient()
// Keep the default timeout (100ms) low as we don't want to wait in non-EC2 environments
client.Timeout = 100 * time.Millisecond
const userTimeoutEnvVar = "AWS_METADATA_TIMEOUT"
userTimeout := os.Getenv(userTimeoutEnvVar)
if userTimeout != "" {
newTimeout, err := time.ParseDuration(userTimeout)
if err == nil {
if newTimeout.Nanoseconds() > 0 {
client.Timeout = newTimeout
} else {
log.Printf("[WARN] Non-positive value of %s (%s) is meaningless, ignoring", userTimeoutEnvVar, newTimeout.String())
}
} else {
log.Printf("[WARN] Error converting %s to time.Duration: %s", userTimeoutEnvVar, err)
}
}
log.Printf("[INFO] Setting AWS metadata API timeout to %s", client.Timeout.String())
cfg := &aws.Config{
HTTPClient: client,
}
if !c.SkipMetadataApiCheck {
// Real AWS should reply to a simple metadata request.
// We check it actually does to ensure something else didn't just
// happen to be listening on the same IP:Port
metadataClient := ec2metadata.New(session.New(cfg))
if metadataClient.Available() {
providers = append(providers, &ec2rolecreds.EC2RoleProvider{
Client: metadataClient,
})
log.Print("[INFO] AWS EC2 instance detected via default metadata" +
" API endpoint, EC2RoleProvider added to the auth chain")
} else {
log.Printf("[INFO] Ignoring AWS metadata API endpoint " +
"as it doesn't return any instance-id")
}
}
creds := credentials.NewChainCredentials(providers)
config := aws.NewConfig().WithMaxRetries(11).WithCredentialsChainVerboseErrors(true)
if c.RawRegion != "" {
config = config.WithRegion(c.RawRegion)
} else if region := c.metadataRegion(); region != "" {
2017-10-30 18:02:39 -04:00
config = config.WithRegion(region)
}
2017-03-01 19:43:09 -05:00
if c.CustomEndpointEc2 != "" {
2017-06-09 14:01:27 -04:00
config = config.WithEndpoint(c.CustomEndpointEc2)
}
2017-06-09 13:46:01 -04:00
2017-03-01 19:43:09 -05:00
opts := session.Options{
SharedConfigState: session.SharedConfigEnable,
Config: *config,
}
2018-02-15 17:20:50 -05:00
if c.ProfileName != "" {
opts.Profile = c.ProfileName
}
2017-03-01 19:43:09 -05:00
if c.MFACode != "" {
opts.AssumeRoleTokenProvider = func() (string, error) {
return c.MFACode, nil
}
}
2018-02-15 17:20:50 -05:00
config = config.WithCredentials(creds)
2017-11-07 19:05:43 -05:00
if sess, err := session.NewSessionWithOptions(opts); err != nil {
2017-03-01 19:43:09 -05:00
return nil, err
2017-11-07 19:05:43 -05:00
} else if *sess.Config.Region == "" {
return nil, fmt.Errorf("Could not find AWS region, make sure it's set.")
} else {
2017-11-07 19:05:43 -05:00
log.Printf("Found region %s", *sess.Config.Region)
c.session = sess
2017-03-01 19:43:09 -05:00
2018-02-15 17:20:50 -05:00
cp, err := c.session.Config.Credentials.Get()
if err != nil {
if awsErr, ok := err.(awserr.Error); ok && awsErr.Code() == "NoCredentialProviders" {
return nil, fmt.Errorf("No valid credential sources found for AWS Builder. " +
"Please see https://www.packer.io/docs/builders/amazon.html#specifying-amazon-credentials " +
"for more information on providing credentials for the AWS Builder.")
} else {
return nil, fmt.Errorf("Error loading credentials for AWS Provider: %s", err)
}
}
log.Printf("[INFO] AWS Auth provider used: %q", cp.ProviderName)
}
2017-03-01 19:43:09 -05:00
return c.session, nil
}
func (c *AccessConfig) SessionRegion() string {
if c.session == nil {
panic("access config session should be set.")
}
return aws.StringValue(c.session.Config.Region)
}
func (c *AccessConfig) IsGovCloud() bool {
return strings.HasPrefix(c.SessionRegion(), "us-gov-")
}
func (c *AccessConfig) IsChinaCloud() bool {
return strings.HasPrefix(c.SessionRegion(), "cn-")
}
// metadataRegion returns the region from the metadata service
func (c *AccessConfig) metadataRegion() string {
2013-07-29 19:42:35 -04:00
client := cleanhttp.DefaultClient()
// Keep the default timeout (100ms) low as we don't want to wait in non-EC2 environments
client.Timeout = 100 * time.Millisecond
ec2meta := ec2metadata.New(session.New(), &aws.Config{
HTTPClient: client,
})
2017-10-30 18:02:39 -04:00
region, err := ec2meta.Region()
2017-06-14 19:30:18 -04:00
if err != nil {
log.Println("Error getting region from metadata service, "+
"probably because we're not running on AWS.", err)
2017-10-30 18:02:39 -04:00
return ""
2017-06-14 19:30:18 -04:00
}
2017-10-30 18:02:39 -04:00
return region
2013-07-29 19:42:35 -04:00
}
func (c *AccessConfig) Prepare(ctx *interpolate.Context) []error {
var errs []error
// Either both access and secret key must be set or neither of them should
// be.
if (len(c.AccessKey) > 0) != (len(c.SecretKey) > 0) {
errs = append(errs,
fmt.Errorf("`access_key` and `secret_key` must both be either set or not set."))
}
if c.RawRegion != "" && !c.SkipValidation {
2017-03-28 21:29:55 -04:00
if valid := ValidateRegion(c.RawRegion); !valid {
errs = append(errs, fmt.Errorf("Unknown region: %s", c.RawRegion))
2013-07-29 19:42:35 -04:00
}
}
return errs
}