2013-07-16 00:08:19 -04:00
|
|
|
package common
|
|
|
|
|
|
|
|
import (
|
2013-07-29 19:42:35 -04:00
|
|
|
"fmt"
|
2017-06-09 14:24:30 -04:00
|
|
|
"log"
|
2018-02-02 23:16:23 -05:00
|
|
|
"strings"
|
2017-10-30 18:14:42 -04:00
|
|
|
"time"
|
2015-05-27 14:35:56 -04:00
|
|
|
|
2015-06-03 17:13:52 -04:00
|
|
|
"github.com/aws/aws-sdk-go/aws"
|
2018-01-04 18:04:07 -05:00
|
|
|
"github.com/aws/aws-sdk-go/aws/awserr"
|
2015-06-03 17:13:52 -04:00
|
|
|
"github.com/aws/aws-sdk-go/aws/credentials"
|
2017-06-14 19:30:18 -04:00
|
|
|
"github.com/aws/aws-sdk-go/aws/ec2metadata"
|
2016-02-19 20:10:05 -05:00
|
|
|
"github.com/aws/aws-sdk-go/aws/session"
|
2017-10-30 18:14:42 -04:00
|
|
|
"github.com/hashicorp/go-cleanhttp"
|
2017-04-04 16:39:01 -04:00
|
|
|
"github.com/hashicorp/packer/template/interpolate"
|
2013-07-16 00:08:19 -04:00
|
|
|
)
|
|
|
|
|
|
|
|
// AccessConfig is for common configuration related to AWS access
|
|
|
|
type AccessConfig struct {
|
2018-01-04 18:04:07 -05:00
|
|
|
AccessKey string `mapstructure:"access_key"`
|
|
|
|
CustomEndpointEc2 string `mapstructure:"custom_endpoint_ec2"`
|
2017-10-02 16:12:42 -04:00
|
|
|
DecodeAuthZMessages bool `mapstructure:"decode_authorization_messages"`
|
2018-01-04 18:04:07 -05:00
|
|
|
MFACode string `mapstructure:"mfa_code"`
|
|
|
|
ProfileName string `mapstructure:"profile"`
|
|
|
|
RawRegion string `mapstructure:"region"`
|
|
|
|
SecretKey string `mapstructure:"secret_key"`
|
|
|
|
SkipValidation bool `mapstructure:"skip_region_validation"`
|
|
|
|
SkipMetadataApiCheck bool `mapstructure:"skip_metadata_api_check"`
|
|
|
|
Token string `mapstructure:"token"`
|
|
|
|
session *session.Session
|
2013-07-16 00:08:19 -04:00
|
|
|
}
|
|
|
|
|
2015-04-05 17:58:48 -04:00
|
|
|
// Config returns a valid aws.Config object for access to AWS services, or
|
|
|
|
// an error if the authentication and region couldn't be resolved
|
2017-03-01 19:43:09 -05:00
|
|
|
func (c *AccessConfig) Session() (*session.Session, error) {
|
|
|
|
if c.session != nil {
|
|
|
|
return c.session, nil
|
|
|
|
}
|
2016-02-01 19:55:59 -05:00
|
|
|
|
2018-03-15 12:49:34 -04:00
|
|
|
config := aws.NewConfig().WithCredentialsChainVerboseErrors(true)
|
2018-01-04 18:04:07 -05:00
|
|
|
|
2018-03-15 12:49:34 -04:00
|
|
|
staticCreds := credentials.NewStaticCredentials(c.AccessKey, c.SecretKey, c.Token)
|
|
|
|
if _, err := staticCreds.Get(); err != credentials.ErrStaticCredentialsEmpty {
|
|
|
|
config.WithCredentials(staticCreds)
|
2018-01-04 18:04:07 -05:00
|
|
|
}
|
2017-11-07 17:03:52 -05:00
|
|
|
|
2018-08-30 12:31:34 -04:00
|
|
|
// default is 3, and when it was causing failures for users being throttled
|
|
|
|
config = config.WithMaxRetries(20)
|
|
|
|
|
2017-12-07 14:12:57 -05:00
|
|
|
if c.RawRegion != "" {
|
2017-11-07 17:03:52 -05:00
|
|
|
config = config.WithRegion(c.RawRegion)
|
|
|
|
} else if region := c.metadataRegion(); region != "" {
|
2017-10-30 18:02:39 -04:00
|
|
|
config = config.WithRegion(region)
|
|
|
|
}
|
2017-03-01 19:43:09 -05:00
|
|
|
|
2017-03-06 11:10:39 -05:00
|
|
|
if c.CustomEndpointEc2 != "" {
|
2017-06-09 14:01:27 -04:00
|
|
|
config = config.WithEndpoint(c.CustomEndpointEc2)
|
2017-03-06 11:10:39 -05:00
|
|
|
}
|
2017-06-09 13:46:01 -04:00
|
|
|
|
2017-03-01 19:43:09 -05:00
|
|
|
opts := session.Options{
|
|
|
|
SharedConfigState: session.SharedConfigEnable,
|
|
|
|
Config: *config,
|
2017-02-26 11:24:34 -05:00
|
|
|
}
|
2017-11-07 17:03:52 -05:00
|
|
|
|
2018-02-15 17:20:50 -05:00
|
|
|
if c.ProfileName != "" {
|
|
|
|
opts.Profile = c.ProfileName
|
|
|
|
}
|
|
|
|
|
2017-03-01 19:43:09 -05:00
|
|
|
if c.MFACode != "" {
|
|
|
|
opts.AssumeRoleTokenProvider = func() (string, error) {
|
|
|
|
return c.MFACode, nil
|
|
|
|
}
|
|
|
|
}
|
2017-11-07 17:03:52 -05:00
|
|
|
|
2017-11-07 19:05:43 -05:00
|
|
|
if sess, err := session.NewSessionWithOptions(opts); err != nil {
|
2017-03-01 19:43:09 -05:00
|
|
|
return nil, err
|
2017-11-07 19:05:43 -05:00
|
|
|
} else if *sess.Config.Region == "" {
|
2017-11-07 17:03:52 -05:00
|
|
|
return nil, fmt.Errorf("Could not find AWS region, make sure it's set.")
|
|
|
|
} else {
|
2017-11-07 19:05:43 -05:00
|
|
|
log.Printf("Found region %s", *sess.Config.Region)
|
|
|
|
c.session = sess
|
2017-03-01 19:43:09 -05:00
|
|
|
|
2018-02-15 17:20:50 -05:00
|
|
|
cp, err := c.session.Config.Credentials.Get()
|
|
|
|
if err != nil {
|
|
|
|
if awsErr, ok := err.(awserr.Error); ok && awsErr.Code() == "NoCredentialProviders" {
|
|
|
|
return nil, fmt.Errorf("No valid credential sources found for AWS Builder. " +
|
|
|
|
"Please see https://www.packer.io/docs/builders/amazon.html#specifying-amazon-credentials " +
|
|
|
|
"for more information on providing credentials for the AWS Builder.")
|
|
|
|
} else {
|
|
|
|
return nil, fmt.Errorf("Error loading credentials for AWS Provider: %s", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
log.Printf("[INFO] AWS Auth provider used: %q", cp.ProviderName)
|
|
|
|
}
|
2017-10-02 16:12:42 -04:00
|
|
|
|
|
|
|
if c.DecodeAuthZMessages {
|
|
|
|
DecodeAuthZMessages(c.session)
|
|
|
|
}
|
|
|
|
|
2017-03-01 19:43:09 -05:00
|
|
|
return c.session, nil
|
2016-02-01 19:55:59 -05:00
|
|
|
}
|
|
|
|
|
2018-02-02 23:16:23 -05:00
|
|
|
func (c *AccessConfig) SessionRegion() string {
|
|
|
|
if c.session == nil {
|
|
|
|
panic("access config session should be set.")
|
|
|
|
}
|
|
|
|
return aws.StringValue(c.session.Config.Region)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *AccessConfig) IsGovCloud() bool {
|
|
|
|
return strings.HasPrefix(c.SessionRegion(), "us-gov-")
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *AccessConfig) IsChinaCloud() bool {
|
|
|
|
return strings.HasPrefix(c.SessionRegion(), "cn-")
|
|
|
|
}
|
|
|
|
|
2017-11-07 17:03:52 -05:00
|
|
|
// metadataRegion returns the region from the metadata service
|
|
|
|
func (c *AccessConfig) metadataRegion() string {
|
2013-07-29 19:42:35 -04:00
|
|
|
|
2017-10-30 18:14:42 -04:00
|
|
|
client := cleanhttp.DefaultClient()
|
|
|
|
|
|
|
|
// Keep the default timeout (100ms) low as we don't want to wait in non-EC2 environments
|
|
|
|
client.Timeout = 100 * time.Millisecond
|
|
|
|
ec2meta := ec2metadata.New(session.New(), &aws.Config{
|
|
|
|
HTTPClient: client,
|
|
|
|
})
|
2017-10-30 18:02:39 -04:00
|
|
|
region, err := ec2meta.Region()
|
2017-06-14 19:30:18 -04:00
|
|
|
if err != nil {
|
|
|
|
log.Println("Error getting region from metadata service, "+
|
|
|
|
"probably because we're not running on AWS.", err)
|
2017-10-30 18:02:39 -04:00
|
|
|
return ""
|
2017-06-14 19:30:18 -04:00
|
|
|
}
|
2017-10-30 18:02:39 -04:00
|
|
|
return region
|
2013-07-29 19:42:35 -04:00
|
|
|
}
|
|
|
|
|
2015-05-27 14:35:56 -04:00
|
|
|
func (c *AccessConfig) Prepare(ctx *interpolate.Context) []error {
|
|
|
|
var errs []error
|
2018-01-04 14:50:27 -05:00
|
|
|
|
2018-03-15 12:49:34 -04:00
|
|
|
if c.SkipMetadataApiCheck {
|
|
|
|
log.Println("(WARN) skip_metadata_api_check ignored.")
|
|
|
|
}
|
2018-01-04 14:50:27 -05:00
|
|
|
// Either both access and secret key must be set or neither of them should
|
|
|
|
// be.
|
|
|
|
if (len(c.AccessKey) > 0) != (len(c.SecretKey) > 0) {
|
|
|
|
errs = append(errs,
|
|
|
|
fmt.Errorf("`access_key` and `secret_key` must both be either set or not set."))
|
|
|
|
}
|
|
|
|
|
2016-06-07 09:21:43 -04:00
|
|
|
if c.RawRegion != "" && !c.SkipValidation {
|
2018-09-10 18:43:01 -04:00
|
|
|
ec2conn := getValidationSession()
|
|
|
|
if valid := ValidateRegion(c.RawRegion, ec2conn); !valid {
|
2016-06-07 09:21:43 -04:00
|
|
|
errs = append(errs, fmt.Errorf("Unknown region: %s", c.RawRegion))
|
2013-07-29 19:42:35 -04:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-11-07 17:03:52 -05:00
|
|
|
return errs
|
2013-07-16 00:08:19 -04:00
|
|
|
}
|