make vault engine stuff into a little struct for easier management

2019-02-04 15:29:45 -08:00 · 2019-02-04 15:29:45 -08:00 · 7a78b47e83
parent 6b41a1663a
commit 7a78b47e83
2 changed files with 26 additions and 1 deletions
--- a/builder/amazon/common/access_config.go
+++ b/builder/amazon/common/access_config.go
@ -18,6 +18,12 @@ import (
 	"github.com/hashicorp/packer/template/interpolate"
 )

+type VaultAWSEngineOptions struct {
+	Name    string `mapstructure:"name"`
+	RoleARN string `mapstructure:"role_arn"`
+	TTL     string `mapstructure:"ttl"`
+}
+
 // AccessConfig is for common configuration related to AWS access
 type AccessConfig struct {
 	AccessKey             string `mapstructure:"access_key"`
@ -32,6 +38,7 @@ type AccessConfig struct {
 	SkipMetadataApiCheck  bool   `mapstructure:"skip_metadata_api_check"`
 	Token                 string `mapstructure:"token"`
 	session               *session.Session
+	VaultAWSEngine        VaultAWSEngineOptions `mapstructure:"vault_aws_engine"`

 	getEC2Connection func() ec2iface.EC2API
 }
@ -44,6 +51,7 @@ func (c *AccessConfig) Session() (*session.Session, error) {
 	}

 	config := aws.NewConfig().WithCredentialsChainVerboseErrors(true)
+
 	staticCreds := credentials.NewStaticCredentials(c.AccessKey, c.SecretKey, c.Token)
 	if _, err := staticCreds.Get(); err != credentials.ErrStaticCredentialsEmpty {
 		config.WithCredentials(staticCreds)
@ -130,6 +138,13 @@ func (c *AccessConfig) Prepare(ctx *interpolate.Context) []error {
 	}
 	// Either both access and secret key must be set or neither of them should
 	// be.
+	if c.VaultAWSEngine != nil {
+		if len(c.AccessKey) > 0 {
+			errs = append(errs,
+				fmt.Errorf("If you have set vault_aws_engine, you must not set"+
+					" the access_key or secret_key."))
+		}
+	}
 	if (len(c.AccessKey) > 0) != (len(c.SecretKey) > 0) {
 		errs = append(errs,
 			fmt.Errorf("`access_key` and `secret_key` must both be either set or not set."))
--- a/website/source/docs/builders/amazon-ebs.html.md
+++ b/website/source/docs/builders/amazon-ebs.html.md
@ -507,7 +507,7 @@ builder.
 -   `user_data_file` (string) - Path to a file that will be used for the user
    data when launching the instance.

- `use_vault_aws_engine` (bool) - Get credentials from Hashicorp Vault's aws
+- `vault_aws_engine` (object) - Get credentials from Hashicorp Vault's aws
  secrets engine. You must already have created a role to use. For more
  information about generating credentials via the Vault engine, see the
  [Vault docs.]
@ -534,6 +534,16 @@ builder.
      token are eventually consistent, Packer will pause for ten seconds after
      retrieving the credentials before continuing with the build.

+    ``` json
+    {
+        "vault_aws_engine": {
+            "name": "myrole"
+            "role_arn": "myarn"
+            "ttl": "3600s"
+        }
+    }
+    ```
+
 -   `vpc_id` (string) - If launching into a VPC subnet, Packer needs the VPC ID
    in order to create a temporary security group within the VPC. Requires
    `subnet_id` to be set. If this field is left blank, Packer will try to get