217 lines
6.1 KiB
Go
217 lines
6.1 KiB
Go
package common
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"fmt"
|
|
"log"
|
|
"net/http"
|
|
"strings"
|
|
|
|
"github.com/aws/aws-sdk-go/aws"
|
|
"github.com/aws/aws-sdk-go/aws/awserr"
|
|
"github.com/aws/aws-sdk-go/aws/credentials"
|
|
"github.com/aws/aws-sdk-go/aws/session"
|
|
"github.com/aws/aws-sdk-go/service/ec2"
|
|
"github.com/aws/aws-sdk-go/service/ec2/ec2iface"
|
|
cleanhttp "github.com/hashicorp/go-cleanhttp"
|
|
"github.com/hashicorp/packer/template/interpolate"
|
|
vaultapi "github.com/hashicorp/vault/api"
|
|
)
|
|
|
|
type VaultAWSEngineOptions struct {
|
|
Name string `mapstructure:"name"`
|
|
RoleARN string `mapstructure:"role_arn"`
|
|
TTL string `mapstructure:"ttl"`
|
|
EngineName string `mapstructure:"engine_name"`
|
|
}
|
|
|
|
func (v *VaultAWSEngineOptions) Empty() bool {
|
|
return len(v.Name) == 0 && len(v.RoleARN) == 0 &&
|
|
len(v.EngineName) == 0 && len(v.TTL) == 0
|
|
}
|
|
|
|
// AccessConfig is for common configuration related to AWS access
|
|
type AccessConfig struct {
|
|
AccessKey string `mapstructure:"access_key"`
|
|
CustomEndpointEc2 string `mapstructure:"custom_endpoint_ec2"`
|
|
DecodeAuthZMessages bool `mapstructure:"decode_authorization_messages"`
|
|
InsecureSkipTLSVerify bool `mapstructure:"insecure_skip_tls_verify"`
|
|
MFACode string `mapstructure:"mfa_code"`
|
|
ProfileName string `mapstructure:"profile"`
|
|
RawRegion string `mapstructure:"region"`
|
|
SecretKey string `mapstructure:"secret_key"`
|
|
SkipValidation bool `mapstructure:"skip_region_validation"`
|
|
SkipMetadataApiCheck bool `mapstructure:"skip_metadata_api_check"`
|
|
Token string `mapstructure:"token"`
|
|
session *session.Session
|
|
VaultAWSEngine VaultAWSEngineOptions `mapstructure:"vault_aws_engine"`
|
|
|
|
getEC2Connection func() ec2iface.EC2API
|
|
}
|
|
|
|
// Config returns a valid aws.Config object for access to AWS services, or
|
|
// an error if the authentication and region couldn't be resolved
|
|
func (c *AccessConfig) Session() (*session.Session, error) {
|
|
if c.session != nil {
|
|
return c.session, nil
|
|
}
|
|
|
|
config := aws.NewConfig().WithCredentialsChainVerboseErrors(true)
|
|
|
|
staticCreds := credentials.NewStaticCredentials(c.AccessKey, c.SecretKey, c.Token)
|
|
if _, err := staticCreds.Get(); err != credentials.ErrStaticCredentialsEmpty {
|
|
config.WithCredentials(staticCreds)
|
|
}
|
|
|
|
if c.RawRegion != "" {
|
|
config = config.WithRegion(c.RawRegion)
|
|
}
|
|
|
|
if c.CustomEndpointEc2 != "" {
|
|
config = config.WithEndpoint(c.CustomEndpointEc2)
|
|
}
|
|
|
|
config = config.WithHTTPClient(cleanhttp.DefaultClient())
|
|
transport := config.HTTPClient.Transport.(*http.Transport)
|
|
if c.InsecureSkipTLSVerify {
|
|
transport.TLSClientConfig = &tls.Config{
|
|
InsecureSkipVerify: true,
|
|
}
|
|
}
|
|
transport.Proxy = http.ProxyFromEnvironment
|
|
|
|
opts := session.Options{
|
|
SharedConfigState: session.SharedConfigEnable,
|
|
Config: *config,
|
|
}
|
|
|
|
if c.ProfileName != "" {
|
|
opts.Profile = c.ProfileName
|
|
}
|
|
|
|
if c.MFACode != "" {
|
|
opts.AssumeRoleTokenProvider = func() (string, error) {
|
|
return c.MFACode, nil
|
|
}
|
|
}
|
|
|
|
sess, err := session.NewSessionWithOptions(opts)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
log.Printf("Found region %s", *sess.Config.Region)
|
|
c.session = sess
|
|
|
|
cp, err := c.session.Config.Credentials.Get()
|
|
if err != nil {
|
|
if awsErr, ok := err.(awserr.Error); ok && awsErr.Code() == "NoCredentialProviders" {
|
|
return nil, fmt.Errorf("No valid credential sources found for AWS Builder. " +
|
|
"Please see https://www.packer.io/docs/builders/amazon.html#specifying-amazon-credentials " +
|
|
"for more information on providing credentials for the AWS Builder.")
|
|
} else {
|
|
return nil, fmt.Errorf("Error loading credentials for AWS Provider: %s", err)
|
|
}
|
|
}
|
|
log.Printf("[INFO] AWS Auth provider used: %q", cp.ProviderName)
|
|
|
|
if c.DecodeAuthZMessages {
|
|
DecodeAuthZMessages(c.session)
|
|
}
|
|
LogEnvOverrideWarnings()
|
|
|
|
return c.session, nil
|
|
}
|
|
|
|
func (c *AccessConfig) SessionRegion() string {
|
|
if c.session == nil {
|
|
panic("access config session should be set.")
|
|
}
|
|
return aws.StringValue(c.session.Config.Region)
|
|
}
|
|
|
|
func (c *AccessConfig) IsGovCloud() bool {
|
|
return strings.HasPrefix(c.SessionRegion(), "us-gov-")
|
|
}
|
|
|
|
func (c *AccessConfig) IsChinaCloud() bool {
|
|
return strings.HasPrefix(c.SessionRegion(), "cn-")
|
|
}
|
|
|
|
func (c *AccessConfig) GetCredsFromVault() error {
|
|
// const EnvVaultAddress = "VAULT_ADDR"
|
|
// const EnvVaultToken = "VAULT_TOKEN"
|
|
vaultConfig := vaultapi.DefaultConfig()
|
|
cli, err := vaultapi.NewClient(vaultConfig)
|
|
if err != nil {
|
|
return fmt.Errorf("Error getting Vault client: %s", err)
|
|
}
|
|
if c.VaultAWSEngine.EngineName == "" {
|
|
c.VaultAWSEngine.EngineName = "aws"
|
|
}
|
|
path := fmt.Sprintf("/%s/creds/%s", c.VaultAWSEngine.EngineName,
|
|
c.VaultAWSEngine.Name)
|
|
secret, err := cli.Logical().Read(path)
|
|
if err != nil {
|
|
return fmt.Errorf("Error reading vault secret: %s", err)
|
|
}
|
|
if secret == nil {
|
|
return fmt.Errorf("Vault Secret does not exist at the given path.")
|
|
}
|
|
|
|
c.AccessKey = secret.Data["access_key"].(string)
|
|
c.SecretKey = secret.Data["secret_key"].(string)
|
|
token := secret.Data["security_token"]
|
|
if token != nil {
|
|
c.Token = token.(string)
|
|
} else {
|
|
c.Token = ""
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (c *AccessConfig) Prepare(ctx *interpolate.Context) []error {
|
|
var errs []error
|
|
|
|
if c.SkipMetadataApiCheck {
|
|
log.Println("(WARN) skip_metadata_api_check ignored.")
|
|
}
|
|
|
|
// Make sure it's obvious from the config how we're getting credentials:
|
|
// Vault, Packer config, or environemnt.
|
|
if !c.VaultAWSEngine.Empty() {
|
|
if len(c.AccessKey) > 0 {
|
|
errs = append(errs,
|
|
fmt.Errorf("If you have set vault_aws_engine, you must not set"+
|
|
" the access_key or secret_key."))
|
|
}
|
|
// Go ahead and grab those credentials from Vault now, so we can set
|
|
// the keys and token now.
|
|
err := c.GetCredsFromVault()
|
|
if err != nil {
|
|
errs = append(errs, err)
|
|
}
|
|
}
|
|
|
|
if (len(c.AccessKey) > 0) != (len(c.SecretKey) > 0) {
|
|
errs = append(errs,
|
|
fmt.Errorf("`access_key` and `secret_key` must both be either set or not set."))
|
|
}
|
|
|
|
return errs
|
|
}
|
|
|
|
func (c *AccessConfig) NewEC2Connection() (ec2iface.EC2API, error) {
|
|
if c.getEC2Connection != nil {
|
|
return c.getEC2Connection(), nil
|
|
}
|
|
sess, err := c.Session()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
ec2conn := ec2.New(sess)
|
|
|
|
return ec2conn, nil
|
|
}
|