Add assume role support to BBL

danielfor · jpalermo · commit 014d4f19c170 · 2024-06-03T08:48:52.000-07:00
Initial commit.
Includes: BBL assuming the role while terraforming and the iaas
interactions between bbl and aws.
Missing: using the ops file found in bosh-deployment:
`aws/cpi-assume-role-credentials.yml` to make the AWS CPI use the role.
Unit tests/Integration tests.
diff --git a/aws/client.go b/aws/client.go
@@ -8,6 +8,7 @@ import (
 
 	awslib "github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/credentials"
+	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 	"github.com/aws/aws-sdk-go/aws/session"
 	awsec2 "github.com/aws/aws-sdk-go/service/ec2"
 	awsroute53 "github.com/aws/aws-sdk-go/service/route53"
@@ -43,14 +44,19 @@ type Client struct {
 }
 
 func NewClient(creds storage.AWS, logger logger) Client {
-	config := &awslib.Config{
-		Credentials: credentials.NewStaticCredentials(creds.AccessKeyID, creds.SecretAccessKey, ""),
-		Region:      awslib.String(creds.Region),
+	config := awslib.NewConfig().
+		WithCredentials(credentials.NewStaticCredentials(creds.AccessKeyID, creds.SecretAccessKey, "")).
+		WithRegion(creds.Region)
+	awsSession := session.Must(session.NewSession(config))
+
+	if creds.AssumeRoleArn != "" {
+		stsCredentials := stscreds.NewCredentials(awsSession, creds.AssumeRoleArn)
+		awsSession = session.Must(session.NewSession(awslib.NewConfig().WithCredentials(stsCredentials).WithRegion(creds.Region)))
 	}
 
 	return Client{
-		ec2Client:     awsec2.New(session.Must(session.NewSession(config))),
-		route53Client: awsroute53.New(session.Must(session.NewSession(config))),
+		ec2Client:     awsec2.New(awsSession),
+		route53Client: awsroute53.New(awsSession),
 		logger:        logger,
 	}
 }
diff --git a/config/global_flags.go b/config/global_flags.go
@@ -13,6 +13,7 @@ type GlobalFlags struct {
 	AWSAccessKeyID     string `long:"aws-access-key-id"       env:"BBL_AWS_ACCESS_KEY_ID"`
 	AWSSecretAccessKey string `long:"aws-secret-access-key"   env:"BBL_AWS_SECRET_ACCESS_KEY"`
 	AWSRegion          string `long:"aws-region"              env:"BBL_AWS_REGION"`
+	AWSAssumeRole      string `long:"aws-assume-role"         env:"BBL_AWS_ASSUME_ROLE"`
 
 	AzureClientID       string `long:"azure-client-id"        env:"BBL_AZURE_CLIENT_ID"`
 	AzureClientSecret   string `long:"azure-client-secret"    env:"BBL_AZURE_CLIENT_SECRET"`
diff --git a/config/load_state_test.go b/config/load_state_test.go
@@ -193,6 +193,7 @@ var _ = Describe("LoadState", func() {
 					Expect(flags.EnvID).To(Equal("some-name"))
 					Expect(flags.AWSAccessKeyID).To(Equal("some-aws-access-key"))
 					Expect(flags.AWSSecretAccessKey).To(Equal("some-aws-secret-access-key"))
+					Expect(flags.AWSAssumeRole).To(Equal("some-aws-assume-role"))
 				})
 			})
 		})
diff --git a/config/merger.go b/config/merger.go
@@ -116,6 +116,7 @@ func (m Merger) updateVSphereState(globalFlags GlobalFlags, state storage.State)
 func (m Merger) updateAWSState(globalFlags GlobalFlags, state storage.State) (storage.State, error) {
 	copyFlagToState(globalFlags.AWSAccessKeyID, &state.AWS.AccessKeyID)
 	copyFlagToState(globalFlags.AWSSecretAccessKey, &state.AWS.SecretAccessKey)
+	copyFlagToState(globalFlags.AWSAssumeRole, &state.AWS.AssumeRoleArn)
 
 	if globalFlags.AWSRegion != "" {
 		if state.AWS.Region != "" && globalFlags.AWSRegion != state.AWS.Region {
diff --git a/storage/aws.go b/storage/aws.go
@@ -3,5 +3,6 @@ package storage
 type AWS struct {
 	AccessKeyID     string `json:"-"`
 	SecretAccessKey string `json:"-"`
+	AssumeRoleArn   string `json:"assumeRole,omitempty"`
 	Region          string `json:"region,omitempty"`
 }
diff --git a/terraform/aws/input_generator.go b/terraform/aws/input_generator.go
@@ -66,5 +66,6 @@ func (i InputGenerator) Credentials(state storage.State) map[string]string {
 	return map[string]string{
 		"access_key": state.AWS.AccessKeyID,
 		"secret_key": state.AWS.SecretAccessKey,
+		"role_arn":   state.AWS.AssumeRoleArn,
 	}
 }
diff --git a/terraform/aws/templates/base.tf b/terraform/aws/templates/base.tf
@@ -15,6 +15,9 @@ provider "aws" {
   access_key = "${var.access_key}"
   secret_key = "${var.secret_key}"
   region     = "${var.region}"
+  assume_role {
+    role_arn = "${var.role_arn}"
+  }
 }
 
 variable "access_key" {
@@ -29,6 +32,11 @@ variable "region" {
   type = string
 }
 
+variable "role_arn" {
+  type = string
+  default = ""
+}
+
 variable "bosh_inbound_cidr" {
   default = "0.0.0.0/0"
 }

Original file line number	Diff line number	Diff line change
`@@ -3,5 +3,6 @@ package storage`
`3`	`3`	`type AWS struct {`
`4`	`4`	AccessKeyID string `json:"-"`
`5`	`5`	SecretAccessKey string `json:"-"`
	`6`	+ AssumeRoleArn string `json:"assumeRole,omitempty"`
`6`	`7`	Region string `json:"region,omitempty"`
`7`	`8`	`}`
Original file line number	Diff line number	Diff line change
`@@ -66,5 +66,6 @@ func (i InputGenerator) Credentials(state storage.State) map[string]string {`
`66`	`66`	`return map[string]string{`
`67`	`67`	`"access_key": state.AWS.AccessKeyID,`
`68`	`68`	`"secret_key": state.AWS.SecretAccessKey,`
	`69`	`+ "role_arn": state.AWS.AssumeRoleArn,`
`69`	`70`	`}`
`70`	`71`	`}`
Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,9 @@ provider "aws" {`
`15`	`15`	`access_key = "${var.access_key}"`
`16`	`16`	`secret_key = "${var.secret_key}"`
`17`	`17`	`region = "${var.region}"`
	`18`	`+ assume_role {`
	`19`	`+ role_arn = "${var.role_arn}"`
	`20`	`+ }`
`18`	`21`	`}`
`19`	`22`
`20`	`23`	`variable "access_key" {`
`@@ -29,6 +32,11 @@ variable "region" {`
`29`	`32`	`type = string`
`30`	`33`	`}`
`31`	`34`
	`35`	`+variable "role_arn" {`
	`36`	`+ type = string`
	`37`	`+ default = ""`
	`38`	`+}`
	`39`	`+`
`32`	`40`	`variable "bosh_inbound_cidr" {`
`33`	`41`	`default = "0.0.0.0/0"`
`34`	`42`	`}`