Pass AWS assume role ops files and variables

If the AWS assume role ARN is set, the scripts to create both the BOSH
Director and jumpbox need to pass additional ops files and variables.

[#184999423] Add AssumeRole support to bbl

Author: ystros

bosh/executor.go

@@ -101,6 +101,10 @@ func (e Executor) getSetupFiles(sourcePath, destPath string) []setupFile {
 }
 
 func (e Executor) PlanJumpbox(input DirInput, deploymentDir, iaas string) error {
+	return e.PlanJumpboxWithState(input, deploymentDir, iaas, storage.State{})
+}
+
+func (e Executor) PlanJumpboxWithState(input DirInput, deploymentDir, iaas string, state storage.State) error {
 	setupFiles := e.getSetupFiles(jumpboxDeploymentRepo, deploymentDir)
 
 	for _, f := range setupFiles {
@@ -128,6 +132,12 @@ func (e Executor) PlanJumpbox(input DirInput, deploymentDir, iaas string) error
 		}
 	}
 
+	if iaas == "aws" {
+		if state.AWS.AssumeRoleArn != "" {
+			sharedArgs = append(sharedArgs, "-o", filepath.Join(deploymentDir, "aws", "cpi-assume-role-credentials.yml"))
+		}
+	}
+
 	jumpboxState := filepath.Join(input.VarsDir, "jumpbox-state.json")
 
 	boshArgs := append([]string{filepath.Join(deploymentDir, "jumpbox.yml"), "--state", jumpboxState}, sharedArgs...)
@@ -138,6 +148,11 @@ func (e Executor) PlanJumpbox(input DirInput, deploymentDir, iaas string) error
 			"-v", `access_key_id="${BBL_AWS_ACCESS_KEY_ID}"`,
 			"-v", `secret_access_key="${BBL_AWS_SECRET_ACCESS_KEY}"`,
 		)
+		if state.AWS.AssumeRoleArn != "" {
+			boshArgs = append(boshArgs,
+				"-v", `role_arn="${BBL_AWS_ASSUME_ROLE}"`,
+			)
+		}
 	case "azure":
 		boshArgs = append(boshArgs,
 			"-v", `subscription_id="${BBL_AZURE_SUBSCRIPTION_ID}"`,
@@ -210,7 +225,7 @@ func (e Executor) getDirectorSetupFiles(stateDir, deploymentDir, iaas string) []
 	return files
 }
 
-func (e Executor) getDirectorOpsFiles(stateDir, deploymentDir, iaas string) []string {
+func (e Executor) getDirectorOpsFiles(stateDir, deploymentDir, iaas string, state storage.State) []string {
 	files := []string{
 		filepath.Join(deploymentDir, iaas, "cpi.yml"),
 		filepath.Join(deploymentDir, "jumpbox-user.yml"),
@@ -223,13 +238,20 @@ func (e Executor) getDirectorOpsFiles(stateDir, deploymentDir, iaas string) []st
 		files = append(files, filepath.Join(stateDir, "bbl-ops-files", iaas, "bosh-director-ephemeral-ip-ops.yml"))
 		files = append(files, filepath.Join(deploymentDir, iaas, "iam-instance-profile.yml"))
 		files = append(files, filepath.Join(deploymentDir, iaas, "encrypted-disk.yml"))
+		if state.AWS.AssumeRoleArn != "" {
+			files = append(files, filepath.Join(deploymentDir, iaas, "cpi-assume-role-credentials.yml"))
+		}
 	} else if iaas == "vsphere" {
 		files = append(files, filepath.Join(deploymentDir, "vsphere", "resource-pool.yml"))
 	}
 	return files
 }
 
 func (e Executor) PlanDirector(input DirInput, deploymentDir, iaas string) error {
+	return e.PlanDirectorWithState(input, deploymentDir, iaas, storage.State{})
+}
+
+func (e Executor) PlanDirectorWithState(input DirInput, deploymentDir, iaas string, state storage.State) error {
 	setupFiles := e.getDirectorSetupFiles(input.StateDir, deploymentDir, iaas)
 
 	for _, f := range setupFiles {
@@ -246,7 +268,7 @@ func (e Executor) PlanDirector(input DirInput, deploymentDir, iaas string) error
 		"--vars-file", filepath.Join(input.VarsDir, "director-vars-file.yml"),
 	}
 
-	for _, f := range e.getDirectorOpsFiles(input.StateDir, deploymentDir, iaas) {
+	for _, f := range e.getDirectorOpsFiles(input.StateDir, deploymentDir, iaas, state) {
 		sharedArgs = append(sharedArgs, "-o", f)
 	}
 
@@ -260,6 +282,11 @@ func (e Executor) PlanDirector(input DirInput, deploymentDir, iaas string) error
 			"-v", `access_key_id="${BBL_AWS_ACCESS_KEY_ID}"`,
 			"-v", `secret_access_key="${BBL_AWS_SECRET_ACCESS_KEY}"`,
 		)
+		if state.AWS.AssumeRoleArn != "" {
+			boshArgs = append(boshArgs,
+				"-v", `role_arn="${BBL_AWS_ASSUME_ROLE}"`,
+			)
+		}
 	case "azure":
 		boshArgs = append(boshArgs,
 			"-v", `subscription_id="${BBL_AZURE_SUBSCRIPTION_ID}"`,

bosh/executor_test.go

@@ -75,55 +75,102 @@ var _ = Describe("Executor", func() {
 	})
 
 	Describe("PlanJumpbox", func() {
-		It("writes bosh-deployment assets to the deployment dir", func() {
-			err := executor.PlanJumpbox(dirInput, deploymentDir, "aws")
-			Expect(err).NotTo(HaveOccurred())
+		Context("on aws", func() {
+			It("writes bosh-deployment assets to the deployment dir", func() {
+				err := executor.PlanJumpbox(dirInput, deploymentDir, "aws")
+				Expect(err).NotTo(HaveOccurred())
 
-			By("writing bosh-deployment assets to the deployment dir", func() {
-				simplePath := filepath.Join(deploymentDir, "no-external-ip.yml")
+				By("writing bosh-deployment assets to the deployment dir", func() {
+					simplePath := filepath.Join(deploymentDir, "no-external-ip.yml")
 
-				contents, err := fs.ReadFile(simplePath)
-				Expect(err).NotTo(HaveOccurred())
-				Expect(string(contents)).To(Equal("no-ip"))
+					contents, err := fs.ReadFile(simplePath)
+					Expect(err).NotTo(HaveOccurred())
+					Expect(string(contents)).To(Equal("no-ip"))
 
-				nestedPath := filepath.Join(deploymentDir, "aws", "cpi.yml")
+					nestedPath := filepath.Join(deploymentDir, "aws", "cpi.yml")
 
-				contents, err = fs.ReadFile(nestedPath)
-				Expect(err).NotTo(HaveOccurred())
-				Expect(string(contents)).To(Equal("aws-cpi"))
+					contents, err = fs.ReadFile(nestedPath)
+					Expect(err).NotTo(HaveOccurred())
+					Expect(string(contents)).To(Equal("aws-cpi"))
+				})
+
+				By("writing create-env and delete-env scripts", func() {
+					expectedArgs := []string{
+						fmt.Sprintf("%s/jumpbox.yml", relativeDeploymentDir),
+						"--state", fmt.Sprintf("%s/jumpbox-state.json", relativeVarsDir),
+						"--vars-store", fmt.Sprintf("%s/jumpbox-vars-store.yml", relativeVarsDir),
+						"--vars-file", fmt.Sprintf("%s/jumpbox-vars-file.yml", relativeVarsDir),
+						"-o", fmt.Sprintf("%s/aws/cpi.yml", relativeDeploymentDir),
+						"-v", `access_key_id="${BBL_AWS_ACCESS_KEY_ID}"`,
+						"-v", `secret_access_key="${BBL_AWS_SECRET_ACCESS_KEY}"`,
+					}
+
+					expectedScript := formatScript("create-env", stateDir, expectedArgs)
+					scriptPath := fmt.Sprintf("%s/create-jumpbox.sh", stateDir)
+					shellScript, err := fs.ReadFile(scriptPath)
+					Expect(err).NotTo(HaveOccurred())
+
+					fileinfo, err := fs.Stat(scriptPath)
+					Expect(err).NotTo(HaveOccurred())
+					Expect(fileinfo.Mode().String()).To(Equal("-rwxr-x---"))
+					Expect(string(shellScript)).To(Equal(expectedScript))
+
+					expectedScript = formatScript("delete-env", stateDir, expectedArgs)
+					scriptPath = fmt.Sprintf("%s/delete-jumpbox.sh", stateDir)
+					shellScript, err = fs.ReadFile(scriptPath)
+					Expect(err).NotTo(HaveOccurred())
+
+					fileinfo, err = fs.Stat(scriptPath)
+					Expect(err).NotTo(HaveOccurred())
+					Expect(fileinfo.Mode().String()).To(Equal("-rwxr-x---"))
+					Expect(err).NotTo(HaveOccurred())
+					Expect(string(shellScript)).To(Equal(expectedScript))
+				})
 			})
 
-			By("writing create-env and delete-env scripts", func() {
-				expectedArgs := []string{
-					fmt.Sprintf("%s/jumpbox.yml", relativeDeploymentDir),
-					"--state", fmt.Sprintf("%s/jumpbox-state.json", relativeVarsDir),
-					"--vars-store", fmt.Sprintf("%s/jumpbox-vars-store.yml", relativeVarsDir),
-					"--vars-file", fmt.Sprintf("%s/jumpbox-vars-file.yml", relativeVarsDir),
-					"-o", fmt.Sprintf("%s/aws/cpi.yml", relativeDeploymentDir),
-					"-v", `access_key_id="${BBL_AWS_ACCESS_KEY_ID}"`,
-					"-v", `secret_access_key="${BBL_AWS_SECRET_ACCESS_KEY}"`,
-				}
+			Context("when assume role is set", func() {
+				It("writes create-env and delete-env scripts with the assume role ops files and variables", func() {
+					state := storage.State{
+						AWS: storage.AWS{
+							AssumeRoleArn: "some-aws-assume-role",
+						},
+					}
+					err := executor.PlanJumpboxWithState(dirInput, deploymentDir, "aws", state)
+					Expect(err).NotTo(HaveOccurred())
 
-				expectedScript := formatScript("create-env", stateDir, expectedArgs)
-				scriptPath := fmt.Sprintf("%s/create-jumpbox.sh", stateDir)
-				shellScript, err := fs.ReadFile(scriptPath)
-				Expect(err).NotTo(HaveOccurred())
+					expectedArgs := []string{
+						fmt.Sprintf("%s/jumpbox.yml", relativeDeploymentDir),
+						"--state", fmt.Sprintf("%s/jumpbox-state.json", relativeVarsDir),
+						"--vars-store", fmt.Sprintf("%s/jumpbox-vars-store.yml", relativeVarsDir),
+						"--vars-file", fmt.Sprintf("%s/jumpbox-vars-file.yml", relativeVarsDir),
+						"-o", fmt.Sprintf("%s/aws/cpi.yml", relativeDeploymentDir),
+						"-o", fmt.Sprintf("%s/aws/cpi-assume-role-credentials.yml", relativeDeploymentDir),
+						"-v", `access_key_id="${BBL_AWS_ACCESS_KEY_ID}"`,
+						"-v", `secret_access_key="${BBL_AWS_SECRET_ACCESS_KEY}"`,
+						"-v", `role_arn="${BBL_AWS_ASSUME_ROLE}"`,
+					}
 
-				fileinfo, err := fs.Stat(scriptPath)
-				Expect(err).NotTo(HaveOccurred())
-				Expect(fileinfo.Mode().String()).To(Equal("-rwxr-x---"))
-				Expect(string(shellScript)).To(Equal(expectedScript))
+					expectedScript := formatScript("create-env", stateDir, expectedArgs)
+					scriptPath := fmt.Sprintf("%s/create-jumpbox.sh", stateDir)
+					shellScript, err := fs.ReadFile(scriptPath)
+					Expect(err).NotTo(HaveOccurred())
 
-				expectedScript = formatScript("delete-env", stateDir, expectedArgs)
-				scriptPath = fmt.Sprintf("%s/delete-jumpbox.sh", stateDir)
-				shellScript, err = fs.ReadFile(scriptPath)
-				Expect(err).NotTo(HaveOccurred())
+					fileinfo, err := fs.Stat(scriptPath)
+					Expect(err).NotTo(HaveOccurred())
+					Expect(fileinfo.Mode().String()).To(Equal("-rwxr-x---"))
+					Expect(string(shellScript)).To(Equal(expectedScript))
 
-				fileinfo, err = fs.Stat(scriptPath)
-				Expect(err).NotTo(HaveOccurred())
-				Expect(fileinfo.Mode().String()).To(Equal("-rwxr-x---"))
-				Expect(err).NotTo(HaveOccurred())
-				Expect(string(shellScript)).To(Equal(expectedScript))
+					expectedScript = formatScript("delete-env", stateDir, expectedArgs)
+					scriptPath = fmt.Sprintf("%s/delete-jumpbox.sh", stateDir)
+					shellScript, err = fs.ReadFile(scriptPath)
+					Expect(err).NotTo(HaveOccurred())
+
+					fileinfo, err = fs.Stat(scriptPath)
+					Expect(err).NotTo(HaveOccurred())
+					Expect(fileinfo.Mode().String()).To(Equal("-rwxr-x---"))
+					Expect(err).NotTo(HaveOccurred())
+					Expect(string(shellScript)).To(Equal(expectedScript))
+				})
 			})
 		})
 
@@ -347,7 +394,7 @@ var _ = Describe("Executor", func() {
 					"-v", `secret_access_key="${BBL_AWS_SECRET_ACCESS_KEY}"`,
 				}
 
-				behavesLikePlan(expectedArgs, cli, fs, executor, dirInput, deploymentDir, "aws", stateDir)
+				behavesLikePlan(expectedArgs, cli, fs, executor, dirInput, deploymentDir, "aws", stateDir, storage.State{})
 			})
 
 			It("writes aws-specific ops files", func() {
@@ -364,6 +411,35 @@ var _ = Describe("Executor", func() {
   value: true
 `))
 			})
+
+			Context("when assume role is set", func() {
+				It("writes create-director.sh and delete-director.sh including the assume role ops files and variables", func() {
+					expectedArgs := []string{
+						filepath.Join(relativeDeploymentDir, "bosh.yml"),
+						"--state", filepath.Join(relativeVarsDir, "bosh-state.json"),
+						"--vars-store", filepath.Join(relativeVarsDir, "director-vars-store.yml"),
+						"--vars-file", filepath.Join(relativeVarsDir, "director-vars-file.yml"),
+						"-o", filepath.Join(relativeDeploymentDir, "aws", "cpi.yml"),
+						"-o", filepath.Join(relativeDeploymentDir, "jumpbox-user.yml"),
+						"-o", filepath.Join(relativeDeploymentDir, "uaa.yml"),
+						"-o", filepath.Join(relativeDeploymentDir, "credhub.yml"),
+						"-o", filepath.Join(relativeStateDir, "bbl-ops-files", "aws", "bosh-director-ephemeral-ip-ops.yml"),
+						"-o", filepath.Join(relativeDeploymentDir, "aws", "iam-instance-profile.yml"),
+						"-o", filepath.Join(relativeDeploymentDir, "aws", "encrypted-disk.yml"),
+						"-o", filepath.Join(relativeDeploymentDir, "aws", "cpi-assume-role-credentials.yml"),
+						"-v", `access_key_id="${BBL_AWS_ACCESS_KEY_ID}"`,
+						"-v", `secret_access_key="${BBL_AWS_SECRET_ACCESS_KEY}"`,
+						"-v", `role_arn="${BBL_AWS_ASSUME_ROLE}"`,
+					}
+
+					state := storage.State{
+						AWS: storage.AWS{
+							AssumeRoleArn: "some-aws-assume-role",
+						},
+					}
+					behavesLikePlan(expectedArgs, cli, fs, executor, dirInput, deploymentDir, "aws", stateDir, state)
+				})
+			})
 		})
 
 		Context("gcp", func() {
@@ -383,7 +459,7 @@ var _ = Describe("Executor", func() {
 					"-v", `zone="${BBL_GCP_ZONE}"`,
 				}
 
-				behavesLikePlan(expectedArgs, cli, fs, executor, dirInput, deploymentDir, "gcp", stateDir)
+				behavesLikePlan(expectedArgs, cli, fs, executor, dirInput, deploymentDir, "gcp", stateDir, storage.State{})
 			})
 
 			It("writes gcp-specific ops files", func() {
@@ -419,7 +495,7 @@ var _ = Describe("Executor", func() {
 					"-v", `tenant_id="${BBL_AZURE_TENANT_ID}"`,
 				}
 
-				behavesLikePlan(expectedArgs, cli, fs, executor, dirInput, deploymentDir, "azure", stateDir)
+				behavesLikePlan(expectedArgs, cli, fs, executor, dirInput, deploymentDir, "azure", stateDir, storage.State{})
 			})
 		})
 
@@ -439,7 +515,7 @@ var _ = Describe("Executor", func() {
 					"-v", `vcenter_password="${BBL_VSPHERE_VCENTER_PASSWORD}"`,
 				}
 
-				behavesLikePlan(expectedArgs, cli, fs, executor, dirInput, deploymentDir, "vsphere", stateDir)
+				behavesLikePlan(expectedArgs, cli, fs, executor, dirInput, deploymentDir, "vsphere", stateDir, storage.State{})
 			})
 		})
 
@@ -458,7 +534,7 @@ var _ = Describe("Executor", func() {
 					"-v", `openstack_password="${BBL_OPENSTACK_PASSWORD}"`,
 				}
 
-				behavesLikePlan(expectedArgs, cli, fs, executor, dirInput, deploymentDir, "openstack", stateDir)
+				behavesLikePlan(expectedArgs, cli, fs, executor, dirInput, deploymentDir, "openstack", stateDir, storage.State{})
 			})
 		})
 		Context("cloudstack", func() {
@@ -1028,13 +1104,13 @@ type behavesLikePlanFs interface {
 	fileio.Stater
 }
 
-func behavesLikePlan(expectedArgs []string, cli *fakes.BOSHCLI, fs behavesLikePlanFs, executor bosh.Executor, input bosh.DirInput, deploymentDir, iaas, stateDir string) {
+func behavesLikePlan(expectedArgs []string, cli *fakes.BOSHCLI, fs behavesLikePlanFs, executor bosh.Executor, input bosh.DirInput, deploymentDir, iaas, stateDir string, state storage.State) {
 	cli.RunStub = func(stdout io.Writer, workingDirectory string, args []string) error {
 		stdout.Write([]byte("some-manifest")) //nolint:errcheck
 		return nil
 	}
 
-	err := executor.PlanDirector(input, deploymentDir, iaas)
+	err := executor.PlanDirectorWithState(input, deploymentDir, iaas, state)
 	Expect(err).NotTo(HaveOccurred())
 	Expect(cli.RunCallCount()).To(Equal(0))
 

bosh/manager.go

@@ -40,8 +40,8 @@ type directorVars struct {
 }
 
 type executor interface {
-	PlanDirector(DirInput, string, string) error
-	PlanJumpbox(DirInput, string, string) error
+	PlanDirectorWithState(DirInput, string, string, storage.State) error
+	PlanJumpboxWithState(DirInput, string, string, storage.State) error
 	CreateEnv(DirInput, storage.State) (string, error)
 	DeleteEnv(DirInput, storage.State) error
 	WriteDeploymentVars(DirInput, string) error
@@ -107,7 +107,7 @@ func (m *Manager) InitializeJumpbox(state storage.State) error {
 		VarsDir:  varsDir,
 	}
 
-	err = m.executor.PlanJumpbox(iaasInputs, deploymentDir, state.IAAS)
+	err = m.executor.PlanJumpboxWithState(iaasInputs, deploymentDir, state.IAAS, state)
 	if err != nil {
 		return fmt.Errorf("Jumpbox interpolate: %s", err)
 	}
@@ -186,7 +186,7 @@ func (m *Manager) InitializeDirector(state storage.State) error {
 		VarsDir:  varsDir,
 	}
 
-	err = m.executor.PlanDirector(iaasInputs, directorDeploymentDir, state.IAAS)
+	err = m.executor.PlanDirectorWithState(iaasInputs, directorDeploymentDir, state.IAAS, state)
 	if err != nil {
 		return err
 	}

bosh/manager_test.go

@@ -102,17 +102,17 @@ director_ssl:
 			It("Calls PlanDirector", func() {
 				err := boshManager.InitializeDirector(state)
 				Expect(err).NotTo(HaveOccurred())
-				Expect(boshExecutor.PlanDirectorCall.Receives.DirInput.VarsDir).To(Equal("some-bbl-vars-dir"))
-				Expect(boshExecutor.PlanDirectorCall.Receives.DirInput.StateDir).To(Equal("some-state-dir"))
-				Expect(boshExecutor.PlanDirectorCall.Receives.DeploymentDir).To(Equal("some-director-deployment-dir"))
-				Expect(boshExecutor.PlanJumpboxCall.CallCount).To(Equal(0))
+				Expect(boshExecutor.PlanDirectorWithStateCall.Receives.DirInput.VarsDir).To(Equal("some-bbl-vars-dir"))
+				Expect(boshExecutor.PlanDirectorWithStateCall.Receives.DirInput.StateDir).To(Equal("some-state-dir"))
+				Expect(boshExecutor.PlanDirectorWithStateCall.Receives.DeploymentDir).To(Equal("some-director-deployment-dir"))
+				Expect(boshExecutor.PlanJumpboxWithStateCall.CallCount).To(Equal(0))
 
 				Expect(boshExecutor.CreateEnvCall.CallCount).To(Equal(0))
 			})
 
 			Context("when create env args fails", func() {
 				BeforeEach(func() {
-					boshExecutor.PlanDirectorCall.Returns.Error = errors.New("failed to interpolate")
+					boshExecutor.PlanDirectorWithStateCall.Returns.Error = errors.New("failed to interpolate")
 				})
 
 				It("returns an error", func() {
@@ -238,13 +238,13 @@ director_ssl:
 		})
 
 		Describe("InitializeJumpbox", func() {
-			It("calls PlanJumpboxCall appropriately", func() {
+			It("calls PlanJumpboxWithStateCall appropriately", func() {
 				err := boshManager.InitializeJumpbox(state)
 				Expect(err).NotTo(HaveOccurred())
 
-				Expect(boshExecutor.PlanJumpboxCall.Receives.DeploymentDir).To(Equal("some-jumpbox-deployment-dir"))
-				Expect(boshExecutor.PlanJumpboxCall.Receives.DirInput.VarsDir).To(Equal("some-bbl-vars-dir"))
-				Expect(boshExecutor.PlanJumpboxCall.Receives.DirInput.StateDir).To(Equal("some-state-dir"))
+				Expect(boshExecutor.PlanJumpboxWithStateCall.Receives.DeploymentDir).To(Equal("some-jumpbox-deployment-dir"))
+				Expect(boshExecutor.PlanJumpboxWithStateCall.Receives.DirInput.VarsDir).To(Equal("some-bbl-vars-dir"))
+				Expect(boshExecutor.PlanJumpboxWithStateCall.Receives.DirInput.StateDir).To(Equal("some-state-dir"))
 			})
 
 			Context("when an error occurs", func() {