Merge pull request #129 from drone-plugins/ci-9188

eoinmcafee00 · web-flow · commit fe9d75b80ebf · 2023-08-30T15:46:24.000+01:00
adds externalID mapping for assume role
diff --git a/main.go b/main.go
@@ -132,6 +132,11 @@ func main() {
 			Name:  "env-file",
 			Usage: "source env file",
 		},
+		cli.StringFlag{
+			Name:   "external-id",
+			Usage:  "external ID to use when assuming role",
+			EnvVar: "PLUGIN_EXTERNAL_ID",
+		},
 	}
 
 	if err := app.Run(os.Args); err != nil {
@@ -165,6 +170,7 @@ func run(c *cli.Context) error {
 		StorageClass:          c.String("storage-class"),
 		PathStyle:             c.Bool("path-style"),
 		DryRun:                c.Bool("dry-run"),
+		ExternalID:            c.String("external-id"),
 	}
 
 	return plugin.Exec()
diff --git a/plugin.go b/plugin.go
@@ -90,6 +90,9 @@ type Plugin struct {
 	PathStyle bool
 	// Dry run without uploading/
 	DryRun bool
+
+	// set externalID for assume role
+	ExternalID string
 }
 
 // Exec runs the plugin
@@ -108,7 +111,7 @@ func (p *Plugin) Exec() error {
 	if p.Key != "" && p.Secret != "" {
 		conf.Credentials = credentials.NewStaticCredentials(p.Key, p.Secret, "")
 	} else if p.AssumeRole != "" {
-		conf.Credentials = assumeRole(p.AssumeRole, p.AssumeRoleSessionName)
+		conf.Credentials = assumeRole(p.AssumeRole, p.AssumeRoleSessionName, p.ExternalID)
 	} else {
 		log.Warn("AWS Key and/or Secret not provided (falling back to ec2 instance profile)")
 	}
@@ -287,7 +290,7 @@ func matchExtension(match string, stringMap map[string]string) string {
 	return ""
 }
 
-func assumeRole(roleArn, roleSessionName string) *credentials.Credentials {
+func assumeRole(roleArn, roleSessionName, externalID string) *credentials.Credentials {
 	sess, _ := session.NewSession()
 	client := sts.New(sess)
 	duration := time.Hour * 1
@@ -298,6 +301,10 @@ func assumeRole(roleArn, roleSessionName string) *credentials.Credentials {
 		RoleSessionName: roleSessionName,
 	}
 
+	if externalID != "" {
+		stsProvider.ExternalID = &externalID
+	}
+
 	return credentials.NewCredentials(stsProvider)
 }
 
@@ -318,17 +325,17 @@ func isDir(source string, matches []string) bool {
 	if err != nil {
 		return true // should never happen
 	}
-	if (stat.IsDir()) {
+	if stat.IsDir() {
 		count := 0
 		for _, match := range matches {
 			if strings.HasPrefix(match, source) {
-				count++;
+				count++
 			}
 		}
 		if count <= 1 {
 			log.Warnf("Skipping '%s' since it is a directory. Please use correct glob expression if this is unexpected.", source)
 		}
-		return true;
+		return true
 	}
 	return false
 }

Original file line number	Diff line number	Diff line change
`@@ -90,6 +90,9 @@ type Plugin struct {`
`90`	`90`	`PathStyle bool`
`91`	`91`	`// Dry run without uploading/`
`92`	`92`	`DryRun bool`
	`93`	`+`
	`94`	`+ // set externalID for assume role`
	`95`	`+ ExternalID string`
`93`	`96`	`}`
`94`	`97`
`95`	`98`	`// Exec runs the plugin`
`@@ -108,7 +111,7 @@ func (p *Plugin) Exec() error {`
`108`	`111`	`if p.Key != "" && p.Secret != "" {`
`109`	`112`	`conf.Credentials = credentials.NewStaticCredentials(p.Key, p.Secret, "")`
`110`	`113`	`} else if p.AssumeRole != "" {`
`111`		`- conf.Credentials = assumeRole(p.AssumeRole, p.AssumeRoleSessionName)`
	`114`	`+ conf.Credentials = assumeRole(p.AssumeRole, p.AssumeRoleSessionName, p.ExternalID)`
`112`	`115`	`} else {`
`113`	`116`	`log.Warn("AWS Key and/or Secret not provided (falling back to ec2 instance profile)")`
`114`	`117`	`}`
`@@ -287,7 +290,7 @@ func matchExtension(match string, stringMap map[string]string) string {`
`287`	`290`	`return ""`
`288`	`291`	`}`
`289`	`292`
`290`		`-func assumeRole(roleArn, roleSessionName string) *credentials.Credentials {`
	`293`	`+func assumeRole(roleArn, roleSessionName, externalID string) *credentials.Credentials {`
`291`	`294`	`sess, _ := session.NewSession()`
`292`	`295`	`client := sts.New(sess)`
`293`	`296`	`duration := time.Hour * 1`
`@@ -298,6 +301,10 @@ func assumeRole(roleArn, roleSessionName string) *credentials.Credentials {`
`298`	`301`	`RoleSessionName: roleSessionName,`
`299`	`302`	`}`
`300`	`303`
	`304`	`+ if externalID != "" {`
	`305`	`+ stsProvider.ExternalID = &externalID`
	`306`	`+ }`
	`307`	`+`
`301`	`308`	`return credentials.NewCredentials(stsProvider)`
`302`	`309`	`}`
`303`	`310`
`@@ -318,17 +325,17 @@ func isDir(source string, matches []string) bool {`
`318`	`325`	`if err != nil {`
`319`	`326`	`return true // should never happen`
`320`	`327`	`}`
`321`		`- if (stat.IsDir()) {`
	`328`	`+ if stat.IsDir() {`
`322`	`329`	`count := 0`
`323`	`330`	`for _, match := range matches {`
`324`	`331`	`if strings.HasPrefix(match, source) {`
`325`		`- count++;`
	`332`	`+ count++`
`326`	`333`	`}`
`327`	`334`	`}`
`328`	`335`	`if count <= 1 {`
`329`	`336`	`log.Warnf("Skipping '%s' since it is a directory. Please use correct glob expression if this is unexpected.", source)`
`330`	`337`	`}`
`331`		`- return true;`
	`338`	`+ return true`
`332`	`339`	`}`
`333`	`340`	`return false`
`334`	`341`	`}`