Fetch credentials from provider block

Author: wata727

aws/client.go

@@ -107,3 +107,35 @@ func formatBaseConfigError(err error) error {
 	}
 	return err
 }
+
+// Merge returns a merged credentials
+func (c Credentials) Merge(other Credentials) Credentials {
+	if other.AccessKey != "" {
+		c.AccessKey = other.AccessKey
+	}
+	if other.SecretKey != "" {
+		c.SecretKey = other.SecretKey
+	}
+	if other.Profile != "" {
+		c.Profile = other.Profile
+	}
+	if other.CredsFile != "" {
+		c.CredsFile = other.CredsFile
+	}
+	if other.Region != "" {
+		c.Region = other.Region
+	}
+	if other.AssumeRoleARN != "" {
+		c.AssumeRoleARN = other.AssumeRoleARN
+	}
+	if other.AssumeRoleSessionName != "" {
+		c.AssumeRoleSessionName = other.AssumeRoleSessionName
+	}
+	if other.AssumeRoleExternalID != "" {
+		c.AssumeRoleExternalID = other.AssumeRoleExternalID
+	}
+	if other.AssumeRolePolicy != "" {
+		c.AssumeRolePolicy = other.AssumeRolePolicy
+	}
+	return c
+}

aws/client_test.go

@@ -58,3 +58,108 @@ func Test_getBaseConfig(t *testing.T) {
 		}
 	}
 }
+
+func Test_Merge(t *testing.T) {
+	cases := []struct {
+		Name     string
+		Self     Credentials
+		Other    Credentials
+		Expected Credentials
+	}{
+		{
+			Name: "self is empty",
+			Self: Credentials{},
+			Other: Credentials{
+				AccessKey:             "AWS_ACCESS_KEY",
+				SecretKey:             "AWS_SECRET_KEY",
+				Profile:               "default",
+				CredsFile:             "~/.aws/creds",
+				AssumeRoleARN:         "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME",
+				AssumeRoleSessionName: "SESSION_NAME",
+				AssumeRoleExternalID:  "EXTERNAL_ID",
+				AssumeRolePolicy:      "POLICY_NAME",
+				Region:                "us-east-1",
+			},
+			Expected: Credentials{
+				AccessKey:             "AWS_ACCESS_KEY",
+				SecretKey:             "AWS_SECRET_KEY",
+				Profile:               "default",
+				CredsFile:             "~/.aws/creds",
+				AssumeRoleARN:         "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME",
+				AssumeRoleSessionName: "SESSION_NAME",
+				AssumeRoleExternalID:  "EXTERNAL_ID",
+				AssumeRolePolicy:      "POLICY_NAME",
+				Region:                "us-east-1",
+			},
+		},
+		{
+			Name: "other is empty",
+			Self: Credentials{
+				AccessKey:             "AWS_ACCESS_KEY_2",
+				SecretKey:             "AWS_SECRET_KEY_2",
+				Profile:               "staging",
+				CredsFile:             "~/.aws/creds_stg",
+				AssumeRoleARN:         "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME",
+				AssumeRoleSessionName: "SESSION_NAME",
+				AssumeRoleExternalID:  "EXTERNAL_ID",
+				AssumeRolePolicy:      "POLICY_NAME",
+				Region:                "ap-northeast-1",
+			},
+			Other: Credentials{},
+			Expected: Credentials{
+				AccessKey:             "AWS_ACCESS_KEY_2",
+				SecretKey:             "AWS_SECRET_KEY_2",
+				Profile:               "staging",
+				CredsFile:             "~/.aws/creds_stg",
+				AssumeRoleARN:         "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME",
+				AssumeRoleSessionName: "SESSION_NAME",
+				AssumeRoleExternalID:  "EXTERNAL_ID",
+				AssumeRolePolicy:      "POLICY_NAME",
+				Region:                "ap-northeast-1",
+			},
+		},
+		{
+			Name: "merged",
+			Self: Credentials{
+				AccessKey:             "AWS_ACCESS_KEY_2",
+				SecretKey:             "AWS_SECRET_KEY_2",
+				Profile:               "staging",
+				CredsFile:             "~/.aws/creds_stg",
+				AssumeRoleARN:         "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME_2",
+				AssumeRoleSessionName: "SESSION_NAME_2",
+				AssumeRoleExternalID:  "EXTERNAL_ID_2",
+				AssumeRolePolicy:      "POLICY_NAME_2",
+				Region:                "ap-northeast-1",
+			},
+			Other: Credentials{
+				AccessKey:             "AWS_ACCESS_KEY",
+				SecretKey:             "AWS_SECRET_KEY",
+				Profile:               "default",
+				CredsFile:             "~/.aws/creds",
+				AssumeRoleARN:         "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME",
+				AssumeRoleSessionName: "SESSION_NAME",
+				AssumeRoleExternalID:  "EXTERNAL_ID",
+				AssumeRolePolicy:      "POLICY_NAME",
+				Region:                "us-east-1",
+			},
+			Expected: Credentials{
+				AccessKey:             "AWS_ACCESS_KEY",
+				SecretKey:             "AWS_SECRET_KEY",
+				Profile:               "default",
+				CredsFile:             "~/.aws/creds",
+				AssumeRoleARN:         "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME",
+				AssumeRoleSessionName: "SESSION_NAME",
+				AssumeRoleExternalID:  "EXTERNAL_ID",
+				AssumeRolePolicy:      "POLICY_NAME",
+				Region:                "us-east-1",
+			},
+		},
+	}
+
+	for _, tc := range cases {
+		ret := tc.Self.Merge(tc.Other)
+		if !cmp.Equal(tc.Expected, ret) {
+			t.Fatalf("Failed `%s` test: Diff=%s", tc.Name, cmp.Diff(tc.Expected, ret))
+		}
+	}
+}

aws/provider.go

@@ -0,0 +1,210 @@
+package aws
+
+import (
+	"log"
+
+	"github.com/hashicorp/hcl/v2"
+	"github.com/terraform-linters/tflint-plugin-sdk/terraform/configs"
+	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
+)
+
+// AwsProviderBlockSchema is a schema of `aws` provider block
+var AwsProviderBlockSchema = &hcl.BodySchema{
+	Attributes: []hcl.AttributeSchema{
+		{Name: "access_key"},
+		{Name: "secret_key"},
+		{Name: "profile"},
+		{Name: "shared_credentials_file"},
+		{Name: "region"},
+	},
+	Blocks: []hcl.BlockHeaderSchema{
+		{Type: "assume_role"},
+	},
+}
+
+// AwsProviderAssumeRoleBlockShema is a schema of `assume_role` block
+var AwsProviderAssumeRoleBlockShema = &hcl.BodySchema{
+	Attributes: []hcl.AttributeSchema{
+		{Name: "role_arn", Required: true},
+		{Name: "session_name"},
+		{Name: "external_id"},
+		{Name: "policy"},
+	},
+}
+
+// ProviderData represents a provider block with an eval context (runner)
+type ProviderData struct {
+	provider   *configs.Provider
+	runner     tflint.Runner
+	attributes hcl.Attributes
+	blocks     hcl.Blocks
+}
+
+// GetCredentialsFromProvider retrieves credentials from the "provider" block in the Terraform configuration
+func GetCredentialsFromProvider(runner tflint.Runner) (Credentials, error) {
+	creds := Credentials{}
+
+	providerConfig, err := runner.RootProvider("aws")
+	if err != nil || providerConfig == nil {
+		return creds, err
+	}
+
+	d, err := newProviderData(providerConfig, runner)
+	if err != nil {
+		return creds, err
+	}
+
+	accessKey, exists, err := d.Get("access_key")
+	if err != nil {
+		return creds, err
+	}
+	if exists {
+		creds.AccessKey = accessKey
+	}
+
+	secretKey, exists, err := d.Get("secret_key")
+	if err != nil {
+		return creds, err
+	}
+	if exists {
+		creds.SecretKey = secretKey
+	}
+
+	profile, exists, err := d.Get("profile")
+	if err != nil {
+		return creds, err
+	}
+	if exists {
+		creds.Profile = profile
+	}
+
+	credsFile, exists, err := d.Get("shared_credentials_file")
+	if err != nil {
+		return creds, err
+	}
+	if exists {
+		creds.CredsFile = credsFile
+	}
+
+	region, exists, err := d.Get("region")
+	if err != nil {
+		return creds, err
+	}
+	if exists {
+		creds.Region = region
+	}
+
+	assumeRole, exists, err := d.GetBlock("assume_role", AwsProviderAssumeRoleBlockShema)
+	if err != nil {
+		return creds, err
+	}
+	if exists {
+		roleARN, exists, err := assumeRole.Get("role_arn")
+		if err != nil {
+			return creds, err
+		}
+		if exists {
+			creds.AssumeRoleARN = roleARN
+		}
+
+		sessionName, exists, err := assumeRole.Get("session_name")
+		if err != nil {
+			return creds, err
+		}
+		if exists {
+			creds.AssumeRoleSessionName = sessionName
+		}
+
+		externalID, exists, err := assumeRole.Get("external_id")
+		if err != nil {
+			return creds, err
+		}
+		if exists {
+			creds.AssumeRoleExternalID = externalID
+		}
+
+		policy, exists, err := assumeRole.Get("policy")
+		if err != nil {
+			return creds, err
+		}
+		if exists {
+			creds.AssumeRolePolicy = policy
+		}
+	}
+
+	return creds, nil
+}
+
+func newProviderData(provider *configs.Provider, runner tflint.Runner) (*ProviderData, error) {
+	providerData := &ProviderData{
+		provider:   provider,
+		runner:     runner,
+		attributes: map[string]*hcl.Attribute{},
+		blocks:     []*hcl.Block{},
+	}
+
+	if provider != nil {
+		content, _, diags := provider.Config.PartialContent(AwsProviderBlockSchema)
+		if diags.HasErrors() {
+			return nil, diags
+		}
+
+		providerData.attributes = content.Attributes
+		providerData.blocks = content.Blocks
+	}
+
+	return providerData, nil
+}
+
+// Get returns a value corresponding to the given key
+// It should be noted that the value is evaluated if it is evaluable
+// The second return value is a flag that determines whether a value exists
+// We assume the provider has only simple attributes, so it just returns string
+func (d *ProviderData) Get(key string) (string, bool, error) {
+	attribute, exists := d.attributes[key]
+	if !exists {
+		log.Printf("[INFO] `%s` is not found in the provider block.", key)
+		return "", false, nil
+	}
+
+	var val string
+	err := d.runner.EvaluateExprOnRootCtx(attribute.Expr, &val)
+
+	err = d.runner.EnsureNoError(err, func() error { return nil })
+	if err != nil {
+		return "", true, err
+	}
+	return val, true, nil
+}
+
+// GetBlock returns a value just like Get.
+// The difference is that GetBlock returns ProviderData rather than a string value.
+func (d *ProviderData) GetBlock(key string, schema *hcl.BodySchema) (*ProviderData, bool, error) {
+	providerData := &ProviderData{
+		provider:   d.provider,
+		runner:     d.runner,
+		attributes: map[string]*hcl.Attribute{},
+		blocks:     []*hcl.Block{},
+	}
+
+	var ret *hcl.Block
+	for _, block := range d.blocks {
+		if block.Type == key {
+			ret = block
+		}
+	}
+	if ret == nil {
+		log.Printf("[INFO] `%s` is not found in the provider block.", key)
+		return providerData, false, nil
+	}
+
+	content, _, diags := ret.Body.PartialContent(schema)
+	if diags.HasErrors() {
+		return providerData, true, diags
+	}
+
+	providerData.attributes = content.Attributes
+	providerData.blocks = content.Blocks
+
+	return providerData, true, nil
+}

aws/runner.go

@@ -19,8 +19,12 @@ type Runner struct {
 func NewRunner(runner tflint.Runner, config *Config) (*Runner, error) {
 	var client *Client
 	if config.DeepCheck {
-		var err error
-		client, err = NewClient(config.toCredentials())
+		credentials, err := GetCredentialsFromProvider(runner)
+		if err != nil {
+			return nil, err
+		}
+
+		client, err = NewClient(config.toCredentials().Merge(credentials))
 		if err != nil {
 			return nil, err
 		}

go.mod

@@ -5,14 +5,14 @@ go 1.15
 require (
 	github.com/aws/aws-sdk-go v1.35.2
 	github.com/golang/mock v1.4.3
-	github.com/google/go-cmp v0.5.2
+	github.com/google/go-cmp v0.5.3
 	github.com/hashicorp/aws-sdk-go-base v0.7.0
-	github.com/hashicorp/hcl/v2 v2.7.0
+	github.com/hashicorp/hcl/v2 v2.7.1
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.2.0
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/onsi/ginkgo v1.14.2 // indirect
 	github.com/onsi/gomega v1.10.3 // indirect
 	github.com/serenize/snaker v0.0.0-20201027110005-a7ad2135616e
-	github.com/terraform-linters/tflint-plugin-sdk v0.5.1-0.20201116165411-717d11fa62f2
+	github.com/terraform-linters/tflint-plugin-sdk v0.6.1-0.20201205142940-d49361e1c42c
 	github.com/terraform-providers/terraform-provider-aws v1.60.1-0.20201015205411-546f68d4a935
 )