From a0a6fef3f8bd9791f10fc3977bac3bedbbd3e1e3 Mon Sep 17 00:00:00 2001
From: Andrew Magana
Date: Tue, 12 May 2020 14:36:10 -0400
Subject: [PATCH 1/2] Added a check to make sure credentials are correct, otherwise an error will be thrown with an appropriate error response.
---
 config.go | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
diff --git a/config.go b/config.go
index 4e6645ad..de197160 100644
--- a/config.go
+++ b/config.go
@@ -5,6 +5,8 @@ import (
 "fmt"
 "log"
 "os"
+ "os/exec"
+ "strings"
 "time"
 "github.com/hashicorp/go-cleanhttp"
@@ -145,6 +147,12 @@ providing credentials for the ALKS Provider`)
 return nil, serr
 }
+ // check if the user is using a assume-role IAM admin session
+ if isValidIAM() != true {
+ return nil, errors.New("Looks like you are not using ALKS IAM credentials. This will result in errors when creating roles. \n " +
+ "Note: If using ALKS CLI to get credentials, be sure to use the '-i' flag. \n Please see https://coxautoinc.sharepoint.com/sites/service-internal-tools-team/SitePages/ALKS-Terraform-Provider---Troubleshooting.aspx for more information.")
+ }
+
 // got good creds, create alks sts client
 client, err := alks.NewSTSClient(c.URL, cp.AccessKeyID, cp.SecretAccessKey, cp.SessionToken)
@@ -166,3 +174,22 @@ func getPluginVersion() string {
 return "unknown"
 }
+
+func isValidIAM() bool {
+ arg0 := "aws"
+ arg1 := "sts"
+ arg2 := "get-caller-identity"
+ arg3 := "--query"
+ arg4 := "[Arn]"
+ arg5 := "--output"
+ arg6 := "text"
+
+ cmd := exec.Command(arg0, arg1, arg2, arg3, arg4, arg5, arg6)
+ role, _ := cmd.Output()
+
+ if strings.Contains(string(role), "assumed-role/Admin/") || strings.Contains(string(role), "assumed-role/IAMAdmin/") {
+ return true
+ }
+
+ return false
+}
From b413c55d82f66de47855cf4fa231efe14e0e8591 Mon Sep 17 00:00:00 2001
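Review bot: The added failure path in the `@@ -145,6 +147,12 @@` hunk stops provider configuration with a hard error, yet its text only predicts a later problem ("This will result in errors when creating roles"), so the comment above the check should state the intent, e.g. `// fail fast: the provider requires an Admin or IAMAdmin assumed-role session`. The condition reads more idiomatically as `if !isValidIAM() {`, and Go error strings are conventionally lowercase with no embedded newlines. The troubleshooting link points at a SharePoint site that presumably needs a corporate sign-in, so the message should stay self-sufficient for readers who cannot open it. The enclosing function starts outside the hunk, and the same lines are carried into PATCH 2/2's `@@ -148,7 +147,7 @@` hunk.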
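Review bot: `isValidIAM()` in the `@@ -166,3 +174,22 @@` hunk inspects whatever identity the `aws` CLI resolves, not the credentials the provider validated: `exec.Command` goes through the CLI's own profile and environment lookup, while the surrounding code works from `cp` and the STS client, so the two can disagree. `role, _ := cmd.Output()` also discards the error, so a missing or failing `aws` binary surfaces as the "not using ALKS IAM credentials" message, and the binary is located through PATH. PATCH 2/2 replaces the subprocess with the ARN returned by `stsconn.GetCallerIdentity`; squashing the two patches would keep this exec-based revision out of history, where it could otherwise be built or bisected into.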
From: Andrew Magana
Date: Wed, 13 May 2020 14:57:02 -0400
Subject: [PATCH 2/2] Replaced calling aws CLI with using the already imported AWS Go SDK. Note: Go uses pointers.
---
 config.go | 19 ++++---------------
 1 file changed, 4 insertions(+), 15 deletions(-)
diff --git a/config.go b/config.go
index de197160..9eede147 100644
--- a/config.go
+++ b/config.go
@@ -5,7 +5,6 @@ import (
 "fmt"
 "log"
 "os"
- "os/exec"
 "strings"
 "time"
@@ -140,7 +139,7 @@ providing credentials for the ALKS Provider`)
 }
 // make a basic api call to test creds are valid
- _, serr := stsconn.GetCallerIdentity(&sts.GetCallerIdentityInput{})
+ cident, serr := stsconn.GetCallerIdentity(&sts.GetCallerIdentityInput{})
 // check for valid creds
 if serr != nil {
@@ -148,7 +147,7 @@ providing credentials for the ALKS Provider`)
 return nil, serr
 }
 // check if the user is using a assume-role IAM admin session
- if isValidIAM() != true {
+ if isValidIAM(cident.Arn) != true {
 return nil, errors.New("Looks like you are not using ALKS IAM credentials. This will result in errors when creating roles. \n " +
 "Note: If using ALKS CLI to get credentials, be sure to use the '-i' flag. \n Please see https://coxautoinc.sharepoint.com/sites/service-internal-tools-team/SitePages/ALKS-Terraform-Provider---Troubleshooting.aspx for more information.")
 }
@@ -175,19 +174,9 @@ func getPluginVersion() string {
 return "unknown"
 }
-func isValidIAM() bool {
- arg0 := "aws"
- arg1 := "sts"
- arg2 := "get-caller-identity"
- arg3 := "--query"
- arg4 := "[Arn]"
- arg5 := "--output"
- arg6 := "text"
+func isValidIAM(cident *string) bool {
- cmd := exec.Command(arg0, arg1, arg2, arg3, arg4, arg5, arg6)
- role, _ := cmd.Output()
-
- if strings.Contains(string(role), "assumed-role/Admin/") || strings.Contains(string(role), "assumed-role/IAMAdmin/") {
+ if strings.Contains(*cident, "assumed-role/Admin/") || strings.Contains(*cident, "assumed-role/IAMAdmin/") {
 return true
 }
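Review bot: `*cident` in the new `isValidIAM(cident *string)` is dereferenced without a nil check, and the SDK models the `Arn` field of the `GetCallerIdentity` output as an optional `*string`, so a response without an ARN would panic during provider configuration; add `if cident == nil { return false }` as the first statement. The parameter carries an ARN rather than the caller identity, so `arn` would be a clearer name than `cident`. The function also lacks a doc comment: it should say that the match is on the role-name segment of an `assumed-role` ARN, that `Admin` and `IAMAdmin` are a naming convention rather than proof of IAM permissions, and that the check appears to be a preflight for a clearer error message, not an access control. The function's final `return false` and closing brace lie outside the hunk.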