From d939da7bdea02df81078e87d478a24b457998d70 Mon Sep 17 00:00:00 2001
From: Andrew Magana <amagana3@latlmacw29vjhd4.int.dealer.com>
Date: Fri, 5 Jun 2020 23:36:44 -0400
Subject: [PATCH 1/5] We are now validating for MIs, added some comments too.
 Also changed the parameter name as it is more correct now.

---
 config.go | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/config.go b/config.go
index 9eede147..7f84c929 100644
--- a/config.go
+++ b/config.go
@@ -174,9 +174,15 @@ func getPluginVersion() string {
 	return "unknown"
 }
 
-func isValidIAM(cident *string) bool {
-
-	if strings.Contains(*cident, "assumed-role/Admin/") || strings.Contains(*cident, "assumed-role/IAMAdmin/") {
+func isValidIAM(arn *string) bool {
+
+	/*
+		Validates ARN for assumed-role of:
+			- Admin
+			- IAMAdmin
+			-Machine Identities.
+	*/
+	if strings.Contains(*arn, "assumed-role/Admin/") || strings.Contains(*arn, "assumed-role/IAMAdmin/") || (strings.Contains(*arn, "arn:aws:sts::") && strings.Contains(*arn, "assumed-role/")) {
 		return true
 	}
 

From 34890282e3ebffe06dca6f547c1f279955bcac1c Mon Sep 17 00:00:00 2001
From: Andrew Magana <amagana3@latlmacw29vjhd4.int.dealer.com>
Date: Mon, 8 Jun 2020 08:37:51 -0400
Subject: [PATCH 2/5] Little less strict.

---
 config.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config.go b/config.go
index 7f84c929..781740ab 100644
--- a/config.go
+++ b/config.go
@@ -182,7 +182,7 @@ func isValidIAM(arn *string) bool {
 			- IAMAdmin
 			-Machine Identities.
 	*/
-	if strings.Contains(*arn, "assumed-role/Admin/") || strings.Contains(*arn, "assumed-role/IAMAdmin/") || (strings.Contains(*arn, "arn:aws:sts::") && strings.Contains(*arn, "assumed-role/")) {
+	if strings.Contains(*arn, "assumed-role/Admin/") || strings.Contains(*arn, "assumed-role/IAMAdmin/") || strings.Contains(*arn, "arn:aws:sts::") {
 		return true
 	}
 

From 03d908fdea45c697efa41ad5eace431a1927d248 Mon Sep 17 00:00:00 2001
From: Andrew Magana <amagana3@latlmacw29vjhd4.int.dealer.com>
Date: Mon, 8 Jun 2020 09:58:39 -0400
Subject: [PATCH 3/5] Call endpoint to validate MI from interactive user (ALKS
 user).

---
 config.go | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/config.go b/config.go
index 781740ab..dfc8ca44 100644
--- a/config.go
+++ b/config.go
@@ -146,15 +146,15 @@ providing credentials for the ALKS Provider`)
 		return nil, serr
 	}
 
+	// got good creds, create alks sts client
+	client, err := alks.NewSTSClient(c.URL, cp.AccessKeyID, cp.SecretAccessKey, cp.SessionToken)
+
 	// check if the user is using a assume-role IAM admin session
-	if isValidIAM(cident.Arn) != true {
+	if isValidIAM(cident.Arn, client) != true {
 		return nil, errors.New("Looks like you are not using ALKS IAM credentials. This will result in errors when creating roles. \n " +
 			"Note: If using ALKS CLI to get credentials, be sure to use the '-i' flag. \n Please see https://coxautoinc.sharepoint.com/sites/service-internal-tools-team/SitePages/ALKS-Terraform-Provider---Troubleshooting.aspx for more information.")
 	}
 
-	// got good creds, create alks sts client
-	client, err := alks.NewSTSClient(c.URL, cp.AccessKeyID, cp.SecretAccessKey, cp.SessionToken)
-
 	if err != nil {
 		return nil, err
 	}
@@ -174,15 +174,22 @@ func getPluginVersion() string {
 	return "unknown"
 }
 
-func isValidIAM(arn *string) bool {
+func isValidIAM(arn *string, client *alks.Client) bool {
 
 	/*
 		Validates ARN for assumed-role of:
 			- Admin
 			- IAMAdmin
-			-Machine Identities.
+			- Machine Identities.
 	*/
-	if strings.Contains(*arn, "assumed-role/Admin/") || strings.Contains(*arn, "assumed-role/IAMAdmin/") || strings.Contains(*arn, "arn:aws:sts::") {
+	if strings.Contains(*arn, "assumed-role/Admin/") || strings.Contains(*arn, "assumed-role/IAMAdmin/") {
+		return true
+	} else if strings.Contains(*arn, "arn:aws:sts::") {
+		// Check if MI...
+		_, err := client.SearchRoleMachineIdentity(*arn)
+		if err != nil {
+			return false
+		}
 		return true
 	}
 

From 5587d3ec38d419bdfc6e49c04c954f95e70964cc Mon Sep 17 00:00:00 2001
From: Andrew Magana <amagana3@latlmacw29vjhd4.int.dealer.com>
Date: Tue, 9 Jun 2020 09:34:43 -0400
Subject: [PATCH 4/5] Removed redundant ARN check. This SHOULD be good now.

---
 config.go | 30 ++++++++++++++----------------
 1 file changed, 14 insertions(+), 16 deletions(-)

diff --git a/config.go b/config.go
index dfc8ca44..71ee4baa 100644
--- a/config.go
+++ b/config.go
@@ -149,7 +149,7 @@ providing credentials for the ALKS Provider`)
 	// got good creds, create alks sts client
 	client, err := alks.NewSTSClient(c.URL, cp.AccessKeyID, cp.SecretAccessKey, cp.SessionToken)
 
-	// check if the user is using a assume-role IAM admin session
+	// check if the user is using a assume-role IAM admin session or MI.
 	if isValidIAM(cident.Arn, client) != true {
 		return nil, errors.New("Looks like you are not using ALKS IAM credentials. This will result in errors when creating roles. \n " +
 			"Note: If using ALKS CLI to get credentials, be sure to use the '-i' flag. \n Please see https://coxautoinc.sharepoint.com/sites/service-internal-tools-team/SitePages/ALKS-Terraform-Provider---Troubleshooting.aspx for more information.")
@@ -174,24 +174,22 @@ func getPluginVersion() string {
 	return "unknown"
 }
 
+/*
+	Validates ARN for assumed-role of:
+		- Admin
+		- IAMAdmin
+		- Machine Identities.
+*/
 func isValidIAM(arn *string, client *alks.Client) bool {
-
-	/*
-		Validates ARN for assumed-role of:
-			- Admin
-			- IAMAdmin
-			- Machine Identities.
-	*/
+	// Check if Admin || IAMAdmin
 	if strings.Contains(*arn, "assumed-role/Admin/") || strings.Contains(*arn, "assumed-role/IAMAdmin/") {
 		return true
-	} else if strings.Contains(*arn, "arn:aws:sts::") {
-		// Check if MI...
-		_, err := client.SearchRoleMachineIdentity(*arn)
-		if err != nil {
-			return false
-		}
-		return true
 	}
 
-	return false
+	// Check if MI...
+	_, err := client.SearchRoleMachineIdentity(*arn)
+	if err != nil {
+		return false
+	}
+	return true
 }

From 5e76f2fc919fd04936e40ca78007cfeb3263160b Mon Sep 17 00:00:00 2001
From: Andrew Magana <amagana3@latlmacw29vjhd4.int.dealer.com>
Date: Tue, 9 Jun 2020 11:42:43 -0400
Subject: [PATCH 5/5] Formatting the MI arn so we can appropriately check the
 ARN against our API.

---
 config.go | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/config.go b/config.go
index 71ee4baa..1b313a95 100644
--- a/config.go
+++ b/config.go
@@ -14,7 +14,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws/defaults"
 	"github.com/aws/aws-sdk-go/aws/ec2metadata"
 
-	alks "github.com/Cox-Automotive/alks-go"
+	"github.com/Cox-Automotive/alks-go"
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/credentials"
 	"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
@@ -187,9 +187,16 @@ func isValidIAM(arn *string, client *alks.Client) bool {
 	}
 
 	// Check if MI...
-	_, err := client.SearchRoleMachineIdentity(*arn)
+	arnParts := strings.FieldsFunc(*arn, splitBy)
+	iamArn := fmt.Sprintf("arn:aws:iam::%s:role/acct-managed/%s", arnParts[3], arnParts[5])
+
+	_, err := client.SearchRoleMachineIdentity(iamArn)
 	if err != nil {
 		return false
 	}
 	return true
 }
+
+func splitBy(r rune) bool {
+	return r == ':' || r == '/'
+}