From b3e879ff357cf56e500f9b7fed3e20e97e415580 Mon Sep 17 00:00:00 2001
From: Andrew Magana
Date: Wed, 14 Apr 2021 15:04:53 -0400
Subject: [PATCH 1/6] Update ALKS-Go.

---
 go.mod | 3 ++-
 go.sum | 4 ++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/go.mod b/go.mod
index b27301c6..80b4b62b 100644
--- a/go.mod
+++ b/go.mod
@@ -3,8 +3,9 @@ module github.com/Cox-Automotive/terraform-provider-alks
 go 1.14
 
 require (
- github.com/Cox-Automotive/alks-go v0.0.0-20210331173447-21b08aca8d67
+ github.com/Cox-Automotive/alks-go v0.0.0-20210414185953-754a7e5f7114
 github.com/aws/aws-sdk-go v1.31.15
+ github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 github.com/hashicorp/terraform v0.12.26
 github.com/mitchellh/go-homedir v1.1.0
 )
diff --git a/go.sum b/go.sum
index a7f285b7..4410dcf4 100644
--- a/go.sum
+++ b/go.sum
@@ -29,6 +29,8 @@ github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym
 github.com/ChrisTrenkamp/goxpath v0.0.0-20170922090931-c385f95c6022/go.mod h1:nuWgzSkT5PnyOd+272uUmV0dnAnAn42Mk7PiQC5VzN4=
 github.com/Cox-Automotive/alks-go v0.0.0-20210331173447-21b08aca8d67 h1:vcruzED50hPyycvR6mtPXKy2zQoH+AOicCOuwiWr7Cg=
 github.com/Cox-Automotive/alks-go v0.0.0-20210331173447-21b08aca8d67/go.mod h1:jJNgXthl59Vt2tJHSC3WZ0vlopV9xqdclfQuLgwHjOw=
+github.com/Cox-Automotive/alks-go v0.0.0-20210414185953-754a7e5f7114 h1:U6UO6xb3cFJTMLCJWMVxkhWq2vCrX5c7QnPlsQCPGZE=
+github.com/Cox-Automotive/alks-go v0.0.0-20210414185953-754a7e5f7114/go.mod h1:jJNgXthl59Vt2tJHSC3WZ0vlopV9xqdclfQuLgwHjOw=
 github.com/QcloudApi/qcloud_sign_golang v0.0.0-20141224014652-e4130a326409/go.mod h1:1pk82RBxDY/JZnPQrtqHlUFfCctgdorsd9M06fMynOM=
 github.com/Unknwon/com v0.0.0-20151008135407-28b053d5a292/go.mod h1:KYCjqMOeHpNuTOiFQU6WEcTG7poCJrUs0YgyHNtn1no=
 github.com/abdullin/seq v0.0.0-20160510034733-d5467c17e7af/go.mod h1:5Jv4cbFiHJMsVxt52+i0Ha45fjshj6wxYr1r19tB9bw=
@@ -151,6 +153,8 @@ github.com/hashicorp/go-checkpoint v0.5.0/go.mod h1:7nfLNL10NsxqO4iWuW6tWW0HjZuD
 github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
 github.com/hashicorp/go-cleanhttp v0.5.1 h1:dH3aiDG9Jvb5r5+bYHsikaOUIpcM0xvgMXVoDkXMzJM=
 github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
+github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
+github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
 github.com/hashicorp/go-getter v1.4.2-0.20200106182914-9813cbd4eb02 h1:l1KB3bHVdvegcIf5upQ5mjcHjs2qsWnKh4Yr9xgIuu8=
 github.com/hashicorp/go-getter v1.4.2-0.20200106182914-9813cbd4eb02/go.mod h1:7qxyCd8rBfcShwsvxgIguu4KbS3l8bUCwg2Umn7RjeY=
 github.com/hashicorp/go-hclog v0.0.0-20180709165350-ff2cf002a8dd/go.mod h1:9bjs9uLqI8l75knNv3lV1kA55veR+WUPSiKIWcQHudI=

From 2cbec7d920bdf59f6e668341b79256185fa8137d Mon Sep 17 00:00:00 2001
From: Andrew Magana
Date: Fri, 16 Apr 2021 15:49:32 -0400
Subject: [PATCH 2/6] Implemented IAM active check.

---
 config.go | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/config.go b/config.go
index 7522fb82..fd9ede39 100644
--- a/config.go
+++ b/config.go
@@ -211,21 +211,20 @@ func getPluginVersion() string {
 - Machine Identities.
 */
 func isValidIAM(arn *string, client *alks.Client) bool {
 
- // Check if Admin || IAMAdmin
- if strings.Contains(*arn, "assumed-role/Admin/") || strings.Contains(*arn, "assumed-role/IAMAdmin/") || strings.Contains(*arn, "assumed-role/LabAdmin/") {
- return true
- }
- // Check if MI...
- arnParts := strings.FieldsFunc(*arn, splitBy)
- iamArn := fmt.Sprintf("arn:aws:iam::%s:role/acct-managed/%s", arnParts[3], arnParts[5])
+ // Validate Machine Identity
+ responseMI, err := client.IsIamEnabled(*arn)
+ if err != nil {
+ return false
+ }
 
- _, err := client.SearchRoleMachineIdentity(iamArn)
+ // Validate STS
+ responseSTS, err := client.IsIamEnabled("")
 if err != nil {
 return false
 }
 
- return true
+ return responseMI.IamEnabled || responseSTS.IamEnabled
 }
 
 func splitBy(r rune) bool {

From 0a9cde384a8988f7406886be95361a02b04011a9 Mon Sep 17 00:00:00 2001
From: Andrew Magana
Date: Fri, 16 Apr 2021 15:49:40 -0400
Subject: [PATCH 3/6] Update vendor.

---
 .../Cox-Automotive/alks-go/is_iam_enabled.go | 68 +++++++++++++++++++
 .../hashicorp/go-cleanhttp/cleanhttp.go | 1 +
 .../github.com/hashicorp/go-cleanhttp/go.mod | 2 +
 vendor/modules.txt | 9 +--
 4 files changed, 74 insertions(+), 6 deletions(-)
 create mode 100644 vendor/github.com/Cox-Automotive/alks-go/is_iam_enabled.go

diff --git a/vendor/github.com/Cox-Automotive/alks-go/is_iam_enabled.go b/vendor/github.com/Cox-Automotive/alks-go/is_iam_enabled.go
new file mode 100644
index 00000000..b5d1ed85
--- /dev/null
+++ b/vendor/github.com/Cox-Automotive/alks-go/is_iam_enabled.go
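Review bot: The `return false` right after `client.IsIamEnabled(*arn)` turns any error from the Machine Identity lookup into a rejection without ever reaching the STS check a few lines below, so a caller whose STS session is IAM-enabled is still refused whenever the MI query fails (a transport error, or the service not accepting the caller's assumed-role ARN as a role ARN — I cannot tell from here which the API does). If the two queries are meant as alternatives, treat the first error as "not an MI" and fall through: `responseMI, errMI := client.IsIamEnabled(*arn)` / `miEnabled := errMI == nil && responseMI.IamEnabled`, keeping `return false` only for the STS error and returning `miEnabled || responseSTS.IamEnabled`. The block comment ending at the `*/` context line still says the function validates Admin, IAMAdmin and Machine Identity ARNs, which this hunk no longer does; reword it to `Asks ALKS whether the caller's Machine Identity role or its STS session is IAM-enabled.` `splitBy` below the hunk loses its only caller here, and `*arn` is still dereferenced with no nil check, as before.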
@@ -0,0 +1,68 @@
+package alks
+
+import (
+ "encoding/json"
+ "fmt"
+ "log"
+ "strings"
+)
+
+type IsIamEnabledRequest struct {
+ AccountDetails
+ RoleArn string `json:"roleArn,omitempty"`
+}
+
+// IsIamEnabledResponse is used to represent a role that's IAM active or not.
+type IsIamEnabledResponse struct {
+ BaseResponse
+ AccountDetails
+ RoleArn string `json:"roleArn"`
+ IamEnabled bool `json:"iamEnabled"`
+}
+
+// IsIamEnabled will check if a MI, AccountDetails, or STS assumed role is IAM active or not.
+func (c *Client) IsIamEnabled(roleArn string) (*IsIamEnabledResponse, error) {
+
+ if len(roleArn) > 1 {
+ log.Printf("[INFO] Is IAM enabled for MI: %s", roleArn)
+ } else {
+ log.Printf("[INFO] Is IAM enabled for: %s/%s", c.AccountDetails.Account, c.AccountDetails.Role)
+ }
+
+ iam := IsIamEnabledRequest{
+ c.AccountDetails,
+ roleArn,
+ }
+
+ body, err := json.Marshal(iam)
+
+ if err != nil {
+ return nil, fmt.Errorf("error encoding IAM create role JSON: %s", err)
+ }
+
+ req, err := c.NewRequest(body, "POST", "/isIamEnabled")
+ if err != nil {
+ return nil, err
+ }
+
+ resp, err := c.http.Do(req)
+ if err != nil {
+ return nil, err
+ }
+
+ validate := new(IsIamEnabledResponse)
+ err = decodeBody(resp, validate)
+
+ if err != nil {
+ if reqID := GetRequestID(resp); reqID != "" {
+ return nil, fmt.Errorf("error parsing isIamEnabled response: [%s] %s", reqID, err)
+ }
+
+ return nil, fmt.Errorf("error parsing isIamEnabled response: %s", err)
+ }
+ if validate.RequestFailed() {
+ return nil, fmt.Errorf("error validating if IAM enabled: [%s] %s", validate.BaseResponse.RequestID, strings.Join(validate.GetErrors(), ", "))
+ }
+
+ return validate, nil
+}
diff --git a/vendor/github.com/hashicorp/go-cleanhttp/cleanhttp.go b/vendor/github.com/hashicorp/go-cleanhttp/cleanhttp.go
index 8d306bf5..fe28d15b 100644
--- a/vendor/github.com/hashicorp/go-cleanhttp/cleanhttp.go
+++ b/vendor/github.com/hashicorp/go-cleanhttp/cleanhttp.go
@@ -32,6 +32,7 @@ func DefaultPooledTransport() *http.Transport {
 IdleConnTimeout: 90 * time.Second,
 TLSHandshakeTimeout: 10 * time.Second,
 ExpectContinueTimeout: 1 * time.Second,
+ ForceAttemptHTTP2: true,
 MaxIdleConnsPerHost: runtime.GOMAXPROCS(0) + 1,
 }
 return transport
diff --git a/vendor/github.com/hashicorp/go-cleanhttp/go.mod b/vendor/github.com/hashicorp/go-cleanhttp/go.mod
index 310f0756..005ccdef 100644
--- a/vendor/github.com/hashicorp/go-cleanhttp/go.mod
+++ b/vendor/github.com/hashicorp/go-cleanhttp/go.mod
@@ -1 +1,3 @@
 module github.com/hashicorp/go-cleanhttp
+
+go 1.13
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 0a1739d6..139497ae 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -6,7 +6,7 @@ cloud.google.com/go/internal/optional
 cloud.google.com/go/internal/trace
 cloud.google.com/go/internal/version
 cloud.google.com/go/storage
-# github.com/Cox-Automotive/alks-go v0.0.0-20210331173447-21b08aca8d67
+# github.com/Cox-Automotive/alks-go v0.0.0-20210414185953-754a7e5f7114
 ## explicit
 github.com/Cox-Automotive/alks-go
 # github.com/agext/levenshtein v1.2.2
@@ -94,7 +94,8 @@ github.com/google/uuid
 github.com/googleapis/gax-go/v2
 # github.com/hashicorp/errwrap v1.0.0
 github.com/hashicorp/errwrap
-# github.com/hashicorp/go-cleanhttp v0.5.1
+# github.com/hashicorp/go-cleanhttp v0.5.2
+## explicit
 github.com/hashicorp/go-cleanhttp
 # github.com/hashicorp/go-getter v1.4.2-0.20200106182914-9813cbd4eb02
 github.com/hashicorp/go-getter
@@ -221,8 +222,6 @@ github.com/mitchellh/hashstructure
 github.com/mitchellh/mapstructure
 # github.com/mitchellh/reflectwalk v1.0.0
 github.com/mitchellh/reflectwalk
-# github.com/motain/gocheck v0.0.0-20131023154940-9beb271d26e6
-## explicit
 # github.com/oklog/run v1.0.0
 github.com/oklog/run
 # github.com/posener/complete v1.2.1
@@ -374,5 +373,3 @@ google.golang.org/grpc/stats
 google.golang.org/grpc/status
 google.golang.org/grpc/tap
 google.golang.org/grpc/test/bufconn
-# launchpad.net/gocheck v0.0.0-20140225173054-000000000087
-## explicit

From fdac97b52b6adb3e4fcb99b28ecf0ac133065180 Mon Sep 17 00:00:00 2001
From: Andrew Magana
Date: Mon, 19 Apr 2021 11:35:36 -0400
Subject: [PATCH 4/6] MI converts to STS.

---
 config.go | 36 +++++++----------------------------
 1 file changed, 7 insertions(+), 29 deletions(-)

diff --git a/config.go b/config.go
index fd9ede39..52d6b3b7 100644
--- a/config.go
+++ b/config.go
@@ -183,8 +183,13 @@ func (c *Config) Client() (*alks.Client, error) {
 }
 }
 
- // check if the user is using a assume-role IAM admin session or MI.
- if isValidIAM(cident.Arn, client) != true {
+ // Validate STS for IAM active.
+ validateSTS, err := client.IsIamEnabled("")
+ if err != nil {
+ return nil, err
+ }
+
+ if validateSTS.IamEnabled != true {
 return nil, errors.New("Looks like you are not using ALKS IAM credentials. This will result in errors when creating roles. \n " +
 "Note: If using ALKS CLI to get credentials, be sure to use the '-i' flag. \n Please see https://coxautoinc.sharepoint.com/sites/service-internal-tools-team/SitePages/ALKS-Terraform-Provider---Troubleshooting.aspx for more information.")
 }
@@ -204,33 +209,6 @@ func getPluginVersion() string {
 return "unknown"
 }
 
-/*
- Validates ARN for assumed-role of:
- - Admin
- - IAMAdmin
- - Machine Identities.
-*/
-func isValidIAM(arn *string, client *alks.Client) bool {
-
- // Validate Machine Identity
- responseMI, err := client.IsIamEnabled(*arn)
- if err != nil {
- return false
- }
-
- // Validate STS
- responseSTS, err := client.IsIamEnabled("")
- if err != nil {
- return false
- }
-
- return responseMI.IamEnabled || responseSTS.IamEnabled
-}
-
-func splitBy(r rune) bool {
- return r == ':' || r == '/'
-}
-
 func generateNewClient(c *Config, client *alks.Client) (*alks.Client, error) {
 
 // 3. Create account string
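Review bot: Dropping the `isValidIAM(cident.Arn, client)` call removes the only visible read of `cident`, which `Client()` assigns from `stsconn.GetCallerIdentity` earlier in the function (outside this hunk); Go rejects unused locals, so this commit most likely does not build on its own — the following patch in the series changes that assignment to `_`, which suggests exactly that, and the two belong in one commit. The new guard `if validateSTS.IamEnabled != true {` reads better as `if !validateSTS.IamEnabled {`. The comment `// Validate STS for IAM active.` would help the next reader more as `// Fail closed: refuse to build a client from an STS session that is not IAM-enabled, since role creation would otherwise fail later with a less specific error.` The second hunk of this commit is a pure removal of isValidIAM and splitBy and needs nothing further.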
From cfb1da5f4814841337eb950dedced52f7193f7dd Mon Sep 17 00:00:00 2001
From: Andrew Magana
Date: Mon, 19 Apr 2021 11:39:10 -0400
Subject: [PATCH 5/6] Removed unused var.

---
 config.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config.go b/config.go
index 52d6b3b7..0ee9ff58 100644
--- a/config.go
+++ b/config.go
@@ -162,7 +162,7 @@ func (c *Config) Client() (*alks.Client, error) {
 }
 
 // make a basic api call to test creds are valid
- cident, serr := stsconn.GetCallerIdentity(&sts.GetCallerIdentityInput{})
+ _, serr := stsconn.GetCallerIdentity(&sts.GetCallerIdentityInput{})
 // check for valid creds
 if serr != nil {
 return nil, serr

From 5944731c1c997211c38272c3e2065095a2898090 Mon Sep 17 00:00:00 2001
From: Andrew Magana
Date: Mon, 19 Apr 2021 14:14:19 -0400
Subject: [PATCH 6/6] non-MI error handle.

---
 config.go | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/config.go b/config.go
index 0ee9ff58..9356a8a6 100644
--- a/config.go
+++ b/config.go
@@ -185,11 +185,7 @@ func (c *Config) Client() (*alks.Client, error) {
 
 // Validate STS for IAM active.
 validateSTS, err := client.IsIamEnabled("")
- if err != nil {
- return nil, err
- }
-
- if validateSTS.IamEnabled != true {
+ if err != nil || validateSTS.IamEnabled != true {
 return nil, errors.New("Looks like you are not using ALKS IAM credentials. This will result in errors when creating roles. \n " +
 "Note: If using ALKS CLI to get credentials, be sure to use the '-i' flag. \n Please see https://coxautoinc.sharepoint.com/sites/service-internal-tools-team/SitePages/ALKS-Terraform-Provider---Troubleshooting.aspx for more information.")
 }
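Review bot: Merging `err != nil` into the credential-check branch discards the error returned by `client.IsIamEnabled("")`, so a network failure, an expired session or an ALKS-side failure is now reported as "not using ALKS IAM credentials" and the real cause is neither shown nor logged, which makes a transient outage look like a user configuration problem. The `||` short-circuit does keep `validateSTS` from being dereferenced when `err` is non-nil, so the combined form is safe — it only loses diagnosability. Keep the single branch but carry the cause along, e.g. `detail := ""` / `if err != nil { detail = "\n Underlying error: " + err.Error() }` before the `if`, and append `+ detail` to the `errors.New` message; that stays within the `errors` import already used here. `Client()` starts outside this hunk.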