Add option to configure credential_source #64

Open
wants to merge 4 commits into
base: master
35 changes: 23 additions & 12 deletions manifests/profile.pp
Expand Up @@ -32,6 +32,12 @@
# [$source_profile]
# The profile to use for credentials to assume the specified role
#
# [credential_source]
# Used within EC2 instances or EC2 containers to specify where the AWS CLI can find credentials
# to use to assume the role you specified with the role_arn parameter.
# You cannot specify both source_profile and credential_source in the same profile.
# More info at https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#using-aws-iam-roles
#
# [$role_session_name]
# An identifier for the assumed role session
#
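Review bot: the new entry is headed `[credential_source]`, while the neighbouring entries in this comment block are written `[$source_profile]` and `[$role_session_name]`; add the `$` so the parameter documentation stays consistent. The description also does not say which values are accepted, so list them here next to the link, since a reader of the header cannot tell what to pass without opening the AWS page.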
Expand Down Expand Up @@ -62,18 +68,19 @@
# }
#
define awscli::profile(
$ensure = 'present',
$user = 'root',
$group = undef,
$homedir = undef,
$aws_access_key_id = undef,
$aws_secret_access_key = undef,
$role_arn = undef,
$source_profile = undef,
$role_session_name = undef,
$aws_region = 'us-east-1',
$profile_name = 'default',
$output = 'json',
$ensure = 'present',
$user = 'root',
$group = undef,
$homedir = undef,
$aws_access_key_id = undef,
$aws_secret_access_key = undef,
$role_arn = undef,
$source_profile = undef,
Optional[Enum['Environment', 'Ec2InstanceMetadata', 'EcsContainer']] $credential_source = undef,
Owner

I am not familiar with this syntax. Could you link me to the docs?

$role_session_name = undef,
$aws_region = 'us-east-1',
$profile_name = 'default',
$output = 'json',
) {
if $aws_access_key_id == undef and $aws_secret_access_key == undef {
info ('AWS keys for awscli::profile. Your will need IAM roles configured.')
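Review bot: `$credential_source` is the only parameter in this signature that carries a data type, and `Optional[Enum[...]]` needs the Puppet 4 or later parser; state the minimum Puppet version the module supports, or type the other parameters as well so the signature is uniform. Realigning every `=` to fit the one long line also rewrites twelve otherwise unchanged parameter lines; leaving the existing alignment alone would keep the diff and later blame output focused on the one new parameter.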
Expand Down Expand Up @@ -108,6 +115,10 @@
$group_real = $group
}

if ($source_profile != undef and $credential_source != undef) {
fail('aws cli profile cannot contain both source_profile and credential_source config option')
Owner

It might be good to have a spec to test this. Do you think you could add one?

Author

tests added

}

# ensure $homedir/.aws is available
if !defined(File["${homedir_real}/.aws"]) {
file { "${homedir_real}/.aws":
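Review bot: the guard added at the top of this hunk only rejects `source_profile` together with `credential_source`; nothing here requires `role_arn` when `credential_source` is set, although the parameter documentation describes it as the credential source for assuming the role given in `role_arn`. Consider also failing when `$credential_source != undef and $role_arn == undef`, and include the profile name in the `fail()` message so that a catalog with several profiles points at the offending one.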
49 changes: 49 additions & 0 deletions spec/defines/awscli_profile_spec.rb
Expand Up @@ -310,4 +310,53 @@
)
end
end

context 'on AWS Node' do
let(:facts) do
{
os: { family: 'debian' },
concat_basedir: '/var/lib/puppet/concat/',
}
end

let(:title) { 'test_profile' }

let(:params) do
{
'user' => 'test',
'role_arn' => 'TESTAWSROLEARN',
}
end

['Environment', 'Ec2InstanceMetadata', 'EcsContainer'].each do |source|
it "creates profile for user test with credential_source=#{source}" do
params['credential_source'] = source.to_s
is_expected.to contain_file('/home/test/.aws').with(
ensure: 'directory',
owner: 'test',
group: 'test',
mode: '0700',
)
is_expected.to contain_concat('/home/test/.aws/config').with(
owner: 'test',
group: 'test',
mode: '0600',
)
is_expected.to contain_concat__fragment('test_profile-config').with(
target: '/home/test/.aws/config',
)
end
end

it "fails to create profile for user test with credential_source=Invalid" do
params['credential_source'] = 'Invalid'
is_expected.to compile.and_raise_error(/parameter 'credential_source' expects an undef value or a match for Enum/)
end

it 'fails to create profile with both source_profile and credential_source' do
params['credential_source'] = 'Ec2InstanceMetadata'
params['source_profile'] = 'development'
is_expected.to compile.and_raise_error(/aws cli profile cannot contain both source_profile and credential_source config option/)
end
end
end
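Review bot: the three positive examples in the `each` loop assert the `.aws` directory, the concat file and the fragment's `target`, but never that the rendered fragment contains `credential_source=#{source}`, so they would still pass if the template change were missing. Add a `with_content(/credential_source=#{source}/)` expectation on `contain_concat__fragment('test_profile-config')`; `source.to_s` can also be plain `source`, since the array already holds strings.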
3 changes: 3 additions & 0 deletions templates/config_concat.erb
Expand Up @@ -11,6 +11,9 @@ role_arn=<%= @role_arn %>
<% if @source_profile -%>
source_profile=<%= @source_profile %>
<% end -%>
<% if @credential_source -%>
credential_source=<%= @credential_source %>
<% end -%>
<% if @role_session_name -%>
role_session_name=<%= @role_session_name %>
<% end -%>