Upgrade aws-vault code and allow for multiple account setup. Rename User to SetupConfig for clarity.

Author: Chris Gilmer

cmd/add_profile.go

@@ -21,6 +21,7 @@ func AddProfileInitFlags(flag *pflag.FlagSet) {
 
 	flag.String(VaultAWSKeychainNameFlag, VaultAWSKeychainNameDefault, "The aws-vault keychain name")
 	flag.StringSlice(AWSProfileAccountFlag, []string{}, "A comma separated list of AWS profiles and account IDs 'PROFILE1:ACCOUNTID1,PROFILE2:ACCOUNTID2,...'")
+	flag.String(AWSBaseProfileFlag, "", fmt.Sprintf("The AWS base profile. If none provided will use first profile name from %q flag", AWSProfileAccountFlag))
 	flag.String(AWSRegionFlag, endpoints.UsWest2RegionID, "The AWS region")
 	flag.String(IAMUserFlag, "", "The IAM user name to setup")
 	flag.String(IAMRoleFlag, "", "The IAM role name assigned to the user being setup")
@@ -43,6 +44,10 @@ func AddProfileCheckConfig(v *viper.Viper) error {
 		return fmt.Errorf("Region check failed: %w", err)
 	}
 
+	if err := checkProfileAccount(v); err != nil {
+		return fmt.Errorf("AWS Profile and Account ID check failed: %w", err)
+	}
+
 	if err := checkIAMUser(v); err != nil {
 		return fmt.Errorf("IAM User check failed: %w", err)
 	}
@@ -69,42 +74,6 @@ func (sc *SetupConfig) AddProfile() error {
 		return fmt.Errorf("unable to load aws config file: %w", err)
 	}
 
-	roleProfileSection := iniFile.Section(fmt.Sprintf("profile %s", *sc.RoleProfileName))
-
-	// Get the source profile
-	sourceProfileKey, err := roleProfileSection.GetKey("source_profile")
-	if err != nil {
-		return fmt.Errorf("Unable to get source profile from %q: %w", *sc.RoleProfileName, err)
-	}
-	sourceProfileName := sourceProfileKey.String()
-
-	// Get the MFA Serial
-	mfaSerialKey, err := roleProfileSection.GetKey("mfa_serial")
-	if err != nil {
-		return err
-	}
-	mfaSerial := mfaSerialKey.String()
-
-	for _, element := range sc.NewProfiles {
-		profileName := strings.Split(element, ":")[0]
-		awsAccountID := strings.Split(element, ":")[1]
-
-		profile := vault.ProfileSection{
-			Name: profileName,
-			RoleARN: fmt.Sprintf("arn:%s:iam::%s:role/%s",
-				sc.Partition,
-				awsAccountID,
-				sc.Role),
-			MfaSerial: mfaSerial,
-			Region:    sc.Region,
-		}
-
-		// Add the role profile with base as the source profile
-		if err := sc.UpdateAWSProfile(iniFile, &profile, &sourceProfileName); err != nil {
-			return err
-		}
-	}
-
 	// save it back to the aws config path
 	return iniFile.SaveTo(sc.Config.Path)
 }
@@ -154,7 +123,7 @@ func addProfileFunction(cmd *cobra.Command, args []string) error {
 	// Get command line flag values
 	awsRegion := v.GetString(AWSRegionFlag)
 	awsVaultKeychainName := v.GetString(VaultAWSKeychainNameFlag)
-	awsVaultProfileAccount := v.GetStringSlice(AWSProfileAccountFlag)
+	// awsProfileAccount := v.GetStringSlice(AWSProfileAccountFlag)
 	iamUser := v.GetString(IAMUserFlag)
 	iamRole := v.GetString(IAMRoleFlag)
 	output := v.GetString(OutputFlag)
@@ -179,16 +148,20 @@ func addProfileFunction(cmd *cobra.Command, args []string) error {
 	}
 
 	setupConfig := SetupConfig{
-		Logger:          logger,
-		Name:            iamUser,
-		Role:            iamRole,
-		Region:          awsRegion,
-		Partition:       partition,
-		RoleProfileName: &awsVaultProfileAccount[0],
-		NewProfiles:     awsVaultProfileAccount[1:],
-		Output:          output,
-		Config:          config,
-		Keyring:         keyring,
+		// Config
+		Logger:  logger,
+		Config:  config,
+		Keyring: keyring,
+
+		// Profile Inputs
+		IAMUser:   iamUser,
+		IAMRole:   iamRole,
+		Region:    awsRegion,
+		Partition: partition,
+		Output:    output,
+
+		// RoleProfileName: &awsVaultProfileAccount[0],
+		// NewProfiles:     awsVaultProfileAccount[1:],
 	}
 
 	if err := setupConfig.AddProfile(); err != nil {

cmd/cli.go

@@ -12,20 +12,18 @@ import (
 const (
 	// AWSRegionFlag is the generic AWS Region Flag
 	AWSRegionFlag string = "aws-region"
-	// AWSAccountIDFlag is the AWS AccountID Flag
-	AWSAccountIDFlag string = "aws-account-id"
 
 	// VaultAWSKeychainNameFlag is the aws-vault keychain name Flag
 	VaultAWSKeychainNameFlag string = "aws-vault-keychain-name"
 	// VaultAWSKeychainNameDefault is the aws-vault default keychain name
 	VaultAWSKeychainNameDefault string = "login"
-	// VaultAWSProfileFlag is the aws-vault profile name Flag
-	VaultAWSProfileFlag string = "aws-profile"
 
 	// AWSProfileAccountFlag is the combined AWS profile name and account ID Flag
 	AWSProfileAccountFlag string = "aws-profile-account"
-	//// AWSBaseProfileFlag is the AWS base profile name Flag
-	//AWSBaseProfileFlag string = "aws-base-profile"
+	// AWSBaseProfileFlag is the AWS base profile name Flag
+	AWSBaseProfileFlag string = "aws-base-profile"
+	// AWSProfileFlag is the AWS Profile flag
+	AWSProfileFlag string = "aws-profile"
 
 	// IAMUserFlag is the IAM User name Flag
 	IAMUserFlag string = "iam-user"
@@ -59,14 +57,6 @@ func (e *errInvalidKeychainName) Error() string {
 	return fmt.Sprintf("invalid keychain name '%s'", e.KeychainName)
 }
 
-// type errInvalidAWSProfile struct {
-// 	Profile string
-// }
-//
-// func (e *errInvalidAWSProfile) Error() string {
-// 	return fmt.Sprintf("invalid aws profile '%s'", e.Profile)
-// }
-
 func checkVault(v *viper.Viper) error {
 	// Both keychain name and profile are required or both must be missing
 	keychainName := v.GetString(VaultAWSKeychainNameFlag)
@@ -77,11 +67,6 @@ func checkVault(v *viper.Viper) error {
 		return fmt.Errorf("%s is invalid, expected %v: %w", VaultAWSKeychainNameFlag, keychainNames, &errInvalidKeychainName{KeychainName: keychainName})
 	}
 
-	// awsProfile := v.GetString(VaultAWSProfileFlag)
-	// if len(awsProfile) == 0 {
-	// 	return fmt.Errorf("%s must not be empty: %w", VaultAWSProfileFlag, &errInvalidAWSProfile{Profile: awsProfile})
-	// }
-
 	return nil
 }
 
@@ -114,7 +99,7 @@ func (e *errInvalidAccountID) Error() string {
 
 func checkAccountID(id string) error {
 	if matched, err := regexp.Match(`^\d{12}$`, []byte(id)); !matched || err != nil {
-		return fmt.Errorf("%s must be a 12 digit number: %w", AWSAccountIDFlag, &errInvalidAccountID{AccountID: id})
+		return fmt.Errorf("AWS Account ID must be a 12 digit number: %w", &errInvalidAccountID{AccountID: id})
 	}
 
 	return nil

cmd/cli_test.go

@@ -61,15 +61,15 @@ func (suite *cliTestSuite) TestCheckVault() {
 	}
 	for _, testValue := range testValues {
 		suite.viper.Set(VaultAWSKeychainNameFlag, testValue)
-		suite.viper.Set(VaultAWSProfileFlag, "profile")
+		suite.viper.Set(AWSProfileFlag, "profile")
 		suite.NoError(checkVault(suite.viper))
 	}
 	testValuesWithErrors := []string{
 		"AnyOtherKeychainName",
 	}
 	for _, testValue := range testValuesWithErrors {
 		suite.viper.Set(VaultAWSKeychainNameFlag, testValue)
-		suite.viper.Set(VaultAWSProfileFlag, "profile")
+		suite.viper.Set(AWSProfileFlag, "profile")
 		suite.Error(checkVault(suite.viper))
 	}
 }

cmd/main_test.go

@@ -0,0 +1,85 @@
+package main
+
+import (
+	"fmt"
+	"io/ioutil"
+	"log"
+	"os"
+	"strings"
+	"testing"
+
+	"github.com/spf13/pflag"
+	"github.com/spf13/viper"
+	"github.com/stretchr/testify/suite"
+)
+
+type commandTestSuite struct {
+	suite.Suite
+	viper  *viper.Viper
+	logger *log.Logger
+}
+
+type initFlags func(f *pflag.FlagSet)
+
+func (suite *commandTestSuite) Setup(fn initFlags, flagSet []string) {
+	// Disable any logging that isn't attached to the logger unless using the verbose flag
+	log.SetOutput(ioutil.Discard)
+	log.SetFlags(0)
+
+	// Setup logger
+	var logger = log.New(os.Stdout, "", log.LstdFlags)
+
+	// Remove the flags for the logger
+	logger.SetFlags(0)
+	suite.SetLogger(logger)
+
+	// Setup viper
+	suite.viper = nil
+
+	flag := pflag.NewFlagSet(os.Args[0], pflag.ExitOnError)
+	fn(flag)
+	errFlagParse := flag.Parse(flagSet)
+	if errFlagParse != nil {
+		suite.logger.Fatal(errFlagParse)
+	}
+
+	v := viper.New()
+	err := v.BindPFlags(flag)
+	if err != nil {
+		suite.logger.Fatal(fmt.Errorf("could not bind flags: %w", err))
+	}
+	v.SetEnvKeyReplacer(strings.NewReplacer("-", "_"))
+	v.AutomaticEnv()
+
+	suite.SetViper(v)
+}
+
+func (suite *commandTestSuite) SetViper(v *viper.Viper) {
+	suite.viper = v
+}
+
+func (suite *commandTestSuite) SetLogger(logger *log.Logger) {
+	suite.logger = logger
+}
+
+func TestCommandSuite(t *testing.T) {
+	suite.Run(t, &commandTestSuite{})
+}
+
+func (suite *commandTestSuite) TestAddProfileFlags() {
+	suite.Setup(AddProfileInitFlags, []string{
+		"--aws-profile-account", "test-new:012345678901",
+		"--iam-user", "me",
+		"--iam-role", "engineer",
+	})
+	suite.NoError(AddProfileCheckConfig(suite.viper))
+}
+
+func (suite *commandTestSuite) TestSetupFlags() {
+	suite.Setup(SetupUserInitFlags, []string{
+		"--aws-profile-account", "test-id:012345678901",
+		"--iam-user", "me",
+		"--iam-role", "engineer",
+	})
+	suite.NoError(SetupUserCheckConfig(suite.viper))
+}