trussworks
diff --git a/‎README.md
Lines changed: 17 additions & 10 deletions b/‎README.md
Lines changed: 17 additions & 10 deletions
diff --git a/‎cmd/cli.go
Lines changed: 181 additions & 0 deletions b/‎cmd/cli.go
Lines changed: 181 additions & 0 deletions
@@ -27,36 +27,42 @@ brew cask install aws-vault
 
 Before running this tool, you will need to following pieces of information
 
-* IAM role - This is the IAM Role with permissions allowing access to AWS APIs
-  and services. This is usually something like `admin` or `engineer`.
-* IAM user name - This is your IAM username.
+* IAM role name - This is the IAM Role with permissions allowing access to AWS APIs
+  and services. This is usually something like `admin` or `engineer`. Use the flag
+  `--iam-role` with this value.
+* IAM user name - This is your IAM username. Use the flag `--iam-user` with this value.
 * AWS profile - This is the name that populates your `~/.aws/config` profile
   name. It is usually the name of the aws account alias you are trying to access.
+  Use the flag name `--aws-profile` with this value.
 * AWS account Id - This is the 12-digit account number of the AWS account you
-  are trying to access.
+  are trying to access. Use the flag `--aws-account-id` with this value.
 * Temporary AWS access keys - These should be given to you by an administrator
   of the AWS account you are trying to access. The tool will prompt you for
   the access key id and secret access key.
 
 ## Running the tool
 
-1. Run the setup-new-user - `setup-new-aws-user --role <IAM_ROLE> --iam-user <USER> --profile=<AWS_PROFILE> --account-id=<AWS_ACCOUNT_ID>`
+1. Run the setup-new-user script - `setup-new-aws-user setup --iam-role <IAM_ROLE> --iam-user <USER> --aws-profile=<AWS_PROFILE> --aws-account-id=<AWS_ACCOUNT_ID>`
 2. Enter the access keys generated when prompted.
-
 3. The script will open a window with a QR code, which you will use to configure a temporary one time password (TOTP).
 4. You'll then need to create a new entry in your 1Password account configure it with a TOTP field.
 5. Use 1Password to scan the QR code and hit save. New TOTP tokens should generate every 30 seconds.
 6. From here the tool will prompt you for 3 unique TOTP tokens. **NOTE Take care not to use the same token more than once, as this will cause the process to fail.**
 7. Once the tool has completed, you should be able to access the AWS account. You can run the following command filling in the AWS_PROFILE value
 
 ```shell
-aws-vault exec AWS_PROFILE -- aws sts get-session
+aws-vault exec $AWS_PROFILE -- aws sts get-session
 ```
 
 ## How this tool modifies your ~/.aws/config
 
-While your AWS access keys are stored in a password protected keychain managed by `aws-vault`, the configuration for how you should access AWS accounts lives in ~/.aws/config. The setup-new-aws-user tool creates two profiles your `~/.aws/config`. The first is the base profile containing your long lived AWS Access Keys and is tied to your IAM user and MFA device. Since these keys are long lived, you should be rotating them regularly with `aws-vault rotate`. The second profile is the IAM role granting you elevated access to the AWS account. Typically these IAM roles are named `admin` or `engineer` and only uses temporary credentials leveraging AWS's Security Token Service (STS). Below is an example config generated from this tool.
-
+While your AWS access keys are stored in a password protected keychain managed by `aws-vault`, the configuration for
+how you should access AWS accounts lives in ~/.aws/config. The setup-new-aws-user tool creates two profiles your
+`~/.aws/config`. The first is the base profile containing your long lived AWS Access Keys and is tied to your IAM user
+and MFA device. Since these keys are long lived, you should be rotating them regularly with `aws-vault rotate`.
+The second profile is the IAM role granting you elevated access to the AWS account. Typically these IAM roles are
+named `admin` or `engineer` and only uses temporary credentials leveraging AWS's Security Token Service (STS).
+Below is an example config generated from this tool.
 
 ```ini
 [profile corp-id-base]
@@ -86,6 +92,7 @@ output=json
 Run pre-commit and Go tests
 
 ```shell
+pre-commit run -a
 make test
 ```
 
@@ -102,7 +109,7 @@ use the real AWS account ID.
 Example:
 
 ```shell
-go run cmd/main.go --role engineer --iam-user testuser --account-id 123456789012  --profile test-profile-name
+go run ./cmd setup --iam-role engineer --iam-user testuser --aws-profile test-profile-name --aws-account-id 123456789012
 ```
 
 After running the script, try a command to ensure the new profile works as
 
@@ -0,0 +1,181 @@
+package main
+
+import (
+	"fmt"
+	"regexp"
+
+	"github.com/aws/aws-sdk-go/aws/endpoints"
+	"github.com/spf13/viper"
+)
+
+const (
+	// AWSRegionFlag is the generic AWS Region Flag
+	AWSRegionFlag string = "aws-region"
+	// AWSAccountIDFlag is the AWS AccountID Flag
+	AWSAccountIDFlag string = "aws-account-id"
+
+	// VaultAWSKeychainNameFlag is the aws-vault keychain name Flag
+	VaultAWSKeychainNameFlag string = "aws-vault-keychain-name"
+	// VaultAWSKeychainNameDefault is the aws-vault default keychain name
+	VaultAWSKeychainNameDefault string = "login"
+	// VaultAWSProfileFlag is the aws-vault profile name Flag
+	VaultAWSProfileFlag string = "aws-profile"
+
+	// IAMUserFlag is the IAM User name Flag
+	IAMUserFlag string = "iam-user"
+	// IAMRoleFlag is the IAM Role name Flag
+	IAMRoleFlag string = "iam-role"
+
+	// OutputFlag is the Output Flag
+	OutputFlag = "output"
+
+	// VerboseFlag is the Verbose Flag
+	VerboseFlag string = "verbose"
+)
+
+func stringSliceContains(stringSlice []string, value string) bool {
+	for _, x := range stringSlice {
+		if value == x {
+			return true
+		}
+	}
+	return false
+}
+
+type errInvalidKeychainName struct {
+	KeychainName string
+}
+
+func (e *errInvalidKeychainName) Error() string {
+	return fmt.Sprintf("invalid keychain name '%s'", e.KeychainName)
+}
+
+type errInvalidAWSProfile struct {
+	Profile string
+}
+
+func (e *errInvalidAWSProfile) Error() string {
+	return fmt.Sprintf("invalid aws profile '%s'", e.Profile)
+}
+
+type errInvalidVault struct {
+	KeychainName string
+	Profile      string
+}
+
+func (e *errInvalidVault) Error() string {
+	return fmt.Sprintf("invalid keychain name %q or profile %q", e.KeychainName, e.Profile)
+}
+
+func checkVault(v *viper.Viper) error {
+	// Both keychain name and profile are required or both must be missing
+	keychainName := v.GetString(VaultAWSKeychainNameFlag)
+	keychainNames := []string{
+		VaultAWSKeychainNameDefault,
+	}
+	if len(keychainName) > 0 && !stringSliceContains(keychainNames, keychainName) {
+		return fmt.Errorf("%s is invalid, expected %v: %w", VaultAWSKeychainNameFlag, keychainNames, &errInvalidKeychainName{KeychainName: keychainName})
+	}
+
+	awsProfile := v.GetString(VaultAWSProfileFlag)
+	if len(awsProfile) == 0 {
+		return fmt.Errorf("%s must not be empty: %w", VaultAWSProfileFlag, &errInvalidAWSProfile{Profile: awsProfile})
+	}
+
+	return nil
+}
+
+type errInvalidRegion struct {
+	Region string
+}
+
+func (e *errInvalidRegion) Error() string {
+	return fmt.Sprintf("invalid region %q", e.Region)
+}
+
+func checkRegion(v *viper.Viper) error {
+
+	r := v.GetString(AWSRegionFlag)
+	if _, ok := endpoints.PartitionForRegion(endpoints.DefaultPartitions(), r); !ok {
+		return fmt.Errorf("%s is invalid: %w", AWSRegionFlag, &errInvalidRegion{Region: r})
+	}
+
+	return nil
+}
+
+type errInvalidAccountID struct {
+	AccountID string
+}
+
+func (e *errInvalidAccountID) Error() string {
+	return fmt.Sprintf("invalid Account ID %q", e.AccountID)
+}
+
+func checkAccountID(v *viper.Viper) error {
+	id := v.GetString(AWSAccountIDFlag)
+	if matched, err := regexp.Match(`\d[12]`, []byte(id)); !matched || err != nil {
+		return fmt.Errorf("%s must be a 12 digit number: %w", AWSAccountIDFlag, &errInvalidAccountID{AccountID: id})
+	}
+
+	return nil
+}
+
+type errInvalidIAMUser struct {
+	IAMUser string
+}
+
+func (e *errInvalidIAMUser) Error() string {
+	return fmt.Sprintf("invalid output %q", e.IAMUser)
+}
+
+func checkIAMUser(v *viper.Viper) error {
+
+	user := v.GetString(IAMUserFlag)
+	if len(user) == 0 {
+		return fmt.Errorf("%s is invalid: %w", IAMUserFlag, &errInvalidIAMUser{IAMUser: user})
+	}
+
+	return nil
+}
+
+type errInvalidIAMRole struct {
+	IAMRole string
+}
+
+func (e *errInvalidIAMRole) Error() string {
+	return fmt.Sprintf("invalid output %q", e.IAMRole)
+}
+
+func checkIAMRole(v *viper.Viper) error {
+
+	role := v.GetString(IAMRoleFlag)
+	if len(role) == 0 {
+		return fmt.Errorf("%s is invalid: %w", IAMRoleFlag, &errInvalidIAMRole{IAMRole: role})
+	}
+
+	return nil
+}
+
+type errInvalidOutput struct {
+	Output string
+}
+
+func (e *errInvalidOutput) Error() string {
+	return fmt.Sprintf("invalid output %q", e.Output)
+}
+
+func checkOutput(v *viper.Viper) error {
+
+	o := v.GetString(OutputFlag)
+	outputTypes := []string{
+		"text",
+		"json",
+		"yaml",
+		"table",
+	}
+	if len(o) > 0 && !stringSliceContains(outputTypes, o) {
+		return fmt.Errorf("%s is invalid, expected one of %v: %w", OutputFlag, outputTypes, &errInvalidOutput{Output: o})
+	}
+
+	return nil
+}