From 2467e831cc9e5a4c44445c14bc7959d68eb2f919 Mon Sep 17 00:00:00 2001 From: admin <33664051+martinstibbe@users.noreply.github.com> Date: Thu, 5 Jan 2023 09:02:07 -0600 Subject: [PATCH 1/6] Add additional logging --- mongodbatlas/provider.go | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/mongodbatlas/provider.go b/mongodbatlas/provider.go index 0ea70465c3..b12842cee6 100644 --- a/mongodbatlas/provider.go +++ b/mongodbatlas/provider.go @@ -302,7 +302,11 @@ func providerConfigure(ctx context.Context, d *schema.ResourceData) (interface{} } func configureCredentialsSTS(config *Config, secret, region, awsAccessKeyID, awsSecretAccessKey, awsSessionToken, endpoint string) (Config, error) { - ep, _ := endpoints.GetSTSRegionalEndpoint("regional") + ep, err := endpoints.GetSTSRegionalEndpoint("regional") + if err != nil { + fmt.Printf("GetSTSRegionalEndpoint error: %s", err) + } + sess := session.Must(session.NewSession(&aws.Config{ Region: aws.String(region), Credentials: credentials.NewStaticCredentials(awsAccessKeyID, awsSecretAccessKey, awsSessionToken), @@ -312,12 +316,18 @@ func configureCredentialsSTS(config *Config, secret, region, awsAccessKeyID, aws creds := stscreds.NewCredentials(sess, config.AssumeRole.RoleARN) - _, _ = sess.Config.Credentials.Get() - _, _ = creds.Get() + _, err = sess.Config.Credentials.Get() + if err != nil { + fmt.Printf("Session get credentils error: %s", err) + } + _, err = creds.Get() + if err != nil { + fmt.Printf("STS get credentials error: %s", err) + } secretString := secretsManagerGetSecretValue(sess, &aws.Config{Credentials: creds, Region: aws.String(region)}, secret) var secretData SecretData - err := json.Unmarshal([]byte(secretString), &secretData) + err = json.Unmarshal([]byte(secretString), &secretData) if err != nil { return *config, nil } From 5aa8e9adca1820ff70a1d614f3a937efa35a5039 Mon Sep 17 00:00:00 2001 
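Review bot: The new `if err != nil` after `GetSTSRegionalEndpoint` only prints the error and falls through, so the `session.Must(...)` on the next line is still built with `ep` at its zero value and the caller never learns that the STS endpoint setting was not applied; return the error instead of continuing, `return *config, fmt.Errorf("resolving STS regional endpoint: %w", err)`. Independently, `fmt.Printf` writes to the plugin process's stdout with no trailing newline; Terraform providers conventionally log through the standard `log` package (`log.Printf("[WARN] GetSTSRegionalEndpoint error: %s", err)`), which is what the plugin SDK's log handling is built around, and the same applies to the two `Get()` checks in the next hunk. configureCredentialsSTS continues past the end of this hunk.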
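Review bot: The `json.Unmarshal` failure at the end of this hunk still ends in `return *config, nil`, so a malformed or wrong-shaped secret silently yields a Config whose `PublicKey`/`PrivateKey` were never set and the caller carries on with it; return the error, `return *config, fmt.Errorf("decoding secret payload: %w", err)`, and keep the raw `secretString` out of that message since the payload is credential material. The two `Get()` checks above it likewise print and continue, and the message `Session get credentils error` has a typo. The enclosing function extends beyond this hunk.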
From: admin <33664051+martinstibbe@users.noreply.github.com> Date: Mon, 9 Jan 2023 10:49:22 -0600 Subject: [PATCH 2/6] Add error handler exit for failed AWS STS areas --- mongodbatlas/provider.go | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/mongodbatlas/provider.go b/mongodbatlas/provider.go index b12842cee6..40252e921c 100644 --- a/mongodbatlas/provider.go +++ b/mongodbatlas/provider.go @@ -295,7 +295,11 @@ func providerConfigure(ctx context.Context, d *schema.ResourceData) (interface{} awsSecretAccessKey := d.Get("aws_secret_access_key").(string) awsSessionToken := d.Get("aws_session_token").(string) endpoint := d.Get("sts_endpoint").(string) - config, _ = configureCredentialsSTS(&config, secret, region, awsAccessKeyID, awsSecretAccessKey, awsSessionToken, endpoint) + var err error + config, err = configureCredentialsSTS(&config, secret, region, awsAccessKeyID, awsSecretAccessKey, awsSessionToken, endpoint) + if err != nil { + return nil, diag.FromErr(err) + } } return config.NewClient(ctx) @@ -305,6 +309,7 @@ func configureCredentialsSTS(config *Config, secret, region, awsAccessKeyID, aws ep, err := endpoints.GetSTSRegionalEndpoint("regional") if err != nil { fmt.Printf("GetSTSRegionalEndpoint error: %s", err) + return *config, err } sess := session.Must(session.NewSession(&aws.Config{ 
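Review bot: The added `return *config, err` sits directly after a `fmt.Printf` of the same error, so the failure is both printed and returned and will surface twice once the caller turns it into a diagnostic; handle it at one layer by dropping the print and wrapping instead, `return *config, fmt.Errorf("resolving STS regional endpoint: %w", err)`. The same print-then-return pattern is added at the two `Get()` checks in the following hunk. The enclosing function starts and ends outside this hunk.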
@@ -319,17 +324,19 @@ func configureCredentialsSTS(config *Config, secret, region, awsAccessKeyID, aws _, err = sess.Config.Credentials.Get() if err != nil { fmt.Printf("Session get credentils error: %s", err) + return *config, err } _, err = creds.Get() if err != nil { fmt.Printf("STS get credentials error: %s", err) + return *config, err } secretString := secretsManagerGetSecretValue(sess, &aws.Config{Credentials: creds, Region: aws.String(region)}, secret) var secretData SecretData err = json.Unmarshal([]byte(secretString), &secretData) if err != nil { - return *config, nil + return *config, err } config.PublicKey = secretData.PublicKey config.PrivateKey = secretData.PrivateKey From 404f5c51ef9065db13bc9846d2bcf521c6c7c496 Mon Sep 17 00:00:00 2001 From: admin <33664051+martinstibbe@users.noreply.github.com> Date: Mon, 9 Jan 2023 13:40:19 -0600 Subject: [PATCH 3/6] Add error handler to get secret value --- mongodbatlas/provider.go | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/mongodbatlas/provider.go b/mongodbatlas/provider.go index 40252e921c..788a8a9e79 100644 --- a/mongodbatlas/provider.go +++ b/mongodbatlas/provider.go @@ -323,7 +323,7 @@ func configureCredentialsSTS(config *Config, secret, region, awsAccessKeyID, aws _, err = sess.Config.Credentials.Get() if err != nil { - fmt.Printf("Session get credentils error: %s", err) + fmt.Printf("Session get credentials error: %s", err) return *config, err } _, err = creds.Get() 
@@ -331,7 +331,11 @@ func configureCredentialsSTS(config *Config, secret, region, awsAccessKeyID, aws fmt.Printf("STS get credentials error: %s", err) return *config, err } - secretString := secretsManagerGetSecretValue(sess, &aws.Config{Credentials: creds, Region: aws.String(region)}, secret) + secretString, err := secretsManagerGetSecretValue(sess, &aws.Config{Credentials: creds, Region: aws.String(region)}, secret) + if err != nil { + fmt.Printf("Get Secrets error: %s", err) + return *config, err + } var secretData SecretData err = json.Unmarshal([]byte(secretString), &secretData) @@ -343,7 +347,7 @@ func configureCredentialsSTS(config *Config, secret, region, awsAccessKeyID, aws return *config, nil } -func secretsManagerGetSecretValue(sess *session.Session, creds *aws.Config, secret string) string { +func secretsManagerGetSecretValue(sess *session.Session, creds *aws.Config, secret string) (string, error) { svc := secretsmanager.New(sess, creds) input := &secretsmanager.GetSecretValueInput{ SecretId: aws.String(secret), @@ -370,11 +374,11 @@ func secretsManagerGetSecretValue(sess *session.Session, creds *aws.Config, secr } else { fmt.Println(err.Error()) } - return "" + return "", err } fmt.Println(result) - return *result.SecretString + return *result.SecretString, err } func encodeStateID(values map[string]string) string { From 1903c2fa4f0cf59d8b25656dcb15cb01beb80a01 Mon Sep 17 00:00:00 2001 From: admin <33664051+martinstibbe@users.noreply.github.com> Date: Tue, 10 Jan 2023 11:58:38 -0600 Subject: [PATCH 4/6] Add custom resolver for sts service add error handler for API key values --- mongodbatlas/provider.go | 29 ++++++++++++++++++++++++++--- 1 file changed, 26 insertions(+), 3 deletions(-) diff --git a/mongodbatlas/provider.go b/mongodbatlas/provider.go index 788a8a9e79..3e6f4b8cdd 100644 --- a/mongodbatlas/provider.go +++ b/mongodbatlas/provider.go 
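Review bot: `secretsManagerGetSecretValue` gains an error result but still has no doc comment, and its contract matters because the returned string is credential material that callers must not log or echo in errors; add above the signature `// secretsManagerGetSecretValue fetches the SecretString of the named secret using the supplied session and credentials. The returned value is the raw secret payload and must not be logged.` The function body runs past the end of this hunk.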
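Review bot: `return *result.SecretString, err` dereferences `SecretString` without a nil check; for a secret stored as `SecretBinary` the field is nil and the provider panics instead of returning the new error. Guard it, `if result.SecretString == nil { return "", fmt.Errorf("secret %q has no SecretString value", secret) }`, and return a literal `nil` on the success path since `err` is known to be nil there. The `fmt.Println(result)` context line above prints the whole `GetSecretValueOutput` to stdout; even if the SDK's String() redacts fields tagged sensitive, the line has no diagnostic value and should be removed rather than sit next to the secret payload. The enclosing function starts outside this hunk.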
@@ -312,12 +312,27 @@ func configureCredentialsSTS(config *Config, secret, region, awsAccessKeyID, aws return *config, err } - sess := session.Must(session.NewSession(&aws.Config{ + defaultResolver := endpoints.DefaultResolver() + stsCustResolverFn := func(service, region string, optFns ...func(*endpoints.Options)) (endpoints.ResolvedEndpoint, error) { + if service == "sts" { + return endpoints.ResolvedEndpoint{ + URL: fmt.Sprintf("%s.%s.%s", "https://sts", region, "amazonaws.com"), + SigningRegion: region, + }, nil + } + + return defaultResolver.EndpointFor(service, region, optFns...) + } + + cfg := aws.Config{ Region: aws.String(region), Credentials: credentials.NewStaticCredentials(awsAccessKeyID, awsSecretAccessKey, awsSessionToken), STSRegionalEndpoint: ep, - Endpoint: &endpoint, - })) + //Endpoint: aws.String(endpoint), + EndpointResolver: endpoints.ResolverFunc(stsCustResolverFn), + } + + sess := session.Must(session.NewSession(&cfg)) creds := stscreds.NewCredentials(sess, config.AssumeRole.RoleARN) @@ -342,6 +357,14 @@ func configureCredentialsSTS(config *Config, secret, region, awsAccessKeyID, aws if err != nil { return *config, err } + if secretData.PrivateKey == "" { + return *config, fmt.Errorf("secret missing value for credential PrivateKey") + } + + if secretData.PublicKey == "" { + return *config, fmt.Errorf("secret missing value for credential PublicKey") + } + config.PublicKey = secretData.PublicKey config.PrivateKey = secretData.PrivateKey return *config, nil From 257f2ce3e552e325bb6218e432160cf8151b821d Mon Sep 17 00:00:00 2001 From: admin <33664051+martinstibbe@users.noreply.github.com> Date: Tue, 10 Jan 2023 12:36:18 -0600 Subject: [PATCH 5/6] Endpoint changes --- mongodbatlas/provider.go | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/mongodbatlas/provider.go b/mongodbatlas/provider.go index 3e6f4b8cdd..0f2611034d 100644 --- a/mongodbatlas/provider.go +++ b/mongodbatlas/provider.go 
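Review bot: The custom resolver hard-codes `https://sts.<region>.amazonaws.com`, which is wrong for the cn-* and us-gov-* partitions and leaves the `endpoint` parameter dead behind the commented-out `//Endpoint: aws.String(endpoint)` line; either remove the parameter or use it (validated as an https URL) and otherwise fall back to the partition-aware `defaultResolver.EndpointFor`. Two smaller points: the closure parameter `region` shadows the outer `region` argument (the shadow analyzer flags this; renaming it to `reg` makes the capture explicit), and because the closure returns early for STS without consulting `optFns`, the `STSRegionalEndpoint: ep` setting is presumably never seen by this resolver and may no longer have any effect. The enclosing function starts and ends outside this hunk.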
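Review bot: The two empty-key checks are the right guard, but `fmt.Errorf` with no format verbs is what `errors.New` is for, and the generic wording does not say which secret was read; consider `return *config, fmt.Errorf("secret %q missing value for credential PrivateKey", secret)` (and likewise for PublicKey), which names the secret ID without echoing any of its contents. The enclosing function starts outside this hunk.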
@@ -314,9 +314,9 @@ func configureCredentialsSTS(config *Config, secret, region, awsAccessKeyID, aws defaultResolver := endpoints.DefaultResolver() stsCustResolverFn := func(service, region string, optFns ...func(*endpoints.Options)) (endpoints.ResolvedEndpoint, error) { - if service == "sts" { + if service == endpoints.StsServiceID { return endpoints.ResolvedEndpoint{ - URL: fmt.Sprintf("%s.%s.%s", "https://sts", region, "amazonaws.com"), + URL: endpoint, SigningRegion: region, }, nil } @@ -328,8 +328,7 @@ func configureCredentialsSTS(config *Config, secret, region, awsAccessKeyID, aws Region: aws.String(region), Credentials: credentials.NewStaticCredentials(awsAccessKeyID, awsSecretAccessKey, awsSessionToken), STSRegionalEndpoint: ep, - //Endpoint: aws.String(endpoint), - EndpointResolver: endpoints.ResolverFunc(stsCustResolverFn), + EndpointResolver: endpoints.ResolverFunc(stsCustResolverFn), } sess := session.Must(session.NewSession(&cfg)) From a39756248e211755a32f27c25be41a25cae8d9a5 Mon Sep 17 00:00:00 2001 From: admin <33664051+martinstibbe@users.noreply.github.com> Date: Tue, 10 Jan 2023 12:48:16 -0600 Subject: [PATCH 6/6] Add default URL for global sts --- mongodbatlas/provider.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/mongodbatlas/provider.go b/mongodbatlas/provider.go index 0f2611034d..a65caf3486 100644 --- a/mongodbatlas/provider.go +++ b/mongodbatlas/provider.go @@ -315,6 +315,12 @@ func configureCredentialsSTS(config *Config, secret, region, awsAccessKeyID, aws defaultResolver := endpoints.DefaultResolver() stsCustResolverFn := func(service, region string, optFns ...func(*endpoints.Options)) (endpoints.ResolvedEndpoint, error) { if service == endpoints.StsServiceID { + if endpoint == "" { + return endpoints.ResolvedEndpoint{ + URL: "https://sts.amazonaws.com", + SigningRegion: region, + }, nil + } return endpoints.ResolvedEndpoint{ URL: endpoint, SigningRegion: region,
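Review bot: `URL: endpoint` hands the user-supplied `sts_endpoint` value to the resolver verbatim, so an `http://` scheme, a bare host or an empty string is accepted, and the AssumeRole exchange (whose response carries temporary credentials) is sent wherever that value points; validate it once before building the resolver, `if u, perr := url.Parse(endpoint); perr != nil || u.Scheme != "https" || u.Host == "" { return *config, fmt.Errorf("sts_endpoint must be an https URL, got %q", endpoint) }` (needs `net/url`), after any default for the empty case has been applied. `SigningRegion: region` also assumes the configured region is the one the endpoint belongs to; if the endpoint is the global `sts.amazonaws.com`, the signing region presumably has to be `us-east-1`, which is worth confirming against the SDK's own resolver. The enclosing function starts and ends outside this hunk.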