Re-release: v0.1.2
- Added role credential rotation
Nathan Dines committed Apr 22, 2018
1 parent 8535bce commit 27071cd
Showing 5 changed files with 37 additions and 6 deletions.
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -30,6 +30,8 @@ state of the stack deployment.
- Acceptance of "No updates to be performed." as a non-erroneous state
- Environment Variable Substitution in Parameter and Tag files
- YAML and JSON formatted stack policies
- Deploy using an assumed IAM role (often used to deploy stacks to other
accounts)

More features are currently on the roadmap, which can be [found on
Trello](https://trello.com/b/ECuGN86A)
9 changes: 6 additions & 3 deletions commands/deploy.go
Expand Up @@ -69,7 +69,7 @@ var deployCmd = &cobra.Command{
}

// Populate Stack ID
// Deliberately ignore errors here
// Deliberately ignore errors here, as the stack might not exist yet
stack.GetStackInfo()

after, err := stack.GetLastEventTime()
Expand All @@ -90,9 +90,12 @@ var deployCmd = &cobra.Command{
}

for {
// Refresh Stack State
refresh_stack_status:
if err := stack.GetStackInfo(); err != nil {
log.Fatal(err)
if err2 := rotateRoleCredentials(err); err2 != nil {
log.Fatal(err)
}
goto refresh_stack_status
}

printStackEvents(&stack, after)
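Review bot: The `goto refresh_stack_status` retry added at the end of this hunk has no upper bound: if rotateRoleCredentials returns nil but the next GetStackInfo still fails with ExpiredToken (say the re-assumed session is not the one the client ends up using), the loop spins forever rather than failing. A freshly assumed session should never be expired, so one re-assumption per failure is enough and a second consecutive failure should be fatal; that also drops the label/goto, which is an unusual shape for Go, and logs `err2` instead of discarding it as the hunk does now. The enclosing deployCmd Run closure and its `for` loop both continue outside the hunk.
```go
	for {
		// Refresh Stack State; re-assume the role once on ExpiredToken, then give up
		err := stack.GetStackInfo()
		if err != nil {
			if err2 := rotateRoleCredentials(err); err2 != nil {
				log.Fatal(err2)
			}
			if err = stack.GetStackInfo(); err != nil {
				log.Fatal(err)
			}
		}

		printStackEvents(&stack, after)
		// … unchanged: rest of the loop body …
```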
7 changes: 5 additions & 2 deletions commands/destroy.go
Expand Up @@ -35,9 +35,12 @@ var destroyCmd = &cobra.Command{
}

for {
// Refresh Stack State
refresh_stack_status:
if err := stack.GetStackInfo(); err != nil {
log.Fatal(err)
if err2 := rotateRoleCredentials(err); err2 != nil {
log.Fatal(err)
}
goto refresh_stack_status
}

printStackEvents(&stack, after)
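Review bot: The label/goto retry added here is byte-for-byte the one added to deploy.go and to printStackEvents in root.go, so the ExpiredToken handling now lives in three places and any fix (a retry bound, better logging) has to be made three times. A small helper next to rotateRoleCredentials in root.go would hold the policy once, bound the retry to a single re-assumption, and let each call site become `if err := callWithRoleRefresh(stack.GetStackInfo); err != nil { log.Fatal(err) }` (GetStackInfo returns a lone error in this hunk, so the method value fits `func() error`). The destroyCmd closure and its `for` loop continue outside the hunk.
```go
// callWithRoleRefresh runs op and, if it fails with an AWS ExpiredToken error,
// re-assumes the configured role and runs op once more. Any other failure, a
// failed re-assumption, or a second failure of op is returned to the caller.
func callWithRoleRefresh(op func() error) error {
	err := op()
	if err == nil {
		return nil
	}
	if err2 := rotateRoleCredentials(err); err2 != nil {
		return err2
	}
	return op()
}
```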
24 changes: 23 additions & 1 deletion commands/root.go
Expand Up @@ -10,6 +10,7 @@ import (

forge "github.com/nathandines/forge/forgelib"

"github.com/aws/aws-sdk-go/aws/awserr"
"github.com/spf13/cobra"
)

Expand Down Expand Up @@ -60,9 +61,13 @@ func Execute() {
}

func printStackEvents(s *forge.Stack, after *time.Time) {
list_events:
bunch, err := s.ListEvents(after)
if err != nil {
log.Fatal(err)
if err2 := rotateRoleCredentials(err); err2 != nil {
log.Fatal(err)
}
goto list_events
}
for _, e := range bunch {
// IDs renamed for JSON output to match the API response data
Expand Down Expand Up @@ -91,3 +96,20 @@ func printStackEvents(s *forge.Stack, after *time.Time) {
*after = *bunch[len(bunch)-1].Timestamp
}
}

func rotateRoleCredentials(err error) error {
if awsErr, ok := err.(awserr.Error); ok && assumeRoleArn != "" {
switch awsErr.Code() {
case "ExpiredToken":
forge.UnassumeAllRoles()
if err2 := forge.AssumeRole(assumeRoleArn); err2 != nil {
return err
}
default:
return err
}
} else {
return err
}
return nil
}
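Review bot: rotateRoleCredentials discards the reason a re-assumption failed: when `forge.AssumeRole` returns err2 the function returns the original `err` (the ExpiredToken error), and every call site in this commit then does `log.Fatal(err)` with that same original, so an operator sees "ExpiredToken" and never the AccessDenied, bad-ARN or MFA failure that actually stopped the deploy. Return the real cause with `return err2` and have callers log what they were handed. Note also that `forge.UnassumeAllRoles()` runs before the new AssumeRole, so on failure the process is left holding its base credentials, which is safe only because every caller treats a non-nil return as fatal; that invariant deserves a comment. The function has no doc comment; I would add `// rotateRoleCredentials re-assumes assumeRoleArn when err is an AWS "ExpiredToken" error. It returns nil once the role is re-assumed and the underlying error otherwise, so callers must not continue on a non-nil result.`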
1 change: 1 addition & 0 deletions forgelib/auth.go
Expand Up @@ -35,6 +35,7 @@ func AssumeRole(roleArn string) error {
return err
}
assumeOut, err := stsClient.AssumeRole(&sts.AssumeRoleInput{
DurationSeconds: aws.Int64(900),
RoleSessionName: aws.String(roleSessionName),
RoleArn: aws.String(roleArn),
})
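Review bot: `DurationSeconds: aws.Int64(900)` is an unexplained magic number, and together with the new rotateRoleCredentials it defines the tool's whole credential strategy: every assumed session is requested for fifteen minutes (the shortest STS accepts, as far as I recall) and the ExpiredToken handler re-assumes once it lapses. That trade-off is a reasonable one, since a short session limits the exposure of leaked temporary credentials, but it also means any deploy longer than the session depends entirely on the rotation path being correct, so the choice should be named and explained rather than inlined: `const assumeRoleDurationSeconds = 900 // shortest STS session; commands re-assume on ExpiredToken`. AssumeRole's signature and surrounding setup lie before this hunk.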
