From d95b487af1e2a29786870705595268200bd4486e Mon Sep 17 00:00:00 2001
From: nonchan <50233291+ncs-nozomi-nishinohara@users.noreply.github.com>
Date: Sat, 28 May 2022 01:32:39 +0900
Subject: [PATCH] route53: add assume role ARN (#1650)

Co-authored-by: Fernandez Ludovic
---
 cmd/zz_gen_cmd_dnshelp.go | 1 +
 docs/content/dns/zz_gen_route53.md | 1 +
 providers/dns/route53/route53.go | 50 +++++++++++++++++++++++-------
 providers/dns/route53/route53.toml | 1 +
 4 files changed, 41 insertions(+), 12 deletions(-)

diff --git a/cmd/zz_gen_cmd_dnshelp.go b/cmd/zz_gen_cmd_dnshelp.go
index 13dbbe25..c66ce9c9 100644
--- a/cmd/zz_gen_cmd_dnshelp.go
+++ b/cmd/zz_gen_cmd_dnshelp.go
@@ -1860,6 +1860,7 @@ func displayDNSHelp(name string) error {
 ew.writeln(`Credentials:`)
 ew.writeln(` - "AWS_ACCESS_KEY_ID": Managed by the AWS client. Access key ID ('AWS_ACCESS_KEY_ID_FILE' is not supported, use 'AWS_SHARED_CREDENTIALS_FILE' instead)`)
+ ew.writeln(` - "AWS_ASSUME_ROLE_ARN": Managed by the AWS Role ARN ('AWS_ASSUME_ROLE_ARN' is not supported)`)
 ew.writeln(` - "AWS_HOSTED_ZONE_ID": Override the hosted zone ID.`)
 ew.writeln(` - "AWS_PROFILE": Managed by the AWS client ('AWS_PROFILE_FILE' is not supported)`)
 ew.writeln(` - "AWS_REGION": Managed by the AWS client ('AWS_REGION_FILE' is not supported)`)
diff --git a/docs/content/dns/zz_gen_route53.md b/docs/content/dns/zz_gen_route53.md
index 1ed0f412..626f0438 100644
--- a/docs/content/dns/zz_gen_route53.md
+++ b/docs/content/dns/zz_gen_route53.md
@@ -30,6 +30,7 @@ _Please contribute by adding a CLI example._
 | Environment Variable Name | Description |
 |-----------------------|-------------|
 | `AWS_ACCESS_KEY_ID` | Managed by the AWS client. Access key ID (`AWS_ACCESS_KEY_ID_FILE` is not supported, use `AWS_SHARED_CREDENTIALS_FILE` instead) |
+| `AWS_ASSUME_ROLE_ARN` | Managed by the AWS Role ARN (`AWS_ASSUME_ROLE_ARN` is not supported) |
 | `AWS_HOSTED_ZONE_ID` | Override the hosted zone ID. |
 | `AWS_PROFILE` | Managed by the AWS client (`AWS_PROFILE_FILE` is not supported) |
 | `AWS_REGION` | Managed by the AWS client (`AWS_REGION_FILE` is not supported) |
diff --git a/providers/dns/route53/route53.go b/providers/dns/route53/route53.go
index 696c87d9..05ac212b 100644
--- a/providers/dns/route53/route53.go
+++ b/providers/dns/route53/route53.go
@@ -10,6 +10,7 @@ import (
 "github.com/aws/aws-sdk-go/aws"
 "github.com/aws/aws-sdk-go/aws/client"
+ "github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 "github.com/aws/aws-sdk-go/aws/request"
 "github.com/aws/aws-sdk-go/aws/session"
 "github.com/aws/aws-sdk-go/service/route53"
@@ -31,26 +32,32 @@ const (
 EnvTTL = envNamespace + "TTL"
 EnvPropagationTimeout = envNamespace + "PROPAGATION_TIMEOUT"
 EnvPollingInterval = envNamespace + "POLLING_INTERVAL"
+ EnvAssumeRoleArn = envNamespace + "ASSUME_ROLE_ARN"
 )
 
 // Config is used to configure the creation of the DNSProvider.
 type Config struct {
- MaxRetries int
+ HostedZoneID string
+ MaxRetries int
+ AssumeRoleArn string
+
 TTL int
 PropagationTimeout time.Duration
 PollingInterval time.Duration
- HostedZoneID string
- Client *route53.Route53
+
+ Client *route53.Route53
 }
 
 // NewDefaultConfig returns a default configuration for the DNSProvider.
 func NewDefaultConfig() *Config {
 return &Config{
- MaxRetries: env.GetOrDefaultInt(EnvMaxRetries, 5),
+ HostedZoneID: env.GetOrFile(EnvHostedZoneID),
+ MaxRetries: env.GetOrDefaultInt(EnvMaxRetries, 5),
+ AssumeRoleArn: env.GetOrDefaultString(EnvAssumeRoleArn, ""),
+ TTL: env.GetOrDefaultInt(EnvTTL, 10),
 PropagationTimeout: env.GetOrDefaultSecond(EnvPropagationTimeout, 2*time.Minute),
 PollingInterval: env.GetOrDefaultSecond(EnvPollingInterval, 4*time.Second),
- HostedZoneID: env.GetOrFile(EnvHostedZoneID),
 }
 }
@@ -106,17 +113,15 @@ func NewDNSProviderConfig(config *Config) (*DNSProvider, error) {
 return &DNSProvider{client: config.Client, config: config}, nil
 }
 
- retry := customRetryer{}
- retry.NumMaxRetries = config.MaxRetries
- sessionCfg := request.WithRetryer(aws.NewConfig(), retry)
-
- sess, err := session.NewSessionWithOptions(session.Options{Config: *sessionCfg})
+ sess, err := createSession(config)
 if err != nil {
 return nil, err
 }
 
- cl := route53.New(sess)
- return &DNSProvider{client: cl, config: config}, nil
+ return &DNSProvider{
+ client: route53.New(sess),
+ config: config,
+ }, nil
 }
 
 // Timeout returns the timeout and interval to use when checking for DNS propagation.
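Review bot: The new AssumeRoleArn field in Config (and the EnvAssumeRoleArn constant) carries no comment, and NewDefaultConfig reads it with `env.GetOrDefaultString(EnvAssumeRoleArn, "")` while the sibling HostedZoneID string uses `env.GetOrFile`, so the `_FILE` variant is honoured for one and not the other; if that is deliberate, a comment should say so. A field comment along the lines of `// AssumeRoleArn is an optional IAM role ARN; when set, Route 53 calls use STS credentials obtained for that role (AWS_ASSUME_ROLE_ARN).` would document the behaviour that createSession implements. The matching description in route53.toml, "Managed by the AWS Role ARN (`AWS_ASSUME_ROLE_ARN` is not supported)", reads as if the variable itself were unsupported, whereas the neighbouring entries name the `_FILE` variant in that parenthetical; it is generated into both the CLI help and the docs page, so it is worth fixing at the source. The const block starts before this hunk.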
@@ -294,3 +299,24 @@ func (d *DNSProvider) getHostedZoneID(fqdn string) (string, error) {
 
 return hostedZoneID, nil
 }
+
+func createSession(config *Config) (*session.Session, error) {
+ retry := customRetryer{}
+ retry.NumMaxRetries = config.MaxRetries
+
+ sessionCfg := request.WithRetryer(aws.NewConfig(), retry)
+
+ sess, err := session.NewSessionWithOptions(session.Options{Config: *sessionCfg})
+ if err != nil {
+ return nil, err
+ }
+
+ if config.AssumeRoleArn == "" {
+ return sess, nil
+ }
+
+ return session.NewSession(&aws.Config{
+ Region: sess.Config.Region,
+ Credentials: stscreds.NewCredentials(sess, config.AssumeRoleArn),
+ })
+}
diff --git a/providers/dns/route53/route53.toml b/providers/dns/route53/route53.toml
index 31265ab0..5b541d97 100644
--- a/providers/dns/route53/route53.toml
+++ b/providers/dns/route53/route53.toml
@@ -69,6 +69,7 @@ The following AWS IAM policy document describes the permissions required for leg
 AWS_HOSTED_ZONE_ID = "Override the hosted zone ID."
 AWS_PROFILE = "Managed by the AWS client (`AWS_PROFILE_FILE` is not supported)"
 AWS_SDK_LOAD_CONFIG = "Managed by the AWS client. Retrieve the region from the CLI config file (`AWS_SDK_LOAD_CONFIG_FILE` is not supported)"
+ AWS_ASSUME_ROLE_ARN = "Managed by the AWS Role ARN (`AWS_ASSUME_ROLE_ARN` is not supported)"
 [Configuration.Additional]
 AWS_SHARED_CREDENTIALS_FILE = "Managed by the AWS client. Shared credentials file."
 AWS_MAX_RETRIES = "The number of maximum returns the service will use to make an individual API request"
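Review bot: The assume-role branch at the end of createSession builds the second session from a fresh aws.Config that carries only Region and Credentials, so the customRetryer with config.MaxRetries that was attached to the first session via request.WithRetryer no longer applies to the Route 53 calls made under the assumed role. Derive the new config from the base session instead, e.g. `cfg := sess.Config.Copy()` / `cfg.Credentials = stscreds.NewCredentials(sess, config.AssumeRoleArn)` / `return session.NewSession(cfg)`, which keeps the retryer and region together. The function is unexported and the STS hop is easy to miss from NewDNSProviderConfig, so a doc comment such as `// createSession builds the AWS session used for Route 53 calls; when config.AssumeRoleArn is set, the base session only serves to obtain STS credentials for that role.` would help. The IAM policy text in route53.toml is only partly visible here, so I cannot tell whether it mentions that the base identity now also needs permission to assume the configured role; if it does not, that is worth adding.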