diff --git a/manifests/profile.pp b/manifests/profile.pp
index 3d4f018..1487272 100644
--- a/manifests/profile.pp
+++ b/manifests/profile.pp
@@ -32,6 +32,12 @@
 # [$source_profile]
 # The profile to use for credentials to assume the specified role
 #
+# [credential_source]
+# Used within EC2 instances or EC2 containers to specify where the AWS CLI can find credentials
+# to use to assume the role you specified with the role_arn parameter.
+# You cannot specify both source_profile and credential_source in the same profile.
+# More info at https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#using-aws-iam-roles
+#
 # [$role_session_name]
 # An identifier for the assumed role session
 #
@@ -62,18 +68,19 @@
 # }
 #
 define awscli::profile(
-  $ensure = 'present',
-  $user = 'root',
-  $group = undef,
-  $homedir = undef,
-  $aws_access_key_id = undef,
-  $aws_secret_access_key = undef,
-  $role_arn = undef,
-  $source_profile = undef,
-  $role_session_name = undef,
-  $aws_region = 'us-east-1',
-  $profile_name = 'default',
-  $output = 'json',
+  $ensure = 'present',
+  $user = 'root',
+  $group = undef,
+  $homedir = undef,
+  $aws_access_key_id = undef,
+  $aws_secret_access_key = undef,
+  $role_arn = undef,
+  $source_profile = undef,
+  Optional[Enum['Environment', 'Ec2InstanceMetadata', 'EcsContainer']] $credential_source = undef,
+  $role_session_name = undef,
+  $aws_region = 'us-east-1',
+  $profile_name = 'default',
+  $output = 'json',
 ) {
   if $aws_access_key_id == undef and $aws_secret_access_key == undef {
     info ('AWS keys for awscli::profile. Your will need IAM roles configured.')
@@ -108,6 +115,10 @@
     $group_real = $group
   }
 
+  if ($source_profile != undef and $credential_source != undef) {
+    fail('aws cli profile cannot contain both source_profile and credential_source config option')
+  }
+
   # ensure $homedir/.aws is available
   if !defined(File["${homedir_real}/.aws"]) {
     file { "${homedir_real}/.aws":
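Review bot: The new heading `# [credential_source]` drops the `$` sigil that every neighbouring parameter heading carries (`# [$source_profile]`, `# [$role_session_name]`), so the parameter list in the header will read inconsistently; change it to `# [$credential_source]`. Since the parameter is now an Enum in the define below, the description would also benefit from listing the accepted values, e.g. `# One of 'Environment', 'Ec2InstanceMetadata' or 'EcsContainer'.`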
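Review bot: `$credential_source` is the only parameter in the list that is given a data type, which leaves the other values written verbatim into the rendered config (`$source_profile`, `$role_arn`, `$role_session_name`) accepting any value; the Enum is what bounds what the template emits, so the same protection is worth extending to its siblings, e.g. `Optional[String] $source_profile = undef,`. The removed and re-added parameter lines otherwise look identical here, which I read as whitespace realignment only. The define's body continues outside the hunk.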
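Review bot: The mutual-exclusion check does not cover the companion condition this commit documents: `credential_source` is only meaningful together with `role_arn`, and if, as the `role_arn=` header context of the template hunk suggests, the new template lines sit inside a role_arn-guarded block, a profile that sets `credential_source` without `role_arn` is silently misconfigured; add `if $credential_source != undef and $role_arn == undef { fail('credential_source requires role_arn') }`. Style-wise the parentheses around the condition are unnecessary in Puppet, and since `undef` is falsy `if $source_profile and $credential_source {` reads the same. The enclosing define body starts and ends outside the hunk.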
diff --git a/spec/defines/awscli_profile_spec.rb b/spec/defines/awscli_profile_spec.rb
index 9ca9271..628a020 100644
--- a/spec/defines/awscli_profile_spec.rb
+++ b/spec/defines/awscli_profile_spec.rb
@@ -310,4 +310,53 @@
       )
     end
   end
+
+  context 'on AWS Node' do
+    let(:facts) do
+      {
+        os: { family: 'debian' },
+        concat_basedir: '/var/lib/puppet/concat/',
+      }
+    end
+
+    let(:title) { 'test_profile' }
+
+    let(:params) do
+      {
+        'user' => 'test',
+        'role_arn' => 'TESTAWSROLEARN',
+      }
+    end
+
+    ['Environment', 'Ec2InstanceMetadata', 'EcsContainer'].each do |source|
+      it "creates profile for user test with credential_source=#{source}" do
+        params['credential_source'] = source.to_s
+        is_expected.to contain_file('/home/test/.aws').with(
+          ensure: 'directory',
+          owner: 'test',
+          group: 'test',
+          mode: '0700',
+        )
+        is_expected.to contain_concat('/home/test/.aws/config').with(
+          owner: 'test',
+          group: 'test',
+          mode: '0600',
+        )
+        is_expected.to contain_concat__fragment('test_profile-config').with(
+          target: '/home/test/.aws/config',
+        )
+      end
+    end
+
+    it "fails to create profile for user test with credential_source=Invalid" do
+      params['credential_source'] = 'Invalid'
+      is_expected.to compile.and_raise_error(/parameter 'credential_source' expects an undef value or a match for Enum/)
+    end
+
+    it 'fails to create profile with both source_profile and credential_source' do
+      params['credential_source'] = 'Ec2InstanceMetadata'
+      params['source_profile'] = 'development'
+      is_expected.to compile.and_raise_error(/aws cli profile cannot contain both source_profile and credential_source config option/)
+    end
+  end
 end
diff --git a/templates/config_concat.erb b/templates/config_concat.erb
index 83cde6c..aafda2b 100644
--- a/templates/config_concat.erb
+++ b/templates/config_concat.erb
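Review bot: The positive examples in the `each` loop never assert that the chosen value reaches the rendered config: `contain_concat__fragment('test_profile-config')` is checked only for its `target`, so a template regression that dropped the `credential_source=` line would still pass; add `.with_content(/^credential_source=#{source}$/)` to that expectation. `source.to_s` is redundant because the iterated values are already strings, so `params['credential_source'] = source` suffices, and the literal reads better as `%w[Environment Ec2InstanceMetadata EcsContainer]`. The `it "fails to create profile for user test with credential_source=Invalid"` description uses double quotes without interpolation, unlike its sibling example.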
@@ -11,6 +11,9 @@ role_arn=<%= @role_arn %>
 <% if @source_profile -%>
 source_profile=<%= @source_profile %>
 <% end -%>
+<% if @credential_source -%>
+credential_source=<%= @credential_source %>
+<% end -%>
 <% if @role_session_name -%>
 role_session_name=<%= @role_session_name %>
 <% end -%>
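Review bot: The new `credential_source=` line is interpolated unescaped like its neighbours, so the only thing keeping a stray newline or an extra INI key out of the generated `.aws/config` is the Enum type declared on the Puppet side; a short template comment would make that coupling visible to the next editor, e.g. `<%# credential_source is bounded by the Enum on awscli::profile; this template does no escaping -%>`. The block these lines belong to starts outside the hunk (`role_arn=` here is only the hunk's header context).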