Merge pull request sous-chefs#200 from chef-cookbooks/assume_role_fai…

…lures Fix assume_role attributes missing in ebs_volume provider
CheggEng · Jan 21, 2016 · 975218d · 975218d
2 parents 87dc3af + 42feb4a
commit 975218d
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 10 deletions.
diff --git a/libraries/ec2.rb b/libraries/ec2.rb
@@ -15,8 +15,6 @@
 # limitations under the License.
 #
 
-# TODO: once sync_libraries properly handles sub-directories, move this file to aws/libraries/opscode/aws/ec2.rb
-
 require 'open-uri'
 
 module Opscode
@@ -61,13 +59,9 @@ def instance_availability_zone
 
       private
 
-      def create_aws_interface(aws_interface)
-        begin
-          require 'aws-sdk'
-        rescue LoadError
-          Chef::Log.error("Missing gem 'aws-sdk'. Use the default aws recipe to install it first.")
-        end
-
+      # determine the AWS region of the node
+      # Priority: User set node attribute -> ohai data -> us-east-1
+      def query_aws_region
         region = node['aws']['region']
 
         if region.nil?
@@ -78,13 +72,20 @@ def create_aws_interface(aws_interface)
             region = 'us-east-1'
           end
         end
+        region
+      end
+
+      # setup AWS instance using passed creds, iam profile, or assumed role
+      def create_aws_interface(aws_interface)
+        region = query_aws_region
 
         if !new_resource.aws_access_key.to_s.empty? && !new_resource.aws_secret_access_key.to_s.empty?
           creds = ::Aws::Credentials.new(new_resource.aws_access_key, new_resource.aws_secret_access_key, new_resource.aws_session_token)
         else
           Chef::Log.info('Attempting to use iam profile')
           creds = ::Aws::InstanceProfileCredentials.new
         end
+
         if !new_resource.aws_assume_role_arn.to_s.empty? && !new_resource.aws_role_session_name.to_s.empty?
           Chef::Log.debug("Assuming role #{new_resource.aws_assume_role_arn}")
           sts_client = ::Aws::STS::Client.new(credentials: creds, region: region)
@@ -93,33 +94,38 @@ def create_aws_interface(aws_interface)
         aws_interface.new(credentials: creds, region: region)
       end
 
+      # fetch the instance ID from the metadata endpoint
       def query_instance_id
         instance_id = open('http://169.254.169.254/latest/meta-data/instance-id', options = { proxy: false }, &:gets)
         fail 'Cannot find instance id!' unless instance_id
         Chef::Log.debug("Instance ID is #{instance_id}")
         instance_id
       end
 
+      # fetch the availability zone from the metadata endpoint
       def query_instance_availability_zone
         availability_zone = open('http://169.254.169.254/latest/meta-data/placement/availability-zone/', options = { proxy: false }, &:gets)
         fail 'Cannot find availability zone!' unless availability_zone
         Chef::Log.debug("Instance's availability zone is #{availability_zone}")
         availability_zone
       end
 
+      # fetch the mac address of an interface. eth0 by default
       def query_mac_address(interface = 'eth0')
         node['network']['interfaces'][interface]['addresses'].select do |_, e|
           e['family'] == 'lladdr'
         end.keys.first.downcase
       end
 
+      # fetch the private IP address of an interface from the metadata endpoint. eth0 by default
       def query_private_ip_addresses(interface = 'eth0')
         mac = query_mac_address(interface)
         ip_addresses = open("http://169.254.169.254/latest/meta-data/network/interfaces/macs/#{mac}/local-ipv4s", options = { proxy: false }) { |f| f.read.split("\n") }
         Chef::Log.debug("#{interface} assigned local ipv4s addresses is/are #{ip_addresses.join(',')}")
         ip_addresses
       end
 
+      # fetch the network interface ID of an interface from the metadata endpoint. eth0 by default
       def query_network_interface_id(interface = 'eth0')
         mac = query_mac_address(interface)
         eni_id = open("http://169.254.169.254/latest/meta-data/network/interfaces/macs/#{mac}/interface-id", options = { proxy: false }, &:gets)

diff --git a/providers/ebs_volume.rb b/providers/ebs_volume.rb
@@ -6,7 +6,7 @@ def whyrun_supported?
 end
 
 action :create do
-  fail 'Cannot create a volume with a specific id (EC2 chooses volume ids)' if new_resource.volume_id
+  fail 'Cannot create a volume with a specific volume_id as AWS chooses volume ids' if new_resource.volume_id
   if new_resource.snapshot_id =~ /vol/
     new_resource.snapshot_id(find_snapshot_id(new_resource.snapshot_id, new_resource.most_recent_snapshot))
   end

diff --git a/resources/ebs_volume.rb b/resources/ebs_volume.rb
@@ -19,6 +19,8 @@
 attribute :aws_access_key,        kind_of: String
 attribute :aws_secret_access_key, kind_of: String
 attribute :aws_session_token,     kind_of: String, default: nil
+attribute :aws_assume_role_arn,   kind_of: String
+attribute :aws_role_session_name, kind_of: String
 attribute :size,                  kind_of: Integer
 attribute :snapshot_id,           kind_of: String
 attribute :most_recent_snapshot,  kind_of: [TrueClass, FalseClass], default: false