Fix bug that eksctl and kubectl was not using creds from assume role

Author: mumoshu

pkg/awsclicompat/assume_role.go

@@ -21,7 +21,7 @@ type AssumeRoleConfig struct {
 	TransitiveTagKeys []string
 }
 
-func AssumeRole(sess *session.Session, config AssumeRoleConfig) (*session.Session, error) {
+func AssumeRole(sess *session.Session, config AssumeRoleConfig) (*session.Session, *sts.Credentials, error) {
 	var awsDurationSeconds *int64
 
 	if config.DurationSeconds != 0 {
@@ -70,15 +70,21 @@ func AssumeRole(sess *session.Session, config AssumeRoleConfig) (*session.Sessio
 
 	assumedRole, err := stsSvc.AssumeRole(input)
 	if err != nil {
-		return nil, xerrors.Errorf("failed assuming role: %w", err)
+		return nil, nil, xerrors.Errorf("failed assuming role: %w", err)
 	}
 
-	return session.NewSession(&aws.Config{
+	newSess, err := session.NewSession(&aws.Config{
 		Credentials: credentials.NewStaticCredentials(
 			*assumedRole.Credentials.AccessKeyId,
 			*assumedRole.Credentials.SecretAccessKey,
 			*assumedRole.Credentials.SessionToken,
 		),
 		Region: sess.Config.Region,
 	})
+
+	if err != nil {
+		return nil, nil, xerrors.Errorf("initializing session with assume role: %w", err)
+	}
+
+	return newSess, assumedRole.Credentials, nil
 }

pkg/resource/cluster/attach.go

@@ -6,16 +6,17 @@ import (
 	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/aws/aws-sdk-go/service/autoscaling"
 	"github.com/aws/aws-sdk-go/service/cloudformation"
+	"github.com/mumoshu/terraform-provider-eksctl/pkg/sdk"
 	"log"
 	"strings"
 )
 
-func doAttachAutoScalingGroupsToTargetGroups(set *ClusterSet) error {
+func doAttachAutoScalingGroupsToTargetGroups(ctx *sdk.Context, set *ClusterSet) error {
 	if len(set.ListenerStatuses) == 0 {
 		return nil
 	}
 
-	cfn := cloudformation.New(AWSSessionFromCluster(set.Cluster))
+	cfn := cloudformation.New(ctx.Session())
 
 	var stackSummaries []*cloudformation.StackSummary
 
@@ -48,7 +49,7 @@ func doAttachAutoScalingGroupsToTargetGroups(set *ClusterSet) error {
 
 	log.Printf("Finding stacks whose name is prefixd with %q from %d stack summaries", stackNamePrefix, len(stackSummaries))
 
-	asSvc := autoscaling.New(AWSSessionFromCluster(set.Cluster))
+	asSvc := autoscaling.New(ctx.Session())
 
 	for _, s := range stackSummaries {
 

pkg/resource/cluster/aws_session.go

@@ -2,6 +2,7 @@ package cluster
 
 import (
 	"github.com/aws/aws-sdk-go/aws/session"
+	"github.com/aws/aws-sdk-go/service/sts"
 	"github.com/mumoshu/terraform-provider-eksctl/pkg/awsclicompat"
 )
 
@@ -12,10 +13,25 @@ func AWSSessionFromCluster(cluster *Cluster) *session.Session {
 		return sess
 	}
 
-	newSess, err := awsclicompat.AssumeRole(sess, *cluster.AssumeRoleConfig)
+	newSess, _, err := awsclicompat.AssumeRole(sess, *cluster.AssumeRoleConfig)
 	if err != nil {
 		panic(err)
 	}
 
 	return newSess
 }
+
+func AWSCredsFromConfig(region, profile string, assumeRole *awsclicompat.AssumeRoleConfig) (*session.Session, *sts.Credentials) {
+	sess := awsclicompat.NewSession(region, profile)
+
+	if assumeRole == nil {
+		return sess, nil
+	}
+
+	assumed, creds, err := awsclicompat.AssumeRole(sess, *assumeRole)
+	if err != nil {
+		panic(err)
+	}
+
+	return assumed, creds
+}

pkg/resource/cluster/cluster_create.go

@@ -3,6 +3,7 @@ package cluster
 import (
 	"bytes"
 	"fmt"
+	"github.com/mumoshu/terraform-provider-eksctl/pkg/sdk"
 	"github.com/mumoshu/terraform-provider-eksctl/pkg/sdk/api"
 	"io/ioutil"
 	"log"
@@ -12,8 +13,7 @@ import (
 	"time"
 
 	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
-	"github.com/mumoshu/terraform-provider-eksctl/pkg/resource"
-)
+	)
 
 func (m *Manager) createCluster(d *schema.ResourceData) (*ClusterSet, error) {
 	id := newClusterID()
@@ -27,6 +27,8 @@ func (m *Manager) createCluster(d *schema.ResourceData) (*ClusterSet, error) {
 
 	cluster := set.Cluster
 
+	ctx := mustNewContext(cluster)
+
 	if err := createVPCResourceTags(cluster, set.ClusterName); err != nil {
 		return nil, err
 	}
@@ -38,27 +40,27 @@ func (m *Manager) createCluster(d *schema.ResourceData) (*ClusterSet, error) {
 
 	cmd.Stdin = bytes.NewReader(set.ClusterConfig)
 
-	if err := resource.Create(cmd, d, id); err != nil {
-		return nil, fmt.Errorf("running `eksctl create cluster: %w: USED CLUSTER CONFIG:\n%s", err, string(set.ClusterConfig))
+	if err := ctx.Create(cmd, d, id); err != nil {
+		return nil, fmt.Errorf("running `eksctl create cluster`: %w: USED CLUSTER CONFIG:\n%s", err, string(set.ClusterConfig))
 	}
 
-	if err := doWriteKubeconfig(d, string(set.ClusterName), cluster.Region); err != nil {
+	if err := doWriteKubeconfig(ctx, d, string(set.ClusterName), cluster.Region); err != nil {
 		return nil, err
 	}
 
-	if err := doApplyKubernetesManifests(cluster, id); err != nil {
+	if err := doApplyKubernetesManifests(ctx, cluster, id); err != nil {
 		return nil, err
 	}
 
-	if err := doAttachAutoScalingGroupsToTargetGroups(set); err != nil {
+	if err := doAttachAutoScalingGroupsToTargetGroups(ctx, set); err != nil {
 		return nil, err
 	}
 
-	if err := doCheckPodsReadiness(cluster, id); err != nil {
+	if err := doCheckPodsReadiness(ctx, cluster, id); err != nil {
 		return nil, err
 	}
 
-	if err := createIAMIdentityMapping(d, cluster); err != nil {
+	if err := createIAMIdentityMapping(ctx, d, cluster); err != nil {
 		return nil, err
 	}
 
@@ -79,7 +81,7 @@ func (m *Manager) doPlanKubeconfig(d *DiffReadWrite) error {
 	return nil
 }
 
-func doWriteKubeconfig(d ReadWrite, clusterName, region string) error {
+func doWriteKubeconfig(ctx *sdk.Context, d ReadWrite, clusterName, region string) error {
 	var path string
 
 	if v := d.Get(KeyKubeconfigPath); v != nil {
@@ -106,8 +108,8 @@ func doWriteKubeconfig(d ReadWrite, clusterName, region string) error {
 	cmd.Env = append(cmd.Env, os.Environ()...)
 	cmd.Env = append(cmd.Env, "KUBECONFIG="+path)
 
-	if out, err := cmd.CombinedOutput(); err != nil {
-		return fmt.Errorf("failed running %s %s: %vw: COMBINED OUTPUT:\n%s", cmd.Path, strings.Join(cmd.Args, " "), err, string(out))
+	if out, err := ctx.Run(cmd); err != nil {
+		return fmt.Errorf("failed running %s %s: %vw: COMBINED OUTPUT:\n%s", cmd.Path, strings.Join(cmd.Args, " "), err, out.Output)
 	}
 
 	log.Printf("Ran `%s %s` with KUBECONFIG=%s", cmd.Path, strings.Join(cmd.Args, " "), path)
@@ -139,8 +141,8 @@ func doWriteKubeconfig(d ReadWrite, clusterName, region string) error {
 	return nil
 }
 
-func createIAMIdentityMapping(d ReadWrite, cluster *Cluster) error {
-	iams, err := runGetIAMIdentityMapping(d, cluster)
+func createIAMIdentityMapping(ctx *sdk.Context, d ReadWrite, cluster *Cluster) error {
+	iams, err := runGetIAMIdentityMapping(ctx, d, cluster)
 	if err != nil {
 		return fmt.Errorf("can not get iamidentitymapping from eks cluster: %w", err)
 	}
@@ -155,7 +157,7 @@ func createIAMIdentityMapping(d ReadWrite, cluster *Cluster) error {
 
 	if d.Get(KeyIAMIdentityMapping) != nil {
 		values := d.Get(KeyIAMIdentityMapping).(*schema.Set)
-		if err := runCreateIAMIdentityMapping(d, values, cluster); err != nil {
+		if err := runCreateIAMIdentityMapping(ctx, d, values, cluster); err != nil {
 			return fmt.Errorf("creating create  imaidentitymapping command: %w", err)
 		}
 
@@ -167,7 +169,7 @@ func createIAMIdentityMapping(d ReadWrite, cluster *Cluster) error {
 	return nil
 }
 
-func runCreateIAMIdentityMapping(d api.Getter, s *schema.Set, cluster *Cluster) error {
+func runCreateIAMIdentityMapping(ctx *sdk.Context, d api.Getter, s *schema.Set, cluster *Cluster) error {
 	values := s.List()
 	for _, v := range values {
 		ele := v.(map[string]interface{})
@@ -196,7 +198,7 @@ func runCreateIAMIdentityMapping(d api.Getter, s *schema.Set, cluster *Cluster)
 			return fmt.Errorf("creating create imaidentitymapping command: %w", err)
 		}
 
-		res, err := resource.Run(cmd)
+		res, err := ctx.Run(cmd)
 		if err != nil {
 			return fmt.Errorf("running create imaidentitymapping command: %w", err)
 		}
@@ -206,7 +208,7 @@ func runCreateIAMIdentityMapping(d api.Getter, s *schema.Set, cluster *Cluster)
 	return nil
 }
 
-func runDeleteIAMIdentityMapping(d api.Getter, s *schema.Set, cluster *Cluster) error {
+func runDeleteIAMIdentityMapping(ctx *sdk.Context, d api.Getter, s *schema.Set, cluster *Cluster) error {
 	values := s.List()
 	for _, v := range values {
 		ele := v.(map[string]interface{})
@@ -225,7 +227,7 @@ func runDeleteIAMIdentityMapping(d api.Getter, s *schema.Set, cluster *Cluster)
 			return fmt.Errorf("creating create imaidentitymapping command: %w", err)
 		}
 
-		res, err := resource.Run(cmd)
+		res, err := ctx.Run(cmd)
 		if err != nil {
 			return fmt.Errorf("creating create-iamidentitymapping command: %w", err)
 		}

pkg/resource/cluster/cluster_delete.go

@@ -4,7 +4,6 @@ import (
 	"bytes"
 	"fmt"
 	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
-	"github.com/mumoshu/terraform-provider-eksctl/pkg/resource"
 	"log"
 )
 
@@ -25,7 +24,9 @@ func (m *Manager) deleteCluster(d *schema.ResourceData) error {
 		"--wait",
 	}
 
-	if err := doDeleteKubernetesResourcesBeforeDestroy(cluster, d.Id()); err != nil {
+	ctx := mustNewContext(cluster)
+
+	if err := doDeleteKubernetesResourcesBeforeDestroy(ctx, cluster, d.Id()); err != nil {
 		return err
 	}
 
@@ -36,7 +37,7 @@ func (m *Manager) deleteCluster(d *schema.ResourceData) error {
 
 	cmd.Stdin = bytes.NewReader(set.ClusterConfig)
 
-	if err := resource.Delete(cmd, d); err != nil {
+	if err := ctx.Delete(cmd); err != nil {
 		return err
 	}
 

pkg/resource/cluster/cluster_k8s_vesrion.go

@@ -5,7 +5,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
-	"github.com/mumoshu/terraform-provider-eksctl/pkg/resource"
+	"github.com/mumoshu/terraform-provider-eksctl/pkg/sdk"
 	"log"
 	"strconv"
 )
@@ -15,7 +15,7 @@ type LiveClusterInfo struct {
 	Revision          int
 }
 
-func getLiveClusterInfo(d *schema.ResourceData) (*LiveClusterInfo, error) {
+func getLiveClusterInfo(ctx *sdk.Context, d *schema.ResourceData) (*LiveClusterInfo, error) {
 	log.Printf("[DEBUG] getting eksctl cluster k8s version with id %q", d.Id())
 
 	m := &Manager{}
@@ -44,7 +44,7 @@ func getLiveClusterInfo(d *schema.ResourceData) (*LiveClusterInfo, error) {
 
 	cmd.Stdin = bytes.NewReader(set.ClusterConfig)
 
-	res, err := resource.Run(cmd)
+	res, err := ctx.Run(cmd)
 	if err != nil {
 		return nil, err
 	}

pkg/resource/cluster/cluster_read.go

@@ -13,7 +13,6 @@ import (
 
 	"github.com/google/go-cmp/cmp"
 	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
-	"github.com/mumoshu/terraform-provider-eksctl/pkg/resource"
 )
 
 type ReadWrite interface {
@@ -51,6 +50,8 @@ func (d *DiffReadWrite) Id() string {
 func (m *Manager) readCluster(d ReadWrite) (*Cluster, error) {
 	cluster, err := m.readClusterInternal(d)
 
+	ctx := mustNewContext(cluster)
+
 	if err != nil {
 		return nil, fmt.Errorf("reading cluster: %w", err)
 	}
@@ -68,12 +69,13 @@ func (m *Manager) readCluster(d ReadWrite) (*Cluster, error) {
 	if path != "" {
 		if _, err := os.Stat(path); os.IsNotExist(err) {
 			log.Printf("running customdiff: no kubeconfig file found at kubeconfig_path=%s: recreating it", path)
-			if err := doWriteKubeconfig(d, string(m.getClusterName(cluster, d.Id())), cluster.Region); err != nil {
+			if err := doWriteKubeconfig(nil, d, string(m.getClusterName(cluster, d.Id())), cluster.Region); err != nil {
 				return nil, fmt.Errorf("writing missing kubeconfig on plan: %w", err)
 			}
 		}
 	}
-	if err := readIAMIdentityMapping(d, cluster); err != nil {
+
+	if err := readIAMIdentityMapping(ctx, d, cluster); err != nil {
 		return nil, fmt.Errorf("reading aws-auth via eksctl get iamidentitymaping: %w", err)
 	}
 
@@ -121,15 +123,15 @@ func (m *Manager) planCluster(d *DiffReadWrite) error {
 	return nil
 }
 
-func readIAMIdentityMapping(d ReadWrite, cluster *Cluster) error {
+func readIAMIdentityMapping(ctx *sdk.Context, d ReadWrite, cluster *Cluster) error {
 	iamWithOIDCEnabled, err := cluster.IAMWithOIDCEnabled()
 	if err != nil {
 		return fmt.Errorf("reading iam.withOIDC setting from cluster.yaml: %w", err)
 	} else if !iamWithOIDCEnabled {
 		return nil
 	}
 
-	iams, err := runGetIAMIdentityMapping(d, cluster)
+	iams, err := runGetIAMIdentityMapping(ctx, d, cluster)
 	if err != nil {
 		return fmt.Errorf("can not get iamidentitymapping from eks cluster: %w", err)
 	}
@@ -153,8 +155,7 @@ func readIAMIdentityMapping(d ReadWrite, cluster *Cluster) error {
 	return nil
 }
 
-func runGetIAMIdentityMapping(d api.Getter, cluster *Cluster) ([]map[string]interface{}, error) {
-
+func runGetIAMIdentityMapping(ctx *sdk.Context, d api.Getter, cluster *Cluster) ([]map[string]interface{}, error) {
 	//get iamidentitymapping
 	args := []string{
 		"get",
@@ -170,7 +171,7 @@ func runGetIAMIdentityMapping(d api.Getter, cluster *Cluster) ([]map[string]inte
 		return nil, fmt.Errorf("creating get imaidentitymapping command: %w", err)
 	}
 
-	iamJson, err := resource.Run(cmd)
+	iamJson, err := ctx.Run(cmd)
 
 	if err != nil {
 		return nil, fmt.Errorf("running get iamidentitymapping : %w", err)
@@ -268,7 +269,9 @@ func runGetCluster(d api.Getter, cluster *Cluster) (*ClusterState, error) {
 		return nil, fmt.Errorf("creating get imaidentitymapping command: %w", err)
 	}
 
-	run, err := resource.Run(cmd)
+	ctx := mustNewContext(cluster)
+
+	run, err := ctx.Run(cmd)
 	if err != nil {
 		return nil, xerrors.Errorf("running get-cluster: %w", err)
 	}