feat: Add AWS STS authentication method for AWS validation (#129)

* Initial Commit

* Update aws.go

Updates time.Duration to time.Seconds

* Move STS Struct, Update Comments

* Update go.sum

* Update Deepcopy and Comments

* Seperate STS Authentication

* Update Based on Review

* Update CRD Validators

---------

Signed-off-by: Will <30413278+wcrum@users.noreply.github.com>
Signed-off-by: Tyler Gillson <tyler.gillson@gmail.com>
Co-authored-by: Tyler Gillson <tyler.gillson@gmail.com>

Author: wcrum

api/v1alpha1/awsvalidator_types.go

@@ -40,6 +40,22 @@ type AwsAuth struct {
 	SecretName string `json:"secretName,omitempty" yaml:"secretName,omitempty"`
 	// Option 2: specify a service account (EKS)
 	ServiceAccountName string `json:"serviceAccountName,omitempty" yaml:"serviceAccountName,omitempty"`
+	// STS authentication properties (optional, to be provided in conjunction with Option 1 or 2)
+	StsAuth *AwsSTSAuth `json:"stsAuth,omitempty" yaml:"stsAuth,omitempty"`
+}
+
+type AwsSTSAuth struct {
+	// The Amazon Resource Name (ARN) of the role to assume.
+	RoleArn string `json:"roleArn" yaml:"roleArn"`
+	// An identifier for the assumed role session.
+	RoleSessionName string `json:"roleSessionName" yaml:"roleSessionName"`
+	// The duration, in seconds, of the role session.
+	// +kubebuilder:default=3600
+	// +kubebuilder:validation:Minimum=900
+	// +kubebuilder:validation:Maximum=43200
+	DurationSeconds int `json:"durationSeconds" yaml:"durationSeconds"`
+	// A unique identifier that might be required when you assume a role in another account.
+	ExternalId string `json:"externalId,omitempty" yaml:"externalId,omitempty"`
 }
 
 type IamRoleRule struct {

api/v1alpha1/zz_generated.deepcopy.go

@@ -42,6 +42,32 @@ spec:
                   serviceAccountName:
                     description: 'Option 2: specify a service account (EKS)'
                     type: string
+                  stsAuth:
+                    description: STS authentication properties (optional, to be provided
+                      in conjunction with Option 1 or 2)
+                    properties:
+                      durationSeconds:
+                        default: 3600
+                        description: The duration, in seconds, of the role session.
+                        maximum: 43200
+                        minimum: 900
+                        type: integer
+                      externalId:
+                        description: A unique identifier that might be required when
+                          you assume a role in another account.
+                        type: string
+                      roleArn:
+                        description: The Amazon Resource Name (ARN) of the role to
+                          assume.
+                        type: string
+                      roleSessionName:
+                        description: An identifier for the assumed role session.
+                        type: string
+                    required:
+                    - durationSeconds
+                    - roleArn
+                    - roleSessionName
+                    type: object
                 type: object
               defaultRegion:
                 type: string

config/crd/bases/validation.spectrocloud.labs_awsvalidators.yaml

@@ -4,8 +4,11 @@ go 1.20
 
 require (
 	github.com/L30Bola/aws-policy v0.0.0-20230126045340-5e6118545ac1
+	github.com/aws/aws-sdk-go-v2 v1.22.1
+	github.com/aws/aws-sdk-go-v2/credentials v1.15.1
 	github.com/aws/aws-sdk-go-v2/config v1.22.0
 	github.com/aws/aws-sdk-go-v2/service/ec2 v1.130.0
+	github.com/aws/aws-sdk-go-v2/service/sts v1.25.0
 	github.com/aws/aws-sdk-go-v2/service/efs v1.23.0
 	github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing v1.20.0
 	github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.24.0
@@ -23,16 +26,13 @@ require (
 )
 
 require (
-	github.com/aws/aws-sdk-go-v2 v1.22.1 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.15.1 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.2 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.1 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.1 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.5.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.17.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.19.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.25.0 // indirect
 	github.com/aws/smithy-go v1.16.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect

go.mod

@@ -88,7 +88,7 @@ func (r *AwsValidatorReconciler) Reconcile(ctx context.Context, req ctrl.Request
 	failed := &types.MonotonicBool{}
 
 	// IAM rules
-	awsApi, err := aws_utils.NewAwsApi(validator.Spec.DefaultRegion)
+	awsApi, err := aws_utils.NewAwsApi(r.Log, validator)
 	if err != nil {
 		r.Log.V(0).Error(err, "failed to get AWS client")
 	} else {
@@ -126,7 +126,7 @@ func (r *AwsValidatorReconciler) Reconcile(ctx context.Context, req ctrl.Request
 
 	// Service Quota rules
 	for _, rule := range validator.Spec.ServiceQuotaRules {
-		awsApi, err := aws_utils.NewAwsApi(rule.Region)
+		awsApi, err := aws_utils.NewAwsApi(r.Log, validator)
 		if err != nil {
 			r.Log.V(0).Error(err, "failed to reconcile Service Quota rule")
 			continue
@@ -148,7 +148,7 @@ func (r *AwsValidatorReconciler) Reconcile(ctx context.Context, req ctrl.Request
 
 	// Tag rules
 	for _, rule := range validator.Spec.TagRules {
-		awsApi, err := aws_utils.NewAwsApi(rule.Region)
+		awsApi, err := aws_utils.NewAwsApi(r.Log, validator)
 		if err != nil {
 			r.Log.V(0).Error(err, "failed to reconcile Tag rule")
 			continue

internal/controller/awsvalidator_controller.go

@@ -2,14 +2,20 @@ package aws
 
 import (
 	"context"
+	"time"
 
+	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/credentials/stscreds"
 	"github.com/aws/aws-sdk-go-v2/service/ec2"
 	"github.com/aws/aws-sdk-go-v2/service/efs"
 	"github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing"
 	"github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2"
 	"github.com/aws/aws-sdk-go-v2/service/iam"
 	"github.com/aws/aws-sdk-go-v2/service/servicequotas"
+	"github.com/aws/aws-sdk-go-v2/service/sts"
+	"github.com/go-logr/logr"
+	"github.com/spectrocloud-labs/validator-plugin-aws/api/v1alpha1"
 )
 
 type AwsApi struct {
@@ -22,11 +28,16 @@ type AwsApi struct {
 }
 
 // NewAwsApi creates an AwsApi object that aggregates AWS service clients
-func NewAwsApi(region string) (*AwsApi, error) {
-	cfg, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion(region))
+func NewAwsApi(log logr.Logger, validator *v1alpha1.AwsValidator) (*AwsApi, error) {
+	cfg, err := config.LoadDefaultConfig(context.TODO(), config.WithDefaultRegion(validator.Spec.DefaultRegion))
 	if err != nil {
 		return nil, err
 	}
+
+	if validator.Spec.Auth.StsAuth != nil {
+		awsStsConfig(&cfg, validator.Spec.Auth.StsAuth)
+	}
+
 	return &AwsApi{
 		IAM:   iam.NewFromConfig(cfg),
 		EC2:   ec2.NewFromConfig(cfg),
@@ -36,3 +47,17 @@ func NewAwsApi(region string) (*AwsApi, error) {
 		SQ:    servicequotas.NewFromConfig(cfg),
 	}, nil
 }
+
+func awsStsConfig(cfg *aws.Config, auth *v1alpha1.AwsSTSAuth) {
+	creds := stscreds.NewAssumeRoleProvider(sts.NewFromConfig(*cfg), auth.RoleArn, func(o *stscreds.AssumeRoleOptions) {
+		o.Duration = time.Duration(auth.DurationSeconds) * time.Second
+		o.RoleSessionName = auth.RoleSessionName
+
+		if auth.ExternalId != "" {
+			o.ExternalID = &auth.ExternalId
+		}
+
+	})
+
+	cfg.Credentials = aws.NewCredentialsCache(creds)
+}