Constants

// CachedOrganizationFilename names the on-disk cache of the organization
// description (see Config.DescribeOrganization).
const CachedOrganizationFilename = ".substrate.organization.json"

// AWS API error codes that this package recognizes by their string name.
// NOTE(review): presumably compared against the code carried by an SDK
// error (throttling and not-yet-propagated credentials); confirm at the
// call sites, which are outside this listing.
const (
	TooManyRequestsException    = "TooManyRequestsException"
	UnrecognizedClientException = "UnrecognizedClientException"
)
// Environment variable names through which credentials are handed between
// processes; Getenv presumably reads them and Setenv writes them (both take
// or return aws.Credentials).
//
// NOTE(review): the three AWS_* names are the ones the AWS SDKs themselves
// honour, so whatever Setenv exports is also visible to every SDK client in
// this process and to any child process it spawns. The secret key and the
// session token are sensitive; they must never be logged or echoed.
const (
	AWS_ACCESS_KEY_ID     = "AWS_ACCESS_KEY_ID"
	AWS_SECRET_ACCESS_KEY = "AWS_SECRET_ACCESS_KEY"
	AWS_SESSION_TOKEN     = "AWS_SESSION_TOKEN"
)

// SUBSTRATE_CREDENTIALS_EXPIRATION accompanies the three AWS variables above.
// NOTE(review): presumably carries the credentials' expiry so that a later
// Getenv can report when they stop working — confirm against Getenv/Setenv.
const SUBSTRATE_CREDENTIALS_EXPIRATION = "SUBSTRATE_CREDENTIALS_EXPIRATION"
// AWS error codes matched by name when reading the organization.
//
// AWSOrganizationsNotInUseException is what AWS Organizations returns when the
// calling account is not a member of any organization; AccessDenied is the
// generic authorization failure. NOTE(review): how each is handled is decided
// at the call sites, which are outside this listing — confirm there.
const (
	AWSOrganizationsNotInUseException = "AWSOrganizationsNotInUseException"
	AccessDenied                      = "AccessDenied"
)
// Where the list of accounts lives on disk.
const (
	// AccountsFilename is the account list as a plain text file.
	AccountsFilename = "substrate.accounts.txt"

	// CachedAccountsFilename is the on-disk JSON cache of the account list;
	// Config.ClearCachedAccounts discards it.
	CachedAccountsFilename = ".substrate.accounts.json"
)

// MemoizedAccountsTTL bounds how long an in-memory copy of the account list
// is reused. NOTE(review): presumably consulted by ListAccounts before it
// re-reads the cache or the API — confirm.
const MemoizedAccountsTTL = time.Hour
// Files that record the organization's management account ID (see
// WriteManagementAccountIdToDisk and EnsureManagementAccountIdMatchesDisk).
//
// OldManagementAccountIdFilename uses the retired "master account" wording.
// NOTE(review): presumably still read for installations created before the
// rename — confirm against EnsureManagementAccountIdMatchesDisk.
const (
	ManagementAccountIdFilename    = "substrate.management-account-id"
	OldManagementAccountIdFilename = "substrate.master-account-id"
)
// WaitUntilCredentialsWorkTries caps the attempts made by
// Config.WaitUntilCredentialsWork. Each try costs roughly one second, and API
// Gateway will not wait longer than 29 seconds for a response anyway, so 18
// keeps the whole wait comfortably under that limit.
const WaitUntilCredentialsWorkTries = 18

Variables

This section is empty.

Functions

func EnsureManagementAccountIdMatchesDisk

func EnsureManagementAccountIdMatchesDisk(managementAccountId string) error

func Getenv

func Getenv() (creds aws.Credentials)

func NewAccountNotFound

func NewAccountNotFound(tags ...string) error

func Setenv

func Setenv(creds aws.Credentials) (err error)

func WriteManagementAccountIdToDisk

func WriteManagementAccountIdToDisk(managementAccountId string) error

Types

type Account

// Account is one member account of the organization: the SDK's account record
// (NOTE(review): presumably the AWS Organizations types.Account — confirm the
// import) together with the tags Substrate uses to classify it.
type Account struct {
	types.Account
	Tags tagging.Map // NOTE(review): presumably the account's AWS tags as read by ListAccounts — confirm
}

func (*Account) AdministratorRoleName

func (a *Account) AdministratorRoleName() string

func (*Account) Config

func (a *Account) Config(
	ctx context.Context,
	cfg *Config,
	roleName string,
	duration time.Duration,
) (*Config, error)

func (*Account) MarshalJSON

func (a *Account) MarshalJSON() ([]byte, error)

func (*Account) Quality

func (a *Account) Quality() (quality string, err error)

func (*Account) String

func (a *Account) String() string

type AccountNotFound

// AccountNotFound is the error for a lookup that matched no account. Build one
// with NewAccountNotFound, which takes the tags that were searched for.
type AccountNotFound string

func (AccountNotFound) Error

func (err AccountNotFound) Error() string

type Config

// Config is this package's handle on an AWS identity: construct one with
// NewConfig (or Must), derive further ones with the Assume* methods, and obtain
// per-service clients from the accessor methods (ACM, EC2, IAM, STS, ...).
// Retrieve returns the credentials it currently holds, so a *Config can also
// stand in as a credentials provider.
//
// NOTE(review): the unexported fields are elided by this listing, so what is
// shared between a Config and the *Config returned by Copy or Regional cannot
// be read from here — confirm before mutating a derived Config concurrently.
type Config struct {
	// contains filtered or unexported fields
}

func Must

func Must(cfg *Config, err error) *Config

func NewConfig

func NewConfig(ctx context.Context) (c *Config, err error)

func (*Config) ACM

func (c *Config) ACM() *acm.Client

func (*Config) APIGateway

func (c *Config) APIGateway() *apigateway.Client

func (*Config) APIGatewayV2

func (c *Config) APIGatewayV2() *apigatewayv2.Client

func (*Config) AccountId

func (c *Config) AccountId(ctx context.Context) (string, error)

func (*Config) AssumeManagementRole

func (c *Config) AssumeManagementRole(
	ctx context.Context,
	roleName string,
	duration time.Duration,
) (*Config, error)

AssumeManagementRole assumes the given role in the organization's management account. It can only be called on a *Config with the Administrator role in an admin account, the Substrate role or user in the Substrate account, or the OrganizationAdministrator or Substrate role or user already in the management account. The duration parameter is limited to an AWS-enforced maximum of one hour (3600 seconds) when the *Config receiving the call holds a role rather than a user, a situation AWS calls role chaining. See <https://aws.amazon.com/premiumsupport/knowledge-center/iam-role-chaining-limit/> for more information.

func (*Config) AssumeRole

func (c *Config) AssumeRole(
	ctx context.Context,
	accountId string,
	roleName string,
	duration time.Duration,
) (*Config, error)

AssumeRole assumes the given role in the given account and returns a new *Config there. It can be called on any *Config but is most often (and most effectively) called on one with the Administrator role in an admin account, the Substrate role or user in the Substrate account, or the OrganizationAdministrator or Substrate role or user in the management account.

func (*Config) AssumeRoleARN

func (c *Config) AssumeRoleARN(ctx context.Context, roleARN string, duration time.Duration) (*Config, error)

func (*Config) AssumeServiceRole

func (c *Config) AssumeServiceRole(
	ctx context.Context,
	domain, environment, quality string,
	roleName string,
	duration time.Duration,
) (*Config, error)

AssumeServiceRole assumes the given role in the service account identified by the given domain, environment, and quality. It can be called on any *Config but is most often (and most effectively) called on one with the Administrator role in an admin account, the Substrate role or user in the Substrate account, or the OrganizationAdministrator or Substrate role or user in the management account.

func (*Config) AssumeSpecialRole

func (c *Config) AssumeSpecialRole(
	ctx context.Context,
	name string,
	roleName string,
	duration time.Duration,
) (*Config, error)

AssumeSpecialRole assumes the given role in the named special account. It can be called on any *Config but is most often (and most effectively) called on one with the Administrator role in an admin account, the Substrate role or user in the Substrate account, or the OrganizationAdministrator or Substrate role or user in the management account.

func (*Config) AssumeSubstrateRole

func (c *Config) AssumeSubstrateRole(
	ctx context.Context,
	roleName string,
	duration time.Duration,
) (*Config, error)

AssumeSubstrateRole assumes the given role in the Substrate account. It can be called on any *Config but is most often (and most effectively) called from Administrator or Substrate in the Substrate account or OrganizationAdministrator or Substrate in the management account. It's for times when you want to be sure you're in the Substrate account.

func (*Config) BootstrapCredentials

func (c *Config) BootstrapCredentials(ctx context.Context) (callerIdentity *sts.GetCallerIdentityOutput, err error)

func (*Config) ClearCachedAccounts

func (c *Config) ClearCachedAccounts() error

func (*Config) CloudFront

func (c *Config) CloudFront() *cloudfront.Client

func (*Config) CloudTrail

func (c *Config) CloudTrail() *cloudtrail.Client

func (*Config) CloudWatchLogs

func (c *Config) CloudWatchLogs() *cloudwatchlogs.Client

func (*Config) Copy

func (c *Config) Copy() *Config

func (*Config) DescribeOrganization

func (c *Config) DescribeOrganization(ctx context.Context) (*Organization, error)

func (*Config) DynamoDB

func (c *Config) DynamoDB() *dynamodb.Client

func (*Config) EC2

func (c *Config) EC2() *ec2.Client

func (*Config) FindAccount

func (c *Config) FindAccount(
	ctx context.Context,
	f func(*Account) bool,
) (*Account, error)

FindAccount returns the first *Account for which the given acceptance test function returns true. This may be called from any account.

func (*Config) FindAccounts

func (c *Config) FindAccounts(
	ctx context.Context,
	f func(*Account) bool,
) (accounts []*Account, err error)

FindAccounts returns all []*Account for which the given acceptance test function returns true. This may be called from any account. We expect to find an account that matches, so if we don't, we remove the cache file and try once more.

func (*Config) FindAdminAccount

func (c *Config) FindAdminAccount(ctx context.Context, quality string) (*Account, error)

FindAdminAccount returns the *Account for the admin account with the given quality. This may be called from any account.

func (*Config) FindAdminAccounts

func (c *Config) FindAdminAccounts(ctx context.Context) ([]*Account, error)

FindAdminAccounts returns an *Account for every admin account. This will, in practice, never return more than one account, but it does so without the caller having to know the quality ahead of time. Thankfully, it's also deprecated the moment it's introduced since admin accounts are going away in favor of the singular and simplified Substrate account. This may be called from any account.

func (*Config) FindManagementAccount

func (c *Config) FindManagementAccount(ctx context.Context) (*Account, error)

FindManagementAccount returns the *Account for the management account. This may be called from any account.

func (*Config) FindServiceAccount

func (c *Config) FindServiceAccount(ctx context.Context, domain, environment, quality string) (*Account, error)

FindServiceAccount returns the *Account for the service account with the given domain, environment, and quality. This may be called from any account.

func (*Config) FindSpecialAccount

func (c *Config) FindSpecialAccount(ctx context.Context, name string) (*Account, error)

FindSpecialAccount returns the *Account for the special account with the given name. This may be called from any account.

func (*Config) FindSubstrateAccount

func (c *Config) FindSubstrateAccount(ctx context.Context) (*Account, error)

FindSubstrateAccount returns the *Account for the Substrate account or nil (with a nil error) if the organization has not yet run `substrate setup`. This may be called from any account.

func (*Config) GetCallerIdentity

func (c *Config) GetCallerIdentity(ctx context.Context) (*sts.GetCallerIdentityOutput, error)

func (*Config) IAM

func (c *Config) IAM() *iam.Client

func (*Config) Identity

func (c *Config) Identity(ctx context.Context) (*Identity, error)

func (*Config) IdentityStore

func (c *Config) IdentityStore() *identitystore.Client

func (*Config) Lambda

func (c *Config) Lambda() *lambda.Client

func (*Config) ListAccounts

func (c *Config) ListAccounts(ctx context.Context) (accounts []*Account, err error)

ListAccounts returns all the accounts in the organization in a single slice. For a higher-level interface, see accounts.Grouped. This may be called from any account.

func (*Config) MustAccountId

func (c *Config) MustAccountId(ctx context.Context) string

func (*Config) MustDescribeOrganization

func (c *Config) MustDescribeOrganization(ctx context.Context) *Organization

func (*Config) MustGetCallerIdentity

func (c *Config) MustGetCallerIdentity(ctx context.Context) *sts.GetCallerIdentityOutput

func (*Config) OrganizationReader

func (c *Config) OrganizationReader(ctx context.Context) (*Config, error)

func (*Config) Organizations

func (c *Config) Organizations() *organizations.Client

func (*Config) RAM

func (c *Config) RAM() *ram.Client

func (*Config) Region

func (c *Config) Region() string

func (*Config) Regional

func (c *Config) Regional(region string) *Config

func (*Config) Retrieve

func (c *Config) Retrieve(ctx context.Context) (aws.Credentials, error)

func (*Config) Route53

func (c *Config) Route53() *route53.Client

func (*Config) S3

func (c *Config) S3() *s3.Client

func (*Config) SSO

func (c *Config) SSO() *sso.Client

func (*Config) SSOAdmin

func (c *Config) SSOAdmin() *ssoadmin.Client

func (*Config) STS

func (c *Config) STS() *sts.Client

func (*Config) SecretsManager

func (c *Config) SecretsManager() *secretsmanager.Client

func (*Config) ServiceQuotas

func (c *Config) ServiceQuotas() *servicequotas.Client

func (*Config) SetCredentials

func (c *Config) SetCredentials(
	ctx context.Context,
	creds aws.Credentials,
) (
	callerIdentity *sts.GetCallerIdentityOutput,
	err error,
)

SetCredentials reconfigures the receiver to use the given credentials (whether root, user, or session credentials) and waits until they begin working (which concerns mostly user credentials). It returns the caller identity because it's already gone to the trouble of getting it and callers often need it right afterward, anyway.

func (*Config) Tags

func (c *Config) Tags(ctx context.Context) (tagging.Map, error)

func (*Config) Telemetry

func (c *Config) Telemetry() *telemetry.Event

func (*Config) WaitUntilCredentialsWork

func (c *Config) WaitUntilCredentialsWork(ctx context.Context) (
	callerIdentity *sts.GetCallerIdentityOutput,
	err error,
)

WaitUntilCredentialsWork waits in a sleeping loop until the configured credentials (whether provided via SetCredentials or discovered in environment variables or an IAM instance profile) work, which it tests using both sts:GetCallerIdentity and organizations:DescribeOrganization. This seems silly but IAM is an eventually consistent global service so it's not guaranteed that newly created credentials will work immediately. In fact, even just testing via sts:GetCallerIdentity is demonstrably not good enough as `substrate setup`, when run with root credentials, will fail a significant fraction of the time because, though sts:GetCallerIdentity succeeded, the credentials haven't yet become visible to other services. Thus, organizations:DescribeOrganization was chosen as a second test to ensure the credentials really, actually work. Typically when this has to wait it waits about five seconds.

type Identity

// Identity describes the principal behind a Config, as returned by
// Config.Identity: its ARN, the account it belongs to, and the Substrate tags
// that classify that account.
type Identity struct {
	ARN       string // ARN of the calling principal (NOTE(review): role ARN vs. assumed-role session ARN — confirm)
	AccountID string // AWS account ID the principal belongs to
	Tags      struct {
		Domain, Environment, Quality string // service-account coordinates; compare Config.AssumeServiceRole
		SubstrateSpecialAccount      string // name of the special account, if any; compare Config.AssumeSpecialRole
		SubstrateType                string // NOTE(review): presumably the account's kind within the organization — confirm
	}
}

type ManagementAccountMismatchError

// ManagementAccountMismatchError reports that the management account ID in use
// differs from the one recorded on disk. NOTE(review): presumably returned by
// EnsureManagementAccountIdMatchesDisk — confirm; the Error method is listed
// but its text is outside this listing.
type ManagementAccountMismatchError string

func (ManagementAccountMismatchError) Error

type NonManagementAccountError

// NonManagementAccountError is returned when an operation that requires the
// management account was attempted from some other account. Its fields are
// unexported; Error renders the message.
type NonManagementAccountError struct {
	// contains filtered or unexported fields
}

func (NonManagementAccountError) Error

func (err NonManagementAccountError) Error() string

type Organization

// Organization is an alias (not a distinct type) for the SDK's organization
// record, so values convert freely in both directions; see
// Config.DescribeOrganization.
type Organization = types.Organization

type OrganizationReaderError

// OrganizationReaderError wraps the failure to obtain an organization-reading
// *Config (see Config.OrganizationReader) together with the role name that was
// tried; build one with NewOrganizationReaderError.
//
// NOTE(review): the underlying error is exposed through Err rather than an
// Unwrap method, so errors.Is/errors.As will not see through this type unless
// an Unwrap exists outside this listing — confirm before relying on them.
type OrganizationReaderError struct {
	// contains filtered or unexported fields
}

func NewOrganizationReaderError

func NewOrganizationReaderError(err error, roleName string) *OrganizationReaderError

func (*OrganizationReaderError) Err

func (err *OrganizationReaderError) Err() error

func (*OrganizationReaderError) Error

func (err *OrganizationReaderError) Error() string
