[WIP] New Feature: assume_role connection config

[brittandeyoung]

I am new to contributing to this project so some guidance to make sure I follow the correct procedures would be appreciated. This pull request is currently a Work In Progress. I am attempting to add the ability to use the assume_role in the connection configuration in order to leverage role assumption when configuring a connection to an AWS account instead of having to provide a profile or a static set of credentials.

I did not see any integration tests related to the creating and testing of the AWS connection itself for me to run.

Closes: #1844

Example config:

connection "aws" {
  plugin = "aws"
  type        = "aggregator"
  connections = ["aws_sandbox", "aws_ci", "aws_pre_prod"]
}

connection "aws_sandbox" {
  plugin      = "aws" 
  assume_role = {
    role_arn = "arn:aws:iam::111111111111:role/steampipe"
    duration = "300s"
    external_id = "testing"
    session_name = "steampipe"
  } 
  regions     = ["us-east-1", "us-west-2"]
}

I was able to use this config to run successful queries

[rajlearner17]

@brittandeyoung Thanks for trying out Steampipe!
We appreciate your interest in contributing to the community 👍

As you are still working on it, please check the following docs for your reference

• Writing Plugins
• AssumeRole - I am not sure if this is the one you are looking for in your PR?

[brittandeyoung]

@rajlearner17 There have been more details in the issue around the reason for these suggested changes. The biggest reason is that it would be nice to avoid having to both manage the ./aws/config file and the aws.spc file when setting up connections. It would be ideal to be able to manage all of this within the steampipe aws connection file.

I have updated the PR with setting these configurations at the root config, but am looking at some suggestions on how we can make this a config block.

[brittandeyoung]

For awareness, I have the assume role configuration working. The last piece is the optional items under the assume_role config. More details are in the issue. With the current code in the PR, assuming roles works, but the optional fields duration, external_id and session_name do not work.

[cbruno10]

@brittandeyoung Is there a reason you shortened the cache time, was this used just for testing?

[brittandeyoung]

@cbruno10 Yes this change was made for testing, I have reverted this change.

[cbruno10]

Is this example still correct, or does it follow the nested structure now?

[brittandeyoung]

@cbruno10 Thank you, I had forgot to update the example after changing to a map for configuration. The example has now been updated.

[cbruno10]

@brittandeyoung Referencing your most recent issue comment #1844 (comment), you mention using cty, but here in the code I see all fields using hcl instead.

How does the code currently behave? Does it not work in some scenarios?

[brittandeyoung]

@cbruno10 In the current state, the role_arn loads in properly and assuming the role works as expected as it has the cty tag.

Currently the remainder of the fields to not have the cty tag. Without this tag, these items DO NOT load in from the config. This means these values are nil.

If I add the cty tag, the values do load in, but then are no longer optional and must be provided. If you do not provide them all, steampipe crashes and fails to load. If i attempt to add the optional tag, steampipe crashes when attempting to load the config.

Any tips on direction from here is appreciated

[bigdatasourav]

We were able to reproduce the above issue -

Error: failed to start plugin 'hub.steampipe.io/plugins/turbot/aws@latest': failed to start 'hub.steampipe.io/plugins/turbot/aws@latest': failed to parse connection config for connection 'aws':
Unsuitable value type: Unsuitable value: attribute "external_id" is required

This could be an HCL parsing error - https://github.com/turbot/steampipe-plugin-sdk/blob/main/plugin/connection_config_schema.go#L88

I have raised a Steampipe SDK issue for the same with the details.

[bigdatasourav]

@brittandeyoung, please let us know if you are getting any other issues than the above.

[brittandeyoung]

@bigdatasourav Great thanks! That was the only issue i was running into. I will keep an eye on this issue.

[opsanatoliy]

@brittandeyoung could you please tell me how you replace aws plugin on your local version to run?

[brittandeyoung]

@brittandeyoung could you please tell me how you replace aws plugin on your local version to run?

@opsanatoliy Using the install make target. So:

make install

[cbruno10]

@brittandeyoung Why did you remove this along with Schema: ConfigSchema, in plugin.go?

[brittandeyoung]

@cbruno10 This was done in order to support the map for assume_role as the schema does not support map objects. The idea was to use tagging to dynamically pull in the settings.

I had this working with root level configurations instead of a map and utilizing the defined schema. Would this pull request be better to be reverted to using root level configurations instead of a map configuration?

[bigdatasourav]

Thanks for highlighting this; I have raised a Steampipe SDK issue to track.

[brittandeyoung]

@bigdatasourav Great! This getting added to the SDK will likely enable me to complete this PR with working code. I will be sure to follow this issue.

[github-actions]

This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.

[misraved]

Closing the PR for now, since it is waiting on the resolution of the following SDK issues -
turbot/steampipe-plugin-sdk#692
turbot/steampipe-plugin-sdk#691