package model
import (
"errors"
"fmt"
"regexp"
)
// IAMConfig is the `iam` section of the node configuration. It describes how
// the nodes obtain AWS credentials: either through a role described here
// (Role, plus inline Policy statements) or through a pre-existing instance
// profile (InstanceProfile). Validate rejects configs that mix the two.
type IAMConfig struct {
	// Role describes the IAM role to attach to the nodes (`role:`).
	Role IAMRole `yaml:"role,omitempty"`
	// InstanceProfile references an existing instance profile to use instead
	// of a role managed via Role (`instanceProfile:`).
	InstanceProfile IAMInstanceProfile `yaml:"instanceProfile,omitempty"`
	// UnknownKeys is defined elsewhere and inlined here; presumably it
	// captures keys under `iam:` that no other field claims — confirm in its
	// definition.
	UnknownKeys `yaml:",inline"`
	// Policy holds the inline policy statements for the nodes' role. It has
	// no yaml tag, so the decoder's default key mapping applies (likely
	// `policy`); Validate does not inspect it.
	Policy IAMPolicy
}
// IAMRole configures the IAM role attached to the nodes (`iam.role`).
type IAMRole struct {
	// ARN is defined elsewhere and inlined; it contributes the `arn` key
	// (field Arn) for referencing an existing role.
	ARN `yaml:",inline"`
	// Name is the role name (`role.name`). Setting it together with
	// `instanceProfile.arn` is rejected by IAMConfig.Validate.
	Name string `yaml:"name,omitempty"`
	// StrictName — presumably requests that Name be used verbatim rather than
	// a generated/prefixed name; its semantics are not visible in this file.
	StrictName bool `yaml:"strictName,omitempty"`
	// ManageExternally — presumably marks the role as created and maintained
	// outside this tool; its semantics are not visible in this file.
	ManageExternally bool `yaml:"manageExternally,omitempty"`
	// ManagedPolicies lists managed-policy ARNs to attach to the role. Each
	// entry is checked against a policy-ARN pattern by IAMConfig.Validate,
	// and the list is rejected when `instanceProfile.arn` is also set.
	ManagedPolicies []IAMManagedPolicy `yaml:"managedPolicies,omitempty"`
}
// IAMManagedPolicy is one entry of `iam.role.managedPolicies`. The inlined
// ARN (defined elsewhere) supplies the `arn` key; IAMConfig.Validate requires
// it to look like a managed policy ARN.
type IAMManagedPolicy struct {
	ARN `yaml:",inline"`
}
// IAMInstanceProfile is the `iam.instanceProfile` section. The inlined ARN
// (defined elsewhere) supplies the `arn` key; when non-empty,
// IAMConfig.Validate requires it to look like an instance profile ARN.
type IAMInstanceProfile struct {
	ARN `yaml:",inline"`
}
// IAMPolicy holds the inline policy attached to the nodes' IAM role.
type IAMPolicy struct {
	// Statements is a list of IAM policy statements for the IAM policy associated to the nodes.
	// NOTE(review): the earlier comment here said each statement "must be a
	// valid go text template producing a valid json object", but Statements
	// is now a slice of structured IAMPolicyStatement values. Whether the
	// string fields inside are still rendered as go text templates is not
	// visible in this file — confirm against the rendering code before
	// relying on either reading.
	Statements IAMPolicyStatements `yaml:"statements,omitempty"`
}
// IAMPolicyStatements is the list type for `iam.policy.statements`.
type IAMPolicyStatements []IAMPolicyStatement
// IAMPolicyStatement mirrors one statement of an IAM policy document.
// None of these fields are checked by IAMConfig.Validate; malformed values
// (e.g. an Effect other than "Allow"/"Deny") surface only when the policy is
// submitted to AWS.
type IAMPolicyStatement struct {
	// Actions is the statement's Action list (`actions`).
	Actions []string `yaml:"actions,omitempty"`
	// Effect is the statement's Effect (`effect`); IAM accepts only "Allow"
	// or "Deny", case-sensitive, but that is not validated here.
	Effect string `yaml:"effect,omitempty"`
	// Resources is the statement's Resource list (`resources`).
	Resources []string `yaml:"resources,omitempty"`
}
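// iamNameChars is the character class AWS permits in IAM policy and
// instance-profile names and in path segments: alphanumerics and + = , . @ _ -
// The previous class admitted a literal backslash (never legal in an IAM
// name) and omitted '+' (which is legal).
const iamNameChars = `[a-zA-Z0-9+=,.@_-]`

var (
	// managedPolicyRegexp matches a customer-managed or AWS-managed policy ARN.
	// It is anchored with ^ and $ so the WHOLE value must be an ARN: the
	// earlier, unanchored pattern accepted any string that merely contained
	// an ARN-looking substring, so leading or trailing garbage — including
	// characters that end up interpolated into generated templates — passed
	// validation despite the error message promising otherwise. Optional path
	// segments (e.g. `policy/service-role/Name`) are allowed, since many AWS
	// managed policies and customer policies carry one.
	managedPolicyRegexp = regexp.MustCompile(
		`^arn:aws:iam::(\d{12}|aws):policy/(` + iamNameChars + `+/)*` + iamNameChars + `{1,128}$`)

	// instanceProfileRegexp matches an instance profile ARN in the caller's
	// own account (the `aws` pseudo-account does not apply here). Anchored
	// and path-aware for the same reasons as managedPolicyRegexp.
	instanceProfileRegexp = regexp.MustCompile(
		`^arn:aws:iam::\d{12}:instance-profile/(` + iamNameChars + `+/)*` + iamNameChars + `{1,128}$`)
)

// Validate checks the `iam` section of the configuration for contradictory
// or malformed settings and returns the first problem found, or nil.
//
// Rules enforced:
//   - `instanceProfile.arn` is mutually exclusive with `role.name` and
//     `role.managedPolicies`: the nodes get credentials either from a
//     pre-existing instance profile or from a role described here, not both.
//   - every `role.managedPolicies[].arn` must be, in its entirety, a managed
//     policy ARN of the form
//     `arn:aws:iam::<12-digit account|aws>:policy/[path/]Name`.
//   - `instanceProfile.arn`, when set, must be, in its entirety, an instance
//     profile ARN of the form
//     `arn:aws:iam::<12-digit account>:instance-profile/[path/]Name`.
//
// Only the `aws` partition is accepted (`aws-cn` / `aws-us-gov` ARNs are
// rejected), as in the previous implementation. IAMPolicy.Statements are
// not inspected.
func (c IAMConfig) Validate() error {
	usesInstanceProfile := c.InstanceProfile.Arn != ""

	// NOTE(review): role.arn, role.strictName and role.manageExternally are
	// not part of this exclusivity check even though the message says
	// "role.*"; tightening it could reject existing configs, so the original
	// scope (name + managedPolicies) is kept.
	if usesInstanceProfile && (c.Role.Name != "" || len(c.Role.ManagedPolicies) > 0) {
		return errors.New("failed to parse `iam` config: either you set `role.*` options or `instanceProfile.arn` ones but not both")
	}

	for _, policy := range c.Role.ManagedPolicies {
		if !managedPolicyRegexp.MatchString(policy.Arn) {
			return fmt.Errorf("invalid managed policy arn, your managed policy must match this (=arn:aws:iam::(YOURACCOUNTID|aws):policy/POLICYNAME), provided this (%s)", policy.Arn)
		}
	}

	if usesInstanceProfile && !instanceProfileRegexp.MatchString(c.InstanceProfile.Arn) {
		return fmt.Errorf("invalid instance profile, your instance profile must match (=arn:aws:iam::YOURACCOUNTID:instance-profile/INSTANCEPROFILENAME), provided (%s)", c.InstanceProfile.Arn)
	}

	return nil
}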