Skip to content

Commit

Permalink
Use new config schema
Browse files Browse the repository at this point in the history
  • Loading branch information
@mgaeta
mgaeta committed Aug 27, 2024
1 parent 74e6501 commit 3c59e7b
Show file tree
Hide file tree
Showing 2 changed files with 135 additions and 70 deletions.
154 changes: 103 additions & 51 deletions cmd/baton-aws/config.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,70 +4,122 @@ import (
"context"
"fmt"

"github.com/conductorone/baton-sdk/pkg/cli"
"github.com/spf13/cobra"

"github.com/conductorone/baton-aws/pkg/connector"
"github.com/conductorone/baton-sdk/pkg/field"
"github.com/spf13/viper"
)

// config defines the external configuration required for the connector to run.
type config struct {
cli.BaseConfig `mapstructure:",squash"` // Puts the base config options in the same place as the connector options

ExternalID string `mapstructure:"external-id"`
RoleARN string `mapstructure:"role-arn"`
var (
ExternalIdField = field.StringField(
"external-id",
field.WithDescription("The external id for the aws account"),
)
GlobalAccessKeyIdField = field.StringField(
"global-access-key-id",
field.WithDescription("The global-access-key-id for the aws account"),
)
GlobalAwsOrgsEnabledField = field.BoolField(
"global-aws-orgs-enabled",
field.WithDescription("Enable support for AWS Organizations"),
)
GlobalAwsSsoEnabledField = field.BoolField(
"global-aws-sso-enabled",
field.WithDescription("Enable support for AWS IAM Identity Center"),
)
GlobalAwsSsoRegionField = field.StringField(
"global-aws-sso-region",
field.WithDescription("The region for the sso identities"),
field.WithDefaultValue("us-east-1"),
)
GlobalBindingExternalIdField = field.StringField(
"global-binding-external-id",
field.WithDescription("The global external id for the aws account"),
)
GlobalRegionField = field.StringField(
"global-region",
field.WithDescription("The region for the aws account"),
)
GlobalRoleArnField = field.StringField(
"global-role-arn",
field.WithDescription("The role arn for the aws account"),
)
GlobalSecretAccessKeyField = field.StringField(
"global-secret-access-key",
field.WithDescription("The global-secret-access-key for the aws account"),
)
RoleArnField = field.StringField(
"role-arn",
field.WithDescription("The role arn for the aws account"),
)
ScimEnabledField = field.BoolField(
"scim-enabled",
field.WithDescription("Enable support for pulling SSO User status from the AWS SCIM API"),
)
ScimEndpointField = field.StringField(
"scim-endpoint",
field.WithDescription("The SCIMv2 endpoint for aws identity center"),
)
ScimTokenField = field.StringField(
"scim-token",
field.WithDescription("The SCIMv2 token for aws identity center"),
)
UseAssumeField = field.BoolField(
"use-assume",
field.WithDescription("Enable support for assume role"),
)

GlobalBindingExternalID string `mapstructure:"global-binding-external-id"`
GlobalRegion string `mapstructure:"global-region"`
GlobalRoleARN string `mapstructure:"global-role-arn"`
GlobalSecretAccessKey string `mapstructure:"global-secret-access-key"`
GlobalAccessKeyID string `mapstructure:"global-access-key-id"`

GlobalAwsSsoRegion string `mapstructure:"global-aws-sso-region"`
GlobalAwsSsoEnabled bool `mapstructure:"global-aws-sso-enabled"`
GlobalAwsOrgsEnabled bool `mapstructure:"global-aws-orgs-enabled"`
Configuration = field.NewConfiguration(
[]field.SchemaField{
ExternalIdField,
GlobalAccessKeyIdField,
GlobalAwsOrgsEnabledField,
GlobalAwsSsoEnabledField,
GlobalAwsSsoRegionField,
GlobalBindingExternalIdField,
GlobalRegionField,
GlobalRoleArnField,
GlobalSecretAccessKeyField,
RoleArnField,
ScimEnabledField,
ScimEndpointField,
ScimTokenField,
UseAssumeField,
},
field.FieldsDependentOn(
[]field.SchemaField{
UseAssumeField,
},
[]field.SchemaField{
ExternalIdField,
RoleArnField,
},
),
)
)

SCIMEndpoint string `mapstructure:"scim-endpoint"`
SCIMToken string `mapstructure:"scim-token"`
SCIMEnabled bool `mapstructure:"scim-enabled"`
func ValidateExternalId(input string) error {
fieldLength := len(input)
if fieldLength <= 0 {
return fmt.Errorf("external id is missing")
}

UseAssumeRole bool `mapstructure:"use-assume-role"`
if fieldLength < 32 || fieldLength > 65 {
return fmt.Errorf("aws_external_id must be between 32 and 64 bytes")
}
return nil
}

// validateConfig is run after the configuration is loaded, and should return an error if it isn't valid.
func validateConfig(ctx context.Context, cfg *config) error {
if cfg.GlobalAwsSsoRegion == "" {
cfg.GlobalAwsSsoRegion = "us-east-1"
}

if cfg.UseAssumeRole {
if cfg.ExternalID == "" {
return fmt.Errorf("external id is missing")
} else if len(cfg.ExternalID) < 32 || len(cfg.ExternalID) > 65 {
return fmt.Errorf("aws_external_id must be between 32 and 64 bytes")
func validateConfig(ctx context.Context, v *viper.Viper) error {
if v.GetBool(UseAssumeField.FieldName) {
err := ValidateExternalId(v.GetString(ExternalIdField.FieldName))
if err != nil {
return err
}
err := connector.IsValidRoleARN(cfg.RoleARN)
err = connector.IsValidRoleARN(v.GetString(RoleArnField.FieldName))
if err != nil {
return err
}
}
return nil
}

// cmdFlags sets the cmdFlags required for the connector.
func cmdFlags(cmd *cobra.Command) {
cmd.PersistentFlags().String("external-id", "", "The external id for the aws account. ($BATON_EXTERNAL_ID)")
cmd.PersistentFlags().String("role-arn", "", "The role arn for the aws account. ($BATON_ROLE_ARN)")
cmd.PersistentFlags().String("global-aws-sso-region", "", "The region for the sso identities. ($BATON_GLOBAL_AWS_SSO_REGION)")
cmd.PersistentFlags().Bool("global-aws-sso-enabled", false, "Enable support for AWS IAM Identity Center. ($BATON_GLOBAL_AWS_SSO_ENABLED)")
cmd.PersistentFlags().Bool("global-aws-orgs-enabled", false, "Enable support for AWS Organizations. ($BATON_GLOBAL_AWS_ORGS_ENABLED)")
cmd.PersistentFlags().String("global-binding-external-id", "", "The global external id for the aws account. ($BATON_GLOBAL_BINDING_EXTERNAL_ID)")
cmd.PersistentFlags().String("global-region", "", "The region for the aws account. ($BATON_GLOBAL_REGION)")
cmd.PersistentFlags().String("global-role-arn", "", "The role arn for the aws account. ($BATON_GLOBAL_ROLE_ARN)")
cmd.PersistentFlags().String("global-secret-access-key", "", "The global-secret-access-key for the aws account. ($BATON_GLOBAL_SECRET_ACCESS_KEY)")
cmd.PersistentFlags().String("global-access-key-id", "", "The global-access-key-id for the aws account. ($BATON_GLOBAL_ACCESS_KEY_ID)")
cmd.PersistentFlags().Bool("use-assume-role", false, "Enable support for assume role. ($BATON_GLOBAL_USE_ASSUME_ROLE)")
cmd.PersistentFlags().Bool("scim-enabled", false, "Enable support for pulling SSO User status from the AWS SCIM API. ($BATON_SCIM_ENABLED)")
cmd.PersistentFlags().String("scim-endpoint", "", "The SCIMv2 endpoint for aws identity center. ($BATON_SCIM_ENDPOINT)")
cmd.PersistentFlags().String("scim-token", "", "The SCIMv2 token for aws identity center. ($BATON_SCIM_TOKEN)")
}
51 changes: 32 additions & 19 deletions cmd/baton-aws/main.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,10 +5,12 @@ import (
"fmt"
"os"

"github.com/conductorone/baton-sdk/pkg/cli"
"github.com/conductorone/baton-sdk/pkg/config"
"github.com/conductorone/baton-sdk/pkg/connectorbuilder"
"github.com/conductorone/baton-sdk/pkg/field"
"github.com/conductorone/baton-sdk/pkg/types"
"github.com/grpc-ecosystem/go-grpc-middleware/logging/zap/ctxzap"
"github.com/spf13/viper"
"go.uber.org/zap"

"github.com/conductorone/baton-aws/pkg/connector"
Expand All @@ -19,41 +21,52 @@ var version = "dev"
func main() {
ctx := context.Background()

cfg := &config{}
cmd, err := cli.NewCmd(ctx, "baton-aws", cfg, validateConfig, getConnector)
_, cmd, err := config.DefineConfiguration(
ctx,
"baton-aws",
getConnector,
Configuration,
)
if err != nil {
fmt.Fprintln(os.Stderr, err.Error())
os.Exit(1)
}

cmd.Version = version

cmdFlags(cmd)

err = cmd.Execute()
if err != nil {
fmt.Fprintln(os.Stderr, err.Error())
os.Exit(1)
}
}

func getConnector(ctx context.Context, cfg *config) (types.ConnectorServer, error) {
func getConnector(ctx context.Context, v *viper.Viper) (types.ConnectorServer, error) {
l := ctxzap.Extract(ctx)

err := field.Validate(Configuration, v)
if err != nil {
return nil, err
}
err = validateConfig(ctx, v)
if err != nil {
return nil, err
}

config := connector.Config{
GlobalBindingExternalID: cfg.GlobalBindingExternalID,
GlobalRegion: cfg.GlobalRegion,
GlobalRoleARN: cfg.GlobalRoleARN,
GlobalSecretAccessKey: cfg.GlobalSecretAccessKey,
GlobalAccessKeyID: cfg.GlobalAccessKeyID,
GlobalAwsSsoRegion: cfg.GlobalAwsSsoRegion,
GlobalAwsOrgsEnabled: cfg.GlobalAwsOrgsEnabled,
GlobalAwsSsoEnabled: cfg.GlobalAwsSsoEnabled,
ExternalID: cfg.ExternalID,
RoleARN: cfg.RoleARN,
SCIMEndpoint: cfg.SCIMEndpoint,
SCIMToken: cfg.SCIMToken,
SCIMEnabled: cfg.SCIMEnabled,
GlobalBindingExternalID: v.GetString(GlobalBindingExternalIdField.FieldName),
GlobalRegion: v.GetString(GlobalRegionField.FieldName),
GlobalRoleARN: v.GetString(GlobalRoleArnField.FieldName),
GlobalSecretAccessKey: v.GetString(GlobalSecretAccessKeyField.FieldName),
GlobalAccessKeyID: v.GetString(GlobalAccessKeyIdField.FieldName),
GlobalAwsSsoRegion: v.GetString(GlobalAwsSsoRegionField.FieldName),
GlobalAwsOrgsEnabled: v.GetBool(GlobalAwsOrgsEnabledField.FieldName),
GlobalAwsSsoEnabled: v.GetBool(GlobalAwsSsoEnabledField.FieldName),
ExternalID: v.GetString(ExternalIdField.FieldName),
RoleARN: v.GetString(RoleArnField.FieldName),
SCIMEndpoint: v.GetString(ScimEndpointField.FieldName),
SCIMToken: v.GetString(ScimTokenField.FieldName),
SCIMEnabled: v.GetBool(ScimEnabledField.FieldName),
}

cb, err := connector.New(ctx, config)
Expand Down

0 comments on commit 3c59e7b

Please sign in to comment.