This repository has been archived by the owner on Aug 16, 2022. It is now read-only.

feat: Account specific default_region (#1177)
bbernays authored Jul 7, 2022
1 parent 0619b4e commit ac0e91b
Showing 3 changed files with 29 additions and 4 deletions.
23 changes: 23 additions & 0 deletions client/client.go
Expand Up @@ -411,6 +411,11 @@ func configureAwsClient(ctx context.Context, logger hclog.Logger, awsConfig *Con
config.WithRetryer(newRetryer(logger, awsConfig.MaxRetries, awsConfig.MaxBackoff)),
}

if account.DefaultRegion != "" {
// According to the docs: If multiple WithDefaultRegion calls are made, the last call overrides the previous call values
configFns = append(configFns, config.WithDefaultRegion(account.DefaultRegion))
}

if account.LocalProfile != "" {
configFns = append(configFns, config.WithSharedConfigProfile(account.LocalProfile))
}
Expand Down Expand Up @@ -450,6 +455,20 @@ func configureAwsClient(ctx context.Context, logger hclog.Logger, awsConfig *Con
// Test out retrieving credentials
if _, err := awsCfg.Credentials.Retrieve(ctx); err != nil {
logger.Error("error retrieving credentials", "err", err)

var ae smithy.APIError
if errors.As(err, &ae) {
if strings.Contains(ae.ErrorCode(), "InvalidClientTokenId") {
return awsCfg, diag.FromError(
err,
diag.USER,
diag.WithSummary("Invalid credentials for assuming role"),
diag.WithDetails("The credentials being used to assume role are invalid. Please check that your credentials are valid in the partition you are using. If you are using a partition other than the AWS commercial region, be sure set the default_region attribute in the cloudquery.yml file."),
diag.WithSeverity(diag.WARNING),
)
}
}

return awsCfg, diag.FromError(
err,
diag.USER,
Expand Down Expand Up @@ -548,6 +567,10 @@ func Configure(logger hclog.Logger, providerConfig interface{}) (schema.ClientMe
&ec2.DescribeRegionsInput{AllRegions: aws.Bool(false)},
func(o *ec2.Options) {
o.Region = defaultRegion
if account.DefaultRegion != "" {
o.Region = account.DefaultRegion
}

if len(localRegions) > 0 && !isAllRegions(localRegions) {
o.Region = localRegions[0]
}
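Review bot: In the credentials-check hunk of `configureAwsClient`, the new branch matches the error code with `strings.Contains(ae.ErrorCode(), "InvalidClientTokenId")`; an exact comparison, `if ae.ErrorCode() == "InvalidClientTokenId" {`, would keep the partition hint from being attached to any other code that merely contains that substring. The branch returns with `diag.WithSeverity(diag.WARNING)`; the severity of the generic return below it is not visible here, but if callers continue past warnings, an account with unusable credentials drops out of the fetch with only a warning, which is worth confirming for a tool used to inventory accounts. The details string reads "be sure set" where "be sure to set" is meant, and "AWS commercial region" presumably means the commercial partition. In the `Configure` hunk, a comment such as `// precedence: localRegions[0] > account.DefaultRegion > defaultRegion` would make the override order explicit. Both functions begin and end outside the visible hunks.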
1 change: 1 addition & 0 deletions client/config.go
Expand Up @@ -10,6 +10,7 @@ type Account struct {
RoleARN string `yaml:"role_arn,omitempty" hcl:"role_arn,optional"`
RoleSessionName string `yaml:"role_session_name,omitempty" hcl:"role_session_name,optional"`
ExternalID string `yaml:"external_id,omitempty" hcl:"external_id,optional"`
DefaultRegion string `yaml:"default_region,omitempty" hcl:"default_region,optional"`
Regions []string `yaml:"regions,omitempty" hcl:"regions,optional"`
source string
}
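Review bot: The new `DefaultRegion` field in `Account` has no comment, and in `client/client.go` it is only checked against the empty string before being handed to `config.WithDefaultRegion`. A field comment such as `// DefaultRegion is the SDK default region for this account; set it when the credentials belong to a partition other than the commercial one.` would document the intent next to the definition. Since the value comes straight from the user's configuration, a mistyped region would presumably surface only later as an endpoint or credential error, so a check against the known region names at config-load time may be worth considering. The `Account` struct begins outside this hunk.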
9 changes: 5 additions & 4 deletions docs/index.md
Expand Up @@ -263,10 +263,11 @@ providers:
#### Arguments for Accounts block:
- `role_arn` **(Optional)** - The role that CloudQuery will use to perform the fetch
- `local_profile` **(Optional)** - Local Profile is the named profile in your shared configuration file (usually `~/.aws/config`) that you want to use for the account
- `external_id` **(Optional)** - The unique identifier used to by non aws entities to assume a role in an AWS account
- `role_session_name` **(Optional)** - Override the default Session name.
- `role_arn` **(Optional)** - The role that CloudQuery will use to perform the fetch
- `local_profile` **(Optional)** - Local Profile is the named profile in your shared configuration file (usually `~/.aws/config`) that you want to use for the account
- `external_id` **(Optional)** - The unique identifier used by non-AWS entities to assume a role in an AWS account
- `role_session_name` **(Optional)** - Override the default Session name.
- `default_region` **(Optional)** - this sets the Default Region for the AWS SDK. If you are assuming a role in a partition other than the AWS commercial region, it is important that this attribute is set
- `regions` **(Optional)** - Limit fetching resources within this specific account to only these regions. This will override any regions specified in the provider block. You can specify all regions by using the `*` character as the only argument in the array

