From ab15c31c619218612e1f5afdac99d0284b76edd7 Mon Sep 17 00:00:00 2001 From: xxli Date: Mon, 20 Nov 2017 16:18:50 +0800 Subject: [PATCH] add support for AWS temporary tokens --- algo | 10 +++++++++- roles/cloud-ec2/tasks/cloudformation.yml | 4 +++- roles/cloud-ec2/tasks/encrypt_image.yml | 5 +++++ roles/cloud-ec2/tasks/main.yml | 7 +++++++ 4 files changed, 24 insertions(+), 2 deletions(-) mode change 100644 => 100755 roles/cloud-ec2/tasks/cloudformation.yml mode change 100644 => 100755 roles/cloud-ec2/tasks/encrypt_image.yml mode change 100644 => 100755 roles/cloud-ec2/tasks/main.yml diff --git a/algo b/algo index 392464e1..37b40262 100755 --- a/algo +++ b/algo @@ -242,6 +242,13 @@ Enter your aws_secret_key (http://docs.aws.amazon.com/general/latest/gr/managing $ADDITIONAL_PROMPT [ABCD...]: " -rs aws_secret_key +#for AWS's temporary credentials, aws_session_token (aka aws_security_token) is also required + read -p " + +If you are using AWS Temporary Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html), enter your aws_session_token (aka aws_security_token); otherwise just press ENTER +$ADDITIONAL_PROMPT +[ABCD...]: " -rs aws_session_token + read -p " Name the vpn server: @@ -287,7 +294,8 @@ Enter the number of your desired region: esac ROLES="ec2 vpn cloud" - EXTRA_VARS="aws_access_key=$aws_access_key aws_secret_key=$aws_secret_key aws_server_name=$aws_server_name ssh_public_key=$ssh_public_key region=$region" + #for AWS's temporary credentials, aws_session_token (aka aws_security_token) is also required + EXTRA_VARS="aws_access_key=$aws_access_key aws_secret_key=$aws_secret_key aws_session_token=$aws_session_token aws_server_name=$aws_server_name ssh_public_key=$ssh_public_key region=$region" } gce () { diff --git a/roles/cloud-ec2/tasks/cloudformation.yml b/roles/cloud-ec2/tasks/cloudformation.yml old mode 100644 new mode 100755 index 1f24b007..f2b8ff05 --- a/roles/cloud-ec2/tasks/cloudformation.yml 
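Review bot: The new explanatory comment appears to sit at column 0 while the `read` it describes is indented with the rest of the function body (the enclosing function starts before this hunk), and the identical sentence is pasted into every file of the patch; indent it with the code and tell the user what they need to know rather than restating variable names. Something like `  # STS temporary credentials (assume-role, MFA) also need a session token; leave empty for long-lived IAM keys.` is enough. The silent `-rs` read is the right choice for a token, and since an empty answer is deliberately allowed, the prompt itself could carry the word "(optional)" so the reader does not have to parse the long sentence to learn that.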
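Review bot: `EXTRA_VARS` now carries three secrets (access key, secret key and the new session token) in one string; if it is still handed to `ansible-playbook -e` as elsewhere in this script (the consumer is outside the hunk), all three are readable by every local user via `ps`/`/proc` for the whole run. The token is short-lived, which softens but does not remove the exposure, and the pattern predates this patch for the other two values, so this is a follow-up rather than a blocker. A small fix is to write the variables to a 0600 temp file (`umask 077; vars_file=$(mktemp)`), pass `-e "@$vars_file"`, and remove it on exit. A one-line comment that an empty `aws_session_token=` is intentional and resolved by the role's `default(..., true)` filters would also help the next reader.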
+++ b/roles/cloud-ec2/tasks/cloudformation.yml @@ -9,10 +9,12 @@ cloudformation: aws_access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'), true)}}" aws_secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'), true)}}" + #for AWS's temporary credentials, aws_session_token (aka aws_security_token) is also required + security_token: "{{ aws_session_token | default(lookup('env','AWS_SESSION_TOKEN'), true) }}" stack_name: "{{ stack_name }}" state: "present" region: "{{ region }}" template: "configs/{{ aws_server_name }}.yml" tags: Environment: Algo - register: stack \ No newline at end of file + register: stack diff --git a/roles/cloud-ec2/tasks/encrypt_image.yml b/roles/cloud-ec2/tasks/encrypt_image.yml old mode 100644 new mode 100755 index 11779ea4..ee07b682 --- a/roles/cloud-ec2/tasks/encrypt_image.yml +++ b/roles/cloud-ec2/tasks/encrypt_image.yml @@ -2,6 +2,9 @@ ec2_ami_find: aws_access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'), true)}}" aws_secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'), true)}}" + #for AWS's temporary credentials, aws_session_token (aka aws_security_token) is also required + #it’s odd that the parameter name (“security_token”) is shown in an error message generated by this ansible module, rather than being recorded in the module’s official docs + security_token: "{{ aws_session_token | default(lookup('env','AWS_SESSION_TOKEN'), true) }}" owner: self sort: creationDate sort_order: descending 
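Review bot: With neither `aws_session_token` nor `AWS_SESSION_TOKEN` set, `default(..., true)` yields an empty string and the module receives `security_token: ""`; as far as I recall Ansible's shared AWS connection helper treats an empty token as unset and falls back to its own environment/profile lookup, so long-lived keys keep working, but that reliance deserves a comment such as `# empty is fine: the module falls back to its own env/profile lookup`. The file header also flips this task file (and the other two) from 0644 to 0755; YAML task files are never executed directly, so the mode change looks accidental and should be dropped from the commit. Minor style: yamllint's `comments` rule wants a space after `#`, and the `(aka aws_security_token)` remark could live once in the role's defaults or README instead of in every hunk. The task's `- name:` line is outside the hunk.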
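Review bot: The second added comment editorialises about the option being undocumented, but `security_token` (alias `access_token`) comes, I believe, from the shared `aws` documentation fragment that these EC2 modules extend, which is where it is described; a comment complaining about upstream docs ages badly and does not help the next reader. Replace both comment lines with one that points at the source: `# security_token: see the shared 'aws' module doc fragment; required for STS temporary credentials`. The `ec2_ami_find` task's `- name:` line is outside the hunk.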
@@ -20,6 +23,8 @@ ec2_ami_copy: aws_access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'), true)}}" aws_secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'), true)}}" + #for AWS's temporary credentials, aws_session_token (aka aws_security_token) is also required + security_token: "{{ aws_session_token | default(lookup('env','AWS_SESSION_TOKEN'), true) }}" encrypted: yes name: algo kms_key_id: "{{ kms_key_id | default(omit) }}" diff --git a/roles/cloud-ec2/tasks/main.yml b/roles/cloud-ec2/tasks/main.yml old mode 100644 new mode 100755 index e32e70a5..dbf70972 --- a/roles/cloud-ec2/tasks/main.yml +++ b/roles/cloud-ec2/tasks/main.yml @@ -2,12 +2,17 @@ - set_fact: access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'), true) }}" secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'), true) }}" + #for AWS's temporary credentials, aws_session_token (aka aws_security_token) is also required + security_token: "{{ aws_session_token | default(lookup('env','AWS_SESSION_TOKEN'), true) }}" stack_name: "{{ aws_server_name | replace('.', '-') }}" - name: Locate official AMI for region ec2_ami_find: aws_access_key: "{{ access_key }}" aws_secret_key: "{{ secret_key }}" + #for AWS's temporary credentials, aws_session_token (aka aws_security_token) is also required + #it’s odd that the parameter name (“security_token”) is shown in an error message generated by this ansible module, rather than being recorded in the module’s official docs + security_token: "{{ security_token }}" name: "ubuntu/images/hvm-ssd/{{ cloud_providers.ec2.image.name }}-amd64-server-*" owner: "{{ cloud_providers.ec2.image.owner }}" sort: creationDate 
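Review bot: This is the third copy in the patch of the `aws_session_token | default(lookup('env','AWS_SESSION_TOKEN'), true)` expression, while main.yml stores the same value once as the `security_token` fact; if this file is included from main.yml after that `set_fact` (the include is outside my view), `security_token: "{{ security_token }}"` here and in the `ec2_ami_find` task above keeps a single definition of the fallback order instead of three that can drift apart. If the file must also run standalone, keep the lookups but reduce the duplicated comment to one line. The `ec2_ami_copy` task's `- name:` line is outside the hunk.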
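Review bot: The `set_fact` task now stores the session token next to the access and secret keys, and facts set this way are echoed in the task result under `-v` and by any callback or CI log that captures results, so all three credentials can end up in logs; add `no_log: true` to the task (`- set_fact:` ... `no_log: true`), which also covers the two pre-existing keys. The lookup only consults `AWS_SESSION_TOKEN`, not the legacy `AWS_SECURITY_TOKEN` the comment alludes to; I believe the module's own fallback handles the latter when it receives an empty string, and a short comment recording that would save the next reader a trip through the module source. The "it's odd" remark in the `ec2_ami_find` task should go as well; the option is documented in the shared `aws` doc fragment, as far as I know.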
@@ -41,6 +46,8 @@ ec2_remote_facts: aws_access_key: "{{ access_key }}" aws_secret_key: "{{ secret_key }}" + #for AWS's temporary credentials, aws_session_token (aka aws_security_token) is also required + security_token: "{{ security_token }}" region: "{{ region }}" filters: instance-state-name: running
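Review bot: Passing the token here is consistent with the other tasks, but temporary credentials add a failure mode the patch does not document: the role runs long steps (AMI copy/encryption, CloudFormation) before reaching `ec2_remote_facts`, and an STS token whose session duration is shorter than the run will expire midway and surface as an opaque authentication error at whichever task runs next. A comment on the first task that consumes the token, or a sentence in the prompt, such as `# temporary credentials must stay valid for the whole deployment; request a session duration longer than the expected run`, would make that diagnosable; I cannot tell from the hunk how long the role typically takes. The `- name:` line of this task is outside the hunk.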