From 601e5a79e93870ba6ae3d3259f644f9816354d37 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alfredo=20Espa=C3=B1a?= <alfespa17@gmail.com>
Date: Tue, 7 May 2024 17:28:52 -0600
Subject: [PATCH] AWS Dynamic provider credentials support (#837)

* AWS Dynamic provider credentials support
---
 .../dynamic/DynamicCredentialsService.java    | 32 +++++++++++++++----
 .../service/workspace/SetupWorkspaceImpl.java | 19 ++++++++++-
 2 files changed, 43 insertions(+), 8 deletions(-)

diff --git a/api/src/main/java/org/terrakube/api/plugin/token/dynamic/DynamicCredentialsService.java b/api/src/main/java/org/terrakube/api/plugin/token/dynamic/DynamicCredentialsService.java
index 7650935fc..bfd0a6604 100644
--- a/api/src/main/java/org/terrakube/api/plugin/token/dynamic/DynamicCredentialsService.java
+++ b/api/src/main/java/org/terrakube/api/plugin/token/dynamic/DynamicCredentialsService.java
@@ -89,7 +89,21 @@ private String generateJwt(String organizationName, String workspaceName, String
 
     @Transactional
     public HashMap<String, String> generateDynamicCredentialsAws(Job job, HashMap<String, String> workspaceEnvVariables) {
-        log.warn("AWS Dynamic Credentials not implemented yet");
+        String awsWebIdentityToken = generateJwt(
+                job.getOrganization().getName(),
+                job.getWorkspace().getName(),
+                workspaceEnvVariables.get("WORKLOAD_IDENTITY_AUDIENCE_AWS"),
+                job.getOrganization().getId().toString(),
+                job.getWorkspace().getId().toString(),
+                job.getId()
+        );
+
+        log.info("TERRAKUBE_AWS_CREDENTIALS_FILE: {}", awsWebIdentityToken);
+
+        workspaceEnvVariables.put("TERRAKUBE_AWS_CREDENTIALS_FILE", awsWebIdentityToken);
+        workspaceEnvVariables.put("AWS_ROLE_ARN", workspaceEnvVariables.get("WORKLOAD_IDENTITY_ROLE_AWS"));
+        workspaceEnvVariables.put("AWS_WEB_IDENTITY_TOKEN_FILE", getDefaultExecutorPath(job) + "/terrakube_config_dynamic_credentials_aws.txt");
+
         return workspaceEnvVariables;
     }
 
@@ -125,12 +139,7 @@ public HashMap<String, String> generateDynamicCredentialsGcp(Job job, HashMap<St
                 "    }\n" +
                 "  }";
 
-        String executorDirectory = String.format(
-                "%s/.terraform-spring-boot/executor/%s/%s",
-                FileUtils.getUserDirectoryPath(),
-                job.getOrganization().getId().toString(),
-                job.getWorkspace().getId().toString()
-        );
+        String executorDirectory = getDefaultExecutorPath(job);
 
         String audience = workspaceEnvVariables.get("WORKLOAD_IDENTITY_AUDIENCE_GCP");
         String serviceAccountEmail = workspaceEnvVariables.get("WORKLOAD_IDENTITY_SERVICE_ACCOUNT_EMAIL");
@@ -189,4 +198,13 @@ public String getPublicKey() {
 
         return publicKeyPEM;
     }
+
+    private static String getDefaultExecutorPath(Job job) {
+        return String.format(
+                "%s/.terraform-spring-boot/executor/%s/%s",
+                FileUtils.getUserDirectoryPath(),
+                job.getOrganization().getId().toString(),
+                job.getWorkspace().getId().toString()
+        );
+    }
 }
diff --git a/executor/src/main/java/org/terrakube/executor/service/workspace/SetupWorkspaceImpl.java b/executor/src/main/java/org/terrakube/executor/service/workspace/SetupWorkspaceImpl.java
index 054bc6c6a..ddb5ef3d8 100644
--- a/executor/src/main/java/org/terrakube/executor/service/workspace/SetupWorkspaceImpl.java
+++ b/executor/src/main/java/org/terrakube/executor/service/workspace/SetupWorkspaceImpl.java
@@ -68,6 +68,7 @@ public File prepareWorkspace(TerraformJob terraformJob) {
             if (enableRegistrySecurity)
                 workspaceSecurity.addTerraformCredentials();
 
+            log.info("Executor WorkingDir: {}", workspaceCloneFolder);
             if (terraformJob.getEnvironmentVariables().containsKey("ENABLE_DYNAMIC_CREDENTIALS_GCP")) {
                 setupGcpDynamicCredentials(
                         workspaceCloneFolder,
@@ -75,17 +76,33 @@ public File prepareWorkspace(TerraformJob terraformJob) {
                         terraformJob.getEnvironmentVariables().get("TERRAKUBE_GCP_CREDENTIALS_CONFIG_FILE")
                 );
             }
+
+            if (terraformJob.getEnvironmentVariables().containsKey("ENABLE_DYNAMIC_CREDENTIALS_AWS")) {
+                setupAwsDynamicCredentials(
+                        workspaceCloneFolder,
+                        terraformJob.getEnvironmentVariables().get("TERRAKUBE_AWS_CREDENTIALS_FILE")
+                );
+            }
         } catch (IOException e) {
             log.error(e.getMessage());
         }
         return workspaceCloneFolder != null ? workspaceCloneFolder : new File("/tmp/" + UUID.randomUUID());
     }
 
+    private void setupAwsDynamicCredentials(File workspaceCloneFolder, String awsCredentialsFileContent ) {
+        try {
+            log.info("Generating AWS dynamic credentials files inside the workspace execution");
+            log.info("Writing AWS credentials to {}/terrakube_config_dynamic_credentials_aws.txt", workspaceCloneFolder.getAbsolutePath());
+            FileUtils.writeStringToFile(new File(workspaceCloneFolder.getAbsolutePath() + "/terrakube_config_dynamic_credentials_aws.txt"), awsCredentialsFileContent, Charset.defaultCharset());
+            } catch (Exception ex) {
+            log.error(ex.getMessage());
+        }
+    }
+
     private void setupGcpDynamicCredentials(File workspaceCloneFolder, String gcpCredentialsFileContent, String gcpCredentialConfigFileContent) {
         try {
             log.info("Generating GCP dynamic credentials files inside the workspace execution");
 
-            log.info("WorkingDir: {}", workspaceCloneFolder);
             log.info("Writing GCP credentials to {}/terrakube_dynamic_credentials.json", workspaceCloneFolder.getAbsolutePath());
             log.info("Writing GCP credentials Configuration File to {}/terrakube_config_dynamic_credentials.json", workspaceCloneFolder.getAbsolutePath());