Vault AWS EC2 auth

[stuart-c]

This requires #177 to be merged first.

Add AWS ec2 auth support for Vault.

[hairyhenderson]

Awesome! This'll need to be rebased now that #177 is merged.

[hairyhenderson]

I think if VAULT_AUTH_AWS_METHOD is required (i.e. must be set to ec2, and doesn't default), then this environment variable can be dropped.

[stuart-c]

I was thinking of moving it last in the order so both environment variables can be removed

[hairyhenderson]

Isn't VAULT_AUTH_AWS_METHOD required to differentiate between ec2 and iam? Or do you mean you'd default to ec2?

[hairyhenderson]

As far as moving it last in order, that's probably fine. There are cases where I use gomplate in CI environments and pass it a VAULT_TOKEN var so it can auth correctly. Those CI environments are generally in EC2, so it'd be good to not get tripped up there.

[hairyhenderson]

I just exposed a new MustAtoi in github.com/hairyhenderson/gomplate/typeconv, so you can do this instead:

opts.Timeout = time.Duration(typeconv.MustAtoi(os.Getenv("AWS_TIMEOUT"))) * time.Millisecond

[stuart-c]

I'm just trying to add some integration tests.

[hairyhenderson]

There's actually no need to have this check, because opts.Timeout's default is 0 anyways. There's no harm to simply setting it to 0 explicitly.

You could make things even simpler by setting Timeout while creating the struct (up on ln169):

opts := aws.ClientOptions{
  Timeout: time.Duration(typeconv.MustAtoi(os.Getenv("AWS_TIMEOUT"))) * time.Millisecond,
}

[stuart-c]

@hairyhenderson could you take a look at this now?

[hairyhenderson]

@stuart-c the integration test is failing:

not ok 33 Testing ec2 vault auth
# (in test file test/integration/datasources_vault.bats, line 134)
#   `vault auth-enable aws' failed with status 2
# Success! Data written to: secret/foo
# Error: Error making API request.
# 
# URL: POST http://127.0.0.1:8200/v1/sys/auth/aws
# Code: 400. Errors:
# 
# * unknown backend type: aws
# Success! Deleted 'secret/foo' if it existed.
# Disabled auth provider at path 'userpass' if it was enabled
# Disabled auth provider at path 'userpass2' if it was enabled
# Disabled auth provider at path 'approle' if it was enabled
# Disabled auth provider at path 'approle2' if it was enabled
# Disabled auth provider at path 'app-id' if it was enabled
# Disabled auth provider at path 'app-id2' if it was enabled
# Disabled auth provider at path 'aws' if it was enabled
# Policy 'writepol' deleted.
# Policy 'readpol' deleted.
# Successfully unmounted 'ssh' if it was mounted

[hairyhenderson]

I think this block belongs here instead: https://github.com/hairyhenderson/gomplate/blob/master/aws/ec2meta.go#L89

[stuart-c]

You mean you'd prefer the AWS_META_ENDPOINT to be set in the ec2meta file?

[hairyhenderson]

I'd prefer it to be read there - so that the metadata endpoint can be overridden in general, not just when using Vault EC2 auth

[hairyhenderson]

Why the extra strings.Replace? strings.TrimSpace will trim off \n characters... Or is this intended to remove all newlines in the middle of the string?

[stuart-c]

Yep all embedded newlines need to be removed.

[hairyhenderson]

the integration test is failing

Ah - it's because the version of Vault in hairyhenderson/gomplate-ci-build is too old - just pushed an update in hairyhenderson/dockerfiles@7af0f95

[hairyhenderson]

@stuart-c can you bump the Vault version in https://github.com/hairyhenderson/gomplate/blob/master/test/integration/Dockerfile#L3 so that make test-integration-docker succeeds?

[stuart-c]

That is now fixed, but the tests are hanging a bit further down. Not sure what's going on. Is it working for you locally?

[hairyhenderson]

Looks like you accidentally committed test/integration/aws and test/integration/meta - maybe should add those to a .gitignore

[hairyhenderson]

the tests are hanging a bit further down. Not sure what's going on

Maybe related to a CircleCI issue: https://status.circleci.com/incidents/1hf3n7yf8zrn?

[stuart-c]

Fixed the .gitignore

[stuart-c]

Looks to be a bats bug which I think I've now worked around...

So I think everything should now be good @hairyhenderson?