// AwsConfig returns the default aws.Config object while the appropriate
// credentials. Callers should override returned config properties with any
// values they want for service specific overrides.
func AwsConfig() (awsConfig *aws.Config) {
// create default config
awsConfig = &aws.Config{
Retryer: newRetryer(),
SleepDelay: sleepDelay,
}
// update region from platform
region, err := platform.Region()
if region != "" {
awsConfig.Region = ®ion
}
// load managed credentials if applicable
if isManaged, err := registration.HasManagedInstancesCredentials(); isManaged && err == nil {
awsConfig.Credentials =
rolecreds.ManagedInstanceCredentialsInstance()
return
}
// look for profile credentials
appConfig, err := appconfig.Config(false)
if err == nil {
creds, _ := appConfig.ProfileCredentials()
if creds != nil {
awsConfig.Credentials = creds
}
}
return
}
func AwsConfig() *aws.Config {
// create default config
awsConfig := &aws.Config{
Retryer: newRetryer(),
SleepDelay: sleepDelay,
}
// parse appConfig overrides
appConfig, err := appconfig.Config(false)
if err != nil {
return awsConfig
}
if appConfig.Ssm.Endpoint != "" {
awsConfig.Endpoint = &appConfig.Ssm.Endpoint
}
if appConfig.Agent.Region != "" {
awsConfig.Region = &appConfig.Agent.Region
}
// TODO: test hook, can be removed before release
// this is to skip ssl verification for the beta self signed certs
if appConfig.Ssm.InsecureSkipVerify {
tr := &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
}
awsConfig.HTTPClient = &http.Client{Transport: tr}
}
return awsConfig
}
// NewService creates a new SSM service instance.
func NewService() Service {
if ssmStopPolicy == nil {
// create a stop policy where we will stop after 10 consecutive errors and if time period expires.
ssmStopPolicy = sdkutil.NewStopPolicy("ssmService", 10)
}
awsConfig := sdkutil.AwsConfig()
// parse appConfig overrides
appConfig, err := appconfig.Config(false)
if err == nil {
if appConfig.Ssm.Endpoint != "" {
awsConfig.Endpoint = &appConfig.Ssm.Endpoint
}
// TODO: test hook, can be removed before release
// this is to skip ssl verification for the beta self signed certs
if appConfig.Ssm.InsecureSkipVerify {
tr := &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
}
awsConfig.HTTPClient = &http.Client{Transport: tr}
}
}
ssmService := ssm.New(session.New(awsConfig))
return &sdkService{sdk: ssmService}
}
// NewCoreManager creates a new core plugin manager.
func NewCoreManager(instanceIdPtr *string, regionPtr *string, log logger.T) (cm *CoreManager, err error) {
// initialize appconfig
var config appconfig.SsmagentConfig
if config, err = appconfig.Config(false); err != nil {
log.Errorf("Could not load config file: %v", err)
return
}
// initialize region
if *regionPtr != "" {
if err = platform.SetRegion(*regionPtr); err != nil {
log.Errorf("error occured setting the region, %v", err)
return
}
}
var region string
if region, err = platform.Region(); err != nil {
log.Errorf("error fetching the region, %v", err)
return
}
log.Debug("Using region:", region)
// initialize instance ID
if *instanceIdPtr != "" {
if err = platform.SetInstanceID(*instanceIdPtr); err != nil {
log.Errorf("error occured setting the instance ID, %v", err)
return
}
}
var instanceId string
if instanceId, err = platform.InstanceID(); err != nil {
log.Errorf("error fetching the instanceID, %v", err)
return
}
log.Debug("Using instanceID:", instanceId)
if err = fileutil.HardenDataFolder(); err != nil {
log.Errorf("error initializing SSM data folder with hardened ACL, %v", err)
return
}
//Initialize all folders where interim states of executing commands will be stored.
if !initializeBookkeepingLocations(log, instanceId) {
log.Error("unable to initialize. Exiting")
return
}
context := context.Default(log, config).With("[instanceID=" + instanceId + "]")
corePlugins := coreplugins.RegisteredCorePlugins(context)
return &CoreManager{
context: context,
corePlugins: *corePlugins,
}, nil
}
// uploadOutput uploads the stdout and stderr file to S3
func (c *contextManager) uploadOutput(log log.T, context *UpdateContext) (err error) {
awsConfig := sdkutil.AwsConfig()
var config appconfig.SsmagentConfig
config, err = appconfig.Config(false)
if err != nil {
return fmt.Errorf("could not load config file: %v", err)
}
// If customers have provided override in app config, honor that.
if config.S3.Region != "" {
awsConfig.Region = &config.S3.Region
}
log.Infof("Uploading output files to region: %v", *awsConfig.Region)
s3 := s3.New(session.New(awsConfig))
// upload outputs (if any) to s3
uploader := s3util.NewManager(s3)
uploadOutputsToS3 := func() {
// delete temp outputDir once we're done
defer pluginutil.DeleteDirectory(log, updateutil.UpdateOutputDirectory(context.Current.UpdateRoot))
// get stdout file path
stdoutPath := updateutil.UpdateStandOutPath(context.Current.UpdateRoot, context.Current.StdoutFileName)
s3Key := path.Join(context.Current.OutputS3KeyPrefix, context.Current.StdoutFileName)
log.Debugf("Uploading %v to s3://%v/%v", stdoutPath, context.Current.OutputS3BucketName, s3Key)
err = uploader.S3Upload(context.Current.OutputS3BucketName, s3Key, stdoutPath)
if err != nil {
log.Errorf("failed uploading %v to s3://%v/%v \n err:%v",
stdoutPath,
context.Current.OutputS3BucketName,
s3Key,
err)
}
// get stderr file path
stderrPath := updateutil.UpdateStandOutPath(context.Current.UpdateRoot, context.Current.StderrFileName)
s3Key = path.Join(context.Current.OutputS3KeyPrefix, context.Current.StderrFileName)
log.Debugf("Uploading %v to s3://%v/%v", stderrPath, context.Current.OutputS3BucketName, s3Key)
err = uploader.S3Upload(context.Current.OutputS3BucketName, s3Key, stderrPath)
if err != nil {
log.Errorf("failed uploading %v to s3://%v/%v \n err:%v", stderrPath, context.Current.StderrFileName, s3Key, err)
}
}
uploadOutputsToS3()
return nil
}
// ManagedInstanceCredentialsInstance returns a singleton instance of
// Crednetials which provides credentials of a managed instance.
func ManagedInstanceCredentialsInstance() *credentials.Credentials {
lock.Lock()
defer lock.Unlock()
logger = log.Logger()
shareCreds = true
if config, err := appconfig.Config(false); err == nil {
shareCreds = config.Profile.ShareCreds
shareProfile = config.Profile.ShareProfile
}
if credentialsSingleton == nil {
credentialsSingleton = newManagedInstanceCredentials()
}
return credentialsSingleton
}
// NewAnonymousService creates a new SSM service instance.
func NewAnonymousService(region string) AnonymousService {
log.SetFlags(0)
awsConfig := util.AwsConfig().WithLogLevel(aws.LogOff)
awsConfig.Region = ®ion
awsConfig.Credentials = credentials.AnonymousCredentials
//parse appConfig override to get ssm endpoint if there is any
appConfig, err := appconfig.Config(true)
if err == nil {
if appConfig.Ssm.Endpoint != "" {
awsConfig.Endpoint = &appConfig.Ssm.Endpoint
}
} else {
log.Printf("encountered error while loading appconfig - %s", err)
}
// Create a session to share service client config and handlers with
ssmSess := session.New(awsConfig)
ssmService := ssm.New(ssmSess)
return &sdkService{sdk: ssmService}
}
// s3Download attempts to download a file via the aws sdk.
func s3Download(log log.T, amazonS3URL s3util.AmazonS3URL, destFile string) (output DownloadOutput, err error) {
log.Debugf("attempting to download as s3 download %v", destFile)
eTagFile := destFile + ".etag"
config := &aws.Config{}
var appConfig appconfig.SsmagentConfig
appConfig, err = appconfig.Config(false)
if err != nil {
log.Error("failed to read appconfig.")
} else {
creds, err1 := appConfig.ProfileCredentials()
if err1 != nil {
config.Credentials = creds
}
}
config.S3ForcePathStyle = aws.Bool(amazonS3URL.IsPathStyle)
config.Region = aws.String(amazonS3URL.Region)
params := &s3.GetObjectInput{
Bucket: aws.String(amazonS3URL.Bucket),
Key: aws.String(amazonS3URL.Key),
}
if fileutil.Exists(destFile) == true && fileutil.Exists(eTagFile) == true {
var existingETag string
existingETag, err = fileutil.ReadAllText(eTagFile)
if err != nil {
log.Debugf("failed to read etag file %v, %v", eTagFile, err)
return
}
params.IfNoneMatch = aws.String(existingETag)
}
s3client := s3.New(session.New(config))
req, resp := s3client.GetObjectRequest(params)
err = req.Send()
if err != nil {
if req.HTTPResponse == nil || req.HTTPResponse.StatusCode != http.StatusNotModified {
log.Debug("failed to download from s3, ", err)
fileutil.DeleteFile(destFile)
fileutil.DeleteFile(eTagFile)
return
}
log.Debugf("Unchanged file.")
output.IsUpdated = false
output.LocalFilePath = destFile
return output, nil
}
if *resp.ETag != "" {
log.Debug("files etag is ", *resp.ETag)
err = fileutil.WriteAllText(eTagFile, *resp.ETag)
if err != nil {
log.Errorf("failed to write eTagfile %v, %v ", eTagFile, err)
return
}
}
defer resp.Body.Close()
_, err = FileCopy(log, destFile, resp.Body)
if err == nil {
output.LocalFilePath = destFile
output.IsUpdated = true
} else {
log.Errorf("failed to write destFile %v, %v ", destFile, err)
}
return
}