From 0558e501e54920e6bd699d3bbd0574da546e596c Mon Sep 17 00:00:00 2001 From: Michael Smith Date: Tue, 2 Apr 2019 12:18:11 -0700 Subject: [PATCH] Add a hack to make AWS Roles usable Enable using a manually-generated session token for AWS Roles. A better solution would be to use https://docs.ansible.com/ansible/latest/modules/sts_assume_role_module.html, but I'm not sure how to add the conditional logic required to add that to the Streisand setup workflow.
---
 playbooks/amazon.yml | 5 +++++
 playbooks/roles/ec2-security-group/tasks/main.yml | 8 ++++++++
 playbooks/roles/genesis-amazon/tasks/main.yml | 6 ++++++
 3 files changed, 19 insertions(+)
diff --git a/playbooks/amazon.yml b/playbooks/amazon.yml
index 72eb6df3d..f204033f5 100644
--- a/playbooks/amazon.yml
+++ b/playbooks/amazon.yml
@@ -98,6 +98,11 @@
 prompt: "\nWhat is your AWS Secret Access Key?\n"
 private: no
+ - name: "aws_session_token"
+ prompt: "\nIf you use AWS Roles, what is your AWS Token? Press enter for none.\n"
+ default: ""
+ private: no
+
 - name: "confirmation"
 prompt: "\nStreisand will now set up your server. This process usually takes around ten minutes. Press Enter to begin setup...\n"
diff --git a/playbooks/roles/ec2-security-group/tasks/main.yml b/playbooks/roles/ec2-security-group/tasks/main.yml
index 849cc83a3..c0b0f0d74 100644
--- a/playbooks/roles/ec2-security-group/tasks/main.yml
+++ b/playbooks/roles/ec2-security-group/tasks/main.yml
@@ -7,6 +7,7 @@
 vpc_id: "{{ aws_vpc_id | default(omit) }}"
 aws_access_key: "{{ aws_access_key }}"
 aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
 - name: Pause for fifteen seconds to ensure the EC2 security group has been created
 pause:
@@ -20,6 +21,7 @@
 vpc_id: "{{ aws_vpc_id | default(omit) }}"
 aws_access_key: "{{ aws_access_key }}"
 aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
 rules: # Nginx # --- 
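Review bot: The new `aws_session_token` prompt is declared with `private: no`, so a bearer credential is echoed to the terminal and ends up in scrollback and any session recording; `private: yes` is the safer choice here, even though the existing secret-key prompt above also uses `private: no`. The wording should also tell the user that a session token is only accepted by AWS together with the temporary access key ID and secret key that were issued with it, since the two earlier prompts are answered first and a long-lived IAM key paired with an STS token will fail authentication. Suggested: `prompt: "\nIf you are using temporary credentials (AWS Roles/STS), enter the AWS Session Token that was issued with the keys above. Press enter for none.\n"`. The enclosing `vars_prompt` list starts before this hunk.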
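Review bot: `security_token: "{{ aws_session_token }}"` passes an empty string whenever the user pressed Enter at the prompt, so correctness depends on the module's connection helper treating `""` as "no token" rather than on the parameter being left out. The `vpc_id` line just above already uses the omit idiom, and the boolean form of the same filter covers empty strings: `security_token: "{{ aws_session_token | default(omit, true) }}"`. The identical line is added to every `ec2_group` task in this file, so whichever form is chosen should be applied uniformly. The task list continues beyond this hunk.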
@@ -55,6 +57,7 @@
 vpc_id: "{{ aws_vpc_id | default(omit) }}"
 aws_access_key: "{{ aws_access_key }}"
 aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
 purge_rules: no
 purge_rules_egress: no
 rules:
@@ -82,6 +85,7 @@
 vpc_id: "{{ aws_vpc_id | default(omit) }}"
 aws_access_key: "{{ aws_access_key }}"
 aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
 purge_rules: no
 purge_rules_egress: no
 rules:
@@ -109,6 +113,7 @@
 vpc_id: "{{ aws_vpc_id | default(omit) }}"
 aws_access_key: "{{ aws_access_key }}"
 aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
 purge_rules: no
 purge_rules_egress: no
 rules:
@@ -130,6 +135,7 @@
 vpc_id: "{{ aws_vpc_id | default(omit) }}"
 aws_access_key: "{{ aws_access_key }}"
 aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
 purge_rules: no
 purge_rules_egress: no
 rules:
@@ -157,6 +163,7 @@
 vpc_id: "{{ aws_vpc_id | default(omit) }}"
 aws_access_key: "{{ aws_access_key }}"
 aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
 purge_rules: no
 purge_rules_egress: no
 rules:
@@ -184,6 +191,7 @@
 vpc_id: "{{ aws_vpc_id | default(omit) }}"
 aws_access_key: "{{ aws_access_key }}"
 aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
 purge_rules: no
 purge_rules_egress: no
 rules:
diff --git a/playbooks/roles/genesis-amazon/tasks/main.yml b/playbooks/roles/genesis-amazon/tasks/main.yml
index 003be7e5c..89b40ae97 100644
--- a/playbooks/roles/genesis-amazon/tasks/main.yml
+++ b/playbooks/roles/genesis-amazon/tasks/main.yml
@@ -13,6 +13,7 @@
 state: absent
 aws_access_key: "{{ aws_access_key }}"
 aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
 region: "{{ aws_region }}"
 wait: yes 
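Review bot: The session token threaded through this role is a temporary credential with a fixed lifetime, and the role creates several resources in sequence (the key material upload in the next hunk, then the instance, its status-check alarm and its Elastic IP in later hunks); if the token expires mid-run the later tasks fail and leave partially created resources behind, which neither the commit message nor the prompt warns about. A cheap guard is to validate the credentials once before anything is created, for example an `aws_caller_facts` task at the top of this role given the same `aws_access_key`/`aws_secret_key`/`security_token`, assuming the project's Ansible version ships that module. As elsewhere, `security_token: "{{ aws_session_token | default(omit, true) }}"` would avoid passing an empty string when no token was entered. The module name and `name:` of this task are above the hunk.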
@@ -22,6 +23,7 @@
 key_material: "{{ ssh_key.stdout }}"
 aws_access_key: "{{ aws_access_key }}"
 aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
 region: "{{ aws_region }}"
 wait: yes
@@ -29,6 +31,7 @@
 ec2_ami_facts:
 aws_access_key: "{{ aws_access_key }}"
 aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
 owners: "{{ aws_ami_owner }}"
 region: "{{ aws_region }}"
 filters:
@@ -39,6 +42,7 @@
 ec2:
 aws_access_key: "{{ aws_access_key }}"
 aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
 instance_type: "{{ aws_instance_type }}"
 image: "{{ ami.images|sort(reverse=True,attribute='name')|map(attribute='image_id')|first }}"
 region: "{{ aws_region }}"
@@ -58,6 +62,7 @@
 state: present
 aws_access_key: "{{ aws_access_key }}"
 aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
 region: "{{ aws_region }}"
 namespace: "AWS/EC2"
 metric: StatusCheckFailed_System
@@ -83,6 +88,7 @@
 ec2_eip:
 aws_access_key: "{{ aws_access_key }}"
 aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
 region: "{{ aws_region }}"
 device_id: "{{ streisand_server.instances[0].id }}"
 in_vpc: "{{ aws_vpc_id is defined and aws_vpc_id != '' }}"