Add support to multi-account environments (#30)

Co-authored-by: Gábor NÉMETH <[email protected]>

Author: lakkeger

.gitignore

@@ -4,3 +4,115 @@ dist/
 
 *.pyc
 __pycache__/
+
+# Created by https://www.toptal.com/developers/gitignore/api/pycharm+all,visualstudiocode
+# Edit at https://www.toptal.com/developers/gitignore?templates=pycharm+all,visualstudiocode
+
+### PyCharm+all ###
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider
+# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
+
+# User-specific stuff
+.idea/**/workspace.xml
+.idea/**/tasks.xml
+.idea/**/usage.statistics.xml
+.idea/**/dictionaries
+.idea/**/shelf
+
+# AWS User-specific
+.idea/**/aws.xml
+
+# Generated files
+.idea/**/contentModel.xml
+
+# Sensitive or high-churn files
+.idea/**/dataSources/
+.idea/**/dataSources.ids
+.idea/**/dataSources.local.xml
+.idea/**/sqlDataSources.xml
+.idea/**/dynamic.xml
+.idea/**/uiDesigner.xml
+.idea/**/dbnavigator.xml
+
+# Gradle
+.idea/**/gradle.xml
+.idea/**/libraries
+
+# Gradle and Maven with auto-import
+# When using Gradle or Maven with auto-import, you should exclude module files,
+# since they will be recreated, and may cause churn.  Uncomment if using
+# auto-import.
+# .idea/artifacts
+# .idea/compiler.xml
+# .idea/jarRepositories.xml
+# .idea/modules.xml
+# .idea/*.iml
+# .idea/modules
+# *.iml
+# *.ipr
+
+# CMake
+cmake-build-*/
+
+# Mongo Explorer plugin
+.idea/**/mongoSettings.xml
+
+# File-based project format
+*.iws
+
+# IntelliJ
+out/
+
+# mpeltonen/sbt-idea plugin
+.idea_modules/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Cursive Clojure plugin
+.idea/replstate.xml
+
+# SonarLint plugin
+.idea/sonarlint/
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+
+# Editor-based Rest Client
+.idea/httpRequests
+
+# Android studio 3.1+ serialized cache file
+.idea/caches/build_file_checksums.ser
+
+### PyCharm+all Patch ###
+# Ignore everything but code style settings and run configurations
+# that are supposed to be shared within teams.
+
+.idea/*
+
+!.idea/codeStyles
+!.idea/runConfigurations
+
+### VisualStudioCode ###
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
+!.vscode/*.code-snippets
+
+# Local History for Visual Studio Code
+.history/
+
+# Built Visual Studio Code Extensions
+*.vsix
+
+### VisualStudioCode Patch ###
+# Ignore all local history of files
+.history
+.ionide
+
+# End of https://www.toptal.com/developers/gitignore/api/pycharm+all,visualstudiocode

README.md

@@ -31,6 +31,14 @@ The following environment variables can be configured:
 * `USE_EXEC`: whether to use `os.exec` instead of `subprocess.Popen` (try using this in case of I/O issues)
 * `<SERVICE>_ENDPOINT`: setting a custom service endpoint, e.g., `COGNITO_IDP_ENDPOINT=http://example.com`
 * `AWS_DEFAULT_REGION`: the AWS region to use (default: `us-east-1`, or determined from local credentials if `boto3` is installed)
+* `CUSTOMIZE_ACCESS_KEY`: enables to override the static AWS Access Key ID. The following cases are taking precedence over each other from top to bottom:
+    * `AWS_ACCESS_KEY_ID` environment variable is set
+    * `access_key` is set in the Terraform AWS provider
+    * `AWS_PROFILE` environment variable is set and configured
+    * `AWS_DEFAULT_PROFILE` environment variable is set and configured
+    * `default` profile's credentials are configured
+    * falls back to the default `AWS_ACCESS_KEY_ID` mock value
+* `AWS_ACCESS_KEY_ID`: AWS Access Key ID to use for multi account setups (default: `test` -> account ID: `000000000000`)
 
 ## Usage
 
@@ -39,6 +47,7 @@ please refer to the man pages of `terraform --help`.
 
 ## Change Log
 
+* v0.14: Add support to multi-account environments
 * v0.13: Fix S3 automatic `use_s3_path_style` detection when setting S3_HOSTNAME or LOCALSTACK_HOSTNAME
 * v0.12: Fix local endpoint overrides for Terraform AWS provider 5.9.0; fix parsing of alias and region defined as value lists
 * v0.11: Minor fix to handle boolean values in S3 backend configs

bin/tflocal

@@ -24,6 +24,8 @@ from localstack_client import config  # noqa: E402
 import hcl2  # noqa: E402
 
 DEFAULT_REGION = "us-east-1"
+DEFAULT_ACCESS_KEY = "test"
+CUSTOMIZE_ACCESS_KEY = str(os.environ.get("CUSTOMIZE_ACCESS_KEY")).strip().lower() in ["1", "true"]
 LOCALHOST_HOSTNAME = "localhost.localstack.cloud"
 S3_HOSTNAME = os.environ.get("S3_HOSTNAME") or f"s3.{LOCALHOST_HOSTNAME}"
 USE_EXEC = str(os.environ.get("USE_EXEC")).strip().lower() in ["1", "true"]
@@ -33,7 +35,7 @@ LOCALSTACK_HOSTNAME = os.environ.get("LOCALSTACK_HOSTNAME") or "localhost"
 EDGE_PORT = int(os.environ.get("EDGE_PORT") or 4566)
 TF_PROVIDER_CONFIG = """
 provider "aws" {
-  access_key                  = "test"
+  access_key                  = "<access_key>"
   secret_key                  = "test"
   skip_credentials_validation = true
   skip_metadata_api_check     = true
@@ -116,8 +118,12 @@ def create_provider_config_file(provider_aliases=None):
     # create provider configs
     provider_configs = []
     for provider in provider_aliases:
+        provider_config = TF_PROVIDER_CONFIG.replace(
+            "<access_key>",
+            get_access_key(provider) if CUSTOMIZE_ACCESS_KEY else DEFAULT_ACCESS_KEY
+        )
         endpoints = "\n".join([f'{s} = "{get_service_endpoint(s)}"' for s in services])
-        provider_config = TF_PROVIDER_CONFIG.replace("<endpoints>", endpoints)
+        provider_config = provider_config.replace("<endpoints>", endpoints)
         additional_configs = []
         if use_s3_path_style():
             additional_configs += [" s3_use_path_style = true"]
@@ -243,6 +249,29 @@ def get_region() -> str:
     return region or DEFAULT_REGION
 
 
+def get_access_key(provider: dict) -> str:
+    access_key = str(os.environ.get("AWS_ACCESS_KEY_ID") or provider.get("access_key", "")).strip()
+    if access_key and access_key != DEFAULT_ACCESS_KEY:
+        # Change live access key to mocked one
+        return deactivate_access_key(access_key)
+    try:
+        # If boto3 is installed, try to get the access_key from local credentials.
+        # Note that boto3 is currently not included in the dependencies, to
+        # keep the library lightweight.
+        import boto3
+        access_key = boto3.session.Session().get_credentials().access_key
+    except Exception:
+        pass
+    # fall back to default region
+    return deactivate_access_key(access_key or DEFAULT_ACCESS_KEY)
+
+
+def deactivate_access_key(access_key: str) -> str:
+    """Safe guarding user from accidental live credential usage by deactivating access key IDs.
+        See more: https://docs.localstack.cloud/references/credentials/"""
+    return "L" + access_key[1:] if access_key[0] == "A" else access_key
+
+
 def get_service_endpoint(service: str) -> str:
     """Get the service endpoint URL for the given service name"""
     # allow configuring a custom endpoint via the environment

setup.cfg

@@ -1,6 +1,6 @@
 [metadata]
 name = terraform-local
-version = 0.13
+version = 0.14
 url = https://github.com/localstack/terraform-local
 author = LocalStack Team
 author_email = [email protected]

tests/test_apply.py

@@ -1,16 +1,98 @@
-import tempfile
 import os
-import boto3
-import uuid
+import random
 import subprocess
-from typing import Dict
+import tempfile
+import uuid
+from typing import Dict, Generator
+
+import boto3
+import pytest
 
 THIS_PATH = os.path.abspath(os.path.dirname(__file__))
 ROOT_PATH = os.path.join(THIS_PATH, "..")
 TFLOCAL_BIN = os.path.join(ROOT_PATH, "bin", "tflocal")
 LOCALSTACK_ENDPOINT = "http://localhost:4566"
 
 
+@pytest.mark.parametrize("customize_access_key", [True, False])
+def test_customize_access_key_feature_flag(monkeypatch, customize_access_key: bool):
+    monkeypatch.setenv("CUSTOMIZE_ACCESS_KEY", str(customize_access_key))
+
+    # create buckets in multiple accounts
+    access_key = mock_access_key()
+    monkeypatch.setenv("AWS_ACCESS_KEY_ID", access_key)
+    bucket_name = short_uid()
+
+    create_test_bucket(bucket_name)
+
+    s3_bucket_names_default_account = get_bucket_names()
+    s3_bucket_names_specific_account = get_bucket_names(aws_access_key_id=access_key)
+
+    if customize_access_key:
+        # if CUSTOMISE_ACCESS_KEY is enabled, the bucket name is only in the specific account
+        assert bucket_name not in s3_bucket_names_default_account
+        assert bucket_name in s3_bucket_names_specific_account
+    else:
+        # if CUSTOMISE_ACCESS_KEY is disabled, the bucket name is only in the default account
+        assert bucket_name in s3_bucket_names_default_account
+        assert bucket_name not in s3_bucket_names_specific_account
+
+
+def _profile_names() -> Generator:
+    yield short_uid()
+    yield "default"
+
+
+def _generate_test_name(param: str) -> str:
+    return "random" if param != "default" else param
+
+
+@pytest.mark.parametrize("profile_name", _profile_names(), ids=_generate_test_name)
+def test_access_key_override_by_profile(monkeypatch, profile_name: str):
+    monkeypatch.setenv("CUSTOMIZE_ACCESS_KEY", "1")
+    access_key = mock_access_key()
+    bucket_name = short_uid()
+    credentials = """
+    [%s]
+    aws_access_key_id = %s
+    aws_secret_access_key = test
+    region = eu-west-1
+    """ % (profile_name, access_key)
+    with tempfile.TemporaryDirectory() as temp_dir:
+        credentials_file = os.path.join(temp_dir, "credentials")
+        with open(credentials_file, "w") as f:
+            f.write(credentials)
+
+        if profile_name != "default":
+            monkeypatch.setenv("AWS_PROFILE", profile_name)
+        monkeypatch.setenv("AWS_SHARED_CREDENTIALS_FILE", credentials_file)
+
+        create_test_bucket(bucket_name)
+
+        extra_param = {"aws_access_key_id": None, "aws_secret_access_key": None} if profile_name == "default" else {}
+        s3_bucket_names_specific_profile = get_bucket_names(**extra_param)
+
+        monkeypatch.delenv("AWS_PROFILE", raising=False)
+
+        s3_bucket_names_default_account = get_bucket_names()
+
+        assert bucket_name in s3_bucket_names_specific_profile
+        assert bucket_name not in s3_bucket_names_default_account
+
+
+def test_access_key_override_by_provider(monkeypatch):
+    monkeypatch.setenv("CUSTOMIZE_ACCESS_KEY", "1")
+    access_key = mock_access_key()
+    bucket_name = short_uid()
+    create_test_bucket(bucket_name, access_key)
+
+    s3_bucket_names_default_account = get_bucket_names()
+    s3_bucket_names_specific_account = get_bucket_names(aws_access_key_id=access_key)
+
+    assert bucket_name not in s3_bucket_names_default_account
+    assert bucket_name in s3_bucket_names_specific_account
+
+
 def test_s3_path_addressing():
     bucket_name = f"bucket.{short_uid()}"
     config = """
@@ -45,7 +127,7 @@ def test_use_s3_path_style(monkeypatch):
     assert not use_s3_path_style()  # noqa
 
 
-def test_provider_aliases(monkeypatch):
+def test_provider_aliases():
     queue_name1 = f"q{short_uid()}"
     queue_name2 = f"q{short_uid()}"
     config = """
@@ -127,15 +209,43 @@ def deploy_tf_script(script: str, env_vars: Dict[str, str] = None):
         return out
 
 
+def get_bucket_names(**kwargs: dict) -> list:
+    s3 = client("s3", region_name="eu-west-1", **kwargs)
+    s3_buckets = s3.list_buckets().get("Buckets")
+    return [s["Name"] for s in s3_buckets]
+
+
+def create_test_bucket(bucket_name: str, access_key: str = None) -> None:
+    access_key_section = f'access_key = "{access_key}"' if access_key else ""
+    config = """
+    provider "aws" {
+      %s
+      region = "eu-west-1"
+    }
+    resource "aws_s3_bucket" "test_bucket" {
+      bucket = "%s"
+    }""" % (access_key_section, bucket_name)
+    deploy_tf_script(config)
+
+
 def short_uid() -> str:
     return str(uuid.uuid4())[0:8]
 
 
+def mock_access_key() -> str:
+    return str(random.randrange(999999999999)).zfill(12)
+
+
 def client(service: str, **kwargs):
+    # if aws access key is not set AND no profile is in the environment,
+    # we want to set the accesss key and the secret key to test
+    if "aws_access_key_id" not in kwargs and "AWS_PROFILE" not in os.environ:
+        kwargs["aws_access_key_id"] = "test"
+    if "aws_access_key_id" in kwargs and "aws_secret_access_key" not in kwargs:
+        kwargs["aws_secret_access_key"] = "test"
+    boto3.setup_default_session()
     return boto3.client(
         service,
-        aws_access_key_id="test",
-        aws_secret_access_key="test",
         endpoint_url=LOCALSTACK_ENDPOINT,
         **kwargs,
     )