// Copyright 2025 variHQ OÜ
// SPDX-License-Identifier: BSD-3-Clause
package main
import (
"context"
"fmt"
"log/slog"
"strings"
"time"
"github.com/aws/aws-sdk-go-v2/service/sts/types"
)
// run refreshes credentials once immediately and then once per ticker fire.
//
// The loop ends when ctx is cancelled or when any refresh fails; failures are
// logged before returning. The ticker is stopped only on the ctx cancellation
// path; after a failed tick it is left as-is for the caller.
func (a *App) run(ctx context.Context, ticker *time.Ticker) {
	if err := a.tick(ctx); err != nil {
		slog.Error("initial tick failed", slog.String("error", err.Error()))
		return
	}

	for {
		select {
		case <-ctx.Done():
			ticker.Stop()
			return
		case <-ticker.C:
			if err := a.tick(ctx); err != nil {
				slog.Error("tick failed", slog.String("error", err.Error()))
				return
			}

			slog.Info("credentials refresh")
		}
	}
}
// tick performs a single refresh: it assumes the next role via
// assumeNextInterestingRole and writes the resulting credentials, together
// with a.region, through a.profileWriter. Either failure is returned wrapped
// with context.
func (a *App) tick(ctx context.Context) error {
	creds, err := a.assumeNextInterestingRole(ctx)
	if err != nil {
		return fmt.Errorf("unable to assume role on tick: %w", err)
	}

	if err := a.profileWriter.writeAWSProfile(ctx, creds, a.region); err != nil {
		return fmt.Errorf("unable to write AWS credentials: %w", err)
	}

	return nil
}
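// writeAWSProfile stores the given credentials and region in the AWS CLI
// profile p.profileName by running one `aws configure set` command per setting
// through p.cmdExecutor.
//
// It returns ErrInvalidCredentials when credentials, or any of its
// AccessKeyId, SecretAccessKey or SessionToken fields, is nil. The commands run
// in order and the first failure aborts the sequence, so a failure can leave
// the profile partially updated.
//
// The returned error names the failing command with the secret access key and
// session token replaced by a placeholder. That error is logged by callers, and
// joining the raw argument list into it would copy live credentials into the
// log stream.
//
// NOTE(review): the secret values are still handed to the aws process as
// command-line arguments, which are typically readable by other local
// processes while the command runs. Consider writing the shared credentials
// file directly with owner-only permissions instead.
//
// NOTE(review): the error from p.cmdExecutor.Execute is logged and wrapped
// unchanged; confirm the executor does not embed the argument list in it.
//
//nolint:funlen
func (p *ProfileWriter) writeAWSProfile(
	ctx context.Context,
	credentials *types.Credentials,
	region string,
) error {
	if credentials == nil || credentials.AccessKeyId == nil ||
		credentials.SecretAccessKey == nil || credentials.SessionToken == nil {
		return ErrInvalidCredentials
	}

	// Placeholder shown instead of secret values in error text.
	const redacted = "[REDACTED]"

	settings := []struct {
		key    string
		value  string
		desc   string
		secret bool // value must never appear in logs or error text
	}{
		{
			key:   "aws_access_key_id",
			value: *credentials.AccessKeyId,
			desc:  "setting access key",
		},
		{
			key:    "aws_secret_access_key",
			value:  *credentials.SecretAccessKey,
			desc:   "setting secret key",
			secret: true,
		},
		{
			key:    "aws_session_token",
			value:  *credentials.SessionToken,
			desc:   "setting secret token",
			secret: true,
		},
		{
			key:   "region",
			value: region,
			desc:  "setting region",
		},
	}

	for _, s := range settings {
		args := []string{"configure", "set", s.key, s.value, "--profile", p.profileName}

		_, err := p.cmdExecutor.Execute(ctx, "aws", args...)
		if err == nil {
			continue
		}

		slog.Error(s.desc, slog.String("error", err.Error()))

		// Build the command text for the error from a redacted copy so the
		// secret never reaches the caller's log line.
		shown := s.value
		if s.secret {
			shown = redacted
		}

		display := []string{"configure", "set", s.key, shown, "--profile", p.profileName}

		return fmt.Errorf(
			"failed to execute aws command %q: %w",
			strings.Join(display, " "),
			err,
		)
	}

	slog.Debug("aws credentials updated", slog.String("profile", p.profileName))

	return nil
}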