Merge pull request #1595 from TimeIncOSS/aws-account-protection

aws: Allow defining blacklist/whitelist of account IDs
11 years ago · 3176e5b44a
parent 54e3e6104e 150fd00932
commit 3176e5b44a
4 changed files with 86 additions and 0 deletions
--- a/builtin/providers/aws/config.go
+++ b/builtin/providers/aws/config.go
@ -3,6 +3,7 @@ package aws
 import (
 	"fmt"
 	"log"
+	"strings"

 	"github.com/hashicorp/terraform/helper/multierror"

@ -21,6 +22,9 @@ type Config struct {
 	SecretKey string
 	Token     string
 	Region    string
+
+	AllowedAccountIds   []interface{}
+	ForbiddenAccountIds []interface{}
 }

 type AWSClient struct {
@ -71,6 +75,12 @@ func (c *Config) Client() (interface{}, error) {

 		log.Println("[INFO] Initializing IAM Connection")
 		client.iamconn = iam.New(awsConfig)
+
+		err := c.ValidateAccountId(client.iamconn)
+		if err != nil {
+			errs = append(errs, err)
+		}
+
 		log.Println("[INFO] Initializing AutoScaling connection")
 		client.autoscalingconn = autoscaling.New(awsConfig)

@ -109,3 +119,37 @@ func (c *Config) ValidateRegion() error {
 	}
 	return fmt.Errorf("Not a valid region: %s", c.Region)
 }
+
+func (c *Config) ValidateAccountId(iamconn *iam.IAM) error {
+	if c.AllowedAccountIds == nil && c.ForbiddenAccountIds == nil {
+		return nil
+	}
+
+	log.Printf("[INFO] Validating account ID")
+
+	out, err := iamconn.GetUser(nil)
+	if err != nil {
+		return fmt.Errorf("Failed getting account ID from IAM: %s", err)
+	}
+
+	account_id := strings.Split(*out.User.ARN, ":")[4]
+
+	if c.ForbiddenAccountIds != nil {
+		for _, id := range c.ForbiddenAccountIds {
+			if id == account_id {
+				return fmt.Errorf("Forbidden account ID (%s)", id)
+			}
+		}
+	}
+
+	if c.AllowedAccountIds != nil {
+		for _, id := range c.AllowedAccountIds {
+			if id == account_id {
+				return nil
+			}
+		}
+		return fmt.Errorf("Account ID not allowed (%s)", account_id)
+	}
+
+	return nil
+}
--- a/builtin/providers/aws/provider.go
+++ b/builtin/providers/aws/provider.go
@ -1,6 +1,7 @@
 package aws

 import (
+	"github.com/hashicorp/terraform/helper/hashcode"
 	"github.com/hashicorp/terraform/helper/schema"
 	"github.com/hashicorp/terraform/terraform"
 )
@ -51,6 +52,26 @@ func Provider() terraform.ResourceProvider {
 				Description:  descriptions["region"],
 				InputDefault: "us-east-1",
 			},
+
+			"allowed_account_ids": &schema.Schema{
+				Type:          schema.TypeSet,
+				Elem:          &schema.Schema{Type: schema.TypeString},
+				Optional:      true,
+				ConflictsWith: []string{"forbidden_account_ids"},
+				Set: func(v interface{}) int {
+					return hashcode.String(v.(string))
+				},
+			},
+
+			"forbidden_account_ids": &schema.Schema{
+				Type:          schema.TypeSet,
+				Elem:          &schema.Schema{Type: schema.TypeString},
+				Optional:      true,
+				ConflictsWith: []string{"allowed_account_ids"},
+				Set: func(v interface{}) int {
+					return hashcode.String(v.(string))
+				},
+			},
 		},

 		ResourcesMap: map[string]*schema.Resource{
@ -110,5 +131,13 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 		Region:    d.Get("region").(string),
 	}

+	if v, ok := d.GetOk("allowed_account_ids"); ok {
+		config.AllowedAccountIds = v.(*schema.Set).List()
+	}
+
+	if v, ok := d.GetOk("forbidden_account_ids"); ok {
+		config.ForbiddenAccountIds = v.(*schema.Set).List()
+	}
+
 	return config.Client()
 }
--- a/helper/schema/schema.go
+++ b/helper/schema/schema.go
@ -384,6 +384,8 @@ func (m schemaMap) Input(
 			fallthrough
 		case TypeFloat:
 			fallthrough
+		case TypeSet:
+			continue
 		case TypeString:
 			value, err = m.inputString(input, k, v)
 		default:
--- a/website/source/docs/providers/aws/index.html.markdown
+++ b/website/source/docs/providers/aws/index.html.markdown
@ -22,6 +22,9 @@ provider "aws" {
    access_key = "${var.aws_access_key}"
    secret_key = "${var.aws_secret_key}"
    region = "us-east-1"
+
+    # Not run this in live account
+    forbidden_account_ids = ["1234567890"]
 }

 # Create a web server
@ -43,5 +46,13 @@ The following arguments are supported in the `provider` block:
 * `region` - (Required) This is the AWS region. It must be provided, but
  it can also be sourced from the `AWS_DEFAULT_REGION` environment variables.

+* `allowed_account_ids` - (Optional) List of allowed AWS account IDs (whitelist)
+  to prevent you mistakenly using a wrong one (and end up destroying live environment).
+  Conflicts with `forbidden_account_ids`.
+
+* `forbidden_account_ids` - (Optional) List of forbidden AWS account IDs (blacklist)
+  to prevent you mistakenly using a wrong one (and end up destroying live environment).
+  Conflicts with `allowed_account_ids`.
+
 In addition to the above parameters, the `AWS_SECURITY_TOKEN` environmental
 variable can be set to set an MFA token.