DUPLO-4081: support duplo-ops JIT access

duplocloud · Jun 23, 2022 · f328456 · f328456
1 parent 34f619f
commit f328456
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 6 deletions.
diff --git a/cmd/duplo-aws-credential-process/main.go b/cmd/duplo-aws-credential-process/main.go
@@ -94,6 +94,7 @@ func main() {
 	host := flag.String("host", "", "Duplo API base URL")
 	token := flag.String("token", "", "Duplo API token")
 	admin := flag.Bool("admin", false, "Get admin credentials")
+	duploOps := flag.Bool("duplo-ops", false, "Get Duplo operations credentials")
 	tenantID := flag.String("tenant", "", "Get credentials for the given tenant")
 	debug := flag.Bool("debug", false, "Turn on verbose (debugging) output")
 	noCache = flag.Bool("no-cache", false, "Disable caching (not recommended)")
@@ -147,6 +148,22 @@ func main() {
 			creds = convertCreds(result)
 		}
 
+	} else if *duploOps {
+
+		// Build the cache key
+		cacheKey = strings.Join([]string{strings.TrimPrefix(*host, "https://"), "duplo-ops"}, ",")
+
+		// Try to find credentials from the cache.
+		creds = cacheGetAwsConfigOutput(cacheKey)
+
+		// Otherwise, get the credentials from Duplo.
+		if creds == nil {
+			client := mustDuploClient(*host, *token, *interactive, true)
+			result, err := client.AdminAwsGetJitAccess("duplo-ops")
+			dieIf(err, "failed to get credentials")
+			creds = convertCreds(result)
+		}
+
 	} else if tenantID == nil || *tenantID == "" {
 
 		// Tenant credentials require an additional argument.
@@ -166,11 +183,11 @@ func main() {
 
 			// If it doesn't look like a UUID, get the tenant ID from the name.
 			if len(*tenantID) < 32 {
-                var err error
+				var err error
 				tenant, err := client.GetTenantByNameForUser(*tenantID)
-                if tenant == nil {
-                    err = errors.New("")
-                }
+				if tenant == nil {
+					err = errors.New("no such tenant available to your user")
+				}
 				dieIf(err, fmt.Sprintf("%s: tenant not found", *tenantID))
 				tenantID = &tenant.TenantID
 			}

diff --git a/duplocloud/api.go b/duplocloud/api.go
@@ -19,8 +19,33 @@ type UserTenant struct {
 	PlanID      string `json:"PlanID"`
 }
 
-// AdminGetAwsCredentials retrieves just-in-time admin AWS credentials via the Duplo API.
+// AdminAwsGetJitAccess retrieves just-in-time admin AWS credentials for the requested role via the Duplo API.
+func (c *Client) AdminAwsGetJitAccess(role string) (*AwsJitCredentials, ClientError) {
+	creds := AwsJitCredentials{}
+	err := c.getAPI("AdminAwsGetJitAccess()", fmt.Sprintf("v3/admin/aws/jitAccess/%s", role), &creds)
+	if err != nil {
+		return nil, err
+	}
+	return &creds, nil
+}
+
+// AdminGetJITAwsCredentials retrieves just-in-time admin AWS credentials via the Duplo API.
 func (c *Client) AdminGetJITAwsCredentials() (*AwsJitCredentials, ClientError) {
+	creds, err := c.AdminAwsGetJitAccess("admin")
+
+	// Fallback to legacy API
+	if err != nil && err.Status() == 404 {
+		creds, err = c.LegacyAdminGetJITAwsCredentials()
+	}
+
+	if err != nil {
+		return nil, err
+	}
+	return creds, err
+}
+
+// LegacyAdminGetJITAwsCredentials retrieves just-in-time admin AWS credentials via the Duplo API.
+func (c *Client) LegacyAdminGetJITAwsCredentials() (*AwsJitCredentials, ClientError) {
 	creds := AwsJitCredentials{}
 	err := c.getAPI("AdminGetJITAwsCredentials()", "adminproxy/GetJITAwsConsoleAccessUrl", &creds)
 	if err != nil {
@@ -29,7 +54,7 @@ func (c *Client) AdminGetJITAwsCredentials() (*AwsJitCredentials, ClientError) {
 	return &creds, nil
 }
 
-// TenantGetAwsCredentials retrieves just-in-time AWS credentials for a tenant via the Duplo API.
+// TenantGetJITAwsCredentials retrieves just-in-time AWS credentials for a tenant via the Duplo API.
 func (c *Client) TenantGetJITAwsCredentials(tenantID string) (*AwsJitCredentials, ClientError) {
 	creds := AwsJitCredentials{}
 	err := c.getAPI(