Merge pull request #28 from PaloAltoNetworks/FWAAS-12453

FWAAS-12453: Account onboarding support with AWS profile

Author: panw-ppalkar

go.mod

@@ -7,7 +7,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/sts v1.28.12
 	github.com/hashicorp/terraform-plugin-log v0.2.1
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.10.1
-	github.com/paloaltonetworks/cloud-ngfw-aws-go v1.0.6
+	github.com/paloaltonetworks/cloud-ngfw-aws-go v1.0.7
 	go.uber.org/zap v1.25.0
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1
 )

go.sum

@@ -318,8 +318,8 @@ github.com/nsf/jsondiff v0.0.0-20200515183724-f29ed568f4ce h1:RPclfga2SEJmgMmz2k
 github.com/nsf/jsondiff v0.0.0-20200515183724-f29ed568f4ce/go.mod h1:uFMI8w+ref4v2r9jz+c9i1IfIttS/OkmLfrk1jne5hs=
 github.com/oklog/run v1.0.0 h1:Ru7dDtJNOyC66gQ5dQmaCa0qIsAUFY3sFpK1Xk8igrw=
 github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA=
-github.com/paloaltonetworks/cloud-ngfw-aws-go v1.0.6 h1:YwhSlFbXHwDC0fxqSMiG0gG032PJH5FqDhgQTVanAfo=
-github.com/paloaltonetworks/cloud-ngfw-aws-go v1.0.6/go.mod h1:K7l99F0euqi1IXc20j0AXKBVElI77RGD5U5+LU8FYVQ=
+github.com/paloaltonetworks/cloud-ngfw-aws-go v1.0.7 h1:f91TS1cjyec7SKVsFOPSOr1eZHC4ZyuE+xAIoMhogPY=
+github.com/paloaltonetworks/cloud-ngfw-aws-go v1.0.7/go.mod h1:K7l99F0euqi1IXc20j0AXKBVElI77RGD5U5+LU8FYVQ=
 github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=

internal/provider/account_onboarding.go

@@ -5,9 +5,9 @@ import (
 	"fmt"
 	"time"
 
+	"github.com/hashicorp/terraform-plugin-log/tflog"
 	"github.com/paloaltonetworks/cloud-ngfw-aws-go/api"
 	"github.com/paloaltonetworks/cloud-ngfw-aws-go/api/account"
-	"github.com/hashicorp/terraform-plugin-log/tflog"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"

internal/provider/account_onboarding_stack.go

@@ -40,12 +40,19 @@ type accountOnboardingStackInput struct {
 	onboardingCft       string
 	stackId             string
 	region              string
+	profile             string
 }
 
 // CloudFormationClient returns a AWS cloudformation client by assuming the CFT role in the specified account.
-func CloudFormationClient(ctx context.Context, accountId string, cftRoleName string, region string) (*cloudformation.Client, error) {
+func CloudFormationClient(ctx context.Context, accountId, cftRoleName, region, profile string) (*cloudformation.Client, error) {
 	cftRoleArn := fmt.Sprintf("arn:aws:iam::%s:role/%s", accountId, cftRoleName)
-	cfg, err := config.LoadDefaultConfig(ctx, config.WithRegion(region))
+	options := []func(*config.LoadOptions) error{
+		config.WithRegion(region),
+	}
+	if profile != "" {
+		options = append(options, config.WithSharedConfigProfile(profile))
+	}
+	cfg, err := config.LoadDefaultConfig(ctx, options...)
 	if err != nil {
 		tflog.Info(ctx, "error: %s", err)
 		return nil, err
@@ -95,7 +102,7 @@ func FindStackByName(ctx context.Context, name string, nextToken *string,
 }
 
 func CreateAccountOnboardingStack(ctx context.Context, input accountOnboardingStackInput) (string, error) {
-	cfrClient, err := CloudFormationClient(ctx, input.accountId, input.cftRoleName, input.region)
+	cfrClient, err := CloudFormationClient(ctx, input.accountId, input.cftRoleName, input.region, input.profile)
 	if err != nil {
 		tflog.Info(ctx, "error: %s", err)
 		return "", err
@@ -232,7 +239,7 @@ func WaitForStackDeletion(ctx context.Context, svc *cloudformation.Client, stack
 }
 
 func DeleteStack(ctx context.Context, input accountOnboardingStackInput) error {
-	cfrClient, err := CloudFormationClient(ctx, input.accountId, input.cftRoleName, input.region)
+	cfrClient, err := CloudFormationClient(ctx, input.accountId, input.cftRoleName, input.region, input.profile)
 	if err != nil {
 		tflog.Info(ctx, "error: %s", err)
 		return err
@@ -254,7 +261,7 @@ func DeleteStack(ctx context.Context, input accountOnboardingStackInput) error {
 }
 
 func ReadStack(ctx context.Context, input accountOnboardingStackInput) (string, error) {
-	cfrClient, err := CloudFormationClient(ctx, input.accountId, input.cftRoleName, input.region)
+	cfrClient, err := CloudFormationClient(ctx, input.accountId, input.cftRoleName, input.region, input.profile)
 	if err != nil {
 		tflog.Info(ctx, "error: %s", err)
 		return "", err
@@ -293,6 +300,7 @@ func resourceAccountOnboardingStack() *schema.Resource {
 func createAccountOnboardingStack(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	svc := meta.(*api.ApiClient)
 	mpRegion := svc.GetMPRegion(ctx)
+	profile := svc.GetProfile(ctx)
 	accountId := d.Get("account_id").(string)
 	stackInput := accountOnboardingStackInput{
 		auditLogGroup:       d.Get("auditlog_group").(string),
@@ -309,6 +317,7 @@ func createAccountOnboardingStack(ctx context.Context, d *schema.ResourceData, m
 		snsTopicArn:         d.Get("sns_topic_arn").(string),
 		accountId:           accountId,
 		region:              mpRegion,
+		profile:             profile,
 	}
 	stackId, err := CreateAccountOnboardingStack(ctx, stackInput)
 	if err != nil {
@@ -323,12 +332,14 @@ func createAccountOnboardingStack(ctx context.Context, d *schema.ResourceData, m
 func deleteAccountOnboardingStack(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	svc := meta.(*api.ApiClient)
 	mpRegion := svc.GetMPRegion(ctx)
+	profile := svc.GetProfile(ctx)
 	accountId := d.Get("account_id").(string)
 	stackInput := accountOnboardingStackInput{
 		cftRoleName: d.Get("cft_role_name").(string),
 		stackId:     d.Get("stack_id").(string),
 		accountId:   accountId,
 		region:      mpRegion,
+		profile:     profile,
 	}
 	err := DeleteStack(ctx, stackInput)
 	if err != nil {
@@ -341,13 +352,15 @@ func deleteAccountOnboardingStack(ctx context.Context, d *schema.ResourceData, m
 func readAccountOnboardingStack(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	svc := meta.(*api.ApiClient)
 	mpRegion := svc.GetMPRegion(ctx)
+	profile := svc.GetProfile(ctx)
 	accountId := d.Get("account_id").(string)
 	stackId := d.Get("stack_id").(string)
 	stackInput := accountOnboardingStackInput{
 		cftRoleName: d.Get("cft_role_name").(string),
 		stackId:     stackId,
 		accountId:   accountId,
 		region:      mpRegion,
+		profile:     profile,
 	}
 	stackStatus, err := ReadStack(ctx, stackInput)
 	if err != nil {

internal/provider/provider.go

@@ -6,13 +6,13 @@ import (
 	"strings"
 	"time"
 
-	ngfw "github.com/paloaltonetworks/cloud-ngfw-aws-go"
-	"github.com/paloaltonetworks/cloud-ngfw-aws-go/api"
-	"github.com/paloaltonetworks/cloud-ngfw-aws-go/ngfw/aws"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/logging"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+	ngfw "github.com/paloaltonetworks/cloud-ngfw-aws-go"
+	"github.com/paloaltonetworks/cloud-ngfw-aws-go/api"
+	"github.com/paloaltonetworks/cloud-ngfw-aws-go/ngfw/aws"
 )
 
 var resourceTimeout = 120 * time.Minute

internal/provider/security_rule.go

@@ -6,12 +6,12 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/paloaltonetworks/cloud-ngfw-aws-go/api"
-	"github.com/paloaltonetworks/cloud-ngfw-aws-go/api/security"
 	"github.com/hashicorp/terraform-plugin-log/tflog"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+	"github.com/paloaltonetworks/cloud-ngfw-aws-go/api"
+	"github.com/paloaltonetworks/cloud-ngfw-aws-go/api/security"
 )
 
 // Data source.