Merge pull request #13 from jamestelfer/region-support

feat: region parameter support

README.md

@@ -24,7 +24,7 @@ Use the plugin in your steps like this:
 steps:
   - command: aws sts get-caller-identity
     plugins:
-      - aws-assume-role-with-web-identity#v1.0.0:
+      - aws-assume-role-with-web-identity#v1.1.0:
           role-arn: arn:aws:iam::AWS-ACCOUNT-ID:role/SOME-ROLE
 ```
 
@@ -50,6 +50,15 @@ An integer number of seconds that the assumed role session should last. Passed a
 
 Defaults to `3600` (via the AWS CLI).
 
+### `region` (optional, string)
+
+Exports `AWS_REGION` and `AWS_DEFAULT_REGION` with the value you set. If not set
+the values of `AWS_REGION` and `AWS_DEFAULT_REGION` will not be changed.
+
+Note that and `AWS_REGION` is used by the AWS CLI v2 and most SDKs.
+`AWS_DEFAULT_REGION` is included for compatibility with older SDKs and CLI
+versions.
+
 ## AWS configuration with Terraform
 
 If you automate your infrastructure with Terraform, the following configuration will setup a valid OIDC IdP in AWS -- adapted from [an example for using OIDC with EKS](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster.html#enabling-iam-roles-for-service-accounts):

hooks/environment

@@ -40,3 +40,10 @@ export AWS_SECRET_ACCESS_KEY="$(jq -r ".Credentials.SecretAccessKey" <<< "${RESP
 export AWS_SESSION_TOKEN="$(jq -r ".Credentials.SessionToken" <<< "${RESPONSE}")"
 
 echo "Assumed role: $(jq -r .AssumedRoleUser.AssumedRoleId <<< "${RESPONSE}")"
+
+region="${BUILDKITE_PLUGIN_AWS_ASSUME_ROLE_WITH_WEB_IDENTITY_REGION:-}"
+if [[ -n $region ]]; then
+  export AWS_REGION="$region"
+  export AWS_DEFAULT_REGION="$region"
+  echo "Using region: ${AWS_REGION}"
+fi

plugin.yml

@@ -12,6 +12,8 @@ configuration:
       type: string
     role-session-duration:
       type: integer
+    region:
+      type: string
   required:
     - role-arn
   additionalProperties: false

tests/environment.bats

@@ -13,6 +13,8 @@ run_test_command() {
   echo "TESTRESULT:AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID:-"<value not set>"}"
   echo "TESTRESULT:AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY:-"<value not set>"}"
   echo "TESTRESULT:AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN:-"<value not set>"}"
+  echo "TESTRESULT:AWS_REGION=${AWS_REGION:-"<value not set>"}"
+  echo "TESTRESULT:AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION:-"<value not set>"}"
 }
 
 @test "calls aws sts and exports AWS_ env vars" {
@@ -92,3 +94,76 @@ EOF
   unstub aws
   unstub buildkite-agent
 }
+
+@test "passes in a custom region" {
+  export BUILDKITE_JOB_ID="job-uuid-42"
+  export BUILDKITE_PLUGIN_AWS_ASSUME_ROLE_WITH_WEB_IDENTITY_ROLE_ARN="role123"
+  export BUILDKITE_PLUGIN_AWS_ASSUME_ROLE_WITH_WEB_IDENTITY_REGION="eu-central-1"
+
+  stub buildkite-agent "oidc request-token --audience sts.amazonaws.com * : echo 'buildkite-oidc-token'"
+  stub aws "sts assume-role-with-web-identity --role-arn role123 --role-session-name buildkite-job-job-uuid-42 --web-identity-token buildkite-oidc-token : cat tests/sts.json"
+
+  run run_test_command $PWD/hooks/environment
+
+  assert_success
+  assert_output --partial "Using region: eu-central-1"
+  assert_output --partial "Role ARN: role123"
+
+  assert_output --partial "TESTRESULT:AWS_ACCESS_KEY_ID=access-key-id-value"
+  assert_output --partial "TESTRESULT:AWS_SECRET_ACCESS_KEY=secret-access-key-value"
+  assert_output --partial "TESTRESULT:AWS_SESSION_TOKEN=session-token-value"
+  assert_output --partial "TESTRESULT:AWS_REGION=eu-central-1"
+  assert_output --partial "TESTRESULT:AWS_DEFAULT_REGION=eu-central-1"
+
+  unstub aws
+  unstub buildkite-agent
+}
+
+@test "region not used for STS call" {
+  export BUILDKITE_JOB_ID="job-uuid-42"
+  export BUILDKITE_PLUGIN_AWS_ASSUME_ROLE_WITH_WEB_IDENTITY_ROLE_ARN="role123"
+  export BUILDKITE_PLUGIN_AWS_ASSUME_ROLE_WITH_WEB_IDENTITY_REGION="eu-central-1"
+
+  stub buildkite-agent "oidc request-token --audience sts.amazonaws.com * : echo 'buildkite-oidc-token'"
+  stub aws "sts assume-role-with-web-identity --role-arn role123 --role-session-name buildkite-job-job-uuid-42 --web-identity-token buildkite-oidc-token : echo \"STS-REGION:[\${AWS_REGION-<not set>}]\" 1>&2; cat tests/sts.json"
+
+  run run_test_command $PWD/hooks/environment
+
+  assert_success
+  assert_output --partial "Using region: eu-central-1"
+  assert_output --partial "Role ARN: role123"
+  refute_output --partial "STS-REGION:[eu-central-1]"
+  assert_output --partial "STS-REGION:[<not set>]"
+
+  assert_output --partial "TESTRESULT:AWS_ACCESS_KEY_ID=access-key-id-value"
+  assert_output --partial "TESTRESULT:AWS_SECRET_ACCESS_KEY=secret-access-key-value"
+  assert_output --partial "TESTRESULT:AWS_SESSION_TOKEN=session-token-value"
+  assert_output --partial "TESTRESULT:AWS_REGION=eu-central-1"
+  assert_output --partial "TESTRESULT:AWS_DEFAULT_REGION=eu-central-1"
+
+  unstub aws
+  unstub buildkite-agent
+}
+
+@test "does not pass in a custom region" {
+  export BUILDKITE_JOB_ID="job-uuid-42"
+  export BUILDKITE_PLUGIN_AWS_ASSUME_ROLE_WITH_WEB_IDENTITY_ROLE_ARN="role123"
+
+  stub buildkite-agent "oidc request-token --audience sts.amazonaws.com * : echo 'buildkite-oidc-token'"
+  stub aws "sts assume-role-with-web-identity --role-arn role123 --role-session-name buildkite-job-job-uuid-42 --web-identity-token buildkite-oidc-token : cat tests/sts.json"
+
+  run run_test_command $PWD/hooks/environment
+
+  assert_success
+  assert_output --partial "Role ARN: role123"
+  assert_output --partial "Assumed role: assumed-role-id-value"
+
+  assert_output --partial "TESTRESULT:AWS_ACCESS_KEY_ID=access-key-id-value"
+  assert_output --partial "TESTRESULT:AWS_SECRET_ACCESS_KEY=secret-access-key-value"
+  assert_output --partial "TESTRESULT:AWS_SESSION_TOKEN=session-token-value"
+  assert_output --partial "TESTRESULT:AWS_REGION=<value not set>"
+  assert_output --partial "TESTRESULT:AWS_DEFAULT_REGION=<value not set>"
+
+  unstub aws
+  unstub buildkite-agent
+}