Cross-account parameter resolving

README.md

@@ -198,6 +198,40 @@ One benefit of using parameter resolvers instead of hard coding values like VPC
 IDs and resource ARNs is that the same configuration works cross
 region/account, even though the resolved values will be different.
 
+### Cross-account parameter resolving
+
+One way to resolve parameter values from different accounts to the one StackMaster runs in, is to
+assume a role in another account with the relevant IAM permissions to execute successfully.
+
+This is supported in StackMaster by specifying the `role` and `account` properties for any
+parameter resolver in the stack's parameters file.
+
+```yaml
+vpc_peering_id:
+  role: cross-account-parameter-resolver
+  account: 1234567890
+  stack_output: vpc-peering-stack-in-other-account/peering_name
+
+an_array_param:
+  role: cross-account-parameter-resolver
+  account: 1234567890
+  stack_outputs:
+    - stack-in-account1/output
+    - stack-in-account1/another_output
+
+another_array_param:
+  - role: cross-account-parameter-resolver
+    account: 1234567890
+    stack_output: stack-in-account1/output
+  - role: cross-account-parameter-resolver
+    account: 0987654321
+    stack_output: stack-in-account2/output
+```
+
+An example of use case where cross-account parameter resolving is particularly useful is when
+setting up VPC peering where you need the VPC ID of the peer. Without the ability to assume
+a role in another account, the only option was to hard code the peer's VPC ID.
+
 ### Stack Output
 
 The stack output parameter resolver looks up outputs from other stacks in the
@@ -270,7 +304,7 @@ db_password:
 ```
 
 ### 1Password Lookup
-An Alternative to the alternative secret store is accessing 1password secrets using the 1password cli (`op`).
+An alternative to the alternative secret store is accessing 1password secrets using the 1password cli (`op`).
 You declare a 1password lookup with the following parameters in your parameters file:
 
 ```

features/apply_with_assume_role_parameter_resolvers.feature

@@ -0,0 +1,57 @@
+Feature: Apply command with assume role parameter resolvers
+
+  Background:
+    Given a file named "stack_master.yml" with:
+      """
+      stacks:
+        us-east-2:
+          vpc:
+            template: vpc.rb
+          myapp_web:
+            template: myapp_web.rb
+      """
+    And a directory named "parameters"
+    And a file named "parameters/myapp_web.yml" with:
+      """
+      vpc_id:
+        role: my-role
+        account: 1234567890
+        stack_output: vpc/vpc_id
+      """
+    And a directory named "templates"
+    And a file named "templates/myapp_web.rb" with:
+      """
+      SparkleFormation.new(:myapp_web) do
+        description "Test template"
+        set!('AWSTemplateFormatVersion', '2010-09-09')
+
+        parameters.vpc_id do
+          description 'VPC ID'
+          type 'AWS::EC2::VPC::Id'
+        end
+
+        resources.test_sg do
+          type 'AWS::EC2::SecurityGroup'
+          properties do
+            group_description 'Test SG'
+            vpc_id ref!(:vpc_id)
+          end
+        end
+      end
+      """
+
+  Scenario: Run apply and create a new stack
+    Given I stub the CloudFormation driver
+    Given I stub the following stack events:
+      | stack_id | event_id | stack_name | logical_resource_id | resource_status | resource_type              | timestamp           |
+      | 1        | 1        | myapp-web  | myapp-web           | CREATE_COMPLETE | AWS::CloudFormation::Stack | 2020-10-29 00:00:00 |
+    And I stub the following stacks:
+      | stack_id | stack_name | parameters           | outputs      | region    |
+      | 1        | vpc        | VpcCidr=10.0.0.16/22 | VpcId=vpc-id | us-east-2 |
+      | 2        | myapp_web  |                      |              | us-east-2 |
+    Then I expect the role "my-role" is assumed in account "1234567890"
+    When I run `stack_master apply us-east-2 myapp_web --trace`
+    And the output should contain all of these lines:
+      | +---           |
+      | +VpcId: vpc-id |
+    Then the exit status should be 0

features/step_definitions/asume_role_steps.rb

@@ -0,0 +1,6 @@
+Then(/^I expect the role "([^"]*)" is assumed in account "([^"]*)"$/) do |role, account|
+  expect(Aws::AssumeRoleCredentials).to receive(:new).with(
+    role_arn: "arn:aws:iam::#{account}:role/#{role}",
+    role_session_name: instance_of(String)
+  )
+end

features/step_definitions/stack_steps.rb

@@ -65,6 +65,10 @@ def extract_hash_from_kv_string(string)
   allow(StackMaster.cloud_formation_driver).to receive(:validate_template).and_raise(Aws::CloudFormation::Errors::ValidationError.new('', message))
 end
 
+Given(/^I stub the CloudFormation driver$/) do
+  allow(StackMaster.cloud_formation_driver.class).to receive(:new).and_return(StackMaster.cloud_formation_driver)
+end
+
 When(/^an S3 file in bucket "([^"]*)" with key "([^"]*)" exists with content:$/) do |bucket, key, body|
   file = StackMaster.s3_driver.find_file(bucket: bucket, object_key: key)
   expect(file).to eq body

lib/stack_master.rb

@@ -30,6 +30,7 @@ module StackMaster
   autoload :SecurityGroupFinder, 'stack_master/security_group_finder'
   autoload :ParameterLoader, 'stack_master/parameter_loader'
   autoload :ParameterResolver, 'stack_master/parameter_resolver'
+  autoload :RoleAssumer, 'stack_master/role_assumer'
   autoload :ResolverArray, 'stack_master/resolver_array'
   autoload :Resolver, 'stack_master/resolver_array'
   autoload :Utils, 'stack_master/utils'

lib/stack_master/parameter_resolver.rb

@@ -49,16 +49,37 @@ def resolve_parameter_value(key, parameter_value)
       return parameter_value.to_s if Numeric === parameter_value || parameter_value == true || parameter_value == false
       return resolve_array_parameter_values(key, parameter_value).join(',') if Array === parameter_value
       return parameter_value unless Hash === parameter_value
-      validate_parameter_value!(key, parameter_value)
+      resolve_parameter_resolver_hash(key, parameter_value)
+    rescue Aws::CloudFormation::Errors::ValidationError
+      raise InvalidParameter, $!.message
+    end
+
+    def resolve_parameter_resolver_hash(key, parameter_value)
+      # strip out account and role
+      resolver_hash = parameter_value.except('account', 'role')
+      account, role = parameter_value.values_at('account', 'role')
 
-      resolver_name = parameter_value.keys.first.to_s
+      validate_parameter_value!(key, resolver_hash)
+
+      resolver_name = resolver_hash.keys.first.to_s
       load_parameter_resolver(resolver_name)
 
-      value = parameter_value.values.first
+      value = resolver_hash.values.first
       resolver_class_name = resolver_name.camelize
-      call_resolver(resolver_class_name, value)
-    rescue Aws::CloudFormation::Errors::ValidationError
-      raise InvalidParameter, $!.message
+
+      assume_role_if_present(account, role, key) do
+        call_resolver(resolver_class_name, value)
+      end
+    end
+
+    def assume_role_if_present(account, role, key)
+      return yield if account.nil? && role.nil?
+      if account.nil? || role.nil?
+        raise InvalidParameter, "Both 'account' and 'role' are required to assume role for parameter '#{key}'"
+      end
+      role_assumer.assume_role(account, role) do
+        yield
+      end
     end
 
     def resolve_array_parameter_values(key, parameter_values)
@@ -94,5 +115,9 @@ def validate_parameter_value!(key, parameter_value)
         raise InvalidParameter, "#{key} hash contained more than one key: #{parameter_value.inspect}"
       end
     end
+
+    def role_assumer
+      @role_assumer ||= RoleAssumer.new
+    end
   end
 end

lib/stack_master/role_assumer.rb

@@ -0,0 +1,59 @@
+require 'active_support/core_ext/object/deep_dup'
+
+module StackMaster
+  class RoleAssumer
+    BlockNotSpecified = Class.new(StandardError)
+
+    def initialize
+      @credentials = {}
+    end
+
+    def assume_role(account, role, &block)
+      raise BlockNotSpecified unless block_given?
+      raise ArgumentError, "Both 'account' and 'role' are required to assume a role" if account.nil? || role.nil?
+
+      original_aws_config = replace_aws_global_config
+      Aws.config[:credentials] = assume_role_credentials(account, role)
+      begin
+        original_cf_driver = replace_cf_driver
+        block.call
+      ensure
+        restore_aws_global_config(original_aws_config)
+        restore_cf_driver(original_cf_driver)
+      end
+    end
+
+    private
+
+    def replace_aws_global_config
+      config = Aws.config
+      Aws.config = config.deep_dup
+      config
+    end
+
+    def restore_aws_global_config(config)
+      Aws.config = config
+    end
+
+    def replace_cf_driver
+      driver = StackMaster.cloud_formation_driver
+      StackMaster.cloud_formation_driver = driver.class.new
+      driver
+    end
+
+    def restore_cf_driver(driver)
+      return if driver.nil?
+      StackMaster.cloud_formation_driver = driver
+    end
+
+    def assume_role_credentials(account, role)
+      credentials_key = "#{account}:#{role}"
+      @credentials.fetch(credentials_key) do
+        @credentials[credentials_key] = Aws::AssumeRoleCredentials.new(
+          role_arn: "arn:aws:iam::#{account}:role/#{role}",
+          role_session_name: "stack-master-assume-role-parameter-resolver"
+        )
+      end
+    end
+  end
+end

spec/stack_master/parameter_resolver_spec.rb

@@ -98,6 +98,91 @@ def resolve(params)
     end
   end
 
+  context 'when assuming a role' do
+    let(:role_assumer) { instance_double(StackMaster::RoleAssumer, assume_role: nil ) }
+    let(:account) { '1234567890' }
+    let(:role) { 'my-role' }
+
+    before do
+      allow(StackMaster::RoleAssumer).to receive(:new).and_return(role_assumer)
+    end
+
+    context 'with valid assume role properties' do
+      let(:params) do
+        {
+          param: {
+            'account' => account,
+            'role' => role,
+            'my_resolver' => 2
+          }
+        }
+      end
+
+      it 'assumes the role' do
+        expect(StackMaster::RoleAssumer).to receive(:new)
+        expect(role_assumer).to receive(:assume_role).with(account, role)
+
+        parameter_resolver.resolve
+      end
+    end
+
+    context 'when multiple params assume roles' do
+      let(:params) do
+        {
+          param: {
+            'account' => account,
+            'role' => role,
+            'my_resolver' => 1
+          },
+          param2: {
+            'account' => account,
+            'role' => 'different-role',
+            'my_resolver' => 2
+          }
+        }
+      end
+
+      it 'caches the role assumer' do
+        expect(StackMaster::RoleAssumer).to receive(:new).once
+
+        parameter_resolver.resolve
+      end
+
+      it 'calls assume role once for every param' do
+        expect(role_assumer).to receive(:assume_role).with(account, role).once
+        expect(role_assumer).to receive(:assume_role).with(account, 'different-role').once
+
+        parameter_resolver.resolve
+      end
+    end
+
+    context 'with missing assume role properties' do
+      it 'does not assume a role' do
+        expect(StackMaster::RoleAssumer).not_to receive(:new)
+
+        parameter_resolver.resolve
+      end
+    end
+
+    context "with missing 'account' property" do
+      it 'raises an invalid parameter error' do
+        expect {
+          resolve(param: { 'role' => role, 'my_resolver' => 2 })
+        }.to raise_error StackMaster::ParameterResolver::InvalidParameter,
+                         match("Both 'account' and 'role' are required to assume role for parameter 'param'")
+      end
+    end
+
+    context "with missing 'role' property" do
+      it 'raises an invalid parameter error' do
+        expect {
+          resolve(param: { 'account' => account, 'my_resolver' => 2 })
+        }.to raise_error StackMaster::ParameterResolver::InvalidParameter,
+                         match("Both 'account' and 'role' are required to assume role for parameter 'param'")
+      end
+    end
+  end
+
   context 'resolver class caching' do
     it "uses the same instance of the resolver for the duration of the resolve run" do
       expect(my_resolver).to receive(:new).once.and_call_original