Merge pull request #16 from john-shaffer/15-allow-use-of-iam-roles

leonstafford · web-flow · commit 2f654db36d33 · 2020-05-15T14:52:09.000+09:30
Allow use of IAM roles
diff --git a/src/Deployer.php b/src/Deployer.php
@@ -24,36 +24,8 @@ public function upload_files( string $processed_site_path ) : void {
             return;
         }
 
-        $client_options = [
-            'profile' => Controller::getValue( 's3Profile' ),
-            'version' => 'latest',
-            'region' => Controller::getValue( 's3Region' ),
-        ];
-
-        /*
-            If no credentials option, SDK attempts to load credentials from
-            your environment in the following order:
-
-                 - environment variables.
-                 - a credentials .ini file.
-                 - an IAM role.
-        */
-        if (
-            Controller::getValue( 's3AccessKeyID' ) &&
-            Controller::getValue( 's3SecretAccessKey' )
-        ) {
-            $client_options['credentials'] = [
-                'key' => Controller::getValue( 's3AccessKeyID' ),
-                'secret' => \WP2Static\CoreOptions::encrypt_decrypt(
-                    'decrypt',
-                    Controller::getValue( 's3SecretAccessKey' )
-                ),
-            ];
-            unset( $client_options['profile'] );
-        }
-
         // instantiate S3 client
-        $s3 = new \Aws\S3\S3Client( $client_options );
+        $s3 = self::s3_client();
 
         // iterate each file in ProcessedSite
         $iterator = new RecursiveIteratorIterator(
@@ -114,44 +86,95 @@ public function upload_files( string $processed_site_path ) : void {
         }
     }
 
+    public function s3_client() : \Aws\S3\S3Client {
+        $client_options = [
+            'version' => 'latest',
+            'region' => Controller::getValue( 's3Region' ),
+        ];
+
+        /*
+           If no credentials option, SDK attempts to load credentials from
+           your environment in the following order:
 
-    public function cloudfront_invalidate_all_items() : void {
-        if ( ! Controller::getValue( 'cfDistributionID' ) ) {
-            return;
+           - environment variables.
+           - a credentials .ini file.
+           - an IAM role.
+         */
+        if (
+            Controller::getValue( 's3AccessKeyID' ) &&
+            Controller::getValue( 's3SecretAccessKey' )
+        ) {
+            $client_options['credentials'] = [
+                'key' => Controller::getValue( 's3AccessKeyID' ),
+                'secret' => \WP2Static\CoreOptions::encrypt_decrypt(
+                    'decrypt',
+                    Controller::getValue( 's3SecretAccessKey' )
+                ),
+            ];
+        } else if ( Controller::getValue( 's3Profile' ) ) {
+            $client_options['profile'] = Controller::getValue( 's3Profile' );
         }
 
-        \WP2Static\WsLog::l( 'Invalidating all CloudFront items' );
+        return new \Aws\S3\S3Client( $client_options );
+    }
 
+    public function cloudfront_client() : \Aws\CloudFront\CloudFrontClient {
         /*
             If no credentials option, SDK attempts to load credentials from
             your environment in the following order:
-
                  - environment variables.
                  - a credentials .ini file.
                  - an IAM role.
         */
         if (
-            Controller::getValue( 's3AccessKeyID' ) &&
-            Controller::getValue( 's3SecretAccessKey' )
+            Controller::getValue( 'cfAccessKeyID' ) &&
+            Controller::getValue( 'cfSecretAccessKey' )
         ) {
-
+            // Use the supplied access keys.
             $credentials = new \Aws\Credentials\Credentials(
-                Controller::getValue( 's3AccessKeyID' ),
+                Controller::getValue( 'cfAccessKeyID' ),
                 \WP2Static\CoreOptions::encrypt_decrypt(
                     'decrypt',
-                    Controller::getValue( 's3SecretAccessKey' )
+                    Controller::getValue( 'cfSecretAccessKey' )
                 )
             );
+            $client = \Aws\CloudFront\CloudFrontClient::factory(
+                [
+                    'region' => Controller::getValue( 'cfRegion' ),
+                    'version' => 'latest',
+                    'credentials' => $credentials,
+                ]
+            );
+        } else if ( Controller::getValue( 'cfProfile' ) ) {
+            // Use the specified profile.
+            $client = \Aws\CloudFront\CloudFrontClient::factory(
+                [
+                    'profile' => Controller::getValue( 'cfProfile' ),
+                    'region' => Controller::getValue( 'cfRegion' ),
+                    'version' => 'latest',
+                ]
+            );
+        } else {
+            // Use the IAM role.
+            $client = \Aws\CloudFront\CloudFrontClient::factory(
+                [
+                    'region' => Controller::getValue( 'cfRegion' ),
+                    'version' => 'latest',
+                ]
+            );
         }
 
-        $client = \Aws\CloudFront\CloudFrontClient::factory(
-            [
-                'profile' => Controller::getValue( 'cfProfile' ),
-                'region' => Controller::getValue( 'cfRegion' ),
-                'version' => 'latest',
-                'credentials' => isset( $credentials ) ? $credentials : '',
-            ]
-        );
+        return $client;
+    }
+
+    public function cloudfront_invalidate_all_items() : void {
+        if ( ! Controller::getValue( 'cfDistributionID' ) ) {
+            return;
+        }
+
+        \WP2Static\WsLog::l( 'Invalidating all CloudFront items' );
+
+        $client = self::cloudfront_client();
 
         try {
             $result = $client->createInvalidation(
