Add cloud account CRUD endpoints

1 files changed, 35 insertions, 0 deletions

diff --git a/cloud/aws/aws.go b/cloud/aws/aws.go
index 180b2c4..36ac338 100644
--- a/cloud/aws/aws.go
+++ b/cloud/aws/aws.go
@@ -82,6 +82,41 @@ func NewAWSClientFromAccount(a *models.Account) (AWSClient, error) {
         }, nil
 }
 
+// ValidateVaultMaterial is used to check that a Vault material can be accessed
+// and that the shape of that material is correct for an AWS access key and
+// role list.
+//
+// This should be used for admission control for the creation of new accounts.
+func ValidateVaultMaterial(m string) error {
+        var ac account
+        if err := vault.GetVaultKeyStruct(m, &ac); err != nil {
+                return fmt.Errorf("Unable to access vault material: %w", err)
+        }
+
+        if ac.AccessKeyId == "" {
+                return fmt.Errorf("AccessKeyId is empty")
+        }
+
+        if ac.SecretAccessKey == "" {
+                return fmt.Errorf("SecretAccessKey is empty")
+        }
+
+        if len(ac.Roles) == 0 {
+                return fmt.Errorf("No roles specified")
+        }
+
+        for k, r := range ac.Roles {
+                if r.ARN == "" {
+                        return fmt.Errorf("ARN for role %s is empty", k)
+                }
+                if r.ExternalId == "" {
+                        return fmt.Errorf("ExternalId for role %s is empty", k)
+                }
+        }
+
+        return nil
+}
+
 // AssumeRole uses an IAM user credential with higher privilege to assume a
 // role in an AWS account and region. It returns the STS credentials.
 //