From deeb1d85f8f0af0f200ec30d5e017e1c36ce2691 Mon Sep 17 00:00:00 2001 From: Sarah Zinger Date: Fri, 4 Aug 2023 16:06:01 -0400 Subject: [PATCH] Config: making [aws][external_id] part of env (#72062) * Config: making [aws][external_id] part of env * Fix go.sum * Add a test --- go.mod | 2 +- go.sum | 2 ++ pkg/plugins/config/config.go | 4 +++- pkg/plugins/envvars/envvars.go | 3 +++ pkg/plugins/envvars/envvars_test.go | 14 ++++++++++++++ pkg/services/pluginsintegration/config/config.go | 1 + pkg/setting/setting.go | 6 ++++++ 7 files changed, 30 insertions(+), 2 deletions(-) diff --git a/go.mod b/go.mod index 9c136c83306..b32e312b1e3 100644 --- a/go.mod +++ b/go.mod @@ -64,7 +64,7 @@ require ( github.com/gorilla/websocket v1.5.0 // @grafana/grafana-app-platform-squad github.com/grafana/alerting v0.0.0-20230606080147-55b8d71c7890 // @grafana/alerting-squad-backend github.com/grafana/cuetsy v0.1.10 // @grafana/grafana-as-code - github.com/grafana/grafana-aws-sdk v0.16.1 // @grafana/aws-datasources + github.com/grafana/grafana-aws-sdk v0.18.0 // @grafana/aws-datasources github.com/grafana/grafana-azure-sdk-go v1.7.0 // @grafana/backend-platform github.com/grafana/grafana-plugin-sdk-go v0.171.0 // @grafana/plugins-platform-backend github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 // @grafana/backend-platform diff --git a/go.sum b/go.sum index 361817f81e7..f8cd0abb237 100644 --- a/go.sum +++ b/go.sum 
@@ -1793,6 +1793,8 @@ github.com/grafana/grafana-aws-sdk v0.16.0 h1:FFVab0jvhENce5cMEAodANCa5ARjyObN1d github.com/grafana/grafana-aws-sdk v0.16.0/go.mod h1:rCXLYoMpPqF90U7XqgVJ1HIAopFVF0bB3SXBVEJIm3I= github.com/grafana/grafana-aws-sdk v0.16.1 h1:R/hMtQP7H0+8nWFoIOApaZj0qstmZM+5Pw0rRzk3A3Y= github.com/grafana/grafana-aws-sdk v0.16.1/go.mod h1:rCXLYoMpPqF90U7XqgVJ1HIAopFVF0bB3SXBVEJIm3I= +github.com/grafana/grafana-aws-sdk v0.18.0 h1:cWuJAWGQeaTOShpH6tb+Ui/JPBw6Fl+VawYbuKV21+E= +github.com/grafana/grafana-aws-sdk v0.18.0/go.mod h1:rCXLYoMpPqF90U7XqgVJ1HIAopFVF0bB3SXBVEJIm3I= github.com/grafana/grafana-azure-sdk-go v1.7.0 h1:2EAPwNl/qsDMHwKjlzaHif+H+bHcF1W7sM8/jAcxVcI= github.com/grafana/grafana-azure-sdk-go v1.7.0/go.mod h1:X4PdEQIYgHfn0KTa2ZTKvufhNz6jbCEKUQPZIlcyOGw= github.com/grafana/grafana-google-sdk-go v0.1.0 h1:LKGY8z2DSxKjYfr2flZsWgTRTZ6HGQbTqewE3JvRaNA= diff --git a/pkg/plugins/config/config.go b/pkg/plugins/config/config.go index cd40e433c8b..317e8bfc464 100644 --- a/pkg/plugins/config/config.go +++ b/pkg/plugins/config/config.go @@ -21,6 +21,7 @@ type Cfg struct { // AWS Plugin Auth AWSAllowedAuthProviders []string AWSAssumeRoleEnabled bool + AWSExternalId string // Azure Cloud settings Azure *azsettings.AzureSettings @@ -46,7 +47,7 @@ type Cfg struct { } func NewCfg(devMode bool, pluginsPath string, pluginSettings setting.PluginSettings, pluginsAllowUnsigned []string, - awsAllowedAuthProviders []string, awsAssumeRoleEnabled bool, azure *azsettings.AzureSettings, secureSocksDSProxy setting.SecureSocksDSProxySettings, + awsAllowedAuthProviders []string, awsAssumeRoleEnabled bool, awsExternalId string, azure *azsettings.AzureSettings, secureSocksDSProxy setting.SecureSocksDSProxySettings, grafanaVersion string, logDatasourceRequests bool, pluginsCDNURLTemplate string, appURL string, tracing Tracing, features plugins.FeatureToggles, angularSupportEnabled bool, grafanaComURL string) *Cfg { return &Cfg{ 
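Review bot: `AWSExternalId` is added to `Cfg` under "AWS Plugin Auth" in pkg/plugins/config/config.go with no comment saying what it holds or where it comes from, and the same bare field is added to `setting.Cfg` in pkg/setting/setting.go. A one-line comment would help, for example `// AWSExternalId is the [aws] external_id setting, handed to plugins as awsds.GrafanaAssumeRoleExternalIdKeyName; empty means unset.` The "empty means unset" part follows from the `!= ""` guard that awsEnvVars gets later in this commit. The struct begins and ends outside the hunk.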
@@ -58,6 +59,7 @@ func NewCfg(devMode bool, pluginsPath string, pluginSettings setting.PluginSetti PluginsAllowUnsigned: pluginsAllowUnsigned, AWSAllowedAuthProviders: awsAllowedAuthProviders, AWSAssumeRoleEnabled: awsAssumeRoleEnabled, + AWSExternalId: awsExternalId, Azure: azure, ProxySettings: secureSocksDSProxy, LogDatasourceRequests: logDatasourceRequests, diff --git a/pkg/plugins/envvars/envvars.go b/pkg/plugins/envvars/envvars.go index 6b80cfed23b..0e8058b3b7b 100644 --- a/pkg/plugins/envvars/envvars.go +++ b/pkg/plugins/envvars/envvars.go @@ -92,6 +92,9 @@ func (s *Service) awsEnvVars() []string { if len(s.cfg.AWSAllowedAuthProviders) > 0 { variables = append(variables, awsds.AllowedAuthProvidersEnvVarKeyName+"="+strings.Join(s.cfg.AWSAllowedAuthProviders, ",")) } + if s.cfg.AWSExternalId != "" { + variables = append(variables, awsds.GrafanaAssumeRoleExternalIdKeyName+"="+s.cfg.AWSExternalId) + } return variables } diff --git a/pkg/plugins/envvars/envvars_test.go b/pkg/plugins/envvars/envvars_test.go index c50bf64790b..81f435335ae 100644 --- a/pkg/plugins/envvars/envvars_test.go +++ b/pkg/plugins/envvars/envvars_test.go @@ -337,3 +337,17 @@ func TestInitializer_oauthEnvVars(t *testing.T) { assert.Equal(t, "GF_PLUGIN_APP_PRIVATE_KEY=privatePem", envVars[4]) }) } + +func TestInitalizer_awsEnvVars(t *testing.T) { + t.Run("backend datasource with aws settings", func(t *testing.T) { + p := &plugins.Plugin{} + envVarsProvider := NewProvider(&config.Cfg{ + AWSAssumeRoleEnabled: true, + AWSAllowedAuthProviders: []string{"grafana_assume_role", "keys"}, + AWSExternalId: "mock_external_id", + }, nil) + envVars, err := envVarsProvider.Get(context.Background(), p) + require.NoError(t, err) + assert.ElementsMatch(t, []string{"GF_VERSION=", "AWS_AUTH_AssumeRoleEnabled=true", "AWS_AUTH_AllowedAuthProviders=grafana_assume_role,keys", "AWS_AUTH_EXTERNAL_ID=mock_external_id"}, envVars) + }) +} 
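Review bot: The external ID appears to be exported to every backend plugin process, not only AWS data sources. The test added in this commit passes an empty `plugins.Plugin{}` and still expects `AWS_AUTH_EXTERNAL_ID=mock_external_id`. That matches how the neighbouring `AWS_AUTH_*` values are handled, but the scope should be stated where the value is appended, e.g. `// Exported to every backend plugin process, same as the other AWS_AUTH_* settings.` Operators who rely on the external ID to scope an assume-role trust policy then know that any installed plugin can read it. awsEnvVars begins outside the hunk, so any per-plugin gating earlier in the function is not visible here.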
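Review bot: The new test name is misspelled as `TestInitalizer_awsEnvVars`, while the existing test directly above is `TestInitializer_oauthEnvVars`; it should be `TestInitializer_awsEnvVars`. Only the case with an external ID set is covered. A second `t.Run` that leaves `AWSExternalId` empty and asserts that no `AWS_AUTH_EXTERNAL_ID` entry is returned would pin the `!= ""` guard in awsEnvVars.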
diff --git a/pkg/services/pluginsintegration/config/config.go b/pkg/services/pluginsintegration/config/config.go index ab333980eaa..fafca1e9d0a 100644 --- a/pkg/services/pluginsintegration/config/config.go +++ b/pkg/services/pluginsintegration/config/config.go @@ -34,6 +34,7 @@ func ProvideConfig(settingProvider setting.Provider, grafanaCfg *setting.Cfg, fe allowedUnsigned, allowedAuth, aws.KeyValue("assume_role_enabled").MustBool(grafanaCfg.AWSAssumeRoleEnabled), + aws.KeyValue("external_id").Value(), grafanaCfg.Azure, grafanaCfg.SecureSocksDSProxy, grafanaCfg.BuildVersion, diff --git a/pkg/setting/setting.go b/pkg/setting/setting.go index 8ed3989a43d..fceb8300007 100644 --- a/pkg/setting/setting.go +++ b/pkg/setting/setting.go @@ -289,6 +289,7 @@ type Cfg struct { AWSAllowedAuthProviders []string AWSAssumeRoleEnabled bool AWSListMetricsPageLimit int + AWSExternalId string // Azure Cloud settings Azure *azsettings.AzureSettings @@ -1300,6 +1301,11 @@ func (cfg *Cfg) handleAWSConfig() { if err != nil { cfg.Logger.Error(fmt.Sprintf("could not set environment variable '%s'", awsds.AllowedAuthProvidersEnvVarKeyName), err) } + + cfg.AWSExternalId = awsPluginSec.Key("external_id").Value() + if err != nil { + cfg.Logger.Error(fmt.Sprintf("could not set environment variable '%s'", awsds.GrafanaAssumeRoleExternalIdKeyName), err) + } } func (cfg *Cfg) readSessionConfig() {
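Review bot: `aws.KeyValue("external_id").Value()` in ProvideConfig has no fallback, unlike the line above it, which uses `MustBool(grafanaCfg.AWSAssumeRoleEnabled)`. This commit also stores the same key in `grafanaCfg.AWSExternalId` (pkg/setting/setting.go), but nothing visible in the diff reads that field, so the two sources can diverge without notice. If the KeyValue type offers a string accessor with a default, `aws.KeyValue("external_id").MustString(grafanaCfg.AWSExternalId),` would keep both paths consistent. The ProvideConfig call continues outside the hunk.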
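Review bot: The `if err != nil` block added to handleAWSConfig after `cfg.AWSExternalId = awsPluginSec.Key("external_id").Value()` tests a stale `err`, because that assignment does not produce one. The value it sees is left over from the preceding call, whose failure is already logged by the block just above. A single failure is therefore logged twice, the second time naming `awsds.GrafanaAssumeRoleExternalIdKeyName` even though no environment variable is set for the external ID in this hunk. Keep only `cfg.AWSExternalId = awsPluginSec.Key("external_id").Value()` and drop the three-line `if err != nil { ... }` that follows it. handleAWSConfig begins outside the hunk.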