Reinstate assume-role functionality (-R) (#302)

* Reinstate assume-role functionality (-R)

* Update changelog

Co-authored-by: Ben Abrams <[email protected]>

CHANGELOG.md

@@ -5,10 +5,12 @@ This CHANGELOG follows the format listed [here](https://github.com/sensu-plugins
 
 ## [Unreleased]
 
+
 ### Added
 - `check-subnet-ip-consumption.rb` - Added `--warn-only` option (@ChrisCalavera)
 - new `metrics-reservation-utilization.rb`: retrieve metrics about reserved instances usage. (@boutetnico)
 - `check-ebs-burst-limit.rb`: add `--tag`/`-t` option to specify a volume tag to output in status message. (@boutetnico)
+- check-instance-events.rb: re-instate assume-role functionality (@pmiles)
 
 ### Fixed
 - `check-sqs-messages.rb`: properly surface false positives when pulling an unsupported metric (@majormoses)

bin/check-instance-events.rb

@@ -67,6 +67,11 @@ class CheckInstanceEvents < Sensu::Plugin::Check::CLI
          description: "Includes any offending instance's 'Name' tag in the check output",
          default: false
 
+  option :role,
+         short:       '-R ASSUME_ROLE',
+         long:        '--assume-role-arn ARN',
+         description: 'IAM Role to assume'
+
   def aws_config
     { access_key_id: config[:aws_access_key],
       secret_access_key: config[:aws_secret_access_key],
@@ -77,6 +82,23 @@ def ec2_regions
     Aws.partition('aws').regions.map(&:name)
   end
 
+  def assume_role
+    role_config = aws_config
+
+    # Delete keys so we can use an IAM role
+    role_config.delete(:access_key_id)
+    role_config.delete(:secret_access_key)
+
+    Aws.config[:region]=role_config[:region]
+
+    role_credentials = Aws::AssumeRoleCredentials.new(
+      role_arn: config[:role],
+      role_session_name: "sensu-monitoring"
+    )
+
+    role_config.merge!(credentials: role_credentials)
+  end
+
   def run
     event_instances = []
     aws_config = {}