From a6c66dcf95f36f916726a26b28bc606d40fe299d Mon Sep 17 00:00:00 2001
From: Paul Miles
Date: Sun, 27 Sep 2020 07:03:46 +0100
Subject: [PATCH] Reinstate assume-role functionality (-R) (#302)
* Reinstate assume-role functionality (-R)
* Update changelog
Co-authored-by: Ben Abrams
---
 CHANGELOG.md | 2 ++
 bin/check-instance-events.rb | 22 ++++++++++++++++++++++
 2 files changed, 24 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9772fc47..b24e9934 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,10 +5,12 @@ This CHANGELOG follows the format listed [here](https://github.com/sensu-plugins ## [Unreleased] + ### Added - `check-subnet-ip-consumption.rb` - Added `--warn-only` option (@ChrisCalavera) - new `metrics-reservation-utilization.rb`: retrieve metrics about reserved instances usage. (@boutetnico) - `check-ebs-burst-limit.rb`: add `--tag`/`-t` option to specify a volume tag to output in status message. (@boutetnico) +- check-instance-events.rb: re-instate assume-role functionality (@pmiles) ### Fixed - `check-sqs-messages.rb`: properly surface false positives when pulling an unsupported metric (@majormoses)
diff --git a/bin/check-instance-events.rb b/bin/check-instance-events.rb
index b9b18ecc..91dc9386 100755
--- a/bin/check-instance-events.rb
+++ b/bin/check-instance-events.rb
@@ -67,6 +67,11 @@ class CheckInstanceEvents < Sensu::Plugin::Check::CLI
 description: "Includes any offending instance's 'Name' tag in the check output",
 default: false
 
+ option :role,
+ short: '-R ASSUME_ROLE',
+ long: '--assume-role-arn ARN',
+ description: 'IAM Role to assume'
+
 def aws_config
 { access_key_id: config[:aws_access_key],
 secret_access_key: config[:aws_secret_access_key],
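Review bot: The `:role` description, `'IAM Role to assume'`, does not tell the operator that a full role ARN is expected, nor that setting it removes the configured access keys from the EC2 client configuration (`assume_role` in the next hunk deletes them). The two placeholders also disagree (`-R ASSUME_ROLE` against `--assume-role-arn ARN`). Suggest `short: '-R ARN',` and `description: 'ARN of the IAM role to assume; when set, the configured access keys are not used for EC2 calls'`. The option block sits inside `CheckInstanceEvents`, whose body starts and ends outside the hunk.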
@@ -77,6 +82,23 @@ def ec2_regions
 Aws.partition('aws').regions.map(&:name)
 end
 
+ def assume_role
+ role_config = aws_config
+
+ # Delete keys so we can use an IAM role
+ role_config.delete(:access_key_id)
+ role_config.delete(:secret_access_key)
+
+ Aws.config[:region]=role_config[:region]
+
+ role_credentials = Aws::AssumeRoleCredentials.new(
+ role_arn: config[:role],
+ role_session_name: "sensu-monitoring"
+ )
+
+ role_config.merge!(credentials: role_credentials)
+ end
+
 def run
 event_instances = []
 aws_config = {}
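Review bot: `assume_role` writes `Aws.config[:region]` process-wide only so that the STS client built inside `Aws::AssumeRoleCredentials` has a region, and that implicit client appears to authenticate through the SDK's default credential chain, so keys supplied via `config[:aws_access_key]`/`config[:aws_secret_access_key]` are silently dropped rather than used for the AssumeRole call. Passing the client explicitly keeps the side effect local and makes the credential source visible: add `client: Aws::STS::Client.new(aws_config),` to the `AssumeRoleCredentials.new` arguments and remove the `Aws.config[:region]=role_config[:region]` line. The fixed `role_session_name: "sensu-monitoring"` means every host running this check shares one session name in CloudTrail, so including the hostname would keep calls attributable, and an optional `external_id:` would be worth exposing for cross-account roles. Nothing in this patch calls `assume_role` (the 22 added lines are this method plus the option), so it presumably relies on a call already present in `run`, whose body continues outside the hunk; worth confirming.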