generated from aws-ia/.github
-
Notifications
You must be signed in to change notification settings - Fork 389
/
aft-global-customizations-terraform.yml
128 lines (115 loc) · 7.6 KB
/
aft-global-customizations-terraform.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
# Copyright Amazon.com, Inc. or its affiliates. All rights reserved.
# SPDX-License-Identifier: Apache-2.0
#
version: 0.2
phases:
install:
commands:
- set -e
# Populate Required Variables
- DEFAULT_PATH=$(pwd)
- TIMESTAMP=$(date '+%Y-%m-%d %H:%M:%S')
- TF_VERSION=$(aws ssm get-parameter --name "/aft/config/terraform/version" --query "Parameter.Value" --output text)
- TF_DISTRIBUTION=$(aws ssm get-parameter --name "/aft/config/terraform/distribution" --query "Parameter.Value" --output text)
- CT_MGMT_REGION=$(aws ssm get-parameter --name "/aft/config/ct-management-region" --query "Parameter.Value" --output text)
- AFT_MGMT_ACCOUNT=$(aws ssm get-parameter --name "/aft/account/aft-management/account-id" --query "Parameter.Value" --output text)
- AFT_EXEC_ROLE_ARN=arn:$AWS_PARTITION:iam::$AFT_MGMT_ACCOUNT:role/AWSAFTExecution
- VENDED_EXEC_ROLE_ARN=arn:$AWS_PARTITION:iam::$VENDED_ACCOUNT_ID:role/AWSAFTExecution
- AFT_ADMIN_ROLE_NAME=$(aws ssm get-parameter --name /aft/resources/iam/aft-administrator-role-name | jq --raw-output ".Parameter.Value")
- AFT_ADMIN_ROLE_ARN=arn:$AWS_PARTITION:iam::$AFT_MGMT_ACCOUNT:role/$AFT_ADMIN_ROLE_NAME
- ROLE_SESSION_NAME=$(aws ssm get-parameter --name /aft/resources/iam/aft-session-name | jq --raw-output ".Parameter.Value")
# Configure Development SSH Key
- |
ssh_key_parameter=$(aws ssm get-parameter --name /aft/config/aft-ssh-key --with-decryption 2> /dev/null || echo "None")
if [[ $ssh_key_parameter != "None" ]]; then
ssh_key=$(jq --raw-output ".Parameter.Value" <<< $ssh_key_parameter)
mkdir -p ~/.ssh
echo "Host *" >> ~/.ssh/config
echo "StrictHostKeyChecking no" >> ~/.ssh/config
echo "UserKnownHostsFile=/dev/null" >> ~/.ssh/config
echo "$ssh_key" > ~/.ssh/ssh_key
echo -e "\n\n" >> ~/.ssh/ssh_key
chmod 600 ~/.ssh/ssh_key
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/ssh_key
fi
# Clone AFT
- AWS_MODULE_SOURCE=$(aws ssm get-parameter --name "/aft/config/aft-pipeline-code-source/repo-url" --query "Parameter.Value" --output text)
- AWS_MODULE_GIT_REF=$(aws ssm get-parameter --name "/aft/config/aft-pipeline-code-source/repo-git-ref" --query "Parameter.Value" --output text)
- git config --global credential.helper '!aws codecommit credential-helper $@'
- git config --global credential.UseHttpPath true
- git clone --quiet -b $AWS_MODULE_GIT_REF $AWS_MODULE_SOURCE aws-aft-core-framework
# Generate session profiles
- chmod +x $DEFAULT_PATH/aws-aft-core-framework/sources/scripts/creds.sh
- $DEFAULT_PATH/aws-aft-core-framework/sources/scripts/creds.sh
# Install AFT Python Dependencies
- python3 -m venv $DEFAULT_PATH/aft-venv
- $DEFAULT_PATH/aft-venv/bin/pip install pip==22.1.2
- $DEFAULT_PATH/aft-venv/bin/pip install jinja2-cli==0.7.0 Jinja2==3.0.1 MarkupSafe==2.0.1 boto3==1.18.56 requests==2.26.0
# Install API Helper Python Dependencies
- python3 -m venv $DEFAULT_PATH/api-helpers-venv
- $DEFAULT_PATH/api-helpers-venv/bin/pip install -r $DEFAULT_PATH/api_helpers/python/requirements.txt
# Mark helper scripts as executable
- chmod +x $DEFAULT_PATH/api_helpers/pre-api-helpers.sh
- chmod +x $DEFAULT_PATH/api_helpers/post-api-helpers.sh
pre_build:
on-failure: ABORT
commands:
- source $DEFAULT_PATH/api-helpers-venv/bin/activate
- export AWS_PROFILE=aft-target
- $DEFAULT_PATH/api_helpers/pre-api-helpers.sh
- unset AWS_PROFILE
build:
on-failure: CONTINUE
commands:
# Apply customizations
- source $DEFAULT_PATH/aft-venv/bin/activate
- |
if [ $TF_DISTRIBUTION = "oss" ]; then
TF_BACKEND_REGION=$(aws ssm get-parameter --name "/aft/config/oss-backend/primary-region" --query "Parameter.Value" --output text)
TF_KMS_KEY_ID=$(aws ssm get-parameter --name "/aft/config/oss-backend/kms-key-id" --query "Parameter.Value" --output text)
TF_DDB_TABLE=$(aws ssm get-parameter --name "/aft/config/oss-backend/table-id" --query "Parameter.Value" --output text)
TF_S3_BUCKET=$(aws ssm get-parameter --name "/aft/config/oss-backend/bucket-id" --query "Parameter.Value" --output text)
TF_S3_KEY=$VENDED_ACCOUNT_ID-aft-global-customizations/terraform.tfstate
cd /tmp
echo "Installing Terraform"
curl -q -o terraform_${TF_VERSION}_linux_amd64.zip https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_${TF_VERSION}_linux_amd64.zip
mkdir -p /opt/aft/bin
unzip -q -o terraform_${TF_VERSION}_linux_amd64.zip
mv terraform /opt/aft/bin
/opt/aft/bin/terraform -no-color --version
# Move back to customization module
cd $DEFAULT_PATH/terraform
for f in *.jinja; do jinja2 $f -D timestamp="$TIMESTAMP" -D tf_distribution_type=$TF_DISTRIBUTION -D provider_region=$CT_MGMT_REGION -D region=$TF_BACKEND_REGION -D aft_admin_role_arn=$AFT_EXEC_ROLE_ARN -D target_admin_role_arn=$VENDED_EXEC_ROLE_ARN -D bucket=$TF_S3_BUCKET -D key=$TF_S3_KEY -D dynamodb_table=$TF_DDB_TABLE -D kms_key_id=$TF_KMS_KEY_ID >> ./$(basename $f .jinja).tf; done
for f in *.tf; do echo "\n \n"; echo $f; cat $f; done
cd $DEFAULT_PATH/terraform
export AWS_PROFILE=aft-management-admin
/opt/aft/bin/terraform init -no-color
/opt/aft/bin/terraform apply -no-color --auto-approve
else
TF_ORG_NAME=$(aws ssm get-parameter --name "/aft/config/terraform/org-name" --query "Parameter.Value" --output text)
TF_TOKEN=$(aws ssm get-parameter --name "/aft/config/terraform/token" --with-decryption --query "Parameter.Value" --output text)
TF_ENDPOINT=$(aws ssm get-parameter --name "/aft/config/terraform/api-endpoint" --query "Parameter.Value" --output text)
TF_WORKSPACE_NAME=$VENDED_ACCOUNT_ID-aft-global-customizations
TF_CONFIG_PATH="./temp_configuration_file.tar.gz"
cd $DEFAULT_PATH/terraform
for f in *.jinja; do jinja2 $f -D timestamp="$TIMESTAMP" -D provider_region=$CT_MGMT_REGION -D tf_distribution_type=$TF_DISTRIBUTION -D aft_admin_role_arn=$AFT_EXEC_ROLE_ARN -D target_admin_role_arn=$VENDED_EXEC_ROLE_ARN -D terraform_org_name=$TF_ORG_NAME -D terraform_workspace_name=$TF_WORKSPACE_NAME >> ./$(basename $f .jinja).tf; done
for f in *.tf; do echo "\n \n"; echo $f; cat $f; done
cd $DEFAULT_PATH
tar -czf temp_configuration_file.tar.gz -C terraform --exclude .git --exclude venv .
python3 $DEFAULT_PATH/aws-aft-core-framework/sources/scripts/workspace_manager.py --operation "deploy" --organization_name $TF_ORG_NAME --workspace_name $TF_WORKSPACE_NAME --assume_role_arn $AFT_ADMIN_ROLE_ARN --assume_role_session_name $ROLE_SESSION_NAME --api_endpoint $TF_ENDPOINT --api_token $TF_TOKEN --terraform_version $TF_VERSION --config_file $TF_CONFIG_PATH
fi
post_build:
on-failure: ABORT
commands:
- export PYTHONPATH="$DEFAULT_PATH/aws-aft-core-framework/sources/aft-lambda-layer:$PYTHONPATH"
- export AWS_PROFILE=aft-management
- python3 $DEFAULT_PATH/aws-aft-core-framework/sources/aft-lambda-layer/aft_common/metrics.py --codebuild-name "aft-global-customizations" --codebuild-status $CODEBUILD_BUILD_SUCCEEDING
- unset AWS_PROFILE
- |
if [[ $CODEBUILD_BUILD_SUCCEEDING == 0 ]]; then
exit 1
fi
- source $DEFAULT_PATH/api-helpers-venv/bin/activate
- export AWS_PROFILE=aft-target
- $DEFAULT_PATH/api_helpers/post-api-helpers.sh