#!/bin/bash
## Production ready, but still being developed and subject to frequent breaking changes.
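functions+=(help)
# Print the usage banner, the sorted list of registered commands and the
# examples block. Commands register themselves by appending to `functions`.
function help() {
  local -a fns
  # sort -u drops duplicate registrations; mapfile keeps one name per line
  # instead of word-splitting (and glob-expanding) the whole listing.
  mapfile -t fns < <(printf '%s\n' "${functions[@]}" | sort -u)
  printf "Usage: %s <command>\n Where <command> is one of:\n\n" "$(basename "$0")"
  printf ' %s\n' "${fns[@]}"
  printf '\n'
  cat <<'EOF'
## Examples:
## aws-config teams > rootfs/etc/aws-config/aws-config-teams
## Generates full `aws` CLI configuration for use in Geodesic
## to access aws-teams and aws-team-roles.
##
## aws-config switch-roles > rootfs/etc/aws-config/aws-extend-switch-roles
## aws-config switch-roles billing > rootfs/etc/aws-config/aws-extend-switch-roles-billing
## aws-config switch-roles billing_admin > rootfs/etc/aws-config/aws-extend-switch-roles-billing_admin
## Generates configuration for AWS Extend Switch Roles browser plugin
## https://github.com/tilfinltd/aws-extend-switch-roles
##
## aws-config spacelift > rootfs/etc/aws-config/aws-config-spacelift
## Generates `aws` CLI/SDK configuration for Spacelift workers to use
##
EOF
}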
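# main needs to be defined before sourcing other files
# Dispatch "$1" to the registered command of the same name (one appended to
# `functions`), forwarding the remaining arguments, and return its status.
# An unknown or missing command prints help and returns 99; the dispatcher
# at the bottom of the file treats 99 as "help was shown", not as a failure,
# so this must `return` rather than `exit` for that mapping to take effect.
function main() {
  local command=$1 registered
  for registered in "${functions[@]}"; do
    # Quoted right-hand side: a literal comparison, never a pattern.
    if [[ $registered == "$command" ]]; then
      "$@"
      return $?
    fi
  done
  help
  return 99
}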
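## TODO: maybe pull the source files from S3 rather than file system
# Helper scripts emitted per account by the account-map component; each is
# executed with a query word (`namespace`, `source-profile`, ...) and answers
# on stdout.
account_sources=("$ATMOS_BASE_PATH/"components/terraform/account-map/account-info/*sh)
# Per-account role helper scripts emitted by the aws-team-roles component.
iam_sources=("$ATMOS_BASE_PATH/"components/terraform/aws-team-roles/iam-role-info/*sh)
# namespaces: one entry per account script, in glob order.
# source_profiles: namespace -> profile named as `source_profile` in the
# generated config; falls back to "<namespace>-identity" when the account
# script reports none.
namespaces=()
declare -A source_profiles
for script in "${account_sources[@]}"; do
  # Quoted so a base path containing spaces still resolves to the script;
  # each script is queried once here instead of once per consumer.
  namespace=$("$script" namespace)
  namespaces+=("$namespace")
  source_profiles[$namespace]=$("$script" source-profile)
  [[ -n "${source_profiles[$namespace]}" ]] || source_profiles[$namespace]="${namespace}-identity"
done
unset namespace script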
unset _auto_generated_warning
# Print, at most once per run, the "generated by aws-config <args>" header.
# `args` is the global argument list recorded by the dispatcher; the guard
# variable is set after the first print so later calls are no-ops.
function _auto-generated-warning() {
  if [[ -n $_auto_generated_warning ]]; then
    return 0
  fi
  printf ';; Generated by aws-config %s\n;; Do not edit directly.\n\n' "${args[*]}"
  _auto_generated_warning=done
}
unset _no_source_profile
# Print, at most once per run, the note that source profiles are not part of
# the generated file. Any non-empty value in `_no_source_profile` suppresses
# it, so callers that emit their own source profiles set it to "skip".
function _no-source-profile() {
  if [[ -n $_no_source_profile ]]; then
    return 0
  fi
  printf ';; Note that no source profile is included in this file.\n;; The source profile(s) should be defined in Leapp.\n\n'
  _no_source_profile=done
}
unset _extra_profiles
# Print, at most once per run, the warning that the generated file lists a
# profile for every role regardless of whether the user can assume it.
function _extra-profiles() {
  if [[ -n $_extra_profiles ]]; then
    return 0
  fi
  printf ';; Note that this automatically generated file contains profiles for every role.\n;; The user may not have access to a role despite it having a profile defined here.\n\n'
  _extra_profiles=done
}
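# Usage: _saml [<role-name> ...]
# Emit one `[profile ...]` stanza per (account, role) reported by the
# iam-role-info scripts. With role names given, only those roles are emitted;
# the selection is padded with spaces so " $role " matches whole names only.
# Reads: iam_sources, source_profiles, AWS_REGION / AWS_DEFAULT_REGION.
function _saml() {
  local namespace script role selected_roles
  local region="${AWS_REGION:-${AWS_DEFAULT_REGION}}"
  [[ -n "$*" ]] && selected_roles=" $* "
  for script in "${iam_sources[@]}"; do
    namespace=$("$script" namespace)
    # role-names appears to be a whitespace-separated list; the expansion is
    # deliberately unquoted so it is split into one role per iteration.
    for role in $("$script" role-names); do
      # Literal substring match (no regex), so role names with
      # metacharacters are compared as-is.
      if [[ -n $selected_roles && $selected_roles != *" $role "* ]]; then
        continue
      fi
      printf "[profile %s]\n" "$("$script" profile "$role")"
      [[ -n ${region} ]] && printf "region = %s\n" "$region"
      printf "source_profile = %s\n" "${source_profiles[$namespace]}"
      printf "role_arn = %s\n\n" "$("$script" role-arn "$role")"
    done
  done
}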
# Generate AWS config file for assuming "SAML Roles"
# Will generate a profile for every role in every account, unless a role is specified,
# in which case it will only generate a profile for that role in every account.
# Usage: saml [<role-name>]
functions+=(saml)
function saml() {
  # errexit stays on for the rest of the process so a failing helper lookup
  # aborts the run instead of quietly producing a partial file.
  set -e
  _auto-generated-warning
  # The "every role" caveat only applies when no role was selected.
  if [[ -z $1 ]]; then
    _extra-profiles
  fi
  _no-source-profile
  _saml "$@"
}
# Generate AWS config file for assuming `aws-teams` and `aws-team-roles` roles.
# Will generate a profile for every role in every account, unless a role is specified,
# in which case it will only generate a profile for that role in every account.
# Usage: teams [<role-name>]
functions+=(teams)
# Alias for `saml`: every argument is forwarded unchanged.
function teams() {
  local -a forwarded=("$@")
  saml "${forwarded[@]}"
}
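functions+=(switch-roles)
# Generate configuration for the AWS Extend Switch Roles browser plugin:
# one `[profile ...]` stanza per account source profile, followed by the
# SAML role profiles (defaulting to `admin` when no role is given).
# Usage: switch-roles [<role-name> ...]
# Reads: namespaces, source_profiles, AWS_REGION / AWS_DEFAULT_REGION.
function switch-roles() {
  local region="${AWS_REGION:-${AWS_DEFAULT_REGION}}"
  local namespace identity_account
  printf ";; This configuration file is for the AWS Extend Switch Roles browser plugin.\n\n"
  _auto-generated-warning
  for namespace in "${namespaces[@]}"; do
    # Re-invoke this script scoped to one namespace. `account-for-role` and
    # `account-profile` are not defined in this file (presumably they come
    # from the sourced account-info script — verify); look the identity
    # account up once rather than once per query.
    identity_account=$("$0" -n "$namespace" account-for-role identity)
    printf "[profile %s]\n" "${source_profiles[$namespace]}"
    [[ -n ${region} ]] && printf "region = %s\n" "$region"
    printf "aws_account_id = %s\n\n" "$("$0" -n "$namespace" account-profile "$identity_account")"
  done
  echo
  # Source profiles were just emitted above, so suppress the
  # "no source profile" note that saml would otherwise print.
  _no_source_profile=skip
  saml "${@:-admin}"
}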
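functions+=(spacelift)
# Generate `aws` CLI/SDK configuration for Spacelift workers: per account, a
# profile that assumes "<profile-base>-spacelift" using EC2 instance metadata
# credentials, followed by the admin/terraform/planner SAML profiles.
# Usage: spacelift
# Reads: namespaces, source_profiles, AWS_REGION / AWS_DEFAULT_REGION.
function spacelift() {
  local region="${AWS_REGION:-${AWS_DEFAULT_REGION}}"
  local namespace identity_account profile_base account_id
  _auto-generated-warning
  for namespace in "${namespaces[@]}"; do
    # `account-for-role`, `account-profile` and `account-id` are not defined
    # in this file (presumably provided by the sourced account-info script —
    # verify); resolve the identity account once and reuse it below.
    identity_account=$("$0" -n "$namespace" account-for-role identity)
    # TODO: lookup Spacelift target Role ARN rather than guess/hard code it.
    # The ARN below is built by naming convention, not looked up, so a role
    # named differently in IAM will yield a profile that cannot be assumed.
    profile_base=$("$0" -n "$namespace" account-profile "$identity_account")
    account_id=$("$0" -n "$namespace" account-id "$identity_account")
    printf "[profile %s]\n" "${source_profiles[$namespace]}"
    [[ -n ${region} ]] && printf "region = %s\n" "$region"
    printf "role_arn = arn:aws:iam::%s:role/%s-spacelift\n" "$account_id" "$profile_base"
    printf "credential_source = Ec2InstanceMetadata\n"
    printf "role_session_name = Spacelift\n\n"
  done
  echo
  # Source profiles were emitted above; suppress saml's "no source profile" note.
  _no_source_profile=skip
  saml admin terraform planner
}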
functions+=(accounts)
# Alias for `account-ids`, which is not defined in this file (expected to
# come from the sourced account-info script). Takes no arguments.
function accounts() {
  local -r delegate=account-ids
  "$delegate"
}
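# Option handling: pick which account namespace(s) to run the command under.
#   -a             every namespace found under account-map/account-info
#   -n <ns>, -n=<ns>
#                  the given namespace
#   (none)         $NAMESPACE if set, otherwise every namespace
case $1 in
  -a*)
    target_namespace=("${namespaces[@]}")
    shift
    ;;
  -n*)
    # Quoted right-hand side so this is a literal "contains no '='" test,
    # not a pattern match (an argument like "-n=*" would otherwise match).
    if [[ $1 == "${1#*=}" ]]; then
      # -n namespace
      # NOTE(review): left unquoted as in the original, so a value containing
      # whitespace expands to several namespaces — confirm that is intended.
      target_namespace=($2)
      shift 2
    else
      # -n=namespace
      target_namespace=(${1#*=})
      shift
    fi
    ;;
  *)
    if [[ -n $NAMESPACE ]]; then
      target_namespace=($NAMESPACE)
    else
      target_namespace=("${namespaces[@]}")
    fi
    ;;
esac
# These commands iterate over every namespace themselves, so run them once
# (under the first namespace) instead of once per namespace.
case $1 in
  spacelift|switch-roles|teams|saml)
    target_namespace=("${namespaces[0]}")
    ;;
esac
args=("$@")
exit_code=0
for namespace in "${target_namespace[@]}"; do
  # `source` takes only its first operand as the file; any further glob
  # matches become positional parameters of the sourced file, so the
  # namespace prefix is expected to match exactly one account-info script.
  source "$ATMOS_BASE_PATH/components/terraform/account-map/account-info/$namespace"*.sh
  if (( ${#target_namespace[@]} != 1 )); then
    # NOTE(review): nothing in this file reads CONFIG_NAMESPACE; presumably
    # the sourced scripts or the re-invoked child process do — verify.
    export CONFIG_NAMESPACE=$namespace
  fi
  main "${args[@]}"
  exit_code=$?
  # main signals an unknown command with status 99 after printing help;
  # that is not an error for the caller.
  [[ $exit_code == 99 ]] && exit 0
done
exit "$exit_code"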