#!/usr/bin/env bash
# vim:ts=4:sts=4:sw=4:et
#
# Author: Hari Sekhon
# Date: 2022-06-15 15:21:27 +0100 (Wed, 15 Jun 2022)
#
# https://github.com/HariSekhon/DevOps-Bash-tools
#
# License: see accompanying Hari Sekhon LICENSE file
#
# If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish
#
# https://www.linkedin.com/in/HariSekhon
#
set -euo pipefail
[ -n " ${ DEBUG :- } " ] && set -x
srcdir = " $( cd " $( dirname " ${ BASH_SOURCE [0] } " ) " && pwd ) "
# shellcheck disable=SC1090
. " $srcdir /lib/utils.sh "
# shellcheck disable=SC2034,SC2154
usage_description = "
Creates a Terraform CLI machine account, S3 bucket and DynamoDB locking table with policy for restricted accounts
Required:
- account name used to suffix S3 bucket, DynamoDB table and policy names
Optional:
- user name ( default: \$ USER-terraform)
- group or policy ( default: Admins group if found, else AdministratorAccess standard AWS-managed policy)
- keyfile ( default: ~/.aws/keys/\$ { user} _\$ { aws_account_id} _accessKeys.csv) - be careful if specifying this, a non-existent keyfile will create a new key, deleting the older of 2 existing keys if necessary to be able to create this
Examples:
# create buckets, tables and user with all IAM policies for an account called 'myaccount' and a user called 'github-actions-myrepo'
${ 0 ##*/ } myaccount github-actions-terraform # gets AdministratorAccess by default
${ 0 ##*/ } myaccount github-actions-terraform-plan ReadOnly
"
# used by usage() in lib/utils.sh
# shellcheck disable=SC2034
usage_args = "<account_name> [<username> <group_or_policy> <keyfile>]"
help_usage " $@ "
min_args 1 " $@ "
max_args 4 " $@ "
account_name = " $1 "
user = " ${ 2 :- $USER -terraform } "
group_or_policy = " ${ 3 :- } "
keyfile = " ${ 4 :- } "
bucket = " terraform-state- $account_name "
table = " terraform-state- $account_name "
# must match the name generated in aws_terraform_create_dynamodb_table.sh
dynamodb_policy = " Terraform-DynamoDB-Lock-Table- $table "
" $srcdir /aws_terraform_create_s3_bucket.sh " " $bucket "
echo
" $srcdir /aws_terraform_create_dynamodb_table.sh " " $table "
echo
s3_policy = " Terraform-S3-Bucket- $bucket "
timestamp " Generating policy document ' $s3_policy ' "
s3_policy_document = " $( cat <<EOF
{
"Version" : "2012-10-17" ,
"Statement" : [
{
"Sid" : "TerraformS3Bucket" ,
"Effect" : "Allow" ,
"Action" : [
"s3:GetObject" ,
"s3:PutObject"
] ,
"Resource" : [
" arn:aws:s3::: $bucket /* "
]
}
]
}
EOF
) "
timestamp " Checking if policy ' $s3_policy ' exists "
set +o pipefail # early termination from the pipeline will fail the check otherwise
if aws iam list-policies | jq -r '.Policies[].PolicyName' | grep -Fxq " $s3_policy " ; then
timestamp " WARNING: policy ' $s3_policy ' already exists, not creating... "
else
timestamp " Creating Terraform S3 Policy ' $s3_policy ' "
aws iam create-policy --policy-name " $s3_policy " --policy-document " $s3_policy_document "
timestamp "Ppolicy created"
fi
set -o pipefail
" $srcdir /aws_terraform_create_credential.sh " " $user " " $s3_policy , $dynamodb_policy " ${ group_or_policy : +, " $group_or_policy " } ${ keyfile : + " $keyfile " }