You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
111 lines
3.2 KiB
Bash
111 lines
3.2 KiB
Bash
#!/usr/bin/env bash
|
|
# vim:ts=4:sts=4:sw=4:et
|
|
#
|
|
# Author: Hari Sekhon
|
|
# Date: 2022-06-15 15:21:27 +0100 (Wed, 15 Jun 2022)
|
|
#
|
|
# https://github.com/HariSekhon/DevOps-Bash-tools
|
|
#
|
|
# License: see accompanying Hari Sekhon LICENSE file
|
|
#
|
|
# If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish
|
|
#
|
|
# https://www.linkedin.com/in/HariSekhon
|
|
#
|
|
|
|
set -euo pipefail
|
|
[ -n "${DEBUG:-}" ] && set -x
|
|
srcdir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
|
|
|
# shellcheck disable=SC1090
|
|
. "$srcdir/lib/utils.sh"
|
|
|
|
# shellcheck disable=SC2034,SC2154
|
|
usage_description="
|
|
Creates a Terraform CLI machine account, S3 bucket and DynamoDB locking table with policy for restricted accounts
|
|
|
|
Required:
|
|
|
|
- account name used to suffix S3 bucket, DynamoDB table and policy names
|
|
|
|
Optional:
|
|
|
|
- user name (default: \$USER-terraform)
|
|
- group or policy (default: Admins group if found, else AdministratorAccess standard AWS-managed policy)
|
|
- keyfile (default: ~/.aws/keys/\${user}_\${aws_account_id}_accessKeys.csv) - be careful if specifying this, a non-existent keyfile will create a new key, deleting the older of 2 existing keys if necessary to be able to create this
|
|
|
|
Examples:
|
|
|
|
# create buckets, tables and user with all IAM policies for an account called 'myaccount' and a user called 'github-actions-myrepo'
|
|
|
|
${0##*/} myaccount github-actions-terraform # gets AdministratorAccess by default
|
|
|
|
${0##*/} myaccount github-actions-terraform-plan ReadOnly
|
|
|
|
"
|
|
|
|
# used by usage() in lib/utils.sh
|
|
# shellcheck disable=SC2034
|
|
usage_args="<account_name> [<username> <group_or_policy> <keyfile>]"
|
|
|
|
help_usage "$@"
|
|
|
|
min_args 1 "$@"
|
|
max_args 4 "$@"
|
|
|
|
account_name="$1"
|
|
user="${2:-$USER-terraform}"
|
|
group_or_policy="${3:-}"
|
|
keyfile="${4:-}"
|
|
|
|
bucket="terraform-state-$account_name"
|
|
table="terraform-state-$account_name"
|
|
|
|
# must match the name generated in aws_terraform_create_dynamodb_table.sh
|
|
dynamodb_policy="Terraform-DynamoDB-Lock-Table-$table"
|
|
|
|
"$srcdir/aws_terraform_create_s3_bucket.sh" "$bucket"
|
|
|
|
echo
|
|
|
|
"$srcdir/aws_terraform_create_dynamodb_table.sh" "$table"
|
|
|
|
echo
|
|
|
|
s3_policy="Terraform-S3-Bucket-$bucket"
|
|
|
|
timestamp "Generating policy document '$s3_policy'"
|
|
s3_policy_document="$(cat <<EOF
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Sid": "TerraformS3Bucket",
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"s3:GetObject",
|
|
"s3:PutObject"
|
|
],
|
|
"Resource": [
|
|
"arn:aws:s3:::$bucket/*"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
EOF
|
|
)"
|
|
|
|
timestamp "Checking if policy '$s3_policy' exists"
|
|
set +o pipefail # early termination from the pipeline will fail the check otherwise
|
|
if aws iam list-policies | jq -r '.Policies[].PolicyName' | grep -Fxq "$s3_policy"; then
|
|
timestamp "WARNING: policy '$s3_policy' already exists, not creating..."
|
|
else
|
|
timestamp "Creating Terraform S3 Policy '$s3_policy'"
|
|
aws iam create-policy --policy-name "$s3_policy" --policy-document "$s3_policy_document"
|
|
timestamp "Policy created"
|
|
fi
|
|
set -o pipefail
|
|
echo
|
|
|
|
"$srcdir/aws_terraform_create_credential.sh" "$user" "$s3_policy,$dynamodb_policy"${group_or_policy:+,"$group_or_policy"} ${keyfile:+"$keyfile"}
|