#!/usr/bin/env bash
# vim:ts=4:sts=4:sw=4:et
#
# Author: Hari Sekhon
# Date: 2021-07-27 12:42:32 +0100 (Tue, 27 Jul 2021)
#
# https://github.com/HariSekhon/DevOps-Bash-tools
#
# License: see accompanying Hari Sekhon LICENSE file
#
# If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish
#
# https://www.linkedin.com/in/HariSekhon
#
# ============================================================================ #
# A W S D i r E n v
# ============================================================================ #
# https://direnv.net/man/direnv-stdlib.1.html
# See Also:
#
# .envrc
# .envrc-gcp
# .envrc-kubernetes
# direnv stdlib - loads .envrc from parent dir up to /
#
# useful to accumulate parent and child directory .envrc settings eg. adding Kubernetes namespace, ArgoCD app etc.
#
# bypasses security authorization though - use with care
#source_up
#
# source_up must be called before 'set -u', otherwise direnv fails with this error:
#
# direnv: loading .envrc
# /bin/bash: line 226: $1: unbound variable
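set -euo pipefail
# NOTE: 'set -x' traces every command, including any 'export AWS_SECRET_ACCESS_KEY=...'
#       done later by aws_access_key_env, so secret values end up on stderr - keep DEBUG unset in shared terminals / CI logs
[ -n "${DEBUG:-}" ] && set -x

srcdir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

# XXX: Edit - crucial to set to the right environment, the rest of the inferred settings below depend on this
if [ -z "${CI:-}" ]; then
    export AWS_PROFILE="default"

    aws configure list 2>/dev/null || :
    echo

    # If not logged in:
    #
    # - check for SSO key in config section for this profile
    # - if found then do an automatic 'aws sso login'
    #
    if ! aws sts get-caller-identity --output table; then
        # honour the same config file location the AWS CLI itself uses
        aws_config_file="${AWS_CONFIG_FILE:-$HOME/.aws/config}"
        # the default profile's section header is '[default]', every other profile is '[profile <name>]'
        if [ "$AWS_PROFILE" = "default" ]; then
            profile_section_regex='^[[:space:]]*\[default\]'
        else
            profile_section_regex="^[[:space:]]*\[profile[[:space:]]\{1,\}$AWS_PROFILE[[:space:]]*\]"
        fi
        # print from this profile's section header up to the next '[...]' section header -
        # the end pattern must be '\[.*\]' not '\[.+\]' since '+' is a literal in sed's basic regex,
        # which made the range run to end of file and match an sso_start_url belonging to any later profile
        if [ -f "$aws_config_file" ] &&
           sed -n "/$profile_section_regex/,/^[[:space:]]*\[.*\]/p" "$aws_config_file" |
           grep -q sso_start_url; then
            echo
            aws sso login
        fi
    fi
    echo
fi

# 'aws sts get-caller-identity --query Account' succeeds in returning the account id
# from the ~/.aws/config even if 'aws sso login' has expired
AWS_ACCOUNT_ID="$(
    aws sts get-caller-identity --query Account --output text ||
    aws configure get sso_account_id ||
    :
)"
echo "AWS Account ID: $AWS_ACCOUNT_ID"
export AWS_ACCOUNT_ID

# might not have permissions to the Organizations in which case this errors - the '|| :' keeps
# 'set -e' from aborting the whole .envrc load, leaving AWS_ACCOUNT empty instead
AWS_ACCOUNT=""
if [ -n "$AWS_ACCOUNT_ID" ]; then
    AWS_ACCOUNT="$(aws organizations describe-account --account-id "$AWS_ACCOUNT_ID" 2>/dev/null || :)"
fi
if [ -n "$AWS_ACCOUNT" ]; then
    echo "AWS Account: $AWS_ACCOUNT"
    export AWS_ACCOUNT
fi

AWS_DEFAULT_REGION="$(aws configure get region || :)" # use region configured in profile by default
AWS_DEFAULT_REGION="${AWS_DEFAULT_REGION:-eu-west-1}" # XXX: Edit default fallback region
export AWS_DEFAULT_REGION

export AWS_DEFAULT_OUTPUT=json

# XXX: Edit, or remove if only have 1 cluster in account, will auto-determine below
export EKS_CLUSTER="mycluster"

# If EKS_CLUSTER isn't set and there is only one EKS cluster in this account and region, then use it - smart, but slower, prefer setting it explicitly for speed
if [ -z "${EKS_CLUSTER:-}" ]; then
    eks_clusters=()
    line_clusters=()
    # '--output text' prints a list of strings tab-separated on a single line, so split each line on
    # whitespace rather than treating the whole line as one name - otherwise several clusters would be
    # counted as one and EKS_CLUSTER would get a tab-joined string
    # (EKS cluster names are alphanumerics, dashes and underscores, so splitting on whitespace is safe)
    while IFS=$' \t' read -r -a line_clusters; do
        [ "${#line_clusters[@]}" -gt 0 ] || continue  # skip blank lines (also keeps old bash + 'set -u' happy)
        eks_clusters+=("${line_clusters[@]}")
    done < <(aws eks list-clusters --query 'clusters[]' --output text)
    if [ "${#eks_clusters[@]}" -eq 1 ]; then
        export EKS_CLUSTER="${eks_clusters[0]}"
    fi
fi

if [ -n "${EKS_CLUSTER:-}" ]; then
    # kubectl context is easily created by running adjacent aws_kube_creds.sh script first
    export EKS_CONTEXT="arn:aws:eks:$AWS_DEFAULT_REGION:$AWS_ACCOUNT_ID:cluster/$EKS_CLUSTER"
    # XXX: safer to inline .envrc-kubernetes if you're worried about changes to it bypassing 'direnv allow' authorization -
    #      only this .envrc is covered by 'direnv allow', edits to a sourced sibling file are not re-prompted
    # shellcheck disable=SC1090,SC1091
    . "$srcdir/.envrc-kubernetes" "$EKS_CONTEXT"
fi

# better to load this dynamically from credentials, using functions in .bash.d/aws.sh
#export AWS_ACCESS_KEY_ID=...
#export AWS_SECRET_ACCESS_KEY=...
#export AWS_SESSION_TOKEN=...

#export AWS_CONFIG_FILE=~/.aws/config
#export AWS_SHARED_CREDENTIALS_FILE=~/.aws/credentials

#export AWS_MAX_ATTEMPTS=3

# to quickly export prefixed AWS environment keys if they exist for simple overrides, see examples below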
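# Export AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY (and AWS_SESSION_TOKEN, when one exists for temporary
# credentials) from their <ENV>_ prefixed counterparts, eg. DEV_AWS_ACCESS_KEY_ID -> AWS_ACCESS_KEY_ID
#
# Arguments: $1 - environment prefix, eg. DEV, STAGING, PROD, MGMT
# Reads:     <ENV>_AWS_ACCESS_KEY_ID, <ENV>_AWS_SECRET_ACCESS_KEY, <ENV>_AWS_SESSION_TOKEN
# Exports:   AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN - each only if its prefixed source is set and non-empty
# Returns:   0 - a missing prefixed variable is skipped and the unprefixed one is left untouched
#
# NOTE: a pre-existing AWS_SESSION_TOKEN is deliberately not cleared when the new env has none -
#       if you switch from temporary to static credentials, unset it yourself or the stale token is sent with the new key
# NOTE: with DEBUG set, 'set -x' traces the export line including the secret value to stderr
aws_access_key_env(){
    local env="$1"
    local key varname
    for key in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN; do
        varname="${env}_${key}"
        # indirect expansion with ':-' stays safe under 'set -u' when the prefixed var is unset
        if [ -n "${!varname:-}" ]; then
            export "$key"="${!varname}"
        fi
    done
}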
# Examples - uncomment one to apply that environment's prefixed keys to the current shell:
#aws_access_key_env "DEV"
#aws_access_key_env "STAGING"
#aws_access_key_env "PROD"
#aws_access_key_env "MGMT"

# Only the *name* of the secret is exported here, never its value - fetch it on demand with:
#
#   aws_secret_get.sh "$JENKINS_ADMIN_PASSWORD_AWS_SECRET" | copy_to_clipboard.sh
#
JENKINS_ADMIN_PASSWORD_AWS_SECRET="jenkins-admin-password"
export JENKINS_ADMIN_PASSWORD_AWS_SECRET