Function to exclude specific accounts from the configuration

Dockerfile

@@ -4,7 +4,7 @@ ARG TARGETPLATFORM
 
 USER root:0
 RUN apt-get update -y \
-    && apt-get install -y git wget curl unzip
+    && apt-get install -y git wget curl unzip && apt-get install python3 -y
 
 RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then ARCHITECTURE=amd64; elif [ "$TARGETPLATFORM" = "linux/arm/v7" ]; then ARCHITECTURE=arm; elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then ARCHITECTURE=aarch64; else ARCHITECTURE=amd64; fi && \
     if [ "$ARCHITECTURE" = "amd64" ]; then curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"; else curl "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" -o "awscliv2.zip"; fi && \
@@ -18,9 +18,13 @@ USER steampipe:0
 RUN steampipe plugin install steampipe aws
 
 # RUN curl -o ./generate_config_for_cross_account_roles.sh https://raw.githubusercontent.com/turbot/steampipe-samples/main/all/aws-organizations-scripts/generate_config_for_cross_account_roles.sh
-RUN curl -o ./generate_config_for_cross_account_roles.sh https://raw.githubusercontent.com/brakf/steampipe-samples/main/all/aws-organizations-scripts/generate_config_for_cross_account_roles.sh
+#using my own fork of the script until the PR is merged: https://github.com/turbot/steampipe-samples/pull/27
+RUN curl -o ./generate_config_for_cross_account_roles.sh https://raw.githubusercontent.com/brakf/steampipe-samples/main/all/aws-organizations-scripts/generate_config_for_cross_account_roles.sh 
 RUN chmod +x ./generate_config_for_cross_account_roles.sh
 
+COPY --chown=steampipe scripts/exclude_accounts.py . 
+RUN chmod +x ./exclude_accounts.py
+
 COPY --chown=steampipe scripts/setup_and_execute_steampipe.sh . 
 RUN chmod +x ./setup_and_execute_steampipe.sh
 
@@ -30,7 +34,8 @@ ENV SOURCE_PROFILE=default
 ENV STEAMPIPE_PASSWORD=secretpassword
 ENV ENABLED_REGIONS=*
 ENV MODE=SERVER
+ENV EXCLUDED_ACCOUNTS=
 
 RUN mkdir -p /home/steampipe/.aws
 
-ENTRYPOINT ["/bin/sh", "-c", "./setup_and_execute_steampipe.sh $ENVIRONMENT_TYPE $AUDIT_ROLE $STEAMPIPE_PASSWORD $SOURCE_PROFILE $ENABLED_REGIONS $MODE"]
+ENTRYPOINT ["/bin/sh", "-c", "./setup_and_execute_steampipe.sh $ENVIRONMENT_TYPE $AUDIT_ROLE $STEAMPIPE_PASSWORD $SOURCE_PROFILE $ENABLED_REGIONS $MODE $EXCLUDED_ACCOUNTS"]

README.md

@@ -54,3 +54,4 @@ docker run -it --rm \
 - `SOURCE_PROFILE`: The AWS CLI profile to use (only required if `ENVIRONMENT_TYPE` is `LOCAL`).
 - `MODE`: `SERVER` or `INTERACTIVE` mode
 - `ENABLED_REGIONS`: Specified the AWS regions that should be included. `*` for all regions.
+- `EXCLUDED_ACCOUNTS`: Exclude specific accounts from the config, e.g. because the audit role isn't deployed there, etc. Format: '123456789012,987654321098' 

scripts/exclude_accounts.py

@@ -0,0 +1,100 @@
+#!/usr/bin/env python3
+
+import sys
+import os
+
+def remove_profile_block(file_path, account_id):
+    # Read the content of the file
+    with open(file_path, 'r') as file:
+        lines = file.readlines()
+
+    # Variables to store profile name and block indices
+    profile_name = None
+    start_index = None
+    end_index = None
+
+    # Iterate through the lines to find the block containing the account ID
+    for i, line in enumerate(lines):
+        if line.strip().startswith('[profile '):
+            # Start of a profile block
+            start_index = i
+            profile_name = line.strip().split()[1].strip(']')
+        if f"arn:aws:iam::{account_id}" in line:
+            # Found the account ID within the current block
+            # Identify the end of the block (next block start or end of file)
+            for j in range(i, len(lines)):
+                if lines[j].strip().startswith('[profile ') and j != start_index:
+                    end_index = j
+                    break
+            if end_index is None:
+                end_index = len(lines)  # If it's the last block in the file
+            break
+
+    # If profile block is found, remove it from the lines
+    if start_index is not None and end_index is not None:
+        del lines[start_index:end_index]
+
+        # Write the modified content back to the file
+        with open(file_path, 'w') as file:
+            file.writelines(lines)
+
+        return profile_name
+    else:
+        return None
+
+def remove_connection_block(file_path, profile_name):
+    # Read the content of the file
+    with open(file_path, 'r') as file:
+        lines = file.readlines()
+
+    # Variables to store block indices
+    start_index = None
+    end_index = None
+
+    # Iterate through the lines to find the block containing the profile name
+    for i, line in enumerate(lines):
+        if line.strip().startswith('connection '):
+            # Start of a connection block
+            start_index = i
+        if f'profile = "{profile_name}"' in line:
+            # Found the profile within the current block
+            # Identify the end of the block (next block start or end of file)
+            for j in range(i, len(lines)):
+                if lines[j].strip().startswith('connection ') and j != start_index:
+                    end_index = j
+                    break
+            if end_index is None:
+                end_index = len(lines)  # If it's the last block in the file
+            break
+
+    # If connection block is found, remove it from the lines
+    if start_index is not None and end_index is not None:
+        del lines[start_index:end_index]
+
+        # Write the modified content back to the file
+        with open(file_path, 'w') as file:
+            file.writelines(lines)
+
+        print(f"Connection block with profile '{profile_name}' has been removed from the file.")
+    else:
+        print(f"No connection block found for profile '{profile_name}'.")
+
+
+if __name__ == "__main__":
+    if len(sys.argv) != 4:
+        print("Usage: ./script_name.py <aws_config_file_path> <connections_file_path> <account_id>")
+        sys.exit(1)
+
+    aws_config_file_path = sys.argv[1]
+    connections_file_path = sys.argv[2]
+    account_id = sys.argv[3]
+
+    # Remove profile block from AWS config file
+    profile_name = remove_profile_block(aws_config_file_path, account_id)
+
+    if profile_name:
+        print(f"Profile block '{profile_name}' has been removed from the AWS config file.")
+        # Remove connection block from connections file
+        remove_connection_block(connections_file_path, profile_name)
+    else:
+        print(f"No profile block found for account ID {account_id}.")

scripts/setup_and_execute_steampipe.sh

@@ -8,6 +8,10 @@ STEAMPIPE_PASSWORD=$3
 SOURCE_PROFLE=$4 #only needed if ENVIRONMENT_TYPE=LOCAL
 ENABLED_REGIONS=$5
 MODE=$6
+EXCLUDED_ACCOUNTS=$7 #list of accounts ids to exclude from the configuration
+
+AWS_CONFIG_FILE_PATH=~/.aws/config  # Update with your AWS config file path
+STEAMPIPE_CONFIG_PATH=~/.steampipe/config/aws.spc
 
 
 if [ -z "$ENABLED_REGIONS" ] || [ "$ENABLED_REGIONS" = "*" ]; then
@@ -25,25 +29,44 @@ fi
 
 
 #cleanup old configuration
-rm -f ~/.steampipe/config/aws.spc
-rm -f ~/.aws/config
+rm -f $STEAMPIPE_CONFIG_PATH
+rm -f $AWS_CONFIG_FILE_PATH
 
 
 echo "ENVIRONMENT_TYPE: $ENVIRONMENT_TYPE"
 if [ "$ENVIRONMENT_TYPE" = "LOCAL" ]; then
     echo "SOURCE_PROFILE: $SOURCE_PROFILE"
-    ./generate_config_for_cross_account_roles.sh LOCAL $AUDIT_ROLE ~/.aws/config $SOURCE_PROFLE $ENABLED_REGIONS 
+    ./generate_config_for_cross_account_roles.sh LOCAL $AUDIT_ROLE $AWS_CONFIG_FILE_PATH $SOURCE_PROFLE $ENABLED_REGIONS 
 
 else
-    ./generate_config_for_cross_account_roles.sh $ENVIRONMENT_TYPE $AUDIT_ROLE ~/.aws/config "" $ENABLED_REGIONS
+    ./generate_config_for_cross_account_roles.sh $ENVIRONMENT_TYPE $AUDIT_ROLE $AWS_CONFIG_FILE_PATH "" $ENABLED_REGIONS
+fi
+
+# Exclude accounts if needed
+if [ ! -z "$EXCLUDED_ACCOUNTS" ]; then
+    # Convert the comma-separated list into an array
+    IFS=',' read -ra ACCOUNTS <<< "$EXCLUDED_ACCOUNTS"
+
+    for ACCOUNT_ID in "${ACCOUNTS[@]}"; do
+        echo "Excluding account $ACCOUNT_ID"
+
+        # Call the Python script to remove the profile and connection blocks
+        ./exclude_accounts.py "$AWS_CONFIG_FILE_PATH" "$STEAMPIPE_CONFIG_PATH" "$ACCOUNT_ID"
+
+        # Check the exit status of the Python script
+        if [ $? -ne 0 ]; then
+            echo "Failed to exclude account $ACCOUNT_ID"
+            exit 1
+        fi
+    done
 fi
 
 
 echo "Number of created AWS Profiles:"
-grep -c '^\[profile' ~/.aws/config
+grep -c '^\[profile' $AWS_CONFIG_FILE_PATH
 
 echo "Number of created Steampipe Connections (incl. 1 aggregate connection ):"
-grep -c '^connection' ~/.steampipe/config/aws.spc
+grep -c '^connection' $STEAMPIPE_CONFIG_PATH
 
 if [ "$MODE" = "INTERACTIVE" ]; then
     steampipe query