Skip to content

Commit

Permalink
Sync with AWS env updates
Browse files Browse the repository at this point in the history 
Signed-off-by: Łukasz Gryglicki <[email protected]>
  • Loading branch information
@lukaszgryglicki
lukaszgryglicki committed Nov 27, 2024
1 parent 7946887 commit 1c0db12
Show file tree
Hide file tree
Showing 4 changed files with 220 additions and 2 deletions.
130 changes: 130 additions & 0 deletions aws_env.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,130 @@
# Setting up AWS environment

You need to have MFA enabled for your AWS user, your `~/.aws/config` shoudl look like this:
```
[profile lfproduct-dev]
role_arn = arn:aws:iam::395594542180:role/product-contractors-role
source_profile = lfproduct
region = us-east-1
output = json
[profile lfproduct-test]
role_arn = arn:aws:iam::726224182707:role/product-contractors-role
source_profile = lfproduct
region = us-east-1
output = json
[profile lfproduct-staging]
role_arn = arn:aws:iam::844390194980:role/product-contractors-role
source_profile = lfproduct
region = us-east-1
output = json
[profile lfproduct-prod]
role_arn = arn:aws:iam::716487311010:role/product-contractors-role
source_profile = lfproduct
region = us-east-1
output = json
[default]
region = us-east-1
output = json
```

It defines 4 profiles to use: `dev`, `staging`, `test` and `prod`.

You will be using one of them.


Your `~/.aws/credentials` file shoudl initially look like this (replace `redacted`):
```
[lfproduct-long-term]
aws_secret_access_key = [access_key_redacted]
aws_access_key_id = [key_id_redacted]
aws_mfa_device = arn:aws:iam::[arn_number_redacted]:mfa/[your_aws_user_redacted]
[default]
aws_access_key_id = [key_id_redacted]
aws_secret_access_key = [access_key_redacted]
```

Now every 36 hours or less you need to refresh your MFA key by calling: `aws-mfa --force --duration 129600 --profile lfproduct`.

When called it adds or replaces the following section (`[lfproduct]` which is used as a source profile for `dev`, `test`, `staging` or `prod` in aws config) in `~/.aws/credentials`:
```
[lfproduct]
assumed_role = False
aws_access_key_id = [key_id_redacted]
aws_secret_access_key = [secret_access_key_redacted]
aws_session_token = [session_token_redacted]
aws_security_token = [session_token_redacted]
expiration = 2024-11-28 16:54:59 [now + 36 hours]
```


Once you have all of this, you must set a correct set of environment variables to run either `python` or `golang` backends.

To do so you need to get credentials for a specific profile `lfproduct-`: `dev`, `test`, `staging`, `prod`. To see full one-time set of credentials you can call:
- for `dev`: `` aws sts assume-role --role-arn arn:aws:iam::395594542180:role/product-contractors-role --profile lfproduct --role-session-name lfproduct-dev-session ``.
- for `prod`: `` aws sts assume-role --role-arn arn:aws:iam::716487311010:role/product-contractors-role --profile lfproduct --role-session-name lfproduct-prod-session ``.

Note - just replace the iam::[number] depending on environment type (`[stage]`) and update `lfproduct-[stage]-name`.

You can set up a script like `setenv.sh` which will set all required variables, example for `dev`:
```
#!/bin/bash
rm -rf /tmp/aws
cp -R /root/.aws /tmp/.aws
data="$(aws sts assume-role --role-arn arn:aws:iam::395594542180:role/product-contractors-role --profile lfproduct --role-session-name lfproduct-dev-session)"
export AWS_ACCESS_KEY_ID="$(echo "${data}" | jq -r '.Credentials.AccessKeyId')"
export AWS_SECRET_ACCESS_KEY="$(echo "${data}" | jq -r '.Credentials.SecretAccessKey')"
export AWS_SESSION_TOKEN="$(echo "${data}" | jq -r '.Credentials.SessionToken')"
export AWS_SECURITY_TOKEN="$(echo "${data}" | jq -r '.Credentials.SessionToken')"
export AWS_SDK_LOAD_CONFIG=true
export AWS_PROFILE='lfproduct-dev'
export AWS_REGION='us-east-1'
export AWS_DEFAULT_REGION='us-east-1'
export DYNAMODB_AWS_REGION='us-east-1'
export REGION='us-east-1'
export PRODUCT_DOMAIN='dev.lfcla.com'
export ROOT_DOMAIN='lfcla.dev.platform.linuxfoundation.org'
export PORT='5000'
export STAGE='dev'
# export STAGE='local'
export GH_ORG_VALIDATION=false
export DISABLE_LOCAL_PERMISSION_CHECKS=true
export COMPANY_USER_VALIDATION=false
export CLA_SIGNATURE_FILES_BUCKET=cla-signature-files-dev
```

Call it via `` . ./setenv.sh `` or `` source setenv.sh `` to execute in the current shell.

You can reset environment variables by exiting the shell session or calling the following `unsetenv.sh` in the current shell via: `` . ./unsetenv.sh `` or `` source unsetenv.sh ``:
```
#!/bin/bash
rm -rf /tmp/.aws
unset AWS_PROFILE
unset AWS_REGION
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset PRODUCT_DOMAIN
unset ROOT_DOMAIN
unset PORT
unset STAGE
unset AWS_SESSION_TOKEN
unset AWS_SECURITY_TOKEN
unset GH_ORG_VALIDATION
unset DISABLE_LOCAL_PERMISSION_CHECKS
unset COMPANY_USER_VALIDATION
unset CLA_SIGNATURE_FILES_BUCKET
unset DYNAMODB_AWS_REGION
unset REGION
unset AWS_ROLE_ARN
unset AWS_TOKEN_SERIAL
unset AWS_SDK_LOAD_CONFIG
```
44 changes: 42 additions & 2 deletions dev.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -133,6 +133,46 @@ locally and simply point to the DEV environment. The `STAGE` environment
variable controls where we point. Make sure you export/provide/setup the AWS
properties in order to connect.


When running on Linux it looks like `.venv` sets $HOME to /tmp, and then python backend is looking for the AWS config file in `~/.aws/config`
This means it ends up in `/tmp/.aws/config`. You can use the following scritp to activate your environment (`setenv.secret`) via: `source setenv.secret`:
```
#!/bin/bash
rm -rf /tmp/aws
cp -R ~/.aws /tmp/.aws
export AWS_SDK_LOAD_CONFIG=1
export AWS_PROFILE='lfproduct-dev'
export AWS_REGION='us-east-1'
data="$(aws sts assume-role --role-arn arn:aws:iam::395594542180:role/product-contractors-role --profile lfproduct --role-session-name lfproduct-dev-session)"
export AWS_ACCESS_KEY_ID="$(echo "${data}" | jq -r '.Credentials.AccessKeyId')"
export AWS_SECRET_ACCESS_KEY="$(echo "${data}" | jq -r '.Credentials.SecretAccessKey')"
export AWS_SESSION_TOKEN="$(echo "${data}" | jq -r '.Credentials.SessionToken')"
export AWS_SECURITY_TOKEN="$(echo "${data}" | jq -r '.Credentials.SessionToken')"
export PRODUCT_DOMAIN='dev.lfcla.com'
export ROOT_DOMAIN='lfcla.dev.platform.linuxfoundation.org'
export PORT='5000'
export STAGE='dev'
```

And the following one to unset the environment:
```
#!/bin/bash
rm -rf /tmp/.aws
unset AWS_SDK_LOAD_CONFIG=1
unset AWS_PROFILE
unset AWS_REGION
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_SESSION_TOKEN
unset AWS_SECURITY_TOKEN
unset PRODUCT_DOMAIN
unset ROOT_DOMAIN
unset PORT
unset STAGE
```

Please refer to [aws_env.md](aws_env.md) for more details.

## Run the Python Backend

```bash
Expand Down Expand Up @@ -331,9 +371,9 @@ First build and setup the environment. Then simply run it:

```bash
# Mac
./cla-mac
./bin/cla-mac
# or linux
./cla
./bin/cla
```

You should see the typical diagnostic details on startup indicating that it
Expand Down
27 changes: 27 additions & 0 deletions setenv.sh
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
#!/bin/bash

rm -rf /tmp/aws
cp -R /root/.aws /tmp/.aws

data="$(aws sts assume-role --role-arn arn:aws:iam::395594542180:role/product-contractors-role --profile lfproduct --role-session-name lfproduct-dev-session)"
export AWS_ACCESS_KEY_ID="$(echo "${data}" | jq -r '.Credentials.AccessKeyId')"
export AWS_SECRET_ACCESS_KEY="$(echo "${data}" | jq -r '.Credentials.SecretAccessKey')"
export AWS_SESSION_TOKEN="$(echo "${data}" | jq -r '.Credentials.SessionToken')"
export AWS_SECURITY_TOKEN="$(echo "${data}" | jq -r '.Credentials.SessionToken')"

export AWS_SDK_LOAD_CONFIG=true
export AWS_PROFILE='lfproduct-dev'
export AWS_REGION='us-east-1'
export AWS_DEFAULT_REGION='us-east-1'
export DYNAMODB_AWS_REGION='us-east-1'
export REGION='us-east-1'

export PRODUCT_DOMAIN='dev.lfcla.com'
export ROOT_DOMAIN='lfcla.dev.platform.linuxfoundation.org'
export PORT='5000'
export STAGE='dev'
# export STAGE='local'
export GH_ORG_VALIDATION=false
export DISABLE_LOCAL_PERMISSION_CHECKS=true
export COMPANY_USER_VALIDATION=false
export CLA_SIGNATURE_FILES_BUCKET=cla-signature-files-dev
21 changes: 21 additions & 0 deletions unsetenv.sh
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
#!/bin/bash
rm -rf /tmp/.aws
unset AWS_PROFILE
unset AWS_REGION
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset PRODUCT_DOMAIN
unset ROOT_DOMAIN
unset PORT
unset STAGE
unset AWS_SESSION_TOKEN
unset AWS_SECURITY_TOKEN
unset GH_ORG_VALIDATION
unset DISABLE_LOCAL_PERMISSION_CHECKS
unset COMPANY_USER_VALIDATION
unset CLA_SIGNATURE_FILES_BUCKET
unset DYNAMODB_AWS_REGION
unset REGION
unset AWS_ROLE_ARN
unset AWS_TOKEN_SERIAL
unset AWS_SDK_LOAD_CONFIG

0 comments on commit 1c0db12

Please sign in to comment.