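#!/bin/bash
# Setup mgmt and non-mgmt AWS accounts for NRLF
#
# Usage: bootstrap.sh <command> [options]  (see _bootstrap_help for the command list)
# Requires the aws CLI (authenticated against the target account) and jq on PATH.
set -o errexit -o nounset -o pipefail

# Region that hosts the bootstrap resources, and the prefix shared by every
# bucket, table, secret and role name this script builds. Marked readonly so a
# later accidental assignment fails loudly instead of renaming resources.
readonly AWS_REGION_NAME="eu-west-2"
readonly PROFILE_PREFIX="nhsd-nrlf"
# Name of the IAM role created in non-mgmt accounts for terraform access.
readonly TERRAFORM_ROLE_NAME="terraform"

# Secrets Manager secret names holding each environment's AWS account id.
readonly MGMT_ACCOUNT_ID_LOCATION="${PROFILE_PREFIX}--mgmt--mgmt-account-id"
readonly PROD_ACCOUNT_ID_LOCATION="${PROFILE_PREFIX}--mgmt--prod-account-id"
readonly TEST_ACCOUNT_ID_LOCATION="${PROFILE_PREFIX}--mgmt--test-account-id"
readonly TEST_BACKUP_ACCOUNT_ID_LOCATION="${PROFILE_PREFIX}--mgmt--test-backup-account-id"
readonly DEV_ACCOUNT_ID_LOCATION="${PROFILE_PREFIX}--mgmt--dev-account-id"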
#######################################
# Prints the usage screen to stdout.
# Returns:   1 always, so a caller that falls through to help reports "nothing done"
#######################################
function _bootstrap_help() {
  # Quoted delimiter: the text is emitted verbatim, no expansion.
  cat <<'EOF'

bootstrap.sh <command> [options]

commands:
 help - this help screen
 create-mgmt - Creates required aws resource for terraform access in mgmt account
 delete-mgmt - Deletes required aws resource for terraform access in mgmt account
 create-non-mgmt - Creates required aws resource for terraform access in non-mgmt account
 delete-non-mgmt - Deletes required aws resource for terraform access in non-mgmt account
 destroy-non-mgmt - Destroys a workspace completely in non-mgmt (Dev) account. ONLY USE IF TERRAFORM DESTROY HAS NOT COMPLETED

EOF
  return 1
}
#######################################
# Guards mgmt-only commands: succeeds only when the first account alias of the
# current credentials is the mgmt account alias.
# Outputs:   a login hint on stderr when the check fails
# Returns:   0 if logged in to mgmt, 1 otherwise (a failed alias lookup compares as "" and also fails)
#######################################
function _check_mgmt() {
  local expected_alias="nhsd-ddc-spine-nrlf-mgmt"
  local current_alias
  current_alias=$(aws iam list-account-aliases --query 'AccountAliases[0]' --output text) || true
  [[ "${current_alias}" == "${expected_alias}" ]] && return 0
  echo "Please log in as the mgmt account" >&2
  return 1
}
#######################################
# Guards non-mgmt commands: fails when the first account alias of the current
# credentials is the mgmt account alias.
# Outputs:   a login hint on stderr when the check fails
# Returns:   1 if logged in to mgmt, 0 otherwise
#######################################
function _check_non_mgmt() {
  local mgmt_alias='nhsd-ddc-spine-nrlf-mgmt'
  if [[ "$(aws iam list-account-aliases --query 'AccountAliases[0]' --output text)" != "${mgmt_alias}" ]]; then
    return 0
  fi
  echo "Please log in as a non-mgmt account" >&2
  return 1
}
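#######################################
# Prints the Secrets Manager secret names this script creates and deletes in
# the mgmt account, one per line, in create/delete order.
# Globals:   *_ACCOUNT_ID_LOCATION, PROFILE_PREFIX (read)
# Outputs:   secret names on stdout
#######################################
function _mgmt_secret_names() {
  printf '%s\n' \
    "${MGMT_ACCOUNT_ID_LOCATION}" \
    "${DEV_ACCOUNT_ID_LOCATION}" \
    "${TEST_ACCOUNT_ID_LOCATION}" \
    "${TEST_BACKUP_ACCOUNT_ID_LOCATION}" \
    "${PROD_ACCOUNT_ID_LOCATION}" \
    "${PROFILE_PREFIX}--codebuild-github-pat"
}

#######################################
# Deletes every object version in a bucket and then removes the bucket.
# Arguments: $1 - bucket name; any further arguments are passed to `aws s3 rb`
# Outputs:   progress and warnings on stdout
# Returns:   1 if the object versions cannot be listed; 0 otherwise
#            (a failed delete-objects or rb only prints a warning)
#######################################
function _empty_and_delete_bucket() {
  local bucket_name=$1
  shift
  local versioned_objects
  versioned_objects=$(aws s3api list-object-versions \
    --bucket "${bucket_name}" \
    --output=json \
    --query='{Objects: Versions[].{Key:Key,VersionId:VersionId}}') || return 1
  # delete-objects rejects an empty object list, which is the expected state for an already-empty bucket.
  aws s3api delete-objects \
    --bucket "${bucket_name}" \
    --delete "${versioned_objects}" || echo "Ignore the previous warning - an empty bucket is a good thing"
  echo "Waiting for bucket contents to be deleted..." && sleep 10
  aws s3 rb "s3://${bucket_name}" "$@" || echo "Bucket could not be deleted at this time. You should go to the AWS Console and delete the bucket manually."
}

#######################################
# create-mgmt: creates the truststore and terraform-state buckets, the state
# lock table and the (empty) account-id secrets in the mgmt account.
# Globals:   PROFILE_PREFIX, AWS_REGION_NAME (read)
# Returns:   1 if not logged in to mgmt or the bootstrap directory is missing;
#            other aws failures abort the script via errexit
#######################################
function _create_mgmt() {
  local truststore_bucket_name="${PROFILE_PREFIX}--truststore"
  local state_bucket_name="${PROFILE_PREFIX}--terraform-state"
  local secret_name
  _check_mgmt || return 1
  # locktable.json is resolved relative to this directory.
  cd terraform/bootstrap/mgmt || return 1
  aws s3api create-bucket --bucket "${truststore_bucket_name}" --region us-east-1 --create-bucket-configuration LocationConstraint="${AWS_REGION_NAME}"
  aws s3api create-bucket --bucket "${state_bucket_name}" --region us-east-1 --create-bucket-configuration LocationConstraint="${AWS_REGION_NAME}"
  # NOTE(review): only the state bucket gets a public-access block here; confirm whether the truststore bucket should too.
  aws s3api put-public-access-block --bucket "${state_bucket_name}" --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
  aws dynamodb create-table --cli-input-json file://locktable.json --region "${AWS_REGION_NAME}"
  # Secrets are created without a value; an operator populates them afterwards (create-non-mgmt reads them).
  while IFS= read -r secret_name; do
    aws secretsmanager create-secret --name "${secret_name}"
  done < <(_mgmt_secret_names)
}

#######################################
# delete-mgmt: removes the state lock table, the terraform-state bucket and
# the account-id secrets from the mgmt account. The truststore bucket is not
# touched by this command.
# Globals:   PROFILE_PREFIX (read)
# Returns:   1 if not logged in to mgmt, the directory is missing, the table
#            cannot be deleted or the bucket contents cannot be listed
#######################################
function _delete_mgmt() {
  local state_bucket_name="${PROFILE_PREFIX}--terraform-state"
  local state_lock_table_name="${PROFILE_PREFIX}--terraform-state-lock"
  local secret_name
  _check_mgmt || return 1
  cd terraform/bootstrap/mgmt || return 1
  aws dynamodb delete-table --table-name "${state_lock_table_name}" || return 1
  _empty_and_delete_bucket "${state_bucket_name}" || return 1
  while IFS= read -r secret_name; do
    aws secretsmanager delete-secret --secret-id "${secret_name}"
  done < <(_mgmt_secret_names)
}

#######################################
# create-non-mgmt: creates the terraform role in the current (non-mgmt)
# account with a trust policy pointing at the mgmt account id held in
# Secrets Manager.
# Globals:   MGMT_ACCOUNT_ID_LOCATION, TERRAFORM_ROLE_NAME (read)
# Outputs:   an instruction on stderr when the mgmt account id secret is unset
# Returns:   1 if not logged in to a non-mgmt account, the directory is
#            missing, the account id is unset, or any iam call fails
#######################################
function _create_non_mgmt() {
  local admin_policy_arn="arn:aws:iam::aws:policy/AdministratorAccess"
  local mgmt_account_id tf_assume_role_policy
  _check_non_mgmt || return 1
  # terraform-trust-policy.json is resolved relative to this directory.
  cd terraform/bootstrap/non-mgmt || return 1
  # A missing secret and a secret without a value both end up as an empty id; the aws error stays visible.
  mgmt_account_id=$(aws secretsmanager get-secret-value --secret-id "${MGMT_ACCOUNT_ID_LOCATION}" --query SecretString --output text) || mgmt_account_id=""
  if [[ -z "${mgmt_account_id}" ]]; then
    # create-secret fails when the secret already exists without a value; either way the operator has to set it.
    aws secretsmanager create-secret --name "${MGMT_ACCOUNT_ID_LOCATION}" || true
    echo "Please set ${MGMT_ACCOUNT_ID_LOCATION} in the Secrets Manager and rerun the script" >&2
    return 1
  fi
  # The account id is handed to awk as a variable rather than spliced into the program text.
  tf_assume_role_policy=$(awk -v mgmt_account_id="${mgmt_account_id}" '{sub(/REPLACEME/, mgmt_account_id)}1' terraform-trust-policy.json) || return 1
  aws iam create-role --role-name "${TERRAFORM_ROLE_NAME}" --assume-role-policy-document "${tf_assume_role_policy}" || return 1
  # NOTE(review): the role is granted AdministratorAccess; scope this down once the resources terraform manages are known.
  aws iam attach-role-policy --policy-arn "${admin_policy_arn}" --role-name "${TERRAFORM_ROLE_NAME}" || return 1
}

#######################################
# delete-non-mgmt: detaches the admin policy from the terraform role and
# deletes the role in the current (non-mgmt) account.
# Globals:   TERRAFORM_ROLE_NAME (read)
# Returns:   1 if not logged in to a non-mgmt account or an iam call fails
#######################################
function _delete_non_mgmt() {
  local admin_policy_arn="arn:aws:iam::aws:policy/AdministratorAccess"
  _check_non_mgmt || return 1
  aws iam detach-role-policy --policy-arn "${admin_policy_arn}" --role-name "${TERRAFORM_ROLE_NAME}" || return 1
  aws iam delete-role --role-name "${TERRAFORM_ROLE_NAME}" || return 1
  echo "Deleted role ${TERRAFORM_ROLE_NAME} and associated policy ${admin_policy_arn}"
}

#######################################
# Deletes (or schedules deletion of) one workspace resource identified by ARN.
# Arguments: $1 - resource ARN
#            $2 - workspace name (used for the API Gateway custom domain name)
# Outputs:   progress on stdout, skipped resources on stderr
# Returns:   1 if an S3 bucket's contents cannot be listed; any other failing
#            aws call aborts the script via errexit (the function is called plainly)
#######################################
function _destroy_tagged_resource() {
  local arn=$1
  local workspace=$2
  local rest_api_id parameter_path parameter_name parameter_suffix stream_name
  case "${arn}" in
    arn:aws:lambda*)
      echo "Deleting... : ${arn}"
      aws lambda delete-function --function-name "${arn}"
      ;;
    arn:aws:kms*)
      # KMS keys cannot be deleted outright; disable now and schedule deletion at the minimum 7-day window.
      echo "Disabling... : ${arn}"
      aws kms disable-key --key-id "${arn}"
      echo "Deleting... : ${arn}"
      aws kms schedule-key-deletion --key-id "${arn}" --pending-window-in-days 7
      ;;
    arn:aws:logs*)
      echo "Deleting... : ${arn}"
      # Log group name is the text after the last ':' of the ARN.
      aws logs delete-log-group --log-group-name "${arn##*:}"
      ;;
    arn:aws:secretsmanager*)
      echo "Deleting... : ${arn}"
      aws secretsmanager delete-secret --secret-id "${arn}"
      ;;
    arn:aws:apigateway*)
      echo "Deleting domain-name... : ${workspace}"
      aws apigateway delete-domain-name --domain-name "${workspace}.api.record-locator.dev.national.nhs.uk"
      echo "Deleting... : ${arn}"
      # REST API id is the path segment that follows "/restapis/".
      if [[ "${arn}" == */restapis/* ]]; then
        rest_api_id=${arn#*/restapis/}
        rest_api_id=${rest_api_id%%/*}
        aws apigateway delete-rest-api --rest-api-id "${rest_api_id}"
      else
        echo "Skipping apigateway resource without a /restapis/ path: ${arn}" >&2
      fi
      ;;
    arn:aws:dynamodb*)
      echo "Deleting... : ${arn}"
      # Table name is the text after the last '/' of the ARN.
      aws dynamodb delete-table --table-name "${arn##*/}"
      ;;
    arn:aws:s3*)
      echo "Deleting... : ${arn}"
      # Bucket name is the text after the last ':' of the ARN.
      _empty_and_delete_bucket "${arn##*:}" --force || return 1
      ;;
    arn:aws:ssm*)
      echo "Deleting... : ${arn}"
      # Rebuilds the parameter name from the last two path components, as the
      # original script did. NOTE(review): parameters nested deeper than
      # <name>/<suffix> would lose their leading components — confirm none exist.
      parameter_path=${arn##*:}
      parameter_suffix=${arn##*/}
      parameter_name=${parameter_path%/*}
      parameter_name=${parameter_name##*/}
      aws ssm delete-parameter --name "${parameter_name}/${parameter_suffix}"
      ;;
    arn:aws:acm*)
      echo "Deleting... : ${arn}"
      aws acm delete-certificate --certificate-arn "${arn}"
      ;;
    arn:aws:firehose*)
      echo "Deleting... : ${arn}"
      # Stream name is the text after the last '/' within the last ':'-separated field.
      stream_name=${arn##*:}
      stream_name=${stream_name##*/}
      aws firehose delete-delivery-stream --delivery-stream-name "${stream_name}"
      ;;
    *)
      echo "Unknown ARN type: ${arn}"
      ;;
  esac
}

#######################################
# destroy-non-mgmt: deletes every resource tagged workspace=<workspace> in the
# current (non-mgmt) account. Intended only for workspaces whose terraform
# destroy did not complete.
# Arguments: $1 - workspace name
# Outputs:   usage error on stderr when the workspace is missing
# Returns:   1 if the workspace is missing, the account check fails, the
#            resource listing fails, or a bucket's contents cannot be listed
#######################################
function _destroy_non_mgmt() {
  local workspace=${1:-}
  local resource_list item arn
  if [[ -z "${workspace}" ]]; then
    echo "destroy-non-mgmt requires a workspace name: bootstrap.sh destroy-non-mgmt <workspace>" >&2
    return 1
  fi
  _check_non_mgmt || return 1
  # One JSON object per line for every resource carrying the workspace tag.
  resource_list=$(aws resourcegroupstaggingapi get-resources --tag-filters Key=workspace,Values="${workspace}" | jq -c '.ResourceTagMappingList[]') || return 1
  # The loop runs in the current shell (not a pipeline subshell), so a failing
  # deletion stops the script under errexit instead of only killing a subshell.
  while IFS= read -r item; do
    [[ -n "${item}" ]] || continue
    arn=$(jq -r '.ResourceARN' <<< "${item}")
    _destroy_tagged_resource "${arn}" "${workspace}"
  done <<< "${resource_list}"
}

#######################################
# Entry point: dispatches the first argument to the matching command.
# Arguments: $1 - command (defaults to help when absent); $2 - workspace for destroy-non-mgmt
# Returns:   the status of the selected command; 1 for help/unknown commands
#######################################
function _bootstrap() {
  local command=${1:-help}
  case "${command}" in
    create-mgmt) _create_mgmt ;;
    delete-mgmt) _delete_mgmt ;;
    create-non-mgmt) _create_non_mgmt ;;
    delete-non-mgmt) _delete_non_mgmt ;;
    destroy-non-mgmt) _destroy_non_mgmt "${2:-}" ;;
    *) _bootstrap_help ;;
  esac
}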
# Hand every argument through to the dispatcher unchanged.
_bootstrap "$@"