Update aws sessions to use sso login

Opetushallitus · Nov 27, 2024 · 3ae8a23 · 3ae8a23
1 parent 81d0067
commit 3ae8a23
Show file tree

Hide file tree

Showing 6 changed files with 39 additions and 32 deletions.
diff --git a/cdk/aws.sh b/cdk/aws.sh
@@ -5,11 +5,11 @@ set -o errexit -o nounset -o pipefail
 source "$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )/../scripts/common-functions.sh"
 
 function main {
+  require_docker
   parse_env_from_script_name "aws"
-  configure_aws
 
-  require_docker
-  require_federation_session
+  configure_aws
+  require_aws_session "$ENV"
 
   aws "$@"
 }

diff --git a/cdk/scripts/bootstrap.sh b/cdk/scripts/bootstrap.sh
@@ -53,7 +53,7 @@ function bootstrap_cdk {
   cd "$repo/cdk"
   info "Bootstrapping CDK"
 
-  require_federation_session
+  require_aws_session "$ENV"
   require_cdk_context
 
   readonly context_variable_name="AWS_ACCOUNT_ID_$env_upper"
@@ -62,9 +62,6 @@ function bootstrap_cdk {
   readonly us_east_1="us-east-1"
 
   info "Running cdk bootstrap in account $aws_account_id in region $aws_region and $us_east_1"
-  export AWS_PROFILE="oph-va-$ENV"
-  export AWS_CONFIG_FILE="$VA_SECRETS_REPO/aws_config"
-
   REVISION=${revision} \
   npm run cdk -- bootstrap "$aws_account_id/$aws_region" "$aws_account_id/$us_east_1"
 }

diff --git a/scripts/common-functions.sh b/scripts/common-functions.sh
@@ -20,15 +20,6 @@ readonly VIRKAILIJA_HOSTNAME=${VIRKAILIJA_HOSTNAME:-"localhost"}
 
 readonly AWS_CLI_VERSION="2.15.1"
 
-function require_federation_session {
-  info "Verifying that oph-federation session has not expired"
-
-  aws sts get-caller-identity --profile=oph-federation 1>/dev/null || {
-    fatal "Could not check that AWS credentials are working. Please log in with cdk/scripts/refresh-oph-federation-session.sh"
-    exit 254
-  }
-}
-
 function require_cdk_context {
   if ! running_on_gh_actions; then
     source "$VA_SECRETS_REPO/cdk_context.sh"
@@ -39,8 +30,8 @@ function configure_aws {
   export AWS_REGION="eu-west-1"
   if ! running_on_gh_actions; then
     check_env
-    export AWS_PROFILE="oph-va-$ENV"
-    info "Using AWS config from secrets repo, with profile $AWS_PROFILE"
+    export AWS_PROFILE="oph-valtionavustukset-$ENV"
+    info "Using AWS config with profile $AWS_PROFILE"
   fi
 }
 
@@ -59,14 +50,25 @@ function aws {
       --env AWS_PROFILE \
       --env AWS_REGION \
       --env AWS_DEFAULT_REGION \
-      --env AWS_CONFIG_FILE="/aws_config" \
-      --mount "type=bind,source=$VA_SECRETS_REPO/aws_config,destination=/aws_config,readonly" \
       --volume "$HOME/.aws:/root/.aws" \
+      --env AWS_CONFIG_FILE="/root/.aws/config" \
       "public.ecr.aws/aws-cli/aws-cli:$AWS_CLI_VERSION" \
       "$@"
   fi
 }
 
+function require_aws_session {
+    info "Verifying that AWS session has not expired for oph-valtionavustukset-$1"
+    aws sts get-caller-identity --profile "oph-valtionavustukset-$1" 1>/dev/null || {
+      info "Session is expired"
+      aws --profile "oph-valtionavustukset-$1" sso login
+    }
+    export AWS_PROFILE="oph-valtionavustukset-$1"
+    export AWS_REGION="eu-west-1"
+    export AWS_DEFAULT_REGION="$AWS_REGION"
+    info "Using AWS profile $AWS_PROFILE"
+}
+
 function check_env {
   if [ -z "${ENV:-}" ]; then
     fatal "\$ENV not set"

diff --git a/scripts/psql/docker-compose.yml b/scripts/psql/docker-compose.yml
@@ -13,9 +13,8 @@ services:
       timeout: 2s
     volumes:
       - $HOME/.aws:/root/.aws
-      - $AWS_CONFIG_FILE:/aws_config:ro
     environment:
       - AWS_PROFILE
       - AWS_REGION
       - AWS_DEFAULT_REGION
-      - AWS_CONFIG_FILE=/aws_config
+      - AWS_CONFIG_FILE=/root/.aws/config
diff --git a/scripts/psql/psql-va.sh b/scripts/psql/psql-va.sh
@@ -25,7 +25,7 @@ function main {
 
   parse_env_from_script_name "psql-va"
   configure_aws
-  require_federation_session
+  require_aws_session "$ENV"
   start_db_tunnel
 
   echo "Connecting to VA db on [${ENV}]"

diff --git a/servers/README.md b/servers/README.md
@@ -12,18 +12,27 @@
 Lisää `~/.aws/config` tiedostoon seuraavat profiilit:
 
 ```
-[profile oph-va-dev]
-source_profile = oph-federation
-role_arn = arn:aws:iam::744751949839:role/CustomerCloudAdmin
+[sso-session oph-federation]
+sso_session=oph-federation
+sso_region=eu-west-1
+sso_start_url = https://oph-aws-sso.awsapps.com/start
+sso_registration_scopes = sso:account:access
+
+[profile oph-valtionavustukset-dev]
 region = eu-west-1
+sso_session = oph-federation
+sso_account_id = 744751949839
+sso_role_name = AdministratorAccess
 
-[profile oph-va-qa]
-source_profile = oph-federation
-role_arn = arn:aws:iam::596991599170:role/CustomerCloudAdmin
+[profile oph-valtionavustukset-qa]
 region = eu-west-1
+sso_session = oph-federation
+sso_account_id = 596991599170
+sso_role_name = AdministratorAccess
 
-[profile oph-va-prod]
-source_profile = oph-federation
-role_arn = arn:aws:iam::250854697970:role/CustomerCloudAdmin
+[profile oph-valtionavustukset-prod]
 region = eu-west-1
+sso_session = oph-federation
+sso_account_id = 250854697970
+sso_role_name = AdministratorAccess
 ```