From 3ae8a232d7a8f667cbee6c0d709b9de699efe05c Mon Sep 17 00:00:00 2001
From: Ville Aaltonen
Date: Wed, 27 Nov 2024 12:10:50 +0200
Subject: [PATCH] Update aws sessions to use sso login
---
 cdk/aws.sh | 6 +++---
 cdk/scripts/bootstrap.sh | 5 +----
 scripts/common-functions.sh | 28 +++++++++++++++------------
 scripts/psql/docker-compose.yml | 3 +--
 scripts/psql/psql-va.sh | 2 +-
 servers/README.md | 27 ++++++++++++++++++---------
 6 files changed, 39 insertions(+), 32 deletions(-)
diff --git a/cdk/aws.sh b/cdk/aws.sh
index ef5bc963b4..ee5dc415c8 100755
--- a/cdk/aws.sh
+++ b/cdk/aws.sh
@@ -5,11 +5,11 @@ set -o errexit -o nounset -o pipefail
 source "$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )/../scripts/common-functions.sh"
 function main {
+ require_docker
 parse_env_from_script_name "aws"
- configure_aws
- require_docker
- require_federation_session
+ configure_aws
+ require_aws_session "$ENV"
 aws "$@"
 }
diff --git a/cdk/scripts/bootstrap.sh b/cdk/scripts/bootstrap.sh
index 7f246bc990..6e1aaffb63 100755
--- a/cdk/scripts/bootstrap.sh
+++ b/cdk/scripts/bootstrap.sh
@@ -53,7 +53,7 @@ function bootstrap_cdk {
 cd "$repo/cdk"
 info "Bootstrapping CDK"
- require_federation_session
+ require_aws_session "$ENV"
 require_cdk_context
 readonly context_variable_name="AWS_ACCOUNT_ID_$env_upper"
@@ -62,9 +62,6 @@ function bootstrap_cdk {
 readonly us_east_1="us-east-1"
 info "Running cdk bootstrap in account $aws_account_id in region $aws_region and $us_east_1"
- export AWS_PROFILE="oph-va-$ENV"
- export AWS_CONFIG_FILE="$VA_SECRETS_REPO/aws_config"
-
 REVISION=${revision} \
 npm run cdk -- bootstrap "$aws_account_id/$aws_region" "$aws_account_id/$us_east_1"
 }
diff --git a/scripts/common-functions.sh b/scripts/common-functions.sh
index 5dda38e59d..5bd46d767f 100644
--- a/scripts/common-functions.sh
+++ b/scripts/common-functions.sh
@@ -20,15 +20,6 @@ readonly VIRKAILIJA_HOSTNAME=${VIRKAILIJA_HOSTNAME:-"localhost"}
 readonly AWS_CLI_VERSION="2.15.1"
-function require_federation_session {
- info "Verifying that oph-federation session has not expired"
-
- aws sts get-caller-identity --profile=oph-federation 1>/dev/null || {
- fatal "Could not check that AWS credentials are working. Please log in with cdk/scripts/refresh-oph-federation-session.sh"
- exit 254
- }
-}
-
 function require_cdk_context {
 if ! running_on_gh_actions; then
 source "$VA_SECRETS_REPO/cdk_context.sh"
@@ -39,8 +30,8 @@ function configure_aws {
 export AWS_REGION="eu-west-1"
 if ! running_on_gh_actions; then
 check_env
- export AWS_PROFILE="oph-va-$ENV"
- info "Using AWS config from secrets repo, with profile $AWS_PROFILE"
+ export AWS_PROFILE="oph-valtionavustukset-$ENV"
+ info "Using AWS config with profile $AWS_PROFILE"
 fi
 }
@@ -59,14 +50,25 @@ function aws {
 --env AWS_PROFILE \
 --env AWS_REGION \
 --env AWS_DEFAULT_REGION \
- --env AWS_CONFIG_FILE="/aws_config" \
- --mount "type=bind,source=$VA_SECRETS_REPO/aws_config,destination=/aws_config,readonly" \
 --volume "$HOME/.aws:/root/.aws" \
+ --env AWS_CONFIG_FILE="/root/.aws/config" \
 "public.ecr.aws/aws-cli/aws-cli:$AWS_CLI_VERSION" \
 "$@"
 fi
 }
+function require_aws_session {
+ info "Verifying that AWS session has not expired for oph-valtionavustukset-$1"
+ aws sts get-caller-identity --profile "oph-valtionavustukset-$1" 1>/dev/null || {
+ info "Session is expired"
+ aws --profile "oph-valtionavustukset-$1" sso login
+ }
+ export AWS_PROFILE="oph-valtionavustukset-$1"
+ export AWS_REGION="eu-west-1"
+ export AWS_DEFAULT_REGION="$AWS_REGION"
+ info "Using AWS profile $AWS_PROFILE"
+}
+
 function check_env {
 if [ -z "${ENV:-}" ]; then
 fatal "\$ENV not set"
diff --git a/scripts/psql/docker-compose.yml b/scripts/psql/docker-compose.yml
index 701b800d98..5afabff1bd 100644
--- a/scripts/psql/docker-compose.yml
+++ b/scripts/psql/docker-compose.yml
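Review bot: `require_aws_session` (third hunk) runs `sso login` when `aws sts get-caller-identity` fails but never re-verifies the identity afterwards, so an SSO login that completes without access to the requested account/role, or an identity failure caused by something other than expiry (missing profile, network), still reaches the `export` lines and the caller continues with an unusable session; the removed `require_federation_session` treated this case as `fatal`, so re-check after login and fail if it still does not succeed. The profile string `oph-valtionavustukset-$1` is written out four times here and a fifth time in `configure_aws` (second hunk); a single `local profile="oph-valtionavustukset-$1"` keeps the two from drifting, and `AWS_PROFILE`/`AWS_REGION` are now exported twice at every call site that runs `configure_aws` immediately before it (cdk/aws.sh, scripts/psql/psql-va.sh). One thing to confirm: `aws --profile … sso login` goes through the docker-wrapped `aws` function above, so the SSO token cache is written by the container's root user into the bind-mounted `$HOME/.aws`; on a Linux host those cache files will presumably end up root-owned, which an `aws sso login` run outside the container could then not refresh.
```shell
function require_aws_session {
  local profile="oph-valtionavustukset-$1"
  info "Verifying that AWS session has not expired for $profile"
  if ! aws sts get-caller-identity --profile "$profile" 1>/dev/null; then
    info "No valid session for $profile, starting SSO login"
    aws --profile "$profile" sso login
    # A completed login is not proof the profile's account/role is usable.
    aws sts get-caller-identity --profile "$profile" 1>/dev/null || {
      fatal "AWS session for $profile is still not valid after SSO login"
      exit 254
    }
  fi
  export AWS_PROFILE="$profile"
  # … unchanged: AWS_REGION / AWS_DEFAULT_REGION exports and the closing info …
}
```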
@@ -13,9 +13,8 @@ services:
 timeout: 2s
 volumes:
 - $HOME/.aws:/root/.aws
- - $AWS_CONFIG_FILE:/aws_config:ro
 environment:
 - AWS_PROFILE
 - AWS_REGION
 - AWS_DEFAULT_REGION
- - AWS_CONFIG_FILE=/aws_config
+ - AWS_CONFIG_FILE=/root/.aws/config
diff --git a/scripts/psql/psql-va.sh b/scripts/psql/psql-va.sh
index e5d714cb70..6acad2dd0d 100755
--- a/scripts/psql/psql-va.sh
+++ b/scripts/psql/psql-va.sh
@@ -25,7 +25,7 @@ function main {
 parse_env_from_script_name "psql-va"
 configure_aws
- require_federation_session
+ require_aws_session "$ENV"
 start_db_tunnel
 echo "Connecting to VA db on [${ENV}]"
diff --git a/servers/README.md b/servers/README.md
index 08b7a76b49..32e050d1a1 100644
--- a/servers/README.md
+++ b/servers/README.md
@@ -12,18 +12,27 @@ Lisää `~/.aws/config` tiedostoon seuraavat profiilit:
 ```
-[profile oph-va-dev]
-source_profile = oph-federation
-role_arn = arn:aws:iam::744751949839:role/CustomerCloudAdmin
+[sso-session oph-federation]
+sso_session=oph-federation
+sso_region=eu-west-1
+sso_start_url = https://oph-aws-sso.awsapps.com/start
+sso_registration_scopes = sso:account:access
+
+[profile oph-valtionavustukset-dev]
 region = eu-west-1
+sso_session = oph-federation
+sso_account_id = 744751949839
+sso_role_name = AdministratorAccess
-[profile oph-va-qa]
-source_profile = oph-federation
-role_arn = arn:aws:iam::596991599170:role/CustomerCloudAdmin
+[profile oph-valtionavustukset-qa]
 region = eu-west-1
+sso_session = oph-federation
+sso_account_id = 596991599170
+sso_role_name = AdministratorAccess
-[profile oph-va-prod]
-source_profile = oph-federation
-role_arn = arn:aws:iam::250854697970:role/CustomerCloudAdmin
+[profile oph-valtionavustukset-prod]
 region = eu-west-1
+sso_session = oph-federation
+sso_account_id = 250854697970
+sso_role_name = AdministratorAccess
 ```