From 25b517b6769d8cf51abd65852e2cc264e2368730 Mon Sep 17 00:00:00 2001
From: xpk
Date: Mon, 3 Jul 2023 19:57:25 +0800
Subject: [PATCH] UPD: changed to bash, added pipeline option, and switched to jq @base64

---
 modules/util/assume_role/assumeRole.sh | 5 +++-
 modules/util/assume_role/main.tf | 6 +---
 modules/util/awscli/main.tf | 7 ++---
 .../{awsWithAssumeRole.sh => run_awscli.sh} | 30 ++++++++-----------
 modules/util/awscli/variables.tf | 19 +++++++-----
 5 files changed, 30 insertions(+), 37 deletions(-)
 rename modules/util/awscli/{awsWithAssumeRole.sh => run_awscli.sh} (52%)

diff --git a/modules/util/assume_role/assumeRole.sh b/modules/util/assume_role/assumeRole.sh
index 37d5478..0fc0b21 100755
--- a/modules/util/assume_role/assumeRole.sh
+++ b/modules/util/assume_role/assumeRole.sh
@@ -1,4 +1,7 @@
-#!/usr/bin/env sh
+#!/usr/bin/env bash
+
+ # tell bash to exit if any subcommand fails
+set -eo pipefail
 
 # Validate required commands
 if ! [ -x "$(command -v aws)" ]; then
diff --git a/modules/util/assume_role/main.tf b/modules/util/assume_role/main.tf
index bb125e2..ed8bed7 100644
--- a/modules/util/assume_role/main.tf
+++ b/modules/util/assume_role/main.tf
@@ -1,11 +1,7 @@
-locals {
-  assume_role_arn = "arn:aws:iam::${var.account_id}:role/${var.role_name}"
-}
-
 data "external" "awscli" {
   program = [format("%s/assumeRole.sh", path.module)]
   query = {
-    assume_role_arn = local.assume_role_arn
+    assume_role_arn = "arn:aws:iam::${var.account_id}:role/${var.role_name}"
     role_session_name = var.role_session_name
   }
 }
diff --git a/modules/util/awscli/main.tf b/modules/util/awscli/main.tf
index 44aa3bf..a24320c 100644
--- a/modules/util/awscli/main.tf
+++ b/modules/util/awscli/main.tf
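Review bot: The new `set -eo pipefail` in assumeRole.sh leaves `-u` out, so a mistyped variable name expands to an empty string (and, for the credential exports, an empty credential) instead of aborting; prefer `set -euo pipefail` unless the body outside this hunk deliberately reads unset variables. The comment above it also overstates what `-e` does: commands in `if`/`&&`/`||` conditions and command substitutions used as arguments to another command are not covered, so something like `# abort on unhandled command or pipeline-stage failure (not commands in conditions or in $(...) used as arguments)` would be more accurate. The identical hunk at the top of run_awscli.sh has the same two points. The remainder of both scripts lies outside these hunks.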
@@ -1,9 +1,5 @@
-#locals {
-# joined_aws_cli_command = join(" ", var.aws_cli_commands)
-#}
-
 data "external" "awscli_program" {
-  program = [format("%s/awsWithAssumeRole.sh", path.module)]
+  program = [format("%s/run_awscli.sh", path.module)]
   query = {
     access_key = var.access_key
     secret_key = var.secret_key
@@ -12,6 +8,7 @@ data "external" "awscli_program" {
   }
 }
 
+# decode encapsulated string back to original
 output awscliout {
   value = jsondecode(base64decode(data.external.awscli_program.result.awscliout))
 }
\ No newline at end of file
diff --git a/modules/util/awscli/awsWithAssumeRole.sh b/modules/util/awscli/run_awscli.sh
similarity index 52%
rename from modules/util/awscli/awsWithAssumeRole.sh
rename to modules/util/awscli/run_awscli.sh
index 8e95483..1de5447 100755
--- a/modules/util/awscli/awsWithAssumeRole.sh
+++ b/modules/util/awscli/run_awscli.sh
@@ -1,4 +1,7 @@
-#!/usr/bin/env sh
+#!/usr/bin/env bash
+
+ # tell bash to exit if any subcommand fails
+set -eo pipefail
 
 # Validate required commands
 if ! [ -x "$(command -v aws)" ]; then
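Review bot: The `awscliout` output in the second hunk of awscli/main.tf decodes whatever the CLI printed into plan output and state without being marked sensitive, and the `data "external"` result is not redacted just because `access_key`/`secret_key` in its `query` are sensitive variables, so a command such as an STS or Secrets Manager call would expose its payload in plaintext. Either add `sensitive = true` to the output or state the trade-off in the new comment, e.g. `# decode encapsulated string back to original; the decoded CLI output is shown in plan output and stored in state unredacted`. Whether Terraform propagates sensitivity through this data source in the version the module targets is worth confirming before relying on it.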
@@ -10,33 +13,24 @@ if ! [ -x "$(command -v jq)" ]; then
   exit 1
 fi
 
-# Get the query
+# Process inputs
 TERRAFORM_QUERY=$(jq -Mc .)
-
-# Extract the query attributes
 AWS_CLI_COMMANDS=$(echo "${TERRAFORM_QUERY}" | jq -r '.aws_cli_commands')
-AWS_CLI_QUERY=$(echo "${TERRAFORM_QUERY}" | jq -r '.aws_cli_query')
 access_key=$(echo "${TERRAFORM_QUERY}" | jq -r '.access_key')
 secret_key=$(echo "${TERRAFORM_QUERY}" | jq -r '.secret_key')
 session_token=$(echo "${TERRAFORM_QUERY}" | jq -r '.session_token')
 
-# Do we need to assume a role?
+# Set temp credentials if provided
 if [ -n "${access_key}" ]; then
   export AWS_ACCESS_KEY_ID=$access_key
   export AWS_SECRET_ACCESS_KEY=$secret_key
   export AWS_SESSION_TOKEN=$session_token
 fi
 
-# Disable any assigned pager
-export AWS_PAGER=""
+# awscli options
+export AWS_PAGER="" # disable pager
+export AWS_RETRY_MODE=standard # adaptive causes throttling, use standard for now
+export AWS_MAX_ATTEMPTS=3 # default is 2
 
-# Configure adaptive retry mode
-# export AWS_RETRY_MODE=adaptive
-export AWS_RETRY_MODE=standard
-export AWS_MAX_ATTEMPTS=3
-
-# Run the AWS_CLI command
-# aws sts get-caller-identity --query Arn > /tmp/awscli.log
-# echo '{"awscliout" : "'$(aws ${AWS_CLI_COMMANDS} | base64 -w0)'"}' | tee -a /tmp/awscli.log
-
-jq -n --arg jqarg1 $(aws ${AWS_CLI_COMMANDS} | base64 -w0) '{ "awscliout" : $jqarg1 }'
+# Run the awscli command, encapsulate output in base64
+jq -n --arg jqarg1 "$(aws ${AWS_CLI_COMMANDS})" '{ "awscliout" : $jqarg1 | @base64 }'
diff --git a/modules/util/awscli/variables.tf b/modules/util/awscli/variables.tf
index 73e8132..026549f 100644
--- a/modules/util/awscli/variables.tf
+++ b/modules/util/awscli/variables.tf
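Review bot: On the last added line, the `aws` call runs inside a command substitution that is an argument to `jq`, so its failure is invisible to `set -e` (only jq's exit status counts) and a failed CLI invocation still emits `{"awscliout":""}`, which Terraform then rejects with an unrelated `jsondecode`/`base64decode` error instead of the CLI's own message. Capture the output in an assignment first so the failure aborts the script with stderr intact: `AWS_CLI_OUTPUT=$(aws ${AWS_CLI_COMMANDS})` followed by `jq -n --arg jqarg1 "${AWS_CLI_OUTPUT}" '{ "awscliout" : $jqarg1 | @base64 }'`. The unquoted `${AWS_CLI_COMMANDS}` is pre-existing and presumably intended to word-split a command string, but it is also glob-expanded and cannot carry an argument containing spaces; a comment stating that constraint, e.g. `# intentionally unquoted: the string is split into CLI arguments (no globs or spaces inside arguments)`, would save the next reader from "fixing" it.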
@@ -1,15 +1,18 @@
 variable "aws_cli_commands" {
-  type = string
-}
-
-variable access_key {
   type = string
 }
 
-variable secret_key {
-  type = string
+variable "access_key" {
+  type = string
+  sensitive = true
 }
 
-variable session_token {
-  type = string
+variable "secret_key" {
+  type = string
+  sensitive = true
+}
+
+variable "session_token" {
+  type = string
+  sensitive = true
 }
\ No newline at end of file
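Review bot: `sensitive = true` on the three credential variables only suppresses them in plan/apply output; they are still handed to `data "external" "awscli_program"` through its `query`, and data-source configuration is persisted in state, so the state backend must be treated as holding live credentials — a comment such as `# sensitive only redacts CLI display; the value still reaches state via the data.external query` on each variable would make that explicit. The script's `if [ -n "${access_key}" ]` treats the credentials as optional, yet none of these variables has a default, so every caller must supply them (if only as empty strings); if optional is the intent, `default = ""` on each would make the module contract match the script. `aws_cli_commands` remains an unconstrained string and is the one input that actually shapes the command executed, so it deserves at least as much attention as the credentials.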