UPD: changed to bash, added pipeline option, and switched to jq @base64

2023-07-03 19:57:25 +08:00 · 2023-07-03 19:57:25 +08:00 · 25b517b676
commit 25b517b676
parent c3d8b0a030
5 changed files with 30 additions and 37 deletions
--- a/modules/util/assume_role/assumeRole.sh
+++ b/modules/util/assume_role/assumeRole.sh
@ -1,4 +1,7 @@
-#!/usr/bin/env sh
+#!/usr/bin/env bash
 # tell bash to exit if any subcommand fails
 set -eo pipefail
 # Validate required commands
 if ! [ -x "$(command -v aws)" ]; then
--- a/modules/util/assume_role/main.tf
+++ b/modules/util/assume_role/main.tf
@ -1,11 +1,7 @@
 locals {
  assume_role_arn = "arn:aws:iam::${var.account_id}:role/${var.role_name}"
 }
 data "external" "awscli" {
  program = [format("%s/assumeRole.sh", path.module)]
  query = {
-    assume_role_arn   = local.assume_role_arn
+    assume_role_arn   = "arn:aws:iam::${var.account_id}:role/${var.role_name}"
    role_session_name = var.role_session_name
  }
 }
--- a/modules/util/awscli/main.tf
+++ b/modules/util/awscli/main.tf
@ -1,9 +1,5 @@
 #locals {
 #  joined_aws_cli_command = join(" ", var.aws_cli_commands)
 #}
 data "external" "awscli_program" {
-  program = [format("%s/awsWithAssumeRole.sh", path.module)]
+  program = [format("%s/run_awscli.sh", path.module)]
  query = {
    access_key       = var.access_key
    secret_key       = var.secret_key
@ -12,6 +8,7 @@ data "external" "awscli_program" {
  }
 }
 # decode encapsulated string back to original
 output awscliout {
  value = jsondecode(base64decode(data.external.awscli_program.result.awscliout))
 }
--- a/modules/util/awscli/awsWithAssumeRole.sh
+++ b/modules/util/awscli/awsWithAssumeRole.sh
@ -1,4 +1,7 @@
-#!/usr/bin/env sh
+#!/usr/bin/env bash
 # tell bash to exit if any subcommand fails
 set -eo pipefail
 # Validate required commands
 if ! [ -x "$(command -v aws)" ]; then
@ -10,33 +13,24 @@ if ! [ -x "$(command -v jq)" ]; then
  exit 1
 fi
-# Get the query
+# Process inputs
 TERRAFORM_QUERY=$(jq -Mc .)
 # Extract the query attributes
 AWS_CLI_COMMANDS=$(echo "${TERRAFORM_QUERY}" | jq -r '.aws_cli_commands')
 AWS_CLI_QUERY=$(echo "${TERRAFORM_QUERY}" | jq -r '.aws_cli_query')
 access_key=$(echo "${TERRAFORM_QUERY}" | jq -r '.access_key')
 secret_key=$(echo "${TERRAFORM_QUERY}" | jq -r '.secret_key')
 session_token=$(echo "${TERRAFORM_QUERY}" | jq -r '.session_token')
-# Do we need to assume a role?
+# Set temp credentials if provided
 if [ -n "${access_key}" ]; then
  export AWS_ACCESS_KEY_ID=$access_key
  export AWS_SECRET_ACCESS_KEY=$secret_key
  export AWS_SESSION_TOKEN=$session_token
 fi
-# Disable any assigned pager
+# awscli options
-export AWS_PAGER=""
+export AWS_PAGER="" # disable pager
 export AWS_RETRY_MODE=standard # adaptive causes throttling, use standard for now
 export AWS_MAX_ATTEMPTS=3 # default is 2
-# Configure adaptive retry mode
+# Run the awscli command, encapsulate output in base64
-# export AWS_RETRY_MODE=adaptive
+jq -n --arg jqarg1 "$(aws ${AWS_CLI_COMMANDS})" '{ "awscliout" : $jqarg1 | @base64 }'
 export AWS_RETRY_MODE=standard
 export AWS_MAX_ATTEMPTS=3
 # Run the AWS_CLI command
 # aws sts get-caller-identity --query Arn > /tmp/awscli.log
 # echo '{"awscliout" : "'$(aws ${AWS_CLI_COMMANDS}  | base64 -w0)'"}' | tee -a /tmp/awscli.log
 jq -n --arg jqarg1 $(aws ${AWS_CLI_COMMANDS}  | base64 -w0) '{ "awscliout" : $jqarg1 }'
--- a/modules/util/awscli/variables.tf
+++ b/modules/util/awscli/variables.tf
@ -1,15 +1,18 @@
 variable "aws_cli_commands" {
  type        = string
 }
 variable access_key {
  type = string
 }
-variable secret_key {
+variable "access_key" {
-  type = string
+  type      = string
  sensitive = true
 }
-variable session_token {
+variable "secret_key" {
-  type = string
+  type      = string
  sensitive = true
 }
 variable "session_token" {
  type      = string
  sensitive = true
 }