terraform.aws-baseline-infra/modules/util/terraform-aws-cli/scripts/awsWithAssumeRole.sh


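#!/usr/bin/env sh
# Terraform "external" data source wrapper around the AWS CLI.
#
# Reads the data-source query (a JSON object) from stdin, optionally assumes an
# IAM role, runs `aws <aws_cli_commands>` and stores the CLI's JSON output in
# `output_file`. On success the only thing written to stdout is the JSON object
# {"output_file": "<path>"} that Terraform expects; all diagnostics go to
# stderr so they can never corrupt that protocol.
#
# Query attributes (all strings; an absent or empty value means "not used"):
#   aws_cli_commands    sub-command and arguments passed to `aws` (required)
#   aws_cli_query       JMESPath expression passed as `--query`
#   output_file         file that receives the CLI's JSON output (required)
#   assume_role_arn     role to assume with `aws sts assume-role` first
#   role_session_name   session name for the assumed role (default: AssumingRole)
#   debug_log_filename  if set, `aws --debug` stderr is written to this file
set -eu

# Print a message to stderr and exit non-zero. stdout is reserved for the
# Terraform result JSON, so diagnostics must never go there.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Abort unless the named command is on PATH and executable.
require_cmd() {
  [ -x "$(command -v "$1")" ] || die "Error: $1 is not installed."
}

# Print query attribute $1 as a raw string, or nothing when it is absent/null.
# A plain `jq -r .key` prints the literal word "null" for a missing key, which
# would otherwise be mistaken for a real value (e.g. a role ARN of "null").
query_field() {
  printf '%s\n' "${TERRAFORM_QUERY}" | jq -r --arg key "$1" '.[$key] // empty'
}

require_cmd aws
require_cmd jq

# Read and normalise the query object from stdin.
TERRAFORM_QUERY=$(jq -Mc .) || die 'Error: stdin is not a valid JSON query.'

AWS_CLI_COMMANDS=$(query_field aws_cli_commands)
AWS_CLI_QUERY=$(query_field aws_cli_query)
OUTPUT_FILE=$(query_field output_file)
ASSUME_ROLE_ARN=$(query_field assume_role_arn)
ROLE_SESSION_NAME=$(query_field role_session_name)
DEBUG_LOG_FILENAME=$(query_field debug_log_filename)

[ -n "${AWS_CLI_COMMANDS}" ] || die 'Error: aws_cli_commands is required.'
[ -n "${OUTPUT_FILE}" ] || die 'Error: output_file is required.'

# Assume the requested role and hand its temporary credentials to the CLI via
# the environment (not via argv, where they would be visible in `ps`). A failed
# assume-role is reported here instead of surfacing later as a confusing
# "aws failed" with credentials set to the string "null".
if [ -n "${ASSUME_ROLE_ARN}" ]; then
  TEMP_ROLE=$(aws sts assume-role --output json \
    --role-arn "${ASSUME_ROLE_ARN}" \
    --role-session-name "${ROLE_SESSION_NAME:-AssumingRole}") \
    || die "Error: aws sts assume-role failed for ${ASSUME_ROLE_ARN}."
  AWS_ACCESS_KEY_ID=$(printf '%s\n' "${TEMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
  AWS_SECRET_ACCESS_KEY=$(printf '%s\n' "${TEMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
  AWS_SESSION_TOKEN=$(printf '%s\n' "${TEMP_ROLE}" | jq -r '.Credentials.SessionToken')
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
fi

# Optional JMESPath filter. The expression is wrapped in single quotes for the
# eval below, so a query containing a literal single quote is not supported.
AWS_CLI_QUERY_PARAM=""
if [ -n "${AWS_CLI_QUERY}" ]; then
  AWS_CLI_QUERY_PARAM="--query '${AWS_CLI_QUERY}'"
fi

# Optional debug log. `aws --debug` writes full request/response traces, so the
# log may hold sensitive material (possibly including the session token);
# keep its directory access-restricted. The file name is double-quoted inside
# the eval string so paths containing spaces work.
AWS_DEBUG_OPTION=""
if [ -n "${DEBUG_LOG_FILENAME}" ]; then
  mkdir -p "$(dirname "${DEBUG_LOG_FILENAME}")"
  AWS_DEBUG_OPTION="--debug 2>\"${DEBUG_LOG_FILENAME}\""
fi

# Start from a clean output file in an existing directory.
mkdir -p "$(dirname "${OUTPUT_FILE}")"
rm -f "${OUTPUT_FILE}"

# Non-interactive, deterministic CLI behaviour.
export AWS_PAGER=""
# export AWS_RETRY_MODE=adaptive
export AWS_RETRY_MODE=standard
export AWS_MAX_ATTEMPTS=3

# Run the CLI. eval is needed because aws_cli_commands is a single string that
# may carry its own shell quoting, and the debug option carries a stderr
# redirect. Everything spliced into this line is therefore interpreted by the
# shell: these values must come only from trusted Terraform configuration,
# never from user- or network-supplied data.
if ! eval "aws ${AWS_CLI_COMMANDS} ${AWS_CLI_QUERY_PARAM} --output json ${AWS_DEBUG_OPTION}" >"${OUTPUT_FILE}"; then
  die 'Error: aws failed.'
fi

# Report the result to Terraform; jq takes care of JSON-escaping the path.
jq -nc --arg output_file "${OUTPUT_FILE}" '{output_file: $output_file}'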