Ejemplos de resource_workspace_required en Python

Ejemplo n.º 1

Archivo: avm-create-bitbucket.py Proyecto: tlz-pmr/terraform-aws-avm

def lambda_handler(event, context):
    repo_name = None
    account_Id = event["AccountId"]
    account_info = avm_common.get_account_details(account_Id)
    account_details = account_info["org_details"]
    #pp.pprint(account_details)
    baseline_details = json.loads(account_details["baseline_details"])
    account_type  = account_details["accountType"]

    baseline_repo = baseline_details["git"]

    repo_name = baseline_repo.split("/")[-1].replace(".git","")
    print(repo_name)
    ## Might want to make this a global variable
    vended_baselines_project = avm_common.get_param("vended_baselines_project")
    #project = "tlz-vb"
    #pp.pprint(project.upper())

    git = gitMgr()
    template = git.get_baseline_template_repo(repo_name)
    print(template)
    # Create baseline repo
    git.fork_repo(template,vended_baselines_project.upper(),repo_name)

    #print(account_details)
    try:
        account_request = json.loads(account_details["account_request"])
        environment_type = account_request["intEnvironment"].lower()
    except Exception:
        environment_type = "null"

    user_managed_roles = avm_common.get_delegated_user_managed_roles()
    group_list = avm_common.generate_okta_group_names(account_Id, account_type, environment_type, account_details["alias"].lower())
    
    for group in group_list:
        for role in user_managed_roles:
            if group.endswith(role):
                print(f"Group to be granted permissions to Bitbucket baseline repo: {group}")
                git.create_group(group)
                git.grant_repository_access(vended_baselines_project.upper(), repo_name, group, get_repository_access_for_role(role, "baseline"))
                # TODO: Add merge check restriction

    if avm_common.resource_workspace_required(account_type):
        # Create an additional repo for the application and sandbox
        # app-repo template
        app_details = json.loads(account_details["app_details"])
        print("App details")
        print(app_details)
        app_repo = app_details["git"]
        repo_name = app_repo.split("/")[-1].replace(".git","")
        print(repo_name)
        vended_applications_project = avm_common.get_param("vended_applications_project")
        template = f"{account_type.lower()}-resources"
        git.fork_repo(template,vended_applications_project.upper(),repo_name)

        for group in group_list:
            for role in user_managed_roles:
                if group.endswith(role):
                    print(f"Group to be granted permissions to Bitbucket resource repo: {group}")
                    git.grant_repository_access(vended_applications_project.upper(), repo_name, group, get_repository_access_for_role(role, "resource"))

Ejemplo n.º 2

Archivo: git-repo-create.py Proyecto: provisioning-gvt/terraform-aws-avm

def lambda_handler(event, context):
    repo_name = None
    account_id = event["AccountId"]
    account_info = avm_common.get_account_details(account_id)
    account_details = account_info["org_details"]
    #pprint.pprint(account_details)
    #pprint.pprint(account_info)
    baseline_details = json.loads(account_details["baseline_details"])
    account_type = account_details["accountType"]

    baseline_repo = baseline_details["git"]

    repo_name = baseline_repo.split("/")[-1].replace(".git", "")

    ## Might want to make this a global variable
    vended_baselines_project = avm_common.get_param("vended_baselines_project")
    #print(f"vended_baselines_project: {vended_baselines_project}")
    #print(f"baseline_repo: {baseline_repo}")
    git = gitMgr()
    # template = git.get_baseline_template_repo(account_type)
    template = git.get_baseline_template_repo(repo_name)
    print(f"Template: {template}")
    print(f"Repo to create : {repo_name}")

    #git.list_all_repos()
    # Create baseline repo
    git.clone_repo(vended_baselines_project, repo_name, template, account_id,
                   account_info)

    if avm_common.resource_workspace_required(account_type):
        # Create an additional repo for the application and sandbox
        # app-repo template
        app_details = json.loads(account_details["app_details"])
        print("App details")
        print(app_details)
        app_repo = app_details["git"]
        repo_name = app_repo.split("/")[-1].replace(".git", "")
        vended_applications_project = avm_common.get_param(
            "vended_applications_project")
        apptemplate = f"{account_type.lower()}-resources"
        #print(f"vended_applications_project: {vended_applications_project}")
        #print(f"template: {apptemplate}")
        #print(f"app_repo: {app_repo}")
        #print(f"repo_name: {repo_name}")
        git.clone_repo(vended_applications_project, repo_name, apptemplate,
                       account_id, account_info)

Ejemplo n.º 3

Archivo: avm-tfe-workspaces.py Proyecto: tlz-pmr/terraform-aws-avm

def handler_inner(event, context):
    account_id = event["AccountId"]
    # Retrieve secrets from AWS Secrets Manager
    aws_secrets = avm_common.get_secret("tfe_aws_keys")
    # Look these single values up directly:
    tfe_key = avm_common.get_secret("terraform")["terraform"]
    vcs_oauth_token = avm_common.get_secret("vcs_oauth_token")["oauth_token"]

    # Get workspace name from dynamodb from event.accountId
    # Grab account details
    account_info = avm_common.get_account_details(account_id)
    #pp.pprint(account_info)
    account_details = account_info["org_details"]
    request_details = account_info["request_details"]
    #print(account_details)

    # Defines both repository names from account_details data
    baseline_details = json.loads(account_details["baseline_details"])
    account_request = json.loads(account_details["account_request"])
    print(baseline_details)
    baseline_repo_concat = "/".join(
        baseline_details["git"].split('/')[3:]).replace('.git', '')
    ws_name = baseline_details["tfe_workspace"]
    # instantiates workspace creation for baseline & application workspaces
    workspace_id = create_workspace(ws_name, tfe_key, vcs_oauth_token,
                                    baseline_repo_concat)
    if not workspace_id:
        return None
    #workspace_id = get_workspace(ws_name, tfe_key)

    # okta variables
    okta_account_type = account_details["accountType"].lower()

    try:
        account_request = json.loads(account_details["account_request"])
        environment_type = account_request["intEnvironment"].lower()
        okta_account_type = f"{okta_account_type}_{environment_type}"
    except Exception:
        environment_type = "NA"

    primary_region, secondary_region = avm_common.get_regions(account_id)
    azs_primary, azs_secondary = avm_common.az_map_by_region(primary_region)

    okta_config = avm_common.get_secret("okta")

    okta_app_id_index = {
        "core": okta_config["COR_LINK_ID"],
        "sandbox": okta_config["SBX_LINK_ID"],
        "application_npd": okta_config["NPD_LINK_ID"],
        "application_prd": okta_config["PRD_LINK_ID"]
    }

    okta_url = okta_config["url"].replace("https://", "")
    okta_prefix = "aws" + avm_common.get_short_account_code(
        okta_account_type, environment_type)

    tfe_host_name = avm_common.get_param("tfe_api_url").replace(
        "https://", "").replace("/api/v2", "")
    workspace_vars = [{
        "key": "AWS_ACCESS_KEY_ID",
        "value": aws_secrets["AWS_ACCESS_KEY_ID"],
        "category": "env",
        "sensitive": False,
        "hcl": False
    }, {
        "key": "AWS_SECRET_ACCESS_KEY",
        "value": aws_secrets["AWS_SECRET_ACCESS_KEY"],
        "category": "env",
        "sensitive": True,
        "hcl": False
    }, {
        "key": "account_id",
        "value": account_id,
        "category": "terraform",
        "sensitive": False,
        "hcl": False
    }, {
        "key": "repo_name",
        "value": baseline_repo_concat,
        "category": "terraform",
        "sensitive": False,
        "hcl": False
    }, {
        "key": "name",
        "value": account_details["name"].lower(),
        "category": "terraform",
        "sensitive": False,
        "hcl": False
    }, {
        "key": "account_type",
        "value": account_details["accountType"].lower(),
        "category": "terraform",
        "sensitive": False,
        "hcl": False
    }, {
        "key": "account_org",
        "value": account_details["org_name"].lower(),
        "category": "terraform",
        "sensitive": False,
        "hcl": False
    }, {
        "key": "owner",
        "value": account_details["email"],
        "category": "terraform",
        "sensitive": False,
        "hcl": False
    }, {
        "key": "environment",
        "value": account_request["env"].lower(),
        "category": "terraform",
        "sensitive": True,
        "hcl": False
    }, {
        "key": "int_environment",
        "value": environment_type,
        "category": "terraform",
        "sensitive": False,
        "hcl": False
    }, {
        "key": "cidr_primary",
        "value": request_details["primaryVpcCidr"],
        "category": "terraform",
        "sensitive": False,
        "hcl": False
    }, {
        "key": "cidr_secondary",
        "value": request_details["secondaryVpcCidr"],
        "category": "terraform",
        "sensitive": False,
        "hcl": False
    }, {
        "key": "region_primary",
        "value": primary_region,
        "category": "terraform",
        "sensitive": False,
        "hcl": False
    }, {
        "key": "region_secondary",
        "value": secondary_region,
        "category": "terraform",
        "sensitive": False,
        "hcl": False
    }, {
        "key": "azs_primary",
        "value": azs_primary,
        "category": "terraform",
        "sensitive": False,
        "hcl": True
    }, {
        "key": "azs_secondary",
        "value": azs_secondary,
        "category": "terraform",
        "sensitive": False,
        "hcl": True
    }, {
        "key": "okta_provider_domain",
        "value": okta_url,
        "category": "terraform",
        "sensitive": False,
        "hcl": False
    }, {
        "key": "okta_app_id",
        "value": okta_app_id_index[okta_account_type],
        "category": "terraform",
        "sensitive": False,
        "hcl": False
    }, {
        "key": "tfe_org_name",
        "value": avm_common.get_param("tfe_org_name"),
        "category": "terraform",
        "sensitive": True,
        "hcl": False
    }, {
        "key": "tfe_avm_workspace_name",
        "value": avm_common.get_param("avm_workspace_name"),
        "category": "terraform",
        "sensitive": True,
        "hcl": False
    }, {
        "key": "tfe_host_name",
        "value": tfe_host_name,
        "category": "terraform",
        "sensitive": True,
        "hcl": False
    }, {
        "key": "tfe_core_logging_workspace_name",
        "value": avm_common.get_param("logging_workspace_name"),
        "category": "terraform",
        "sensitive": True,
        "hcl": False
    }, {
        "key": "master_payer_org_id",
        "value": avm_common.get_param("master_payer_org_id"),
        "category": "terraform",
        "sensitive": True,
        "hcl": False
    }, {
        "key": "master_payer_account",
        "value": avm_common.get_param("master_payer_account"),
        "category": "terraform",
        "sensitive": True,
        "hcl": False
    }, {
        "key": "core_security_account",
        "value": avm_common.get_param("core_security_account"),
        "category": "terraform",
        "sensitive": True,
        "hcl": False
    }, {
        "key":
        "tlz_org_account_access_role",
        "value":
        avm_common.get_param("tlz_org_account_access_role"),
        "category":
        "terraform",
        "sensitive":
        True,
        "hcl":
        False
    }, {
        "key": "role_name",
        "value": avm_common.get_param("tlz_admin_role"),
        "category": "terraform",
        "sensitive": True,
        "hcl": False
    }, {
        "key": "okta_token",
        "value": okta_config["token"],
        "category": "terraform",
        "sensitive": True,
        "hcl": False
    }]

    for var in workspace_vars:
        print(f"Attaching the var {var['key']}")
        response = attach_vars_to_workspace(ws_name, tfe_key, var["key"],
                                            var["value"], var["category"],
                                            var["sensitive"], var["hcl"])

    # Make teams with the same name as the Okta role names and assign them privileges to the baseline and resources workspaces.
    # This will be reused in the resources workspace block later.
    user_teams_to_assign = avm_common.get_delegated_user_managed_roles()
    group_list = avm_common.generate_okta_group_names(
        account_id, okta_account_type, environment_type,
        account_details["alias"].lower())

    for team in group_list:
        for role in user_teams_to_assign:
            if team.endswith(role):
                # Try to find it first:
                team_id = get_team(tfe_key, team)
                # Otherwise, create it:
                if not team_id:
                    team_id = create_team_for_org(tfe_key, team)

                assign_team_to_workspace(
                    tfe_key, team_id, workspace_id,
                    get_workspace_access_for_role(role, "baseline"))

    print(baseline_repo_concat)

    # Add network_account
    core_network_account = avm_common.get_param("core_network_account")
    if core_network_account != None:
        if account_details["accountType"].lower() in [
                "application"
        ] or (account_details["accountType"].lower() == "core" and
              account_request["account_name"].lower() == "shared_services"):
            attach_vars_to_workspace(ws_name, tfe_key, "core_network_account",
                                     core_network_account, "terraform", False,
                                     False)

    if avm_common.resource_workspace_required(account_details["accountType"]):
        app_details = json.loads(account_details["app_details"])
        app_repo_concat = "/".join(app_details["git"].split('/')[4:]).replace(
            '.git', '')
        baseline_workspace_name = ws_name
        ws_name = app_details["tfe_workspace"]
        create_workspace(ws_name, tfe_key, vcs_oauth_token, app_repo_concat)
        workspace_id = get_workspace(ws_name, tfe_key)
        print(app_repo_concat)
        workspace_vars = [{
            "key": "tfe_host_name",
            "value": tfe_host_name,
            "category": "terraform",
            "sensitive": True,
            "hcl": False
        }, {
            "key": "tfe_org_name",
            "value": avm_common.get_param("tfe_org_name"),
            "category": "terraform",
            "sensitive": True,
            "hcl": False
        }, {
            "key": "name",
            "value": account_details["name"].lower(),
            "category": "terraform",
            "sensitive": False,
            "hcl": False
        }, {
            "key": "owner",
            "value": account_details["email"],
            "category": "terraform",
            "sensitive": False,
            "hcl": False
        }, {
            "key": "environment",
            "value": account_request["env"].lower(),
            "category": "terraform",
            "sensitive": True,
            "hcl": False
        }, {
            "key": "baseline_workspace_name",
            "value": baseline_workspace_name,
            "category": "terraform",
            "sensitive": True,
            "hcl": False
        }, {
            "key": "region_primary",
            "value": primary_region,
            "category": "terraform",
            "sensitive": False,
            "hcl": False
        }, {
            "key": "region_secondary",
            "value": secondary_region,
            "category": "terraform",
            "sensitive": False,
            "hcl": False
        }, {
            "key": "baseline_workspace_name",
            "value": baseline_workspace_name,
            "category": "terraform",
            "sensitive": True,
            "hcl": False
        }, {
            "key":
            "tlz_org_account_access_role",
            "value":
            avm_common.get_param("tlz_org_account_access_role"),
            "category":
            "terraform",
            "sensitive":
            True,
            "hcl":
            False
        }, {
            "key": "role_name",
            "value": avm_common.get_param("tlz_admin_role"),
            "category": "terraform",
            "sensitive": True,
            "hcl": False
        }]

        for var in workspace_vars:
            print(f"Attaching the var {var['key']}")
            response = attach_vars_to_workspace(ws_name, tfe_key, var["key"],
                                                var["value"], var["category"],
                                                var["sensitive"], var["hcl"])

        # Assign the teams (already created in the baseline block) to this workspace as well.
        for team in group_list:
            for role in user_teams_to_assign:
                if team.endswith(role):
                    # Get the team ID--it was made in the baseline already.
                    team_id = get_team(tfe_key, team)
                    assign_team_to_workspace(
                        tfe_key, team_id, workspace_id,
                        get_workspace_access_for_role(role, "resource"))

    elif account_details["accountType"].lower() == "core" and account_request[
            "account_name"].lower() == "shared_services":
        workspace_vars = [{
            "key": "primary_zone_name",
            "value": avm_common.get_param("primary_zone_name"),
            "category": "terraform",
            "sensitive": False,
            "hcl": False
        }]

        for var in workspace_vars:
            print(f"Attaching the var {var['key']}")
            response = attach_vars_to_workspace(ws_name, tfe_key, var["key"],
                                                var["value"], var["category"],
                                                var["sensitive"], var["hcl"])

Ejemplo n.º 4

Archivo: avm-master.py Proyecto: tlz-pmr/terraform-aws-avm

def lambda_handler_inner(event, context):
    master_account = avm_common.get_param("master_payer_account")
    master_role =  avm_common.get_param("tlz_admin_role")
    org_account_access_role = avm_common.get_param("tlz_org_account_access_role")
    #print("Received event: " + json.dumps(event, indent=2))
    master_role_arn = f"arn:aws:iam::{master_account}:role/{org_account_access_role}"
    session_local = avm_common.aws_session()
    current_account = session_local.client('sts').get_caller_identity().get('Account')
    session_regular = avm_common.aws_session(role=master_role_arn)

    account_request = {}
    insert_event = [i for i in event["Records"] if i["eventName"] == "INSERT"]
    if not len(insert_event):
        print("ERROR: No account to create")
        return

    newImage = insert_event[0]["dynamodb"]["NewImage"]
    account_request["email"] =  newImage["id"]["S"]
    account_request["account_name"] = newImage["appName"]["S"]
    account_request["accountType"] = newImage["accountType"]["S"]
    account_request["accountPrefix"] = newImage["accountPrefix"]["S"]

    account_request["lob"] = newImage["lob"]["S"]
    if account_request["accountType"].lower() != "application":
        account_request["lob"] = account_request["accountType"].title()
    account_request["env"] = newImage["envType"]["S"]

    # CloudOps interal variable definition that will be used in certain areas where only prd, npd, sbx or dev are needed
    if (account_request["env"] == "stg" or account_request["env"] == "qa" or account_request["env"] == "dev"):
        account_request["intEnvironment"] = "npd"
    elif (account_request["env"] == "pre-prod" or account_request["env"] == "prd"):
        account_request["intEnvironment"] = "prd"

    print(account_request)
    orgMan = awsOrgManager(session_regular,current_account,master_account,master_role,org_account_access_role)
    account = orgMan.create_account(account_request)
    # By now account should have been created
    if account:
        target_ou = "Sandbox"
        # Move the account the target organizational_unit
        if account_request["accountType"].lower() != "application":
            target_ou = account_request["accountType"].title()
        else:
            if "lob" in account_request.keys():
                if account_request["lob"]:
                    target_ou = account_request["lob"]

        orgMan.move_account(account["id"],target_ou)
        acc = orgMan._client.describe_account(AccountId=account["id"])

    # update account with additional details
    account["account_request"] = json.dumps(account_request,default=defaultencode)
    alias = orgMan.get_account_alias(account_request["accountType"],account_request["account_name"],account_request["lob"], account_request["env"], account_request["accountPrefix"] )
    account["alias"]  = alias
    account["accountType"]  = account_request["accountType"]
    org = account_request["lob"].title()
    git_url = avm_common.get_param("tlz_git_url")
    print(git_url)
    vended_applications_project = avm_common.get_param("vended_applications_project")
    vended_baselines_project = avm_common.get_param("vended_baselines_project")
    if avm_common.resource_workspace_required(account_request["accountType"]):
        account["app_details"]  = json.dumps({'git' : f'{git_url}/{vended_applications_project}/{alias}.git', 'tfe_workspace': f'{alias}-resources'})
        account["baseline_details"]  = json.dumps({'git' : f'{git_url}/{vended_baselines_project}/{alias}.git', 'tfe_workspace': f'{alias}-baseline'})
    else:
        account["baseline_details"]  = json.dumps({'git' : f'{git_url}/{vended_baselines_project}/{alias}.git', 'tfe_workspace': f'{alias}'})

    print(account)
    orgMan.ingest_data(session_local,account)
    additional_info = {}
    additional_info["alias"] = alias
    additional_info["account_type"] = account_request["accountType"]
    additional_info["org_name"] = account_request["lob"]
    additional_info["owner"] = newImage["responsible"]["S"]
    additional_info["environment"] = account_request["env"]
    additional_info["intEnvironment"] = account_request["env"]
    additional_info["primaryVpcCidr"] = newImage["primaryVpcCidr"]["S"]
    additional_info["secondaryVpcCidr"] = newImage["secondaryVpcCidr"]["S"]
    #for k in newImage.keys():
    #    additional_info[k] = newImage[k]["S"]
    #additional_info["account"] = account
    orgMan.update_org_account_access_role(account["id"])
    print("About to call the automation document")
    orgMan.start_pipeline(session_local, account["id"], additional_info)