def update_tfe_workspaces(self,keys, secret_name, account_id): print("Update TFE workspaces with new keys") tfe_key = avm_common.get_secret("terraform") tfe_api_token = tfe_key['terraform'] headers = { 'authorization': "Bearer " + tfe_api_token, 'content-type': "application/vnd.api+json", } tfe_workspaces = self.get_tfe_workspaces(account_id) for workspace_name in tfe_workspaces: workspace_id = self.get_workspace_id(workspace_name, headers) self.remove_workspace_vars(workspace_name, headers) self.create_tfe_variables(workspace_id, headers, keys["AccessKeyId"], keys["SecretAccessKey"])
def add_account_to_redlock(account_id): redlock = avm_common.get_secret("redlock") result = avm_common.get_account_details(account_id) account_alias = f"{result['org_details']['name']}" if result['request_details']: if "subAccountType" in result['request_details'].keys(): account_alias += f"-{result['request_details']['subAccountType']}" body = {"username": redlock["user"], "password": redlock["password"]} header = {'Content-Type': 'application/json'} r = requests.post(f'{redlock["rest_api_url"]}/login', headers=header, data=json.dumps(body)) if r.status_code == requests.codes.ok: resp = json.loads(r.text) token = resp["token"] account_payload = { "accountId": account_id, "enabled": True, "externalId": extract_externalid(account_id), "groupIds": [redlock["group_id"]], "name": f"{account_alias}-{account_id}", "roleArn": f"arn:aws:iam::{account_id}:role/tlz_redlock_read_only" } headers = {"x-redlock-auth": token, "Content-Type": "application/json"} addaccount_r = requests.post(f'{redlock["rest_api_url"]}/cloud/aws', headers=headers, data=json.dumps(account_payload)) else: body = f"{r.json()}" sub = "ERROR: Unable to add account {account_id} to redlock" func = "redlock-addaccount" sns_topic = avm_common.get_param("sns_topic_arn") avm_common.send_pipeline_notification(account_id, sns_topic, func, sub, body)
def lambda_handler_inner(event, context): print(event) account_id = event["AccountId"] # Retrieve secrets from AWS Secrets Manager tfe_key = avm_common.get_secret("terraform") headers = { 'Authorization': "Bearer " + tfe_key['terraform'], 'Content-Type': "application/vnd.api+json", } #print(token) # Get the workspace ID using the provided workspace name workspace_name = get_workspace_name(account_id) print(workspace_name) workspace_id = get_workspace(headers,workspace_name) print(workspace_id) # Serialize the JSON payload with the workspace ID payload = create_json( workspace_id ) #print(payload) # Trigger a terraform plan run_id = create_run( headers, payload ) print(f"Run id : {run_id}") retry_count = 6 sleep_between_retry_attempts = 30 # Check run for readiness and apply if so for i in range(retry_count): run_status = get_run_status(headers, run_id ) print(f"Run status [{i}] : {run_status}") if run_status == 'planned': apply_run( headers,run_id ) break elif run_status == 'errored': print("The changes have failed") raise Exception(f'TFE plan failed for workspace: {workspace_name}') break elif run_status == 'planned_and_finished': print("It appears that no changes were required") return 200 time.sleep(sleep_between_retry_attempts) # Allow some time for the apply to finish then verify final state of run for i in range(retry_count): run_status = get_run_status( headers,run_id ) print(f"Attempt {i} : {run_status}") if run_status == 'applied': print("Changes successfully applied") return 200 elif run_status == 'planned_and_finished': print("It appears that no changes were required") return 200 elif run_status == 'errored': print("The changes have failed") raise Exception(f'TFE apply failed for workspace: {workspace_name}') #return -1 elif run_status == 'planned': raise Exception(f'TFE plan failed for workspace: {workspace_name}') #return -1 time.sleep(sleep_between_retry_attempts) print("The changes are taking too long to execute and will require manual review")
def handler_inner(event, context): account_id = event["AccountId"] # Retrieve secrets from AWS Secrets Manager aws_secrets = avm_common.get_secret("tfe_aws_keys") # Look these single values up directly: tfe_key = avm_common.get_secret("terraform")["terraform"] vcs_oauth_token = avm_common.get_secret("vcs_oauth_token")["oauth_token"] # Get workspace name from dynamodb from event.accountId # Grab account details account_info = avm_common.get_account_details(account_id) #pp.pprint(account_info) account_details = account_info["org_details"] request_details = account_info["request_details"] #print(account_details) # Defines both repository names from account_details data baseline_details = json.loads(account_details["baseline_details"]) account_request = json.loads(account_details["account_request"]) print(baseline_details) baseline_repo_concat = "/".join( baseline_details["git"].split('/')[3:]).replace('.git', '') ws_name = baseline_details["tfe_workspace"] # instantiates workspace creation for baseline & application workspaces workspace_id = create_workspace(ws_name, tfe_key, vcs_oauth_token, baseline_repo_concat) if not workspace_id: return None #workspace_id = get_workspace(ws_name, tfe_key) # okta variables okta_account_type = account_details["accountType"].lower() try: account_request = json.loads(account_details["account_request"]) environment_type = account_request["intEnvironment"].lower() okta_account_type = f"{okta_account_type}_{environment_type}" except Exception: environment_type = "NA" primary_region, secondary_region = avm_common.get_regions(account_id) azs_primary, azs_secondary = avm_common.az_map_by_region(primary_region) okta_config = avm_common.get_secret("okta") okta_app_id_index = { "core": okta_config["COR_LINK_ID"], "sandbox": okta_config["SBX_LINK_ID"], "application_npd": okta_config["NPD_LINK_ID"], "application_prd": okta_config["PRD_LINK_ID"] } okta_url = okta_config["url"].replace("https://", "") okta_prefix = "aws" + avm_common.get_short_account_code( okta_account_type, environment_type) tfe_host_name = avm_common.get_param("tfe_api_url").replace( "https://", "").replace("/api/v2", "") workspace_vars = [{ "key": "AWS_ACCESS_KEY_ID", "value": aws_secrets["AWS_ACCESS_KEY_ID"], "category": "env", "sensitive": False, "hcl": False }, { "key": "AWS_SECRET_ACCESS_KEY", "value": aws_secrets["AWS_SECRET_ACCESS_KEY"], "category": "env", "sensitive": True, "hcl": False }, { "key": "account_id", "value": account_id, "category": "terraform", "sensitive": False, "hcl": False }, { "key": "repo_name", "value": baseline_repo_concat, "category": "terraform", "sensitive": False, "hcl": False }, { "key": "name", "value": account_details["name"].lower(), "category": "terraform", "sensitive": False, "hcl": False }, { "key": "account_type", "value": account_details["accountType"].lower(), "category": "terraform", "sensitive": False, "hcl": False }, { "key": "account_org", "value": account_details["org_name"].lower(), "category": "terraform", "sensitive": False, "hcl": False }, { "key": "owner", "value": account_details["email"], "category": "terraform", "sensitive": False, "hcl": False }, { "key": "environment", "value": account_request["env"].lower(), "category": "terraform", "sensitive": True, "hcl": False }, { "key": "int_environment", "value": environment_type, "category": "terraform", "sensitive": False, "hcl": False }, { "key": "cidr_primary", "value": request_details["primaryVpcCidr"], "category": "terraform", "sensitive": False, "hcl": False }, { "key": "cidr_secondary", "value": request_details["secondaryVpcCidr"], "category": "terraform", "sensitive": False, "hcl": False }, { "key": "region_primary", "value": primary_region, "category": "terraform", "sensitive": False, "hcl": False }, { "key": "region_secondary", "value": secondary_region, "category": "terraform", "sensitive": False, "hcl": False }, { "key": "azs_primary", "value": azs_primary, "category": "terraform", "sensitive": False, "hcl": True }, { "key": "azs_secondary", "value": azs_secondary, "category": "terraform", "sensitive": False, "hcl": True }, { "key": "okta_provider_domain", "value": okta_url, "category": "terraform", "sensitive": False, "hcl": False }, { "key": "okta_app_id", "value": okta_app_id_index[okta_account_type], "category": "terraform", "sensitive": False, "hcl": False }, { "key": "tfe_org_name", "value": avm_common.get_param("tfe_org_name"), "category": "terraform", "sensitive": True, "hcl": False }, { "key": "tfe_avm_workspace_name", "value": avm_common.get_param("avm_workspace_name"), "category": "terraform", "sensitive": True, "hcl": False }, { "key": "tfe_host_name", "value": tfe_host_name, "category": "terraform", "sensitive": True, "hcl": False }, { "key": "tfe_core_logging_workspace_name", "value": avm_common.get_param("logging_workspace_name"), "category": "terraform", "sensitive": True, "hcl": False }, { "key": "master_payer_org_id", "value": avm_common.get_param("master_payer_org_id"), "category": "terraform", "sensitive": True, "hcl": False }, { "key": "master_payer_account", "value": avm_common.get_param("master_payer_account"), "category": "terraform", "sensitive": True, "hcl": False }, { "key": "core_security_account", "value": avm_common.get_param("core_security_account"), "category": "terraform", "sensitive": True, "hcl": False }, { "key": "tlz_org_account_access_role", "value": avm_common.get_param("tlz_org_account_access_role"), "category": "terraform", "sensitive": True, "hcl": False }, { "key": "role_name", "value": avm_common.get_param("tlz_admin_role"), "category": "terraform", "sensitive": True, "hcl": False }, { "key": "okta_token", "value": okta_config["token"], "category": "terraform", "sensitive": True, "hcl": False }] for var in workspace_vars: print(f"Attaching the var {var['key']}") response = attach_vars_to_workspace(ws_name, tfe_key, var["key"], var["value"], var["category"], var["sensitive"], var["hcl"]) # Make teams with the same name as the Okta role names and assign them privileges to the baseline and resources workspaces. # This will be reused in the resources workspace block later. user_teams_to_assign = avm_common.get_delegated_user_managed_roles() group_list = avm_common.generate_okta_group_names( account_id, okta_account_type, environment_type, account_details["alias"].lower()) for team in group_list: for role in user_teams_to_assign: if team.endswith(role): # Try to find it first: team_id = get_team(tfe_key, team) # Otherwise, create it: if not team_id: team_id = create_team_for_org(tfe_key, team) assign_team_to_workspace( tfe_key, team_id, workspace_id, get_workspace_access_for_role(role, "baseline")) print(baseline_repo_concat) # Add network_account core_network_account = avm_common.get_param("core_network_account") if core_network_account != None: if account_details["accountType"].lower() in [ "application" ] or (account_details["accountType"].lower() == "core" and account_request["account_name"].lower() == "shared_services"): attach_vars_to_workspace(ws_name, tfe_key, "core_network_account", core_network_account, "terraform", False, False) if avm_common.resource_workspace_required(account_details["accountType"]): app_details = json.loads(account_details["app_details"]) app_repo_concat = "/".join(app_details["git"].split('/')[4:]).replace( '.git', '') baseline_workspace_name = ws_name ws_name = app_details["tfe_workspace"] create_workspace(ws_name, tfe_key, vcs_oauth_token, app_repo_concat) workspace_id = get_workspace(ws_name, tfe_key) print(app_repo_concat) workspace_vars = [{ "key": "tfe_host_name", "value": tfe_host_name, "category": "terraform", "sensitive": True, "hcl": False }, { "key": "tfe_org_name", "value": avm_common.get_param("tfe_org_name"), "category": "terraform", "sensitive": True, "hcl": False }, { "key": "name", "value": account_details["name"].lower(), "category": "terraform", "sensitive": False, "hcl": False }, { "key": "owner", "value": account_details["email"], "category": "terraform", "sensitive": False, "hcl": False }, { "key": "environment", "value": account_request["env"].lower(), "category": "terraform", "sensitive": True, "hcl": False }, { "key": "baseline_workspace_name", "value": baseline_workspace_name, "category": "terraform", "sensitive": True, "hcl": False }, { "key": "region_primary", "value": primary_region, "category": "terraform", "sensitive": False, "hcl": False }, { "key": "region_secondary", "value": secondary_region, "category": "terraform", "sensitive": False, "hcl": False }, { "key": "baseline_workspace_name", "value": baseline_workspace_name, "category": "terraform", "sensitive": True, "hcl": False }, { "key": "tlz_org_account_access_role", "value": avm_common.get_param("tlz_org_account_access_role"), "category": "terraform", "sensitive": True, "hcl": False }, { "key": "role_name", "value": avm_common.get_param("tlz_admin_role"), "category": "terraform", "sensitive": True, "hcl": False }] for var in workspace_vars: print(f"Attaching the var {var['key']}") response = attach_vars_to_workspace(ws_name, tfe_key, var["key"], var["value"], var["category"], var["sensitive"], var["hcl"]) # Assign the teams (already created in the baseline block) to this workspace as well. for team in group_list: for role in user_teams_to_assign: if team.endswith(role): # Get the team ID--it was made in the baseline already. team_id = get_team(tfe_key, team) assign_team_to_workspace( tfe_key, team_id, workspace_id, get_workspace_access_for_role(role, "resource")) elif account_details["accountType"].lower() == "core" and account_request[ "account_name"].lower() == "shared_services": workspace_vars = [{ "key": "primary_zone_name", "value": avm_common.get_param("primary_zone_name"), "category": "terraform", "sensitive": False, "hcl": False }] for var in workspace_vars: print(f"Attaching the var {var['key']}") response = attach_vars_to_workspace(ws_name, tfe_key, var["key"], var["value"], var["category"], var["sensitive"], var["hcl"])
def get_token(self): return avm_common.get_secret("bitbucket")
def get_token(self): return avm_common.get_secret("vcs")
import boto3 import base64 from botocore.exceptions import ClientError import json import avm_common import requests from http import HTTPStatus okta_config = avm_common.get_secret("okta") url = okta_config["url"] # Checks if Group already exists def get_group_id(group_name, secret): print(f"Checking group {group_name}") headers = { "Accept": "application/json", "Content-Type": "application/json", "Authorization": "SSWS " + secret } # check if group already exists response = requests.get(url + "/api/v1/groups", headers=headers) response = json.loads(response.text) for group in response: if (group["profile"]["name"] == group_name): #print(group) print(group_name + " already exists") return group["id"] print(group_name + " does not exist. Creating.") return None