def lambda_handler(event, context): repo_name = None account_Id = event["AccountId"] account_info = avm_common.get_account_details(account_Id) account_details = account_info["org_details"] #pp.pprint(account_details) baseline_details = json.loads(account_details["baseline_details"]) account_type = account_details["accountType"] baseline_repo = baseline_details["git"] repo_name = baseline_repo.split("/")[-1].replace(".git","") print(repo_name) ## Might want to make this a global variable vended_baselines_project = avm_common.get_param("vended_baselines_project") #project = "tlz-vb" #pp.pprint(project.upper()) git = gitMgr() template = git.get_baseline_template_repo(repo_name) print(template) # Create baseline repo git.fork_repo(template,vended_baselines_project.upper(),repo_name) #print(account_details) try: account_request = json.loads(account_details["account_request"]) environment_type = account_request["intEnvironment"].lower() except Exception: environment_type = "null" user_managed_roles = avm_common.get_delegated_user_managed_roles() group_list = avm_common.generate_okta_group_names(account_Id, account_type, environment_type, account_details["alias"].lower()) for group in group_list: for role in user_managed_roles: if group.endswith(role): print(f"Group to be granted permissions to Bitbucket baseline repo: {group}") git.create_group(group) git.grant_repository_access(vended_baselines_project.upper(), repo_name, group, get_repository_access_for_role(role, "baseline")) # TODO: Add merge check restriction if avm_common.resource_workspace_required(account_type): # Create an additional repo for the application and sandbox # app-repo template app_details = json.loads(account_details["app_details"]) print("App details") print(app_details) app_repo = app_details["git"] repo_name = app_repo.split("/")[-1].replace(".git","") print(repo_name) vended_applications_project = avm_common.get_param("vended_applications_project") template = f"{account_type.lower()}-resources" git.fork_repo(template,vended_applications_project.upper(),repo_name) for group in group_list: for role in user_managed_roles: if group.endswith(role): print(f"Group to be granted permissions to Bitbucket resource repo: {group}") git.grant_repository_access(vended_applications_project.upper(), repo_name, group, get_repository_access_for_role(role, "resource"))
def lambda_handler(event, context): repo_name = None account_id = event["AccountId"] account_info = avm_common.get_account_details(account_id) account_details = account_info["org_details"] #pprint.pprint(account_details) #pprint.pprint(account_info) baseline_details = json.loads(account_details["baseline_details"]) account_type = account_details["accountType"] baseline_repo = baseline_details["git"] repo_name = baseline_repo.split("/")[-1].replace(".git", "") ## Might want to make this a global variable vended_baselines_project = avm_common.get_param("vended_baselines_project") #print(f"vended_baselines_project: {vended_baselines_project}") #print(f"baseline_repo: {baseline_repo}") git = gitMgr() # template = git.get_baseline_template_repo(account_type) template = git.get_baseline_template_repo(repo_name) print(f"Template: {template}") print(f"Repo to create : {repo_name}") #git.list_all_repos() # Create baseline repo git.clone_repo(vended_baselines_project, repo_name, template, account_id, account_info) if avm_common.resource_workspace_required(account_type): # Create an additional repo for the application and sandbox # app-repo template app_details = json.loads(account_details["app_details"]) print("App details") print(app_details) app_repo = app_details["git"] repo_name = app_repo.split("/")[-1].replace(".git", "") vended_applications_project = avm_common.get_param( "vended_applications_project") apptemplate = f"{account_type.lower()}-resources" #print(f"vended_applications_project: {vended_applications_project}") #print(f"template: {apptemplate}") #print(f"app_repo: {app_repo}") #print(f"repo_name: {repo_name}") git.clone_repo(vended_applications_project, repo_name, apptemplate, account_id, account_info)
def handler_inner(event, context): account_id = event["AccountId"] # Retrieve secrets from AWS Secrets Manager aws_secrets = avm_common.get_secret("tfe_aws_keys") # Look these single values up directly: tfe_key = avm_common.get_secret("terraform")["terraform"] vcs_oauth_token = avm_common.get_secret("vcs_oauth_token")["oauth_token"] # Get workspace name from dynamodb from event.accountId # Grab account details account_info = avm_common.get_account_details(account_id) #pp.pprint(account_info) account_details = account_info["org_details"] request_details = account_info["request_details"] #print(account_details) # Defines both repository names from account_details data baseline_details = json.loads(account_details["baseline_details"]) account_request = json.loads(account_details["account_request"]) print(baseline_details) baseline_repo_concat = "/".join( baseline_details["git"].split('/')[3:]).replace('.git', '') ws_name = baseline_details["tfe_workspace"] # instantiates workspace creation for baseline & application workspaces workspace_id = create_workspace(ws_name, tfe_key, vcs_oauth_token, baseline_repo_concat) if not workspace_id: return None #workspace_id = get_workspace(ws_name, tfe_key) # okta variables okta_account_type = account_details["accountType"].lower() try: account_request = json.loads(account_details["account_request"]) environment_type = account_request["intEnvironment"].lower() okta_account_type = f"{okta_account_type}_{environment_type}" except Exception: environment_type = "NA" primary_region, secondary_region = avm_common.get_regions(account_id) azs_primary, azs_secondary = avm_common.az_map_by_region(primary_region) okta_config = avm_common.get_secret("okta") okta_app_id_index = { "core": okta_config["COR_LINK_ID"], "sandbox": okta_config["SBX_LINK_ID"], "application_npd": okta_config["NPD_LINK_ID"], "application_prd": okta_config["PRD_LINK_ID"] } okta_url = okta_config["url"].replace("https://", "") okta_prefix = "aws" + avm_common.get_short_account_code( okta_account_type, environment_type) tfe_host_name = avm_common.get_param("tfe_api_url").replace( "https://", "").replace("/api/v2", "") workspace_vars = [{ "key": "AWS_ACCESS_KEY_ID", "value": aws_secrets["AWS_ACCESS_KEY_ID"], "category": "env", "sensitive": False, "hcl": False }, { "key": "AWS_SECRET_ACCESS_KEY", "value": aws_secrets["AWS_SECRET_ACCESS_KEY"], "category": "env", "sensitive": True, "hcl": False }, { "key": "account_id", "value": account_id, "category": "terraform", "sensitive": False, "hcl": False }, { "key": "repo_name", "value": baseline_repo_concat, "category": "terraform", "sensitive": False, "hcl": False }, { "key": "name", "value": account_details["name"].lower(), "category": "terraform", "sensitive": False, "hcl": False }, { "key": "account_type", "value": account_details["accountType"].lower(), "category": "terraform", "sensitive": False, "hcl": False }, { "key": "account_org", "value": account_details["org_name"].lower(), "category": "terraform", "sensitive": False, "hcl": False }, { "key": "owner", "value": account_details["email"], "category": "terraform", "sensitive": False, "hcl": False }, { "key": "environment", "value": account_request["env"].lower(), "category": "terraform", "sensitive": True, "hcl": False }, { "key": "int_environment", "value": environment_type, "category": "terraform", "sensitive": False, "hcl": False }, { "key": "cidr_primary", "value": request_details["primaryVpcCidr"], "category": "terraform", "sensitive": False, "hcl": False }, { "key": "cidr_secondary", "value": request_details["secondaryVpcCidr"], "category": "terraform", "sensitive": False, "hcl": False }, { "key": "region_primary", "value": primary_region, "category": "terraform", "sensitive": False, "hcl": False }, { "key": "region_secondary", "value": secondary_region, "category": "terraform", "sensitive": False, "hcl": False }, { "key": "azs_primary", "value": azs_primary, "category": "terraform", "sensitive": False, "hcl": True }, { "key": "azs_secondary", "value": azs_secondary, "category": "terraform", "sensitive": False, "hcl": True }, { "key": "okta_provider_domain", "value": okta_url, "category": "terraform", "sensitive": False, "hcl": False }, { "key": "okta_app_id", "value": okta_app_id_index[okta_account_type], "category": "terraform", "sensitive": False, "hcl": False }, { "key": "tfe_org_name", "value": avm_common.get_param("tfe_org_name"), "category": "terraform", "sensitive": True, "hcl": False }, { "key": "tfe_avm_workspace_name", "value": avm_common.get_param("avm_workspace_name"), "category": "terraform", "sensitive": True, "hcl": False }, { "key": "tfe_host_name", "value": tfe_host_name, "category": "terraform", "sensitive": True, "hcl": False }, { "key": "tfe_core_logging_workspace_name", "value": avm_common.get_param("logging_workspace_name"), "category": "terraform", "sensitive": True, "hcl": False }, { "key": "master_payer_org_id", "value": avm_common.get_param("master_payer_org_id"), "category": "terraform", "sensitive": True, "hcl": False }, { "key": "master_payer_account", "value": avm_common.get_param("master_payer_account"), "category": "terraform", "sensitive": True, "hcl": False }, { "key": "core_security_account", "value": avm_common.get_param("core_security_account"), "category": "terraform", "sensitive": True, "hcl": False }, { "key": "tlz_org_account_access_role", "value": avm_common.get_param("tlz_org_account_access_role"), "category": "terraform", "sensitive": True, "hcl": False }, { "key": "role_name", "value": avm_common.get_param("tlz_admin_role"), "category": "terraform", "sensitive": True, "hcl": False }, { "key": "okta_token", "value": okta_config["token"], "category": "terraform", "sensitive": True, "hcl": False }] for var in workspace_vars: print(f"Attaching the var {var['key']}") response = attach_vars_to_workspace(ws_name, tfe_key, var["key"], var["value"], var["category"], var["sensitive"], var["hcl"]) # Make teams with the same name as the Okta role names and assign them privileges to the baseline and resources workspaces. # This will be reused in the resources workspace block later. user_teams_to_assign = avm_common.get_delegated_user_managed_roles() group_list = avm_common.generate_okta_group_names( account_id, okta_account_type, environment_type, account_details["alias"].lower()) for team in group_list: for role in user_teams_to_assign: if team.endswith(role): # Try to find it first: team_id = get_team(tfe_key, team) # Otherwise, create it: if not team_id: team_id = create_team_for_org(tfe_key, team) assign_team_to_workspace( tfe_key, team_id, workspace_id, get_workspace_access_for_role(role, "baseline")) print(baseline_repo_concat) # Add network_account core_network_account = avm_common.get_param("core_network_account") if core_network_account != None: if account_details["accountType"].lower() in [ "application" ] or (account_details["accountType"].lower() == "core" and account_request["account_name"].lower() == "shared_services"): attach_vars_to_workspace(ws_name, tfe_key, "core_network_account", core_network_account, "terraform", False, False) if avm_common.resource_workspace_required(account_details["accountType"]): app_details = json.loads(account_details["app_details"]) app_repo_concat = "/".join(app_details["git"].split('/')[4:]).replace( '.git', '') baseline_workspace_name = ws_name ws_name = app_details["tfe_workspace"] create_workspace(ws_name, tfe_key, vcs_oauth_token, app_repo_concat) workspace_id = get_workspace(ws_name, tfe_key) print(app_repo_concat) workspace_vars = [{ "key": "tfe_host_name", "value": tfe_host_name, "category": "terraform", "sensitive": True, "hcl": False }, { "key": "tfe_org_name", "value": avm_common.get_param("tfe_org_name"), "category": "terraform", "sensitive": True, "hcl": False }, { "key": "name", "value": account_details["name"].lower(), "category": "terraform", "sensitive": False, "hcl": False }, { "key": "owner", "value": account_details["email"], "category": "terraform", "sensitive": False, "hcl": False }, { "key": "environment", "value": account_request["env"].lower(), "category": "terraform", "sensitive": True, "hcl": False }, { "key": "baseline_workspace_name", "value": baseline_workspace_name, "category": "terraform", "sensitive": True, "hcl": False }, { "key": "region_primary", "value": primary_region, "category": "terraform", "sensitive": False, "hcl": False }, { "key": "region_secondary", "value": secondary_region, "category": "terraform", "sensitive": False, "hcl": False }, { "key": "baseline_workspace_name", "value": baseline_workspace_name, "category": "terraform", "sensitive": True, "hcl": False }, { "key": "tlz_org_account_access_role", "value": avm_common.get_param("tlz_org_account_access_role"), "category": "terraform", "sensitive": True, "hcl": False }, { "key": "role_name", "value": avm_common.get_param("tlz_admin_role"), "category": "terraform", "sensitive": True, "hcl": False }] for var in workspace_vars: print(f"Attaching the var {var['key']}") response = attach_vars_to_workspace(ws_name, tfe_key, var["key"], var["value"], var["category"], var["sensitive"], var["hcl"]) # Assign the teams (already created in the baseline block) to this workspace as well. for team in group_list: for role in user_teams_to_assign: if team.endswith(role): # Get the team ID--it was made in the baseline already. team_id = get_team(tfe_key, team) assign_team_to_workspace( tfe_key, team_id, workspace_id, get_workspace_access_for_role(role, "resource")) elif account_details["accountType"].lower() == "core" and account_request[ "account_name"].lower() == "shared_services": workspace_vars = [{ "key": "primary_zone_name", "value": avm_common.get_param("primary_zone_name"), "category": "terraform", "sensitive": False, "hcl": False }] for var in workspace_vars: print(f"Attaching the var {var['key']}") response = attach_vars_to_workspace(ws_name, tfe_key, var["key"], var["value"], var["category"], var["sensitive"], var["hcl"])
def lambda_handler_inner(event, context): master_account = avm_common.get_param("master_payer_account") master_role = avm_common.get_param("tlz_admin_role") org_account_access_role = avm_common.get_param("tlz_org_account_access_role") #print("Received event: " + json.dumps(event, indent=2)) master_role_arn = f"arn:aws:iam::{master_account}:role/{org_account_access_role}" session_local = avm_common.aws_session() current_account = session_local.client('sts').get_caller_identity().get('Account') session_regular = avm_common.aws_session(role=master_role_arn) account_request = {} insert_event = [i for i in event["Records"] if i["eventName"] == "INSERT"] if not len(insert_event): print("ERROR: No account to create") return newImage = insert_event[0]["dynamodb"]["NewImage"] account_request["email"] = newImage["id"]["S"] account_request["account_name"] = newImage["appName"]["S"] account_request["accountType"] = newImage["accountType"]["S"] account_request["accountPrefix"] = newImage["accountPrefix"]["S"] account_request["lob"] = newImage["lob"]["S"] if account_request["accountType"].lower() != "application": account_request["lob"] = account_request["accountType"].title() account_request["env"] = newImage["envType"]["S"] # CloudOps interal variable definition that will be used in certain areas where only prd, npd, sbx or dev are needed if (account_request["env"] == "stg" or account_request["env"] == "qa" or account_request["env"] == "dev"): account_request["intEnvironment"] = "npd" elif (account_request["env"] == "pre-prod" or account_request["env"] == "prd"): account_request["intEnvironment"] = "prd" print(account_request) orgMan = awsOrgManager(session_regular,current_account,master_account,master_role,org_account_access_role) account = orgMan.create_account(account_request) # By now account should have been created if account: target_ou = "Sandbox" # Move the account the target organizational_unit if account_request["accountType"].lower() != "application": target_ou = account_request["accountType"].title() else: if "lob" in account_request.keys(): if account_request["lob"]: target_ou = account_request["lob"] orgMan.move_account(account["id"],target_ou) acc = orgMan._client.describe_account(AccountId=account["id"]) # update account with additional details account["account_request"] = json.dumps(account_request,default=defaultencode) alias = orgMan.get_account_alias(account_request["accountType"],account_request["account_name"],account_request["lob"], account_request["env"], account_request["accountPrefix"] ) account["alias"] = alias account["accountType"] = account_request["accountType"] org = account_request["lob"].title() git_url = avm_common.get_param("tlz_git_url") print(git_url) vended_applications_project = avm_common.get_param("vended_applications_project") vended_baselines_project = avm_common.get_param("vended_baselines_project") if avm_common.resource_workspace_required(account_request["accountType"]): account["app_details"] = json.dumps({'git' : f'{git_url}/{vended_applications_project}/{alias}.git', 'tfe_workspace': f'{alias}-resources'}) account["baseline_details"] = json.dumps({'git' : f'{git_url}/{vended_baselines_project}/{alias}.git', 'tfe_workspace': f'{alias}-baseline'}) else: account["baseline_details"] = json.dumps({'git' : f'{git_url}/{vended_baselines_project}/{alias}.git', 'tfe_workspace': f'{alias}'}) print(account) orgMan.ingest_data(session_local,account) additional_info = {} additional_info["alias"] = alias additional_info["account_type"] = account_request["accountType"] additional_info["org_name"] = account_request["lob"] additional_info["owner"] = newImage["responsible"]["S"] additional_info["environment"] = account_request["env"] additional_info["intEnvironment"] = account_request["env"] additional_info["primaryVpcCidr"] = newImage["primaryVpcCidr"]["S"] additional_info["secondaryVpcCidr"] = newImage["secondaryVpcCidr"]["S"] #for k in newImage.keys(): # additional_info[k] = newImage[k]["S"] #additional_info["account"] = account orgMan.update_org_account_access_role(account["id"]) print("About to call the automation document") orgMan.start_pipeline(session_local, account["id"], additional_info)