def update_tfe_workspaces(self,keys, secret_name, account_id):
print("Update TFE workspaces with new keys")
tfe_key = avm_common.get_secret("terraform")
tfe_api_token = tfe_key['terraform']
headers = {
'authorization': "Bearer " + tfe_api_token,
'content-type': "application/vnd.api+json",
}
tfe_workspaces = self.get_tfe_workspaces(account_id)
for workspace_name in tfe_workspaces:
workspace_id = self.get_workspace_id(workspace_name, headers)
self.remove_workspace_vars(workspace_name, headers)
self.create_tfe_variables(workspace_id, headers, keys["AccessKeyId"], keys["SecretAccessKey"])
def add_account_to_redlock(account_id):
redlock = avm_common.get_secret("redlock")
result = avm_common.get_account_details(account_id)
account_alias = f"{result['org_details']['name']}"
if result['request_details']:
if "subAccountType" in result['request_details'].keys():
account_alias += f"-{result['request_details']['subAccountType']}"
body = {"username": redlock["user"], "password": redlock["password"]}
header = {'Content-Type': 'application/json'}
r = requests.post(f'{redlock["rest_api_url"]}/login',
headers=header,
data=json.dumps(body))
if r.status_code == requests.codes.ok:
resp = json.loads(r.text)
token = resp["token"]
account_payload = {
"accountId": account_id,
"enabled": True,
"externalId": extract_externalid(account_id),
"groupIds": [redlock["group_id"]],
"name": f"{account_alias}-{account_id}",
"roleArn": f"arn:aws:iam::{account_id}:role/tlz_redlock_read_only"
}
headers = {"x-redlock-auth": token, "Content-Type": "application/json"}
addaccount_r = requests.post(f'{redlock["rest_api_url"]}/cloud/aws',
headers=headers,
data=json.dumps(account_payload))
else:
body = f"{r.json()}"
sub = "ERROR: Unable to add account {account_id} to redlock"
func = "redlock-addaccount"
sns_topic = avm_common.get_param("sns_topic_arn")
avm_common.send_pipeline_notification(account_id, sns_topic, func, sub,
body)
def lambda_handler_inner(event, context):
print(event)
account_id = event["AccountId"]
# Retrieve secrets from AWS Secrets Manager
tfe_key = avm_common.get_secret("terraform")
headers = {
'Authorization': "Bearer " + tfe_key['terraform'],
'Content-Type': "application/vnd.api+json",
}
#print(token)
# Get the workspace ID using the provided workspace name
workspace_name = get_workspace_name(account_id)
print(workspace_name)
workspace_id = get_workspace(headers,workspace_name)
print(workspace_id)
# Serialize the JSON payload with the workspace ID
payload = create_json( workspace_id )
#print(payload)
# Trigger a terraform plan
run_id = create_run( headers, payload )
print(f"Run id : {run_id}")
retry_count = 6
sleep_between_retry_attempts = 30
# Check run for readiness and apply if so
for i in range(retry_count):
run_status = get_run_status(headers, run_id )
print(f"Run status [{i}] : {run_status}")
if run_status == 'planned':
apply_run( headers,run_id )
break
elif run_status == 'errored':
print("The changes have failed")
raise Exception(f'TFE plan failed for workspace: {workspace_name}')
break
elif run_status == 'planned_and_finished':
print("It appears that no changes were required")
return 200
time.sleep(sleep_between_retry_attempts)
# Allow some time for the apply to finish then verify final state of run
for i in range(retry_count):
run_status = get_run_status( headers,run_id )
print(f"Attempt {i} : {run_status}")
if run_status == 'applied':
print("Changes successfully applied")
return 200
elif run_status == 'planned_and_finished':
print("It appears that no changes were required")
return 200
elif run_status == 'errored':
print("The changes have failed")
raise Exception(f'TFE apply failed for workspace: {workspace_name}')
#return -1
elif run_status == 'planned':
raise Exception(f'TFE plan failed for workspace: {workspace_name}')
#return -1
time.sleep(sleep_between_retry_attempts)
print("The changes are taking too long to execute and will require manual review")
def handler_inner(event, context):
account_id = event["AccountId"]
# Retrieve secrets from AWS Secrets Manager
aws_secrets = avm_common.get_secret("tfe_aws_keys")
# Look these single values up directly:
tfe_key = avm_common.get_secret("terraform")["terraform"]
vcs_oauth_token = avm_common.get_secret("vcs_oauth_token")["oauth_token"]
# Get workspace name from dynamodb from event.accountId
# Grab account details
account_info = avm_common.get_account_details(account_id)
#pp.pprint(account_info)
account_details = account_info["org_details"]
request_details = account_info["request_details"]
#print(account_details)
# Defines both repository names from account_details data
baseline_details = json.loads(account_details["baseline_details"])
account_request = json.loads(account_details["account_request"])
print(baseline_details)
baseline_repo_concat = "/".join(
baseline_details["git"].split('/')[3:]).replace('.git', '')
ws_name = baseline_details["tfe_workspace"]
# instantiates workspace creation for baseline & application workspaces
workspace_id = create_workspace(ws_name, tfe_key, vcs_oauth_token,
baseline_repo_concat)
if not workspace_id:
return None
#workspace_id = get_workspace(ws_name, tfe_key)
# okta variables
okta_account_type = account_details["accountType"].lower()
try:
account_request = json.loads(account_details["account_request"])
environment_type = account_request["intEnvironment"].lower()
okta_account_type = f"{okta_account_type}_{environment_type}"
except Exception:
environment_type = "NA"
primary_region, secondary_region = avm_common.get_regions(account_id)
azs_primary, azs_secondary = avm_common.az_map_by_region(primary_region)
okta_config = avm_common.get_secret("okta")
okta_app_id_index = {
"core": okta_config["COR_LINK_ID"],
"sandbox": okta_config["SBX_LINK_ID"],
"application_npd": okta_config["NPD_LINK_ID"],
"application_prd": okta_config["PRD_LINK_ID"]
}
okta_url = okta_config["url"].replace("https://", "")
okta_prefix = "aws" + avm_common.get_short_account_code(
okta_account_type, environment_type)
tfe_host_name = avm_common.get_param("tfe_api_url").replace(
"https://", "").replace("/api/v2", "")
workspace_vars = [{
"key": "AWS_ACCESS_KEY_ID",
"value": aws_secrets["AWS_ACCESS_KEY_ID"],
"category": "env",
"sensitive": False,
"hcl": False
}, {
"key": "AWS_SECRET_ACCESS_KEY",
"value": aws_secrets["AWS_SECRET_ACCESS_KEY"],
"category": "env",
"sensitive": True,
"hcl": False
}, {
"key": "account_id",
"value": account_id,
"category": "terraform",
"sensitive": False,
"hcl": False
}, {
"key": "repo_name",
"value": baseline_repo_concat,
"category": "terraform",
"sensitive": False,
"hcl": False
}, {
"key": "name",
"value": account_details["name"].lower(),
"category": "terraform",
"sensitive": False,
"hcl": False
}, {
"key": "account_type",
"value": account_details["accountType"].lower(),
"category": "terraform",
"sensitive": False,
"hcl": False
}, {
"key": "account_org",
"value": account_details["org_name"].lower(),
"category": "terraform",
"sensitive": False,
"hcl": False
}, {
"key": "owner",
"value": account_details["email"],
"category": "terraform",
"sensitive": False,
"hcl": False
}, {
"key": "environment",
"value": account_request["env"].lower(),
"category": "terraform",
"sensitive": True,
"hcl": False
}, {
"key": "int_environment",
"value": environment_type,
"category": "terraform",
"sensitive": False,
"hcl": False
}, {
"key": "cidr_primary",
"value": request_details["primaryVpcCidr"],
"category": "terraform",
"sensitive": False,
"hcl": False
}, {
"key": "cidr_secondary",
"value": request_details["secondaryVpcCidr"],
"category": "terraform",
"sensitive": False,
"hcl": False
}, {
"key": "region_primary",
"value": primary_region,
"category": "terraform",
"sensitive": False,
"hcl": False
}, {
"key": "region_secondary",
"value": secondary_region,
"category": "terraform",
"sensitive": False,
"hcl": False
}, {
"key": "azs_primary",
"value": azs_primary,
"category": "terraform",
"sensitive": False,
"hcl": True
}, {
"key": "azs_secondary",
"value": azs_secondary,
"category": "terraform",
"sensitive": False,
"hcl": True
}, {
"key": "okta_provider_domain",
"value": okta_url,
"category": "terraform",
"sensitive": False,
"hcl": False
}, {
"key": "okta_app_id",
"value": okta_app_id_index[okta_account_type],
"category": "terraform",
"sensitive": False,
"hcl": False
}, {
"key": "tfe_org_name",
"value": avm_common.get_param("tfe_org_name"),
"category": "terraform",
"sensitive": True,
"hcl": False
}, {
"key": "tfe_avm_workspace_name",
"value": avm_common.get_param("avm_workspace_name"),
"category": "terraform",
"sensitive": True,
"hcl": False
}, {
"key": "tfe_host_name",
"value": tfe_host_name,
"category": "terraform",
"sensitive": True,
"hcl": False
}, {
"key": "tfe_core_logging_workspace_name",
"value": avm_common.get_param("logging_workspace_name"),
"category": "terraform",
"sensitive": True,
"hcl": False
}, {
"key": "master_payer_org_id",
"value": avm_common.get_param("master_payer_org_id"),
"category": "terraform",
"sensitive": True,
"hcl": False
}, {
"key": "master_payer_account",
"value": avm_common.get_param("master_payer_account"),
"category": "terraform",
"sensitive": True,
"hcl": False
}, {
"key": "core_security_account",
"value": avm_common.get_param("core_security_account"),
"category": "terraform",
"sensitive": True,
"hcl": False
}, {
"key":
"tlz_org_account_access_role",
"value":
avm_common.get_param("tlz_org_account_access_role"),
"category":
"terraform",
"sensitive":
True,
"hcl":
False
}, {
"key": "role_name",
"value": avm_common.get_param("tlz_admin_role"),
"category": "terraform",
"sensitive": True,
"hcl": False
}, {
"key": "okta_token",
"value": okta_config["token"],
"category": "terraform",
"sensitive": True,
"hcl": False
}]
for var in workspace_vars:
print(f"Attaching the var {var['key']}")
response = attach_vars_to_workspace(ws_name, tfe_key, var["key"],
var["value"], var["category"],
var["sensitive"], var["hcl"])
# Make teams with the same name as the Okta role names and assign them privileges to the baseline and resources workspaces.
# This will be reused in the resources workspace block later.
user_teams_to_assign = avm_common.get_delegated_user_managed_roles()
group_list = avm_common.generate_okta_group_names(
account_id, okta_account_type, environment_type,
account_details["alias"].lower())
for team in group_list:
for role in user_teams_to_assign:
if team.endswith(role):
# Try to find it first:
team_id = get_team(tfe_key, team)
# Otherwise, create it:
if not team_id:
team_id = create_team_for_org(tfe_key, team)
assign_team_to_workspace(
tfe_key, team_id, workspace_id,
get_workspace_access_for_role(role, "baseline"))
print(baseline_repo_concat)
# Add network_account
core_network_account = avm_common.get_param("core_network_account")
if core_network_account != None:
if account_details["accountType"].lower() in [
"application"
] or (account_details["accountType"].lower() == "core" and
account_request["account_name"].lower() == "shared_services"):
attach_vars_to_workspace(ws_name, tfe_key, "core_network_account",
core_network_account, "terraform", False,
False)
if avm_common.resource_workspace_required(account_details["accountType"]):
app_details = json.loads(account_details["app_details"])
app_repo_concat = "/".join(app_details["git"].split('/')[4:]).replace(
'.git', '')
baseline_workspace_name = ws_name
ws_name = app_details["tfe_workspace"]
create_workspace(ws_name, tfe_key, vcs_oauth_token, app_repo_concat)
workspace_id = get_workspace(ws_name, tfe_key)
print(app_repo_concat)
workspace_vars = [{
"key": "tfe_host_name",
"value": tfe_host_name,
"category": "terraform",
"sensitive": True,
"hcl": False
}, {
"key": "tfe_org_name",
"value": avm_common.get_param("tfe_org_name"),
"category": "terraform",
"sensitive": True,
"hcl": False
}, {
"key": "name",
"value": account_details["name"].lower(),
"category": "terraform",
"sensitive": False,
"hcl": False
}, {
"key": "owner",
"value": account_details["email"],
"category": "terraform",
"sensitive": False,
"hcl": False
}, {
"key": "environment",
"value": account_request["env"].lower(),
"category": "terraform",
"sensitive": True,
"hcl": False
}, {
"key": "baseline_workspace_name",
"value": baseline_workspace_name,
"category": "terraform",
"sensitive": True,
"hcl": False
}, {
"key": "region_primary",
"value": primary_region,
"category": "terraform",
"sensitive": False,
"hcl": False
}, {
"key": "region_secondary",
"value": secondary_region,
"category": "terraform",
"sensitive": False,
"hcl": False
}, {
"key": "baseline_workspace_name",
"value": baseline_workspace_name,
"category": "terraform",
"sensitive": True,
"hcl": False
}, {
"key":
"tlz_org_account_access_role",
"value":
avm_common.get_param("tlz_org_account_access_role"),
"category":
"terraform",
"sensitive":
True,
"hcl":
False
}, {
"key": "role_name",
"value": avm_common.get_param("tlz_admin_role"),
"category": "terraform",
"sensitive": True,
"hcl": False
}]
for var in workspace_vars:
print(f"Attaching the var {var['key']}")
response = attach_vars_to_workspace(ws_name, tfe_key, var["key"],
var["value"], var["category"],
var["sensitive"], var["hcl"])
# Assign the teams (already created in the baseline block) to this workspace as well.
for team in group_list:
for role in user_teams_to_assign:
if team.endswith(role):
# Get the team ID--it was made in the baseline already.
team_id = get_team(tfe_key, team)
assign_team_to_workspace(
tfe_key, team_id, workspace_id,
get_workspace_access_for_role(role, "resource"))
elif account_details["accountType"].lower() == "core" and account_request[
"account_name"].lower() == "shared_services":
workspace_vars = [{
"key": "primary_zone_name",
"value": avm_common.get_param("primary_zone_name"),
"category": "terraform",
"sensitive": False,
"hcl": False
}]
for var in workspace_vars:
print(f"Attaching the var {var['key']}")
response = attach_vars_to_workspace(ws_name, tfe_key, var["key"],
var["value"], var["category"],
var["sensitive"], var["hcl"])
def get_token(self):
return avm_common.get_secret("bitbucket")
def get_token(self):
return avm_common.get_secret("vcs")
import boto3
import base64
from botocore.exceptions import ClientError
import json
import avm_common
import requests
from http import HTTPStatus
okta_config = avm_common.get_secret("okta")
url = okta_config["url"]
# Checks if Group already exists
def get_group_id(group_name, secret):
print(f"Checking group {group_name}")
headers = {
"Accept": "application/json",
"Content-Type": "application/json",
"Authorization": "SSWS " + secret
}
# check if group already exists
response = requests.get(url + "/api/v1/groups", headers=headers)
response = json.loads(response.text)
for group in response:
if (group["profile"]["name"] == group_name):
#print(group)
print(group_name + " already exists")
return group["id"]
print(group_name + " does not exist. Creating.")
return None
