From 407cf0947101a7173e4c2a2bde066b8978ae25cc Mon Sep 17 00:00:00 2001
From: vsnyc
Date: Wed, 18 Oct 2023 16:00:29 -0400
Subject: [PATCH 1/4] Updated default value for QSS3BucketName in templates
---
 templates/main.template.yaml | 4 ++--
 templates/server.template.yaml | 2 +-
 templates/uipath-robot.template.yaml | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/templates/main.template.yaml b/templates/main.template.yaml
index 3715a0b..1ecd054 100644
--- a/templates/main.template.yaml
+++ b/templates/main.template.yaml
@@ -230,7 +230,7 @@ Parameters:
 uppercase letters, and hyphens, but do not start or end with a hyphen (-).
 See https://aws-quickstart.github.io/option1.html.
 Type: String
- Default: aws-ia-us-east-1
+ Default: aws-ia
 QSS3BucketRegion:
 Default: us-east-1
 Description: >-
@@ -256,7 +256,7 @@ Parameters:
 Conditions:
 UsingDefaultBucket: !Equals
 - !Ref QSS3BucketName
- - aws-ia-us-east-1
+ - aws-ia
 Resources:
 NetworkStack:
 Type: 'AWS::CloudFormation::Stack'
diff --git a/templates/server.template.yaml b/templates/server.template.yaml
index 1945a53..09017a0 100644
--- a/templates/server.template.yaml
+++ b/templates/server.template.yaml
@@ -61,7 +61,7 @@ Parameters:
 Conditions:
 UsingDefaultBucket: !Equals
 - !Ref QSS3BucketName
- - aws-ia-us-east-1
+ - aws-ia
 Resources:
 RobotIAMRole:
 Type: 'AWS::IAM::Role'
diff --git a/templates/uipath-robot.template.yaml b/templates/uipath-robot.template.yaml
index dc7b5c6..4e1b238 100644
--- a/templates/uipath-robot.template.yaml
+++ b/templates/uipath-robot.template.yaml
@@ -162,7 +162,7 @@ Parameters:
 uppercase letters, and hyphens, but do not start or end with a hyphen (-).
 See https://aws-quickstart.github.io/option1.html.
 Type: String
- Default: aws-ia-us-east-1
+ Default: aws-ia
 QSS3BucketRegion:
 Default: us-east-1
 Description: >-
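Review bot: The `UsingDefaultBucket` condition in the hunk at -256 compares `QSS3BucketName` against the bare literal `aws-ia`, a second copy of the parameter's `Default` from the hunk at -230, and the same Default/condition pair is repeated in server.template.yaml (-61) and uipath-robot.template.yaml (-162 and -188). This commit changed all five places together, but nothing ties them to each other, so a future rename that misses one template would silently leave the condition false for the default bucket and presumably send that stack down the custom-bucket path. A comment next to each condition, `# must match the Default of QSS3BucketName above`, or a sentence in the parameter description naming the condition, would make the coupling visible to the next editor.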
@@ -188,7 +188,7 @@ Parameters:
 Conditions:
 UsingDefaultBucket: !Equals
 - !Ref QSS3BucketName
- - aws-ia-us-east-1
+ - aws-ia
 Resources:
 LambdaRoleStack:
 Type: 'AWS::CloudFormation::Stack'
From e8abae09c483a43e80695dc1ad01dc7cc4882883 Mon Sep 17 00:00:00 2001
From: vsnyc
Date: Mon, 12 Feb 2024 12:09:23 -0500
Subject: [PATCH 2/4] Updating submodules
---
 submodules/cfn-ps-aws-vpc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/submodules/cfn-ps-aws-vpc b/submodules/cfn-ps-aws-vpc
index 5e14469..573c69f 160000
--- a/submodules/cfn-ps-aws-vpc
+++ b/submodules/cfn-ps-aws-vpc
@@ -1 +1 @@
-Subproject commit 5e1446917af2851e43b154297aa601403d535799
+Subproject commit 573c69f0a5e465596cace10fb629c246acd124ad
From a69f523c23050c9e5c5698ac01bc8a064364fe59 Mon Sep 17 00:00:00 2001
From: vsnyc
Date: Mon, 12 Feb 2024 12:09:29 -0500
Subject: [PATCH 3/4] Synced publication stage from project type
---
 .project_automation/publication/Dockerfile | 5 +-
 .../publication/assets/.taskcat_publish.yml | 8 +++
 .../publication/assets/cred_helper.py | 72 +++++++++++++++++++
 .project_automation/publication/s3_publish.sh | 22 +-----
 4 files changed, 86 insertions(+), 21 deletions(-)
 create mode 100644 .project_automation/publication/assets/cred_helper.py
diff --git a/.project_automation/publication/Dockerfile b/.project_automation/publication/Dockerfile
index 8f71360..5294774 100644
--- a/.project_automation/publication/Dockerfile
+++ b/.project_automation/publication/Dockerfile
@@ -1,3 +1,6 @@
 FROM public.ecr.aws/codebuild/amazonlinux2-x86_64-standard:4.0
 RUN yum install -y yum-utils && yum-config-manager --add-repo https://cli.github.com/packages/rpm/gh-cli.repo && yum install -y gh
-RUN pip install copier taskcat yq jq awscli cfn-flip
\ No newline at end of file
+RUN pip install taskcat yq jq awscli
+RUN pip3 install 'copier==8.3.0'
+RUN pip install 'cfn-lint==0.83.2'
+RUN pip install bump2version
\ No newline at end of file
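Review bot: Only `copier` and `cfn-lint` are pinned in the new RUN lines; `taskcat yq jq awscli` on the first added line and `bump2version` on the last still float to whatever PyPI serves at build time, so the publication image is not reproducible and a broken or tampered release of any of them reaches the release pipeline unnoticed. Pin them the same way (`RUN pip install 'taskcat==<version>' 'yq==<version>' ...` with the versions filled in) or move the whole set into a requirements file installed with `--require-hashes`. The alternation between `pip` and `pip3` on adjacent lines looks accidental and should be made uniform. The file also still ends without a trailing newline.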
diff --git a/.project_automation/publication/assets/.taskcat_publish.yml b/.project_automation/publication/assets/.taskcat_publish.yml
index 353dd03..8ffd750 100644
--- a/.project_automation/publication/assets/.taskcat_publish.yml
+++ b/.project_automation/publication/assets/.taskcat_publish.yml
@@ -6,6 +6,10 @@ general:
 ap-southeast-3: ap-southeast-3-profile
 eu-south-1: eu-south-1-profile
 me-south-1: me-south-1-profile
+ cn-north-1: china-profile
+ cn-northwest-1: china-profile
+ us-gov-east-1: us-govcloud-profile
+ us-gov-west-1: us-govcloud-profile
 project:
 s3_regional_buckets: true
 s3_bucket: aws-ia
@@ -32,5 +36,9 @@ project:
 - ca-central-1
 - eu-central-1
 - eu-north-1
+ - cn-north-1
+ - cn-northwest-1
+ - us-gov-east-1
+ - us-gov-west-1
 tests:
 test1: {}
\ No newline at end of file
diff --git a/.project_automation/publication/assets/cred_helper.py b/.project_automation/publication/assets/cred_helper.py
new file mode 100644
index 0000000..c01d761
--- /dev/null
+++ b/.project_automation/publication/assets/cred_helper.py
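Review bot: The four new region entries map to `china-profile` and `us-govcloud-profile`, but nothing in this series shows those profiles being created: the s3_publish.sh hunk only makes cred_helper.py executable and never invokes it, and no AWS config entry wiring the helper in as a `credential_process` is added. If the profiles are provisioned outside the visible diff, a comment above the block naming that mechanism would help, e.g. `# china-profile / us-govcloud-profile are expected to exist in the build's AWS config before taskcat runs`; otherwise the `cn-*` and `us-gov-*` uploads would fail at profile lookup. Those regions also sit in separate partitions from the commercial `aws-ia` account, so `s3_bucket: aws-ia` with `s3_regional_buckets: true` presumably depends on separately owned buckets following the same naming scheme — worth confirming and documenting next to `s3_bucket`.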
@@ -0,0 +1,72 @@
+#!/usr/bin/env python3
+import boto3
+import json
+import sys
+import argparse
+
+# https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html
+
+def _transform_creds(result, ak, sk):
+ AK = result[ak]
+ SAK = result[sk]
+ transformed_creds = {
+ "Version": 1,
+ "AccessKeyId": AK,
+ "SecretAccessKey": SAK
+ }
+ return transformed_creds
+
+def fetch_creds(region_name, secret_name, ak, sk, pr):
+ ssm = boto3.Session(profile_name=pr).client('secretsmanager', region_name=region_name)
+ value = ssm.get_secret_value(SecretId=secret_name)
+ value = json.loads(value["SecretString"])
+ return _transform_creds(value, ak, sk)
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser(
+ prog="cred_helper.py",
+ description="Snags creds from Secrets manager for use in an AWS profile. Leveraging botocore builtins.",
+ )
+ parser.add_argument(
+ "--region",
+ type=str,
+ help="region name. otherwise use the default.",
+ required=True
+ )
+ parser.add_argument(
+ "--secret-name",
+ type=str,
+ help="secret name to fetch",
+ required=True
+ )
+ parser.add_argument(
+ "--access-key-index",
+ type=str,
+ help="secret name to fetch",
+ required=True
+ )
+ parser.add_argument(
+ "--secret-access-key-index",
+ type=str,
+ help="secret name to fetch",
+ required=True
+ )
+ parser.add_argument(
+ "--secret-profile",
+ type=str,
+ help="profile to use when fetching the secret",
+ required=False,
+ default="default"
+ )
+ args = parser.parse_args()
+ try:
+ parsed_creds = fetch_creds(
+ args.region,
+ args.secret_name,
+ args.access_key_index,
+ args.secret_access_key_index,
+ args.secret_profile
+ )
+ json.dump(parsed_creds, sys.stdout, indent=2)
+ except:
+ raise
diff --git a/.project_automation/publication/s3_publish.sh b/.project_automation/publication/s3_publish.sh
index 6921d16..d92eeb4 100755
--- a/.project_automation/publication/s3_publish.sh
+++ b/.project_automation/publication/s3_publish.sh
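Review bot: The `help` text for `--access-key-index` and `--secret-access-key-index` is copy-pasted from `--secret-name` ("secret name to fetch"), so `--help` misdescribes both; they are the keys inside the secret's JSON document that hold the access key id and secret access key, e.g. `help="key in the secret's JSON document holding the access key id"`. The `try:`/`except:`/`raise` wrapper around the `fetch_creds` call is a no-op that only adds indentation and should be removed, and the local named `ssm` in `fetch_creds` is a Secrets Manager client, so a name like `secrets` would read correctly. The emitted document carries no `Expiration`, which per the credential_process contract makes the CLI treat the pair as static long-term keys; a module docstring stating that the secret is expected to hold long-lived IAM keys (and that the `--region` help is wrong, since the option is required and nothing falls back to a default) would record the assumptions the pipeline rests on. The hunk is the whole new file, so no definition is cut off.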
@@ -62,24 +62,6 @@ cat "${automation_scripts_path}tmp.yml"
 aws sts get-caller-identity --debug
+chmod 755 ${project_root}/.project_automation/publication/assets/cred_helper.py
 # push to regional S3 buckets
-export TASKCAT_PROJECT_S3_REGIONAL_BUCKETS=true; taskcat -d upload -p ${project_root} -c "${automation_scripts_path}tmp.yml"
-
-PUBLICATIONS_ASSETS_BUCKET=$(aws ssm get-parameter --region us-east-1 --name PUBLICATIONS_ASSETS_BUCKET --with-decryption | jq -r '.Parameter|.Value')
-
-upload_assets_to_ssm(){
- cd ${project_root}
- APP_MGR_MANIFEST=${project_root}/manifests/app-manager/app-manager-manifest.yaml
- if [[ -f "$APP_MGR_MANIFEST" ]]; then
- aws s3 cp --region us-east-1 s3://${PUBLICATIONS_ASSETS_BUCKET}/template_to_ssm_doc_pusher.py ${project_root}/.project_automation/publication/assets/
- PUBLISH_SSM_DOC_ACCOUNT_ID=$(aws ssm get-parameter --region us-east-1 --name PUBLISH_SSM_DOC_ACCOUNT_ID --with-decryption | jq -r '.Parameter|.Value')
- version_suffix=$(date "+%Y-%m-%d-%H-%M-%S")
- regions=$(aws ec2 describe-regions --region us-east-1 --output text | cut -f4)
- aws sts get-caller-identity
- for region in ${regions}; do
- python ${project_root}/.project_automation/publication/assets/template_to_ssm_doc_pusher.py -a ${PUBLISH_SSM_DOC_ACCOUNT_ID} -f ${project_root}/manifests/app-manager/app-manager-manifest.yaml -r ${region} -v ${version_suffix} -d true
- done
- fi
-}
-
-upload_assets_to_ssm
\ No newline at end of file
+export TASKCAT_PROJECT_S3_REGIONAL_BUCKETS=true; taskcat -d upload -p ${project_root} -c "${automation_scripts_path}tmp.yml"
\ No newline at end of file
From 20c0de9b5d43a96a879d24c18243973b5113d0ea Mon Sep 17 00:00:00 2001
From: vsnyc
Date: Mon, 12 Feb 2024 12:34:04 -0500
Subject: [PATCH 4/4] Updating submodule URLs
---
 .gitmodules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitmodules b/.gitmodules
index a08c94d..dccbd09 100644
--- a/.gitmodules
+++ b/.gitmodules
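Review bot: The added `chmod 755 ${project_root}/.project_automation/publication/assets/cred_helper.py` leaves `${project_root}` unquoted, unlike the quoted `"${automation_scripts_path}tmp.yml"` on the neighbouring taskcat line, so a checkout path containing whitespace splits into several arguments; write `chmod 755 "${project_root}/.project_automation/publication/assets/cred_helper.py"`. The helper is created in this same patch with mode 100644 (see its file header), so committing it as 100755 would remove the need for a runtime chmod altogether. Nothing in the visible lines invokes the helper after making it executable, which is presumably done by configuration outside this hunk; a one-line comment above the chmod naming what consumes the script would make the step self-explaining. The hunk runs to the end of the file, so no enclosing function is cut.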
@@ -3,5 +3,5 @@
 url = https://github.com/aws-ia/aws-ia-documentation-base-common.git
 [submodule "submodules/cfn-ps-aws-vpc"]
 path = submodules/cfn-ps-aws-vpc
- url = git@github.com:aws-ia/cfn-ps-aws-vpc.git
+ url = https://github.com/aws-ia/cfn-ps-aws-vpc.git
 branch = main