add a wrapper to ensure AWS credentials are fresh
- ID
62004fe- date
2022-12-17 09:40:29+00:00- author
Alex Chan <alex@alexwlchan.net>- parent
8beeb1a- message
add a wrapper to ensure AWS credentials are fresh- changed files
4 files, 43 additions
Changed files
_ensure_aws_credentials_are_fresh (0) → _ensure_aws_credentials_are_fresh (1118)
diff --git a/_ensure_aws_credentials_are_fresh b/_ensure_aws_credentials_are_fresh
new file mode 100755
index 0000000..c4d379b
--- /dev/null
+++ b/_ensure_aws_credentials_are_fresh
@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+# To get AWS credentials, I use aws-azure-login, which use Azure SSO
+# to get temporary credentials.
+# See https://github.com/wellcomecollection/platform-infrastructure/blob/main/accounts/docs/cli-credentials.md
+#
+# This script runs in front of a couple of wrappers that require AWS access
+# (e.g. tfi, tfp) to ensure that I have fresh credentials, which saves me
+# trying something which will obviously fail, refreshing creds, then trying
+# a second time. Everything goes a little smoother!
+
+set -o errexit
+set -o nounset
+
+function get_aws_credentials_expiry_timestamp() {
+ timestamp=$(
+ grep aws_expiration ~/.aws/credentials \
+ | tr '=' ' ' \
+ | awk '{print $2}'
+ )
+
+ unix_timestamp=$(python3 -c "
+from datetime import *
+d = datetime.strptime('$timestamp', '%Y-%m-%dT%H:%M:%S.%fZ')
+print(int(d.timestamp()))
+ ")
+
+ echo "$unix_timestamp"
+}
+
+EXPIRY_TIMESTAMP=$(get_aws_credentials_expiry_timestamp)
+CURRENT_TIMESTAMP=$(date +%s)
+
+if (( CURRENT_TIMESTAMP - 100 >= EXPIRY_TIMESTAMP ))
+then
+ echo "AWS credentials have expired, auto-refreshing..."
+ aws-azure-login --no-prompt
+fi
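Review bot: In get_aws_credentials_expiry_timestamp the value read from ~/.aws/credentials is pasted into the Python source as `'$timestamp'`, so a quote or newline in that field changes the program that runs, and a file with more than one aws_expiration line (several profiles) breaks the string literal. Passing the value as an argument and reading `sys.argv[1]` keeps it as data. The parsed datetime is also naive, so `d.timestamp()` interprets the UTC value as local time and the result is off by the machine's UTC offset; attaching `timezone.utc` corrects that. Separately, `CURRENT_TIMESTAMP - 100 >= EXPIRY_TIMESTAMP` only fires once the credentials have been expired for 100 seconds; if the 100 is meant as a safety margin, `CURRENT_TIMESTAMP + 100 >= EXPIRY_TIMESTAMP` would refresh before expiry instead.

```shell
  unix_timestamp=$(python3 -c '
import sys
from datetime import datetime, timezone
d = datetime.strptime(sys.argv[1], "%Y-%m-%dT%H:%M:%S.%fZ")
print(int(d.replace(tzinfo=timezone.utc).timestamp()))
' "$timestamp")
# … unchanged: echo of unix_timestamp, expiry comparison and refresh …
```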
tfa (1519) → tfa (1554)
diff --git a/tfa b/tfa
index b236368..db571e5 100755
--- a/tfa
+++ b/tfa
@@ -32,6 +32,8 @@
#
# which doesn't make any sense!
#
+_ensure_aws_credentials_are_fresh
+
if [[ "$@" == "-refresh-only" ]]
then
if [[ -f run_terraform.sh ]]
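Review bot: The result of the added `_ensure_aws_credentials_are_fresh` call is not checked in this hunk, and no `set -o errexit` is visible in it, so a failed refresh may fall through to the terraform command with stale credentials. The same applies to the tfp hunk; the tfi hunk does show errexit just above the call. If errexit is not set elsewhere in these scripts, `_ensure_aws_credentials_are_fresh || exit 1` makes the stop explicit. The rest of each script lies outside the hunk, so this needs confirming against the full files.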
tfi (583) → tfi (618)
diff --git a/tfi b/tfi
index 9be234f..a58e5c5 100755
--- a/tfi
+++ b/tfi
@@ -12,6 +12,8 @@
set -o errexit
set -o nounset
+_ensure_aws_credentials_are_fresh
+
if [[ -f run_terraform.sh ]]
then
./run_terraform.sh init "$@"
tfp (592) → tfp (627)
diff --git a/tfp b/tfp
index fe98fe3..996f258 100755
--- a/tfp
+++ b/tfp
@@ -9,6 +9,8 @@
#
# This is an alias for "terraform plan".
+_ensure_aws_credentials_are_fresh
+
if [[ -f run_terraform.sh ]]
then
./run_terraform.sh plan -out=terraform.plan "$@"