From 713a783a3ddc219462fafbdae41c99a454d61d83 Mon Sep 17 00:00:00 2001
From: Luke Ashe-Browne
Date: Fri, 5 May 2017 16:45:05 +0100
Subject: [PATCH 01/17] adding env vars template and ignore entry
---
 .envrc.tpl | 17 +++++++++++++++++
 .gitignore | 2 ++
 2 files changed, 19 insertions(+)
 create mode 100644 .envrc.tpl
diff --git a/.envrc.tpl b/.envrc.tpl
new file mode 100644
index 0000000..7faa7bc
--- /dev/null
+++ b/.envrc.tpl
@@ -0,0 +1,17 @@
+
+# Essential for LABDigital approach, set this
+
+export AWS_PROFILE=bp-pip-dev
+
+#if this is set, provider in io.tf will use this value instead of AWS_PROFILE
+
+#this is because terraform doesn't refer to the config, only credentials, so it can't see any keys since there are none for bp-pip-dev, only for bp-root,
+#and it does not see the source_profile or role_arn values in config.
+export AWS_SOURCE_PROFILE=bp-root
+
+export AWS_REGION=eu-west-1
+export AWS_DEFAULT_REGION=$AWS_REGION
+export CLUSTER_NAME=bp-pip-dev
+export ETCD_IPS=10.0.10.10
+HYPERKUBE_TAG ?= v1.5.1_coreos.0
+#export HYPERKUBE_TAG=v1.6.0_coreos.0
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
index 31cc7c3..d768cb2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,3 +14,5 @@ terraform.tfvars
 templates
 *.bak
+
+.direnv
From 9e6b14f264e582c303023a3b82d3f4f0a8463c4e Mon Sep 17 00:00:00 2001
From: Luke Ashe-Browne
Date: Fri, 5 May 2017 17:41:10 +0100
Subject: [PATCH 02/17] didnt use correct ignore for envrc
---
 .gitignore | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitignore b/.gitignore
index d768cb2..39da0bf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -15,4 +15,4 @@ terraform.tfvars
 templates
 *.bak
-.direnv
+.envrc
From 9a5bb412d16a138a69d5f6ef719d4441536a6b27 Mon Sep 17 00:00:00 2001
From: Luke Ashe-Browne
Date: Fri, 5 May 2017 17:41:34 +0100
Subject: [PATCH 03/17] annonymise the values in envrc.tpl
---
 .envrc.tpl | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
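Review bot: `HYPERKUBE_TAG ?= v1.5.1_coreos.0` in the new .envrc.tpl is Makefile syntax, not shell; direnv sources `.envrc` with bash, so this line would try to run a command named `HYPERKUBE_TAG` and the variable would never be exported. It should read `export HYPERKUBE_TAG=v1.5.1_coreos.0`. The template also lands the real profile and cluster names (`bp-pip-dev`, `bp-root`) in history; patch 03 of this series replaces them in the working tree, but any branch that merges the series still carries them, so squash 01–03 if those identifiers are not meant to be public. Worth a header comment as well, e.g. `# Profile names only - never put static AWS keys in this file, direnv executes it on every cd`.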
diff --git a/.envrc.tpl b/.envrc.tpl
index 7faa7bc..f720c57 100644
--- a/.envrc.tpl
+++ b/.envrc.tpl
@@ -1,17 +1,21 @@
-# Essential for LABDigital approach, set this
+# If you use direnv, rename this file to .envrc,
+# this is so you can driving config for tack and aws using env vars
-export AWS_PROFILE=bp-pip-dev
+export AWS_PROFILE=env-account
 #if this is set, provider in io.tf will use this value instead of AWS_PROFILE
-#this is because terraform doesn't refer to the config, only credentials, so it can't see any keys since there are none for bp-pip-dev, only for bp-root,
-#and it does not see the source_profile or role_arn values in config.
-export AWS_SOURCE_PROFILE=bp-root
+# Uncomment the AWS_SOURCE_PROFILE export to use a delegate account, eg aws organisations.
+# This is because terraform doesn't refer to the config, only credentials, so it can't
+# see any keys for a delegate account since the parent account profile is used to login
+# there are none for a subaccount, you need to point at a config with source_profile or
+# role_arn values.
+
+#export AWS_SOURCE_PROFILE=root-acc
 export AWS_REGION=eu-west-1
 export AWS_DEFAULT_REGION=$AWS_REGION
-export CLUSTER_NAME=bp-pip-dev
+export CLUSTER_NAME=xxxxxx
 export ETCD_IPS=10.0.10.10
-HYPERKUBE_TAG ?= v1.5.1_coreos.0
-#export HYPERKUBE_TAG=v1.6.0_coreos.0
\ No newline at end of file
+export HYPERKUBE_TAG ?= v1.5.1_coreos.0
From 094b8e80986ccf53b87c7306cff81d95e7f7f2a1 Mon Sep 17 00:00:00 2001
From: Luke Ashe-Browne
Date: Fri, 5 May 2017 19:07:17 +0100
Subject: [PATCH 04/17] Add lines to init-variables to add AWS delegate accounts (consolidated billing aka. Organisations)
---
 scripts/init-variables | 28 +++++++++++++++++++++++++---
 1 file changed, 25 insertions(+), 3 deletions(-)
diff --git a/scripts/init-variables b/scripts/init-variables
index f10c0e9..6de1270 100755
--- a/scripts/init-variables
+++ b/scripts/init-variables
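Review bot: The new last line `export HYPERKUBE_TAG ?= v1.5.1_coreos.0` is still not valid shell: bash parses it as `export HYPERKUBE_TAG`, `export '?='` and `export v1.5.1_coreos.0`, fails on the invalid identifier, and direnv then refuses to load the file, so this intermediate commit leaves the template unusable. Fold the later one-line fix into this commit: `export HYPERKUBE_TAG=v1.5.1_coreos.0`. The rewritten comment block also does not say what the two profiles are for; something like `# AWS_PROFILE: profile the aws CLI runs as (may be a role-assuming sub-account profile)` and `# AWS_SOURCE_PROFILE: profile holding the static credentials Terraform uses together with that profile's role_arn` would match how scripts/init-variables consumes them. Since direnv executes this file on every `cd`, the header should also say not to put access keys in it.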
@@ -27,9 +27,8 @@ COREOS_AMI_ID=`curl -s \
 $(printf "http://%s.release.core-os.net/amd64-usr/current/coreos_production_ami_%s_%s.txt" \
 $COREOS_CHANNEL $COREOS_VM_TYPE $AWS_REGION)`
-AWS_ACCOUNT_ID=`aws iam get-user --output json \
- | awk '/arn:aws:/{print $2}' \
- | grep -Eo '[[:digit:]]{12}'`
+#this is a more direct method to get account id rather than get-user
+AWS_ACCOUNT_ID=`aws sts get-caller-identity|jq --raw-output '.Account'`
 AWS_REGION_AZS=`aws ec2 describe-availability-zones --region ${AWS_REGION} --output json \
 | jq --raw-output '.AvailabilityZones | map(.ZoneName) | .[]' \
@@ -41,6 +40,29 @@ cat < terraform.tfvars
 # Generated by scripts/init-variables.sh
 aws = {
 account-id = "${AWS_ACCOUNT_ID}"
+EOF
+
+if [[ ! -z $AWS_PROFILE ]];then
+ if [[ ! -z $AWS_SOURCE_PROFILE ]];then
+ cat <> terraform.tfvars
+ profile = "${AWS_SOURCE_PROFILE}"
+EOF
+
+ else
+ cat <> terraform.tfvars
+ profile = "${AWS_PROFILE}"
+EOF
+ fi
+fi
+
+if AWS_ASSUME_ROLE_ARN=$(aws configure get role_arn); then
+ cat <> terraform.tfvars
+ role_arn = "${AWS_ASSUME_ROLE_ARN}"
+EOF
+
+fi
+
+cat <> terraform.tfvars
 azs = "${AWS_REGION_AZS}"
 key-name = "${AWS_EC2_KEY_NAME}"
 region = "${AWS_REGION}"
From e5acdc8c0062e7e582cd9a42a1858f7b7c80c75d Mon Sep 17 00:00:00 2001
From: Luke Ashe-Browne
Date: Fri, 5 May 2017 19:29:12 +0100
Subject: [PATCH 05/17] shellcheck bash best practices
---
 scripts/init-variables | 47 +++++++++++++++++++++---------------------
 1 file changed, 24 insertions(+), 23 deletions(-)
diff --git a/scripts/init-variables b/scripts/init-variables
index 6de1270..f4b88c4 100755
--- a/scripts/init-variables
+++ b/scripts/init-variables
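Review bot: `AWS_ACCOUNT_ID=\`aws sts get-caller-identity|jq --raw-output '.Account'\`` yields an empty string when the STS call fails (expired session, wrong profile, no credentials): the script runs with `-e` but no `pipefail`, and `jq` exits 0 on empty input, so the empty id is written into `account-id` and, further down, into the `s3-bucket` name. Add `set -o pipefail` near the top and guard the value with `: "${AWS_ACCOUNT_ID:?could not determine AWS account id}"`. The move away from `iam get-user` is otherwise the right call: with an assumed-role profile STS reports the target account, which is the one the tfvars should name.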
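Review bot: When `AWS_SOURCE_PROFILE` is set but `AWS_PROFILE` is not, the nested `if` writes no `profile` line at all and the source profile is silently ignored, which is the opposite of what the .envrc.tpl comments promise; reject that combination up front, e.g. `[[ -n $AWS_SOURCE_PROFILE && -z $AWS_PROFILE ]] && { echo "AWS_SOURCE_PROFILE requires AWS_PROFILE" >&2; exit 1; }`. `aws configure get role_arn` reads from whichever profile the CLI resolves (AWS_PROFILE if set, else default); making that explicit with `aws configure get role_arn --profile "${AWS_PROFILE:-default}"` keeps the `profile` and `role_arn` lines in the generated map from drifting apart. Stylistically `[[ ! -z $x ]]` is clearer as `[[ -n $x ]]`, and the heredoc this hunk extends is opened on the line before the hunk.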
@@ -3,37 +3,38 @@ CDIR=$(dirname "${BASH_SOURCE}")
 set -x
+CIDR_ALLOW_SSH=$("${CDIR}"/myip)
-echo $AWS_REGION
-echo $COREOS_CHANNEL
-echo $COREOS_VM_TYPE
-echo $AWS_EC2_KEY_NAME
-echo $INTERNAL_TLD
-echo $CLUSTER_NAME
-CIDR_ALLOW_SSH=`$CDIR/myip`
-echo $CIDR_VPC
-echo $CIDR_PODS
-echo $CIDR_SERVICE_CLUSTER
-echo $K8S_SERVICE_IP
-echo $K8S_DNS_IP
-echo $ETCD_IPS
-echo $HYPERKUBE_IMAGE
-echo $HYPERKUBE_TAG
-echo $PKI_IP
+echo "$AWS_REGION"
+echo "$COREOS_CHANNEL"
+echo "$COREOS_VM_TYPE"
+echo "$AWS_EC2_KEY_NAME"
+echo "$INTERNAL_TLD"
+echo "$CLUSTER_NAME"
+echo "$CIDR_ALLOW_SSH"
+echo "$CIDR_VPC"
+echo "$CIDR_PODS"
+echo "$CIDR_SERVICE_CLUSTER"
+echo "$K8S_SERVICE_IP"
+echo "$K8S_DNS_IP"
+echo "$ETCD_IPS"
+echo "$HYPERKUBE_IMAGE"
+echo "$HYPERKUBE_TAG"
+echo "$PKI_IP"
 set +x
-COREOS_AMI_ID=`curl -s \
- $(printf "http://%s.release.core-os.net/amd64-usr/current/coreos_production_ami_%s_%s.txt" \
- $COREOS_CHANNEL $COREOS_VM_TYPE $AWS_REGION)`
-
+COREOS_AMI_ID="$(curl -s \
+ "$(printf "http://%s.release.core-os.net/amd64-usr/current/coreos_production_ami_%s_%s.txt" \
+ "$COREOS_CHANNEL" "$COREOS_VM_TYPE" "$AWS_REGION")")"
+
 #this is a more direct method to get account id rather than get-user
-AWS_ACCOUNT_ID=`aws sts get-caller-identity|jq --raw-output '.Account'`
+AWS_ACCOUNT_ID=$(aws sts get-caller-identity|jq --raw-output '.Account')
-AWS_REGION_AZS=`aws ec2 describe-availability-zones --region ${AWS_REGION} --output json \
+AWS_REGION_AZS=$(aws ec2 describe-availability-zones --region "${AWS_REGION}" --output json \
 | jq --raw-output '.AvailabilityZones | map(.ZoneName) | .[]' \
 | xargs \
- | sed -e 's/ /,/g'`
+ | sed -e 's/ /,/g')
 cat < terraform.tfvars
From beb204ce40dd1271bbb1cc55c168349d1741038f Mon Sep 17 00:00:00 2001
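Review bot: The re-quoted `COREOS_AMI_ID="$(curl -s …)"` still fetches the AMI id every node will boot from over plain `http://` with no `-f`, so an on-path tamperer, a captive portal, or an HTTP error page body goes straight into terraform.tfvars as the image id. Use `https://` (the release host serves TLS as far as I know — confirm), make curl fail on HTTP errors with `curl -fsS`, and validate the shape before it is used: `[[ $COREOS_AMI_ID =~ ^ami-[0-9a-f]+$ ]] || { echo "unexpected AMI id: '$COREOS_AMI_ID'" >&2; exit 1; }`. Related: the file's shebang is `#!/bin/bash -e`, which is silently dropped when someone runs `bash scripts/init-variables`; a `set -euo pipefail` after the shebang is the reliable form and also makes the `aws … | jq` pipelines in this hunk fail loudly.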
From: Luke Ashe-Browne
Date: Fri, 5 May 2017 20:50:43 +0100
Subject: [PATCH 06/17] try using command parenthesis to generate aws provider
---
 scripts/init-variables | 50 +++++++++++++++++++-----------------------
 1 file changed, 23 insertions(+), 27 deletions(-)
diff --git a/scripts/init-variables b/scripts/init-variables
index f4b88c4..dae635a 100755
--- a/scripts/init-variables
+++ b/scripts/init-variables
@@ -1,6 +1,6 @@ #!/bin/bash -e
-CDIR=$(dirname "${BASH_SOURCE}")
+CDIR=$(dirname "${BASH_SOURCE[0]}")
 set -x
 CIDR_ALLOW_SSH=$("${CDIR}"/myip)
@@ -24,6 +24,8 @@ echo "$PKI_IP"
 set +x
+
+
 COREOS_AMI_ID="$(curl -s \
 "$(printf "http://%s.release.core-os.net/amd64-usr/current/coreos_production_ami_%s_%s.txt" \
 "$COREOS_CHANNEL" "$COREOS_VM_TYPE" "$AWS_REGION")")"
@@ -36,38 +38,32 @@ AWS_REGION_AZS=$(aws ec2 describe-availability-zones --region "${AWS_REGION}" --
 | xargs \
 | sed -e 's/ /,/g')
-
-cat < terraform.tfvars
-# Generated by scripts/init-variables.sh
+#generate aws{} provider hsl block
+AWS_PROVIDER="$( echo "# Generated by scripts/init-variables.sh
 aws = {
- account-id = "${AWS_ACCOUNT_ID}"
-EOF
-
-if [[ ! -z $AWS_PROFILE ]];then
- if [[ ! -z $AWS_SOURCE_PROFILE ]];then
- cat <> terraform.tfvars
- profile = "${AWS_SOURCE_PROFILE}"
-EOF
+ account-id = \"${AWS_ACCOUNT_ID}\"";
- else
- cat <> terraform.tfvars
- profile = "${AWS_PROFILE}"
-EOF
+ if [[ ! -z $AWS_PROFILE ]];then
+ if [[ ! -z $AWS_SOURCE_PROFILE ]];then
+ echo " profile = \"${AWS_SOURCE_PROFILE}\"";
+ else
+ echo " profile = \"${AWS_PROFILE}\"";
+ fi
+ fi
+ if AWS_ASSUME_ROLE_ARN=$(aws configure get role_arn); then
+ echo " role_arn = \"${AWS_ASSUME_ROLE_ARN}\""
 fi
-fi
-if AWS_ASSUME_ROLE_ARN=$(aws configure get role_arn); then
- cat <> terraform.tfvars
- role_arn = "${AWS_ASSUME_ROLE_ARN}"
-EOF
+ echo " azs = \"${AWS_REGION_AZS}\"
+ key-name = \"${AWS_EC2_KEY_NAME}\"
+ region = \"${AWS_REGION}\"
+}";
+
+)";
-fi
 cat <> terraform.tfvars
- azs = "${AWS_REGION_AZS}"
- key-name = "${AWS_EC2_KEY_NAME}"
- region = "${AWS_REGION}"
-}
+${AWS_PROVIDER}
 cidr = {
 allow-ssh = "${CIDR_ALLOW_SSH}"
 pods = "${CIDR_PODS}"
@@ -91,6 +87,6 @@ pki-ip = "${PKI_IP}"
 s3-bucket = "${AWS_ACCOUNT_ID}-${CLUSTER_NAME}-${AWS_REGION}"
 etcd-ips = "$ETCD_IPS"
 EOF
-
+
 if [ -f ./vpc-existing.tfvars ]; then cat ./vpc-existing.tfvars >>terraform.tfvars ; fi
 cat terraform.tfvars
From ce59a6870f8d74747a5277b9d0ad8d85f8a07b01 Mon Sep 17 00:00:00 2001
From: Luke Ashe-Browne
Date: Fri, 5 May 2017 21:35:08 +0100
Subject: [PATCH 07/17] add profile and assume_role role_arn to io.tf provider aws block
---
 io.tf | 9 ++++++++-
 scripts/init-variables | 2 +-
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/io.tf b/io.tf
index 55a982e..0ef27ff 100644
--- a/io.tf
+++ b/io.tf
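Review bot: The removed `cat … > terraform.tfvars` was the only truncating write to the file; the surviving `cat <> terraform.tfvars` (which reads as `>>` in this page) only appends, so after this commit every run adds a second `aws = { … }` block on top of whatever is already there, including a `profile`/`role_arn` pair from an earlier run against a different account. Truncate before the append, `: > terraform.tfvars` on the line before that `cat`, or turn that one redirect back into `>`. Generating HCL through nested `echo` with escaped quotes is hard to read; a quoted heredoc inside the `$( … )` would carry the same text without the backslashes. The `$AWS_PROVIDER` subshell is closed inside the hunk, but the final heredoc it feeds runs past it.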
@@ -1,4 +1,11 @@
-provider "aws" { region = "${ var.aws["region"] }" }
+provider "aws" {
+ region = "${ var.aws["region"] }"
+ profile = "${ var.aws["profile"] }"
+ assume_role {
+ role_arn ="${ var.aws["role_arn"] }"
+ }
+}
+
 # variables
 variable "aws" {
diff --git a/scripts/init-variables b/scripts/init-variables
index dae635a..0582ff2 100755
--- a/scripts/init-variables
+++ b/scripts/init-variables
@@ -57,7 +57,7 @@ aws = {
 echo " azs = \"${AWS_REGION_AZS}\"
 key-name = \"${AWS_EC2_KEY_NAME}\"
 region = \"${AWS_REGION}\"
-}";
+}"
 )";
From 5ea7af8dc629219af6f975470be2f003562ff7a2 Mon Sep 17 00:00:00 2001
From: Jono Wells
Date: Mon, 8 May 2017 03:38:34 -0700
Subject: [PATCH 08/17] retry cfssl/info sniff up failure (#167)
---
 scripts/create-admin-certificate | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/scripts/create-admin-certificate b/scripts/create-admin-certificate
index 14cd597..dcb88e3 100755
--- a/scripts/create-admin-certificate
+++ b/scripts/create-admin-certificate
@@ -24,10 +24,10 @@ function finish {
 }
 trap finish EXIT
-# test cfssl connection
+# test cfssl connection -- retry until up
 #
-sleep 5.2 && curl -d '{"label":"primary"}' http://localhost:8888/api/v1/cfssl/info
-
+until printf "." && curl -d '{"label":"primary"}' http://localhost:8888/api/v1/cfssl/info &>/dev/null
+do sleep 2.5; done; echo "✓
 function csr {
 cat <
Date: Tue, 9 May 2017 12:41:08 +0100
Subject: [PATCH 09/17] fix envrc tempate HYPERKUBE_TAG assignment
---
 .envrc.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.envrc.tpl b/.envrc.tpl
index f720c57..5e4d6cb 100644
--- a/.envrc.tpl
+++ b/.envrc.tpl
@@ -18,4 +18,4 @@ export AWS_REGION=eu-west-1
 export AWS_DEFAULT_REGION=$AWS_REGION
 export CLUSTER_NAME=xxxxxx
 export ETCD_IPS=10.0.10.10
-export HYPERKUBE_TAG ?= v1.5.1_coreos.0
+export HYPERKUBE_TAG=v1.5.1_coreos.0
From 8fe1274d9604bb4cda89fafe68e31cb9bfa5648e Mon Sep 17 00:00:00 2001
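Review bot: `var.aws["profile"]` and `var.aws["role_arn"]` are now read unconditionally, but scripts/init-variables only writes `profile` when `AWS_PROFILE` is set and `role_arn` only when the CLI profile has one, so a run without either fails at plan time on a missing map key. Read them with a default, `profile = "${ lookup(var.aws, "profile", "") }"` and `role_arn = "${ lookup(var.aws, "role_arn", "") }"`; as far as I recall the provider treats an empty `role_arn` as "no assume_role", but confirm against the provider version this repo pins. `role_arn ="…"` is missing the space after `=`, which `terraform fmt` will fix. The `variable "aws"` block that follows runs past the hunk.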
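Review bot: The new `until … curl … &>/dev/null; do sleep 2.5; done` loop in create-admin-certificate has no upper bound, so if cfssl never comes up (port-forward died, wrong port) the script prints dots forever instead of exiting through the `finish` trap with a clear error. Bound it, e.g. `tries=0` before the loop and `do (( ++tries > 40 )) && { echo "cfssl not reachable on localhost:8888" >&2; exit 1; }; sleep 2.5; done` as the body. The `echo "✓` on the next line looks unterminated as rendered here and the hunk's tail (`cat <`) is garbled into the next patch header on this page, so the lines after `function csr {` could not be reviewed. The endpoint is plain http on localhost, presumably a port-forward; a comment saying so would stop a reader from looking for a TLS gap.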
From: Luke Ashe-Browne Date: Fri, 5 May 2017 16:45:05 +0100 Subject: [PATCH 10/17] adding env vars template and ignore entry --- .envrc.tpl | 17 +++++++++++++++++ .gitignore | 2 ++ 2 files changed, 19 insertions(+) create mode 100644 .envrc.tpl diff --git a/.envrc.tpl b/.envrc.tpl new file mode 100644 index 0000000..7faa7bc --- /dev/null +++ b/.envrc.tpl @@ -0,0 +1,17 @@ + +# Essential for LABDigital approach, set this + +export AWS_PROFILE=bp-pip-dev + +#if this is set, provider in io.tf will use this value instead of AWS_PROFILE + +#this is because terraform doesn't refer to the config, only credentials, so it can't see any keys since there are none for bp-pip-dev, only for bp-root, +#and it does not see the source_profile or role_arn values in config. +export AWS_SOURCE_PROFILE=bp-root + +export AWS_REGION=eu-west-1 +export AWS_DEFAULT_REGION=$AWS_REGION +export CLUSTER_NAME=bp-pip-dev +export ETCD_IPS=10.0.10.10 +HYPERKUBE_TAG ?= v1.5.1_coreos.0 +#export HYPERKUBE_TAG=v1.6.0_coreos.0 \ No newline at end of file diff --git a/.gitignore b/.gitignore index 31cc7c3..d768cb2 100644 --- a/.gitignore +++ b/.gitignore @@ -14,3 +14,5 @@ terraform.tfvars templates *.bak + +.direnv From 6a2da034667fc4c27be17fdacd6552dd0e78b0bf Mon Sep 17 00:00:00 2001 From: Luke Ashe-Browne Date: Fri, 5 May 2017 17:41:10 +0100 Subject: [PATCH 11/17] didnt use correct ignore for envrc --- .gitignore | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index d768cb2..39da0bf 100644 --- a/.gitignore +++ b/.gitignore @@ -15,4 +15,4 @@ terraform.tfvars templates *.bak -.direnv +.envrc From 30548c59d23fad49693ff2f8577f39a370349040 Mon Sep 17 00:00:00 2001 From: Luke Ashe-Browne Date: Fri, 5 May 2017 17:41:34 +0100 Subject: [PATCH 12/17] annonymise the values in envrc.tpl --- .envrc.tpl | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/.envrc.tpl b/.envrc.tpl index 7faa7bc..f720c57 100644 --- a/.envrc.tpl +++ b/.envrc.tpl 
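Review bot: Patches 10/17 through 17/17 are re-sends of 01–07 and 09 under new commit ids — the blob indexes are identical (`0000000..7faa7bc`, `7faa7bc..f720c57`, `f10c0e9..6de1270`, `6de1270..f4b88c4`, `f4b88c4..dae635a`, `dae635a..0582ff2`, `f720c57..5e4d6cb`) — so `git am` on the full series stops at 10/17 because `.envrc.tpl` already exists, and a cherry-picked second half would just double every change. Drop patches 10–17 (or regenerate the series with `git format-patch` from the intended base) before it is applied; everything said about the first half applies unchanged to these copies.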
@@ -1,17 +1,21 @@ -# Essential for LABDigital approach, set this +# If you use direnv, rename this file to .envrc, +# this is so you can driving config for tack and aws using env vars -export AWS_PROFILE=bp-pip-dev +export AWS_PROFILE=env-account #if this is set, provider in io.tf will use this value instead of AWS_PROFILE -#this is because terraform doesn't refer to the config, only credentials, so it can't see any keys since there are none for bp-pip-dev, only for bp-root, -#and it does not see the source_profile or role_arn values in config. -export AWS_SOURCE_PROFILE=bp-root +# Uncomment the AWS_SOURCE_PROFILE export to use a delegate account, eg aws organisations. +# This is because terraform doesn't refer to the config, only credentials, so it can't +# see any keys for a delegate account since the parent account profile is used to login +# there are none for a subaccount, you need to point at a config with source_profile or +# role_arn values. + +#export AWS_SOURCE_PROFILE=root-acc export AWS_REGION=eu-west-1 export AWS_DEFAULT_REGION=$AWS_REGION -export CLUSTER_NAME=bp-pip-dev +export CLUSTER_NAME=xxxxxx export ETCD_IPS=10.0.10.10 -HYPERKUBE_TAG ?= v1.5.1_coreos.0 -#export HYPERKUBE_TAG=v1.6.0_coreos.0 \ No newline at end of file +export HYPERKUBE_TAG ?= v1.5.1_coreos.0 From 603da294910ff0db1ff6f64c362a41dc7de0bce4 Mon Sep 17 00:00:00 2001 From: Luke Ashe-Browne Date: Fri, 5 May 2017 19:07:17 +0100 Subject: [PATCH 13/17] Add lines to init-variables to add AWS delegate accounts (consolidated billing aka. Organisations) --- scripts/init-variables | 28 +++++++++++++++++++++++++--- 1 file changed, 25 insertions(+), 3 deletions(-) diff --git a/scripts/init-variables b/scripts/init-variables index f10c0e9..6de1270 100755 --- a/scripts/init-variables +++ b/scripts/init-variables 
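Review bot: `export HYPERKUBE_TAG ?= v1.5.1_coreos.0` on the new side is not valid shell — bash rejects `?=` as an identifier and direnv will refuse to load the file — so this copy of the anonymise commit leaves the template unusable until the later one-line fix; it should already read `export HYPERKUBE_TAG=v1.5.1_coreos.0`. The header comment should also warn that direnv executes this file on every `cd` and that it must hold profile names only, never static AWS keys.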
@@ -27,9 +27,8 @@ COREOS_AMI_ID=`curl -s \ $(printf "http://%s.release.core-os.net/amd64-usr/current/coreos_production_ami_%s_%s.txt" \ $COREOS_CHANNEL $COREOS_VM_TYPE $AWS_REGION)` -AWS_ACCOUNT_ID=`aws iam get-user --output json \ - | awk '/arn:aws:/{print $2}' \ - | grep -Eo '[[:digit:]]{12}'` +#this is a more direct method to get account id rather than get-user +AWS_ACCOUNT_ID=`aws sts get-caller-identity|jq --raw-output '.Account'` AWS_REGION_AZS=`aws ec2 describe-availability-zones --region ${AWS_REGION} --output json \ | jq --raw-output '.AvailabilityZones | map(.ZoneName) | .[]' \ @@ -41,6 +40,29 @@ cat < terraform.tfvars # Generated by scripts/init-variables.sh aws = { account-id = "${AWS_ACCOUNT_ID}" +EOF + +if [[ ! -z $AWS_PROFILE ]];then + if [[ ! -z $AWS_SOURCE_PROFILE ]];then + cat <> terraform.tfvars + profile = "${AWS_SOURCE_PROFILE}" +EOF + + else + cat <> terraform.tfvars + profile = "${AWS_PROFILE}" +EOF + fi +fi + +if AWS_ASSUME_ROLE_ARN=$(aws configure get role_arn); then + cat <> terraform.tfvars + role_arn = "${AWS_ASSUME_ROLE_ARN}" +EOF + +fi + +cat <> terraform.tfvars azs = "${AWS_REGION_AZS}" key-name = "${AWS_EC2_KEY_NAME}" region = "${AWS_REGION}" From bfb335c0a5f758ac53a894407dacaaddfa470a46 Mon Sep 17 00:00:00 2001 From: Luke Ashe-Browne Date: Fri, 5 May 2017 19:29:12 +0100 Subject: [PATCH 14/17] shellcheck bash best practices --- scripts/init-variables | 47 +++++++++++++++++++++--------------------- 1 file changed, 24 insertions(+), 23 deletions(-) diff --git a/scripts/init-variables b/scripts/init-variables index 6de1270..f4b88c4 100755 --- a/scripts/init-variables +++ b/scripts/init-variables 
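Review bot: `AWS_ACCOUNT_ID=\`aws sts get-caller-identity|jq --raw-output '.Account'\`` comes back empty when STS fails, because the script has `-e` but no `pipefail` and `jq` exits 0 on empty input; the empty id then lands in `account-id` and the `s3-bucket` name. Add `set -o pipefail` and `: "${AWS_ACCOUNT_ID:?could not determine AWS account id}"` after the assignment. In the second hunk, `AWS_SOURCE_PROFILE` is silently ignored when `AWS_PROFILE` is unset; reject that combination with an explicit check rather than writing a map with no `profile`.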
@@ -3,37 +3,38 @@ CDIR=$(dirname "${BASH_SOURCE}") set -x +CIDR_ALLOW_SSH=$("${CDIR}"/myip) -echo $AWS_REGION -echo $COREOS_CHANNEL -echo $COREOS_VM_TYPE -echo $AWS_EC2_KEY_NAME -echo $INTERNAL_TLD -echo $CLUSTER_NAME -CIDR_ALLOW_SSH=`$CDIR/myip` -echo $CIDR_VPC -echo $CIDR_PODS -echo $CIDR_SERVICE_CLUSTER -echo $K8S_SERVICE_IP -echo $K8S_DNS_IP -echo $ETCD_IPS -echo $HYPERKUBE_IMAGE -echo $HYPERKUBE_TAG -echo $PKI_IP +echo "$AWS_REGION" +echo "$COREOS_CHANNEL" +echo "$COREOS_VM_TYPE" +echo "$AWS_EC2_KEY_NAME" +echo "$INTERNAL_TLD" +echo "$CLUSTER_NAME" +echo "$CIDR_ALLOW_SSH" +echo "$CIDR_VPC" +echo "$CIDR_PODS" +echo "$CIDR_SERVICE_CLUSTER" +echo "$K8S_SERVICE_IP" +echo "$K8S_DNS_IP" +echo "$ETCD_IPS" +echo "$HYPERKUBE_IMAGE" +echo "$HYPERKUBE_TAG" +echo "$PKI_IP" set +x -COREOS_AMI_ID=`curl -s \ - $(printf "http://%s.release.core-os.net/amd64-usr/current/coreos_production_ami_%s_%s.txt" \ - $COREOS_CHANNEL $COREOS_VM_TYPE $AWS_REGION)` - +COREOS_AMI_ID="$(curl -s \ + "$(printf "http://%s.release.core-os.net/amd64-usr/current/coreos_production_ami_%s_%s.txt" \ + "$COREOS_CHANNEL" "$COREOS_VM_TYPE" "$AWS_REGION")")" + #this is a more direct method to get account id rather than get-user -AWS_ACCOUNT_ID=`aws sts get-caller-identity|jq --raw-output '.Account'` +AWS_ACCOUNT_ID=$(aws sts get-caller-identity|jq --raw-output '.Account') -AWS_REGION_AZS=`aws ec2 describe-availability-zones --region ${AWS_REGION} --output json \ +AWS_REGION_AZS=$(aws ec2 describe-availability-zones --region "${AWS_REGION}" --output json \ | jq --raw-output '.AvailabilityZones | map(.ZoneName) | .[]' \ | xargs \ - | sed -e 's/ /,/g'` + | sed -e 's/ /,/g') cat < terraform.tfvars From 4f6e61c09d198b515999a9c35af093351d7b3d25 Mon Sep 17 00:00:00 2001 
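Review bot: The AMI id that every node boots from is still fetched with `curl -s` over plain `http://` and no `-f`, so a tampered or error response is written into terraform.tfvars unchecked. Use `https://` with `curl -fsS` and validate the result: `[[ $COREOS_AMI_ID =~ ^ami-[0-9a-f]+$ ]] || { echo "unexpected AMI id: '$COREOS_AMI_ID'" >&2; exit 1; }`. The `-e` in the `#!/bin/bash -e` shebang is lost when the script is run as `bash scripts/init-variables`; put `set -euo pipefail` in the body instead.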
From: Luke Ashe-Browne Date: Fri, 5 May 2017 20:50:43 +0100 Subject: [PATCH 15/17] try using command parenthesis to generate aws provider --- scripts/init-variables | 50 +++++++++++++++++++----------------------- 1 file changed, 23 insertions(+), 27 deletions(-) diff --git a/scripts/init-variables b/scripts/init-variables index f4b88c4..dae635a 100755 --- a/scripts/init-variables +++ b/scripts/init-variables @@ -1,6 +1,6 @@ #!/bin/bash -e -CDIR=$(dirname "${BASH_SOURCE}") +CDIR=$(dirname "${BASH_SOURCE[0]}") set -x CIDR_ALLOW_SSH=$("${CDIR}"/myip) @@ -24,6 +24,8 @@ echo "$PKI_IP" set +x + + COREOS_AMI_ID="$(curl -s \ "$(printf "http://%s.release.core-os.net/amd64-usr/current/coreos_production_ami_%s_%s.txt" \ "$COREOS_CHANNEL" "$COREOS_VM_TYPE" "$AWS_REGION")")" 
@@ -36,38 +38,32 @@ AWS_REGION_AZS=$(aws ec2 describe-availability-zones --region "${AWS_REGION}" -- | xargs \ | sed -e 's/ /,/g') - -cat < terraform.tfvars -# Generated by scripts/init-variables.sh +#generate aws{} provider hsl block +AWS_PROVIDER="$( echo "# Generated by scripts/init-variables.sh aws = { - account-id = "${AWS_ACCOUNT_ID}" -EOF - -if [[ ! -z $AWS_PROFILE ]];then - if [[ ! -z $AWS_SOURCE_PROFILE ]];then - cat <> terraform.tfvars - profile = "${AWS_SOURCE_PROFILE}" -EOF + account-id = \"${AWS_ACCOUNT_ID}\""; - else - cat <> terraform.tfvars - profile = "${AWS_PROFILE}" -EOF + if [[ ! -z $AWS_PROFILE ]];then + if [[ ! -z $AWS_SOURCE_PROFILE ]];then + echo " profile = \"${AWS_SOURCE_PROFILE}\""; + else + echo " profile = \"${AWS_PROFILE}\""; + fi + fi + if AWS_ASSUME_ROLE_ARN=$(aws configure get role_arn); then + echo " role_arn = \"${AWS_ASSUME_ROLE_ARN}\"" fi -fi -if AWS_ASSUME_ROLE_ARN=$(aws configure get role_arn); then - cat <> terraform.tfvars - role_arn = "${AWS_ASSUME_ROLE_ARN}" -EOF + echo " azs = \"${AWS_REGION_AZS}\" + key-name = \"${AWS_EC2_KEY_NAME}\" + region = \"${AWS_REGION}\" +}"; + +)"; -fi cat <> terraform.tfvars - azs = "${AWS_REGION_AZS}" - key-name = "${AWS_EC2_KEY_NAME}" - region = "${AWS_REGION}" -} +${AWS_PROVIDER} cidr = { allow-ssh = "${CIDR_ALLOW_SSH}" pods = "${CIDR_PODS}" @@ -91,6 +87,6 @@ pki-ip = "${PKI_IP}" s3-bucket = "${AWS_ACCOUNT_ID}-${CLUSTER_NAME}-${AWS_REGION}" etcd-ips = "$ETCD_IPS" EOF - + if [ -f ./vpc-existing.tfvars ]; then cat ./vpc-existing.tfvars >>terraform.tfvars ; fi cat terraform.tfvars From d32be04bf08cb83144bc3542a0e2b27d5509cc9e Mon Sep 17 00:00:00 2001 From: Luke Ashe-Browne Date: Fri, 5 May 2017 21:35:08 +0100 Subject: [PATCH 16/17] add profile and assume_role role_arn to io.tf provider aws block --- io.tf | 9 ++++++++- scripts/init-variables | 2 +- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/io.tf b/io.tf index 55a982e..0ef27ff 100644 --- a/io.tf +++ b/io.tf 
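Review bot: Removing `cat … > terraform.tfvars` leaves only the appending `cat <> terraform.tfvars` (rendered here, reads as `>>`), so each run appends another `aws = { … }` block — possibly with a stale `profile`/`role_arn` from a previous account — instead of regenerating the file. Add `: > terraform.tfvars` before that `cat`, or make its redirect `>`.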
@@ -1,4 +1,11 @@ -provider "aws" { region = "${ var.aws["region"] }" } +provider "aws" { + region = "${ var.aws["region"] }" + profile = "${ var.aws["profile"] }" + assume_role { + role_arn ="${ var.aws["role_arn"] }" + } +} + # variables variable "aws" { diff --git a/scripts/init-variables b/scripts/init-variables index dae635a..0582ff2 100755 --- a/scripts/init-variables +++ b/scripts/init-variables @@ -57,7 +57,7 @@ aws = { echo " azs = \"${AWS_REGION_AZS}\" key-name = \"${AWS_EC2_KEY_NAME}\" region = \"${AWS_REGION}\" -}"; +}" )"; From 4f585b9b38e73b0093c7961c8d63425b7edc6e0e Mon Sep 17 00:00:00 2001 From: Luke Ashe-Browne Date: Tue, 9 May 2017 12:41:08 +0100 Subject: [PATCH 17/17] fix envrc tempate HYPERKUBE_TAG assignment --- .envrc.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.envrc.tpl b/.envrc.tpl index f720c57..5e4d6cb 100644 --- a/.envrc.tpl +++ b/.envrc.tpl @@ -18,4 +18,4 @@ export AWS_REGION=eu-west-1 export AWS_DEFAULT_REGION=$AWS_REGION export CLUSTER_NAME=xxxxxx export ETCD_IPS=10.0.10.10 -export HYPERKUBE_TAG ?= v1.5.1_coreos.0 +export HYPERKUBE_TAG=v1.5.1_coreos.0
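Review bot: `var.aws["profile"]` and `var.aws["role_arn"]` are read unconditionally, while scripts/init-variables writes those keys only when `AWS_PROFILE` is set and only when a `role_arn` exists, so a run without them fails at plan time on a missing map key. Use `lookup(var.aws, "profile", "")` and `lookup(var.aws, "role_arn", "")`, and confirm that the pinned provider version treats an empty `role_arn` as no assume_role. The `variable "aws"` block continues past the hunk.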