kz8s · lukeab · May 5, 2017 · May 5, 2017 · May 5, 2017 · May 5, 2017
diff --git a/.envrc.tpl b/.envrc.tpl
@@ -0,0 +1,21 @@
+
+# If you use direnv, rename this file to .envrc, 
+# this is so you can driving config for tack and aws using env vars
+
+export AWS_PROFILE=env-account
+
+#if this is set, provider in io.tf will use this value instead of AWS_PROFILE
+
+# Uncomment the AWS_SOURCE_PROFILE export to use a delegate account, eg aws organisations. 
+# This is because terraform doesn't refer to the config, only credentials, so it can't 
+# see any keys for a delegate account since the parent account profile is used to login
+# there are none for a subaccount, you need to point at a config with  source_profile or 
+# role_arn values.
+
+#export AWS_SOURCE_PROFILE=root-acc
+
+export AWS_REGION=eu-west-1
+export AWS_DEFAULT_REGION=$AWS_REGION
+export CLUSTER_NAME=xxxxxx
+export ETCD_IPS=10.0.10.10
+export HYPERKUBE_TAG=v1.5.1_coreos.0
diff --git a/.gitignore b/.gitignore
@@ -14,3 +14,5 @@ terraform.tfvars
 
 templates
 *.bak
+
+.envrc
diff --git a/io.tf b/io.tf
@@ -1,4 +1,11 @@
-provider "aws" { region = "${ var.aws["region"] }" }
+provider "aws" { 
+  region = "${ var.aws["region"] }"
+  profile = "${ var.aws["profile"] }"
+  assume_role {
+    role_arn ="${ var.aws["role_arn"] }"
+  }
+}
+
 
 # variables
 variable "aws" {

diff --git a/scripts/create-admin-certificate b/scripts/create-admin-certificate
@@ -24,10 +24,10 @@ function finish {
 }
 trap finish EXIT
 
-# test cfssl connection
+# test cfssl connection -- retry until up
 #
-sleep 5.2 && curl -d '{"label":"primary"}' http://localhost:8888/api/v1/cfssl/info
-
+until printf "." && curl -d '{"label":"primary"}' http://localhost:8888/api/v1/cfssl/info &>/dev/null
+do sleep 2.5; done; echo "✓
 
 function csr {
   cat <<EOF

diff --git a/scripts/init-variables b/scripts/init-variables
@@ -1,50 +1,69 @@
 #!/bin/bash -e
 
-CDIR=$(dirname "${BASH_SOURCE}")
+CDIR=$(dirname "${BASH_SOURCE[0]}")
 
 set -x
+CIDR_ALLOW_SSH=$("${CDIR}"/myip)
 
-echo $AWS_REGION
-echo $COREOS_CHANNEL
-echo $COREOS_VM_TYPE
-echo $AWS_EC2_KEY_NAME
-echo $INTERNAL_TLD
-echo $CLUSTER_NAME
-CIDR_ALLOW_SSH=`$CDIR/myip`
-echo $CIDR_VPC
-echo $CIDR_PODS
-echo $CIDR_SERVICE_CLUSTER
-echo $K8S_SERVICE_IP
-echo $K8S_DNS_IP
-echo $ETCD_IPS
-echo $HYPERKUBE_IMAGE
-echo $HYPERKUBE_TAG
-echo $PKI_IP
+echo "$AWS_REGION"
+echo "$COREOS_CHANNEL"
+echo "$COREOS_VM_TYPE"
+echo "$AWS_EC2_KEY_NAME"
+echo "$INTERNAL_TLD"
+echo "$CLUSTER_NAME"
+echo "$CIDR_ALLOW_SSH"
+echo "$CIDR_VPC"
+echo "$CIDR_PODS"
+echo "$CIDR_SERVICE_CLUSTER"
+echo "$K8S_SERVICE_IP"
+echo "$K8S_DNS_IP"
+echo "$ETCD_IPS"
+echo "$HYPERKUBE_IMAGE"
+echo "$HYPERKUBE_TAG"
+echo "$PKI_IP"
 
 set +x
 
-COREOS_AMI_ID=`curl -s \
-  $(printf "http://%s.release.core-os.net/amd64-usr/current/coreos_production_ami_%s_%s.txt" \
-    $COREOS_CHANNEL $COREOS_VM_TYPE $AWS_REGION)`
 
-AWS_ACCOUNT_ID=`aws iam get-user --output json \
-	| awk '/arn:aws:/{print $2}' \
-	| grep -Eo '[[:digit:]]{12}'`
 
-AWS_REGION_AZS=`aws ec2 describe-availability-zones --region ${AWS_REGION} --output json \
+COREOS_AMI_ID="$(curl -s \
+  "$(printf "http://%s.release.core-os.net/amd64-usr/current/coreos_production_ami_%s_%s.txt" \
+    "$COREOS_CHANNEL" "$COREOS_VM_TYPE" "$AWS_REGION")")"
+
+#this is a more direct method to get account id rather than get-user
+AWS_ACCOUNT_ID=$(aws sts get-caller-identity|jq --raw-output '.Account')
+
+AWS_REGION_AZS=$(aws ec2 describe-availability-zones --region "${AWS_REGION}" --output json \
   | jq --raw-output '.AvailabilityZones | map(.ZoneName) | .[]' \
   | xargs \
-  | sed -e 's/ /,/g'`
-
+  | sed -e 's/ /,/g')
 
-cat <<EOF > terraform.tfvars
-# Generated by scripts/init-variables.sh
+#generate aws{} provider hsl block
+AWS_PROVIDER="$( echo "# Generated by scripts/init-variables.sh
 aws = {
-  account-id = "${AWS_ACCOUNT_ID}"
-  azs = "${AWS_REGION_AZS}"
-  key-name = "${AWS_EC2_KEY_NAME}"
-  region = "${AWS_REGION}"
-}
+  account-id = \"${AWS_ACCOUNT_ID}\"";
+
+  if [[ ! -z $AWS_PROFILE ]];then
+    if [[ ! -z $AWS_SOURCE_PROFILE ]];then
+      echo "  profile = \"${AWS_SOURCE_PROFILE}\"";
+    else
+      echo "  profile = \"${AWS_PROFILE}\"";
+    fi
+  fi
+  if AWS_ASSUME_ROLE_ARN=$(aws configure get role_arn); then
+    echo "  role_arn = \"${AWS_ASSUME_ROLE_ARN}\""
+  fi
+
+  echo "  azs = \"${AWS_REGION_AZS}\"
+  key-name = \"${AWS_EC2_KEY_NAME}\"
+  region = \"${AWS_REGION}\"
+}"
+
+)";
+
+
+cat <<EOF >> terraform.tfvars
+${AWS_PROVIDER}
 cidr = {
   allow-ssh = "${CIDR_ALLOW_SSH}"
   pods = "${CIDR_PODS}"
@@ -68,6 +87,6 @@ pki-ip = "${PKI_IP}"
 s3-bucket = "${AWS_ACCOUNT_ID}-${CLUSTER_NAME}-${AWS_REGION}"
 etcd-ips = "$ETCD_IPS"
 EOF
-
+ 
 if [ -f ./vpc-existing.tfvars ]; then cat ./vpc-existing.tfvars >>terraform.tfvars ; fi
 cat terraform.tfvars
Original file line number	Diff line number	Diff line change
Expand Up		@@ -14,3 +14,5 @@ terraform.tfvars

		templates
		*.bak

		.envrc