From 6963e9ae12c2968ef0c1fb9b2023712cded281e5 Mon Sep 17 00:00:00 2001
From: Maksim Horbul
Date: Thu, 1 Jul 2021 00:31:14 -0700
Subject: [PATCH 1/6] null_resource should not allowed to use variables otehr than self, count and each in destroy command

---
 main.tf | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/main.tf b/main.tf
index 9252df4..cd21d2f 100644
--- a/main.tf
+++ b/main.tf
@@ -18,40 +18,48 @@ variable "role" {
 variable "dependency_ids" {
 description = "IDs or ARNs of any resources that are a dependency of the resource created by this module."
- type = "list"
+ type = list(string)
 default = []
 }
 data "aws_caller_identity" "id" {}
 locals {
- account_id = "${var.account_id == 0 ? data.aws_caller_identity.id.account_id : var.account_id}"
+ account_id = var.account_id == 0 ? data.aws_caller_identity.id.account_id : var.account_id
 assume_role_cmd = "source ${path.module}/assume_role.sh ${local.account_id} ${var.role}"
 }
 resource "null_resource" "cli_resource" {
+ triggers = {
+ role = var.role
+ cmd = var.cmd
+ destroy_cmd = var.destroy_cmd
+ assume_role_cmd = local.assume_role_cmd
+ }
 provisioner "local-exec" {
 when = "create"
- command = "/bin/bash -c '${var.role == 0 ? "" : "${local.assume_role_cmd} && "}${var.cmd}'"
+ command = "/bin/bash -c '${self.triggers.role == 0 ? "" : "${self.triggers.assume_role_cmd} && "}${self.triggers.cmd}'"
 }
 provisioner "local-exec" {
 when = "destroy"
- command = "/bin/bash -c '${var.role == 0 ? "" : "${local.assume_role_cmd} && "}${var.destroy_cmd}'"
+ command = "/bin/bash -c '${self.triggers.role == 0 ? "" : "${self.triggers.assume_role_cmd} && "}${self.triggers.destroy_cmd}'"
 }
 # By depending on the null_resource, the cli resource effectively depends on the existance
 # of the resources identified by the ids provided via the dependency_ids list variable.
- depends_on = ["null_resource.dependencies"]
+ depends_on = [
+ null_resource.dependencies
+ ]
 }
 resource "null_resource" "dependencies" {
 triggers = {
- dependencies = "${join(",", var.dependency_ids)}"
+ dependencies = join(",", var.dependency_ids)
 }
 }
 output "id" {
 description = "The ID of the null_resource used to provison the resource via cli. Useful for creating dependencies between cli resources"
- value = "${null_resource.cli_resource.id}"
+ value = null_resource.cli_resource.id
 }
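Review bot: The new `triggers` map makes every listed value part of the resource's identity, so a change to `cmd`, `destroy_cmd`, `role` or the resolved account replaces the resource — the `destroy_cmd` stored in state runs first, then the new `cmd` — and nothing in the hunk tells a caller that editing only `cmd` will also run a destroy. `assume_role_cmd` additionally bakes `path.module` into state, so relocating the module (a different `.terraform/modules/<name>` path, for instance) would, as far as I can tell, force the same replace without any input changing. I would add above the map: `# Values here are stored in state; any change forces replace (stored destroy_cmd runs, then the new cmd). Destroy-time provisioners may only read self.triggers.` The `triggers` block is the only place `path.module` is needed at destroy time, so if `path.module` is still permitted in a destroy provisioner the trigger could hold just the account and role and the `source` line could be composed in the provisioner instead — worth confirming against the Terraform version the module targets.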
From 96cf5699b3c75bbcd2ecfcde7190ab970c836c48 Mon Sep 17 00:00:00 2001
From: Maksim Horbul
Date: Thu, 1 Jul 2021 14:39:38 -0700
Subject: [PATCH 2/6] fix variable types and allow to pass empty commands without faling resource

---
 main.tf | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/main.tf b/main.tf
index cd21d2f..bff1225 100644
--- a/main.tf
+++ b/main.tf
@@ -1,19 +1,24 @@
 variable "cmd" {
+ type = string
 description = "The command used to create the resource."
 }
 variable "destroy_cmd" {
+ type = string
 description = "The command used to destroy the resource."
+ default = "true"
 }
 variable "account_id" {
+ type = string
 description = "The account that holds the role to assume in. Will use providers account by default"
- default = "0"
+ default = ""
 }
 variable "role" {
+ type = string
 description = "The role to assume in order to run the cli command."
- default = "0"
+ default = ""
 }
 variable "dependency_ids" {
@@ -25,7 +30,7 @@ variable "dependency_ids" {
 data "aws_caller_identity" "id" {}
 locals {
- account_id = var.account_id == 0 ? data.aws_caller_identity.id.account_id : var.account_id
+ account_id = var.account_id == "" ? data.aws_caller_identity.id.account_id : var.account_id
 assume_role_cmd = "source ${path.module}/assume_role.sh ${local.account_id} ${var.role}"
 }
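Review bot: `destroy_cmd` now defaults to `"true"` and an empty `role`/`account_id` now means "assume nothing, run as the provider's caller identity", but neither description says so, so a reader has to know that `true` is the shell no-op and that `""` is the sentinel. I would change the two descriptions to `description = "The command used to destroy the resource. Defaults to the shell no-op true so destroy succeeds when there is nothing to clean up."` and `description = "The role to assume in order to run the cli command. Empty (the default) runs the command with the caller's own credentials, without assuming any role."`. Because `role` is spliced unquoted into the `source ... assume_role.sh` line of the `locals` block in the second hunk, the description should also state that it must be a plain role name without whitespace or quotes; a `validation` block could enforce that once the module pins Terraform 0.13 or newer, which this series has not yet done at this point.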
@@ -37,13 +42,13 @@ resource "null_resource" "cli_resource" {
 assume_role_cmd = local.assume_role_cmd
 }
 provisioner "local-exec" {
- when = "create"
- command = "/bin/bash -c '${self.triggers.role == 0 ? "" : "${self.triggers.assume_role_cmd} && "}${self.triggers.cmd}'"
+ when = create
+ command = "/bin/bash -c '${self.triggers.role == "" ? "" : "${self.triggers.assume_role_cmd} && "}${self.triggers.cmd == "" ? "true" : self.triggers.cmd}'"
 }
 provisioner "local-exec" {
- when = "destroy"
- command = "/bin/bash -c '${self.triggers.role == 0 ? "" : "${self.triggers.assume_role_cmd} && "}${self.triggers.destroy_cmd}'"
+ when = destroy
+ command = "/bin/bash -c '${self.triggers.role == "" ? "" : "${self.triggers.assume_role_cmd} && "}${self.triggers.destroy_cmd == "" ? "true" : self.triggers.destroy_cmd}'"
 }
 # By depending on the null_resource, the cli resource effectively depends on the existance
From 58eb192550ea3e31accd228f53d37769458c7cbc Mon Sep 17 00:00:00 2001
From: Maksim Horbul
Date: Wed, 2 Mar 2022 23:17:05 -0500
Subject: [PATCH 3/6] add required provider

---
 versions.tf | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 versions.tf

diff --git a/versions.tf b/versions.tf
new file mode 100644
index 0000000..3ac1878
--- /dev/null
+++ b/versions.tf
@@ -0,0 +1,8 @@
+terraform {
+ required_providers {
+ null = {
+ source = "hashicorp/null"
+ version ~> "3.1"
+ }
+ }
+}
From 2982b71046ea9b625e7a1e55916431f586eccb75 Mon Sep 17 00:00:00 2001
From: Maksim Horbul
Date: Thu, 3 Mar 2022 10:04:29 -0500
Subject: [PATCH 4/6] fix version

---
 versions.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/versions.tf b/versions.tf
index 3ac1878..bc7a146 100644
--- a/versions.tf
+++ b/versions.tf
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 null = {
 source = "hashicorp/null"
- version ~> "3.1"
+ version = "~> 3.1"
 }
 }
 }
From fe19b52c1af0549151ca18eab5d5ae3f64bfa349 Mon Sep 17 00:00:00 2001
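Review bot: Both `command` lines still wrap the whole pipeline in `/bin/bash -c '...'`, so a single quote anywhere in `cmd`, `destroy_cmd` or `role` ends the quoted string early and the remainder is parsed as separate shell words, and `role` plus the account id reach `assume_role.sh` as unquoted arguments inside that string. local-exec already accepts an `interpreter` list, which removes the outer quoting layer: `interpreter = ["/bin/bash", "-c"]` and `command = "${self.triggers.role == "" ? "" : "${self.triggers.assume_role_cmd} && "}${self.triggers.cmd == "" ? "true" : self.triggers.cmd}"`, with the same two edits on the destroy provisioner. `cmd` and `destroy_cmd` are arbitrary shell by design, so this does not make them safe to feed from untrusted callers; that caveat belongs in their descriptions. The `cli_resource` block this hunk edits opens before the hunk and its `depends_on` continues after it.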
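Review bot: versions.tf pins only the `null` provider, while main.tf also reads `data.aws_caller_identity`, so the `aws` provider is left to implicit inference, and no `required_version` is set even though the `source` attribute used here needs Terraform 0.13 or newer and main.tf already relies on 0.12+ syntax such as `type = list(string)` and bare `when = create`. I would add `required_version = ">= 0.13"` inside the `terraform` block and an `aws = { source = "hashicorp/aws" }` entry next to `null`. `version ~> "3.1"` is not valid HCL (an attribute needs `=`); the next patch in the series corrects that, so I am not re-raising it.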
From: Igor Mishchuk
Date: Thu, 4 May 2023 16:01:04 +0300
Subject: [PATCH 5/6] Update assume_role.sh

---
 assume_role.sh | 27 ++++++++++++++------------
 1 file changed, 14 insertions(+), 13 deletions(-)

diff --git a/assume_role.sh b/assume_role.sh
index 3eb02c6..38ac471 100644
--- a/assume_role.sh
+++ b/assume_role.sh
@@ -4,19 +4,20 @@ then
 exit 1
 fi
-ACCOUNT="$1"
-ROLE="$2"
+# ACCOUNT="$1"
+# ROLE="$2"
-role_session_name=`cat /proc/sys/kernel/random/uuid 2>/dev/null || date | cksum | cut -d " " -f 1`
-aws_creds=$(aws sts assume-role --role-arn arn:aws:iam::${ACCOUNT}:role/$ROLE --role-session-name $role_session_name --duration-seconds 3600 --output json)
+# role_session_name=`cat /proc/sys/kernel/random/uuid 2>/dev/null || date | cksum | cut -d " " -f 1`
+# aws_creds=$(aws sts assume-role --role-arn arn:aws:iam::${ACCOUNT}:role/$ROLE --role-session-name $role_session_name --duration-seconds 3600 --output json)
-if [ "$?" -ne 0 ]
-then
- exit 1
-fi
+# if [ "$?" -ne 0 ]
+# then
+# exit 1
+# fi
-export AWS_ACCESS_KEY_ID=$(echo "${aws_creds}" | grep AccessKeyId | awk -F'"' '{print $4}' )
-export AWS_SECRET_ACCESS_KEY=$(echo "${aws_creds}" | grep SecretAccessKey | awk -F'"' '{print $4}' )
-export AWS_SESSION_TOKEN=$(echo "${aws_creds}" | grep SessionToken | awk -F'"' '{print $4}' )
-export AWS_SECURITY_TOKEN=$(echo "${aws_creds}" | grep SessionToken | awk -F'"' '{print $4}' )
-echo "session '$role_session_name' valid for 60 minutes"
+# export AWS_ACCESS_KEY_ID=$(echo "${aws_creds}" | grep AccessKeyId | awk -F'"' '{print $4}' )
+# export AWS_SECRET_ACCESS_KEY=$(echo "${aws_creds}" | grep SecretAccessKey | awk -F'"' '{print $4}' )
+# export AWS_SESSION_TOKEN=$(echo "${aws_creds}" | grep SessionToken | awk -F'"' '{print $4}' )
+# export AWS_SECURITY_TOKEN=$(echo "${aws_creds}" | grep SessionToken | awk -F'"' '{print $4}' )
+# echo "session '$role_session_name' valid for 60 minutes"
+echo "Not needed"
From c1f58de88c4fd8047022695aba450f5dd910564d Mon Sep 17 00:00:00 2001
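Review bot: With every credential line commented out, `assume_role.sh` still demands its two arguments (the arity check above the hunk exits 1 on a mismatch) but no longer assumes anything, so a caller that sets `role` in the module now has `cmd` run under whatever ambient credentials Terraform already holds, with only `Not needed` on stdout to show it. If the assume step is genuinely unnecessary, the `role`/`account_id` inputs and the `source ... assume_role.sh` prefix in main.tf should be removed with it so the no-op is visible at the call site; otherwise the script should fail loudly rather than echo and continue. The following patch in the series reverts this hunk.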
From: Igor Mishchuk
Date: Thu, 4 May 2023 17:32:14 +0300
Subject: [PATCH 6/6] Update assume_role.sh

---
 assume_role.sh | 27 +++++++++++++--------------
 1 file changed, 13 insertions(+), 14 deletions(-)

diff --git a/assume_role.sh b/assume_role.sh
index 38ac471..3eb02c6 100644
--- a/assume_role.sh
+++ b/assume_role.sh
@@ -4,20 +4,19 @@ then
 exit 1
 fi
-# ACCOUNT="$1"
-# ROLE="$2"
+ACCOUNT="$1"
+ROLE="$2"
-# role_session_name=`cat /proc/sys/kernel/random/uuid 2>/dev/null || date | cksum | cut -d " " -f 1`
-# aws_creds=$(aws sts assume-role --role-arn arn:aws:iam::${ACCOUNT}:role/$ROLE --role-session-name $role_session_name --duration-seconds 3600 --output json)
+role_session_name=`cat /proc/sys/kernel/random/uuid 2>/dev/null || date | cksum | cut -d " " -f 1`
+aws_creds=$(aws sts assume-role --role-arn arn:aws:iam::${ACCOUNT}:role/$ROLE --role-session-name $role_session_name --duration-seconds 3600 --output json)
-# if [ "$?" -ne 0 ]
-# then
-# exit 1
-# fi
+if [ "$?" -ne 0 ]
+then
+ exit 1
+fi
-# export AWS_ACCESS_KEY_ID=$(echo "${aws_creds}" | grep AccessKeyId | awk -F'"' '{print $4}' )
-# export AWS_SECRET_ACCESS_KEY=$(echo "${aws_creds}" | grep SecretAccessKey | awk -F'"' '{print $4}' )
-# export AWS_SESSION_TOKEN=$(echo "${aws_creds}" | grep SessionToken | awk -F'"' '{print $4}' )
-# export AWS_SECURITY_TOKEN=$(echo "${aws_creds}" | grep SessionToken | awk -F'"' '{print $4}' )
-# echo "session '$role_session_name' valid for 60 minutes"
-echo "Not needed"
+export AWS_ACCESS_KEY_ID=$(echo "${aws_creds}" | grep AccessKeyId | awk -F'"' '{print $4}' )
+export AWS_SECRET_ACCESS_KEY=$(echo "${aws_creds}" | grep SecretAccessKey | awk -F'"' '{print $4}' )
+export AWS_SESSION_TOKEN=$(echo "${aws_creds}" | grep SessionToken | awk -F'"' '{print $4}' )
+export AWS_SECURITY_TOKEN=$(echo "${aws_creds}" | grep SessionToken | awk -F'"' '{print $4}' )
+echo "session '$role_session_name' valid for 60 minutes"
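Review bot: The restored `export` lines recover the credentials by grepping the JSON for `AccessKeyId`/`SecretAccessKey`/`SessionToken` and taking the fourth `"`-delimited field, which silently yields empty variables (and a command that then runs with whatever credentials were already in the environment) if the CLI ever changes key order or whitespace, and the `aws sts assume-role` call passes `${ACCOUNT}`, `$ROLE` and `$role_session_name` unquoted. I would let the CLI do the extraction with `--query`/`--output text`, quote the expansions, and fold the `$?` check into the assignment; the argument check, `ACCOUNT`/`ROLE` assignment, session-name generation and final echo stay as they are. The shebang and the `if [ "$#" ... ]` line sit above the hunk, so I cannot tell whether `set -u` or `pipefail` are in effect; the `|| exit 1` below does not depend on them.
```shell
# … unchanged: argument count check, ACCOUNT/ROLE assignment, role_session_name …
aws_creds=$(aws sts assume-role \
  --role-arn "arn:aws:iam::${ACCOUNT}:role/${ROLE}" \
  --role-session-name "${role_session_name}" \
  --duration-seconds 3600 \
  --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
  --output text) || exit 1
read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<< "${aws_creds}"
export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
export AWS_SECURITY_TOKEN="${AWS_SESSION_TOKEN}"
# … unchanged: final echo of the session name …
```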