Skip to content

Instantly share code, notes, and snippets.

View drAlberT's full-sized avatar

Emiliano 'AlberT' Gabrielli drAlberT

View GitHub Profile
@drAlberT
drAlberT / gist:5b48511ec4b891ccd88b1104e84229fe
Created February 26, 2023 17:14 — forked from v-rosa/gist:aa9c8afd44d66c3a81b9920a1bc90e42
Use private GitHub hosted terraform modules with AFT v1.5.1

I'll try to share my approach to use private GitHub hosted terraform modules with AFT v1.5.1. It relies on GH App to create ephemeral tokens during Global Customization stage which will share with the target account so it can be used during Account Customization stage.

Relates to: aws-ia/terraform-aws-control_tower_account_factory#42

Pre-requirements:

  • Create a GH APP:
    • Permissions: allow the clone of repositories
    • Set to a restricted list of terraform modules repos
  • Create parameter store entries for GH_APP pem, id and installation_id under AFT_MGT account
#!/usr/bin/env bash
USER=${1?specify the user}
PROFILE=${AWS_PROFILE:-$2}
ACCOUNT_ID=${ACCOUNT_ID:-$3}
set -ue -o pipefail
echo -n "Enter MFA code for arn:aws:iam::${ACCOUNT_ID}:mfa/${USER}: "
read MFA_CODE
@drAlberT
drAlberT / aws-cli-saml-auth.sh
Last active July 14, 2019 23:31
AWS CloudFormation
#!/bin/bash
# A shell script to help getting SAML credentials into `~/.aws/credentials`
# Login URL https://sts.asdasd.com/adfs/ls/idpinitiatedsignon.aspx?loginToRp=urn:amazon:webservices
LSE_AWS_ACCOUNT=0123456789
LSE_AWS_ROLE="asdasdasd-role"
LSE_AWS_PROFILE="asdasd-saml"
LSE_SAML_PROVIDER="STS.ASDASD.COM"
LSE_SAML_RESPONSE="PHNhbWxwOlJlc3 [..] vbnNlPg=="
@drAlberT
drAlberT / post-checkout
Last active February 11, 2019 09:34
Automatically update git sub-modules
#!/usr/bin/env bash
#
# Quick script to automatically update git submodules on checkout.
# Save it in the repo `.git/hooks` dir and make it executable
#echo "post-checkout hook: '$1' '$2' '$3'"
oldRef=$1
newRef=$2
@drAlberT
drAlberT / AWS-IAM-enforce-mfa.policy.json
Created September 7, 2018 14:44
AWS IAM :: Enforce MFA both on Console and CLI
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAllUsersToListAccountAliases",
"Effect": "Allow",
"Action": [
"iam:ListAccountAliases"
],
"Resource": [
@drAlberT
drAlberT / ansible-role-test.sh
Created February 7, 2018 17:46 — forked from geerlingguy/ansible-role-test.sh
Ansible Role Test Shim Script
#!/bin/bash
#
# Ansible role test shim.
#
# Usage: [OPTIONS] ./tests/test.sh
# - distro: a supported Docker distro version (default = "centos7")
# - playbook: a playbook in the tests directory (default = "test.yml")
# - cleanup: whether to remove the Docker container (default = true)
# - container_id: the --name to set for the container (default = timestamp)
# - test_idempotence: whether to test playbook's idempotence (default = true)
@drAlberT
drAlberT / role_arn_to_session.py
Created January 24, 2018 17:53 — forked from gene1wood/role_arn_to_session.py
Simple python function to assume an AWS IAM Role from a role ARN and return a boto3 session object
import boto3
def role_arn_to_session(**args):
"""
Usage :
session = role_arn_to_session(
RoleArn='arn:aws:iam::012345678901:role/example-role',
RoleSessionName='ExampleSessionName')
client = session.client('sqs')
"""
import requests
import json
import datetime, time
NEWRELIC_API_KEY = "YOUR_KEY_HERE"
HOURS_TO_KEEP = 6
HEADERS = {"X-Api-Key": NEWRELIC_API_KEY}
@drAlberT
drAlberT / nginx_change_default_server.sh
Last active November 7, 2017 17:24
AWS user_data snippets collection
#!/usr/bin/env bash
CONF_DIR="/etc/nginx/sites-enabled"
OLD_DEFAULT="default"
NEW_DEFAULT="api"
# remove old default
sed -i'' -e 's/\s*default_server\s*//' "${CONF_DIR}/${OLD_DEFAULT}"
# set new default
@drAlberT
drAlberT / lambdaAMIBackups.py
Created November 3, 2017 12:18 — forked from bkozora/lambdaAMIBackups.py
AWS Lambda AMI Backups
# Automated AMI Backups
#
# @author Robert Kozora <bobby@kozora.me>
#
# This script will search for all instances having a tag with "Backup" or "backup"
# on it. As soon as we have the instances list, we loop through each instance
# and create an AMI of it. Also, it will look for a "Retention" tag key which
# will be used as a retention policy number in days. If there is no tag with
# that name, it will use a 7 days default value for each AMI.
#