Created
August 31, 2016 14:28
-
-
Save marknca/fe7ceda8883179e02e0f646760dd4ed5 to your computer and use it in GitHub Desktop.
Automate connecting Deep Security to an AWS account
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
# create-iam-cloudaccount dsmuser dsmFQDNorIP connectorName newAwsUserToCreate (TenantID if needed) | |
if [[ $1 == *"help"* ]] | |
then | |
echo -e "## usage:\n## create-iam-cloudaccount <managerUsername> <managerUrl:port> Amazon <newAwsUserToCreate>\n" | |
echo -e "## example to create User and Cloud account on a DeepSecurity Manager:\n" | |
echo -e "## create-iam-cloudaccount administrator dsm.example.local:443 Amazon DsmSyncUser" | |
echo -e "## example to create User and Cloud account in DSaaS\n" | |
echo -e "## create-iam-cloudaccount administrator app.deepsecurity.trendmicro.com:443 DsmSyncUser CustomerTenant\n" | |
exit 0 | |
fi | |
command -v aws >/dev/null 2>&1 || { echo >&2 "This script requires AWS CLI. Please install AWS CLI before proceeding."; exit 1; } | |
if [ ! -f ~/.aws/credentials ] | |
then | |
echo "please run aws configure to store credentials before using this script" | |
exit 1 | |
fi | |
username=$1 | |
DSMFQDN=$2 | |
AWSKEYS= | |
tempDSSID= | |
read -sr -p $'Password: ' password | |
echo " " | |
# Remove regions you don't want from this list | |
REGIONS=(useast1 uswest1 uswest2 euwest1 apsoutheast1 apsoutheast2 apnortheast1 saeast1 eucentral1) | |
# map aws regions to dsm region keys | |
useast1=amazon.cloud.region.key.1 | |
uswest2=amazon.cloud.region.key.2 | |
uswest1=amazon.cloud.region.key.3 | |
euwest1=amazon.cloud.region.key.4 | |
apsoutheast1=amazon.cloud.region.key.5 | |
apnortheast1=amazon.cloud.region.key.6 | |
saeast1=amazon.cloud.region.key.7 | |
apsoutheast2=amazon.cloud.region.key.8 | |
eucentral1=amazon.cloud.region.key.9 | |
#apnortheast2=amazon.cloud.region.key.12 | |
# map aws regions to ec2 endpoints | |
useast1ep=ec2.us-east-1.amazonaws.com | |
uswest2ep=ec2.us-west-2.amazonaws.com | |
uswest1ep=ec2.us-west-1.amazonaws.com | |
euwest1ep=ec2.eu-west-1.amazonaws.com | |
apsoutheast1ep=ec2.ap-southeast-1.amazonaws.com | |
apnortheast1ep=ec2.ap-northeast-1.amazonaws.com | |
saeast1ep=ec2.sa-east-1.amazonaws.com | |
apsoutheast2ep=ec2.ap-southeast-2.amazonaws.com | |
eucentral1ep=ec2.eu-central-1.amazonaws.com | |
#apnortheast2ep=ec2.ap-northeast-2.amazonaws.com | |
echo "#####Creating user" | |
aws iam create-user --user-name $4 | |
echo "#####Putting user policy" | |
aws iam put-user-policy --user-name $4 --policy-name DSMUserRole --policy-document '{"Statement" : [{"Effect" : "Allow","Action" : ["ec2:DescribeInstances","ec2:DescribeImages","ec2:DescribeTags"],"Resource" : "*"}]}' | |
echo "#####Creating accesskeys" | |
AWSKEYS=($(aws iam create-access-key --user-name $4 --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text)) | |
echo "#####Login to DSM" | |
#tempDSSID=$(curl -ks -H "Content-Type: application/json" -X POST "https://$DSMFQDN/rest/authentication/login/primary" -d "{"dsCredentials":{"userName":"$username","password":"$password"}}") | |
if [[ -z $5 ]] | |
then | |
tempDSSID=`curl -ks -H "Content-Type: application/json" -X POST "https://${DSMFQDN}/rest/authentication/login/primary" -d '{"dsCredentials":{"userName":"'${1}'","password":"'${password}'"}}'` | |
else | |
tempDSSID=`curl -ks -H "Content-Type: application/json" -X POST "https://${DSMFQDN}/rest/authentication/login" -d '{"dsCredentials":{"userName":"'${1}'","password":"'${password}'","tenantName":"'${5}'"}}'` | |
fi | |
echo "#####Looping through regions to create connectors" | |
for region in "${REGIONS[@]}" | |
do | |
echo "##### creating connector for $region region" | |
curl -ks -H "Content-Type: application/json" "Accept: application/json" -X POST "https://$DSMFQDN/rest/cloudaccounts" -d '{"createCloudAccountRequest":{"cloudAccountElement":{"accessKey":"'${AWSKEYS[0]}'","cloudRegion":"'${!region}'","cloudType":"AMAZON","name":"'$3$region'","secretKey":"'${AWSKEYS[1]}'","endpoint":"'${!endpoint}'","azureCertificate":"-"},"sessionId":"'$tempDSSID'"}}' | |
done | |
curl -k -X DELETE https://$DSMFQDN/rest/authentication/logout?sID=$tempDSSID | |
unset AWSKEYS | |
unset tempDSSID | |
unset username | |
unset password |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Posting on behalf of the Deep Security team since GitHub doesn't supported Org gists...yet.