## purpose:
##
## create a Terraform override file containing temporary role
## credentials generated from an account protected with MFA.
##
## usage:
##
## $ make credentials aws_override.tf PROFILE=my-profile TOKEN_CODE=123456
## $ terraform apply
##
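## Required inputs, given on the command line
## (`make ... PROFILE=my-profile TOKEN_CODE=123456`). Both default to
## empty so the assert-* targets below can fail loudly when one is missing.
PROFILE :=
TOKEN_CODE :=
## Lifetime of the temporary credentials in seconds (900 is the smallest
## value sts assume-role accepts).
DURATION := 900
## Session name handed to sts assume-role.
ROLE_SESSION_NAME := terraform-$(PROFILE)
## role_arn / mfa_serial come from the named profile in the AWS CLI config.
## Simple (:=) assignment so each `aws configure get` runs exactly once, at
## parse time. Skipped when PROFILE is empty: the call could only fail, and
## the result would be empty either way.
ROLE_ARN := $(if $(strip $(PROFILE)),$(shell aws configure get role_arn --profile $(PROFILE) 2>/dev/null))
MFA_SERIAL_ARN := $(if $(strip $(PROFILE)),$(shell aws configure get mfa_serial --profile $(PROFILE) 2>/dev/null))
## Raw STS response (JSON). It holds live secrets: keep it out of version
## control alongside the rendered aws_override.tf.
CREDENTIALS := .credentials.json
## Drop a target left half-written by a failed recipe instead of leaving a
## stale-but-newer file that make would then consider up to date.
.DELETE_ON_ERROR: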
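## Command targets, never files. `.PHONY` only takes literal names, so the
## pattern target assert-var-% cannot be declared here (`assert-%` in the
## original declared a target literally called "assert-%"); it is always
## considered out of date anyway because no such file exists.
.PHONY: credentials assert-profile assert-token-code assert-role-arn assert-mfa-serial

## assert-<name> checks that the Make variable named by VAR is non-empty.
## VAR is target-specific, so it is inherited by the assert-var-%
## prerequisite whose recipe performs the actual test.
assert-profile: VAR = PROFILE
assert-profile: assert-var-profile
assert-token-code: VAR = TOKEN_CODE
assert-token-code: assert-var-token-code
assert-role-arn: VAR = ROLE_ARN
assert-role-arn: assert-var-role-arn
assert-mfa-serial: VAR = MFA_SERIAL_ARN
assert-mfa-serial: assert-var-mfa-serial

## $($(VAR)) is a double expansion: VAR holds a variable *name*, the outer
## reference yields that variable's value. POSIX `[ -z ]` replaces the
## bash-only `[[ ]]`, since recipes run under $(SHELL), which defaults to
## /bin/sh. The diagnostic goes to stderr.
assert-var-%:
	@if [ -z "$($(VAR))" ]; then \
	  echo "Variable $(VAR) is not set" >&2; \
	  exit 1; \
	fi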
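## https://www.terraform.io/docs/providers/aws/index.html
## http://blog.sinica.me/aws_multi_account_with_terraform.html
##
## Call STS AssumeRole with the MFA token and store the JSON response in
## $(CREDENTIALS). All four inputs are asserted first; assert-mfa-serial was
## missing before, and an empty --serial-number leaves the CLI with a
## malformed argument list.
##
## The recipe is a single shell (line continuations), so `umask 077` applies
## to the redirection: the file holds live secrets and must not be group- or
## world-readable. It is written to a temp file and renamed so a failed call
## never leaves a truncated $(CREDENTIALS) behind. --duration-seconds is the
## option's full name (the original relied on the CLI accepting the
## abbreviation --duration).
credentials: assert-token-code assert-profile assert-role-arn assert-mfa-serial
	umask 077 && \
	aws sts assume-role \
	  --role-session-name $(ROLE_SESSION_NAME) \
	  --role-arn $(ROLE_ARN) \
	  --serial-number $(MFA_SERIAL_ARN) \
	  --token-code $(TOKEN_CODE) \
	  --duration-seconds $(DURATION) \
	  --output json > $(CREDENTIALS).tmp && \
	mv -f $(CREDENTIALS).tmp $(CREDENTIALS)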
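## https://www.terraform.io/docs/configuration/override.html
##
## Render provider-aws.tmpl into the Terraform override file, replacing the
## three @@...@@ placeholders with values taken from $(CREDENTIALS).
##
## Recursive (=) instead of simple (:=) assignment is deliberate: with := the
## $(shell jq ...) calls run while the makefile is being parsed, i.e. before
## the `credentials` recipe has refreshed $(CREDENTIALS), so the documented
## `make credentials aws_override.tf` would bake in the previous run's values
## (or nothing on a first run). With = they are expanded when the recipe's
## environment is built, after `credentials` has completed.
aws_override.tf: export AWS_ACCESS_KEY_ID = $(shell jq -r .Credentials.AccessKeyId $(CREDENTIALS))
aws_override.tf: export AWS_SECRET_ACCESS_KEY = $(shell jq -r .Credentials.SecretAccessKey $(CREDENTIALS))
aws_override.tf: export AWS_SESSION_TOKEN = $(shell jq -r .Credentials.SessionToken $(CREDENTIALS))
## provider-aws.tmpl is a real input of this rule; listing it means template
## edits trigger a re-render. `@` keeps the expanded command, and with it the
## secrets, out of make's echo and any captured build log; the exported
## variables are read by the shell ($$VAR) rather than pasted in by make.
## The values still travel through sed's argument list, so they are not
## hidden from `ps` while sed runs. umask 077 because the rendered file is
## itself a credential; temp file + rename so a failure cannot leave a
## partial override in place.
aws_override.tf: $(CREDENTIALS) provider-aws.tmpl
	@umask 077 && \
	sed -e "s|@@AWS_ACCESS_KEY_ID@@|$$AWS_ACCESS_KEY_ID|g" \
	    -e "s|@@AWS_SECRET_ACCESS_KEY@@|$$AWS_SECRET_ACCESS_KEY|g" \
	    -e "s|@@AWS_SESSION_TOKEN@@|$$AWS_SESSION_TOKEN|g" < provider-aws.tmpl > $@.tmp && \
	mv -f $@.tmp $@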