
Commit 14115e4

author
Zahi Ben Shabat
committed
workshop updates
1 parent c2be98b commit 14115e4

2 files changed

+274
-0
lines changed


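--- a/Makefile
+++ b/Makefile
@@ -17,6 +17,8 @@ install: verify-env
 	@$(MAKE) backstage-install 2>&1 | tee -a $(LOGFILE)
 	@echo -e "\nBootstrapping CDK\n====================" 2>&1 | tee -a $(LOGFILE)
 	@$(MAKE) cdk-bootstrap 2>&1 | tee -a $(LOGFILE)
+	@echo -e "\nSetting Secrets\n====================" 2>&1 | tee -a $(LOGFILE)
+	@$(MAKE) set-secrets 2>&1 | tee -a $(LOGFILE)
 	@echo -e "\nDeploying the OPA platform\n====================" 2>&1 | tee -a $(LOGFILE)
 	@$(MAKE) deploy-platform 2>&1 | tee -a $(LOGFILE)
 	@echo -e "\nUpdating configuration with platform values\n====================" 2>&1 | tee -a $(LOGFILE)
@@ -43,6 +45,12 @@ ifndef AWS_DEFAULT_REGION
 $(error AWS_DEFAULT_REGION is undefined. Please ensure this is set in the config/.env file)
 endif
 
+set-secrets:
+	./build-script/secure-secrets-creation.sh
+
+delete-secrets:
+	./build-script/secure-secrets-creation.sh "delete"
+
 set-gitlab-token-env-var:
 	./build-script/set-gitlab-token.sh
 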
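Review bot: The new `set-secrets` and `delete-secrets` targets in the second hunk produce no file of that name, so they must be declared phony or a stray file called `set-secrets` will silently make the step a no-op; I cannot see whether a `.PHONY` line exists outside the hunk, but either way the addition is `.PHONY: set-secrets delete-secrets`. In the first hunk the step runs as `@$(MAKE) set-secrets 2>&1 | tee -a $(LOGFILE)`, which follows the existing lines but means a non-zero exit from the secrets script is masked by `tee` unless `.SHELLFLAGS` enables `pipefail`, so `install` will carry on to `deploy-platform` with secrets missing; this is presumably pre-existing for the other steps, but a missing secret is a harder failure than the others and deserves either `pipefail` or a separate status check. Because stdout and stderr of this step are appended to `$(LOGFILE)`, the script it invokes must never print secret values, which is worth a comment on the `set-secrets:` rule. The `install` recipe begins before this hunk.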
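--- /dev/null
+++ b/build-script/secure-secrets-creation.sh
@@ -0,0 +1,266 @@
+#!/usr/bin/env bash
+
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+
+# We cannot use IaC to populate secrets since the value of the secret would be exposed.
+# Instead, this script uses the AWS CLI to create secrets where the values come from environment variables
+# and the values of the secrets are not exposed anywhere.
+
+# This script can perform a create/update action or a deletion of secrets. The default mode
+# is create/update. To enable deletion mode, pass "delete" as the first argument to this script.
+
+# This script should be called (in create/update mode) before the opa-platform IaC is deployed.
+
+scriptDir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+source $scriptDir/helpers.sh
+
+confirm_aws_account
+
+cd $scriptDir
+
+# BEGIN GITHUB SECRET ------------------------------------------------------------------------
+
+if [[ ! -z "$GITHUB_SECRET_NAME" ]]; then
+    if [[ "$1" == "delete" ]]; then
+        echo -e "\nDeleting $GITHUB_SECRET_NAME"
+        aws secretsmanager delete-secret --secret-id $GITHUB_SECRET_NAME --force-delete-without-recovery --no-cli-pager
+    else
+        echo -e "\nCreating/Updating GitHub $GITHUB_SECRET_NAME secret...\n"
+
+        # Validation of required settings
+        if [[ -z "$GITHUB_TOKEN" ]]; then
+            echo_error "GITHUB_TOKEN must be set" >&2;
+            exit 1
+        fi
+
+        echo "{\"username\": \"opa-admin\", \"apiToken\": \"$GITHUB_TOKEN\", \"password\": \"\"}" > $scriptDir/tempSecretToCreate.json
+
+        if cmdOutput=$(aws secretsmanager describe-secret --secret-id $GITHUB_SECRET_NAME 2> /dev/null); then
+            echo "Updating existing secret:"
+            aws secretsmanager put-secret-value --secret-id $GITHUB_SECRET_NAME --secret-string file://tempSecretToCreate.json
+        else
+            echo "Creating new secret:"
+            aws secretsmanager create-secret --name $GITHUB_SECRET_NAME \
+                --description "OPA GitHub connection info" \
+                --secret-string file://tempSecretToCreate.json
+        fi
+
+        if [ $? -eq 0 ]; then
+            echo_ok "Successfully set GitHub $GITHUB_SECRET_NAME secret"
+        else
+            echo_error "failed to set GitHub Cloud $GITHUB_SECRET_NAME secret" >&2;
+            exit 1
+        fi
+
+        rm $scriptDir/tempSecretToCreate.json
+
+        echo ""
+    fi
+
+else
+    echo_warn "Skipping GitHub secret"
+fi
+
+# END GITHUB SECRET --------------------------------------------------------------------------
+
+# BEGIN GITLAB SECRET ------------------------------------------------------------------------
+
+if [[ ! -z "$GITLAB_SECRET_NAME" ]]; then
+    if [[ "$1" == "delete" ]]; then
+        echo -e "\nDeleting $GITLAB_SECRET_NAME"
+        aws secretsmanager delete-secret --secret-id $GITLAB_SECRET_NAME --force-delete-without-recovery --no-cli-pager
+    else
+        echo -e "\nCreating/Updating GitLab $GITLAB_SECRET_NAME secret...\n"
+
+        echo "{\"username\": \"opa-admin\", \"apiToken\": \"\", \"password\": \"\", \"runnerRegistrationToken\": \"\", \"runnerId\": \"\"}" > $scriptDir/tempSecretToCreate.json
+
+        if cmdOutput=$(aws secretsmanager describe-secret --secret-id $GITLAB_SECRET_NAME 2> /dev/null); then
+            echo "Updating existing secret:"
+            aws secretsmanager put-secret-value --secret-id $GITLAB_SECRET_NAME --secret-string file://tempSecretToCreate.json
+        else
+            echo "Creating new secret:"
+            aws secretsmanager create-secret --name $GITLAB_SECRET_NAME \
+                --description "OPA GitLab connection info" \
+                --secret-string file://tempSecretToCreate.json
+        fi
+
+        if [ $? -eq 0 ]; then
+            echo_ok "Successfully set GitLab $GITLAB_SECRET_NAME secret"
+        else
+            echo_error "failed to set GitLab Cloud $GITLAB_SECRET_NAME secret" >&2;
+            exit 1
+        fi
+
+        rm $scriptDir/tempSecretToCreate.json
+
+        echo ""
+    fi
+
+else
+    echo_warn "Skipping GitLab secret"
+fi
+
+# END GITLAB SECRET --------------------------------------------------------------------------
+
+# BEGIN HARNESS SECRET ------------------------------------------------------------------------
+
+if [[ ! -z "$HARNESS_ACCESS_TOKEN" ]]; then
+    export HARNESS_SECRET_NAME="$OPA_PREFIX-admin-harness-secrets"
+
+    if [[ "$1" == "delete" ]]; then
+        echo -e "\nDeleting $HARNESS_ACCESS_TOKEN"
+        aws secretsmanager delete-secret --secret-id $HARNESS_SECRET_NAME --force-delete-without-recovery --no-cli-pager
+    else
+        echo -e "\nCreating/Updating Harness $HARNESS_SECRET_NAME secret...\n"
+
+        # Validation of required settings
+        if [[ -z "$HARNESS_ACCOUNT_NUMBER" ]]; then
+            echo_error "HARNESS_ACCOUNT_NUMBER must be set" >&2;
+            exit 1
+        fi
+
+        echo "{\"accountNumber\": \"$HARNESS_ACCOUNT_NUMBER\", \"token\": \"$HARNESS_ACCESS_TOKEN\"}" > $scriptDir/tempSecretToCreate.json
+
+        if cmdOutput=$(aws secretsmanager describe-secret --secret-id $HARNESS_SECRET_NAME 2> /dev/null); then
+            echo "Updating existing secret:"
+            aws secretsmanager put-secret-value --secret-id $HARNESS_SECRET_NAME --secret-string file://tempSecretToCreate.json
+        else
+            echo "Creating new secret:"
+            aws secretsmanager create-secret --name $HARNESS_SECRET_NAME \
+                --description "OPA Harness CICD connection info" \
+                --secret-string file://tempSecretToCreate.json
+        fi
+
+        if [ $? -eq 0 ]; then
+            echo_ok "Successfully set Harness $HARNESS_SECRET_NAME secret"
+        else
+            echo_error "failed to set Harness $HARNESS_SECRET_NAME secret" >&2;
+            exit 1
+        fi
+
+        rm $scriptDir/tempSecretToCreate.json
+
+        echo ""
+    fi
+
+else
+    echo_warn "Skipping Harness secret"
+fi
+
+# END HARNESS SECRET --------------------------------------------------------------------------
+
+# BEGIN TERRAFORM CLOUD SECRET ------------------------------------------------------------------------
+
+if [[ ! -z "$TERRAFORM_CLOUD_TOKEN" ]]; then
+    export TERRAFORM_CLOUD_SECRET_NAME="$OPA_PREFIX-admin-terraform-cloud-secrets"
+
+    if [[ "$1" == "delete" ]]; then
+        echo -e "\nDeleting $TERRAFORM_CLOUD_TOKEN"
+        aws secretsmanager delete-secret --secret-id $TERRAFORM_CLOUD_SECRET_NAME --force-delete-without-recovery --no-cli-pager
+    else
+        echo -e "\nCreating/Updating Terraform Cloud $TERRAFORM_CLOUD_SECRET_NAME secret...\n"
+
+        # Validation of required settings
+        if [[ -z "$TERRAFORM_CLOUD_ORGANIZATION" ]]; then
+            echo_error "TERRAFORM_CLOUD_ORGANIZATION must be set" >&2;
+            exit 1
+        fi
+        if [[ -z "$TERRAFORM_CLOUD_HOSTNAME" ]]; then
+            export TERRAFORM_CLOUD_HOSTNAME="app.terraform.io" # use default value
+        fi
+
+        echo "{\"hostname\": \"$TERRAFORM_CLOUD_HOSTNAME\", \"organization\": \"$TERRAFORM_CLOUD_ORGANIZATION\", \"token\": \"$TERRAFORM_CLOUD_TOKEN\"}" > $scriptDir/tempSecretToCreate.json
+
+        if cmdOutput=$(aws secretsmanager describe-secret --secret-id $TERRAFORM_CLOUD_SECRET_NAME 2> /dev/null); then
+            echo "Updating existing secret:"
+            aws secretsmanager put-secret-value --secret-id $TERRAFORM_CLOUD_SECRET_NAME --secret-string file://tempSecretToCreate.json
+        else
+            echo "Creating new secret:"
+            aws secretsmanager create-secret --name $TERRAFORM_CLOUD_SECRET_NAME \
+                --description "OPA Terraform cloud connection info" \
+                --secret-string file://tempSecretToCreate.json
+        fi
+
+        if [ $? -eq 0 ]; then
+            echo_ok "Successfully set Terraform Cloud $TERRAFORM_CLOUD_SECRET_NAME secret"
+        else
+            echo_error "failed to set Terraform Cloud $TERRAFORM_CLOUD_SECRET_NAME secret" >&2;
+            exit 1
+        fi
+
+        rm $scriptDir/tempSecretToCreate.json
+
+        echo ""
+    fi
+
+else
+    echo_warn "Skipping Terraform Cloud secret"
+fi
+
+# END TERRAFORM CLOUD SECRET --------------------------------------------------------------------------
+
+# BEGIN OKTA IDENTITY PROVIDER SECRET ------------------------------------------------------------------------
+
+if [[ ! -z "$OKTA_SECRET_NAME" ]]; then
+    if [[ "$1" == "delete" ]]; then
+        echo -e "\nDeleting $OKTA_SECRET_NAME"
+        aws secretsmanager delete-secret --secret-id $OKTA_SECRET_NAME --force-delete-without-recovery --no-cli-pager
+    else
+        echo -e "\nCreating/Updating OKTA IDP $OKTA_SECRET_NAME secret...\n"
+
+        # Validation of required settings
+        if [[ -z "$OKTA_API_TOKEN" ]]; then
+            echo_error "OKTA_API_TOKEN must be set" >&2;
+            exit 1
+        fi
+        if [[ -z "$OKTA_AUDIENCE" ]]; then
+            echo_error "OKTA_AUDIENCE must be set" >&2;
+            exit 1
+        fi
+        if [[ -z "$OKTA_CLIENT_ID" ]]; then
+            echo_error "OKTA_CLIENT_ID must be set" >&2;
+            exit 1
+        fi
+        if [[ -z "$OKTA_CLIENT_SECRET" ]]; then
+            echo_error "OKTA_CLIENT_SECRET must be set" >&2;
+            exit 1
+        fi
+
+        # Check optional settings
+        if [[ "$OKTA_AUTH_SERVER_ID" == "blank" ]]; then
+            OKTA_AUTH_SERVER_ID=""
+        fi
+        if [[ "$OKTA_IDP" == "blank" ]]; then
+            OKTA_IDP=""
+        fi
+
+        echo "{\"clientId\": \"$OKTA_CLIENT_ID\", \"clientSecret\": \"$OKTA_CLIENT_SECRET\", \"audience\": \"$OKTA_AUDIENCE\", \"authServerId\": \"$OKTA_AUTH_SERVER_ID\", \"idp\": \"$OKTA_IDP\", \"apiToken\": \"$OKTA_API_TOKEN\"}" > $scriptDir/tempSecretToCreate.json
+
+        if cmdOutput=$(aws secretsmanager describe-secret --secret-id $OKTA_SECRET_NAME 2> /dev/null); then
+            echo "Updating existing secret:"
+            aws secretsmanager put-secret-value --secret-id $OKTA_SECRET_NAME --secret-string file://tempSecretToCreate.json
+        else
+            echo "Creating new secret:"
+            aws secretsmanager create-secret --name $OKTA_SECRET_NAME \
+                --description "OPA OKTA IDP connection info" \
+                --secret-string file://tempSecretToCreate.json
+        fi
+
+        if [ $? -eq 0 ]; then
+            echo_ok "Successfully set OKTA IDP $OKTA_SECRET_NAME secret"
+        else
+            echo_error "failed to set OKTA IDP $OKTA_SECRET_NAME secret" >&2;
+            exit 1
+        fi
+
+        rm $scriptDir/tempSecretToCreate.json
+
+        echo ""
+    fi
+
+else
+    echo_warn "Skipping OKTA IDP secret"
+fi
+
+cd - > /dev/null
+echo ""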
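Review bot: In delete mode the Harness and Terraform Cloud blocks print the credential itself rather than the secret name — `echo -e "\nDeleting $HARNESS_ACCESS_TOKEN"` (new line 111) and `echo -e "\nDeleting $TERRAFORM_CLOUD_TOKEN"` (new line 158) — so a token lands on the terminal and in any log the caller tees; these should read `echo -e "\nDeleting $HARNESS_SECRET_NAME"` and `echo -e "\nDeleting $TERRAFORM_CLOUD_SECRET_NAME"`, matching the GitHub, GitLab and Okta blocks. Every block also writes the token into `$scriptDir/tempSecretToCreate.json` under the process's default umask and removes it only on the success path, so a failed `aws secretsmanager` call (the `exit 1` branches after `if [ $? -eq 0 ]`) leaves the credential on disk next to the script; a `umask 077` before the first write and a `trap 'rm -f "$scriptDir/tempSecretToCreate.json"' EXIT` near the top would close both gaps and let the per-block `rm` lines go. The JSON payloads are assembled by string interpolation, so a token containing `"` or `\` produces an invalid secret string that is only noticed when the platform reads it back; if a JSON encoder is available to the helpers it should build the payload, otherwise the constraint deserves a comment on the `echo "{...}" >` lines. `source $scriptDir/helpers.sh` and `cd $scriptDir` are unquoted, which breaks on a checkout path containing spaces.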
