generate output from new aws_info structure

terraform-modules · Aug 15, 2019 · 4615b63 · 4615b63
1 parent bbfcfce
commit 4615b63
Showing 1 changed file with 92 additions and 0 deletions.
diff --git a/audit-output-creds.sh b/audit-output-creds.sh
@@ -0,0 +1,92 @@
+#!/bin/bash
+
+# creates a file in /tmp/{scan_user}.{account}.{date}.txt
+
+if [ -r $HOME/.tf-control ]
+then
+  source $HOME/.tf-control
+fi
+
+if [ -z $TERRAFORM ]
+then
+  TERRAFORM=$TFCOMMAND
+fi
+if [ -z $TERRAFORM ]
+then
+  TERRAFORM="terraform"
+fi
+
+DATE=$(date +%Y%m%d)
+S_ACCOUNT=$($TERRAFORM output caller_account_id)
+#S_USER=$($TERRAFORM output scan_user)
+S_FILE="/tmp/${S_USER}.${S_ACCOUNT}.$DATE.txt"
+
+AWS_INFO=$($TERRAFORM output -json aws_info)
+count=$(echo $AWS_INFO | jq -c 'keys' | sed -e 's/\[//' -e 's/\]//')
+scount=0
+while [ $scount -le $count ]
+do
+  i=$scount
+  declare -A info
+  for item in user aws_access_key_id aws_secret_access_key
+  do
+    info[$item]=$(echo $AWS_INFO | jq -c ".[$i].$item" | sed -e 's/"//g')
+#    echo "item=$item value=${info[$item]}"
+  done
+  S_USER=${info["user"]}
+  S_FILE="/tmp/${S_USER}.${S_ACCOUNT}.$DATE.txt"
+  info["aws_secret_access_key"]=$(echo ${info["aws_secret_access_key"]} | base64 --decode | ( gpg --batch --decrypt 2> /dev/null) )
+
+  echo "# file=$S_FILE" > $S_FILE
+  echo "# account=$S_ACCOUNT" >> $S_FILE
+  echo "# date=$DATE" >> $S_FILE
+  echo "# user=$S_USER" >> $S_FILE
+  for item in aws_access_key_id aws_secret_access_key
+  do
+    echo "${item}=${info[$item]}" >> $S_FILE
+  done
+  echo "" >> $S_FILE
+
+  ls -al $S_FILE
+  cat $S_FILE
+
+  scount=$(( $scount + 1 ))
+done
+
+# in script form
+#echo "# file=$S_FILE" > $S_FILE
+#echo "# account=$S_ACCOUNT" >> $S_FILE
+#echo "# date=$DATE" >> $S_FILE
+#echo "scan_user=$S_USER" >> $S_FILE
+#( echo -n "scan_aws_access_key_id="; $TERRAFORM output scan_aws_access_key_id ) >> $S_FILE
+#( echo -n "scan_aws_secret_access_key="; $TERRAFORM output scan_aws_secret_access_key | base64 --decode | ( gpg --batch --decrypt 2> /dev/null) ; echo "" ) >> $S_FILE
+#echo "" >> $S_FILE
+#
+#cat $S_FILE
+
+
+## #service_profile=$($TERRAFORM output service_profile)
+## service_profile=""
+## profile=$($TERRAFORM output profile)
+## username=$($TERRAFORM output scan_user)
+## echo ""
+## if [ ! -z $service_profile ]
+## then
+##   echo "# test new access key after inserting above into $HOME/.aws/credentials in [$service_profile]"
+##   echo "aws --profile $service_profile iam list-access-keys --user-name $username"
+## else
+##   echo "# test new access key after inserting above into $HOME/.aws/credentials in [$profile]"
+##   echo "aws --profile $profile iam list-access-keys --user-name $username"
+## fi
+## 
+## old_access_key=$($TERRAFORM output aws_access_key_id_prev|sed -e 's/^.*=//')
+## if [ ! -z $old_access_key ]
+## then
+##   echo ""
+##   echo "# dissable old access key"
+##   echo "aws --profile $profile iam update-access-key --user-name $username --access-key-id $old_access_key --status Inactive"
+##   echo ""
+##   echo "# delete old access key (only necessary if haven't rotated twice)"
+##   echo "# aws --profile $profile iam delete-access-key --user-name $username --access-key-id $old_access_key"
+## fi
+##