From 4615b63124cca418c603d8e695982b9a8fa04e0a Mon Sep 17 00:00:00 2001
From: Don Badrak
Date: Thu, 15 Aug 2019 11:02:41 -0400
Subject: [PATCH] generate output from new aws_info structure
---
 audit-output-creds.sh | 92 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 92 insertions(+)
 create mode 100755 audit-output-creds.sh
diff --git a/audit-output-creds.sh b/audit-output-creds.sh
new file mode 100755
index 0000000..9fa78b6
--- /dev/null
+++ b/audit-output-creds.sh
@@ -0,0 +1,92 @@
+#!/bin/bash
+
+# creates a file in /tmp/{scan_user}.{account}.{date}.txt
+
+if [ -r $HOME/.tf-control ]
+then
+ source $HOME/.tf-control
+fi
+
+if [ -z $TERRAFORM ]
+then
+ TERRAFORM=$TFCOMMAND
+fi
+if [ -z $TERRAFORM ]
+then
+ TERRAFORM="terraform"
+fi
+
+DATE=$(date +%Y%m%d)
+S_ACCOUNT=$($TERRAFORM output caller_account_id)
+#S_USER=$($TERRAFORM output scan_user)
+S_FILE="/tmp/${S_USER}.${S_ACCOUNT}.$DATE.txt"
+
+AWS_INFO=$($TERRAFORM output -json aws_info)
+count=$(echo $AWS_INFO | jq -c 'keys' | sed -e 's/\[//' -e 's/\]//')
+scount=0
+while [ $scount -le $count ]
+do
+ i=$scount
+ declare -A info
+ for item in user aws_access_key_id aws_secret_access_key
+ do
+ info[$item]=$(echo $AWS_INFO | jq -c ".[$i].$item" | sed -e 's/"//g')
+# echo "item=$item value=${info[$item]}"
+ done
+ S_USER=${info["user"]}
+ S_FILE="/tmp/${S_USER}.${S_ACCOUNT}.$DATE.txt"
+ info["aws_secret_access_key"]=$(echo ${info["aws_secret_access_key"]} | base64 --decode | ( gpg --batch --decrypt 2> /dev/null) )
+
+ echo "# file=$S_FILE" > $S_FILE
+ echo "# account=$S_ACCOUNT" >> $S_FILE
+ echo "# date=$DATE" >> $S_FILE
+ echo "# user=$S_USER" >> $S_FILE
+ for item in aws_access_key_id aws_secret_access_key
+ do
+ echo "${item}=${info[$item]}" >> $S_FILE
+ done
+ echo "" >> $S_FILE
+
+ ls -al $S_FILE
+ cat $S_FILE
+
+ scount=$(( $scount + 1 ))
+done
+
+# in script form
+#echo "# file=$S_FILE" > $S_FILE
+#echo "# account=$S_ACCOUNT" >> $S_FILE
+#echo "# date=$DATE" >> $S_FILE
+#echo "scan_user=$S_USER" >> $S_FILE
+#( echo -n "scan_aws_access_key_id="; $TERRAFORM output scan_aws_access_key_id ) >> $S_FILE
+#( echo -n "scan_aws_secret_access_key="; $TERRAFORM output scan_aws_secret_access_key | base64 --decode | ( gpg --batch --decrypt 2> /dev/null) ; echo "" ) >> $S_FILE
+#echo "" >> $S_FILE
+#
+#cat $S_FILE
+
+
+## #service_profile=$($TERRAFORM output service_profile)
+## service_profile=""
+## profile=$($TERRAFORM output profile)
+## username=$($TERRAFORM output scan_user)
+## echo ""
+## if [ ! -z $service_profile ]
+## then
+## echo "# test new access key after inserting above into $HOME/.aws/credentials in [$service_profile]"
+## echo "aws --profile $service_profile iam list-access-keys --user-name $username"
+## else
+## echo "# test new access key after inserting above into $HOME/.aws/credentials in [$profile]"
+## echo "aws --profile $profile iam list-access-keys --user-name $username"
+## fi
+##
+## old_access_key=$($TERRAFORM output aws_access_key_id_prev|sed -e 's/^.*=//')
+## if [ ! -z $old_access_key ]
+## then
+## echo ""
+## echo "# dissable old access key"
+## echo "aws --profile $profile iam update-access-key --user-name $username --access-key-id $old_access_key --status Inactive"
+## echo ""
+## echo "# delete old access key (only necessary if haven't rotated twice)"
+## echo "# aws --profile $profile iam delete-access-key --user-name $username --access-key-id $old_access_key"
+## fi
+##
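Review bot: The decrypted aws_secret_access_key is written to the predictable path `/tmp/${S_USER}.${S_ACCOUNT}.$DATE.txt` with the caller's default umask by `echo "# file=$S_FILE" > $S_FILE` and then printed with `cat $S_FILE`, so the plaintext credential is typically readable by every local user and also ends up in terminal scrollback; add `umask 077` before the first write (or create the file via `mktemp`) and drop the `cat`. The loop bound is also wrong for more than one entry: `jq -c 'keys'` on the aws_info array yields `[0,1,...]`, and after the brackets are stripped `[ $scount -le $count ]` compares against `0,1`, which `[` rejects as a non-integer; use `count=$(printf '%s' "$AWS_INFO" | jq 'length')` with `while [ "$scount" -lt "$count" ]`. `gpg --batch --decrypt 2> /dev/null` hides decryption failures, so a failed decrypt silently writes an empty secret into the file; check the pipeline's status (`set -o pipefail` plus an explicit `|| exit 1`) before writing. The expansions throughout (`$S_FILE`, `$AWS_INFO`, `$HOME/.tf-control`, `$TERRAFORM`) are unquoted and should be double-quoted.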