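## purpose:
##
## create a Terraform override file containing temporary role
## credentials generated from an account protected with MFA.
##
## usage:
##
## $ make credentials aws_override.tf PROFILE=my-profile TOKEN_CODE=123456
## $ terraform apply
##
## Both .credentials.json and aws_override.tf hold live AWS credentials:
## they are written mode 0600, must stay out of version control
## (.gitignore them) and can be removed with `make clean`.
##

## Remove a half-written file target when its recipe fails, so a broken
## run never leaves a truncated-but-newer aws_override.tf behind.
.DELETE_ON_ERROR:

## user-supplied knobs (command-line assignments override these)
PROFILE :=
TOKEN_CODE :=
## lifetime of the temporary credentials in seconds
DURATION := 900

ROLE_SESSION_NAME := terraform-$(PROFILE)
## $(shell) runs at parse time on every invocation (even `make clean`),
## so only ask the AWS CLI for the profile's settings when a profile is given.
ifneq ($(strip $(PROFILE)),)
ROLE_ARN := $(shell aws configure get role_arn --profile $(PROFILE) 2>/dev/null)
MFA_SERIAL_ARN := $(shell aws configure get mfa_serial --profile $(PROFILE) 2>/dev/null)
else
ROLE_ARN :=
MFA_SERIAL_ARN :=
endif
CREDENTIALS := .credentials.json
TEMPLATE := provider-aws.tmpl

## .PHONY does not accept patterns, so the assert-* targets are listed by name;
## the assert-var-% pattern targets never exist as files and therefore always run.
.PHONY: credentials clean assert-profile assert-token-code assert-role-arn assert-mfa-serial

## Each assert-<name> target sets VAR to the make variable to check and
## delegates to the assert-var-% pattern rule, which inherits VAR.
assert-profile: VAR = PROFILE
assert-profile: assert-var-profile

assert-token-code: VAR = TOKEN_CODE
assert-token-code: assert-var-token-code

assert-role-arn: VAR = ROLE_ARN
assert-role-arn: assert-var-role-arn

assert-mfa-serial: VAR = MFA_SERIAL_ARN
assert-mfa-serial: assert-var-mfa-serial

## Fail with a clear message when the variable named by VAR is empty.
## Uses POSIX `[ -z ... ]` rather than bash `[[ ... ]]` so the default
## /bin/sh (dash on Debian-based systems) can run the recipe.
assert-var-%:
	@if [ -z "$(strip $($(VAR)))" ]; then \
		echo "Variable $(VAR) is not set" >&2; \
		exit 1; \
	fi

## https://www.terraform.io/docs/providers/aws/index.html
## http://blog.sinica.me/aws_multi_account_with_terraform.html
##
## Always fetches a fresh credential set (phony): temporary credentials
## expire after DURATION seconds, so an existing file is never reused here.
## The MFA serial is asserted too: `--serial-number` with an empty value
## would only fail later inside the STS call with a less helpful error.
## The file is written under umask 077 and renamed into place so that a
## failed or interrupted call never leaves a partial, world-readable file.
credentials: assert-profile assert-token-code assert-role-arn assert-mfa-serial
	umask 077 && aws sts assume-role \
		--role-session-name $(ROLE_SESSION_NAME) \
		--role-arn $(ROLE_ARN) \
		--serial-number $(MFA_SERIAL_ARN) \
		--token-code $(TOKEN_CODE) \
		--duration-seconds $(DURATION) \
		--output json > $(CREDENTIALS).tmp && mv -f $(CREDENTIALS).tmp $(CREDENTIALS)

## `make aws_override.tf` on its own reuses an existing credentials file;
## without one, fail with a hint instead of make's generic "No rule to make target".
$(CREDENTIALS):
	$(error $@ not found; run 'make credentials PROFILE=<profile> TOKEN_CODE=<code>' first)

## https://www.terraform.io/docs/configuration/override.html
##
## The credential values are read with jq inside the recipe rather than in
## `:=` target-specific $(shell ...) variables: those are expanded when the
## makefile is read, before the `credentials` recipe has run, so a single
## `make credentials aws_override.tf` substituted empty strings on first use.
## The recipe is silenced (@) because make would otherwise echo the sed
## command line, secret key and session token included, to the terminal or CI log.
aws_override.tf: $(TEMPLATE) $(CREDENTIALS)
	@umask 077 && \
	key_id=$$(jq -r .Credentials.AccessKeyId $(CREDENTIALS)) && \
	secret=$$(jq -r .Credentials.SecretAccessKey $(CREDENTIALS)) && \
	token=$$(jq -r .Credentials.SessionToken $(CREDENTIALS)) && \
	sed -e "s|@@AWS_ACCESS_KEY_ID@@|$$key_id|g" \
	    -e "s|@@AWS_SECRET_ACCESS_KEY@@|$$secret|g" \
	    -e "s|@@AWS_SESSION_TOKEN@@|$$token|g" < $< > $@.tmp && \
	mv -f $@.tmp $@

## Remove every file that may contain credentials (including leftovers of an
## interrupted run). Only files this Makefile creates are touched.
clean:
	$(RM) $(CREDENTIALS) $(CREDENTIALS).tmp aws_override.tf aws_override.tf.tmp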