initial commit

2026-02-13 15:44:24 +08:00
parent 66be8224f4
commit 09ce4c881a
570 changed files with 61807 additions and 0 deletions
@@ -0,0 +1,30 @@
+# assume_role module
+This module uses awscli, calls sts and obtain temp credentials for role switching. Returns the temp credential as a map.
+
+## System requirements
+* awscli
+* jq
+
+## Inputs
+| variable          | type   | required | description                                                                |
+|:------------------|--------|----------|----------------------------------------------------------------------------|
+| account_id        | string | yes      | target aws account id                                                      |
+| role_name         | string | yes      | target role name                                                           |
+| role_session_name | string | no       | session name, useful for tracing logs in cloudtrail. defaults to tf_awscli |
+
+## Outputs
+| variable        | type          | sensitive | description             |
+|-----------------|---------------|-----------|-------------------------|
+| temp_credential | map of string | yes       | json output from awscli |
+
+```json
+{
+    "AccessKeyId": "111",
+    "SecretAccessKey": "222",
+    "SessionToken": "333",
+    "Expiration": "2023-07-01T10:19:47+00:00"
+}
+```
+
+# References
+This module is based on https://registry.terraform.io/modules/digitickets/cli/aws/latest
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+# tell bash to exit if any subcommand fails
+set -eo pipefail
+
+# Validate required commands
+if ! [ -x "$(command -v aws)" ]; then
+  echo 'Error: aws is not installed.' >&2
+  exit 1
+fi
+if ! [ -x "$(command -v jq)" ]; then
+  echo 'Error: jq is not installed.' >&2
+  exit 1
+fi
+
+# Get the query
+TERRAFORM_QUERY=$(jq -Mc .)
+
+# Extract the query attributes
+ASSUME_ROLE_ARN=$(echo "${TERRAFORM_QUERY}" | jq -r '.assume_role_arn')
+ROLE_SESSION_NAME=$(echo "${TERRAFORM_QUERY}" | jq -r '.role_session_name')
+
+aws sts assume-role --output json \
+--role-arn "${ASSUME_ROLE_ARN}" \
+--role-session-name "${ROLE_SESSION_NAME}" \
+--query Credentials
@@ -0,0 +1,12 @@
+data "external" "awscli" {
+  program = [format("%s/assumeRole.sh", path.module)]
+  query = {
+    assume_role_arn   = "arn:aws:iam::${var.account_id}:role/${var.role_name}"
+    role_session_name = var.role_session_name
+  }
+}
+
+output temp_credential {
+  value = data.external.awscli.result
+  sensitive = true
+}
@@ -0,0 +1,13 @@
+variable "role_session_name" {
+  description = "The role session name"
+  type        = string
+  default     = "tf_awscli"
+}
+
+variable account_id {
+  type = string
+}
+
+variable role_name {
+  type = string
+}