initial commit

modules/util/awscli/README.md

@@ -0,0 +1,56 @@
+# awscli module
+This module executes awscli and returns the output.
+
+# input variables
+Set the temp credentials if role switching is needed. Otherwise, leave them alone.
+
+| variable         | type    | required | description                         |
+|------------------|---------|----------|-------------------------------------|
+| access_key       | string  | no       | for role switching                  |
+| secret_key       | string  | no       | for role switching                  |
+| session_token    | string  | no       | for role switching                  |
+| aws_cli_commands | string  | yes      | command and parameters after `aws`  |
+
+# output variable
+Normally terraform only produces a simple map of string in output. To work
+around this, awscli outout are base64 encoded. The output variable is then
+base64decoded back to the original text.
+
+| variable      | type   | description        |
+|:--------------|:-------|:-------------------|
+| awscli_output | string | output from awscli |
+
+## Usage example
+```hcl
+module "awscli_exec" {
+  source = "../../modules/util/awscli"
+
+  access_key       = module.as_role.temp_credential.AccessKeyId
+  secret_key       = module.as_role.temp_credential.SecretAccessKey
+  session_token    = module.as_role.temp_credential.SessionToken
+  aws_cli_commands = "ec2 describe-instances --query Reservations[].Instances[].InstanceId"
+}
+
+output awscli_output {
+  value = module.awscli_exec.awscliout
+}
+```
+
+Output
+```
+Outputs:
+
+awscli_output = [
+  "i-0cd5e682bc68dbcd2",
+  "i-050d4adeafaa53cd0",
+  "i-008328e9dfb56b883",
+  "i-0634c5ef3528a7b6f",
+  "i-0dc9009c249f3e3bd",
+  "i-08034d509751ff058",
+  "i-0bdd375df2b78a620",
+  "i-0655d2b3716b1383e",
+]
+```
+
+# References
+This module is based on https://registry.terraform.io/modules/digitickets/cli/aws/latest

modules/util/awscli/main.tf

@@ -0,0 +1,14 @@
+data "external" "awscli_program" {
+  program = [format("%s/run_awscli.sh", path.module)]
+  query = {
+    access_key       = var.access_key
+    secret_key       = var.secret_key
+    session_token    = var.session_token
+    aws_cli_commands = var.aws_cli_commands
+  }
+}
+
+# decode encapsulated string back to original
+output awscliout {
+  value = jsondecode(base64decode(data.external.awscli_program.result.awscliout))
+}

modules/util/awscli/run_awscli.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+# tell bash to exit if any subcommand fails
+set -eo pipefail
+
+# Validate required commands
+if ! [ -x "$(command -v aws)" ]; then
+  echo 'Error: aws is not installed.' >&2
+  exit 1
+fi
+if ! [ -x "$(command -v jq)" ]; then
+  echo 'Error: jq is not installed.' >&2
+  exit 1
+fi
+
+# Process inputs
+TERRAFORM_QUERY=$(jq -Mc .)
+AWS_CLI_COMMANDS=$(echo "${TERRAFORM_QUERY}" | jq -r '.aws_cli_commands')
+access_key=$(echo "${TERRAFORM_QUERY}" | jq -r '.access_key')
+secret_key=$(echo "${TERRAFORM_QUERY}" | jq -r '.secret_key')
+session_token=$(echo "${TERRAFORM_QUERY}" | jq -r '.session_token')
+
+# Set temp credentials if provided
+if [ -n "${access_key}" ]; then
+  export AWS_ACCESS_KEY_ID=$access_key
+  export AWS_SECRET_ACCESS_KEY=$secret_key
+  export AWS_SESSION_TOKEN=$session_token
+fi
+
+# awscli options
+export AWS_PAGER="" # disable pager
+export AWS_RETRY_MODE=standard # adaptive causes throttling, use standard for now
+export AWS_MAX_ATTEMPTS=3 # default is 2
+
+# Run the awscli command, encapsulate output in base64
+jq -n --arg jqarg1 "$(aws ${AWS_CLI_COMMANDS})" '{ "awscliout" : $jqarg1 | @base64 }'

modules/util/awscli/variables.tf

@@ -0,0 +1,18 @@
+variable "aws_cli_commands" {
+  type = string
+}
+
+variable "access_key" {
+  type      = string
+  sensitive = true
+}
+
+variable "secret_key" {
+  type      = string
+  sensitive = true
+}
+
+variable "session_token" {
+  type      = string
+  sensitive = true
+}