
update aws rotation

master
Markus Bergholz 4 months ago
parent
commit
c0abb38106
4 changed files with 61 additions and 29 deletions
  1. +13
    -0
      ansible/password_iteration.yml
  2. +8
    -8
      ansible/profile_iteration.yml
  3. +40
    -0
      ansible/rotate_aws.yml
  4. +0
    -21
      ansible/rotate_aws_keys.yml

+ 13
- 0
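--- a/ansible/password_iteration.yml
+++ b/ansible/password_iteration.yml
@@ -0,0 +1,13 @@
+- name: update profile
+debug:
+var: item.profile
+when: item.password is defined
+
+- name: update iam password
+iam:
+iam_type: user
+profile: "{{ item.profile }}"
+name: "{{ item.user }}"
+state: present
+password: "{{ item.password }}"
+when: item.password is defined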
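Review bot: The `iam` task that sets `password: "{{ item.password }}"` carries no `no_log: true`, so its result — and the loop item that delivers the password when this file is included with `with_items` — can end up in verbose play output and logs; unless the module is known to mask this parameter, add `no_log: true` next to the final `when: item.password is defined`. The preceding `debug` task only prints `item.profile`, which is harmless, but its name `update profile` describes a change it does not make; `- name: show profile being updated` would be more honest. Both tasks rely on `item.user` being present whenever `item.password` is, which holds for the entries in rotate_aws.yml but is not checked here.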

+ 8
- 8
ansible/profile_iteration.yml View File

@@ -1,14 +1,14 @@
- name: create new credentials, remove current and replace them in ~/.aws/credentials
- name: update profile "{{ item.profile }}"
block:
- name: Get the current caller identity facts
aws_caller_info:
profile: "{{ item }}"
profile: "{{ item.profile }}"
register: caller_facts

- name: read current credentials
set_fact:
current_access_key: "{{ lookup('ini', 'aws_access_key_id section=' + item + ' file=~/.aws/credentials') }}"
current_secret_key: "{{ lookup('ini', 'aws_secret_access_key section=' + item + ' file=~/.aws/credentials') }}"
current_access_key: "{{ lookup('ini', 'aws_access_key_id section=' + item.profile + ' file=~/.aws/credentials') }}"
current_secret_key: "{{ lookup('ini', 'aws_secret_access_key section=' + item.profile + ' file=~/.aws/credentials') }}"
username: "{{ caller_facts.arn.split('/')[1] }}"

- name: create new iam credentials
@@ -18,7 +18,7 @@
state: update
access_key_state: create
key_count: 2
profile: "{{ item }}"
profile: "{{ item.profile }}"
register: new_credentials

- name: delete old credentials
@@ -28,13 +28,13 @@
state: update
access_key_state: remove
access_key_ids: "{{ current_access_key }}"
profile: "{{ item }}"
profile: "{{ item.profile }}"
key_count: 1

- name: update secret access key credentials file
ini_file:
path: ~/.aws/credentials
section: "{{ item }}"
section: "{{ item.profile }}"
option: aws_secret_access_key
value: "{{ new_credentials.created_keys[0].secret_access_key }}"
mode: '0600'
@@ -43,7 +43,7 @@
- name: update access key credentials file
ini_file:
path: ~/.aws/credentials
section: "{{ item }}"
section: "{{ item.profile }}"
option: aws_access_key_id
value: "{{ new_credentials.created_keys[0].access_key_id }}"
mode: '0600'
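Review bot: On the new side the `delete old credentials` task (`access_key_state: remove`) runs before the two `ini_file` tasks write the freshly created key into ~/.aws/credentials, so a failure between those steps leaves the profile pointing at a key that no longer exists while the new secret lives only in the registered `new_credentials`. Since `key_count: 2` already permits both keys to coexist during the swap, consider moving both `ini_file` tasks ahead of the removal, and if the `block:` opened at the top of the file has no `rescue`, that is where a failed rotation should restore the previous entry. The `create new iam credentials` task, whose head is outside the hunk, registers a result containing `secret_access_key`; it should carry `no_log: true` so the new secret is not echoed in task output. The profile key `"{{ item.profile }}"` is used consistently across all hunks, which is the commit's purpose and looks correct.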


+ 40
- 0
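--- a/ansible/rotate_aws.yml
+++ b/ansible/rotate_aws.yml
@@ -0,0 +1,40 @@
+---
+- hosts: localhost
+connection: local
+gather_facts: False
+
+vars:
+NC_TOKEN: "{{ lookup('env', 'NC_TOKEN') }}"
+AWS_USERNAME: "{{ lookup('env', 'AWS_USERNAME') }}"
+POC_AWS_USERNAME: "{{ lookup('env', 'POC_AWS_USERNAME') }}"
+PROFILES:
+- profile: test
+password: "{{ lookup('nextcloud_passwords', 'aws test' , host='home.osuv.de', user='m', api_token=NC_TOKEN) }}"
+user: "{{ AWS_USERNAME }}"
+- profile: prod
+password: "{{ lookup('nextcloud_passwords', 'aws prod' , host='home.osuv.de', user='m', api_token=NC_TOKEN) }}"
+user: "{{ AWS_USERNAME }}"
+- profile: connectdev
+password: "{{ lookup('nextcloud_passwords', 'aws connect test' , host='home.osuv.de', user='m', api_token=NC_TOKEN) }}"
+user: "{{ AWS_USERNAME }}"
+- profile: connectprod
+password: "{{ lookup('nextcloud_passwords', 'aws connect prod' , host='home.osuv.de', user='m', api_token=NC_TOKEN) }}"
+user: "{{ AWS_USERNAME }}"
+- profile: connectpoc
+password: "{{ lookup('nextcloud_passwords', 'aws connect poc' , host='home.osuv.de', user='m', api_token=NC_TOKEN) }}"
+user: "{{ POC_AWS_USERNAME }}"
+- profile: datalake_test
+password: "{{ lookup('nextcloud_passwords', 'aws datalake test' , host='home.osuv.de', user='m', api_token=NC_TOKEN) }}"
+user: "{{ AWS_USERNAME }}"
+- profile: datalake_prod
+password: "{{ lookup('nextcloud_passwords', 'aws connect prod' , host='home.osuv.de', user='m', api_token=NC_TOKEN) }}"
+user: "{{ AWS_USERNAME }}"
+- profile: pl
+
+
+tasks:
+- include: profile_iteration.yml
+with_items: "{{ PROFILES }}"
+
+- include: password_iteration.yml
+with_items: "{{ PROFILES }}"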
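Review bot: The `datalake_prod` entry looks up `'aws connect prod'`, the same password-store entry as `connectprod`, while every other entry follows an `aws <profile words>` naming; this reads as a copy-paste slip that would set `connectprod`'s password on the `datalake_prod` IAM user, so confirm against the store whether `'aws datalake prod'` was intended. Each `PROFILES` item embeds the plaintext password and `with_items` echoes the whole item in the include output for every iteration; `loop_control: label: "{{ item.profile }}"` on both includes keeps the loop output to the profile name. `include` is deprecated in favour of `include_tasks` since Ansible 2.4, and the deprecation warning will fire on every run. The `vpn` profile present in the deleted rotate_aws_keys.yml is missing from the new list, and `pl` has no `password`/`user` so the password tasks skip it; confirm both are intended rather than lost in the rewrite.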

+ 0
- 21
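--- a/ansible/rotate_aws_keys.yml
+++ b/ansible/rotate_aws_keys.yml
@@ -1,21 +0,0 @@
----
-- hosts: localhost
-connection: local
-gather_facts: False
-
-vars:
-PROFILES:
-- test
-- prod
-- connectdev
-- connectprod
-- connectpoc
-- datalake_test
-- datalake_prod
-- vpn
-- pl
-
-
-tasks:
-- include: profile_iteration.yml
-with_items: "{{ PROFILES }}"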
