#!/bin/bash
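# Variables - Please update these variables with your actual values.
# Each one may also be supplied through the environment; the literal here is only
# the default used when the variable is unset or empty, so the script can be driven
# from CI or a wrapper without editing this file.
BACKSTAGE_ACCOUNT_ID="${BACKSTAGE_ACCOUNT_ID:-1111111111}"   # account hosting Backstage (placeholder value)
EKS_ACCOUNT_ID="${EKS_ACCOUNT_ID:-2222222222}"               # account hosting the cluster (placeholder; not referenced elsewhere in this script)
EKS_CLUSTER_NAME="${EKS_CLUSTER_NAME:-EKS-secure-coding-cluster}"
BACKSTAGE_ROLE_NAME="${BACKSTAGE_ROLE_NAME:-Backstage}"      # the same role name is used in both accounts (trust policy principal and created role)
CA_KEY="${CA_KEY:-<CA_KEY>}"                                 # base64-encoded cluster CA; "<CA_KEY>" is a placeholder, not a usable value
REGION="${REGION:-us-east-1}"
AWS_PROFILE_BACKSTAGE="${AWS_PROFILE_BACKSTAGE:-backstage-profile}"
AWS_PROFILE_EKS="${AWS_PROFILE_EKS:-eks-profile}"
LOG_FILE="${LOG_FILE:-setup_eks_backstage.log}"              # appended to by log(); relative to the current directory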
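# Logging function: prints a timestamped line to stdout and appends it to $LOG_FILE.
# Arguments: $* - message text
# Globals:   LOG_FILE (read)
# Outputs:   the formatted line on stdout (via tee)
log() {
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  # printf rather than echo so a message beginning with "-" is not parsed as an
  # option; LOG_FILE is quoted so a path containing spaces still works.
  printf '%s %s\n' "$stamp" "$*" | tee -a "$LOG_FILE"
}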
# Error handling function: logs the message with an "ERROR: " prefix and aborts.
# Arguments: $1 - message text
# Returns:   never; exits the shell with status 1
error_exit() {
  local message=$1
  log "ERROR: ${message}"
  exit 1
}
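# Debug function to display current configuration status.
# Read-only: every check only reports through log(); nothing is created or changed.
# Globals:   AWS_PROFILE_BACKSTAGE, AWS_PROFILE_EKS, BACKSTAGE_ROLE_NAME,
#            BACKSTAGE_ACCOUNT_ID (read)
# Returns:   0 always (findings are reported, not returned)
debug() {
  local role_output role_arn
  log "Starting debug..."

  log "Checking AWS CLI profiles..."
  # -F -x: whole-name literal match, so "eks-profile" is not reported as found
  # just because a profile such as "old-eks-profile" exists.
  if ! aws configure list-profiles | grep -Fxq -- "$AWS_PROFILE_BACKSTAGE"; then
    log "AWS profile for Backstage ($AWS_PROFILE_BACKSTAGE) not found."
  else
    log "AWS profile for Backstage ($AWS_PROFILE_BACKSTAGE) found."
  fi
  if ! aws configure list-profiles | grep -Fxq -- "$AWS_PROFILE_EKS"; then
    log "AWS profile for EKS ($AWS_PROFILE_EKS) not found."
  else
    log "AWS profile for EKS ($AWS_PROFILE_EKS) found."
  fi

  log "Checking IAM role in EKS account..."
  # Decide on the exit status, not on the error text alone: a missing CLI, an
  # expired session or a permission error is neither "exists" nor "NoSuchEntity",
  # and used to be reported as "exists".
  if role_output=$(aws iam get-role --role-name "$BACKSTAGE_ROLE_NAME" \
      --profile "$AWS_PROFILE_EKS" 2>&1); then
    log "IAM role $BACKSTAGE_ROLE_NAME exists in EKS account."
  elif grep -q 'NoSuchEntity' <<<"$role_output"; then
    log "IAM role $BACKSTAGE_ROLE_NAME does not exist in EKS account."
  else
    log "Could not check IAM role $BACKSTAGE_ROLE_NAME in EKS account: $role_output"
  fi

  log "Checking Kubernetes RBAC..."
  if ! kubectl get clusterrolebinding backstage-binding > /dev/null 2>&1; then
    log "ClusterRoleBinding backstage-binding does not exist."
  else
    log "ClusterRoleBinding backstage-binding exists."
  fi
  if ! kubectl get clusterrole backstage-role > /dev/null 2>&1; then
    log "ClusterRole backstage-role does not exist."
  else
    log "ClusterRole backstage-role exists."
  fi

  log "Checking aws-auth config map..."
  role_arn="arn:aws:iam::$BACKSTAGE_ACCOUNT_ID:role/$BACKSTAGE_ROLE_NAME"
  # A failed kubectl call produces no output and is reported as "no mapping";
  # kubectl's own stderr line is left visible so the user can tell the two apart.
  if kubectl get configmap -n kube-system aws-auth -o yaml | grep -Fq -- "$role_arn"; then
    log "aws-auth config map has the required role mapping."
  else
    log "aws-auth config map does not have the required role mapping."
  fi

  log "Checking ServiceAccount permissions..."
  # NOTE(review): "auth can-i --list" succeeds whenever the impersonated query itself
  # is allowed, so this shows the query worked rather than that a particular
  # permission is granted. The namespace is spelled "fccs-..." while the account is
  # "fcc-..."; confirm both against the cluster.
  if ! kubectl auth can-i --as=system:serviceaccount:fccs-ng-infra-backstage-prod:fcc-ng-infra-backstage-k8s-sa --list > /dev/null 2>&1; then
    log "ServiceAccount fcc-ng-infra-backstage-k8s-sa may not have the correct permissions."
  else
    log "ServiceAccount fcc-ng-infra-backstage-k8s-sa has the correct permissions."
  fi
  log "Debug completed."
}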
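# Ask a yes/no question on stdout and read the answer from stdin.
# Arguments: $1 - question text, printed as-is
# Returns:   0 if the user typed exactly "y"; 1 otherwise (including EOF on stdin)
_confirm() {
  local response
  printf '%s\n' "$1"
  read -r response || return 1
  [[ "$response" == "y" ]]
}

# Returns 0 when a named AWS CLI profile exists (whole-name literal match, so a
# profile called "old-eks-profile" does not count as "eks-profile").
# Arguments: $1 - profile name
_profile_exists() {
  aws configure list-profiles | grep -Fxq -- "$1"
}

# Configure an AWS CLI profile interactively if it is missing.
# Arguments: $1 - profile name; $2 - label used in messages ("Backstage" / "EKS")
# Returns:   0 when the profile exists afterwards; exits via error_exit otherwise
_ensure_profile() {
  local profile=$1 label=$2
  _profile_exists "$profile" && return 0
  if _confirm "AWS profile for $label ($profile) not found. Do you want to configure it? (y/n)"; then
    aws configure --profile "$profile" || error_exit "Failed to configure $label AWS profile."
  else
    error_exit "$label AWS profile configuration required."
  fi
}

# Create the IAM role in the EKS account if it does not exist yet.
# Arguments: $1 - scratch directory for the generated trust policy
# Globals:   BACKSTAGE_ROLE_NAME, BACKSTAGE_ACCOUNT_ID, AWS_PROFILE_EKS (read)
_ensure_iam_role() {
  local workdir=$1 role_output trust_policy
  # Only a "NoSuchEntity" failure means "create it"; any other failure (expired
  # session, missing permission, missing CLI) must not be mistaken for either state.
  if role_output=$(aws iam get-role --role-name "$BACKSTAGE_ROLE_NAME" \
      --profile "$AWS_PROFILE_EKS" 2>&1); then
    return 0
  fi
  grep -q 'NoSuchEntity' <<<"$role_output" \
    || error_exit "Could not check IAM role $BACKSTAGE_ROLE_NAME in EKS account: $role_output"
  _confirm "IAM role $BACKSTAGE_ROLE_NAME does not exist in EKS account. Do you want to create it? (y/n)" \
    || error_exit "IAM role creation required."
  trust_policy="$workdir/trust-policy.json"
  cat > "$trust_policy" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::$BACKSTAGE_ACCOUNT_ID:role/$BACKSTAGE_ROLE_NAME"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
  aws iam create-role --role-name "$BACKSTAGE_ROLE_NAME" \
    --assume-role-policy-document "file://$trust_policy" \
    --profile "$AWS_PROFILE_EKS" || error_exit "Failed to create IAM role."
  # NOTE(review): AmazonEKSClusterPolicy is the managed policy intended for the EKS
  # control-plane service role and grants far more than the access test at the end
  # of this script needs; a policy limited to eks:DescribeCluster is likely enough
  # for a consumer role. Kept as written - confirm with the cluster owner.
  aws iam attach-role-policy --role-name "$BACKSTAGE_ROLE_NAME" \
    --policy-arn arn:aws:iam::aws:policy/AmazonEKSClusterPolicy \
    --profile "$AWS_PROFILE_EKS" || error_exit "Failed to attach policy to IAM role."
  log "IAM role created and policy attached successfully."
}

# Create the read-only ClusterRole and its ClusterRoleBinding if the binding is absent.
# Arguments: $1 - scratch directory for the generated manifest
# Globals:   BACKSTAGE_ACCOUNT_ID, BACKSTAGE_ROLE_NAME (read)
_ensure_rbac() {
  local workdir=$1 manifest
  kubectl get clusterrolebinding backstage-binding > /dev/null 2>&1 && return 0
  _confirm "ClusterRoleBinding backstage-binding does not exist. Do you want to create it? (y/n)" \
    || error_exit "Kubernetes RBAC creation required."
  manifest="$workdir/rbac.yaml"
  # Indentation inside the heredoc is significant: it is what makes "name:" belong
  # to "metadata:" and the rule fields belong to the single rule.
  cat > "$manifest" <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: backstage-role
rules:
  - apiGroups: [""]
    resources: ["pods", "services", "namespaces"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: backstage-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: backstage-role
subjects:
  # NOTE(review): this subject only matches if aws-auth maps the role to a Kubernetes
  # username equal to this ARN. The mapRoles entry written by _ensure_aws_auth uses
  # "backstage-user", so one of the two names should be aligned for the binding to apply.
  - kind: User
    name: arn:aws:iam::$BACKSTAGE_ACCOUNT_ID:role/$BACKSTAGE_ROLE_NAME
    apiGroup: rbac.authorization.k8s.io
EOF
  kubectl apply -f "$manifest" || error_exit "Failed to apply Kubernetes RBAC."
  log "Kubernetes RBAC created successfully."
}

# Add the Backstage role to the aws-auth ConfigMap's mapRoles if it is not there yet.
# The previous version dumped the whole ConfigMap and appended a second, top-level
# "mapRoles" key outside of .data, which is not a valid edit of the map. This version
# reads the current mapRoles string, appends the entry, and patches .data.mapRoles only.
# Arguments: $1 - scratch directory for the generated patch
# Globals:   BACKSTAGE_ACCOUNT_ID, BACKSTAGE_ROLE_NAME (read)
_ensure_aws_auth() {
  local workdir=$1 role_arn current patch
  role_arn="arn:aws:iam::$BACKSTAGE_ACCOUNT_ID:role/$BACKSTAGE_ROLE_NAME"
  kubectl get configmap -n kube-system aws-auth -o yaml | grep -Fq -- "$role_arn" && return 0
  _confirm "aws-auth config map does not have the required role mapping. Do you want to update it? (y/n)" \
    || error_exit "aws-auth config map update required."
  current=$(kubectl get configmap -n kube-system aws-auth -o jsonpath='{.data.mapRoles}') \
    || error_exit "Failed to read aws-auth config map."
  patch="$workdir/aws-auth-patch.yaml"
  {
    printf 'data:\n  mapRoles: |\n'
    {
      # Keep every existing mapping; an empty current value must not add a blank line.
      [[ -n "$current" ]] && printf '%s\n' "$current"
      # NOTE(review): system:masters is cluster-admin, which makes the read-only
      # backstage-role binding irrelevant in practice. Kept as the author wrote it -
      # review whether a narrower group is acceptable before using this on a real cluster.
      printf '%s\n' \
        "- rolearn: $role_arn" \
        "  username: backstage-user" \
        "  groups:" \
        "    - system:masters"
    } | sed 's/^/    /'
  } > "$patch"
  kubectl patch configmap aws-auth -n kube-system --type merge --patch-file "$patch" \
    || error_exit "Failed to update aws-auth config map."
  log "aws-auth config map updated successfully."
}

# Check the Backstage ServiceAccount and hand off to the user when the check fails.
# This step is manual by design; the script never edits the ServiceAccount's RBAC.
_check_service_account() {
  # NOTE(review): "auth can-i --list" only proves the impersonated query was allowed,
  # not that a particular permission exists; the namespace is spelled "fccs-..." while
  # the account is "fcc-..." - confirm both against the cluster.
  kubectl auth can-i --as=system:serviceaccount:fccs-ng-infra-backstage-prod:fcc-ng-infra-backstage-k8s-sa --list > /dev/null 2>&1 && return 0
  _confirm "ServiceAccount fcc-ng-infra-backstage-k8s-sa may not have the correct permissions. Do you want to update the permissions? (y/n)" \
    || error_exit "ServiceAccount permission update required."
  log "Please manually check and update the permissions for the ServiceAccount as necessary."
  # Manual step for user to ensure correct permissions
}

# Function to prompt user for fixing issues.
# Walks the same checks as debug(); for each missing piece asks before creating it
# and aborts (via error_exit) when the user declines or a command fails.
# Globals:   AWS_PROFILE_BACKSTAGE, AWS_PROFILE_EKS (read)
# Returns:   0 when every step passed
prompt_fix() {
  local workdir
  log "Prompting user for fixes..."
  # Generated policy and manifest files go to a private scratch directory instead of
  # the current directory and are removed when the script exits on any path.
  workdir=$(mktemp -d) || error_exit "Failed to create a temporary directory."
  trap "rm -rf -- '${workdir}'" EXIT
  _ensure_profile "$AWS_PROFILE_BACKSTAGE" "Backstage"
  _ensure_profile "$AWS_PROFILE_EKS" "EKS"
  _ensure_iam_role "$workdir"
  _ensure_rbac "$workdir"
  _ensure_aws_auth "$workdir"
  _check_service_account
  log "Fixes applied successfully."
}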
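# Run debug first
debug
# Prompt user for fixes if issues are found
printf '%s\n' "Do you want to apply fixes for the detected issues? (y/n)"
read -r response
if [[ "$response" == "y" ]]; then
  prompt_fix
else
  log "No fixes applied. Exiting."
fi

# Step 5: Test Access with kubectl
log "Testing access with kubectl..."
# The API endpoint cannot be built from the cluster name (EKS endpoints carry a
# generated identifier in the hostname), so ask the service for the endpoint and the
# cluster CA. The EKS profile is used because the cluster lives in that account; the
# Backstage profile is used only to mint the bearer token below.
cluster_info=$(aws eks describe-cluster --name "$EKS_CLUSTER_NAME" --region "$REGION" \
  --profile "$AWS_PROFILE_EKS" \
  --query '[cluster.endpoint,cluster.certificateAuthority.data]' --output text) \
  || error_exit "Failed to describe cluster $EKS_CLUSTER_NAME. Please check the EKS profile and region."
read -r cluster_endpoint cluster_ca <<<"$cluster_info"
# An explicitly supplied CA_KEY still wins; the "<CA_KEY>" placeholder is ignored.
if [[ -n "$CA_KEY" && "$CA_KEY" != "<CA_KEY>" ]]; then
  cluster_ca=$CA_KEY
fi
[[ -n "$cluster_endpoint" && "$cluster_endpoint" != "None" ]] \
  || error_exit "Could not determine the API endpoint for cluster $EKS_CLUSTER_NAME."
[[ -n "$cluster_ca" && "$cluster_ca" != "None" ]] \
  || error_exit "Could not determine the CA certificate for cluster $EKS_CLUSTER_NAME."
# kubectl reads the CA from a file; the CA certificate is public data, so a plain
# temporary file is sufficient.
ca_file=$(mktemp) || error_exit "Failed to create a temporary file for the cluster CA."
printf '%s' "$cluster_ca" | base64 --decode > "$ca_file" \
  || error_exit "Failed to decode the cluster CA certificate."
# NOTE(review): aws-auth maps the Backstage-account role ARN, so the token must be
# minted as that role. If the profile resolves to a different identity (e.g. an IAM
# user), pass --role-arn to get-token - confirm against the profile's configuration.
TOKEN=$(aws eks get-token --cluster-name "$EKS_CLUSTER_NAME" --profile "$AWS_PROFILE_BACKSTAGE" \
  --region "$REGION" --query 'status.token' --output text)
[[ -n "$TOKEN" && "$TOKEN" != "None" ]] \
  || error_exit "Failed to obtain a token for cluster $EKS_CLUSTER_NAME with profile $AWS_PROFILE_BACKSTAGE."
# --token places the bearer token on kubectl's command line, where other local users
# can read it from the process list for the duration of the call. Acceptable for a
# one-shot check on a workstation; use a kubeconfig with an exec credential plugin
# for anything longer-lived.
kubectl --server="$cluster_endpoint" \
  --certificate-authority="$ca_file" \
  --token="$TOKEN" \
  get namespaces || error_exit "Failed to get namespaces. Please check the configuration."
rm -f -- "$ca_file"
log "Access test successful. Setup completed."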