Simplified aws assume role

Author: robertnovac1

azure/new_pipelines/aws-assume-role-new-int.yml

@@ -0,0 +1,70 @@
+parameters:
+  - name: 'role'
+    type: string
+  - name: 'profile'
+    type: string
+    default: ''
+  - name: 'aws_account_id'
+    type: string
+
+steps:
+    - template: "azure/components/aws-clean-config.yml@common"
+
+    - bash: |
+        set -e
+        echo "##vso[task.setvariable variable=ROLE]${{ parameters.role }}"
+        echo "##vso[task.setvariable variable=AWS_ACCOUNT_ID]${{ parameters.aws_account_id }}"
+      displayName: get imms role name
+    - bash: |
+        set -e
+        aws_role="$(ROLE)"
+        echo "assume role: '${aws_role}'"
+        echo "account_id: $(AWS_ACCOUNT_ID)" 
+        
+        aws_role="arn:aws:iam::${account_id}:role/${aws_role}"
+        echo "AWS role: $aws_role"
+  
+        echo "Check if role exists"
+        # iam synchronisation issues can take a few to make the role appear
+        for i in {1..15}; do
+          if aws iam get-role --role-name ${aws_role} > /dev/null; then
+            echo role exists
+            sleep 2
+            break
+          fi
+          echo waiting for role ...
+          sleep 2
+        done
+        account_id="$(aws sts get-caller-identity --query Account --output text)"
+        aws_role="arn:aws:iam::${account_id}:role/${aws_role}"
+       
+        cp ~/.aws/config.default ~/.aws/config
+        tmp_file="$(Agent.TempDirectory)/.aws.tmp.creds.json"
+        # add some backoff to allow for eventual consistency of IAM
+        for i in {2..4};
+        do
+            if aws sts assume-role --role-arn "${aws_role}" --role-session-name build-assume-role > ${tmp_file}; then
+                echo assumed role
+                assumed_role="yes"
+                break
+            fi
+            let "sleep_for=$i*10";
+            sleep $sleep_for
+        done
+        if [[ "${assumed_role}" != "yes" ]]; then
+            echo "assume role failed"
+            exit -1
+        fi
+        echo "aws_access_key_id = $(jq -r .Credentials.AccessKeyId ${tmp_file})" >> ~/.aws/config
+        echo "aws_secret_access_key = $(jq -r .Credentials.SecretAccessKey ${tmp_file})" >> ~/.aws/config
+        echo "aws_session_token = $(jq -r .Credentials.SessionToken ${tmp_file})" >> ~/.aws/config
+        expiry=$(jq -r .Credentials.Expiration ${tmp_file})
+        echo "##vso[task.setvariable variable=ASSUME_ROLE_EXPIRY;]$expiry"
+        rm ${tmp_file}
+        profile="${{ parameters.profile }}"
+        if [[ ! -z "${profile}" ]]; then
+          echo as profile ${profile}
+          sed -i "s#\[default\]#\[profile ${profile}\]#" ~/.aws/config
+        fi
+      displayName: assume role
+      condition: and(succeeded(), ne(variables['ROLE'], ''))

azure/new_pipelines/deploy-int-job.yml

@@ -37,16 +37,16 @@ steps:
     displayName: Setup pytests
     condition: always()
 
-  - template: ./aws-assume-role.yml
+  - template: ./aws-assume-role-new-int.yml
     parameters:
       role: "auto-ops"
-      profile: "apim-dev"
-      aws_account: ${{ parameters.aws_account_type }}
+      profile: "apim-dev" # centralise 
+      aws_account_id: "084828561157"
 
   - bash: |
       set -e
       if ! [[ $APIGEE_ENVIRONMENT =~ .*-*sandbox ]]; then
-        export AWS_PROFILE=apim-dev
+        export AWS_PROFILE=apim-dev 
         aws_account_no="$(aws sts get-caller-identity --query Account --output text)"
 
         service_name=$(FULLY_QUALIFIED_SERVICE_NAME)
@@ -121,13 +121,15 @@ steps:
       fi
     displayName: Wait for API to be available
     workingDirectory: "$(Pipeline.Workspace)/s/$(SERVICE_NAME)/$(SERVICE_ARTIFACT_NAME)"
+    condition: eq(1, 2)
 
   - bash: |
       pyenv install -s 3.10.8
       pyenv install -s 3.11.11
       pyenv global 3.10.8
       python --version
     displayName: Install python 3.10 and 3.11
+    condition: eq(1, 2)
 
   - bash: |
       set -e
@@ -224,3 +226,4 @@ steps:
     inputs:
       testResultsFiles: '$(Pipeline.Workspace)/s/$(SERVICE_NAME)/$(SERVICE_ARTIFACT_NAME)/tests/test-report.xml'
       failTaskOnFailedTests: true
+    condition: eq(1, 2)