[NDR-316] Added Makefile entry and improved error handling

tim-knight-nhs · tim-knight-nhs · commit 782000054eaf · 2025-11-27T15:08:29.000Z
diff --git a/makefile b/makefile
@@ -4,7 +4,7 @@ help: ## This help message
 	@grep -E --no-filename '^[a-zA-Z-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-42s\033[0m %s\n", $$1, $$2}'
 
 .PHONY: Install
-install:	## Run NPM install 
+install:	## Run NPM install
 	cd ./infrastructure && npm install
 
 # Formatting
@@ -33,3 +33,23 @@ init-bootstrap: ## Run Bootstrap terraform
 .PHONY: apply-bootstrap
 apply-bootstrap:	## Apply Bootstrap terraform
 	cd ./bootstrap && terraform apply
+
+
+# Export current github role permissions
+# Pass in an aliases variable containing account IDs you need to mask.
+# e.g. make export-dev-github-role aliases="123456789012=account 555555555555=other_account"
+.PHONY: export-dev-github-role
+export-dev-github-role:
+	python ./scripts/export_role_policies.py dev github-actions-dev-role ${aliases}
+
+.PHONY: export-pre-prod-github-role
+export-pre-prod-github-role:
+	python ./scripts/export_role_policies.py pre-prod Github-Actions-pre-prod-role ${aliases}
+
+.PHONY: export-prod-github-role
+export-prod-github-role:
+	python ./scripts/export_role_policies.py prod github-access-role ${aliases}
+
+.PHONY: export-test-github-role
+export-test-github-role:
+	python ./scripts/export_role_policies.py test github-action-role ${aliases}
diff --git a/scripts/export_role_policies.py b/scripts/export_role_policies.py
@@ -7,6 +7,9 @@
 Sensitive account IDs can be found/replaced with aliases using the command line arguments.
 The replaced values will be in the format ${alias}.
 
+Prerequisite:
+  You must be logged in to an active SSO session.
+
 Usage:
   scripts/python export_role_policies.py <environment> <role_name> [<find>=<replace> ...]
 
@@ -24,9 +27,16 @@
 
 def list_role_policies(client, role_name: str) -> list:
     inline_policies = []
-    paginator = client.get_paginator('list_role_policies')
-    for page in paginator.paginate(RoleName=role_name):
-        inline_policies.extend(page['PolicyNames'])
+    try:
+        paginator = client.get_paginator('list_role_policies')
+        for page in paginator.paginate(RoleName=role_name):
+            inline_policies.extend(page['PolicyNames'])
+    except client.exceptions.UnauthorizedSSOTokenError as err:
+        print(f"A valid SSO session is required.\n{err}\n", file=sys.stderr)
+        sys.exit(2)
+    except client.exceptions.NoSuchEntityException as err:
+        print(f"{err}\nAre you using the correct AWS Profile?", file=sys.stderr)
+        sys.exit(2)
     return inline_policies
 
 
