Initial commit

Author: markpeek

LICENSE

@@ -0,0 +1,23 @@
+Copyright (c) 2017, Mark Peek <mark@peek.org>
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this
+  list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright notice,
+  this list of conditions and the following disclaimer in the documentation
+  and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

README.md

@@ -0,0 +1,37 @@
+# AWSAdminAccess
+
+In a lot of organizations there is a master AWS account and then
+other accounts are added via consolidated billing. To better manage
+the assets it is usually good to add a AdministratorAccess role to
+the sub-account to allow the master account to monitor and control
+costs on the sub-accounts. AWSAdminAccess provides a quick and easy
+way to setup a trust policy for the AdministratorAccess.
+
+## Running AWSAdminAccess
+
+Download a binary for your system from the Releases page. You will
+need to know the role name you want to create and the account number
+of the master account.
+
+```
+AWSAdminAccess -r MasterAccountAccess -a 123456789012
+```
+
+## Building
+
+To build the binaries it is preferable to use a docker build environment for
+consistency. First build the docker buildn environment:
+
+```
+docker build -f build/Dockerfile-buildenv -t cloudtools:AWSAdminAccess-buildenv .
+```
+
+Next install the vendor package using glide:
+```
+glide install
+```
+
+And then build the binaries:
+```
+docker run -v `pwd`:/go/src/github.com/cloudtools/AWSAdminAccess -t cloudtools:AWSAdminAccess-buildenv bash -x build/build.sh
+```

build/Dockerfile-buildenv

@@ -0,0 +1,21 @@
+FROM vmware/photon:latest
+MAINTAINER Mark Peek <mark@peek.org>
+LABEL Description="Photon environment" Vendor="Cloudtools"
+
+ENV GOLANG_VERSION 1.8.1
+ENV GOLANG_BIN_URL https://storage.googleapis.com/golang/go$GOLANG_VERSION.linux-amd64.tar.gz
+ENV GOLANG_BIN_SHA256 a579ab19d5237e263254f1eac5352efcf1d70b9dacadb6d6bb12b0911ede8994
+
+RUN tdnf makecache
+RUN tdnf install -y git gzip tar && \
+    tdnf clean all
+
+RUN curl -s -o golang.tar.gz "$GOLANG_BIN_URL" && \
+    echo "$GOLANG_BIN_SHA256  golang.tar.gz" | sha256sum -c - && \
+    tar -C /usr/local -xzf golang.tar.gz && \
+    rm -f golang.tar.gz
+
+ENV GOPATH /go
+ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH
+RUN mkdir -p $GOPATH/src/github.com/cloudtools/AWSAdminAccess
+WORKDIR $GOPATH/src/github.com/cloudtools/AWSAdminAccess

build/build.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+ARCHITECTURES=amd64
+OPERATING_SYSTEMS="linux darwin"
+for GOARCH in $ARCHITECTURES; do
+    for GOOS in $OPERATING_SYSTEMS; do
+        GOOS=$GOOS GOARCH=$GOARCH go build -o AWSAdminAccess-$GOOS-$GOARCH
+        gzip -f AWSAdminAccess-$GOOS-$GOARCH
+    done
+done

glide.lock

@@ -0,0 +1,8 @@
+package: github.com/markpeek/AWSAdminAccess
+import:
+- package: github.com/aws/aws-sdk-go
+  version: ^1.8.11
+  subpackages:
+  - aws
+  - aws/session
+  - service/iam

glide.yaml

@@ -0,0 +1,90 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"os"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/session"
+	"github.com/aws/aws-sdk-go/service/iam"
+)
+
+var policyArn = "arn:aws:iam::aws:policy/AdministratorAccess"
+var assumeRoleDocument = `{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "arn:aws:iam::%s:root"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}`
+
+func main() {
+	var account, role string
+
+	flag.StringVar(&account, "a", "", "Account to trust")
+	flag.StringVar(&role, "r", "", "Role name to create")
+	flag.Parse()
+
+	if account == "" {
+		fmt.Printf("Must specify account option\n")
+		os.Exit(0)
+	}
+
+	if role == "" {
+		fmt.Printf("Must specify role name option\n")
+		os.Exit(0)
+	}
+
+	sess := session.Must(session.NewSession())
+	svc := iam.New(sess)
+
+	// First see if the role already exists
+	params := &iam.GetRoleInput{
+		RoleName: aws.String(role),
+	}
+	_, err := svc.GetRole(params)
+	if err == nil {
+		fmt.Printf("Role %s already exists\n", role)
+		os.Exit(0)
+	}
+
+	// Make sure the policy exists before creating the role
+	policyParams := &iam.GetPolicyInput{
+		PolicyArn: aws.String(policyArn),
+	}
+	_, err = svc.GetPolicy(policyParams)
+	if err != nil {
+		fmt.Printf("Policy %s does not exist: %v\n", policyArn, err)
+		os.Exit(0)
+	}
+
+	// Create the role with a trust policy document
+	assumeRoleString := fmt.Sprintf(assumeRoleDocument, account)
+	roleParams := &iam.CreateRoleInput{
+		AssumeRolePolicyDocument: aws.String(assumeRoleString),
+		RoleName:                 aws.String(role),
+	}
+	roleOutput, err := svc.CreateRole(roleParams)
+	if err != nil {
+		fmt.Printf("Cannot create role %s\n", err)
+		os.Exit(0)
+	}
+
+	// Attach the role policy onto the role
+	_, err = svc.AttachRolePolicy(&iam.AttachRolePolicyInput{
+		PolicyArn: aws.String(policyArn),
+		RoleName:  aws.String(role),
+	})
+	if err != nil {
+		fmt.Printf("AttachRolePolicy failed: %v\n", err)
+		os.Exit(0)
+	}
+
+	fmt.Printf("Role %s created - ARN: %s\n", role, *roleOutput.Role.Arn)
+}