This repository was archived by the owner on Nov 8, 2021. It is now read-only.

Commit 4d26a8f

Browse files
committed
adjusted documentation and showcase to new install script
1 parent e5e8d3c commit 4d26a8f


2 files changed

+75
-7
lines changed


README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -44,7 +44,7 @@ A picture is worth a thousand words:
4444
1. Click the **Upload SSH public key** button at the bottom of the page
4545
1. Paste your public SSH key into the text-area and click the **Upload SSH public key** button to save
4646
1. Attach the IAM permissions defined in `iam_ssh_policy.json` to the EC2 instances (by creating an IAM role and an Instance Profile)
47-
1. Run the `install.sh` script as `root` on the EC2 instances
47+
1. Run the `install.sh` script as `root` on the EC2 instances. Run `install.sh -h` for help.
4848
1. Connect to your EC2 instances now using `ssh $Username@$PublicName` with `$Username` being your IAM user, and `$PublicName` being your server's name or IP address
4949

5050
## IAM user names and Linux user names
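Review bot: the new README step only points the reader at `install.sh -h`, but the showcase hunks in this same commit replace the old "uncomment this sed line" configuration with the `-i`, `-s`, `-l` and `-a` flags, so the README is now the only place a user would look for how to restrict SSH access to an IAM group or grant sudo. Consider listing the four flags with one-line meanings right here, e.g. "`-i GROUP,GROUP` IAM groups allowed to log in, `-s GROUP` IAM group given sudo (`##ALL##` for everyone), `-l GROUP,GROUP` local UNIX groups to add users to, `-a ARN` role to assume for a cross-account user list", so that a reader does not have to run the script on an instance to discover them.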

showcase.yaml

Lines changed: 74 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -118,6 +118,62 @@ Resources:
118118
content: !Sub |
119119
#!/bin/bash -e
120120
121+
show_help() {
122+
cat << EOF
123+
Usage: ${0##*/} [-hv] [-a ARN] [-i GROUP,GROUP,...] [-l GROUP,GROUP,...] [-s GROUP]
124+
Install import_users.sh and authorized_key_commands.
125+
126+
-h display this help and exit
127+
-v verbose mode.
128+
129+
-a arn AssumeRole ARN to get users from another AWS account
130+
-i group,group Comma seperated list of IAM groups that should have ssh access
131+
-l group,group Comma seperated list of UNIX groups to add the users to
132+
-s group IAM group that should have sudo access. use ##ALL## if all users need it
133+
134+
135+
EOF
136+
}
137+
138+
IAM_GROUPS=""
139+
SUDO_GROUP=""
140+
LOCAL_GROUPS=""
141+
ASSUME_ROLE=""
142+
143+
while getopts :hva:i:l:s: opt
144+
do
145+
case $opt in
146+
h)
147+
show_help
148+
exit 0
149+
;;
150+
i)
151+
IAM_GROUPS="$OPTARG"
152+
;;
153+
s)
154+
SUDO_GROUP="$OPTARG"
155+
;;
156+
l)
157+
LOCAL_GROUPS="$OPTARG"
158+
;;
159+
v)
160+
set -x
161+
;;
162+
a)
163+
ASSUME_ROLE="$OPTARG"
164+
;;
165+
\?)
166+
echo "Invalid option: -$OPTARG" >&2
167+
show_help
168+
exit 1
169+
;;
170+
:)
171+
echo "Option -$OPTARG requires an argument." >&2
172+
show_help
173+
exit 1
174+
esac
175+
done
176+
121177
tmpdir=$(mktemp -d)
122178
123179
cd "$tmpdir"
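Review bot: `Usage: ${0##*/} ...` in `show_help` sits inside the `content: !Sub |` block (context line 118), and `!Sub` treats every `${...}` as a template variable reference, so `${0##*/}` will be rejected at template validation (Fn::Sub variable names may only contain alphanumerics, underscores, periods and colons); the same applies to the `"${IAM_GROUPS}"`, `"${SUDO_GROUP}"`, `"${LOCAL_GROUPS}"` and `"${ASSUME_ROLE}"` expansions added in the next hunk, which CloudFormation will try to resolve as unknown variables. Either escape them for the template (`${!0##*/}`, `"${!IAM_GROUPS}"`, ...) or drop the braces where bash allows it (`"$IAM_GROUPS"`), as the hunk already does for `$OPTARG` and `$opt`. Two smaller points on the same block: `set -x` under `-v` will echo the `sed` commands including the substituted group names and ARN into the cloud-init log, which is worth a note in the help text, and a `shift $((OPTIND-1))` after the `done` would make any later positional handling safe.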
@@ -133,24 +189,36 @@ Resources:
133189
# changing GROUPNAMES to a comma seperated list of IAM groups you want to sync.
134190
# You can specify 1 or more groups, comma seperated, without spaces.
135191
# If you leave it blank, all IAM users will be synced.
136-
#sudo sed -i 's/IAM_AUTHORIZED_GROUPS=""/IAM_AUTHORIZED_GROUPS="GROUPNAMES"/' /opt/import_users.sh
192+
if [ "${IAM_GROUPS}" != "" ]
193+
then
194+
sed -i "s/IAM_AUTHORIZED_GROUPS=\"\"/IAM_AUTHORIZED_GROUPS=\"${IAM_GROUPS}\"/" /opt/import_users.sh
195+
fi
137196
138197
# To control which users are given sudo privileges, uncomment the line below
139198
# changing GROUPNAME to either the name of the IAM group for sudo users, or
140199
# to ##ALL## to give all users sudo access. If you leave it blank, no users will
141200
# be given sudo access.
142-
#sudo sed -i 's/SUDOERSGROUP=""/SUDOERSGROUP="GROUPNAME"/' /opt/import_users.sh
201+
if [ "${SUDO_GROUP}" != "" ]
202+
then
203+
sed -i "s/SUDOERSGROUP=\"\"/SUDOERSGROUP=\"${SUDO_GROUP}\"/" /opt/import_users.sh
204+
fi
143205
144206
# To control which local groups a user will get, uncomment the line belong
145207
# changing GROUPNAMES to a comma seperated list of local UNIX groups.
146208
# If you live it blank, this setting will be ignored
147-
#sudo sed -i 's/LOCAL_GROUPS=""/LOCAL_GROUPS="GROUPNAMES"/' /opt/import_users.sh
209+
if [ "${LOCAL_GROUPS}" != "" ]
210+
then
211+
sed -i "s/LOCAL_GROUPS=\"\"/LOCAL_GROUPS=\"${LOCAL_GROUPS}\"/" /opt/import_users.sh
212+
fi
148213
149214
# If your IAM users are in another AWS account, put the AssumeRole ARN here.
150215
# replace the word ASSUMEROLEARN with the full arn. eg 'arn:aws:iam::$accountid:role/$role'
151216
# See docs/multiawsaccount.md on how to make this work
152-
sudo sed -i 's/ASSUMEROLE=""/ASSUMEROLE="${AssumeRole}"/' /opt/import_users.sh
153-
sudo sed -i 's/ASSUMEROLE=""/ASSUMEROLE="${AssumeRole}"/' /opt/authorized_keys_command.sh
217+
if [ "${ASSUME_ROLE}" != "" ]
218+
then
219+
sed -i "s/ASSUMEROLE=\"\"/ASSUMEROLE=\"${ASSUME_ROLE}\"/" /opt/import_users.sh
220+
sed -i "s/ASSUMEROLE=\"\"/ASSUMEROLE=\"${ASSUME_ROLE}\"/" /opt/authorized_keys_command.sh
221+
fi
154222
155223
sed -i 's:#AuthorizedKeysCommand none:AuthorizedKeysCommand /opt/authorized_keys_command.sh:g' /etc/ssh/sshd_config
156224
sed -i 's:#AuthorizedKeysCommandUser nobody:AuthorizedKeysCommandUser nobody:g' /etc/ssh/sshd_config
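Review bot: the `sed -i "s/ASSUMEROLE=\"\"/ASSUMEROLE=\"${ASSUME_ROLE}\"/"` lines use `/` as the `s` delimiter, but the value is an ARN, and the comment two lines above gives the expected shape `arn:aws:iam::$accountid:role/$role`, which contains a `/`; sed will then fail with "unknown option to `s'" and, because the script runs under `bash -e`, abort the whole install. Use a delimiter that cannot appear in the value, as the `sshd_config` edits below already do with `:` (e.g. `sed -i "s|ASSUMEROLE=\"\"|ASSUMEROLE=\"${ASSUME_ROLE}\"|"`); the same hardening is cheap for the group lists. Separately, the unchanged comments above each new `if` block still say "uncomment the line below" and "replace the word ASSUMEROLEARN", which no longer describes anything in the file; rewording them to name the corresponding flag (`-i`, `-s`, `-l`, `-a`) and fixing "seperated" and "live it blank" while here would keep the generated `install.sh` readable.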
@@ -166,7 +234,7 @@ Resources:
166234
group: root
167235
commands:
168236
a_install:
169-
command: './install.sh'
237+
command: !Sub './install.sh -a ${AssumeRole}'
170238
cwd: '/opt'
171239
services:
172240
sysvinit:
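Review bot: `!Sub './install.sh -a ${AssumeRole}'` passes the parameter unquoted, so if `AssumeRole` is allowed to be empty (the replaced line 152 tolerated an empty `${AssumeRole}` by writing `ASSUMEROLE=""`), the command becomes `./install.sh -a` with no argument, `getopts` takes the `:)` branch and exits 1, and `cfn-init` fails the stack. Quoting the value, `!Sub './install.sh -a "${AssumeRole}"'`, turns an empty parameter into an empty argument, which the script's `[ "${ASSUME_ROLE}" != "" ]` check already handles; alternatively, make the parameter mandatory in the template and say so in the README.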
