Add support for EC2 Tags (#74)

sistemi-etime · michaelwittig · commit 97bae1538f97 · 2017-07-28T13:24:51.000+02:00
* Add support to EC2 Tags
diff --git a/README.md b/README.md
@@ -62,7 +62,8 @@ A picture is worth a thousand words:
    5. Paste your public SSH key into the text-area and click the **Upload SSH public key** button to save
 2. Attach the IAM permissions defined in `iam_ssh_policy.json` to the EC2 instances (by creating an IAM role and an Instance Profile)
 3. Run the `install.sh` script as `root` on the EC2 instances. Run `install.sh -h` for help.
-4. Connect to your EC2 instances now using `ssh $Username@$PublicName` with `$Username` being your IAM user, and `$PublicName` being your server's name or IP address
+4. The configuration file is placed into `/etc/aws-ec2-ssh.conf`
+5. Connect to your EC2 instances now using `ssh $Username@$PublicName` with `$Username` being your IAM user, and `$PublicName` being your server's name or IP address
 
 ## IAM user names and Linux user names
 
@@ -92,8 +93,10 @@ one or more of the following lines:
 
 ```
 ASSUMEROLE="IAM-role-arn"                      # IAM Role ARN for multi account. See below for more info
-IAM_AUTHORIZED_GROUPS="GROUPNAMES"             # Comma seperated list of IAM groups to import
+IAM_AUTHORIZED_GROUPS="GROUPNAMES"             # Comma separated list of IAM groups to import
 SUDOERS_GROUPS="GROUPNAMES"                    # Comma seperated list of IAM groups that should have sudo access
+IAM_AUTHORIZED_GROUPS_TAG="KeyTag"             # Key Tag of EC2 that contains a Comma separated list of IAM groups to import - IAM_AUTHORIZED_GROUPS_TAG will override IAM_AUTHORIZED_GROUPS, you can use only one of them 
+SUDOERS_GROUPS_TAG="KeyTag"                    # Key Tag of EC2 that contains a Comma separated list of IAM groups that should have sudo access - SUDOERS_GROUPS_TAG will override SUDOERS_GROUPS, you can use only one of them
 SUDOERSGROUP="GROUPNAME"                       # Deprecated! IAM group that should have sudo access. Please use SUDOERS_GROUPS as this variable will be removed in future release.
 LOCAL_MARKER_GROUP="iam-synced-users"          # Dedicated UNIX group to mark imported users. Used for deleting removed IAM users
 LOCAL_GROUPS="GROUPNAMES"                      # Comma seperated list of UNIX groups to add the users in
diff --git a/iam_ssh_policy.json b/iam_ssh_policy.json
@@ -22,6 +22,16 @@
       "Resource": [
         "arn:aws:iam::<YOUR_USERS_ACCOUNT_ID_HERE>:user/*"
       ]
+    },
+    {
+        "Sid": "Stmt1500475854000",
+        "Effect": "Allow",
+        "Action": [
+            "ec2:DescribeTags"
+        ],
+        "Resource": [
+            "*"
+        ]
     }
   ]
 }
diff --git a/import_users.sh b/import_users.sh
@@ -44,6 +44,11 @@ fi
 # Possibility to provide custom useradd arguments
 : ${USERADD_ARGS:="--create-home --shell /bin/bash"}
 
+# Initizalize INSTANCE and REGION variables
+INSTANCE_ID=$(curl -s http://instance-data//latest/meta-data/instance-id)
+REGION=$(curl -s http://instance-data//latest/dynamic/instance-identity/document | jq -r .region)
+
+
 function log() {
     /usr/bin/logger -i -p auth.info -t aws-ec2-ssh "$@"
 }
@@ -66,6 +71,20 @@ function setup_aws_credentials() {
     fi
 }
 
+# Get list of iam groups from tag
+function get_iam_groups_from_tag() {
+    if [ "${IAM_AUTHORIZED_GROUPS_TAG}" ]
+    then
+        IAM_AUTHORIZED_GROUPS=$(\
+            aws ec2 describe-tags \
+            --filters "Name=resource-id,Values=$INSTANCE_ID" "Name=key,Values=$IAM_AUTHORIZED_GROUPS_TAG" \
+            --region=$REGION \
+            --output=json \
+            | jq -r .Tags[0].Value \
+        )
+    fi
+}
+
 # Get all IAM users (optionally limited by IAM groups)
 function get_iam_users() {
     local group
@@ -102,6 +121,20 @@ function get_local_users() {
         | sed "s/,/ /g"
 }
 
+# Get list of IAM groups marked with sudo access from tag
+function get_sudoers_groups_from_tag() {
+    if [ "${SUDOERS_GROUPS_TAG}" ]
+    then
+        SUDOERS_GROUPS=$(\
+            aws ec2 describe-tags \
+            --filters "Name=resource-id,Values=$INSTANCE_ID" "Name=key,Values=$SUDOERS_GROUPS_TAG" \
+            --region=$REGION \
+            --output=json \
+            | jq -r .Tags[0].Value \
+        )
+    fi
+}
+
 # Get IAM users of the groups marked with sudo access
 function get_sudoers_users() {
     local group
@@ -211,6 +244,10 @@ function sync_accounts() {
     local removed_users
     local user
 
+    # init group and sudoers from tags
+    get_iam_groups_from_tag
+    get_sudoers_groups_from_tag
+
     iam_users=$(get_clean_iam_users | sort | uniq)
     sudo_users=$(get_clean_sudoers_users | sort | uniq)
     local_users=$(get_local_users | sort | uniq)

Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,16 @@`
`22`	`22`	`"Resource": [`
`23`	`23`	`"arn:aws:iam::<YOUR_USERS_ACCOUNT_ID_HERE>:user/*"`
`24`	`24`	`]`
	`25`	`+ },`
	`26`	`+ {`
	`27`	`+ "Sid": "Stmt1500475854000",`
	`28`	`+ "Effect": "Allow",`
	`29`	`+ "Action": [`
	`30`	`+ "ec2:DescribeTags"`
	`31`	`+ ],`
	`32`	`+ "Resource": [`
	`33`	`+ "*"`
	`34`	`+ ]`
`25`	`35`	`}`
`26`	`36`	`]`
`27`	`37`	`}`