IOPZ-1445 Make create-k8s-chained-sessions.sh idempotent #11
Conversation
| @@ -8,7 +8,6 @@ | |||
|
|
|||
| # global variables | |||
| declare PROFILE_ID | |||
| declare CHAINED_SESSION_IDS="name,id\n" | |||
There was a problem hiding this comment.
I don't think we ever used this output so I removed it.
There was a problem hiding this comment.
I'm fine with removing it if you want, but I will say I put this in here as a convenience output to transpose specific session ids to my .zshenv so I can more easily start specific sessions. That might be references in panopedia as something you can do as well
There was a problem hiding this comment.
I double checked panopedia and couldn't find any references to this in the active pages we have, so we should be fine there
| @@ -20,37 +19,53 @@ declare REGION='us-east-1' | |||
| function createLeappSession { | |||
| parent_session_name=$1 | |||
| chained_session_name="chained-from-${parent_session_name}" | |||
| echo "starting session for ${parent_session_name} to get role arn" | |||
| # this has funky piping because `--filter` is a fuzzy lookup and `panorama-k8s-playground` fuzzy matches `panorama-k8s-playground-2` as the first result | |||
There was a problem hiding this comment.
I learned in school-supplies that you can use regex anchors (e.g. ^ and $) in --filter, so I moved this to a helper function and used that instead of sort | sed | awk.
JacobEvelyn
force-pushed
the
IOPZ-1445/idempotent-leapp-setup
branch
3 times, most recently
from
6238f1e to
b24e855
Compare
There was a problem hiding this comment.
I ran the script initially with my full setup and it correctly did not attempt to create any new chained sessions.
However, I deleted all my chained sessions and ran the script and it no longer creates new chained sessions. I get the following output for each account
looking for existing session chained-from-panorama-k8s-playground
no existing session found; starting session for panorama-k8s-playground to get role arn
› Error: No sessions found
Unable to locate credentials. You can configure credentials by running "aws configure".
› Error: No sessions found
creating new profile
› Error: Profile already exists
creating new session
When the script completed, I checked leapp and had no chained sessions still.
The final test I ran was to delete all the profiles and re-run the script to get a full (I think) blank slate run. This correctly created each profile, but again did not successfully create sessions.
I believe the reason it fails now is because we had Security squad add additional SSO roles to each k8s account (PanoramaK8sEngineeringDefault and EmergencyOnly were added in addition to the existing AWSAdministratorAccess). Unfortunately, Leapp doesn't allow filtering by multiple columns so I think we will need to continue doing some form of grepping to get the leapp profile with the appropriate role. Another option could be to restructure the session names to guarantee uniqueness, but I'm not sure how that syncing works so we'd have to figure that out, or ask security squad/#leapp-discussion for some assistance.
| @@ -61,8 +76,5 @@ PARENT_SESSION_NAMES="panorama-k8s-playground panorama-k8s-playground-2 panorama | |||
|
|
|||
| for session in $PARENT_SESSION_NAMES | |||
There was a problem hiding this comment.
Could you remove panorama-k8s-integration from the PARENT_SESSION_NAMES array as part of this? that env no longer exists.
| } | ||
|
|
||
| # function to create a leapp profile to associate with the chained k8s sessions | ||
| # stores the new profile id in PROFILE_ID | ||
| function createLeappProfile { | ||
| # The ^ and $ in the session filter are regex anchors to ensure we don't |
There was a problem hiding this comment.
This comment mentions the reg-ex anchors, but I don't see them used in the code directly below it within this function. Could that either be added into profile_name or the comment moved directly above the PROFILE_ID assignment? Not sure if it's a huge deal, it might just be confusing because I'm looking at it in the diff with the removed code as well...
| @@ -8,7 +8,6 @@ | |||
|
|
|||
| # global variables | |||
| declare PROFILE_ID | |||
| declare CHAINED_SESSION_IDS="name,id\n" | |||
There was a problem hiding this comment.
I double checked panopedia and couldn't find any references to this in the active pages we have, so we should be fine there
Pat-Ayres
force-pushed
the
IOPZ-1445/idempotent-leapp-setup
branch
from
be8481a to
0863048
Compare
Pat-Ayres
dismissed
their stale review
I have now contributed changes per my review
Pat-Ayres
force-pushed
the
IOPZ-1445/idempotent-leapp-setup
branch
from
3019979 to
662e671
Compare
create-k8s-chained-sessions.sh
Outdated
| # Do not run this script more than once without resetting your Leapp | ||
| # instance beforehand. |
There was a problem hiding this comment.
Does this warning still apply now that this is idempotent?
| # stop the leapp session | ||
| leapp session stop --sessionId $parent_session_id | ||
| parent_role_name=$2 | ||
| chained_role_name=$3 |
There was a problem hiding this comment.
Can this argument be added to the documentation list above the function?
| # check if the parent session exists for the role. We do this because | ||
| # regular developers won't have the AWSAdministratorAccess role, so we | ||
| # don't want to create a chained session for them. | ||
| parent_session_id=$(leappSessionId "$parent_session_name" "$parent_role_name") | ||
| if [[ -z "${parent_session_id}" ]]; then |
There was a problem hiding this comment.
What's the relationship between the parent session and the AWSAdministratrAccess role?
Are the non-admin sessions not chained, meaning only admins would ever need to run this?
There was a problem hiding this comment.
Regular developers will have the parent session for PanoramaK8sDefaultEngineering role, AWSAdministratorAccess is an example of a case where the parent doesn't exist, so we just skip it.
There was a problem hiding this comment.
Ah is it just to avoid erroring out when folks without access to that role run the script?
| PROFILE_ID=$(leapp profile list --columns=ID --filter="Profile Name=${profile_name}" --no-header) | ||
| profile_id=$(leapp profile list -x --output json --filter="Profile Name=^${profile_name}$" | jq -r '.[].id') | ||
| if [[ -n "${profile_id}" ]]; then | ||
| echo "${profile_id}" |
There was a problem hiding this comment.
Does this just output a UUID? I'm wondering if it would be clearer if it was something like:
echo "Profile ${profile_name} already exists with id: ${profile_id}"There was a problem hiding this comment.
It doesn't actually output anything, echo is used here to return the value of the existing profile id from the function so we can use it in the session creation.
This commit makes the `create-k8s-chained-sessions.sh` script idempotent (it no longer breaks or behaves weirdly if some or all chained sessions already exist). In addition, it tidies up some aspects of the script, removes unnecessary output, and makes improvements so the script now passes the ShellCheck linter. fixed a bug in leapp filtering now that there are multiple sso sessions with the same name per account. Also updated the script to create chained sessions for each of the k8s developer "profiles" we have i.e. "reader", "writer", and "admin" depending on what base sso roles the user has. fixed bugs in profile lookup. Removed integration env refactored profile creation cleaned up log output
Pat-Ayres
force-pushed
the
IOPZ-1445/idempotent-leapp-setup
branch
from
5247990 to
d39a6ec
Compare
This commit makes the
create-k8s-chained-sessions.shscript idempotent (it no longer breaks or behaves weirdly if some or all chained sessions already exist). In addition, it tidies up some aspects of the script, removes unnecessary output, and makes improvements so the script now passes the ShellCheck linter.