-
Notifications
You must be signed in to change notification settings - Fork 3
Expand file tree
/
Copy pathtasks
More file actions
executable file
·435 lines (376 loc) · 13 KB
/
tasks
File metadata and controls
executable file
·435 lines (376 loc) · 13 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
#!/usr/bin/env bash
set -Eeo pipefail
export AWS_DEFAULT_REGION=eu-west-2
NHS_SERVICE=deductions-infra
DEDUCTIONS_INFRA_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
function check_env {
if [[ -z "${NHS_ENVIRONMENT}" ]]; then
echo "Must set NHS_ENVIRONMENT"
exit 1
fi
}
function tf_init {
check_env
cd "${DEDUCTIONS_INFRA_DIR}/terraform/"
terraform init -reconfigure \
-backend-config key="${NHS_SERVICE}-${NHS_ENVIRONMENT}/terraform.tfstate" \
-backend-config bucket="prm-deductions-${NHS_ENVIRONMENT}-terraform-state" \
-backend-config dynamodb_table="prm-deductions-${NHS_ENVIRONMENT}-terraform-table" \
-backend-config region=${AWS_DEFAULT_REGION}
}
function configure_tf_plan_filename {
certs=$1
if [[ "${certs}" == "true" ]]; then
export TF_PLAN_FILENAME="certs_deployment.tfplan"
else
export TF_PLAN_FILENAME="deployment.tfplan"
fi
}
function _get_aws_ssm_secret {
secret_id=$1
json=$(aws ssm get-parameter --with-decryption --region "eu-west-2" --name $secret_id)
if [ $? != 0 ]; then
>&2 echo "Failed to obtain AWS secret from SSM: $secret_id"
exit $EXIT_CODE_GENERAL_FAILURE
fi
echo $json | jq -r ".Parameter.Value"
}
function tf_plan {
check_env
operation=$1
certs=$2
TARGET=""
cd "${DEDUCTIONS_INFRA_DIR}/terraform/"
if [[ "${certs}" == "true" ]]; then
TARGET="-target=module.deductions-private.aws_acm_certificate.mq-admin-cert"
fi
configure_tf_plan_filename $certs
aws_account_arn=$(aws sts get-caller-identity | jq -r .Arn)
if [[ $aws_account_arn =~ "gocd_agent-prod" || $aws_account_arn =~ "Deployer" ]]; then
COMMON_ACCOUNT_ROLE="CiToEnvLinker"
else
COMMON_ACCOUNT_ROLE="CiReadOnly"
fi
echo "Instructing terraform to assume ${COMMON_ACCOUNT_ROLE} role for cross account actions"
COMMON_ACCOUNT_ID=$(_get_aws_ssm_secret "/repo/ci/user-input/external/aws-account-id")
tf_init
terraform get # modules
if [[ "${operation}" == "create" ]]; then
terraform plan -var common_account_id=${COMMON_ACCOUNT_ID} -var common_account_role=${COMMON_ACCOUNT_ROLE} -var-file=${NHS_ENVIRONMENT}.tfvars $TARGET -out="${TF_PLAN_FILENAME}"
elif [[ "${operation}" == "destroy" ]]; then
terraform plan -var common_account_id=${COMMON_ACCOUNT_ID} -var common_account_role=${COMMON_ACCOUNT_ROLE} -var-file=${NHS_ENVIRONMENT}.tfvars -out="${TF_PLAN_FILENAME}" -destroy
else
echo "Unknown operation (should be create or destroy), got: ${operation}"
exit 1
fi
}
function tf_apply {
check_env
certs=$1
configure_tf_plan_filename $certs
tf_init
terraform get # modules
terraform apply $TF_PLAN_FILENAME
terraform output -json > tf-out.json
}
function tf_init_cross_account {
check_env
[ $NHS_ENVIRONMENT == "ci" ] && bucket_env_infix="" || bucket_env_infix="$NHS_ENVIRONMENT-"
cd "${DEDUCTIONS_INFRA_DIR}/terraform-cross-account/"
terraform init -reconfigure \
-backend-config key="${NHS_SERVICE}-cross-account-${NHS_ENVIRONMENT}/terraform.tfstate" \
-backend-config bucket="prm-deductions-${bucket_env_infix}terraform-state" \
-backend-config dynamodb_table="prm-deductions-${bucket_env_infix}terraform-table" \
-backend-config region=${AWS_DEFAULT_REGION}
}
function tf_plan_cross_account {
check_env
operation=$1
tf_init_cross_account
terraform get # modules
if [[ "${operation}" == "create" ]]; then
terraform plan -out="nhs_deployment_cross_account.tfplan" -var-file=${NHS_ENVIRONMENT}.tfvars
elif [[ "${operation}" == "destroy" ]]; then
terraform plan -out="nhs_deployment_cross_account.tfplan" -var-file=${NHS_ENVIRONMENT}.tfvars -destroy
else
echo "Unknown operation (should be create or destroy), got: ${operation}"
exit 1
fi
}
function tf_apply_cross_account {
check_env
tf_init_cross_account
terraform get # modules
terraform apply nhs_deployment_cross_account.tfplan
}
function tf_init_dashboard {
check_env
[ $NHS_ENVIRONMENT == "ci" ] && bucket_env_infix="" || bucket_env_infix="$NHS_ENVIRONMENT-"
cd "${DEDUCTIONS_INFRA_DIR}/terraform-dashboard/"
terraform init -reconfigure \
-backend-config key="${NHS_SERVICE}-dashboard-${NHS_ENVIRONMENT}/terraform.tfstate" \
-backend-config bucket="prm-deductions-${bucket_env_infix}terraform-state" \
-backend-config dynamodb_table="prm-deductions-${bucket_env_infix}terraform-table" \
-backend-config region=${AWS_DEFAULT_REGION}
}
function tf_plan_dashboard {
check_env
operation=$1
tf_init_dashboard
terraform get # modules
if [[ "${operation}" == "create" ]]; then
terraform plan -out="${NHS_ENVIRONMENT}-dashboard.tfplan" -var-file=${NHS_ENVIRONMENT}.tfvars
elif [[ "${operation}" == "destroy" ]]; then
terraform plan -out="${NHS_ENVIRONMENT}-dashboard.tfplan" -var-file=${NHS_ENVIRONMENT}.tfvars -destroy
else
echo "Unknown operation (should be create or destroy), got: ${operation}"
exit 1
fi
}
function tf_apply_dashboard {
check_env
tf_init_dashboard
terraform get # modules
terraform apply ${NHS_ENVIRONMENT}-dashboard.tfplan
}
# Before running this function, ensure the AWS credentials have been exported in your terminal for your environment
# These can be retrieved from the AWS console in your browser
# export AWS_ACCESS_KEY_ID=""
# export AWS_SECRET_ACCESS_KEY=""
# export AWS_SESSION_TOKEN=""
function generate_new_vpn_certs {
if [[ -z $1 ]]; then
echo "Environment value required (e.g. ./tasks generate_new_vpn_certs dev)"
exit 1
fi
if [[ ! -d "easy-rsa" ]]; then
git clone https://github.com/OpenVPN/easy-rsa.git
fi
env="$1"
# If running on Linux, convert the line endings of the easyrsa script
if [[ "$OSTYPE" == "linux-gnu"* ]]; then
dos2unix easy-rsa/easyrsa3/easyrsa
fi
cd easy-rsa/easyrsa3
echo yes | ./easyrsa init-pki
cd pki
echo "$(_get_aws_ssm_secret "/repo/user-input/vpn-ca-crt")" > ca.crt
echo "$(_get_aws_ssm_secret "/repo/user-input/vpn-ca-key")" > private/ca.key
echo "$(_get_aws_ssm_secret "/repo/user-input/vpn-ca-serial")" > serial
touch index.txt
touch index.txt.attr
mkdir -p certs_by_serial
mkdir -p issued
cd ..
./easyrsa build-server-full $env.vpn.patient-deductions.nhs.uk nopass
}
function generate_vpn_ca {
if [[ ! -d "easy-rsa" ]]; then
git clone https://github.com/OpenVPN/easy-rsa.git
fi
cd easy-rsa/easyrsa3
./easyrsa init-pki
EASYRSA_BATCH=true EASYRSA_REQ_CN="vpn.patient-deductions.nhs.uk" ./easyrsa build-ca nopass
create_secret_ssm_param "/repo/user-input/vpn-ca-crt" "$(cat pki/ca.crt)"
create_secret_ssm_param "/repo/user-input/vpn-ca-key" "$(cat pki/private/ca.key)"
create_secret_ssm_param "/repo/user-input/vpn-ca-serial" "$(cat pki/serial)"
}
function generate_vpn_server_crt {
check_env
crt_id="${NHS_ENVIRONMENT}.vpn.patient-deductions.nhs.uk"
existing_crt="$(aws acm list-certificates | jq -r --arg crt_id "$crt_id" '.CertificateSummaryList[] | select(.DomainName==$crt_id)')"
if [[ -z $existing_crt ]]; then
echo "No actively issued certificate found. Attempting to create and import new certificate."
setup_vpn_ca
./easyrsa build-server-full $crt_id nopass
aws acm import-certificate --certificate fileb://pki/issued/$crt_id.crt --private-key fileb://pki/private/$crt_id.key --certificate-chain fileb://pki/ca.crt
else
echo "Server certificate $crt_id already exists"
fi
}
function revoke_vpn_client_crt {
check_env
if [[ -z $1 ]]; then
echo "Username required"
exit 1
fi
username="$1"
user_cert=$NHS_ENVIRONMENT.$username.crt
setup_vpn_ca
cd ../..
if [[ -f ./utils/$user_cert ]]; then
echo "Client key file present. Revoking access"
mv ./utils/$user_cert ./easy-rsa/easyrsa3/pki/issued/$user_cert
cd ./easy-rsa/easyrsa3
echo yes | ./easyrsa revoke $NHS_ENVIRONMENT.$username
./easyrsa gen-crl
client_vpn_endpoint_id=$(_get_aws_ssm_secret "/repo/${NHS_ENVIRONMENT}/output/prm-deductions-infra/client-vpn-endpoint-id")
aws ec2 import-client-vpn-client-certificate-revocation-list --certificate-revocation-list file://pki/crl.pem --client-vpn-endpoint-id $client_vpn_endpoint_id --region $AWS_DEFAULT_REGION
echo "VPN Access Revoked for ${username} in ${NHS_ENVIRONMENT}"
else
echo "No Client key file found in utils. Please add certificate to be revoked"
fi
}
function generate_vpn_client_crt {
check_env
if [[ -z $1 ]]; then
echo "Username required"
exit 1
fi
username="$1"
crt_id="$username.vpn.patient-deductions.nhs.uk"
setup_vpn_ca
if [[ ! -f pki/private/$crt_id.key ]]; then
echo "Client key file not present. Generating now."
./easyrsa build-client-full $crt_id nopass
fi
client_crt="$(cat pki/issued/$crt_id.crt)"
client_key="$(cat pki/private/$crt_id.key)"
client_vpn_endpoint_id=$(_get_aws_ssm_secret "/repo/${NHS_ENVIRONMENT}/output/prm-deductions-infra/client-vpn-endpoint-id")
config="$(aws ec2 export-client-vpn-client-configuration --client-vpn-endpoint-id $client_vpn_endpoint_id | jq -r ".ClientConfiguration")"
cd ../..
dirname="client-config"
mkdir -p $dirname
cd $dirname
filename="${NHS_ENVIRONMENT}.$username.ovpn"
echo "$config" > $filename
echo -e "<cert>\n$client_crt\n</cert>\n" >> $filename
echo -e "<key>\n$client_key\n</key>\n" >> $filename
echo "$username VPN client configuration file created in $dirname directory"
}
function create_secret_ssm_param {
secret_id="$1"
value="$2"
set +e
aws ssm get-parameter --region $AWS_DEFAULT_REGION --name $secret_id | jq -r ".Parameter.Value" > /dev/null
if [[ $? == 0 ]]; then
echo "Secret at $secret_id already exists"
else
set -e
echo "Secret does not exists. Creating $secret_id"
aws ssm put-parameter \
--region $AWS_DEFAULT_REGION \
--name $secret_id \
--type SecureString \
--overwrite \
--value "$value"
fi
}
function generate_secret_ssm_param {
value=$(openssl rand -base64 24 | tr -d "/@\'+")
create_secret_ssm_param $1 $value
}
function generate_username_ssm_param {
set +e
value=$(< /dev/urandom tr -dc a-z | head -c12)
set -e
create_secret_ssm_param "$1" "$value"
}
function create_ssm_param {
value_id="$1"
value="$2"
set +e
aws ssm get-parameter --region $AWS_DEFAULT_REGION --name $value_id | jq -r ".Parameter.Value"
if [[ $? == 0 ]]; then
echo "Value at $value_id already exists"
else
set -e
echo "Value does not exists. Creating $value_id"
aws ssm put-parameter \
--region $AWS_DEFAULT_REGION \
--name $value_id \
--type String \
--overwrite \
--value "$value"
fi
}
function build_lambda {
lambda_name=$1
build_dir=notification-lambda/build/$lambda_name
rm -rf $build_dir
mkdir -p $build_dir
cp notification-lambda/$lambda_name/*.py $build_dir
pushd $build_dir
zip -r -X ../$lambda_name.zip .
popd
}
function build_generate_cost_report_lambda {
cd lambdas/generate-cost-report-lambda
build_dir=build/
rm -rf build
python3 -m pip install --target $build_dir -r requirements.txt
cp main.py configuration.py cost-report-configuration.yml $build_dir
pushd $build_dir
zip -r -q -m -X ../build/generate-cost-report-lambda.zip .
popd
cd ..
}
function build_lambdas {
build_generate_cost_report_lambda
}
command="$1"
case "${command}" in
build_lambdas)
build_lambdas
;;
create_secrets)
# Needs to run only once, when adding new environment
check_env
_assume_environment_role $NHS_ENVIRONMENT
generate_username_ssm_param "/repo/${NHS_ENVIRONMENT}/user-input/mq-admin-username"
generate_secret_ssm_param "/repo/${NHS_ENVIRONMENT}/user-input/mq-admin-password"
generate_username_ssm_param "/repo/${NHS_ENVIRONMENT}/user-input/mq-app-username"
generate_secret_ssm_param "/repo/${NHS_ENVIRONMENT}/user-input/mq-app-password"
;;
generate_vpn_ca)
generate_vpn_ca
;;
generate_new_vpn_certs)
generate_new_vpn_certs "$2"
;;
test_keys)
cd key-rotation-and-generation
npm install
npm run test
;;
generate_service_keys)
check_env
_assume_environment_role $NHS_ENVIRONMENT
cd key-rotation-and-generation
npm install
npm run generate:service-api-keys ;;
copy_parameters)
check_env
_assume_environment_role $NHS_ENVIRONMENT
./rename-migrations/copy-parameters-to-new-name.sh repo-to-gp ehr-out-service
;;
generate_user_keys)
check_env
_assume_environment_role $NHS_ENVIRONMENT
cd key-rotation-and-generation
npm install
npm run generate:user-api-keys
;;
rotate_service_keys)
check_env
_assume_environment_role $NHS_ENVIRONMENT
cd key-rotation-and-generation
npm install
npm run rotate:service-api-keys ;;
rotate_user_keys)
check_env
_assume_environment_role $NHS_ENVIRONMENT
cd key-rotation-and-generation
npm install
npm run rotate:user-api-keys ;;
get_value_metrics)
check_env
_assume_environment_role $NHS_ENVIRONMENT
./value-metrics/query-continuity-service-counts.sh $2
;;
*)
echo "Invalid command: '${command}'"
exit 1
;;
esac
set +e