import boto3
from stack_set_helpers import helpers, cfn_helpers, iam_helpers, org_helpers
import multiprocessing
from multiprocessing import Process
import logging
# Module-level helper singletons shared by deploy(), delete() and main().
# Helpers:     session/file utilities (get_child_session, file_to_string).
# Cfn_helpers: CloudFormation wrappers (create_update_stack, stack_complete,
#              cfn_check_stack_exists, dict_to_cfn_parameters).
# Iam_helpers: IAM lookups (check_iam_role_exists).
# Org_helpers: Organizations account enumeration (get_org_accounts).
Helpers = helpers.Helpers()
Cfn_helpers = cfn_helpers.CfnHelpers()
Iam_helpers = iam_helpers.IamHelpers()
Org_helpers = org_helpers.Organization_Helpers()
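def delete(child_session, stack_name, AdministratorAccountId, failed_accounts, account):
    """
    Tear down the StackSet execution-role stack(s) in one child account.

    Issues ``DeleteStack`` for ``stack_name`` and for the legacy stack name
    ``cfn-stack-set-role``, then reports whether the execution role is still
    present in the account. Any exception is printed and ``account`` is
    appended to ``failed_accounts``; nothing is raised to the caller.

    :param child_session: boto3 Session already assumed into the child account.
    :param stack_name: Name of the stack that owns the execution role.
    :param AdministratorAccountId: Unused here; kept so delete() and deploy()
        share one signature and can be swapped as a Process target.
    :param failed_accounts: Shared list collecting accounts whose cleanup raised.
    :param account: Identifier of the child account, appended on failure.
    :return: None
    """
    # TODO Check whether this role exists in a cfn stack
    # TODO if the role exists, check if the trust relationship is correct
    # NOTE(review): this is destructive for every account it is run against.
    # A role of the same name created outside these stacks is NOT removed, and
    # DeleteStack returns before deletion finishes, so the existence check
    # below can still report the role while the stack is being deleted.
    try:
        cfn = child_session.client('cloudformation')
        # Both stack names are attempted unconditionally; the responses carry
        # nothing the caller needs, so they are not kept.
        cfn.delete_stack(StackName=stack_name)
        cfn.delete_stack(StackName='cfn-stack-set-role')
        if Iam_helpers.check_iam_role_exists(child_session,
                                             'AWSCloudFormationStackSetExecutionRole'):
            print("Found AWSCloudFormationStackSetExecutionRole")
    except Exception as e:
        # Best-effort per account: record the failure and let the other
        # accounts proceed; main() reports the collected list.
        print(e)
        failed_accounts.append(account)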
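def deploy(child_session, stack_name, AdministratorAccountId, failed_accounts, account):
    """
    Create or update the StackSet execution-role stack in one child account.

    If ``AWSCloudFormationStackSetExecutionRole`` already exists but no stack
    named ``stack_name`` does, the role is treated as externally managed and a
    message is returned without touching it. Otherwise the local template is
    deployed with ``AdministratorAccountId`` as its single parameter and
    ``Cfn_helpers.stack_complete`` is called on the stack. Any exception is
    printed and ``account`` is appended to ``failed_accounts``.

    :param child_session: boto3 Session already assumed into the child account.
    :param stack_name: Name of the stack that owns the execution role.
    :param AdministratorAccountId: Account whose StackSet administration role
        the execution role will trust (passed straight into the template).
    :param failed_accounts: Shared list collecting accounts where deployment raised.
    :param account: Identifier of the child account, appended on failure.
    :return: The skip message when an externally managed role is found,
        otherwise None.
    """
    role_name = 'AWSCloudFormationStackSetExecutionRole'
    try:
        # TODO Check whether this role exists in a cfn stack
        # TODO if the role exists, check if the trust relationship is correct
        # SECURITY NOTE(review): skipping on the role *name* alone means a
        # pre-existing role whose trust policy names some other account is left
        # in place. StackSet operations from AdministratorAccountId will then
        # fail, and whichever principal that policy does trust keeps
        # cross-account access to this account. Compare the role's
        # AssumeRolePolicyDocument against AdministratorAccountId before
        # relying on this path.
        if (Iam_helpers.check_iam_role_exists(child_session, role_name)
                and not Cfn_helpers.cfn_check_stack_exists(child_session, stack_name)):
            # Message names the role actually checked above (the original text
            # referred to a "...RoleQS" that does not exist in this tool).
            msg = (f'{role_name} role exists in child account, but is managed outside '
                   'aws-cfn-stack-sets, free to continue, assuming Admin Role has access '
                   'to child accounts')
            print(msg)
            return msg
        # Local copy of AWS's sample template (upstream:
        # s3://cloudformation-stackset-sample-templates-us-east-1/AWSCloudFormationStackSetExecutionRole.yml).
        # The path is relative, so it presumably depends on the directory the
        # script is launched from -- confirm against Helpers.file_to_string.
        template_body = Helpers.file_to_string('templates/AWSCloudFormationStackSetExecutionRole.yml')
        response = Cfn_helpers.create_update_stack(
            child_session,
            dict(StackName=stack_name,
                 TemplateBody=template_body,
                 Parameters=Cfn_helpers.dict_to_cfn_parameters(
                     {'AdministratorAccountId': AdministratorAccountId})))
        print(response)
        # Presumably waits for the CREATE/UPDATE to settle so failures surface
        # here rather than after the process exits -- confirm in cfn_helpers.
        Cfn_helpers.stack_complete(child_session, stack_name)
    except Exception as e:
        # Best-effort per account: record the failure and let the other
        # accounts proceed; main() reports the collected list.
        print(e)
        failed_accounts.append(account)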
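def main():
    """
    Fan out deploy() across every account in the organization.

    Credentials: the ``orgmaster`` profile enumerates the accounts and assumes
    ``OrganizationAccountAccessRole`` in each of them; the *default* session's
    caller identity becomes ``AdministratorAccountId``, i.e. the account every
    child execution role will trust.

    One ``Process`` per account runs deploy(). Failures are collected through
    a Manager-backed list -- a plain list is copied into each child process,
    so the parent never saw the appends in the original version -- and the
    result is stored in the module global ``failed_accounts`` and logged once
    all processes have joined.

    :return: None
    """
    global failed_accounts

    multiprocessing.log_to_stderr()
    logger = multiprocessing.get_logger()
    logger.setLevel(logging.INFO)

    org_session = boto3.session.Session(profile_name='orgmaster')
    org_accounts = Org_helpers.get_org_accounts(org_session)

    shared_session = boto3.session.Session()
    sts = shared_session.client('sts')
    AdministratorAccountId = sts.get_caller_identity()['Account']
    # SECURITY NOTE(review): this value ends up in the trust policy of an
    # administrative role in every child account. If the default credentials
    # resolve to the wrong account (a sandbox, a personal account), that
    # account is granted org-wide StackSet execution. Check this line, or
    # assert it against the expected administrator account, before fanning out.
    print(f"AdministratorAccountId: {AdministratorAccountId}")

    stack_name = 'AWSCloudFormationStackSetExecutionRole'
    with multiprocessing.Manager() as manager:
        # Proxy list: appends made inside child processes are visible here.
        shared_failures = manager.list()
        procs = []
        # NOTE(review): one process per account with no cap; large organizations
        # may hit STS/CloudFormation rate limits this way.
        for account in org_accounts:
            # AssumeRole happens here, serially in the parent. The session
            # object is then handed to the child process; that relies on the
            # fork start method (it is not guaranteed picklable under spawn).
            child_session = Helpers.get_child_session(account, 'OrganizationAccountAccessRole', org_session)
            proc = Process(target=deploy,
                           args=(child_session, stack_name, AdministratorAccountId,
                                 shared_failures, account))
            procs.append(proc)
            proc.start()
        for proc in procs:
            proc.join()
        # Copy out before the manager's server process shuts down.
        failed_accounts = list(shared_failures)

    if failed_accounts:
        logger.warning("deploy failed in %d account(s): %s", len(failed_accounts), failed_accounts)
    else:
        logger.info("deploy finished in all %d account(s)", len(procs))
    # To tear the roles down instead, run delete() with the same arguments
    # in place of deploy() above.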
# Script entry point: deploys the execution role to every org account (see main()).
if __name__ == '__main__':
    main()