Kinnaird McQuade kmcquade

Keybase proof

I hereby claim:

I am kmcquade on github.
I am kmcquade (https://keybase.io/kmcquade) on keybase.
I have a public key whose fingerprint is C50D 6568 07A1 84AA 1C91 AD99 CB96 8886 7C80 622E

To claim this, I am signing this object:

List:

export-aws-creds.py
- Simple script that parses the ~/.aws/credentials file and creates the export command needed for pumping your AWS creds to command line

aws-secrets-send.sh and aws-secrets-get.sh

Used for grabbing secrets from S3 encrypted at the object level with KMS.
Easy to copy + paste or include in your repo when you have to use Ec2 userdata + IAM roles to download KMS-encrypted objects from S3
Based on this github repo but without the built-in options to create buckets and keys. This limits the capabilities of the script in a good way.

vault_aws_auth

These are python 2 and 3 snippets showing how to generate headers to authenticate with HashiCorp's Vault using the AWS authentication method. There's also a Ruby implementation which uses version 3 of the AWS SDK for Ruby.

The python scripts look for credentials in the default boto3 locations; if you need to supply custom credentials (such as from an AssumeRole call), you would use the botocore.session.set_credentials method before calling create_client.

CloudFormation -> Terraform Import Helpers

I wrote these scripts to help faciliate batch import of our CloudFormation templates into Terraform Configuration.

region-batch.sh

This script is a light wrapper around batch.sh. It simply iterates over the list of regions provided, exports expected variables, creates required directories, and calls batch.sh.

BASE_DIR=/path/to/dir EXCLUDE_REGEX="(some-stack-production|some-stack-staging)" ./region-batch.sh us-east-1 us-west-1

	#!/usr/bin/env bash

	# License: MIT - https://opensource.org/licenses/MIT

	#
	# Usage:
	#
	# Encrypt a file:
	# kms-vault encrypt My-Key-Alias some-file-i-want-encrypted.txt > topsecret.asc
	#

	resource "aws_iam_policy" "terraform_create_policy" {
	name = "terraform_create_policy"
	path = "/"
	policy = "${data.aws_iam_policy_document.terraform_create_policy.json}"
	}

	data "aws_iam_policy_document" "terraform_create_policy" {
	statement {
	sid = "1"
	actions = [

	# To install:
	# sudo cat grow-root.service > /etc/systemd/system/grow-root.service
	# sudo systemctl daemon-reload
	# sudo systemctl enable -f grow-root.service
	#
	# Start (auto disables after first successful expansion):
	# sudo systemctl start grow-root.service
	#
	# Debugging:
	# sudo systemctl status grow-root.service

	#/bin/bash
	trap exit INT
	INSTANCES=$( aws ec2 describe-instances --query 'Reservations[].Instances[].InstanceId[]' \| sed -e 's/\[//g' -e 's/\]//g')
	SUM=0
	echo $INSTANCES
	for i in $( echo $INSTANCES \| sed -e 's/"//g' -e 's/,//g' -e 's/\[//g' -e 's/\]//g' ) ;do
	echo "---------------------------$i-------------------------------\n"
	aws ec2 describe-instances --instance-ids $i --query 'Reservations[].Instances[].Tags[?Key==`Name`].Value' --output text
	aws ec2 describe-instance-attribute --instance-id $( echo $i \| sed -e 's/"//g' -e 's/,//' -e 's/\[//g' -e 's/\]//g' ) --attribute userData \
	\| jq '.UserData.Value' \| sed 's/"//g' \| base64 --decode

	apiVersion: extensions/v1beta1
	kind: PodSecurityPolicy
	metadata:
	name: restricted
	annotations:
	seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
	apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
	seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
	apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
	spec:

	rm -rf /var/lib/cloud/instance && rm -rf /var/lib/cloud/instances/* && rm -rf /var/lib/cloud/sem/*
	cloud-init init && cloud-init modules --mode config && cloud-init modules --mode final