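#!/bin/bash
# Variables - Please update these variables with your actual values.
# Every value may also be supplied through the environment, so the script does
# not have to be edited per environment (e.g. REGION=eu-west-1 ./setup.sh);
# the value written here is only the default.
BACKSTAGE_ACCOUNT_ID="${BACKSTAGE_ACCOUNT_ID:-1111111111}"   # account that hosts Backstage
EKS_ACCOUNT_ID="${EKS_ACCOUNT_ID:-2222222222}"               # account that hosts the cluster (informational; not referenced by the steps below)
EKS_CLUSTER_NAME="${EKS_CLUSTER_NAME:-EKS-secure-coding-cluster}"
BACKSTAGE_ROLE_NAME="${BACKSTAGE_ROLE_NAME:-Backstage}"      # IAM role name used in both accounts
CA_KEY="${CA_KEY:-<CA_KEY>}"                                 # base64-encoded cluster CA certificate (public data, not a secret)
REGION="${REGION:-us-east-1}"
AWS_PROFILE_BACKSTAGE="${AWS_PROFILE_BACKSTAGE:-backstage-profile}"
AWS_PROFILE_EKS="${AWS_PROFILE_EKS:-eks-profile}"
LOG_FILE="${LOG_FILE:-setup_eks_backstage.log}"
# Nothing below is supposed to reassign these; make accidental clobbering loud.
readonly BACKSTAGE_ACCOUNT_ID EKS_ACCOUNT_ID EKS_CLUSTER_NAME BACKSTAGE_ROLE_NAME \
  CA_KEY REGION AWS_PROFILE_BACKSTAGE AWS_PROFILE_EKS LOG_FILE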
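# Logging function
#######################################
# Append a timestamped line to the log file and echo it to stdout.
# Globals:   LOG_FILE (read) - file the line is appended to
# Arguments: $* - message text (all arguments, joined by single spaces)
# Outputs:   the timestamped line on stdout
# Returns:   exit status of tee
#######################################
log() {
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  # printf instead of echo: a message beginning with "-n"/"-e" or containing
  # backslashes is written verbatim instead of being interpreted.
  printf '%s %s\n' "$stamp" "$*" | tee -a -- "$LOG_FILE"
}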
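# Error handling function
#######################################
# Log an error message through log() and terminate the script.
# Arguments: $1 - error description
#            $2 - exit status (optional, defaults to 1)
# Outputs:   "ERROR: <description>" on stdout and in the log file
# Returns:   never returns; the shell exits with the given status
#######################################
error_exit() {
  local message=$1
  local status=${2:-1}
  log "ERROR: $message"
  exit "$status"
}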
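# Step 1: Check AWS CLI Profiles
#######################################
# Ensure a named AWS CLI profile exists, offering to run `aws configure` for
# it when it does not.
# Arguments: $1 - profile name
#            $2 - human-readable label used in messages (e.g. "Backstage")
# Outputs:   prompt on stdout; reads the y/n answer from stdin
# Returns:   0 when the profile exists or was configured; exits otherwise
#######################################
ensure_aws_profile() {
  local profile=$1
  local label=$2
  local response
  # -x: match the whole line, so e.g. "eks-profile" is not satisfied by an
  # unrelated "my-eks-profile-old" entry; -- protects names starting with "-".
  if aws configure list-profiles | grep -qx -- "$profile"; then
    return 0
  fi
  log "AWS profile for $label ($profile) not found. Please configure it."
  echo "Do you want to configure the $label AWS profile now? (y/n)"
  read -r response
  if [[ "$response" == "y" ]]; then
    aws configure --profile "$profile" || error_exit "Failed to configure $label AWS profile."
  else
    error_exit "$label AWS profile configuration required."
  fi
}

log "Checking AWS CLI profiles..."
# Without the CLI the profile lookups below would silently report "not found".
command -v aws >/dev/null 2>&1 || error_exit "aws CLI not found in PATH."
ensure_aws_profile "$AWS_PROFILE_BACKSTAGE" "Backstage"
ensure_aws_profile "$AWS_PROFILE_EKS" "EKS"
log "AWS CLI profiles verified."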
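# Step 2: Check IAM Role and Trust Policy in EKS Account
log "Checking IAM role and trust policy in EKS account..."
# Distinguish "role is missing" from every other failure (expired credentials,
# AccessDenied, network): only a NoSuchEntity error means the role must be
# created; anything else must not be reported as "the role exists".
if get_role_output=$(aws iam get-role --role-name "$BACKSTAGE_ROLE_NAME" --profile "$AWS_PROFILE_EKS" 2>&1); then
  log "IAM role $BACKSTAGE_ROLE_NAME exists in EKS account."
elif grep -q 'NoSuchEntity' <<<"$get_role_output"; then
  log "IAM role $BACKSTAGE_ROLE_NAME does not exist in EKS account."
  echo "IAM role $BACKSTAGE_ROLE_NAME does not exist in EKS account. Do you want to create it? (y/n)"
  read -r response
  if [[ "$response" == "y" ]]; then
    # Trust policy: the Backstage account's role may assume this role.
    # Written to a private temp file instead of ./trust-policy.json so no
    # stray copy is left in the working directory.
    trust_policy_file=$(mktemp) || error_exit "Failed to create a temporary file."
    cat > "$trust_policy_file" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::$BACKSTAGE_ACCOUNT_ID:role/$BACKSTAGE_ROLE_NAME"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
    aws iam create-role --role-name "$BACKSTAGE_ROLE_NAME" \
      --assume-role-policy-document "file://$trust_policy_file" \
      --profile "$AWS_PROFILE_EKS" \
      || { rm -f -- "$trust_policy_file"; error_exit "Failed to create IAM role."; }
    rm -f -- "$trust_policy_file"
    # NOTE(review): AmazonEKSClusterPolicy is the managed policy AWS documents
    # for the EKS cluster service role; it is broader than a Backstage
    # integration that only reads cluster objects needs. Consider a policy
    # scoped to the EKS API calls Backstage actually makes.
    aws iam attach-role-policy --role-name "$BACKSTAGE_ROLE_NAME" \
      --policy-arn arn:aws:iam::aws:policy/AmazonEKSClusterPolicy \
      --profile "$AWS_PROFILE_EKS" \
      || error_exit "Failed to attach policy to IAM role."
    log "IAM role created and policy attached successfully."
  else
    error_exit "IAM role creation required."
  fi
else
  error_exit "Unable to query IAM role $BACKSTAGE_ROLE_NAME: $get_role_output"
fi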
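# Step 3: Check Kubernetes RBAC
log "Checking Kubernetes RBAC..."
if kubectl get clusterrolebinding backstage-binding > /dev/null 2>&1; then
  log "Kubernetes RBAC for Backstage exists."
else
  log "Kubernetes RBAC for Backstage does not exist."
  echo "Kubernetes RBAC for Backstage does not exist. Do you want to create it? (y/n)"
  read -r response
  if [[ "$response" == "y" ]]; then
    # The binding's subject must be the Kubernetes username that aws-auth
    # assigns to the Backstage role (Step 4 maps it to "backstage-user").
    # EKS authenticates the caller as that mapped username, not as the IAM
    # role ARN, so a subject holding the ARN would never match any request.
    # The manifest is applied from stdin; no rbac.yaml is left on disk.
    kubectl apply -f - <<EOF || error_exit "Failed to apply Kubernetes RBAC."
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: backstage-role
rules:
  - apiGroups: [""]
    resources: ["pods", "services", "namespaces"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: backstage-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: backstage-role
subjects:
  - kind: User
    name: backstage-user
    apiGroup: rbac.authorization.k8s.io
EOF
    log "Kubernetes RBAC created successfully."
  else
    error_exit "Kubernetes RBAC creation required."
  fi
fi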
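# Step 4: Check aws-auth ConfigMap
log "Checking aws-auth config map..."
backstage_role_arn="arn:aws:iam::$BACKSTAGE_ACCOUNT_ID:role/$BACKSTAGE_ROLE_NAME"
# Read just the mapRoles document. A failing kubectl (no cluster access, no
# such config map) must be reported, not mistaken for "mapping missing".
existing_map_roles=$(kubectl get configmap -n kube-system aws-auth -o jsonpath='{.data.mapRoles}') \
  || error_exit "Unable to read the aws-auth config map."
# -F: the ARN is a literal, not a regex.
if grep -qF -- "$backstage_role_arn" <<<"$existing_map_roles"; then
  log "aws-auth config map has the required role mapping."
else
  log "aws-auth config map does not have the required role mapping."
  echo "aws-auth config map does not have the required role mapping. Do you want to update it? (y/n)"
  read -r response
  if [[ "$response" == "y" ]]; then
    # NOTE(review): system:masters is cluster-admin and bypasses the
    # ClusterRole from Step 3 entirely. Once backstage-binding's subject is
    # the mapped username "backstage-user", drop this group so that only
    # backstage-role applies to the Backstage identity.
    new_entry=$(printf -- '- rolearn: %s\n  username: backstage-user\n  groups:\n    - system:masters' "$backstage_role_arn")
    if [[ -n "$existing_map_roles" ]]; then
      new_map_roles="$existing_map_roles"$'\n'"$new_entry"
    else
      new_map_roles=$new_entry
    fi
    # A merge patch replaces data.mapRoles as a whole, so the existing entries
    # are carried over with the new one appended. Appending a second
    # top-level "mapRoles:" key to a dumped manifest (the previous approach)
    # produces a document kubectl cannot apply correctly. The document is
    # re-indented by four spaces to sit inside the block scalar.
    patch=$(printf 'data:\n  mapRoles: |\n'; printf '%s\n' "$new_map_roles" | sed 's/^/    /')
    kubectl patch configmap aws-auth -n kube-system --type merge -p "$patch" \
      || error_exit "Failed to update aws-auth config map."
    log "aws-auth config map updated successfully."
  else
    error_exit "aws-auth config map update required."
  fi
fi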
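# Step 5: Test Access with kubectl
log "Testing access with kubectl..."
# The identity get-token signs for (the Backstage profile's caller) must be
# the ARN mapped in aws-auth in Step 4; presumably that is the Backstage
# account's role rather than the EKS-account role created in Step 2 - confirm.
token=$(aws eks get-token --cluster-name "$EKS_CLUSTER_NAME" --profile "$AWS_PROFILE_BACKSTAGE" --region "$REGION" --query 'status.token' --output text) \
  || error_exit "Failed to obtain an EKS token with profile $AWS_PROFILE_BACKSTAGE."
[[ -n "$token" && "$token" != "None" ]] || error_exit "aws eks get-token returned no token."
# EKS API endpoints are cluster-specific hostnames that cannot be derived from
# the cluster name, so ask the service for the endpoint (and the base64 CA)
# instead of building the URL by hand. The EKS profile is used because the
# cluster lives in that account; it needs eks:DescribeCluster.
cluster_info=$(aws eks describe-cluster --name "$EKS_CLUSTER_NAME" --region "$REGION" --profile "$AWS_PROFILE_EKS" \
  --query 'cluster.[endpoint,certificateAuthority.data]' --output text) \
  || error_exit "Failed to describe cluster $EKS_CLUSTER_NAME."
read -r endpoint cluster_ca <<<"$cluster_info"
[[ -n "$endpoint" && "$endpoint" != "None" ]] || error_exit "Cluster $EKS_CLUSTER_NAME has no API endpoint."
# Prefer an operator-supplied CA_KEY (base64-encoded PEM, same format as the
# describe-cluster value); fall back to the cluster's own CA when it was left
# at the placeholder.
ca_data=$CA_KEY
if [[ -z "$ca_data" || "$ca_data" == "<CA_KEY>" ]]; then
  ca_data=$cluster_ca
fi
[[ -n "$ca_data" && "$ca_data" != "None" ]] || error_exit "No cluster CA certificate available."
# A throwaway kubeconfig (mktemp creates it mode 0600) keeps the bearer token
# out of the process argument list, where `ps` and `set -x` would expose it.
kubeconfig=$(mktemp) || error_exit "Failed to create a temporary kubeconfig."
cat > "$kubeconfig" <<EOF
apiVersion: v1
kind: Config
clusters:
  - name: $EKS_CLUSTER_NAME
    cluster:
      server: $endpoint
      certificate-authority-data: $ca_data
contexts:
  - name: backstage-test
    context:
      cluster: $EKS_CLUSTER_NAME
      user: backstage
current-context: backstage-test
users:
  - name: backstage
    user:
      token: $token
EOF
if kubectl --kubeconfig "$kubeconfig" get namespaces; then
  rm -f -- "$kubeconfig"
else
  rm -f -- "$kubeconfig"
  error_exit "Failed to get namespaces. Please check the configuration."
fi
log "Access test successful. Setup completed."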