scottw · December 15, 2016 18:37
diff --git a/terraform-aws-assume-role.mk b/terraform-aws-assume-role.mk
 ## purpose:
 ##
 ## create a Terrform override file containing temporary role
 ## credentials generated from an account protected with MFA.
 ##
 ## usage:
 ##
 ##   $ make credentials aws_override.tf PROFILE=my-profile TOKEN_CODE=123456
 ##   $ terraform apply
 ##
 PROFILE           :=
 TOKEN_CODE        :=
 DURATION          := 900
 ROLE_SESSION_NAME := terraform-$(PROFILE)
 ROLE_ARN          := $(shell aws configure get role_arn --profile $(PROFILE) 2>/dev/null)
 MFA_SERIAL_ARN    := $(shell aws configure get mfa_serial --profile $(PROFILE) 2>/dev/null)
 CREDENTIALS       := .credentials.json

 .PHONY: assert-% credentials

 assert-profile:    VAR = PROFILE
 assert-profile:    assert-var-profile

 assert-token-code: VAR = TOKEN_CODE
 assert-token-code: assert-var-token-code

 assert-role-arn:   VAR = ROLE_ARN
 assert-role-arn:   assert-var-role-arn

 assert-mfa-serial: VAR = MFA_SERIAL_ARN
 assert-mfa-serial: assert-var-mfa-serial

 assert-var-%:
 	@if [[ "z" == "z$($(VAR))" ]]; then \
 		echo "Variable $(VAR) is not set"; \
 		exit 1; \
 	fi

 ## https://www.terraform.io/docs/providers/aws/index.html
 ## http://blog.sinica.me/aws_multi_account_with_terraform.html
 credentials: assert-token-code assert-profile assert-role-arn
 	aws sts assume-role \
 	--role-session-name $(ROLE_SESSION_NAME) \
 	--role-arn          $(ROLE_ARN) \
 	--serial-number     $(MFA_SERIAL_ARN) \
 	--token-code        $(TOKEN_CODE) \
 	--duration          $(DURATION) \
 	--output json > $(CREDENTIALS)

 ## https://www.terraform.io/docs/configuration/override.html
 aws_override.tf: export AWS_ACCESS_KEY_ID     := $(shell jq -r .Credentials.AccessKeyId $(CREDENTIALS))
 aws_override.tf: export AWS_SECRET_ACCESS_KEY := $(shell jq -r .Credentials.SecretAccessKey $(CREDENTIALS))
 aws_override.tf: export AWS_SESSION_TOKEN     := $(shell jq -r .Credentials.SessionToken $(CREDENTIALS))
 aws_override.tf: $(CREDENTIALS)
 	sed -e 's|@@AWS_ACCESS_KEY_ID@@|$(AWS_ACCESS_KEY_ID)|g' \
 	    -e 's|@@AWS_SECRET_ACCESS_KEY@@|$(AWS_SECRET_ACCESS_KEY)|g' \
 	    -e 's|@@AWS_SESSION_TOKEN@@|$(AWS_SESSION_TOKEN)|g' < provider-aws.tmpl > $@
	## purpose:
	##
	## create a Terrform override file containing temporary role
	## credentials generated from an account protected with MFA.
	##
	## usage:
	##
	## $ make credentials aws_override.tf PROFILE=my-profile TOKEN_CODE=123456
	## $ terraform apply
	##
	PROFILE :=
	TOKEN_CODE :=
	DURATION := 900
	ROLE_SESSION_NAME := terraform-$(PROFILE)
	ROLE_ARN := $(shell aws configure get role_arn --profile $(PROFILE) 2>/dev/null)
	MFA_SERIAL_ARN := $(shell aws configure get mfa_serial --profile $(PROFILE) 2>/dev/null)
	CREDENTIALS := .credentials.json

	.PHONY: assert-% credentials

	assert-profile: VAR = PROFILE
	assert-profile: assert-var-profile

	assert-token-code: VAR = TOKEN_CODE
	assert-token-code: assert-var-token-code

	assert-role-arn: VAR = ROLE_ARN
	assert-role-arn: assert-var-role-arn

	assert-mfa-serial: VAR = MFA_SERIAL_ARN
	assert-mfa-serial: assert-var-mfa-serial

	assert-var-%:
	@if [[ "z" == "z$($(VAR))" ]]; then \
	echo "Variable $(VAR) is not set"; \
	exit 1; \
	fi

	## https://www.terraform.io/docs/providers/aws/index.html
	## http://blog.sinica.me/aws_multi_account_with_terraform.html
	credentials: assert-token-code assert-profile assert-role-arn
	aws sts assume-role \
	--role-session-name $(ROLE_SESSION_NAME) \
	--role-arn $(ROLE_ARN) \
	--serial-number $(MFA_SERIAL_ARN) \
	--token-code $(TOKEN_CODE) \
	--duration $(DURATION) \
	--output json > $(CREDENTIALS)

	## https://www.terraform.io/docs/configuration/override.html
	aws_override.tf: export AWS_ACCESS_KEY_ID := $(shell jq -r .Credentials.AccessKeyId $(CREDENTIALS))
	aws_override.tf: export AWS_SECRET_ACCESS_KEY := $(shell jq -r .Credentials.SecretAccessKey $(CREDENTIALS))
	aws_override.tf: export AWS_SESSION_TOKEN := $(shell jq -r .Credentials.SessionToken $(CREDENTIALS))
	aws_override.tf: $(CREDENTIALS)
	sed -e 's\|@@AWS_ACCESS_KEY_ID@@\|$(AWS_ACCESS_KEY_ID)\|g' \
	-e 's\|@@AWS_SECRET_ACCESS_KEY@@\|$(AWS_SECRET_ACCESS_KEY)\|g' \
	-e 's\|@@AWS_SESSION_TOKEN@@\|$(AWS_SESSION_TOKEN)\|g' < provider-aws.tmpl > $@