The gen3 cloud-automation bash scripts simplify and standardize common devops tasks on a gen3 commons.
Install the gen3 scripts on a system like this:
-
Install prerequisites, so that they are in the bash environment's runtime PATH
-
git clone https://github.com/uc-cdis/cloud-automation.git
-
add the following block to your ~/.bashrc script
export GEN3_HOME=~/"Path/To/cloud-automation"
if [ -f "${GEN3_HOME}/gen3/gen3setup.sh" ]; then
source "${GEN3_HOME}/gen3/gen3setup.sh"
fi
- open a new shell
- setup AWS profiles for each account that you interact with in ~/.aws/credentials and ~/.aws/config - https://docs.aws.amazon.com/cli/latest/userguide/cli-multiple-profiles.html
gen3 [flags] command [command options]
gen3 [flags] command
- --dryrun
- --verbose
ex:$ gen3 workon accountname vpcname
ex:$ gen3 --dryrun refresh
Show this README.
You can also run gen3 COMMAND help
for most commands:
ex: $ gen3 tfapply help
gen3 tfapply:
Run 'terraform apply' in the current workspace, and backup config.tfvars, backend.tfvars, and README.md.
A typical command line is:
terraform apply plan.terraform
More examples and use cases can be found on the gen3 help docs
ex:$ gen3 workon cdistest plaxplanetv1
Enter (and initialize if necessary) a local workspace for working with the terraform resources under the AWS account
accessible using the admin credentials
under the aws-profile-name profile in ~/.aws/credentials
.
See tf_files/README.md for more details.
Generalization of gen3 aws ...
just below,
so gen3 arun aws arg1 arg2 ...
is equivalent to
gen3 aws arg1 arg2 ...
Run the aws
command with the given arguments after setting the
environment to conform to the active workspace's ~/.aws/config
profile -
acquiring temporary credentials as necessary.
For example - gen3 workon cdistest devplanetv1
with the following
configuration prompts the user for an MFA token, acquire a token
for the role_arn
specified by the cdistest
profile, and cache the
token (and auto renew when it expires):
[profile cdistest]
output = json
region = us-east-1
role_arn = arn:aws:iam::707767160287:role/csoc_adminvm
role_session_name = gen3-reuben
source_profile = csoc
mfa_serial = arn:aws:iam::433568766270:mfa/reuben-csoc
[profile csoc]
mfa_serial = arn:aws:iam::433568766270:mfa/reuben-csoc
# AWS_PROFILE=csoc aws sts get-session-token --serial-number arn:aws:iam::433568766270:mfa/reuben-csoc --token-code XXXX
Similarly, gen3 workon csoc cdistest_adminvm
with the above profile
prompts the user for an MFA token, then acquire and cache credentials.
Finally, gen3 workon cdistest devplanetv1
with the following configuration
also acquires a token for the specified role, but uses credentials
from the EC2 metadata service to assume the role rather than
look for csoc
credentials in ~/.aws/credentials
.
[profile cdistest]
output = json
region = us-east-1
role_arn = arn:aws:iam::707767160287:role/csoc_adminvm
role_session_name = gen3-reuben
credential_source = Ec2InsanceMetadata
List the variables associated with the current gen3 workspace - ex:
$ gen3 status
GEN3_PROFILE=cdistest
GEN3_WORKSPACE=planxplanetv1
GEN3_WORKDIR=/home/reuben/.local/share/gen3/cdistest/planxplanetv1
GEN3_HOME=/home/reuben/Code/PlanX/cloud-automation
GEN3_S3_BUCKET=cdis-state-ac23212121-gen3
AWS_PROFILE=cdistest
List workspaces that have been worked on locally, and workspaces saved to S3 if for a given PROFILE - ex:
$ gen3 ls
local workspaces under /home/reuben/.local/share/gen3
cdistest gen3test
cdistest planxplanetv1
$ gen3 ls cdistest
cdistest profile workspaces under s3://cdis-state-ac707767160287-gen3
PRE devplanetv1/
PRE gen3test_databucket/
PRE qaplanetv1/
PRE raryav1/
PRE reuben_databucket/
PRE vpcoctettest/
cdistest profile workspaces under legacy path s3://cdis-terraform-state.account-707767160287.gen3
PRE fauziv1/
PRE planxplanet_user/
local workspaces under /home/reuben/.local/share/gen3
cdistest devplanetv1
ex:$ gen3 refresh
Backup the local .tfvars files in the current workspace, and replace them with copies from s3 if available. You'll usually want to refresh your workspace when you return to it after some time away.
ex:$ gen3 cd workspace
ex:$ gen3 cd home
ex:$ gen3 cd # defaults to workspace
This is just a little shortcut to 'cd' the shell to $GEN3_HOME or $GEN3_WORKDIR
Note: defaults to workspace if not home
gen3 tfplan
Just a little wrapper around 'terraform plan' that passes the required flags, and bails out if the generated plan deletes AWS resources unless -f is given.
Apply the last plan from gen3 tfplan
, and perform supporting tasks:
- backup tf config variable files to S3
- auto-generate entries for ~/.ssh/config if not already present
- rsync the terraform generated _output/ scripts to the k8s provisioner
Test suite with mocks that work for local unit testing.
Test suite assumes AWS and terraform access.
Open a bash shell on the cluster in an awshelper
container: gen3 devterm
The devterm
command can also pass a command to the bash shell (bash -c
) - ex:
gen3 devterm "nslookup fence-service"