aws-account-broker

command module
v0.0.0-...-9adfaef Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 4, 2018 License: CC0-1.0 Imports: 19 Imported by: 0

README

AWS Account Service Broker CircleCI

This is an API that creates AWS (sub)accounts in an Organization. The broker conforms to the Open Service Broker API, so is compatible with Cloud Foundry, OpenShift, and Kubernetes.

The use case: you offer one of these platforms, with service brokers for specific databases, etc. Those service brokers will have limitations in the ways the underlying services can be configured, which is fine/desirable in many cases. For those cases where more flexibility is needed, though, this broker offers a trap door for users to get self-service access to full AWS accounts. Since those accounts are under the same Organization, they can be centrally configured with any needed policies, etc.

Setup

  1. Install system dependencies.

    1. Go
    2. Dep
    3. SQLite - Proof of concept testing is using SQLite3 for persistence

  2. Clone the repository.

    export GOPATH=~/go # or whatever go workspace you prefer
mkdir -p $GOPATH/src/github.com/GSA
cd $GOPATH/src/github.com/GSA
git clone https://github.com/GSA/aws-account-broker.git
cd aws-account-broker

  3. Install Go package dependencies.

    dep ensure

  4. Compile the broker.

    go build

  5. Setup the database with Proof-of-Concept data.

    sqlite3 aws-account-broker.db < poc_data.sql

  6. Alternatively, you can inialize the database with just the schema with no data.

    sqlite3 aws-account-broker.db < schema.sql

  7. Change any settings in the config.toml file. See comments in file for instructions.

  8. You can override the database settings using a DATABASE_URL environment variable. (Note: Only tested with sqlite3).

    export DATABASE_URL="sqlite3:/tmp/alt_database.db"

  9. Pick a base email.

    • Email addresses for AWS accounts need to be unique, so BASE_EMAIL (below) will be turned into something+<ID>@some.com. This works in GMail, at the very least - you may need to confirm with your mail provider.

  10. Run the broker.

    [email protected] ./aws-account-broker -user=<a username> -pass=<a password>

  11. Confirm it's running and responding to requests. From another terminal, run:

    curl --user user:pass -H "X-Broker-API-Version: 2.13" http://localhost:8080/v2/catalog

    Make sure to use the user and pass that you specified in the run command above.

  12. To create an account (also known as Provisioning):

    curl "http://user:pass@localhost:8080/v2/service_instances/<INSTANCE_ID>?accepts_incomplete=true" -d '{
  "service_id": "aws-account-broker",
  "plan_id": "IGNORED",
  "organization_guid": "IGNORED",
  "space_guid": "IGNORED"
}' -X PUT -H "X-Broker-API-Version: 2.13" -H "Content-Type: application/json"

    Note that the INSTANCE_ID needs to be unique value for all the accounts in your Organization, as it's used to produce the unique email. The command also contains some dummy parameters - marked as IGNORED - which are required by the API spec but not yet used.

Development
  1. make edits
  2. build and run
go build
[email protected] ./aws-account-broker -user=<a username> -pass=<a password>
  1. CONTROL+C, then go back to 1
Deploy to Cloud.gov

  1. Initialize the database; For proof-of-concept testing, initialize with the poc_data.sql file, otherwise use the schema.sql file.

    sqlite3 aws-account-broker.db < poc_data.sql

  2. Log in to Cloud.gov and setup the command line. See documentation

  3. For now, target your sandbox

    cf target -o <ORG> -s <SPACE>

  4. Push the app. Note: The app will fail because required environment variables are not set yet.

    cf push --random-route aws-account-broker

  5. Set the environment variables from the command line or Cloud.gov dashboard. environment variables:

    cf set-env aws-account-broker BASE_EMAIL ${BASE_EMAIL}
cf set-env aws-account-broker BROKER_USER ${BROKER_USER}
cf set-env aws-account-broker BROKER_PASSWORD ${BROKER_PASSWORD}
cf set-env aws-account-broker AWS_ACCESS_KEY_ID ${AWS_ACCESS_KEY_ID}
cf set-env aws-account-broker AWS_SECRET_ACCESS_KEY ${AWS_SECRET_ACCESS_KEY}

  6. Restage the application

    cf restage aws-account-broker

  7. Get the random route

    broker_url=$(cf app aws-account-broker | grep routes: | awk '{print $2}')

  8. Check the service catalog

    curl -u ${BROKER_USER}:${BROKER_PASSWORD} -H "X-Broker-API-Version: 2.13" https://${broker_url}/v2/catalog

  9. Check last operation

    curl -u ${BROKER_USER}:${BROKER_PASSWORD} -H "X-Broker-API-Version: 2.13" https://${broker_url}/v2/service_instances/gsa-devsecops-test4/last_operation

  10. Register the broker

    cf create-service-broker aws-account-broker  \
${BROKER_USER} ${BROKER_PASSWORD} https://${broker_url} \
--space-scoped

  11. Display the broker in marketplace

    cf marketplace -s aws-broker

  12. Create an AWS account.

    cf create-service aws-account devsecops gsa-devsecops-test<#>

  13. Check the status of the service

    cf services gsa-devsecops-test<#>

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.
JackTT - Gopher 🇻🇳