#!/bin/bash
# This helper script does the following:
# 1. Generate temporary AWS session credentials with MFA
# 2. Send local SSH key to jumphost in order to create an SSH tunnel with EC2 instance connect
# 3. Generate RDS auth token
# 4. Create SSH tunnel to RDS instance through jumphost using SSH keys sent in step 2
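# Script-wide state. ARGS joins the positional parameters into a single
# string, so argument boundaries are lost if it is later word-split again;
# prefer passing "$@" straight to parse_args.
ARGS=$@
# Connection inputs, filled in by parse_args. SSH_PRIVATE_KEY is initialised
# here too so every global the script writes has a known empty default.
CONFIG_FILE=""
MFA_ARN=""
MFA_TOKEN=""
SSH_PRIVATE_KEY=""
SSH_PUBLIC_KEY=""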
# Print the command-line usage text to stdout.
# Arguments: none
# Outputs:   usage text on stdout
show_help() {
  # Quoted delimiter: the block is emitted literally, nothing is expanded.
  cat <<'EOF'
usage: connect-rds.sh [CONFIG_FILE_PATH] [MFA_ARN] [SSH_PRIVATE_KEY] [SSH_PUBLIC_KEY]

Arguments:
 CONFIG_FILE_PATH - path to config file with connection variables
 MFA_ARN - ARN for MFA device. Can be retrieved from AWS Console > My Security Credentials.
 SSH_PRIVATE_KEY - SSH private key to use for connecting to the jumphost. Can be generated with ssh-keygen.
 SSH_PUBLIC_KEY - Optional SSH public key to use for connecting to the jumphost. Can be generated with ssh-keygen.

EOF
}
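# Validate the command line and store it in the script globals.
# Globals:   CONFIG_FILE, MFA_ARN, SSH_PRIVATE_KEY, SSH_PUBLIC_KEY (written)
# Arguments: $1 config file path, $2 MFA device ARN,
#            $3 SSH private key path, $4 optional SSH public key path
# Outputs:   usage and a diagnostic on stderr when validation fails
# Returns:   0 on success; exits the script with 1 on invalid input
parse_args() {
  if [ "$#" -lt 3 ] || [ "$#" -gt 4 ]; then
    show_help >&2
    echo "Invalid number of arguments." >&2
    exit 1
  fi
  CONFIG_FILE=$1
  MFA_ARN=$2
  SSH_PRIVATE_KEY=$3
  # ${4:-} keeps this assignment safe under 'set -u' when no public key is given.
  SSH_PUBLIC_KEY=${4:-}
  if [ ! -f "$CONFIG_FILE" ]; then
    show_help >&2
    echo "Config file ($CONFIG_FILE) does not exists" >&2
    exit 1
  fi
  if [ ! -f "$SSH_PRIVATE_KEY" ]; then
    show_help >&2
    echo "SSH private key ($SSH_PRIVATE_KEY) does not exists" >&2
    exit 1
  fi
}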
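# Fail early if the AWS CLI has no credentials to use.
# Accepts the default ~/.aws/credentials file (written by 'aws configure'),
# the file named by AWS_SHARED_CREDENTIALS_FILE, or credentials supplied
# through AWS_ACCESS_KEY_ID in the environment.
# Globals:   HOME, AWS_SHARED_CREDENTIALS_FILE, AWS_ACCESS_KEY_ID (read)
# Arguments: none
# Outputs:   diagnostic on stderr
# Returns:   0 when a credential source is present; exits with 1 otherwise
check_aws_configured() {
  local creds_file=${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}
  # Environment credentials are just as valid as the file; do not reject them.
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ] || [ -f "$creds_file" ]; then
    return 0
  fi
  echo "You have not configured your AWS CLI. Run 'aws configure' and try again." >&2
  exit 1
}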
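# Ask for the one-time MFA code until a plausible value is entered.
# Does nothing if MFA_TOKEN is already set (same as the original loop).
# Globals:   MFA_TOKEN (read, written)
# Arguments: none
# Inputs:    reads the code from stdin
# Outputs:   prompt (via read -p) and diagnostics on stderr
# Returns:   0 with MFA_TOKEN set; exits with 1 if stdin is exhausted
prompt_mfa_token() {
  local token
  [ -n "$MFA_TOKEN" ] && return 0
  while :; do
    # Without this check a closed stdin would re-prompt forever.
    if ! read -r -p 'Enter your MFA token: ' token; then
      echo "No MFA token entered." >&2
      exit 1
    fi
    # AWS MFA token codes are six digits; reject anything else before it
    # reaches the sts call rather than after a failed API round trip.
    if [[ "$token" =~ ^[0-9]{6}$ ]]; then
      MFA_TOKEN=$token
      return 0
    fi
    echo "MFA token must be exactly six digits." >&2
  done
}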
safe_eval_config_line() {
# Basic validation to check that line matches the format KEY=VALUE before evaluating it.
MATCH=$(echo $1 | grep -E "^[^ ]*=[^ ]+$")
if [ -z $MATCH ]; then
echo "Invalid line in configuration file: $1"
exit 1
else
eval $MATCH
fi
}
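# Read CONFIG_FILE line by line and load each KEY=VALUE into the shell.
# Blank lines and lines starting with '#' are skipped.
# Globals:   CONFIG_FILE (read); config keys (written via safe_eval_config_line)
# Arguments: none
# Outputs:   diagnostic on stderr if the file is unreadable
# Returns:   0 on success; exits with 1 on an unreadable file or a bad line
load_config_file() {
  local line
  if [ ! -r "$CONFIG_FILE" ]; then
    echo "Cannot read config file ($CONFIG_FILE)" >&2
    exit 1
  fi
  # '|| [[ -n "$line" ]]' still handles a last line that lacks a newline.
  # The previous post-loop call did that but also re-ran the last line and,
  # when the file ended with '\n', passed an empty string and aborted.
  while IFS= read -r line || [[ -n "$line" ]]; do
    [[ -z "$line" || "$line" == \#* ]] && continue
    safe_eval_config_line "$line"
  done < "$CONFIG_FILE"
}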
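# Exchange the long-lived CLI credentials plus the MFA code for a temporary
# session and export it for every later aws call in this shell.
# Globals:   MFA_ARN, MFA_TOKEN (read);
#            AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN (exported)
# Arguments: none
# Outputs:   diagnostic on stderr on failure
# Returns:   0 on success; exits with 1 if sts fails or returns no token
generate_aws_session_credentials() {
  local credentials access_key secret_key session_token
  # Declaration and assignment are separate so 'local' cannot mask the aws
  # exit status.
  credentials=$(aws sts get-session-token \
    --serial-number "$MFA_ARN" \
    --token-code "$MFA_TOKEN" \
    --output text) || {
    echo "Failed to get AWS session token" >&2
    exit 1
  }
  # --output text gives one tab-separated line; the field positions below are
  # the ones the original cut -f2/-f4/-f5 relied on:
  #   CREDENTIALS <AccessKeyId> <Expiration> <SecretAccessKey> <SessionToken>
  # read splits on whitespace directly, so the secret is not piped through
  # an unquoted echo.
  read -r _ access_key _ secret_key session_token <<<"$credentials"
  if [ -z "$access_key" ] || [ -z "$secret_key" ] || [ -z "$session_token" ]; then
    echo "Unexpected response from sts get-session-token" >&2
    exit 1
  fi
  # Exported so every aws call later in this script uses the MFA session.
  export AWS_ACCESS_KEY_ID=$access_key
  export AWS_SECRET_ACCESS_KEY=$secret_key
  export AWS_SESSION_TOKEN=$session_token
}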
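# Push the SSH public key to the jumphost via EC2 Instance Connect so the
# matching private key can open the tunnel. Instance Connect keeps a pushed
# key only briefly, which is why this runs right before the ssh call.
# Globals:   SSH_PUBLIC_KEY, JUMPHOST_INSTANCE_ID, JUMPHOST_REGION,
#            JUMPHOST_USER (read)
# Arguments: none
# Outputs:   diagnostics on stderr
# Returns:   0 on success; exits with 1 on a missing key or a failed API call
send_ssh_key() {
  # The public key is only needed on this path, hence optional in parse_args.
  if [ -z "$SSH_PUBLIC_KEY" ]; then
    show_help >&2
    echo "Please provide your SSH public key to be used for EC2 instance connect." >&2
    exit 1
  elif [ ! -f "$SSH_PUBLIC_KEY" ]; then
    show_help >&2
    echo "SSH public key ($SSH_PUBLIC_KEY) does not exists" >&2
    exit 1
  fi
  # Fail with a clear message before the API call if the config file did not
  # define the jumphost; unquoted empty values used to produce an opaque CLI error.
  : "${JUMPHOST_INSTANCE_ID:?must be set in the config file}"
  : "${JUMPHOST_REGION:?must be set in the config file}"
  : "${JUMPHOST_USER:?must be set in the config file}"
  # NOTE(review): --availability-zone is fed JUMPHOST_REGION; the API expects an
  # availability-zone name, so the config value presumably holds one — confirm.
  # The API response was captured but never used, so stdout is discarded.
  if ! aws ec2-instance-connect send-ssh-public-key \
    --output text \
    --instance-id "$JUMPHOST_INSTANCE_ID" \
    --availability-zone "$JUMPHOST_REGION" \
    --instance-os-user "$JUMPHOST_USER" \
    --ssh-public-key "file://$SSH_PUBLIC_KEY" >/dev/null; then
    echo "Failed to send SSH key to EC2 instance" >&2
    exit 1
  fi
}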
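# Mint an IAM auth token for the database and open a local port forward to
# RDS through the jumphost. Blocks until the ssh session ends (Ctrl-C).
# Globals:   RDS_HOST, RDS_PORT, RDS_REGION, RDS_USER, JUMPHOST_USER,
#            JUMPHOST_HOST, SSH_PRIVATE_KEY (read); LOCAL_PORT (read, optional)
# Arguments: none
# Outputs:   connection details, including the short-lived token, on stdout
# Returns:   ssh's exit status; exits with 1 if no auth token is obtained
start_rds_ssh_tunnel() {
  # The forwarded port used to be fixed at 15432; LOCAL_PORT (for example set
  # in the config file) overrides it and the default keeps the old behaviour.
  local local_port=${LOCAL_PORT:-15432}
  local rds_password
  : "${RDS_HOST:?must be set in the config file}"
  : "${RDS_PORT:?must be set in the config file}"
  : "${RDS_REGION:?must be set in the config file}"
  : "${RDS_USER:?must be set in the config file}"
  : "${JUMPHOST_USER:?must be set in the config file}"
  : "${JUMPHOST_HOST:?must be set in the config file}"
  # The token request used to go unchecked, so a failure printed an empty
  # password and still opened the tunnel.
  rds_password=$(aws rds generate-db-auth-token \
    --hostname "$RDS_HOST" \
    --port "$RDS_PORT" \
    --region "$RDS_REGION" \
    --username "$RDS_USER") || {
    echo "Failed to generate RDS auth token" >&2
    exit 1
  }
  if [ -z "$rds_password" ]; then
    echo "Failed to generate RDS auth token" >&2
    exit 1
  fi
  echo
  echo "Created SSH tunnel to RDS instance. Connect using the following credentials:"
  echo " * host: localhost"
  echo " * port: $local_port"
  echo " * username: $RDS_USER"
  # The IAM auth token is short-lived and is shown once so the user can paste
  # it into their client; it is kept in a local so it does not linger as a global.
  echo " * password: $rds_password"
  echo
  echo "Press (Ctrl-C) to close the tunnel"
  # ExitOnForwardFailure makes ssh exit non-zero instead of sitting idle when
  # the local port is in use or the forward is refused by the jumphost.
  ssh -N -o ExitOnForwardFailure=yes \
    -L "${local_port}:${RDS_HOST}:${RDS_PORT}" \
    -i "$SSH_PRIVATE_KEY" \
    "${JUMPHOST_USER}@${JUMPHOST_HOST}"
}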
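# Main
# "$@" keeps each argument intact; the flattened ARGS string would re-split
# a config or key path that contains spaces.
parse_args "$@"
check_aws_configured
prompt_mfa_token
load_config_file
echo "Loaded config file located at $CONFIG_FILE"
generate_aws_session_credentials
echo "Generated AWS session credentials"
# USE_EC2_INSTANCE_CONNECT comes from the config file; any non-empty value
# enables the EC2 Instance Connect key push.
if [ -n "${USE_EC2_INSTANCE_CONNECT:-}" ]; then
  send_ssh_key
  echo "Sent SSH key ($SSH_PUBLIC_KEY) to jumphost using EC2 instance connect"
fi
start_rds_ssh_tunnel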