initial commit

.copier-answers.yml

@@ -0,0 +1,6 @@
+# This file is auto-generated, changes will be overwritten
+_commit: v0.1.4
+_src_path: /task/77fa2a16-4212-11ee-a686-b6ba09e3d2c1/projecttype
+starting_version: v0.0.0
+version_file: VERSION
+

.gitignore

@@ -0,0 +1,162 @@
+functional-test-output.sarif
+static-test-output.sarif
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# poetry
+#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+#poetry.lock
+
+# pdm
+#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
+#pdm.lock
+#   pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it
+#   in version control.
+#   https://pdm.fming.dev/#use-with-ide
+.pdm.toml
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# PyCharm
+#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
+#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
+#  and can be added to the global gitignore or merged into this file.  For a more nuclear
+#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
+#.idea/

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "docs/boilerplate"]
+	path = docs/boilerplate
+	url = https://github.com/aws-ia/aws-ia-documentation-base-common.git

.project_automation/deprecation/entrypoint.sh

@@ -0,0 +1,6 @@
+#!/bin/bash -ex
+
+## NOTE: paths may differ when running in a managed task. To ensure behavior is consistent between
+# managed and local tasks always use these variables for the project and project type path
+PROJECT_PATH=${BASE_PATH}/project
+PROJECT_TYPE_PATH=${BASE_PATH}/projecttype

.project_automation/deprovision/entrypoint.sh

@@ -0,0 +1,6 @@
+#!/bin/bash -ex
+
+## NOTE: paths may differ when running in a managed task. To ensure behavior is consistent between
+# managed and local tasks always use these variables for the project and project type path
+PROJECT_PATH=${BASE_PATH}/project
+PROJECT_TYPE_PATH=${BASE_PATH}/projecttype

.project_automation/functional_tests/Dockerfile

@@ -0,0 +1,4 @@
+FROM public.ecr.aws/codebuild/amazonlinux2-x86_64-standard:4.0
+RUN pip install taskcat yq
+RUN yum install -y yum-utils && yum-config-manager --add-repo https://cli.github.com/packages/rpm/gh-cli.repo && yum install -y gh
+RUN gem install asciidoctor

.project_automation/functional_tests/entrypoint.sh

@@ -0,0 +1,66 @@
+#!/bin/bash -ex
+
+## NOTE: paths may differ when running in a managed task. To ensure behavior is consistent between
+# managed and local tasks always use these variables for the project and project type path
+PROJECT_PATH=${BASE_PATH}/project
+PROJECT_TYPE_PATH=${BASE_PATH}/projecttype
+
+printf '\nFunctional test...\n'
+
+DOCS_BRANCH="html-guide"
+## Check if docs/ files are modified?
+git fetch
+git branch
+DIFF_OUTPUT=$(git diff HEAD..origin/main)
+## If docs are modified, render updated index.html file and
+## create a PR with index.html file.
+if echo "${DIFF_OUTPUT}" | grep "^diff --git a/docs/"; then
+    printf '\nChanges detected in the /docs files. \n'
+    #--- Github pages site generation ---#
+    asciidoctor --version
+    # Generate guide - filename -> index.html
+    asciidoctor --base-dir docs/ --backend=html5 -o ../index.html -w --doctype=book -a toc2 -a production_build docs/boilerplate/index_deployment_guide.adoc
+    ## Create PR with index.html file
+    CURRENT_BRANCH=$(git branch --show-current)
+    git checkout main
+    git checkout -b "${DOCS_BRANCH}"
+    git add index.html
+    git commit -m '(automated) rendered html deployment guide'
+    git push --set-upstream origin "${DOCS_BRANCH}"
+    gh pr create --title 'Generated deployment guide' --body "_This is an automated PR with rendered html file for the deployment guide. Please review it before merge_"
+else
+    printf '\nNo changes detected in the /docs files. \n'
+fi  
+
+##----------------------------------------------------
+## Download taskcat overrides from AWS Secrets Manager
+## ---------------------------------------------------
+## Create a 'secret' of type plaintext in AWS Secrets Manager
+## and add taskcat override file contents to it.
+## Provide secret name to 'secret_name' parameter below and
+## the AWS region where you secret is stored to 'aws_region'.
+
+# set defaults
+secret_name=$(cat .taskcat.yml | yq -r '.project|.name')
+secret_name=${secret_name}-override
+secret_region="us-east-1"
+# If overrides secret exists, retrieve the secret value as a JSON string
+set +e
+overrides=$(aws secretsmanager get-secret-value --secret-id $secret_name --query SecretString --output text --region $secret_region)
+# convert the JSON string to YAML and save it to a file
+if [ "$?" -eq 0 ]; then
+  echo "$overrides" > .taskcat_overrides.yml
+fi
+set -e
+##----------------------------------------------------
+
+# set taskcat general config
+cat << EOF > ~/.taskcat.yml
+general:
+  s3_regional_buckets: true
+EOF
+
+# Run taskcat tests
+REGIONS=$(aws ec2 describe-regions --region us-east-1 | yq -r '.Regions|.[]|.RegionName')
+CSV_REGIONS=$(echo $REGIONS | tr ' ' ',')
+taskcat test run  -r $CSV_REGIONS

.project_automation/init/noop.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+echo "Not Supported!"

.project_automation/provision/entrypoint.sh

@@ -0,0 +1,6 @@
+#!/bin/bash -ex
+
+## NOTE: paths may differ when running in a managed task. To ensure behavior is consistent between
+# managed and local tasks always use these variables for the project and project type path
+PROJECT_PATH=${BASE_PATH}/project
+PROJECT_TYPE_PATH=${BASE_PATH}/projecttype

.project_automation/publication/Dockerfile

@@ -0,0 +1,3 @@
+FROM public.ecr.aws/codebuild/amazonlinux2-x86_64-standard:4.0
+RUN yum install -y yum-utils && yum-config-manager --add-repo https://cli.github.com/packages/rpm/gh-cli.repo && yum install -y gh
+RUN pip install copier taskcat yq jq awscli cfn-flip

.project_automation/publication/assets/.taskcat_publish.yml

@@ -0,0 +1,44 @@
+general:
+  auth:
+    default: default-profile
+    af-south-1: af-south-1-profile
+    ap-east-1: ap-east-1-profile
+    ap-southeast-3: ap-southeast-3-profile
+    eu-south-1: eu-south-1-profile
+    me-south-1: me-south-1-profile
+    cn-north-1: china-profile
+    cn-northwest-1: china-profile
+    us-gov-east-1: us-govcloud-profile
+    us-gov-west-1: us-govcloud-profile
+project:
+  s3_regional_buckets: true
+  s3_bucket: aws-ia
+  regions:
+    - af-south-1
+    - ap-east-1
+    - ap-southeast-3
+    - eu-south-1
+    - me-south-1
+    - us-east-1
+    - us-east-2
+    - us-west-1
+    - us-west-2
+    - eu-west-1
+    - eu-west-2
+    - eu-west-3
+    - sa-east-1
+    - ap-northeast-1
+    - ap-northeast-2
+    - ap-northeast-3
+    - ap-south-1
+    - ap-southeast-1
+    - ap-southeast-2
+    - ca-central-1
+    - eu-central-1
+    - eu-north-1
+    - cn-north-1
+    - cn-northwest-1
+    - us-gov-east-1
+    - us-gov-west-1
+tests:
+  test1: {}

.project_automation/publication/assets/assume_role_regional_endpoint_wrapper.sh

@@ -0,0 +1,2 @@
+#!/bin/bash -ex
+aws sts assume-role --role-arn $1 --role-session-name 'wrapped-role' --external-id $2 --endpoint https://sts.us-east-2.amazonaws.com --region us-east-2 | jq '.Credentials + {"Version":1}'

.project_automation/publication/assets/cred_helper.py

@@ -0,0 +1,72 @@
+#!/usr/bin/env python3
+import boto3
+import json
+import sys
+import argparse
+
+# https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html
+
+def _transform_creds(result, ak, sk):
+    AK = result[ak]
+    SAK = result[sk]
+    transformed_creds = {
+          "Version": 1,
+          "AccessKeyId": AK,
+          "SecretAccessKey": SAK
+    }
+    return transformed_creds
+
+def fetch_creds(region_name, secret_name, ak, sk, pr):
+    ssm = boto3.Session(profile_name=pr).client('secretsmanager', region_name=region_name)
+    value = ssm.get_secret_value(SecretId=secret_name)
+    value = json.loads(value["SecretString"])
+    return _transform_creds(value, ak, sk)
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(
+        prog="cred_helper.py",
+        description="Snags creds from Secrets manager for use in an AWS profile. Leveraging botocore builtins.",
+    )
+    parser.add_argument(
+            "--region",
+        type=str,
+        help="region name. otherwise use the default.",
+        required=True
+    )
+    parser.add_argument(
+        "--secret-name",
+        type=str,
+        help="secret name to fetch",
+        required=True
+    )
+    parser.add_argument(
+        "--access-key-index",
+        type=str,
+        help="secret name to fetch",
+        required=True
+    )
+    parser.add_argument(
+        "--secret-access-key-index",
+        type=str,
+        help="secret name to fetch",
+        required=True
+    )
+    parser.add_argument(
+        "--secret-profile",
+        type=str,
+        help="profile to use when fetching the secret",
+        required=False,
+        default="default"
+    )
+    args = parser.parse_args()
+    try:
+        parsed_creds = fetch_creds(
+            args.region,
+            args.secret_name,
+            args.access_key_index,
+            args.secret_access_key_index,
+            args.secret_profile
+        )
+        json.dump(parsed_creds, sys.stdout, indent=2)
+    except:
+        raise