SECZ-1477: Fix chained sessions for prod db access
Anne Mirasol committed May 15, 2024
1 parent b958012 commit dc3d6e2
Showing 1 changed file with 32 additions and 6 deletions.
38 changes: 32 additions & 6 deletions create-chained-sessions.sh
@@ -64,6 +64,23 @@ function createLeappSession {
fi
}

function deleteLeappSession {
environment_name=$1
service_name=$2
iam_role_scope=$3
persona_name=$4
iam_role_name="${iam_role_scope}-${persona_name}"

session_name="${service_name}-${environment_name}-${persona_name}"
session_id=$(leappSessionId "$session_name" "$iam_role_name")

if [[ -n "${session_id}" ]]; then
green_echo "deleting session ${session_name}"

leapp session delete --sessionId "$session_id" > /dev/null 2> >(logStdErr)
fi
}

# @return the Leapp session ID of the session whose name is the first argument
# to this function, if one exists.
function leappSessionId {
@@ -102,10 +119,19 @@ do
createLeappSession "$env" "k8s" "PanoramaK8sDSAR" "panorama" "data-science-tester"

createLeappSession "$env" "DBs" "AWSAdministratorAccess" "rds" "admin"
createLeappSession "$env" "DBs" "PanoramaDBsEngineeringDefault" "panorama" "dev-writer"
createLeappSession "$env" "DBs" "PanoramaDBsEngineeringDefault" "panorama" "dev-reader"
done

# session names from Leapp for production only
createLeappSession "production" "DBs" "PanoramaDBsProdAccess" "panorama" "dev-writer"
createLeappSession "production" "DBs" "PanoramaDBsProdAccess" "panorama" "dev-reader"
if [[ "$env" == "production" ]]; then
# This session was previously created with the "PanoramaDBsEngineeringDefault" role.
# We delete any existing session to make sure we are creating one with the correct role.
deleteLeappSession "$env" "DBs" "panorama" "dev-writer"
createLeappSession "$env" "DBs" "PanoramaDBsProdAccess" "panorama" "dev-writer"

# This session was previously created with the "PanoramaDBsEngineeringDefault" role.
# We delete any existing session to make sure we are creating one with the correct role.
deleteLeappSession "$env" "DBs" "panorama" "dev-reader"
createLeappSession "$env" "DBs" "PanoramaDBsProdAccess" "panorama" "dev-reader"
else
createLeappSession "$env" "DBs" "PanoramaDBsEngineeringDefault" "panorama" "dev-writer"
createLeappSession "$env" "DBs" "PanoramaDBsEngineeringDefault" "panorama" "dev-reader"
fi
done
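Review bot: In deleteLeappSession the exit status of `leapp session delete` is discarded, so a failed delete is only logged through logStdErr and the production branch carries on to createLeappSession. If createLeappSession skips creation when a session with that name already exists (its body is outside the visible hunks, so this is an assumption), the production dev-writer and dev-reader sessions would stay chained from the old PanoramaDBsEngineeringDefault role while the script appears to have succeeded. Propagating the failure would close that gap, e.g. `leapp session delete --sessionId "$session_id" > /dev/null 2> >(logStdErr) || return 1` in the function and `deleteLeappSession "$env" "DBs" "panorama" "dev-writer" || exit 1` at the call sites. The delete also runs on every production pass, including after the session has been recreated with PanoramaDBsProdAccess, so a comment saying when this migration step can be removed would help. Separately, the new function assigns `environment_name`, `session_name`, `session_id` and the others as globals; declaring them `local` would keep them from leaking into the surrounding loop.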
