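#!/usr/bin/env bash
#
# tag-aws.sh (github.com/openshift/installer@v1.4.17/scripts/maintenance/tag-aws.sh)
#
# Tags AWS resources found in CloudTrail with 'expirationDate: <date>' by running
# grafiti in a podman container. AWS credentials are read from the environment
# and handed to that container.

# Print the help text to stdout.
usage() {
  cat <<EOF

$(basename "$0") tags AWS resources with 'expirationDate: some-date-string',
defaulting to tomorrow's date, and excludes all resources tagged with
tag keys/values specified in an 'exclude' file. Requires that 'podman' is
installed.

AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environmental variables must be set.

Options:

  --force           Override user input prompts. Useful for automation.

  --grafiti-version Either the semver release version, ex. v0.1.1, or sha commit
                    hash of a grafiti image hosted in quay.io.

  --aws-region      The AWS region you wish to query for taggable resources. This
                    flag is optional if AWS_REGION is set. You can also set a
                    default region for the default profile in your ~/.aws
                    configuration files, although for this you must have the 'aws'
                    command installed).

  --config-file     A grafiti configuration file. See an example at
                    https://github.com/coreos/grafiti/blob/master/config.toml.

  --exclude-file    A file containing a JSON array of Key/Value pair objects.

  --start-hour      Integer hour to start looking at CloudTrail logs. Defaults to 8.

  --end-hour        Integer hour to end looking at CloudTrail logs. Defaults to 1.

  --date-override   (optional) Date of the format YYYY-MM-DD that overrides the
                    default tag value of tomorrow's date. This script tags resources
                    with 'expirationDate: some-date-string', where some-date-string
                    is replaced with either tomorrow's date or date-override.

  --dry-run         (optional) If set, grafiti will only do a dry run, i.e. not tag
                    any resources.

EOF
}

# Abort unless the flag in $1 is followed by a value in $2.
# Call as: need_value "$@"
need_value() {
  if [ $# -lt 2 ]; then
    echo "Flag '$1' requires a value." >&2
    exit 1
  fi
}

# Single EXIT handler. Registering a second 'trap ... EXIT' would replace the
# first one, so container shutdown and temp-dir removal both live here.
cleanup() {
  local status=$?
  if [ -n "$container_started" ]; then
    # Best effort: with 'podman run --rm' the container is normally gone already.
    podman stop grafiti-tagger >/dev/null 2>&1 || true
  fi
  if [ -n "$tmp_dir" ]; then
    rm -rf -- "$tmp_dir"
  fi
  exit "$status"
}

force=
version=
region=
config_file=
exclude_file=
date_string=
start_hour=8
end_hour=1
dry_run=
tmp_dir=
container_started=

while [ $# -gt 0 ]; do
  case "$1" in
    --help)
      usage
      exit
      ;;
    --force)
      force=true
      ;;
    --grafiti-version)
      need_value "$@"
      version="$2"
      shift
      ;;
    --aws-region)
      need_value "$@"
      region="$2"
      shift
      ;;
    --config-file)
      need_value "$@"
      config_file="$2"
      shift
      ;;
    --exclude-file)
      need_value "$@"
      exclude_file="$2"
      shift
      ;;
    --start-hour)
      need_value "$@"
      start_hour="$2"
      shift
      ;;
    --end-hour)
      need_value "$@"
      end_hour="$2"
      shift
      ;;
    --date-override)
      need_value "$@"
      # The value is spliced into the tag pattern of the generated config, so
      # accept only the documented YYYY-MM-DD shape.
      case "$2" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *)
          echo "--date-override must be of the format YYYY-MM-DD." >&2
          exit 1
          ;;
      esac
      date_string="\\\"$2\\\""
      shift
      ;;
    --dry-run)
      # Only this fixed literal is ever interpolated into the container command.
      dry_run="--dry-run"
      ;;
    *)
      echo "Flag '$1' is not supported." >&2
      exit 1
      ;;
  esac
  shift
done

if ! command -v podman >/dev/null; then
  echo "Missing required dependencies" >&2
  exit 1
fi

# Region precedence: --aws-region, then $AWS_REGION, then the aws CLI default.
if [ -z "$region" ]; then
  if [ -n "${AWS_REGION:-}" ]; then
    region="$AWS_REGION"
  elif ! command -v aws >/dev/null; then
    echo "Without the 'aws' command, you must set either --aws-region or \$AWS_REGION" >&2
    exit 1
  else
    region="$(aws configure get region)"
    if [ -z "$region" ]; then
      echo "Must provide an AWS region, set the AWS_REGION, or set a region in your ~/.aws/config" >&2
      exit 1
    fi
  fi
fi

if [ -z "$version" ]; then
  echo "Grafiti image version required." >&2
  exit 1
fi

if [ -z "$start_hour" ] || [ -z "$end_hour" ]; then
  echo "Start hour and end hour must be specified." >&2
  exit 1
fi

# Both hours are written verbatim into the generated TOML, so require digits only.
case "$start_hour$end_hour" in
  *[!0-9]*)
    echo "Start hour and end hour must be non-negative integers." >&2
    exit 1
    ;;
esac

set -e

# Tag all resources present in CloudTrail over the specified time period with
# tomorrow's date as default, or with the --date-override value.
# Format YYYY-MM-DD.
trap cleanup EXIT
# The directory is created under the current working directory; readlink -m
# turns it into the absolute path the volume mount below needs.
tmp_dir="$(mktemp -d tag-aws-XXXXXXXXXX)"
tmp_dir="$(readlink -m -- "$tmp_dir")"

if [ -z "$date_string" ]; then
  date_string='(now + 24*60*60|strftime(\"%Y-%m-%d\"))'
fi

# Configure grafiti to tag all resources created between start_hour and
# end_hour hours ago, unless the caller supplied a complete config file.
if [ -n "$config_file" ]; then
  cat -- "$config_file" >"$tmp_dir/config.toml"
else
  cat <<EOF >"$tmp_dir/config.toml"
endHour = -${end_hour}
startHour = -${start_hour}
includeEvent = false
tagPatterns = [
  "{expirationDate: ${date_string}}"
]
EOF
fi

# Exclusion file prevents tagging of resources that already have tags with the
# key "expirationDate".
if [ -n "$exclude_file" ]; then
  cat -- "$exclude_file" >"$tmp_dir/exclude"
else
  echo '{"TagFilters":[{"Key":"expirationDate","Values":[]}]}' >"$tmp_dir/exclude"
fi

echo "Tagging resources with the following configuration:"
cat "$tmp_dir/config.toml"

if [ -n "$dry_run" ]; then
  echo "Dry run flag set. Not tagging any resources."
fi

if [ -z "$force" ]; then
  yn=
  read -rp "Proceed tagging these resources? [y/N]: " yn || true
  if [ "$yn" != "y" ]; then
    echo "Aborting tagging and cleaning up." >&2
    exit 1
  fi
fi

container_started=true

# Credentials are passed with the value-less form of -e, which makes podman
# copy them from this process's environment; the secrets then never appear in
# podman's argument list, where other local users could read them with ps.
# NOTE(review): the image is referenced by tag and receives these credentials;
# pin it by digest where image provenance matters.
podman run -t --rm --name grafiti-tagger \
  -v "$tmp_dir":/tmp/config:z \
  -e AWS_ACCESS_KEY_ID \
  -e AWS_SECRET_ACCESS_KEY \
  -e AWS_SESSION_TOKEN \
  -e AWS_REGION="$region" \
  -e CONFIG_FILE="/tmp/config/config.toml" \
  -e TAG_FILE="/tmp/config/exclude" \
  quay.io/coreos/grafiti:"${version}" \
  bash -c "grafiti --config \"\$CONFIG_FILE\" parse | \
    grafiti --config \"\$CONFIG_FILE\" filter --ignore-file \"\$TAG_FILE\" | \
    grafiti $dry_run --config \"\$CONFIG_FILE\" tag"

set +e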