#! /bin/bash
# Shell helper functions used by pdt. Meant to be sourced into an interactive shell:
# it only defines functions (several of which export variables or activate a venv).
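_aws_exports() {
    # Interactively pick a '[profile ...]' section from ~/.aws/config and export
    # AWS_PROFILE, AWS_ACCOUNT_ID and AWS_REGION for the rest of the session.
    # Returns 1 when the config has no profiles or no profile was chosen.
    local config="$HOME/.aws/config"
    local available_profiles config_snippet
    available_profiles=$(sed -n 's/^\[profile \(.*\)\][[:space:]]*$/\1/p' "$config" 2>/dev/null)
    if [ -z "$available_profiles" ]; then
        echo "No '[profile ...]' sections found in $config" >&2
        return 1
    fi
    local PS3='Profile selection: '
    # Profile names contain no whitespace, so word-splitting the list is intended.
    # shellcheck disable=SC2086
    select AWS_PROFILE in $available_profiles; do
        [ -n "$AWS_PROFILE" ] && break
    done
    if [ -z "$AWS_PROFILE" ]; then
        echo "No profile selected" >&2
        return 1
    fi
    # Take only the lines that belong to the chosen section. The previous
    # 'grep -A 20' could run into the next profile and return *its*
    # sso_account_id / sso_region when the chosen one lacked them.
    config_snippet=$(awk -v hdr="[profile ${AWS_PROFILE}]" '
        { line = $0; sub(/[ \t]+$/, "", line) }
        line == hdr { in_section = 1; next }
        /^\[/       { in_section = 0 }
        in_section  { print }' "$config")
    AWS_ACCOUNT_ID=$(sed -n 's/^[[:space:]]*sso_account_id *= *//p' <<<"$config_snippet" | head -n 1 | sed 's/[[:space:]]*$//')
    AWS_REGION=$(sed -n 's/^[[:space:]]*sso_region *= *//p' <<<"$config_snippet" | head -n 1 | sed 's/[[:space:]]*$//')
    echo "Exporting AWS_PROFILE as: $AWS_PROFILE"
    export AWS_PROFILE
    echo "Exporting AWS_ACCOUNT_ID as: $AWS_ACCOUNT_ID"
    # The original exported AWS_REGION a second time here and never AWS_ACCOUNT_ID.
    export AWS_ACCOUNT_ID
    echo "Exporting AWS_REGION as: $AWS_REGION"
    export AWS_REGION
}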
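_verify_venv_active() {
    # Succeed (0) when a Python virtualenv is active, i.e. VIRTUAL_ENV is non-empty.
    # Otherwise print a hint to stderr and return 1 so callers can bail out with
    # '_verify_venv_active || return 1'.
    if [ -n "${VIRTUAL_ENV:-}" ]; then
        return 0
    fi
    echo "Activate the venv then try again" >&2   # was 'than'
    return 1
}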
_check_dir() {
    # Return 0 when the current directory's path ends in 'pet-diary' (the project
    # root); otherwise print a hint and return 1.
    case "$PWD" in
        *pet-diary)
            return 0
            ;;
        *)
            echo "It doesn't appear as though you are in the right directory, try navigating to the root of the project"
            return 1
            ;;
    esac
}
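aws-login() {
    # Pick a profile (exports AWS_PROFILE / AWS_ACCOUNT_ID / AWS_REGION) and
    # start the SSO login for it. Stops if no profile could be selected so that
    # 'aws sso login' is never run against whatever default the CLI would pick.
    _aws_exports || return 1
    echo "Logging into AWS CLI"
    aws sso login
}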
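aws-add-test-profile() {
    # Append the unit-test profile (read from ./aws-test-profile in the project
    # root) to ~/.aws/config unless a section with that header already exists.
    # Returns 1 when ~/.aws/config or ./aws-test-profile is missing.
    local config="$HOME/.aws/config"
    local snippet='aws-test-profile'
    local header='profile only-unit-tests!'
    echo "Checking aws config for test profile"
    if [ ! -e "$config" ]; then
        echo "There was no aws config file found at ~/.aws/config"
        echo "If you have specified a different location for the config, then I trust you to fix this yourself"
        return 1
    fi
    if grep -q -F -- "$header" "$config"; then
        echo "Testing profile found already"
        return 0
    fi
    echo "Test profile not found, adding now"
    # The snippet lives in the project root, exactly as _aws-force-config-and-test-profile
    # reads it; the previous absolute path '/aws-test-profile' could never be found.
    if [ ! -r "$snippet" ]; then
        echo "Cannot read ./$snippet - run this from the project root" >&2
        return 1
    fi
    cat -- "$snippet" >> "$config"
}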
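_aws-force-config-and-test-profile() {
    # Create ~/.aws if it is missing and append the test profile from
    # ./aws-test-profile to ~/.aws/config (creating the file if needed).
    local snippet='aws-test-profile'
    echo "Creating parent directory '~/.aws'"
    # -p: an existing directory is not an error (plain 'mkdir' printed one and
    # carried on). 0700 because the same directory usually holds credentials.
    mkdir -p -m 0700 "$HOME/.aws" || return 1
    if [ ! -r "$snippet" ]; then
        echo "Cannot read ./$snippet - run this from the project root" >&2
        return 1
    fi
    echo "Creating config file with test profile."
    cat -- "$snippet" >> "$HOME/.aws/config"
}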
_delimit() {
    # Print an 80-column rule followed by an empty line; used to separate the
    # sections of the security report.
    printf '%s\n\n' "================================================================================"
}
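full-security-check() {
    # Run every scanner in turn (Bandit, Checkov, Grype) and return the last
    # non-zero status, so one failing scanner fails the whole report.
    # Requires an active venv; the original printed the hint and carried on.
    local exit_status=0
    _verify_venv_active || return 1
    printf '\tGenerating Security Report\n'
    printf '\t\t%s\n' "$(date)"
    _delimit
    python-security-check || exit_status="$?"
    _delimit
    _sam-security-check || exit_status="$?"
    _delimit
    third-party-security-check || exit_status="$?"
    return "$exit_status"
}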
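sam-check() {
    # Validate/lint the SAM template, then scan it with Checkov. A failed
    # 'sam validate' now also fails the check instead of being masked by the
    # Checkov status, and a missing venv stops the run.
    local exit_status=0
    _verify_venv_active || return 1
    sam-validate-template || exit_status="$?"
    _sam-security-check || exit_status="$?"
    return "$exit_status"
}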
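sam-validate-template() {
    # Validate and lint template.yaml as if deploying to a region
    # ($1, default eu-west-2). Returns 'sam validate's status.
    # more info: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-cli-command-reference-sam-validate.html
    #
    # The region is a local: the original assigned the global AWS_REGION, so a
    # later sam-deploy / sam-destroy silently targeted eu-west-2 instead of the
    # region exported by _aws_exports.
    local region="${1:-eu-west-2}"
    echo "Validating SAM template as if region is ${region}"
    sam validate \
        --region "$region" \
        --lint \
        --template-file "template.yaml"
}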
_sam-security-check() {
    # Static-analyse template.yaml with Checkov; the function's status is
    # Checkov's exit code.
    local template='template.yaml'
    echo "Checking SAM template for security faults with Checkov"
    checkov --compact -f "$template"
}
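basic-db-query() {
    # Run the local helper that issues basic queries against the database.
    # Both preconditions are enforced; the original only printed the hints and
    # ran the script anyway.
    _verify_venv_active || return 1
    _check_dir || return 1
    python3 ./app/local_use/basic_queries.py
}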
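sam-deploy() {
    # Build the Lambda packages and deploy pet-diary-stack with the profile and
    # region exported by aws-login. Refuses to run without them (sam would
    # otherwise fall back to whatever default the environment provides) and
    # stops if packaging fails, so stale artefacts are never deployed.
    if [ -z "${AWS_PROFILE:-}" ] || [ -z "${AWS_REGION:-}" ]; then
        echo "AWS_PROFILE / AWS_REGION are not set - run aws-login first" >&2
        return 1
    fi
    echo "Creating Lambda packages"
    make lambda_packages || return "$?"
    echo "Deploying application into the '$AWS_REGION' region, using the '$AWS_PROFILE' profile"
    # CAPABILITY_NAMED_IAM lets the template create explicitly named IAM
    # resources - review the IAM changes in the changeset before confirming.
    if ! sam deploy \
        --stack-name pet-diary-stack \
        --template "template.yaml" \
        --region "$AWS_REGION" \
        --profile "$AWS_PROFILE" \
        --capabilities CAPABILITY_NAMED_IAM \
        --resolve-s3; then
        echo "Did you get an issue with reserved concurrency for the account going below 10?"
        echo "Follow the instructions: https://docs.aws.amazon.com/servicequotas/latest/userguide/request-quota-increase.html"
        return 1
    fi
}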
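sam-destroy() {
    # Delete pet-diary-stack using the profile and region exported by aws-login.
    # Refuses to run without them so a teardown never hits a default profile or
    # region by accident.
    if [ -z "${AWS_PROFILE:-}" ] || [ -z "${AWS_REGION:-}" ]; then
        echo "AWS_PROFILE / AWS_REGION are not set - run aws-login first" >&2
        return 1
    fi
    echo "Tearing down application from the '$AWS_REGION' region, using the '$AWS_PROFILE' profile"
    # NOTE(review): the bucket is spelled 'pet-dairy-app' while everything else
    # says 'pet-diary' - confirm it matches the real artefact bucket name.
    sam delete \
        --stack-name pet-diary-stack \
        --region "$AWS_REGION" \
        --profile "$AWS_PROFILE" \
        --s3-bucket pet-dairy-app
}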
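python-lint() {
    # Run flake8 with the settings from tox.ini; returns flake8's status
    # (the trailing echo only runs, and only matters, on success).
    _verify_venv_active || return 1
    echo "linting Python"
    flake8 --config tox.ini && echo "No issues detected"
}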
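python-security-check() {
    # Scan app/ for Python security issues with Bandit (skipping __pycache__);
    # returns Bandit's status. Venv and directory checks are now enforced.
    _verify_venv_active || return 1
    _check_dir || return 1
    echo "Checking app/ for Python security issues with Bandit"
    bandit -x __pycache__ -r ./app/
}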
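python-test() {
    # Run the test-suite under ./tests verbosely; returns pytest's status.
    # Venv and directory checks are now enforced rather than only printed.
    _verify_venv_active || return 1
    _check_dir || return 1
    pytest ./tests -vv
}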
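configure-venv() {
    # Create (if missing) and activate ./pet-diary-venv, install requirements.txt,
    # and append the project's .env to the venv's activate script so its settings
    # load together with the venv. Must be run from the project root.
    local venv='pet-diary-venv'
    local activate="./$venv/bin/activate"
    echo "Checking current working directory."
    # Same rule as _check_dir: the venv and requirements.txt are resolved relative
    # to the project root, so merely being somewhere under it is not enough.
    _check_dir || return 1
    echo "Current working directory is: $PWD"
    echo "Checking for virtual environment."
    if [ -d "$venv/" ]; then
        echo "Virtual environment present."
    else
        echo "Creating virtual environment."
        python3 -m venv "$venv" || return 1
    fi
    echo "Activating virtual environment."
    # shellcheck disable=SC1090
    source "$activate" || return 1
    echo "Updating pip, and installing dependencies."
    # requirements.txt is installed as-is (no --require-hashes); pin versions
    # there if reproducible installs matter.
    python3 -m pip install --upgrade pip || return 1
    python3 -m pip install -r ./requirements.txt || return 1
    echo "Checking venv configuration"
    if [ ! -r .env ]; then
        # The original fed a failed 'tail' into 'grep -F ""', which matches
        # anything and silently reported the venv as set up.
        echo "No .env file found in $PWD, leaving $activate untouched" >&2
    elif grep -q -F -- "$(tail -n 1 .env)" "$activate"; then
        # The last line of .env doubles as the "already appended" marker, as before.
        echo "Looks like you're all set up"
    else
        echo "Amending $venv/bin/activate"
        # The activate script belongs to whoever created the venv, so the old
        # 'sudo tee' was a needless root escalation. Appending .env verbatim
        # copies any secrets it holds into the venv - keep both out of git.
        cat .env >> "$activate" || return 1
    fi
    echo "Restarting virtual environment"
    # shellcheck disable=SC1090
    source "$activate" 1>/dev/null
    echo "Complete, enjoy your new venv"
}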
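third-party-security-check () {
    # Scan the project tree for known-vulnerable third-party packages with Grype;
    # returns Grype's status. Venv and directory checks are now enforced.
    _verify_venv_active || return 1
    _check_dir || return 1
    echo "Scanning project for 3rd party dependency issues using Grype"
    grype dir:'./' -q
}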
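install-anchore-security-tools () {
    # Install Grype into /usr/local/bin unless it is already on PATH.
    # Optional $1: a Grype release tag to pin; it is passed to the upstream
    # installer as its last argument (check the script if that ever changes).
    # Without it the latest release is installed, as before.
    local version="${1:-}"
    local installer_url='https://raw.githubusercontent.com/anchore/grype/main/install.sh'
    local installer status
    local -a installer_args=(-b /usr/local/bin)
    _verify_venv_active || return 1
    echo "Checking for Grype"
    if command -v grype >/dev/null 2>&1; then
        echo "Grype install detected in $(command -v grype)"
        echo "Looks like you're already set up"
        return 0
    fi
    echo "Installing Grype"
    # Download first, then run: 'curl | sudo sh' executes whatever comes back,
    # as root, with no chance to inspect it or notice a truncated transfer.
    # --proto/--tlsv1.2 keep it on HTTPS, -f rejects HTTP error pages.
    installer=$(mktemp) || return 1
    if ! curl --proto '=https' --tlsv1.2 -# -fL -o "$installer" "$installer_url"; then
        echo "Failed to download the Grype installer" >&2
        rm -f -- "$installer"
        return 1
    fi
    # The installer itself is still fetched from an unpinned branch and is not
    # signature-checked here; this only makes the download inspectable.
    if [ -n "$version" ]; then
        installer_args+=("$version")
    fi
    sudo sh "$installer" "${installer_args[@]}"
    status=$?
    rm -f -- "$installer"
    return "$status"
}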
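coverage-python () {
    # Run the test-suite with coverage for app/. $1 selects the report:
    #   term - terminal report listing missing lines
    #   html - write coverage/ and open coverage/index.html in the browser
    # For more information on test coverage see https://pytest-cov.readthedocs.io/en/latest/config.html
    # Returns 1 on an unknown option or when no venv is active (the original
    # only printed the venv hint and carried on).
    local option="${1:-}"
    _verify_venv_active || return 1
    case "$option" in
        term)
            pytest \
                --cov-report term-missing \
                --cov=app tests/
            ;;
        html)
            pytest \
                --cov-report html:coverage/ \
                --cov=app tests/
            xdg-open coverage/index.html &
            ;;
        *)
            echo "Invalid option."
            echo "Options are html or term."
            return 1
            ;;
    esac
}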
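describe-deployment () {
    # Print name / status / last-update of every resource in pet-diary-stack.
    # Uses whatever AWS_PROFILE / AWS_REGION are exported (see aws-login).
    # The awk columns ($2, $4, $8) line up with the CLI's text-format rows
    # (LogicalResourceId, ResourceStatus, Timestamp), so ask for that format
    # explicitly instead of relying on the caller's configured output format;
    # re-check the column numbers if the CLI's text layout ever changes.
    aws cloudformation describe-stack-resources \
        --stack-name pet-diary-stack \
        --output text \
        | awk 'BEGIN { printf "%-40s %-20s %s\n", "Name", "Status", "Date" } /pet-diary/ { printf "%-40s %-20s %s\n", $2, $4, $8 }'
}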
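subscribe-to-sns-topic () {
    # Run the local helper that subscribes to the application's SNS topic.
    # Same preconditions as basic-db-query, since the path is project-root
    # relative. (The script is spelled 'suscribe' on disk - keep that in sync.)
    _verify_venv_active || return 1
    _check_dir || return 1
    python3 app/local_use/suscribe_to_sns_topic.py
}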