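#!/bin/bash
# End-to-end check of the secret-rotation lambda against a local stack:
#   1. put a new AWSPENDING version of the user secret (this is what would
#      normally trigger rotation),
#   2. invoke the lambda's setSecret step through the local runtime
#      interface emulator on localhost:9000,
#   3. verify the new password works against the postgres container,
#   4. mock the AWSPREVIOUS/AWSCURRENT stage moves that the real rotation
#      would perform afterwards, then re-verify the login with whatever
#      password the secret now holds.
#
# Configuration comes from the environment, optionally pre-loaded from
# ./.current-test. USER_SECRET_NAME and USER_SECRET_ARN are required;
# MASTER_SECRET_ARN may be empty for the single-user case.
set -euo pipefail

test_source_file=.current-test
if [[ -f "$test_source_file" ]]; then
  # shellcheck disable=SC1090 — per-test overrides, fixed path
  source "$test_source_file"
fi

is_multi_user=${IS_MULTI_USER:-false}
db_image=${DB_IMAGE:-postgres}
engine=${DB_ENGINE:-postgres}
request_num=${REQUEST_NUM:-1}
new_password=${NEW_PASSWORD:-newpassword}
# shellcheck disable=SC2034 — kept for callers that source this script's config
master_secret_name=${MASTER_SECRET_NAME:-}
master_secret_arn=${MASTER_SECRET_ARN:-}
user_secret_name=${USER_SECRET_NAME:-}
user_secret_arn=${USER_SECRET_ARN:-}

# Fail early with a clear message instead of letting the AWS CLI reject an
# empty --secret-id further down.
: "${user_secret_name:?USER_SECRET_NAME must be set}"
: "${user_secret_arn:?USER_SECRET_ARN must be set}"

username=user1
# Multi-user mode: the lambda presumably hands the new password to the
# "_clone" user, so that is the one we log in as — confirm against the lambda.
if [[ "$is_multi_user" == "yes" || "$is_multi_user" == "true" ]]; then
  username="${username}_clone"
fi
host=host.docker.internal
port=5432
dbname=postgres

# Secret payloads go through temp files rather than argv, so the password is
# not visible to `ps` or to `set -x` tracing.
workdir=$(mktemp -d) || { printf 'mktemp failed\n' >&2; exit 1; }
cleanup() { rm -rf -- "$workdir"; }
trap cleanup EXIT

#######################################
# Print the version id that carries a given staging label.
# Arguments: $1 - describe-secret JSON, $2 - stage label (e.g. AWSCURRENT)
# Outputs:   version id on stdout; empty when no version has the label
#######################################
version_id_for_stage() {
  jq -r --arg stage "$2" \
    '.VersionIdsToStages | to_entries[] | select(any(.value[]; . == $stage)) | .key' \
    <<<"$1"
}

#######################################
# Attempt a database login with $PGPASSWORD via a throwaway psql container.
# Globals:   PGPASSWORD (read, passed through to the container)
#            db_image, host, port, username, dbname (read)
# Returns:   psql's exit status (non-zero aborts the script under set -e)
#######################################
psql_login() {
  docker run --rm --env PGPASSWORD \
    --network host --add-host=host.docker.internal:host-gateway \
    --entrypoint psql "$db_image" \
    -h "$host" -p "$port" -U "$username" -d "$dbname" -c "SELECT 1"
}

# Put a new secret version. Built with jq so a password containing quotes
# cannot break the JSON (the old tr "'" '"' trick could).
user_secret_string=$(jq -n -c \
  --arg engine "$engine" --arg host "$host" --argjson port "$port" \
  --arg dbname "$dbname" --arg username "$username" \
  --arg password "$new_password" --arg masterarn "$master_secret_arn" \
  '{engine: $engine, host: $host, port: $port, dbname: $dbname,
    username: $username, password: $password, masterarn: $masterarn}')
user_secret_file=$workdir/user-secret.json
printf '%s' "$user_secret_string" >"$user_secret_file"

client_request_token=request-$request_num-3bfd-6413-b3ul-7502bdla2941

# This initiates the rotation
aws secretsmanager put-secret-value \
  --secret-id "$user_secret_name" \
  --client-request-token "$client_request_token" \
  --secret-string "file://$user_secret_file" \
  --version-stages AWSPENDING
sleep 2

event_file=$workdir/set-secret-event.json
jq -n -c --arg token "$client_request_token" --arg arn "$user_secret_arn" \
  '{ClientRequestToken: $token, SecretId: $arn, Step: "setSecret"}' \
  >"$event_file"
# This invokes the lambda that would have been triggered by the `put-secret-value` command above
status_code=$(curl -sS "http://localhost:9000/2015-03-31/functions/function/invocations" \
  --data-binary "@$event_file" -o /dev/null -w "%{http_code}")
echo "lambda invocation status code=$status_code"
if [[ "$status_code" != "200" ]]; then
  exit 1
fi

# Test with the new password. Use the defaulted variable: the raw
# NEW_PASSWORD env var may be unset, which `set -u` would abort on.
export PGPASSWORD="$new_password"
psql_login

# Mock the stage moves a real rotation would make next:
# AWSPREVIOUS -> the old current version, AWSCURRENT -> the pending version.
secret_description=$(aws secretsmanager describe-secret --secret-id "$user_secret_name")
previous_id=$(version_id_for_stage "$secret_description" AWSPREVIOUS)
current_id=$(version_id_for_stage "$secret_description" AWSCURRENT)
pending_id=$(version_id_for_stage "$secret_description" AWSPENDING)
if [[ -z "$current_id" || -z "$pending_id" ]]; then
  printf 'secret %s has no AWSCURRENT/AWSPENDING version to rotate\n' "$user_secret_name" >&2
  exit 1
fi

move_previous_args=(--move-to-version-id "$current_id")
# On the first rotation there is no AWSPREVIOUS version yet, so nothing to remove.
if [[ -n "$previous_id" ]]; then
  move_previous_args+=(--remove-from-version-id "$previous_id")
fi
aws secretsmanager update-secret-version-stage \
  --secret-id "$user_secret_name" \
  --version-stage AWSPREVIOUS \
  "${move_previous_args[@]}"
aws secretsmanager update-secret-version-stage \
  --secret-id "$user_secret_name" \
  --version-stage AWSCURRENT \
  --move-to-version-id "$pending_id" \
  --remove-from-version-id "$current_id"

# Test with the current version returned from the secret (to confirm mock rotation above worked)
PGPASSWORD=$(aws secretsmanager get-secret-value --secret-id "$user_secret_name" \
  | jq -r '.SecretString | fromjson | .password')
export PGPASSWORD
psql_login

aws secretsmanager describe-secret --secret-id "$user_secret_name"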