|
 |
5c52dd |
From 4bc84bccec88abcd9bd0b840532b23ed0934c0d4 Mon Sep 17 00:00:00 2001
|
|
|
5c52dd |
From: Jason McCloskey <jamscclo@amazon.com>
|
|
|
5c52dd |
Date: Mon, 10 Feb 2020 15:18:30 -0800
|
|
|
5c52dd |
Subject: [PATCH] Allow user to specify role with which to query/update route
|
|
|
5c52dd |
table
|
|
|
5c52dd |
|
|
|
5c52dd |
Allow user to specify role with which to query/update route table
|
|
|
5c52dd |
|
|
|
5c52dd |
Allow user to specify role with which to query/update route table
|
|
|
5c52dd |
---
|
|
|
5c52dd |
heartbeat/aws-vpc-move-ip | 40 +++++++++++++++++++++++++++++++++------
|
|
|
5c52dd |
1 file changed, 34 insertions(+), 6 deletions(-)
|
|
|
5c52dd |
|
|
|
5c52dd |
diff --git a/heartbeat/aws-vpc-move-ip b/heartbeat/aws-vpc-move-ip
|
|
|
5c52dd |
index b27d0bfcd..23eec18cc 100755
|
|
|
5c52dd |
--- a/heartbeat/aws-vpc-move-ip
|
|
|
5c52dd |
+++ b/heartbeat/aws-vpc-move-ip
|
|
|
5c52dd |
@@ -145,6 +145,24 @@ Enable enhanced monitoring using AWS API calls to check route table entry
|
|
|
5c52dd |
END
|
|
|
5c52dd |
}
|
|
|
5c52dd |
|
|
|
5c52dd |
+
|
|
|
5c52dd |
+execute_cmd_as_role(){
|
|
|
5c52dd |
+ cmd=$1
|
|
|
5c52dd |
+ role=$2
|
|
|
5c52dd |
+ output="$(aws sts assume-role --role-arn $role --role-session-name AWSCLI-RouteTableUpdate --profile $OCF_RESKEY_profile --output=text)"
|
|
|
5c52dd |
+ export AWS_ACCESS_KEY_ID="$(echo $output | awk -F" " '$4=="CREDENTIALS" {print $5}')"
|
|
|
5c52dd |
+ export AWS_SECRET_ACCESS_KEY="$(echo $output | awk -F" " '$4=="CREDENTIALS" {print $7}')"
|
|
|
5c52dd |
+ export AWS_SESSION_TOKEN="$(echo $output | awk -F" " '$4=="CREDENTIALS" {print $8}')"
|
|
|
5c52dd |
+
|
|
|
5c52dd |
+ #Execute command
|
|
|
5c52dd |
+ ocf_log debug "Assumed Role ${role}"
|
|
|
5c52dd |
+ ocf_log debug "$(aws sts get-caller-identity)"
|
|
|
5c52dd |
+ ocf_log debug "executing command: $cmd"
|
|
|
5c52dd |
+ response="$($cmd)"
|
|
|
5c52dd |
+ unset output AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
|
|
|
5c52dd |
+ echo $response
|
|
|
5c52dd |
+}
|
|
|
5c52dd |
+
|
|
|
5c52dd |
ec2ip_set_address_param_compat(){
|
|
|
5c52dd |
# Include backward compatibility for the deprecated address parameter
|
|
|
5c52dd |
if [ -z "$OCF_RESKEY_ip" ] && [ -n "$OCF_RESKEY_address" ]; then
|
|
|
5c52dd |
@@ -177,9 +195,14 @@ ec2ip_monitor() {
|
|
|
5c52dd |
if ocf_is_true ${OCF_RESKEY_monapi} || [ "$__OCF_ACTION" = "start" ] || ocf_is_probe; then
|
|
|
5c52dd |
for rtb in $(echo $OCF_RESKEY_routing_table | sed -e 's/,/ /g'); do
|
|
|
5c52dd |
ocf_log info "monitor: check routing table (API call) - $rtb"
|
|
|
5c52dd |
- cmd="$OCF_RESKEY_awscli --profile $OCF_RESKEY_profile --output text ec2 describe-route-tables --route-table-ids $rtb --query RouteTables[*].Routes[?DestinationCidrBlock=='$OCF_RESKEY_ip/32'].InstanceId"
|
|
|
5c52dd |
- ocf_log debug "executing command: $cmd"
|
|
|
5c52dd |
- ROUTE_TO_INSTANCE="$($cmd)"
|
|
|
5c52dd |
+ if [[ -z "${OCF_RESKEY_routing_table_role}" ]]; then
|
|
|
5c52dd |
+ cmd="$OCF_RESKEY_awscli --profile $OCF_RESKEY_profile --output text ec2 describe-route-tables --route-table-ids $rtb --query RouteTables[*].Routes[?DestinationCidrBlock=='$OCF_RESKEY_ip/32'].InstanceId"
|
|
|
5c52dd |
+ ocf_log debug "executing command: $cmd"
|
|
|
5c52dd |
+ ROUTE_TO_INSTANCE="$($cmd)"
|
|
|
5c52dd |
+ else
|
|
|
5c52dd |
+ cmd="$OCF_RESKEY_awscli --output text ec2 describe-route-tables --route-table-ids $rtb --query RouteTables[*].Routes[?DestinationCidrBlock=='$OCF_RESKEY_ip/32'].InstanceId"
|
|
|
5c52dd |
+ ROUTE_TO_INSTANCE="$(execute_cmd_as_role "$cmd" $OCF_RESKEY_routing_table_role)"
|
|
|
5c52dd |
+ fi
|
|
|
5c52dd |
ocf_log debug "Overlay IP is currently routed to ${ROUTE_TO_INSTANCE}"
|
|
|
5c52dd |
if [ -z "$ROUTE_TO_INSTANCE" ]; then
|
|
|
5c52dd |
ROUTE_TO_INSTANCE="<unknown>"
|
|
|
5c52dd |
@@ -253,9 +276,14 @@ ec2ip_get_and_configure() {
|
|
|
5c52dd |
ocf_log debug "network interface id associated MAC address ${MAC_ADDR}: ${EC2_NETWORK_INTERFACE_ID}"
|
|
|
5c52dd |
|
|
|
5c52dd |
for rtb in $(echo $OCF_RESKEY_routing_table | sed -e 's/,/ /g'); do
|
|
|
5c52dd |
- cmd="$OCF_RESKEY_awscli --profile $OCF_RESKEY_profile --output text ec2 replace-route --route-table-id $rtb --destination-cidr-block ${OCF_RESKEY_ip}/32 --network-interface-id $EC2_NETWORK_INTERFACE_ID"
|
|
|
5c52dd |
- ocf_log debug "executing command: $cmd"
|
|
|
5c52dd |
- $cmd
|
|
|
5c52dd |
+ if [[ -z "${OCF_RESKEY_routing_table_role}" ]]; then
|
|
|
5c52dd |
+ cmd="$OCF_RESKEY_awscli --profile $OCF_RESKEY_profile --output text ec2 replace-route --route-table-id $rtb --destination-cidr-block ${OCF_RESKEY_ip}/32 --network-interface-id $EC2_NETWORK_INTERFACE_ID"
|
|
|
5c52dd |
+ ocf_log debug "executing command: $cmd"
|
|
|
5c52dd |
+ $cmd
|
|
|
5c52dd |
+ else
|
|
|
5c52dd |
+ cmd="$OCF_RESKEY_awscli --output text ec2 replace-route --route-table-id $rtb --destination-cidr-block ${OCF_RESKEY_ip}/32 --network-interface-id $EC2_NETWORK_INTERFACE_ID"
|
|
|
5c52dd |
+ update_response="$(execute_cmd_as_role "$cmd" $OCF_RESKEY_routing_table_role)"
|
|
|
5c52dd |
+ fi
|
|
|
5c52dd |
rc=$?
|
|
|
5c52dd |
if [ "$rc" != 0 ]; then
|
|
|
5c52dd |
ocf_log warn "command failed, rc: $rc"
|