Teri Radichel


Generic Changes to Migrate Scripts From My POC Code Base to the Container Code Base

ACM.389 A one-time post on the kinds of changes I need to make to every script I migrate over

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics | Code.

🔒 Related Stories: AWS Security | Secure Code | Container Security

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In the last post, I explained how to track in CloudTrail the user, the role name they assumed, and the script they ran when deploying CloudFormation from my deployment container running on an EC2 instance.

In this post, I am going to explain the types of changes I need to make to move code from my old code base to the new one. I need to make these changes for just about every resource I copy over, so I’m not going to write them all down each time. Instead, here’s a one-time overview of the changes I’m making.

TLDR;

  • Migrate files to resources directory under the appropriate category and type and rename: [resource]_functions.sh, [resource].yaml
  • Migrate existing deploy script to new deploy directory and rename to [type]_name.sh
  • One resource per deployment file.
  • Include profile and region parameters at the top of the deploy file.
  • Fix all file paths in source commands
  • Fix comments
  • Change calls to validate_param to validate_var
  • Fix parameters passed to deploy_stack
  • Remove any hardcoded profiles
  • Add region to all commands that are regional
  • Change template outputs to return ARN or ID for output with same name as the resource name

I’m transferring over my Organizational Unit code in the example below:

Migrate files

I have three files I need to transfer over.

The generic CloudFormation template for this resource type:

OU.yaml > /awsdeploy/resources/organizations/organizationalunit/organizationalunit.yaml

The functions file related to this resource:

ou_functions.sh > /awsdeploy/resources/organizations/organizationalunit/organizationalunit_functions.sh

The file that deploys a resource with resource specific parameters:

deploy_root_ous.sh > /awsdeploy/deploy/rootadminrole/organizationalunit_governance.sh

File name changes

Note that I’m making sure all the file names are consistent with the resource type name and standard naming throughout my code base.

Also note that I changed the order of the words in the last file name. That way, if I have multiple resources of the same type in a deployment folder, they are grouped together when the files are sorted alphabetically.

In addition, I dropped “deploy” from the name because it is redundant when everything sits under a “deploy” parent folder.

More test file changes

I also changed the test deployment file to request the username (MFA device name) and cleaned up my if statements so they are hopefully easier to read and update.

Changes to deployment script

Here’s the original code in my deployment script:

I’m going to change this so the root user only deploys the Governance OU to align with my deployment script name and resource.

Recall that every script run by our container requires a region and a profile to be passed in, because the container uses them to select the credentials and the target region when it runs the script.

I add two parameters:

I fix the sourced file path.

So here’s what a typical deployment script in the deployment folder will look like, with whatever parameters that specific resource requires.

Changes to functions file

I tweak the functions file to use the new parameter validation function anywhere validate_params was called previously, to fix an issue I wrote about in an earlier post.

I correct the sourced file paths as I did above.

I remove the hardcoded profile, since the profile is set by the parent script that is invoked to run this one.

I have to update comments everywhere to match the new file structure and make any necessary changes to the description name.

I also have to rearrange the deploy_stack parameters to pass in the following parameters. Note that the last two are optional: if the template name is not passed in, it defaults to the value of the resourcetype variable.
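The following is an added example, not code from the author’s code base, showing how the pieces described above fit together: a minimal functions file with validate_var and deploy_stack, and the one-resource deployment script that calls them with the profile and region the container passes in. The function signatures, the deploy_stack argument order (with the template name and parameters as the two optional trailing arguments), the AWSDEPLOY_ROOT and DRY_RUN variables, and the OUName/ParentId template parameters are all assumptions made for illustration.

```bash
#!/bin/bash
# Added example (not the author's code): the pieces this post describes,
# assembled into one runnable file. Function names, the deploy_stack
# argument order, AWSDEPLOY_ROOT/DRY_RUN and the OU parameters are assumptions.

# ---- what the functions file would contain ----------------------------------

# validate_var NAME VALUE: fail loudly when a required variable is empty.
validate_var() {
  local name="$1" value="$2"
  if [ -z "$value" ]; then
    echo "Error: required variable '$name' is empty" >&2
    return 1
  fi
}

# deploy_stack PROFILE REGION CATEGORY RESOURCETYPE RESOURCENAME [TEMPLATE] [PARAMS]
# The last two are optional: TEMPLATE defaults to RESOURCETYPE, so the template
# is looked up at resources/CATEGORY/RESOURCETYPE/RESOURCETYPE.yaml; PARAMS is a
# space-separated list of Key=Value pairs (no spaces inside values).
# Profile and region always come from the caller and are never hardcoded.
# With DRY_RUN=1 the assembled command is echoed instead of executed.
deploy_stack() {
  local profile="$1" region="$2" category="$3" resourcetype="$4" resourcename="$5"
  local template="${6:-$resourcetype}" params="$7"
  validate_var profile "$profile" || return 1
  validate_var region "$region" || return 1
  validate_var category "$category" || return 1
  validate_var resourcetype "$resourcetype" || return 1
  validate_var resourcename "$resourcename" || return 1

  local root="${AWSDEPLOY_ROOT:-/awsdeploy}"
  local file="$root/resources/$category/$resourcetype/$template.yaml"
  local stackname="$resourcetype-$resourcename"
  local cmd="aws cloudformation deploy --profile $profile --region $region"
  cmd="$cmd --stack-name $stackname --template-file $file"
  if [ -n "$params" ]; then
    cmd="$cmd --parameter-overrides $params"
  fi

  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "$cmd"
  else
    # shellcheck disable=SC2086  # word splitting of the assembled command is intended
    $cmd
  fi
}

# ---- what deploy/rootadminrole/organizationalunit_governance.sh would contain ----

# deploy_governance_ou PROFILE REGION: deploys exactly one resource, the
# Governance OU under the organization root. r-exam is a constructed root ID.
deploy_governance_ou() {
  local profile="$1" region="$2"
  validate_var profile "$profile" || return 1
  validate_var region "$region" || return 1
  # Empty sixth argument means "use the default template name".
  deploy_stack "$profile" "$region" organizations organizationalunit governance "" \
    "OUName=Governance ParentId=r-exam"
}

# When run directly, the container passes profile and region as the first two args.
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
  deploy_governance_ou "$1" "$2"
fi
```

Because the stack name is derived from the resource type and resource name, and the template path from the category and resource type, a deployment script only has to supply the values that are specific to that one resource; everything else follows from the directory layout described above.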

Template changes

I need to change the outputs so that the output named after the resource returns either the ARN or the resource ID. If both exist, that output returns whichever is used most often, and a second output with Id or Arn appended to the name returns the other.
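As an added illustration of that outputs convention (not the author’s template), here is a minimal Organizational Unit template. The logical resource name, the parameter names, and the choice of the ID as the primary output are assumptions: for an OU the ID is what child OUs (ParentId), policy attachments and account moves consume, so the output named after the resource returns the ID and the ARN is exposed with Arn appended.

```yaml
# Added example (not the author's template). Logical and parameter names are assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Description: Organizational Unit

Parameters:
  OUName:
    Type: String
  ParentId:
    Type: String
    Description: ID of the organization root (r-...) or parent OU (ou-...)

Resources:
  OrganizationalUnit:
    Type: AWS::Organizations::OrganizationalUnit
    Properties:
      Name: !Ref OUName
      ParentId: !Ref ParentId

Outputs:
  # Named after the resource: returns the value other stacks use most (the ID).
  OrganizationalUnit:
    Value: !GetAtt OrganizationalUnit.Id
  # The alternate value, with Arn appended to the resource name.
  OrganizationalUnitArn:
    Value: !GetAtt OrganizationalUnit.Arn
```

For a resource where the ARN is what consumers usually need (an IAM role attached to a policy, for example), the two outputs swap: the resource-named output returns the ARN and the one with Id appended returns the ID.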

I will have to make those changes to just about every deployment script, and I’m going to keep one resource per deployment script. As explained in the last post, this makes it easier to tell who’s deploying what, because the script name is logged to CloudTrail in the session name.

I’ll show you later how to chain those together, hopefully into a larger script that spans resources, if all goes according to plan.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab
Code
AWS
Deploy
Container
Cloudformation