#!/usr/bin/env bash set -euo pipefail set -x SCRIPTPATH="$( cd "$(dirname "$0")" ; pwd -P )" ACCOUNT_ID=$(aws sts get-caller-identity | jq -r '.Account') DEFAULT_VPC_ID="$(aws ec2 describe-vpcs --filters "Name=is-default,Values=true" | jq -r '.Vpcs[0] .VpcId')" SUBNET_ID="$(aws ec2 describe-subnets --filters "Name=vpc-id,Values=${DEFAULT_VPC_ID}" | jq -r '.Subnets[0] .SubnetId')" ROLE_NAME="CDKSyncer" POLICY_ARN="arn:aws:iam::${ACCOUNT_ID}:policy/CDKSyncer" SSM_MANAGED_POLICY_ARN="arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" for instance_id in $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Name,Values=${ROLE_NAME}" | jq -r '.Reservations[] .Instances[] .InstanceId'); do aws ec2 terminate-instances --instance-ids ${instance_id} done TRUST_POLICY_FILE="/tmp/trustpolicy.json" POLICY_FILE="/tmp/policy.json" cat << EOF > "${TRUST_POLICY_FILE}" { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF cat << EOF > "${POLICY_FILE}" { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudformation:*" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ssm:GetParameter", "ssm:PutParameter" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:GetRole" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "sts:AssumeRole" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "ec2:TerminateInstances" ], "Resource": [ "*" ] } ] } EOF if aws iam get-role --role-name "${ROLE_NAME}"; then aws iam remove-role-from-instance-profile --instance-profile-name "${ROLE_NAME}" --role-name "${ROLE_NAME}" || : aws iam delete-instance-profile --instance-profile-name "${ROLE_NAME}" || : aws iam detach-role-policy --role-name "${ROLE_NAME}" --policy-arn "${POLICY_ARN}" || : aws iam detach-role-policy --role-name "${ROLE_NAME}" --policy-arn "${SSM_MANAGED_POLICY_ARN}" || : aws iam delete-policy --policy-arn "${POLICY_ARN}" || : aws iam delete-role --role-name "${ROLE_NAME}" || : fi aws iam create-role --role-name "${ROLE_NAME}" --assume-role-policy-document "file://${TRUST_POLICY_FILE}" aws iam create-policy --policy-name "${ROLE_NAME}" --policy-document "file://${POLICY_FILE}" aws iam attach-role-policy --role-name "${ROLE_NAME}" --policy-arn "${POLICY_ARN}" aws iam attach-role-policy --role-name "${ROLE_NAME}" --policy-arn "${SSM_MANAGED_POLICY_ARN}" aws iam create-instance-profile --instance-profile-name "${ROLE_NAME}" aws iam add-role-to-instance-profile --instance-profile-name "${ROLE_NAME}" --role-name "${ROLE_NAME}" sleep 10 aws ec2 run-instances \ --image-id resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 \ --instance-type t3.medium \ --count 1 \ --subnet-id "${SUBNET_ID}" \ --user-data "file://${SCRIPTPATH}/sync-cluster" \ --iam-instance-profile "{\"Name\": \"${ROLE_NAME}\"}" \ --tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=${ROLE_NAME}}]" \ --metadata-options "HttpTokens=required,HttpEndpoint=enabled"