From a1186a2c1cb54c91aec29a144194ce653b6311c8 Mon Sep 17 00:00:00 2001
From: T31M
Date: Sun, 5 Jun 2022 10:26:10 +0200
Subject: [PATCH] feat: update ssm tunneling script
---
 fish/theme-t31m/functions/envAWS.fish | 19 ++++++---
 fish/theme-t31m/functions/ssm_tunnel.fish | 46 ++++++++++++++++++++--
 fish/theme-t31m/functions/t31m_prompt.fish | 1 -
 3 files changed, 57 insertions(+), 9 deletions(-)
diff --git a/fish/theme-t31m/functions/envAWS.fish b/fish/theme-t31m/functions/envAWS.fish
index 3448d5e..853fc1d 100644
--- a/fish/theme-t31m/functions/envAWS.fish
+++ b/fish/theme-t31m/functions/envAWS.fish
@@ -4,7 +4,7 @@
 set AWS_IAM_USER ""
 # TODO setup your aws-mfa credential keys in the credentials file
-# TODO replace "Administrator" Role with the actual role you want to assume.
+# TODO replace "PLACE_YOUR_ROLE_HERE" with the actual role you want to assume.
 # AWS Account details
 set DEV_ACCOUNT_ID ""
@@ -26,19 +26,19 @@ function envAWS --description 'switch to different aws account environments (-)
 switch $argv[1]
 case dev
 echo "switching to /refreshing dev"
- aws-mfa --assume-role arn:aws:iam::$DEV_ACCOUNT_ID:role/Administrator --duration 43200 --role-session-name $AWS_IAM_USER
+ aws-mfa --assume-role arn:aws:iam::$DEV_ACCOUNT_ID:role/PLACE_YOUR_ROLE_HERE --duration 43200 --role-session-name "$AWS_IAM_USER"
 getAWSenv
 case stg
 echo "switching to /refreshing staging"
- aws-mfa --assume-role arn:aws:iam::$STG_ACCOUNT_ID:role/Administrator --duration 43200 --role-session-name $AWS_IAM_USER
+ aws-mfa --assume-role arn:aws:iam::$STG_ACCOUNT_ID:role/PLACE_YOUR_ROLE_HERE --duration 43200 --role-session-name "$AWS_IAM_USER"
 getAWSenv
 case prod
 echo "switching to /refreshing prod"
- aws-mfa --assume-role arn:aws:iam::$PROD_ACCOUNT_ID:role/Administrator --duration 3600 --role-session-name $AWS_IAM_USER
+ aws-mfa --assume-role arn:aws:iam::$PROD_ACCOUNT_ID:role/PLACE_YOUR_ROLE_HERE --duration 3600 --role-session-name "$AWS_IAM_USER"
 getAWSenv
 case ops
 echo "switching to /refreshing ops"
- aws-mfa --assume-role arn:aws:iam::$OPS_ACCOUNT_ID:role/Administrator --duration 3600 --role-session-name $AWS_IAM_USER
+ aws-mfa --assume-role arn:aws:iam::$OPS_ACCOUNT_ID:role/PLACE_YOUR_ROLE_HERE --duration 3600 --role-session-name "$AWS_IAM_USER"
 getAWSenv
 case '*'
 echo "Wrong / Invalid Environment provided"
@@ -67,3 +67,12 @@ function getAWSenv --description 'verify and set environment'
 return 1
 end
 end
+
+function getSecretAWS --description 'get & decrypt secrets from ssm parameter store via cli command if permissions are granted'
+ if test (count $argv) -lt 1
+ echo "Provide a Path to the Secret"
+ return
+ end
+
+ aws ssm get-parameter --name "$argv[1]" --with-decryption | jq .Parameter.Value -r
+end
\ No newline at end of file
diff --git a/fish/theme-t31m/functions/ssm_tunnel.fish b/fish/theme-t31m/functions/ssm_tunnel.fish
index 9ceced1..9ee359a 100644
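Review bot: Every `case` arm runs `getAWSenv` unconditionally after `aws-mfa`, so a failed or aborted role assumption (wrong MFA code, or the `PLACE_YOUR_ROLE_HERE` placeholder left in place) still falls through to the verification step with whatever credentials were presumably already in the environment. Chaining the two, `aws-mfa … --role-session-name "$AWS_IAM_USER"; and getAWSenv`, limits the follow-up to a successful assumption; the stg, prod and ops arms need the same change. The enclosing `switch` opens before this hunk and `getAWSenv` is defined outside it.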
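Review bot: In `getSecretAWS` the missing-argument branch writes its hint to stdout and then `return`s with the status of that `echo`, i.e. success, so a caller capturing the output (`set secret (getSecretAWS)`) receives the literal text `Provide a Path to the Secret` as its secret value and no error. Send the hint to stderr and fail explicitly: `echo "Provide a Path to the Secret" >&2` followed by `return 1`. The function's exit status is also that of `jq`, the last command in the pipeline, so a denied or non-existent parameter is not surfaced through `$status` unless `$pipestatus` is inspected after the pipeline.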
--- a/fish/theme-t31m/functions/ssm_tunnel.fish
+++ b/fish/theme-t31m/functions/ssm_tunnel.fish
@@ -1,4 +1,6 @@
-function ssm_tunnel --description 'access private AWS ressources via Bastion Host'
+# See: https://aws.amazon.com/about-aws/whats-new/2022/05/aws-systems-manager-support-port-forwarding-remote-hosts-using-session-manager/
+# And: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-sessions-start.html#sessions-remote-port-forwarding
+function ssm_tunnel --description 'Access private AWS ressources via native SSM port forwarding through bastion'
 if test (count $argv) -lt 2
 echo "Provide an Host:Port Mapping & an Local Port"
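Review bot: The rewritten `--description` string keeps the misspelling `ressources` from the line it replaces, and this text is what `functions` prints for the command; the corrected line would be `function ssm_tunnel --description 'Access private AWS resources via native SSM port forwarding through bastion'`. The body of `ssm_tunnel` continues past the end of this hunk.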
@@ -12,7 +14,45 @@ function ssm_tunnel --description 'access private AWS ressources via Bastion Hos
 # Get bastion host ID using it's name
 set INSTANCE_ID (aws ec2 describe-instances \
- --filter 'Name=tag:Name,Values=ops-infrastructure-bastion'\
+ --filter 'Name=tag:Name,Values=INSTANCE_NAME_HERE'\
+ --query "Reservations[].Instances[?State.Name == 'running'].InstanceId[]"\
+ --output text)
+
+ # AWS Remote host i.e internal.s.twaice / dualstack.internal-stg-s-inter-9ov8h1o4saoa-793915940.eu-west-1.elb.amazonaws.com
+ set REMOTE_HOST (string split -f1 : $argv[1])
+ set REMOTE_PORT (string split -f2 : $argv[1])
+ # Local port to bind for forwarding
+ set LOCAL_PORT $argv[2]
+
+ # Seconds until forwarding session times out (6h max)
+ set TIMEOUT 21600
+
+ # Start tunnel session
+ echo "Starting Tunnel"
+ aws ssm start-session --target $INSTANCE_ID \
+ --document-name "AWS-StartPortForwardingSessionToRemoteHost" \
+ --parameters "host=[$REMOTE_HOST],portNumber=[$REMOTE_PORT],localPortNumber=[$LOCAL_PORT]"
+
+ echo "Tunneling Session Exited."
+end
+
+# This function is for Platform Admin / Infrastructure users only.
+# @TODO: It still utilized the old style of ssm tunneling -> needs c&p of new style as well
+function ssm_tunnel_admin --description 'access private AWS ressources via Bastion Host'
+
+ if test (count $argv) -lt 2
+ echo "Provide an Host:Port Mapping & an Local Port"
+ return
+ end
+
+ if [ "$env" != "ops" ]
+ echo "Switch to OPS ENV first"
+ return
+ end
+
+ # Get bastion host ID using it's name
+ set INSTANCE_ID (aws ec2 describe-instances \
+ --filter 'Name=tag:Name,Values=INSTANCE_NAME_HERE'\
 --query "Reservations[].Instances[?State.Name == 'running'].InstanceId[]"\
 --output text)
@@ -40,4 +80,4 @@ function ssm_tunnel --description 'access private AWS ressources via Bastion Hos
 # stop socat on the bastion
 aws ssm cancel-command --command-id $CMD_INVOC_ID
 echo "Command Cancelled Successfully."
-end
+end
\ No newline at end of file
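Review bot: `$argv[1]` is only checked for presence earlier in the function, so an argument without a colon leaves `REMOTE_PORT` empty (`string split -f2` yields no field) and the failure surfaces only as an opaque error from `start-session`; `INSTANCE_ID` has the same exposure, since the `describe-instances` query can return nothing or several IDs when zero or many instances carry the tag, and `--target $INSTANCE_ID` is passed unchecked. `set TIMEOUT 21600` is assigned but never referenced in the rest of `ssm_tunnel` as shown here (the lines before this hunk precede the assignment), so the `6h max` comment describes nothing the `start-session` call actually does. The `# AWS Remote host i.e …` comment also still embeds a concrete internal ELB hostname, although the rest of this commit replaces such values with placeholders like `INSTANCE_NAME_HERE`. A guard on both inputs before the session starts is sketched below; `ssm_tunnel_admin` copies the same unchecked `INSTANCE_ID` lookup.
```fish
    if not string match -qr '^[^:]+:[0-9]+$' -- $argv[1]
        echo "Expected HOST:PORT, got '$argv[1]'" >&2
        return 1
    end
    # … unchanged: describe-instances lookup into INSTANCE_ID …
    if not string match -qr '^i-[0-9a-f]+$' -- $INSTANCE_ID
        echo "Expected exactly one running bastion instance ID, got: $INSTANCE_ID" >&2
        return 1
    end
    # … unchanged: REMOTE_HOST / REMOTE_PORT / LOCAL_PORT and start-session …
```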
diff --git a/fish/theme-t31m/functions/t31m_prompt.fish b/fish/theme-t31m/functions/t31m_prompt.fish
index 1f624ed..3defef2 100644
--- a/fish/theme-t31m/functions/t31m_prompt.fish
+++ b/fish/theme-t31m/functions/t31m_prompt.fish
@@ -22,7 +22,6 @@ function prompt::pyenv
 set venv (echo "$VIRTUAL_ENV" | grep -Eo '[^/]+/?$' | cut -d / -f1)
 echo -n -s (printf '%s' \U1F40D)(yellow)"["(cyan)"$venv"(yellow)"@"(off)"$python_version"(yellow)"]"(off)
 else if test -n "$PYENV_VERSION"; and [ "$PYENV_VERSION" != "$python_version" ]
- # echo -n -s (yellow)(printf '%s' \U1F40D)"["(cyan)(pyenv version-name | sed 's/:.*$//' )(off)"@$python_version"(yellow)"]"(off)
 echo -n -s (yellow)(printf '%s' \U1F40D)"["(cyan)(pyenv version-name )(off)"@$python_version"(yellow)"]"(off)
 else if test -n "$python_version"
 echo -n -s (yellow)(printf '%s' \U1F40D)"["(off)$python_version(yellow)"]"(off)