#!/bin/bash
# Import the access policies (rolebindings) exported under data/policies/iam,
# one scope at a time: organization, clustergroups, workspaces.
# Both helper files are sourced relative to the working directory; they are
# expected to provide log, register_last_words, update_default_group and
# import_rolebindings (which file defines which is not visible here).
. utils/common.sh
. utils/policy-helper.sh
register_last_words "Import access policies"

# Exported policy tree, and a timestamped scratch directory created beneath it.
DATA_DIR=data
SRC_DIR="${DATA_DIR}/policies/iam"
TEMP_DIR="${PWD}/${SRC_DIR}/$(date +%s)"
# Seconds to pause after each import call.
INTERVAL=2
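#######################################
# Import the organization-scope rolebindings.
# Globals:   TEMP_DIR, SRC_DIR, INTERVAL (read)
# Arguments: none
# Outputs:   writes <TEMP_DIR>/organization/rolebindings.json when there is
#            something to import
# Returns:   0, or non-zero when the source directory cannot be entered
#######################################
import_org_rolebindings() {
  local scope="organization"
  local org_temp="$TEMP_DIR/$scope"
  local rolebindings="$org_temp/rolebindings.json"
  local direct_effectives

  mkdir -p -- "$org_temp"
  pushd "$SRC_DIR/$scope" > /dev/null || return 1

  # Sum the sizes of all policyList entries into ONE number. The previous
  # per-entry output broke the arithmetic test on an empty or multi-entry
  # list; `[]?` tolerates a missing policyList and `// 0` a blank result.
  direct_effectives=$(jq '[.policyList[]? | length] | add // 0' rolebindings.json)
  if [[ "${direct_effectives:-0}" -ne 0 ]]; then
    # Only the first policy is imported, with its meta block dropped.
    jq '.policyList[0] | del(.meta)' rolebindings.json | update_default_group > "$rolebindings"
    import_rolebindings "$rolebindings" "$scope"
    sleep "$INTERVAL"
  fi
  popd > /dev/null
}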
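#######################################
# Import the direct (non-inherited) rolebindings of every clustergroup.
# Globals:   TEMP_DIR, SRC_DIR, INTERVAL (read)
# Arguments: none
# Outputs:   one <TEMP_DIR>/clustergroups/<name>.json per clustergroup that
#            has direct rolebindings
# Returns:   0, or non-zero when the source directory cannot be entered
#######################################
import_clustergroup_rolebindings() {
  local scope="clustergroups"
  local clustergroup_temp="$TEMP_DIR/$scope"
  local src_file resource_name rolebindings policy_specs

  mkdir -p -- "$clustergroup_temp"
  pushd "$SRC_DIR/$scope" > /dev/null || return 1

  # Glob rather than parse `ls | sed`; the -e guard covers a directory
  # with no *.json (the literal pattern is returned when nothing matches).
  for src_file in *.json; do
    [[ -e "$src_file" ]] || continue
    resource_name="${src_file%.json}"
    log info "Importing access policies on clustergroup $resource_name ..."
    rolebindings="$clustergroup_temp/$resource_name.json"

    # Select the direct policySpecs once; an empty result means the same
    # thing as the former separate existence check (no direct binding).
    policy_specs=$(jq '.effective[] | select(.spec.inherited != true).spec.policySpec' "$src_file")
    if [[ -z "$policy_specs" ]]; then
      log info "[SKIP] no direct rolebinding for $scope:$resource_name is required to imported"
      continue
    fi
    printf '%s\n' "$policy_specs" | update_default_group > "$rolebindings"
    import_rolebindings "$rolebindings" "$scope" "$resource_name"
    sleep "$INTERVAL"
  done
  popd > /dev/null
}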
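#######################################
# Import the direct (non-inherited) rolebindings of every workspace.
# Globals:   TEMP_DIR, SRC_DIR, INTERVAL (read)
# Arguments: none
# Outputs:   one <TEMP_DIR>/workspaces/<name>.json per workspace that has
#            direct rolebindings
# Returns:   0, or non-zero when the source directory cannot be entered
#######################################
import_workspace_rolebindings() {
  local scope="workspaces"
  local workspace_temp="$TEMP_DIR/$scope"
  local src_file resource_name rolebindings policy_specs

  mkdir -p -- "$workspace_temp"
  pushd "$SRC_DIR/$scope" > /dev/null || return 1

  # Glob rather than parse `ls | sed`; the -e guard covers a directory
  # with no *.json (the literal pattern is returned when nothing matches).
  for src_file in *.json; do
    [[ -e "$src_file" ]] || continue
    resource_name="${src_file%.json}"
    log info "Importing access policies on workspace $resource_name ..."
    rolebindings="$workspace_temp/$resource_name.json"

    # Select the direct policySpecs once; an empty result means the same
    # thing as the former separate existence check (no direct binding).
    policy_specs=$(jq '.effective[] | select(.spec.inherited != true).spec.policySpec' "$src_file")
    if [[ -z "$policy_specs" ]]; then
      log info "[SKIP] no direct rolebinding for $scope:$resource_name is required to imported"
      continue
    fi
    printf '%s\n' "$policy_specs" | update_default_group > "$rolebindings"
    import_rolebindings "$rolebindings" "$scope" "$resource_name"
    sleep "$INTERVAL"
  done
  popd > /dev/null
}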
#######################################
# Entry point: print the banner, then import rolebindings scope by scope
# in the fixed order organization, clustergroups, workspaces.
#######################################
main() {
  local banner="************************************************************************"
  local step
  log "$banner"
  log "* Import Policy Access to TMC SM ..."
  log "$banner"
  # "<label>:<function>" pairs; the label is only used in the log line.
  for step in \
    "organization:import_org_rolebindings" \
    "clustergroups:import_clustergroup_rolebindings" \
    "workspaces:import_workspace_rolebindings"; do
    log info "Importing rolebindings on ${step%%:*} ..."
    "${step#*:}"
  done
}
main "$@"