Add ability to source inital user configuration from AWS SM

tomklapiscak · tomklapiscak · commit f828dac51128 · 2025-03-27T13:07:14.000Z
diff --git a/README.md b/README.md
@@ -37,3 +37,44 @@ updateTektonDefinitions(pipelinesNamespace, "/mascli/templates/ibm-mas-tekton.ya
 pipelineURL = launchUpgradePipeline(self.dynamicClient, instanceId)
 print(pipelineURL)
 ```
+
+
+mas-devops-create-initial-users
+---------------------------------------------
+
+
+```bash
+SM_AWS_REGION=""
+SM_AWS_ACCESS_KEY_ID=""
+SM_AWS_SECRET_ACCESS_KEY=""
+
+aws configure set default.region ${SM_AWS_REGION}
+aws configure set aws_access_key_id ${SM_AWS_ACCESS_KEY_ID}
+aws configure set aws_secret_access_key ${SM_AWS_SECRET_ACCESS_KEY}
+
+
+oc login --token=sha256~xxx --server=https://xxx:6443
+
+oc port-forward service/admin-dashboard 8445:443 -n mas-tgk01-core
+oc port-forward service/coreapi 8444:443 -n mas-tgk01-core
+oc port-forward service/tgk01-masdev 8443:443 -n mas-tgk01-manage
+
+mas-devops-create-initial-users-for-saas \
+    --mas-instance-id tgk01 \
+    --mas-workspace-id masdev \
+    --log-level INFO \
+    --initial-users-secret-name "aws-dev/noble4/tgk01/initial_users" \
+    --manage-api-port 8443 \
+    --coreapi-port 8444 \
+    --admin-dashboard-port 8445
+    
+
+mas-devops-create-initial-users-for-saas \
+    --mas-instance-id tgk01 \
+    --mas-workspace-id masdev \
+    --log-level INFO \
+    --initial-users-yaml-file /home/tom/workspaces/notes/mascore3423/example-users-single.yaml \
+    --manage-api-port 8443 \
+    --coreapi-port 8444 \
+    --admin-dashboard-port 8445
+```
diff --git a/bin/mas-devops-create-initial-users-for-saas b/bin/mas-devops-create-initial-users-for-saas
@@ -16,11 +16,12 @@ import argparse
 import logging
 import urllib3
 urllib3.disable_warnings()
-import os
-import sys
-import json
-import re
 import yaml
+import json
+import sys
+
+import boto3
+from botocore.exceptions import ClientError
 
 from mas.devops.users import MASUserUtils
 
@@ -30,18 +31,20 @@ if __name__ == "__main__":
     parser = argparse.ArgumentParser()
 
     # Primary Options
+    parser.add_argument("--mas-account-id", required=False) # TODO: remove if unused
+    parser.add_argument("--mas-cluster-id", required=False) # TODO: remove if unused
     parser.add_argument("--mas-instance-id", required=True)
     parser.add_argument("--mas-workspace-id", required=True)
-    parser.add_argument("--initial-users-yaml-file", required=True)
     parser.add_argument("--log-level", required=False, choices=["DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL"], default="WARNING")
-    parser.add_argument("--dry-run", required=False, help="When specified, nothing will actually be deleted from the cluster", action="store_true")
-
-
     parser.add_argument("--coreapi-port", required=False, default=443)
     parser.add_argument("--admin-dashboard-port", required=False, default=443)
     parser.add_argument("--manage-api-port", required=False, default=443)
 
 
+    group = parser.add_mutually_exclusive_group(required=True)
+    group.add_argument("--initial-users-yaml-file")
+    group.add_argument("--initial-users-secret-name")
+
     args, unknown = parser.parse_known_args()
 
     log_level = getattr(logging, args.log_level)
@@ -57,26 +60,29 @@ if __name__ == "__main__":
     ch.setFormatter(chFormatter)
     logger.addHandler(ch)
 
-
+    mas_account_id = args.mas_account_id
+    mas_cluster_id = args.mas_cluster_id
     mas_instance_id = args.mas_instance_id
     mas_workspace_id = args.mas_workspace_id
     initial_users_yaml_file = args.initial_users_yaml_file
-    dry_run = args.dry_run
+    initial_users_secret_name = args.initial_users_secret_name
     coreapi_port = args.coreapi_port
     admin_dashboard_port = args.admin_dashboard_port
     manage_api_port = args.manage_api_port
 
 
     logger.info("Configuration:")
     logger.info("--------------")
-    logger.info(f"mas_instance_id:         {mas_instance_id}")
-    logger.info(f"mas_workspace_id:        {mas_workspace_id}")
-    logger.info(f"initial_users_yaml_file: {initial_users_yaml_file}")
-    logger.info(f"log_level:               {log_level}")
-    logger.info(f"dry_run:                 {dry_run}")
-    logger.info(f"coreapi_port:            {coreapi_port}")
-    logger.info(f"admin_dashboard_port:    {admin_dashboard_port}")
-    logger.info(f"manage_api_port:         {manage_api_port}")
+    logger.info(f"mas_account_id:            {mas_account_id}")
+    logger.info(f"mas_cluster_id:            {mas_cluster_id}")
+    logger.info(f"mas_instance_id:           {mas_instance_id}")
+    logger.info(f"mas_workspace_id:          {mas_workspace_id}")
+    logger.info(f"initial_users_yaml_file:   {initial_users_yaml_file}")
+    logger.info(f"initial_users_secret_name: {initial_users_secret_name}")
+    logger.info(f"log_level:                 {log_level}")
+    logger.info(f"coreapi_port:              {coreapi_port}")
+    logger.info(f"admin_dashboard_port:      {admin_dashboard_port}")
+    logger.info(f"manage_api_port:           {manage_api_port}")
     logger.info("")
 
     try:
@@ -88,11 +94,30 @@ if __name__ == "__main__":
         config.load_kube_config()
         logger.debug("Loaded kubeconfig file")
 
-    user_utils = MASUserUtils(mas_instance_id, mas_workspace_id, client.api_client.ApiClient(), coreapi_port=coreapi_port, admin_dashboard_port=admin_dashboard_port, manage_api_port=manage_api_port)
-
-    with open(initial_users_yaml_file, 'r') as file:
-       initial_users_yaml = yaml.safe_load(file)
 
+    user_utils = MASUserUtils(mas_instance_id, mas_workspace_id, client.api_client.ApiClient(), coreapi_port=coreapi_port, admin_dashboard_port=admin_dashboard_port, manage_api_port=manage_api_port)
 
-    user_utils.create_initial_users_for_saas(initial_users_yaml)
+    if initial_users_secret_name is not None:
+
+        session = boto3.session.Session()
+        aws_sm_client = session.client(
+            service_name='secretsmanager',
+        )
+        try:
+            initial_users_secret = aws_sm_client.get_secret_value( # pragma: allowlist secret
+                SecretId=initial_users_secret_name
+            )
+        except ClientError as e:
+            raise Exception(f"Failed to fetch secret {initial_users_secret_name}: {str(e)}")
+        
+        secret_json = json.loads(initial_users_secret['SecretString'])
+        initial_users = user_utils.parse_initial_users_from_aws_secret_json(secret_json)
+    elif initial_users_yaml_file is not None:
+        with open(initial_users_yaml_file, 'r') as file:
+            initial_users = yaml.safe_load(file)
+    else:
+        raise Exception("Something unexpected happened")
+    
+    user_utils.create_initial_users_for_saas(initial_users)
+   
 
diff --git a/setup.py b/setup.py
@@ -60,7 +60,8 @@ def get_version(rel_path):
         'kubernetes',              # Apache Software License
         'kubeconfig',              # BSD License
         'jinja2',                  # BSD License
-        'jinja2-base64-filters'    # MIT License
+        'jinja2-base64-filters',    # MIT License
+        'boto3'
     ],
     extras_require={
         'dev': [
diff --git a/src/mas/devops/users.py b/src/mas/devops/users.py
@@ -27,8 +27,6 @@
     MVI / other apps?
     unit tests
 
-    dry-run support
-
     where are we going to run this from? Needs to run in cluster, so a Job in an app
     which app though? Manage?
     Perhaps we do the core bits in a core app (suite workspace?)
@@ -830,6 +828,35 @@ def await_mas_application_availability(self, mas_application_id, timeout_secs=60
                 time.sleep(5)
         raise Exception(f"{mas_application_id} did not become ready and available in time, aborting")
 
+    def parse_initial_users_from_aws_secret_json(self, secret_json):
+        primary = []
+        secondary = []
+        for (email, csv) in secret_json.items():
+            values = csv.split(",")
+            user_type = values[0].strip()
+            given_name = values[1].strip()
+            family_name = values[2].strip()
+
+            user = {
+                "email": email,
+                "given_name": given_name,
+                "family_name": family_name
+            }
+            if user_type == "primary":
+                primary.append(user)
+            elif user_type == "secondary":
+                secondary.append(user)
+            else:
+                raise Exception(f"Unknown user type for {email}: {user_type}")
+
+        initial_users = {
+            "users": {
+                "primary": primary,
+                "secondary": secondary
+            }
+        }
+        return initial_users
+
     def create_initial_users_for_saas(self, initial_users):
 
         # Validate input
