#!/usr/bin/env -S deno run --allow-read --allow-net
// Take "Authorised key" for your service user and place it into this
// folder as `authorized_key.json`. The file contains the account's
// private key, so keep it out of version control.
//
// Run
//
// $(./init)
//
// Then you can use `terraform <cmd>`.
//
// References:
// https://yandex.cloud/ru/docs/iam/operations/iam-token/create-for-sa#node_1
import { exit } from 'node:process';
import * as jose from 'https://deno.land/x/jose@v5.4.1/index.ts';
import parseArgs from 'https://deno.land/x/deno_minimist@v1.0.2/mod.ts';
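// Endpoint that exchanges a signed JWT for an IAM token; the same URL is
// used as the JWT audience.
const TOKEN_API = 'https://iam.api.cloud.yandex.net/iam/v1/tokens';
// Value handed to the JWT builder's expiration time.
const EXPIRATION = '1h';
// Signature algorithm, used both for the key import and the JWT header.
const ALGORITHM = 'PS256';

// Command-line options: `-h` / `--help` and `--log_file=<path>`.
const argv = parseArgs(Deno.args, {
  alias: {
    h: ['help'],
  },
  string: ['log_file'],
});

if (argv.help) {
  // This script's stdout is meant to be executed by the shell via
  // `$(./init)`, so the usage text goes to stderr. Printed on stdout it
  // would be run as a command under `$(./init --help)`.
  console.error(`
$(./init [--log_file=terraform.log])
`);
  exit();
}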
// Load the service account key file from the current working directory.
// It holds the private key used for signing below, so none of its content
// is ever printed.
const keyFile = JSON.parse(await Deno.readTextFile('authorized_key.json'));
const {
  id: keyId,
  service_account_id: serviceAccountId,
  private_key: rawPrivateKey,
} = keyFile;

// Drop everything up to and including the first newline before the PEM import.
// NOTE(review): presumably the key file puts a one-line preamble in front of
// the PEM block; confirm. A key without it would lose its BEGIN line here and
// fail to import.
const pkcs8Pem = rawPrivateKey.replace(/^.*\n/, '');
const signingKey = await jose.importPKCS8(pkcs8Pem, ALGORITHM);

// NOTE(review): `jose` is imported by URL at a version tag. A Deno lock file
// (deno.lock) would also pin the content hash of the code that handles this
// private key.
const unsignedJwt = new jose.SignJWT()
  .setProtectedHeader({ kid: keyId, alg: ALGORITHM })
  .setIssuedAt()
  .setIssuer(serviceAccountId)
  .setAudience(TOKEN_API)
  .setExpirationTime(EXPIRATION);

// Signed JWT: issuer is the service account, audience is the token endpoint.
const jwt = await unsignedJwt.sign(signingKey);
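// Exchange the signed JWT for an IAM token.
const tokenResponse = await fetch(TOKEN_API, {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({ jwt }),
});

// A rejected request must not produce any stdout: the caller executes stdout
// with `$(./init)`, and an unchecked failure would export
// `TF_VAR_token=undefined`. Only the HTTP status is reported, on stderr.
if (!tokenResponse.ok) {
  console.error(
    `IAM token request failed: HTTP ${tokenResponse.status} ${tokenResponse.statusText}`,
  );
  exit(1);
}

const tokenPayload = await tokenResponse.json();
const iamToken = tokenPayload?.iamToken;
if (typeof iamToken !== 'string' || iamToken.length === 0) {
  console.error('IAM token response did not contain an `iamToken` string');
  exit(1);
}

// Everything written to stdout from here on is shell input. The token is a
// live credential, so running `./init` without `$(...)` prints it to the
// terminal.
console.log(`export TF_VAR_token=${iamToken}`);
if (argv.log_file) {
  // The path is emitted unquoted, so a value containing whitespace is split
  // into separate words by the shell.
  console.log(`
export TF_LOG=INFO
export TF_LOG_PATH=${argv.log_file}
`.trim());
}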