
Adds a few helper scripts

Notably, the 'MDRAdmin' password has been moved in the vault from the individual entries into engineering/cloud/aws/root-credits/MDRAdmin
Fred Damstra [afs macbook] 3 年 前
181489404e
3 ファイル変更116 行追加0 行削除
  1. 11 0
      bin/credential_report.sh
  2. 67 0
      bin/delete-cloudcheckr-user.sh
  3. 38 0
      bin/rotate_mdradmin.sh

+ 11 - 0
bin/credential_report.sh

@@ -0,0 +1,11 @@
+#! /bin/bash
+# 
+# Expects a profile name as the first argument. No error checking.
+
+# Wait for successful credential report
+while [[ "$( aws --profile $1 iam generate-credential-report | jq -r .State)" != "COMPLETE" ]]; do
+  >&2 echo "Credential report not ready. Waiting..."
+  sleep 1
+done
+
+aws --profile $1 iam get-credential-report | jq -r .Content | base64 --decode
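Review bot: The wait loop at the top of the file never terminates when the `aws` call itself fails rather than merely reporting "not ready": a missing or mistyped profile, expired credentials or a missing `iam:GenerateCredentialReport` permission makes the pipeline yield an empty State, which is never "COMPLETE", so the script prints "Credential report not ready" once a second forever. A bounded retry that exits non-zero is safer for a script whose output is meant to be piped into other tools, and `$1` should be checked for presence and quoted in both `aws` calls. The final `get-credential-report` line only needs `"$profile"` substituted for `$1`.
```shell
profile=${1:?usage: credential_report.sh PROFILE}
attempts=0
# Give up after ~60 tries instead of spinning forever on a failing aws call.
while [[ "$(aws --profile "$profile" iam generate-credential-report | jq -r .State)" != "COMPLETE" ]]; do
  (( ++attempts <= 60 )) || { echo "Credential report for $profile not ready after $attempts tries" >&2; exit 1; }
  >&2 echo "Credential report not ready. Waiting..."
  sleep 1
done
# … unchanged: get-credential-report | jq -r .Content | base64 --decode (with "$profile" in place of $1) …
```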

+ 67 - 0
bin/delete-cloudcheckr-user.sh

@@ -0,0 +1,67 @@
+#!/bin/bash
+# Runs the same aws CLI command in "most" of the defined profiles
+# in $HOME/.aws/config
+#
+# You can pass in via an environment variable a "profile set"
+# of either "commercial", "govcloud", or "both".  Default is "both"
+#
+# Does an "aws sts get-caller-identity" to confirm that your AssumeRole
+# and other necessities are properly set up before attempting to call the
+# actual AWS command.
+#
+# PROFILE_SET=commercial aws-all.sh ec2 describe-instances
+#
+set -eu -o pipefail
+
+AWS=${AWS:-/usr/local/bin/aws}
+PROFILE_SET=${PROFILE_SET:-both}
+
+ALL_PROFILES=$( egrep "\[profile" ~/.aws/config | 	\
+		awk '{ print $2 }' | 			\
+		sed "s/\]//" | 				\
+		egrep -v "default|commercial|govcloud" )
+
+COMMERCIAL_PROFILES=""
+GOVCLOUD_PROFILES=""
+
+for i in $ALL_PROFILES; do
+	if [[ "$i" =~ -gov$ ]]; then
+		GOVCLOUD_PROFILES="$GOVCLOUD_PROFILES $i"
+	else
+		COMMERCIAL_PROFILES="$COMMERCIAL_PROFILES $i"
+	fi
+done
+
+case $PROFILE_SET in
+
+	both) 
+		PROFILES="$COMMERCIAL_PROFILES $GOVCLOUD_PROFILES"
+		;;
+	
+	govcloud) 
+		PROFILES="$GOVCLOUD_PROFILES"
+		;;
+
+	commercial) 
+		PROFILES="$COMMERCIAL_PROFILES"
+		;;
+esac
+
+for i in $PROFILES; do
+
+	echo "======================================================================================"
+	export AWS_PROFILE=$i 
+	
+	set +e
+	${AWS} sts get-caller-identity > /dev/null 2>&1
+	RC=$?
+	set -e
+
+	if [[ $RC -eq 0 ]]; then
+		echo "GetCallerIdentity (AssumeRole Test) for $i OK"
+		echo delete-iam-user.py CloudCheckrUser
+		delete-iam-user.py CloudCheckrUser
+	else
+		echo "GetCallerIdentity (AssumeRole Test) for $i FAILED"
+	fi
+ done
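Review bot: The header comment (the block above `set -eu -o pipefail`) describes a generic `aws-all.sh` wrapper that runs an arbitrary CLI command passed on the command line, but this script runs the fixed `delete-iam-user.py CloudCheckrUser` in every profile, so a reader skimming the header would not learn that it is a destructive one-off; replace it with something like `# Deletes the IAM user CloudCheckrUser in every profile from ~/.aws/config (PROFILE_SET=commercial|govcloud|both, default both) via delete-iam-user.py; the sts get-caller-identity call only verifies that AssumeRole works before the deletion is attempted.` The `case $PROFILE_SET` also has no default arm, so a misspelled value leaves PROFILES unset and the script dies with bash's generic "unbound variable" message from `set -u`; a `*) echo "unknown PROFILE_SET=$PROFILE_SET" >&2; exit 2 ;;` arm makes the failure explicit. Since the sibling `rotate_mdradmin.sh` in this commit prompts before touching every account, a similar confirmation here before the first deletion would be consistent.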

+ 38 - 0
bin/rotate_mdradmin.sh

@@ -0,0 +1,38 @@
+#! /usr/local/bin/bash
+# 
+# Requires a new bash than comes with OS X. Install bash from homebrew
+# via `brew install bash`
+
+ALL_PROFILES=$( egrep "\[profile" ~/.aws/config | 	\
+		awk '{ print $2 }' | 			\
+		sed "s/\]//" | 				\
+		egrep -v "default|commercial|govcloud" )
+
+
+read -p "THIS WILL RESET THE MDRADMIN USER PASSWORD IN EVERY PROFILE. Continue [y/N]? " -n 1 -r
+
+if [[ $REPLY =~ ^[Yy]$ ]]; then
+  echo ""
+else
+  echo Exiting...
+  exit 10
+fi
+
+echo ""
+echo "Copy and paste the following into the vault under engineering/cloud/aws/root-credits/MDRAdmin"
+echo "If there are errors, try running a second (or third) time"
+echo ""
+
+echo \{
+  
+for p in $ALL_PROFILES; do
+  NEWPASS=$( </dev/urandom LC_ALL=C tr -dc 'A-Za-z0-9@#%_+=' | head -c 32 )
+  # The "@Q" syntax ensures the password is shell escaped
+  aws --profile $p iam update-login-profile --user-name MDRAdmin --no-password-reset-required --password ${NEWPASS@Q} > /dev/null
+  echo \ \ \"${p}\": \"${NEWPASS}\",
+done
+
+# Trailing comma is a problem, so we'll just add the date
+echo \ \ \"LAST_UPDATED\": \"$(date)\"
+
+echo \}
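Review bot: `--password ${NEWPASS@Q}` on the `aws iam update-login-profile` line appears to set the wrong password: `${var@Q}` yields a single-quoted string such as `'abc…'`, and quote characters that come out of an expansion are never stripped by the shell, so AWS would receive the value with the surrounding quotes while the JSON printed for the vault contains the bare value, and the two would not match. The expansion result is not re-parsed, so plain `--password "$NEWPASS"` (and `--profile "$p"`) is both correct and removes the bash 4.4 dependency the header comment mentions. Separately, the exit status of the `aws` call is ignored (the file sets no `-e`), so a profile whose update failed still has its never-applied password printed into the vault block, which the "try running a second time" advice does not repair; the loop body should emit the entry only on success and report the failure on stderr.
```shell
for p in $ALL_PROFILES; do
  NEWPASS=$( </dev/urandom LC_ALL=C tr -dc 'A-Za-z0-9@#%_+=' | head -c 32 )
  # Expansion results are never re-parsed for quotes, so "$NEWPASS" is passed verbatim.
  if aws --profile "$p" iam update-login-profile --user-name MDRAdmin \
       --no-password-reset-required --password "$NEWPASS" > /dev/null; then
    echo \ \ \"${p}\": \"${NEWPASS}\",
  else
    >&2 echo "FAILED to update MDRAdmin in profile $p; leave its vault entry unchanged"
  fi
done
# … unchanged: LAST_UPDATED line and closing brace …
```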