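#!/bin/bash
# Pulls the IAM credential report from "most" of the profiles defined
# in $HOME/.aws/config and merges them into combined.csv in the current
# directory.
#
# You can pass in via an environment variable a "profile set"
# of either "commercial", "govcloud", or "both". Default is "both"
#
# Does an "aws sts get-caller-identity" to confirm that your AssumeRole
# and other necessities are properly set up before attempting to call the
# actual AWS command.
#
#   PROFILE_SET=commercial aws-all.sh
#
# Environment:
#   AWS          path to the aws CLI (default /usr/local/bin/aws)
#   PROFILE_SET  commercial | govcloud | both (default both)
# Requires: jq, base64.
# Command-line arguments are not read by this script.
#
# Handling note: each raw report is echoed to stdout as it is fetched and
# the merged result is left in combined.csv. Treat both as sensitive
# account inventory; do not run this where stdout is captured into shared
# logs, and remove combined.csv when you are done with it.

set -u -o pipefail   # can't use -e since a pipe intentionally fails below
umask 077            # reports and combined.csv readable by the owner only

AWS=${AWS:-/usr/local/bin/aws}
PROFILE_SET=${PROFILE_SET:-both}

# Profile names from "[profile NAME]" headers, minus any name containing
# default/commercial/govcloud (grep -v exits 1 when nothing is left).
ALL_PROFILES=$(
  grep -E "\[profile" ~/.aws/config |
    awk '{ print $2 }' |
    sed "s/\]//" |
    grep -E -v "default|commercial|govcloud"
)
COMMERCIAL_PROFILES=""
GOVCLOUD_PROFILES=""

export AWS_PAGER=""   # Don't paginate output

# Profiles whose name ends in "-gov" are GovCloud; the rest are commercial.
# Word splitting of the list is intentional here.
for i in $ALL_PROFILES; do
  if [[ "$i" =~ -gov$ ]]; then
    GOVCLOUD_PROFILES="$GOVCLOUD_PROFILES $i"
  else
    COMMERCIAL_PROFILES="$COMMERCIAL_PROFILES $i"
  fi
done

case "$PROFILE_SET" in
  both)
    PROFILES="$COMMERCIAL_PROFILES $GOVCLOUD_PROFILES"
    ;;
  govcloud)
    PROFILES="$GOVCLOUD_PROFILES"
    ;;
  commercial)
    PROFILES="$COMMERCIAL_PROFILES"
    ;;
  *)
    # Without this arm PROFILES stays unset and set -u aborts later with
    # an unhelpful "unbound variable" message.
    echo "PROFILE_SET must be commercial, govcloud or both (got: $PROFILE_SET)" >&2
    exit 2
    ;;
esac

# Per-profile reports go into a private scratch directory rather than the
# current directory, so the merge never reads, and the cleanup never
# deletes, unrelated *.tmp / *.tmp2 files that happen to live in $PWD.
WORKDIR=$(mktemp -d) || { echo "mktemp failed" >&2; exit 1; }
trap 'rm -rf -- "$WORKDIR"' EXIT

for i in $PROFILES; do
  echo "======================================================================================"
  export AWS_PROFILE=$i
  "$AWS" sts get-caller-identity > /dev/null 2>&1
  RC=$?
  if [[ $RC -eq 0 ]]; then
    echo "GetCallerIdentity (AssumeRole Test) for $i OK"

    # Report generation is asynchronous. Re-issue the request until IAM
    # says COMPLETE instead of trusting one fixed sleep; give up after
    # about a minute.
    state=""
    tries=0
    while (( tries < 12 )); do
      state=$("$AWS" iam generate-credential-report --query State --output text)
      echo "credential report state for $i: $state"
      if [[ "$state" == "COMPLETE" ]]; then
        break
      fi
      tries=$((tries + 1))
      sleep 5
    done
    if [[ "$state" != "COMPLETE" ]]; then
      echo "Credential report for $i not ready; skipping" >&2
      continue
    fi

    report="$WORKDIR/$i.tmp"
    # Same binary as the identity check above, not whatever "aws" is
    # first on PATH.
    if "$AWS" iam get-credential-report | jq -r .Content | base64 --decode | tee "$report"; then
      # Terminate the last line so merged reports never run together.
      echo "" >> "$report"
    else
      echo "Fetching credential report for $i FAILED" >&2
      rm -f -- "$report"
    fi
  else
    echo "GetCallerIdentity (AssumeRole Test) for $i FAILED"
  fi
done

echo Combining
reports=("$WORKDIR"/*.tmp)
# An unmatched glob stays literal, so test that the first entry exists.
if [[ ! -e "${reports[0]}" ]]; then
  echo "No credential reports were retrieved; nothing to combine" >&2
  exit 1
fi
{
  # Header row once, then every data row de-duplicated; blank separator
  # lines are dropped.
  head -n 1 "${reports[0]}"
  grep -h -v -e 'user,arn,user_creation_time' -e '^$' "${reports[@]}" | sort -u
} > "$WORKDIR/combined.tmp2"

# Only the columns we want. Since format is likely to change, this may be a bad idea
echo cutting
cut -d, -f1,2,5,6,8,9,10,11,14,15,16,19,20,21,22 "$WORKDIR/combined.tmp2" > combined.csv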