config_o_mat 0.2.1 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 35eaeccb6abdf69afb14c8cbe951c4579734f27af4844673b1761db70dfd1bf1
-  data.tar.gz: 392a61b3ee55ba8d9351c2b7d69d39de7d591bbde87f3374fac77fc425e628b8
+  metadata.gz: bd094e1ed00e6019a324570d47475448e924c6c31abe2c9fb7c31cd37064ddfe
+  data.tar.gz: e9712d360ae7da7adf5c15142bf3a2365465832071998790ebd8e5a089429f9a
 SHA512:
-  metadata.gz: 31f9277ada3b1a7fc09efe007a3b530fb3f100c480c09ab0af83a9879ab1fa3ea0b0db3252300fe8dbe9bb9877acf2244727a94554a6384bf52641a5a95c685b
-  data.tar.gz: 4346bae4957800e67e238c0231ddf1b424e1c5afe60a86e2d29e2134f480d56979d320514e24b412557f7f31b239fd7342ffdce459c387ba2b3ce56ce3e3e054
+  metadata.gz: 1a63b431f2fe289c0defaadc88a7105910d0198bf8dc3862da8effb908953f2b480687cc7750fc4f282cc410dcc6f3dc4e8d54659523e909c07f5e8e8059a1e3
+  data.tar.gz: 8763d1eff5f21f0cb2cfc603595fb8b4e198dad30ccbb8f2727ee930df1438d8b5a5c5075de674e269b99a25313f6648be160b72ed6caa3d921d595af7c8fb83

data/.gitignore

@@ -7,3 +7,6 @@ coverage/
 # YARD doc db and output
 .yardoc/
 doc/
+
+# Gem builds
+pkg/

data/Gemfile

@@ -16,11 +16,4 @@
 
 source 'https://rubygems.org'
 
-gem 'aws-sdk-appconfig', '~> 1.18', require: false
-gem 'logsformyfamily', '~> 0.2', require: false
-gem 'lifecycle_vm', '~> 0.1.1', require: false
-gem 'ruby-dbus', '~> 0.16.0', require: false
-gem 'sd_notify', '~> 0.1', require: false
-
-gem 'rspec', '~> 3.10', group: :test, require: false
-gem 'simplecov', '~> 0.21', group: :test, require: false
+gemspec

data/Gemfile.lock

@@ -1,36 +1,50 @@
+PATH
+  remote: .
+  specs:
+    config_o_mat (0.2.1)
+      aws-sdk-appconfig (~> 1.18)
+      aws-sdk-secretsmanager (~> 1.57)
+      lifecycle_vm (~> 0.1.1)
+      logsformyfamily (~> 0.2)
+      ruby-dbus (~> 0.16.0)
+      sd_notify (~> 0.1.1)
+
 GEM
   remote: https://rubygems.org/
   specs:
     aws-eventstream (1.2.0)
-    aws-partitions (1.525.0)
-    aws-sdk-appconfig (1.19.0)
-      aws-sdk-core (~> 3, >= 3.122.0)
+    aws-partitions (1.554.0)
+    aws-sdk-appconfig (1.24.0)
+      aws-sdk-core (~> 3, >= 3.126.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-core (3.122.0)
+    aws-sdk-core (3.126.1)
       aws-eventstream (~> 1, >= 1.0.2)
       aws-partitions (~> 1, >= 1.525.0)
       aws-sigv4 (~> 1.1)
       jmespath (~> 1.0)
+    aws-sdk-secretsmanager (1.57.0)
+      aws-sdk-core (~> 3, >= 3.126.0)
+      aws-sigv4 (~> 1.1)
     aws-sigv4 (1.4.0)
       aws-eventstream (~> 1, >= 1.0.2)
-    diff-lcs (1.4.4)
+    diff-lcs (1.5.0)
     docile (1.4.0)
-    jmespath (1.4.0)
+    jmespath (1.6.0)
     lifecycle_vm (0.1.2)
     logsformyfamily (0.2.3)
-    rspec (3.10.0)
-      rspec-core (~> 3.10.0)
-      rspec-expectations (~> 3.10.0)
-      rspec-mocks (~> 3.10.0)
-    rspec-core (3.10.1)
-      rspec-support (~> 3.10.0)
-    rspec-expectations (3.10.1)
+    rspec (3.11.0)
+      rspec-core (~> 3.11.0)
+      rspec-expectations (~> 3.11.0)
+      rspec-mocks (~> 3.11.0)
+    rspec-core (3.11.0)
+      rspec-support (~> 3.11.0)
+    rspec-expectations (3.11.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.10.0)
-    rspec-mocks (3.10.2)
+      rspec-support (~> 3.11.0)
+    rspec-mocks (3.11.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.10.0)
-    rspec-support (3.10.3)
+      rspec-support (~> 3.11.0)
+    rspec-support (3.11.0)
     ruby-dbus (0.16.0)
     sd_notify (0.1.1)
     simplecov (0.21.2)
@@ -38,19 +52,15 @@ GEM
       simplecov-html (~> 0.11)
       simplecov_json_formatter (~> 0.1)
     simplecov-html (0.12.3)
-    simplecov_json_formatter (0.1.3)
+    simplecov_json_formatter (0.1.4)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  aws-sdk-appconfig (~> 1.18)
-  lifecycle_vm (~> 0.1.1)
-  logsformyfamily (~> 0.2)
+  config_o_mat!
   rspec (~> 3.10)
-  ruby-dbus (~> 0.16.0)
-  sd_notify (~> 0.1)
-  simplecov (~> 0.21)
+  simplecov (~> 0.21.2)
 
 BUNDLED WITH
    2.1.4

data/config_o_mat.gemspec

@@ -39,6 +39,7 @@ Gem::Specification.new do |spec|
   spec.executables   = ["config_o_mat-configurator", "config_o_mat-meta_configurator"]
 
   spec.add_dependency('aws-sdk-appconfig', '~> 1.18')
+  spec.add_dependency('aws-sdk-secretsmanager', '~> 1.57')
   spec.add_dependency('logsformyfamily', '~> 0.2')
   spec.add_dependency('lifecycle_vm', '~> 0.1.1')
   spec.add_dependency('ruby-dbus', '~> 0.16.0')

data/lib/config_o_mat/configurator/memory.rb

@@ -25,7 +25,8 @@ module ConfigOMat
                     :client_id, :compiled_templates, :applied_profiles, :applying_profile,
                     :generated_templates, :services_to_reload, :profiles_to_apply,
                     :last_refresh_time, :next_state, :retry_count, :retries_left, :retry_wait,
-                    :region, :appconfig_client, :systemd_interface
+                    :region, :appconfig_client, :secretsmanager_client, :systemd_interface,
+                    :secrets_loader_memory
 
       def initialize(
         argv: [],
@@ -55,7 +56,9 @@ module ConfigOMat
         retry_wait: 2,
         region: nil,
         appconfig_client: nil,
-        systemd_interface: nil
+        secretsmanager_client: nil,
+        systemd_interface: nil,
+        secrets_loader_memory: nil
       )
         super()
 
@@ -86,7 +89,9 @@ module ConfigOMat
         @retry_wait = retry_wait
         @region = region
         @appconfig_client = appconfig_client
+        @secretsmanager_client = secretsmanager_client
         @systemd_interface = systemd_interface
+        @secrets_loader_memory = secrets_loader_memory
       end
     end
   end

data/lib/config_o_mat/configurator/op/{connect_to_appconfig.rb → connect_to_aws.rb}

@@ -17,18 +17,20 @@
 require 'lifecycle_vm/op_base'
 
 require 'aws-sdk-appconfig'
+require 'aws-sdk-secretsmanager'
 
 module ConfigOMat
   module Op
-    class ConnectToAppconfig < LifecycleVM::OpBase
+    class ConnectToAws < LifecycleVM::OpBase
       reads :region
-      writes :appconfig_client
+      writes :appconfig_client, :secretsmanager_client
 
       def call
         client_opts = { logger: logger }
         client_opts[:region] = region if region
 
         self.appconfig_client = Aws::AppConfig::Client.new(client_opts)
+        self.secretsmanager_client = Aws::SecretsManager::Client.new(client_opts)
       end
     end
   end

data/lib/config_o_mat/configurator/op/refresh_all_profiles.rb

@@ -16,11 +16,13 @@
 
 require 'lifecycle_vm/op_base'
 
+require 'config_o_mat/secrets_loader'
+
 module ConfigOMat
   module Op
     class RefreshAllProfiles < LifecycleVM::OpBase
-      reads :profile_defs, :applied_profiles, :client_id, :appconfig_client
-      writes :profiles_to_apply, :last_refresh_time
+      reads :profile_defs, :applied_profiles, :client_id, :appconfig_client, :secrets_loader_memory, :secretsmanager_client
+      writes :profiles_to_apply, :last_refresh_time, :secrets_loader_memory
 
       def call
         self.profiles_to_apply = []
@@ -53,9 +55,29 @@ module ConfigOMat
             name: profile_name, previous_version: current_version, new_version: loaded_version
           )
 
-          profiles_to_apply << LoadedProfile.new(
+          profile = LoadedAppconfigProfile.new(
             profile_name, loaded_version, response.content.read, response.content_type
           )
+
+          loaded_secrets = nil
+
+          if !profile.secret_defs.empty?
+            self.secrets_loader_memory ||= ConfigOMat::SecretsLoader::Memory.new(secretsmanager_client: secretsmanager_client)
+            secrets_loader_memory.update_secret_defs_to_load(profile.secret_defs.values)
+
+            vm = ConfigOMat::SecretsLoader::VM.new(secrets_loader_memory).call
+
+            if vm.errors?
+              error :"#{profile_name}_secrets", vm.errors
+              next
+            end
+
+            loaded_secrets = secrets_loader_memory.loaded_secrets.each_with_object({}) do |(key, value), hash|
+              hash[value.name] = value
+            end
+          end
+
+          profiles_to_apply << LoadedProfile.new(profile, loaded_secrets)
         end
       end
     end

data/lib/config_o_mat/configurator/op/refresh_profile.rb

@@ -19,8 +19,8 @@ require 'lifecycle_vm/op_base'
 module ConfigOMat
   module Op
     class RefreshProfile < LifecycleVM::OpBase
-      reads :profile_defs, :client_id, :applying_profile, :appconfig_client
-      writes :applying_profile
+      reads :profile_defs, :client_id, :applying_profile, :appconfig_client, :secretsmanager_client, :secrets_loader_memory
+      writes :applying_profile, :secrets_loader_memory
 
       def call
         profile_name = applying_profile.name
@@ -56,9 +56,29 @@ module ConfigOMat
           name: profile_name, previous_version: profile_version, new_version: loaded_version
         )
 
-        self.applying_profile = LoadedProfile.new(
+        profile = LoadedAppconfigProfile.new(
           profile_name, loaded_version, response.content.read, response.content_type
         )
+
+        loaded_secrets = nil
+
+        if !profile.secret_defs.empty?
+          self.secrets_loader_memory ||= ConfigOMat::SecretsLoader::Memory.new(secretsmanager_client: secretsmanager_client)
+          secrets_loader_memory.update_secret_defs_to_load(profile.secret_defs.values)
+
+          vm = ConfigOMat::SecretsLoader::VM.new(secrets_loader_memory).call
+
+          if vm.errors?
+            error :"#{profile_name}_secrets", vm.errors
+            return
+          end
+
+          loaded_secrets = secrets_loader_memory.loaded_secrets.each_with_object({}) do |(key, value), hash|
+            hash[value.name] = value
+          end
+        end
+
+        self.applying_profile = LoadedProfile.new(profile, loaded_secrets)
       end
     end
   end

data/lib/config_o_mat/configurator.rb

@@ -41,9 +41,9 @@ module ConfigOMat
 
       on :reading_meta_config, do: Op::LoadMetaConfig, then: :compiling_templates
 
-      on :compiling_templates, do: Op::CompileTemplates, then: :connecting_to_appconfig
+      on :compiling_templates, do: Op::CompileTemplates, then: :connecting_to_aws
 
-      on :connecting_to_appconfig, do: Op::ConnectToAppconfig, then: :refreshing_profiles
+      on :connecting_to_aws, do: Op::ConnectToAws, then: :refreshing_profiles
 
       on :refreshing_profiles,
          do: Op::RefreshAllProfiles,
@@ -116,7 +116,7 @@ module ConfigOMat
            }
          }
 
-      on :refreshing_profile, do: Op::RefreshProfile, then: :applying_profile
+      on :refreshing_profile, do: Op::RefreshProfile, then: :generating_templates
     end
   end
 end

data/lib/config_o_mat/secrets_loader/cond/requires_load.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+# Copyright 2021 Teak.io, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'lifecycle_vm/cond_base'
+
+module ConfigOMat
+  module Cond
+    class RequiresLoad < LifecycleVM::CondBase
+      reads :loading_secret
+
+      def call
+        !loading_secret.nil?
+      end
+    end
+  end
+end

data/lib/config_o_mat/secrets_loader/cond/secrets_to_load.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+# Copyright 2021 Teak.io, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'lifecycle_vm/cond_base'
+
+module ConfigOMat
+  module Cond
+    class SecretsToLoad < LifecycleVM::CondBase
+      reads :secret_defs_to_load
+
+      def call
+        !secret_defs_to_load.empty?
+      end
+    end
+  end
+end

data/lib/config_o_mat/secrets_loader/cond.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+# Copyright 2021 Teak.io, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+Dir[File.join(__dir__, 'cond', '*')].sort.each { |file| require file }

data/lib/config_o_mat/secrets_loader/memory.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+# Copyright 2021 Teak.io, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'lifecycle_vm'
+
+module ConfigOMat
+  module SecretsLoader
+    class Memory < LifecycleVM::Memory
+      attr_reader :secretsmanager_client
+
+      attr_accessor :secrets_cache, :secret_defs_to_load, :loaded_secrets, :loading_secret
+
+      def initialize(
+        secretsmanager_client: nil,
+        secret_defs_to_load: [],
+        secrets_cache: {},
+        loading_secret: nil,
+        logger: nil
+      )
+        @secretsmanager_client = secretsmanager_client
+        @secret_defs_to_load = secret_defs_to_load
+        @secrets_cache = secrets_cache
+        @loading_secret = loading_secret
+        @loaded_secrets = {}
+        @logger = logger
+      end
+
+       def update_secret_defs_to_load(defs)
+        @loaded_secrets = {}
+        @secret_defs_to_load = defs
+        self
+      end
+    end
+  end
+end

data/lib/config_o_mat/secrets_loader/op/check_cache.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+# Copyright 2021 Teak.io, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'lifecycle_vm/op_base'
+
+module ConfigOMat
+  module Op
+    class CheckCache < LifecycleVM::OpBase
+      reads :loading_secret, :secrets_cache, :loaded_secrets
+      writes :loading_secret, :loaded_secrets
+
+      def call
+        # If we're referencing a secret by its version stage, never cache it, since these can be
+        # updated out from under us.
+        return unless loading_secret.version_stage.nil? || loading_secret.version_stage.empty?
+
+        cached_secret = secrets_cache[loading_secret.secret_id]
+
+        if cached_secret && cached_secret.version_id == loading_secret.version_id
+          logger&.info(:cached_secret, name: loading_secret.name, version_id: loading_secret.version_id)
+          loaded_secrets[loading_secret] = cached_secret
+          self.loading_secret = nil
+        elsif cached_secret
+          logger&.info(
+            :invalid_cached_secret,
+            name: loading_secret.name,
+            expected_version_id: loading_secret.version_id,
+            cached_version_id: cached_secret.version_id
+          )
+        end
+      end
+    end
+  end
+end

data/lib/config_o_mat/secrets_loader/op/load_secret.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+# Copyright 2021 Teak.io, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'lifecycle_vm/op_base'
+
+require 'config_o_mat/shared/types'
+
+module ConfigOMat
+  module Op
+    class LoadSecret < LifecycleVM::OpBase
+      reads :loading_secret, :secrets_cache, :loaded_secrets, :secretsmanager_client
+      writes :loading_secret, :loaded_secrets, :secrets_cache
+
+      def call
+        opts = {
+          secret_id: loading_secret.secret_id
+        }
+
+        if loading_secret.version_id
+          opts[:version_id] = loading_secret.version_id
+        else
+          opts[:version_stage] = loading_secret.version_stage
+        end
+
+        response =
+          begin
+            secretsmanager_client.get_secret_value(opts)
+          rescue StandardError => e
+            error loading_secret.name, e
+            nil
+          end
+
+        return if response.nil? || errors?
+
+        loaded_secret = LoadedSecret.new(
+          loading_secret.name, loading_secret.secret_id, response.version_id,
+          response.secret_string, loading_secret.content_type
+        )
+
+        logger&.info(
+          :loaded_secret, name: loading_secret.name, arn: response.arn,
+          version_id: response.version_id
+        )
+
+        begin
+          loaded_secret.validate!
+        rescue StandardError => e
+          logger&.error(
+            :invalid_secret, name: loading_secret.name, arn: response.arn,
+            version_id: response.version_id, errors: e
+          )
+          error loaded_secret.name, e
+        end
+
+        return if errors?
+
+        secrets_cache[loading_secret.secret_id] = loaded_secret
+        loaded_secrets[loading_secret] = loaded_secret
+        self.loading_secret = nil
+      end
+    end
+  end
+end

data/lib/config_o_mat/secrets_loader/op/stage_one_secret.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+# Copyright 2021 Teak.io, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'lifecycle_vm/op_base'
+
+module ConfigOMat
+  module Op
+    class StageOneSecret < LifecycleVM::OpBase
+      reads :secret_defs_to_load
+      writes :loading_secret, :secret_defs_to_load
+
+      def call
+        self.loading_secret = secret_defs_to_load.pop
+      end
+    end
+  end
+end

data/lib/config_o_mat/secrets_loader/op.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+# Copyright 2021 Teak.io, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+Dir[File.join(__dir__, 'op', '*')].sort.each { |file| require file }

data/lib/config_o_mat/secrets_loader.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+# Copyright 2021 Teak.io, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'lifecycle_vm'
+
+require 'config_o_mat/secrets_loader/op'
+require 'config_o_mat/secrets_loader/cond'
+require 'config_o_mat/secrets_loader/memory'
+
+module ConfigOMat
+  module SecretsLoader
+    class VM < LifecycleVM::VM
+      memory_class ConfigOMat::SecretsLoader::Memory
+
+      on :start, then: {
+        case: Cond::SecretsToLoad,
+        when: {
+          true => {
+            do: Op::StageOneSecret,
+            then: :check_cache
+          },
+          false => {
+            then: :exit
+          }
+        }
+      }
+
+      on :check_cache, do: Op::CheckCache, then: {
+        case: Cond::RequiresLoad,
+        when: {
+          true => :load_secret,
+          false => :start
+        }
+      }
+
+      on :load_secret, do: Op::LoadSecret, then: :start
+    end
+  end
+end

data/lib/config_o_mat/shared/types.rb

@@ -187,8 +187,8 @@ module ConfigOMat
     end
   end
 
-  class LoadedProfile < ConfigItem
-    attr_reader :name, :version, :contents
+  class LoadedAppconfigProfile < ConfigItem
+    attr_reader :name, :version, :contents, :secret_defs
 
     PARSERS = {
       'text/plain' => proc { |str| str },
@@ -199,12 +199,14 @@ module ConfigOMat
     def initialize(name, version, contents, content_type)
       @name = name
       @version = version
+      @secret_defs = {}
 
       parser = PARSERS[content_type]
 
       if parser
         begin
           @contents = parser.call(contents)
+          parse_secrets if @contents.kind_of?(Hash)
         rescue StandardError => e
           error :contents, e
         end
@@ -233,6 +235,133 @@ module ConfigOMat
       return false if other.version != version || other.contents != contents || other.name != name
       true
     end
+
+  private
+
+    def parse_secrets
+      secret_entries = @contents[:"aws:secrets"]
+      return if secret_entries.nil?
+
+      error :contents_secrets, 'must be a dictionary' if !secret_entries.kind_of?(Hash)
+
+      secret_entries.each do |(secret_name, secret_conf)|
+        secret_def = Secret.new(secret_name, secret_conf)
+        secret_def.validate
+        error :"contents_secrets_#{secret_name}", secret_def.errors if secret_def.errors?
+
+        @secret_defs[secret_name] = secret_def
+      end
+    end
+  end
+
+  class Secret < ConfigItem
+    VALID_CONTENT_TYPES = LoadedAppconfigProfile::PARSERS.keys.freeze
+
+    attr_reader :name, :secret_id, :version_id, :version_stage, :content_type
+
+    def initialize(name, opts)
+      @name = name
+      @secret_id = opts[:secret_id]
+      @version_id = opts[:version_id]
+      @version_stage = opts[:version_stage]
+      @content_type = opts[:content_type]&.downcase
+
+      if (@version_id.nil? || @version_id.empty?) && (@version_stage.nil? || @version_stage.empty?)
+        @version_stage = 'AWSCURRENT'
+      end
+
+      @content_type ||= 'application/json'
+    end
+
+    def validate
+      error :secret_id, 'must be present' if @secret_id.nil? || @secret_id.empty?
+      error :content_type, "must be one of #{VALID_CONTENT_TYPES}" unless VALID_CONTENT_TYPES.include?(@content_type)
+    end
+
+    def hash
+      secret_id.hash ^ version_id.hash ^ version_stage.hash & content_type.hash
+    end
+
+    def eql?(other)
+      return false if !super(other)
+      if other.name != name ||
+         other.secret_id != secret_id ||
+         other.version_id != version_id ||
+         other.version_stage != version_stage ||
+         other.content_type != content_type
+        return false
+      end
+      true
+    end
+  end
+
+  class LoadedSecret < ConfigItem
+    attr_reader :name, :secret_id, :version_id, :contents
+
+    def initialize(name, secret_id, version_id, secret_string, content_type)
+      @name = name
+      @secret_id = secret_id
+      @version_id = version_id
+
+      begin
+        @contents = LoadedAppconfigProfile::PARSERS[content_type].call(secret_string)
+      rescue StandardError => e
+        error :contents, e
+      end
+    end
+
+    def validate
+      # Since name and version_id are coming from AWS and must be present, I'm not going to check
+      # them here.
+    end
+
+    def hash
+      @name.hash ^ @secret_id.hash ^ @version_id.hash ^ @contents.hash
+    end
+
+    def eql?(other)
+      return false if !super(other)
+      if other.name != name ||
+         other.secret_id != secret_id ||
+         other.version_id != version_id ||
+         other.contents != contents
+        return false
+      end
+      true
+    end
+  end
+
+
+  class LoadedProfile < ConfigItem
+    extend Forwardable
+
+    attr_reader :secrets, :loaded_appconfig_profile
+
+    def_delegators :@loaded_appconfig_profile, :name, :version, :contents
+
+    def initialize(loaded_appconfig_profile, secrets)
+      @loaded_appconfig_profile = loaded_appconfig_profile
+      @secrets = secrets || {}
+
+      @errors = @loaded_appconfig_profile.errors if @loaded_appconfig_profile.errors?
+    end
+
+    def validate
+    end
+
+    def hash
+      @loaded_appconfig_profile.hash ^ @secrets.hash
+    end
+
+    def to_h
+      contents
+    end
+
+    def eql?(other)
+      return false if !super(other)
+      return false if other.loaded_appconfig_profile != @loaded_appconfig_profile || other.secrets != @secrets
+      true
+    end
   end
 
   class GeneratedTemplate < ConfigItem

data/lib/config_o_mat/version.rb

@@ -15,5 +15,5 @@
 # limitations under the License.
 
 module ConfigOMat
-  VERSION = "0.2.1"
+  VERSION = "0.3.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: config_o_mat
 version: !ruby/object:Gem::Version
-  version: 0.2.1
+  version: 0.3.0
 platform: ruby
 authors:
 - Alex Scarborough
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-02-15 00:00:00.000000000 Z
+date: 2022-02-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-appconfig
@@ -24,6 +24,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.18'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-secretsmanager
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.57'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.57'
 - !ruby/object:Gem::Dependency
   name: logsformyfamily
   requirement: !ruby/object:Gem::Requirement
@@ -144,7 +158,7 @@ files:
 - lib/config_o_mat/configurator/op/apply_all_profiles.rb
 - lib/config_o_mat/configurator/op/commit_staged_profile.rb
 - lib/config_o_mat/configurator/op/compile_templates.rb
-- lib/config_o_mat/configurator/op/connect_to_appconfig.rb
+- lib/config_o_mat/configurator/op/connect_to_aws.rb
 - lib/config_o_mat/configurator/op/generate_all_templates.rb
 - lib/config_o_mat/configurator/op/next_tick.rb
 - lib/config_o_mat/configurator/op/notify_systemd_start.rb
@@ -170,6 +184,15 @@ files:
 - lib/config_o_mat/meta_configurator/op.rb
 - lib/config_o_mat/meta_configurator/op/generate_systemd_config.rb
 - lib/config_o_mat/meta_configurator/op/parse_meta_cli.rb
+- lib/config_o_mat/secrets_loader.rb
+- lib/config_o_mat/secrets_loader/cond.rb
+- lib/config_o_mat/secrets_loader/cond/requires_load.rb
+- lib/config_o_mat/secrets_loader/cond/secrets_to_load.rb
+- lib/config_o_mat/secrets_loader/memory.rb
+- lib/config_o_mat/secrets_loader/op.rb
+- lib/config_o_mat/secrets_loader/op/check_cache.rb
+- lib/config_o_mat/secrets_loader/op/load_secret.rb
+- lib/config_o_mat/secrets_loader/op/stage_one_secret.rb
 - lib/config_o_mat/shared/cond.rb
 - lib/config_o_mat/shared/cond/early_exit.rb
 - lib/config_o_mat/shared/op.rb