credstash-init 0.1.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/.gitignore +9 -0
- data/.rspec +2 -0
- data/.travis.yml +3 -0
- data/Gemfile +4 -0
- data/README.md +16 -0
- data/Rakefile +2 -0
- data/bin/console +14 -0
- data/bin/setup +7 -0
- data/credstash-init.gemspec +25 -0
- data/exe/credstash-init +6 -0
- data/lib/credstash/init.rb +98 -0
- data/lib/credstash/init/version.rb +3 -0
- data/lib/credstash/template/credstash-key-policy.json.erb +73 -0
- metadata +100 -0
checksums.yaml
ADDED
@@ -0,0 +1,7 @@
|
|
1
|
+
---
|
2
|
+
SHA1:
|
3
|
+
metadata.gz: 73f92cc0bfebad087d95de2b4fcc012b722abb5d
|
4
|
+
data.tar.gz: 6271da4757edddebdde04c78af8d90d14c227f0c
|
5
|
+
SHA512:
|
6
|
+
metadata.gz: 84d716ed172b29b8333ac8c5b3334224fb51d9af61fead366cb125a08c899ef9d1fdc8ce7b8b77e4eb179659735be3b0dc0a56da27a6f2d8588bf70592a27502
|
7
|
+
data.tar.gz: f697f461b2e99177d5943d3cf51defdf07da39ffe019a53d51df696ab270c9a05e77c63028935d7900c5bc8f1f8f5b0019fa8a560f4eb0c91023376001ddbadf
|
data/.gitignore
ADDED
data/.rspec
ADDED
data/.travis.yml
ADDED
data/Gemfile
ADDED
data/README.md
ADDED
@@ -0,0 +1,16 @@
|
|
1
|
+
# credstash-init
|
2
|
+
|
3
|
+
Set up individual credstash keys and DBs for isolated environments
|
4
|
+
|
5
|
+
## Usage
|
6
|
+
|
7
|
+
```
|
8
|
+
gem install credstash-init
|
9
|
+
credstash-init <profile> <region> <admin_username> [ ... ]
|
10
|
+
```
|
11
|
+
|
12
|
+
You must specify (explicitly) all of the above. You may specify multiple key admin users. You must use the IAM username as reflected in AWS.
|
13
|
+
|
14
|
+
## License
|
15
|
+
|
16
|
+
MIT
|
data/Rakefile
ADDED
data/bin/console
ADDED
@@ -0,0 +1,14 @@
|
|
1
|
+
#!/usr/bin/env ruby
|
2
|
+
|
3
|
+
require "bundler/setup"
|
4
|
+
require "credstash/init"
|
5
|
+
|
6
|
+
# You can add fixtures and/or initialization code here to make experimenting
|
7
|
+
# with your gem easier. You can also use a different console, if you like.
|
8
|
+
|
9
|
+
# (If you use this, don't forget to add pry to your Gemfile!)
|
10
|
+
# require "pry"
|
11
|
+
# Pry.start
|
12
|
+
|
13
|
+
require "irb"
|
14
|
+
IRB.start
|
data/bin/setup
ADDED
@@ -0,0 +1,25 @@
|
|
1
|
+
# coding: utf-8
|
2
|
+
lib = File.expand_path('../lib', __FILE__)
|
3
|
+
$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
|
4
|
+
require 'credstash/init/version'
|
5
|
+
|
6
|
+
Gem::Specification.new do |spec|
|
7
|
+
spec.name = "credstash-init"
|
8
|
+
spec.version = Credstash::VERSION
|
9
|
+
spec.authors = ["Bryan Conrad"]
|
10
|
+
spec.email = ["bkconrad@gmail.com"]
|
11
|
+
|
12
|
+
spec.summary = %q{Set up individual credstash keys and DBs for isolated environments}
|
13
|
+
spec.homepage = "https://github.com/bkconrad/credstash-init"
|
14
|
+
spec.license = "MIT"
|
15
|
+
|
16
|
+
spec.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
|
17
|
+
spec.bindir = "exe"
|
18
|
+
spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
|
19
|
+
spec.require_paths = ["lib"]
|
20
|
+
|
21
|
+
spec.add_dependency "aws-sdk-resources", "~> 2"
|
22
|
+
|
23
|
+
spec.add_development_dependency "bundler", "~> 1.8"
|
24
|
+
spec.add_development_dependency "rake", "~> 10.0"
|
25
|
+
end
|
data/exe/credstash-init
ADDED
@@ -0,0 +1,98 @@
|
|
1
|
+
require "erb"
|
2
|
+
require "json"
|
3
|
+
require "credstash/init/version"
|
4
|
+
require "aws-sdk-resources"
|
5
|
+
|
6
|
+
module Credstash
|
7
|
+
class Init
|
8
|
+
# Your code goes here...
|
9
|
+
def init!
|
10
|
+
usage! unless profile_name && region && users.any?
|
11
|
+
%w(production staging development).each do |env|
|
12
|
+
ensure_kms_key_exists env
|
13
|
+
run_credstash_setup env
|
14
|
+
end
|
15
|
+
end
|
16
|
+
|
17
|
+
def usage!
|
18
|
+
puts "Usage: #{$0} <profile> <region> <admin_username> [ ... ]"
|
19
|
+
puts "You must provide a profile, region, and list of users (in that order)"
|
20
|
+
exit 1
|
21
|
+
end
|
22
|
+
|
23
|
+
private
|
24
|
+
|
25
|
+
def ensure_kms_key_exists env
|
26
|
+
create_kms_key! env unless kms_key_exists? env
|
27
|
+
end
|
28
|
+
|
29
|
+
def kms_key_exists? env
|
30
|
+
begin
|
31
|
+
kms.describe_key(key_id: key_name(env))
|
32
|
+
puts "Found existing key alias #{key_name env}"
|
33
|
+
return true
|
34
|
+
rescue Aws::KMS::Errors::NotFoundException => e
|
35
|
+
return false
|
36
|
+
end
|
37
|
+
end
|
38
|
+
|
39
|
+
def create_kms_key! env
|
40
|
+
puts "Creating KMS Key for #{env}"
|
41
|
+
result = kms.create_key description: "Credstash key for #{env} secrets", policy: policy(env)
|
42
|
+
puts "Creating KMS Alias #{key_name env}"
|
43
|
+
kms.create_alias alias_name: key_name(env), target_key_id: result.key_metadata.key_id
|
44
|
+
end
|
45
|
+
|
46
|
+
def policy env
|
47
|
+
template_file = File.join File.dirname(__FILE__), 'template', 'credstash-key-policy.json.erb'
|
48
|
+
|
49
|
+
# expose some variables to the binding
|
50
|
+
@env = env
|
51
|
+
@account_id = account_id
|
52
|
+
data = JSON.parse ERB.new(File.read(template_file)).result(binding)
|
53
|
+
require 'pp'
|
54
|
+
data['Statement'].each do |statement|
|
55
|
+
next unless statement['Principal']['AWS'].is_a? Array
|
56
|
+
statement['Principal']['AWS'] = user_arns
|
57
|
+
end
|
58
|
+
|
59
|
+
JSON.pretty_generate data
|
60
|
+
end
|
61
|
+
|
62
|
+
def user_arns
|
63
|
+
users.map { |user| "arn:aws:iam::#{account_id}:user/#{user}" }
|
64
|
+
end
|
65
|
+
|
66
|
+
def account_id
|
67
|
+
iam.get_user.user.arn.split(':')[4]
|
68
|
+
end
|
69
|
+
|
70
|
+
def key_name env
|
71
|
+
"alias/credstash-#{env}"
|
72
|
+
end
|
73
|
+
|
74
|
+
def run_credstash_setup env
|
75
|
+
system "credstash -p #{profile_name} -r #{region} -t credstash-#{env} setup"
|
76
|
+
end
|
77
|
+
|
78
|
+
def kms
|
79
|
+
@kms ||= ::Aws::KMS::Client.new profile: profile_name, region: region
|
80
|
+
end
|
81
|
+
|
82
|
+
def iam
|
83
|
+
@iam ||= ::Aws::IAM::Client.new profile: profile_name, region: region
|
84
|
+
end
|
85
|
+
|
86
|
+
def profile_name
|
87
|
+
ARGV.first
|
88
|
+
end
|
89
|
+
|
90
|
+
def region
|
91
|
+
ARGV[1]
|
92
|
+
end
|
93
|
+
|
94
|
+
def users
|
95
|
+
ARGV.last ARGV.length - 2
|
96
|
+
end
|
97
|
+
end
|
98
|
+
end
|
@@ -0,0 +1,73 @@
|
|
1
|
+
{
|
2
|
+
"Version": "2012-10-17",
|
3
|
+
"Id": "credstash-key-policy-<%= @env %>",
|
4
|
+
"Statement": [
|
5
|
+
{
|
6
|
+
"Sid": "Enable IAM User Permissions",
|
7
|
+
"Effect": "Allow",
|
8
|
+
"Principal": {
|
9
|
+
"AWS": "arn:aws:iam::<%= @account_id %>:root"
|
10
|
+
},
|
11
|
+
"Action": "kms:*",
|
12
|
+
"Resource": "*"
|
13
|
+
},
|
14
|
+
{
|
15
|
+
"Sid": "Allow access for Key Administrators",
|
16
|
+
"Effect": "Allow",
|
17
|
+
"Principal": {
|
18
|
+
"AWS": [
|
19
|
+
]
|
20
|
+
},
|
21
|
+
"Action": [
|
22
|
+
"kms:Create*",
|
23
|
+
"kms:Describe*",
|
24
|
+
"kms:Enable*",
|
25
|
+
"kms:List*",
|
26
|
+
"kms:Put*",
|
27
|
+
"kms:Update*",
|
28
|
+
"kms:Revoke*",
|
29
|
+
"kms:Disable*",
|
30
|
+
"kms:Get*",
|
31
|
+
"kms:Delete*",
|
32
|
+
"kms:ScheduleKeyDeletion",
|
33
|
+
"kms:CancelKeyDeletion"
|
34
|
+
],
|
35
|
+
"Resource": "*"
|
36
|
+
},
|
37
|
+
{
|
38
|
+
"Sid": "Allow use of the key",
|
39
|
+
"Effect": "Allow",
|
40
|
+
"Principal": {
|
41
|
+
"AWS": [
|
42
|
+
]
|
43
|
+
},
|
44
|
+
"Action": [
|
45
|
+
"kms:Encrypt",
|
46
|
+
"kms:Decrypt",
|
47
|
+
"kms:ReEncrypt*",
|
48
|
+
"kms:GenerateDataKey*",
|
49
|
+
"kms:DescribeKey"
|
50
|
+
],
|
51
|
+
"Resource": "*"
|
52
|
+
},
|
53
|
+
{
|
54
|
+
"Sid": "Allow attachment of persistent resources",
|
55
|
+
"Effect": "Allow",
|
56
|
+
"Principal": {
|
57
|
+
"AWS": [
|
58
|
+
]
|
59
|
+
},
|
60
|
+
"Action": [
|
61
|
+
"kms:CreateGrant",
|
62
|
+
"kms:ListGrants",
|
63
|
+
"kms:RevokeGrant"
|
64
|
+
],
|
65
|
+
"Resource": "*",
|
66
|
+
"Condition": {
|
67
|
+
"Bool": {
|
68
|
+
"kms:GrantIsForAWSResource": "true"
|
69
|
+
}
|
70
|
+
}
|
71
|
+
}
|
72
|
+
]
|
73
|
+
}
|
metadata
ADDED
@@ -0,0 +1,100 @@
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
|
+
name: credstash-init
|
3
|
+
version: !ruby/object:Gem::Version
|
4
|
+
version: 0.1.0
|
5
|
+
platform: ruby
|
6
|
+
authors:
|
7
|
+
- Bryan Conrad
|
8
|
+
autorequire:
|
9
|
+
bindir: exe
|
10
|
+
cert_chain: []
|
11
|
+
date: 2016-02-02 00:00:00.000000000 Z
|
12
|
+
dependencies:
|
13
|
+
- !ruby/object:Gem::Dependency
|
14
|
+
name: aws-sdk-resources
|
15
|
+
requirement: !ruby/object:Gem::Requirement
|
16
|
+
requirements:
|
17
|
+
- - "~>"
|
18
|
+
- !ruby/object:Gem::Version
|
19
|
+
version: '2'
|
20
|
+
type: :runtime
|
21
|
+
prerelease: false
|
22
|
+
version_requirements: !ruby/object:Gem::Requirement
|
23
|
+
requirements:
|
24
|
+
- - "~>"
|
25
|
+
- !ruby/object:Gem::Version
|
26
|
+
version: '2'
|
27
|
+
- !ruby/object:Gem::Dependency
|
28
|
+
name: bundler
|
29
|
+
requirement: !ruby/object:Gem::Requirement
|
30
|
+
requirements:
|
31
|
+
- - "~>"
|
32
|
+
- !ruby/object:Gem::Version
|
33
|
+
version: '1.8'
|
34
|
+
type: :development
|
35
|
+
prerelease: false
|
36
|
+
version_requirements: !ruby/object:Gem::Requirement
|
37
|
+
requirements:
|
38
|
+
- - "~>"
|
39
|
+
- !ruby/object:Gem::Version
|
40
|
+
version: '1.8'
|
41
|
+
- !ruby/object:Gem::Dependency
|
42
|
+
name: rake
|
43
|
+
requirement: !ruby/object:Gem::Requirement
|
44
|
+
requirements:
|
45
|
+
- - "~>"
|
46
|
+
- !ruby/object:Gem::Version
|
47
|
+
version: '10.0'
|
48
|
+
type: :development
|
49
|
+
prerelease: false
|
50
|
+
version_requirements: !ruby/object:Gem::Requirement
|
51
|
+
requirements:
|
52
|
+
- - "~>"
|
53
|
+
- !ruby/object:Gem::Version
|
54
|
+
version: '10.0'
|
55
|
+
description:
|
56
|
+
email:
|
57
|
+
- bkconrad@gmail.com
|
58
|
+
executables:
|
59
|
+
- credstash-init
|
60
|
+
extensions: []
|
61
|
+
extra_rdoc_files: []
|
62
|
+
files:
|
63
|
+
- ".gitignore"
|
64
|
+
- ".rspec"
|
65
|
+
- ".travis.yml"
|
66
|
+
- Gemfile
|
67
|
+
- README.md
|
68
|
+
- Rakefile
|
69
|
+
- bin/console
|
70
|
+
- bin/setup
|
71
|
+
- credstash-init.gemspec
|
72
|
+
- exe/credstash-init
|
73
|
+
- lib/credstash/init.rb
|
74
|
+
- lib/credstash/init/version.rb
|
75
|
+
- lib/credstash/template/credstash-key-policy.json.erb
|
76
|
+
homepage: https://github.com/bkconrad/credstash-init
|
77
|
+
licenses:
|
78
|
+
- MIT
|
79
|
+
metadata: {}
|
80
|
+
post_install_message:
|
81
|
+
rdoc_options: []
|
82
|
+
require_paths:
|
83
|
+
- lib
|
84
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
85
|
+
requirements:
|
86
|
+
- - ">="
|
87
|
+
- !ruby/object:Gem::Version
|
88
|
+
version: '0'
|
89
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
90
|
+
requirements:
|
91
|
+
- - ">="
|
92
|
+
- !ruby/object:Gem::Version
|
93
|
+
version: '0'
|
94
|
+
requirements: []
|
95
|
+
rubyforge_project:
|
96
|
+
rubygems_version: 2.4.6
|
97
|
+
signing_key:
|
98
|
+
specification_version: 4
|
99
|
+
summary: Set up individual credstash keys and DBs for isolated environments
|
100
|
+
test_files: []
|