credstash-init 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 73f92cc0bfebad087d95de2b4fcc012b722abb5d
+  data.tar.gz: 6271da4757edddebdde04c78af8d90d14c227f0c
+SHA512:
+  metadata.gz: 84d716ed172b29b8333ac8c5b3334224fb51d9af61fead366cb125a08c899ef9d1fdc8ce7b8b77e4eb179659735be3b0dc0a56da27a6f2d8588bf70592a27502
+  data.tar.gz: f697f461b2e99177d5943d3cf51defdf07da39ffe019a53d51df696ab270c9a05e77c63028935d7900c5bc8f1f8f5b0019fa8a560f4eb0c91023376001ddbadf

data/.gitignore

@@ -0,0 +1,9 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/.rspec

@@ -0,0 +1,2 @@
+--format documentation
+--color

data/.travis.yml

@@ -0,0 +1,3 @@
+language: ruby
+rvm:
+  - 2.2.0

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in credstash-init.gemspec
+gemspec

data/README.md

@@ -0,0 +1,16 @@
+# credstash-init
+
+Set up individual credstash keys and DBs for isolated environments
+
+## Usage
+
+```
+gem install credstash-init
+credstash-init <profile> <region> <admin_username> [ ... ]
+```
+
+You must specify (explicitly) all of the above. You may specify multiple key admin users. You must use the IAM username as reflected in AWS.
+
+## License
+
+MIT

data/Rakefile

@@ -0,0 +1,2 @@
+require "bundler/gem_tasks"
+

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "credstash/init"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start

data/bin/setup

@@ -0,0 +1,7 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/credstash-init.gemspec

@@ -0,0 +1,25 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'credstash/init/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "credstash-init"
+  spec.version       = Credstash::VERSION
+  spec.authors       = ["Bryan Conrad"]
+  spec.email         = ["bkconrad@gmail.com"]
+
+  spec.summary       = %q{Set up individual credstash keys and DBs for isolated environments}
+  spec.homepage      = "https://github.com/bkconrad/credstash-init"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "aws-sdk-resources", "~> 2"
+
+  spec.add_development_dependency "bundler", "~> 1.8"
+  spec.add_development_dependency "rake", "~> 10.0"
+end

data/exe/credstash-init

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "credstash/init"
+
+Credstash::Init.new.init!

data/lib/credstash/init.rb

@@ -0,0 +1,98 @@
+require "erb"
+require "json"
+require "credstash/init/version"
+require "aws-sdk-resources"
+
+module Credstash
+  class Init
+    # Your code goes here...
+    def init!
+      usage! unless profile_name && region && users.any?
+      %w(production staging development).each do |env|
+        ensure_kms_key_exists env
+        run_credstash_setup env
+      end
+    end
+
+    def usage!
+      puts "Usage: #{$0} <profile> <region> <admin_username> [ ... ]"
+      puts "You must provide a profile, region, and list of users (in that order)"
+      exit 1
+    end
+
+    private
+
+    def ensure_kms_key_exists env
+      create_kms_key! env unless kms_key_exists? env
+    end
+
+    def kms_key_exists? env
+      begin
+        kms.describe_key(key_id: key_name(env))
+        puts "Found existing key alias #{key_name env}"
+        return true
+      rescue Aws::KMS::Errors::NotFoundException => e
+        return false
+      end
+    end
+
+    def create_kms_key! env
+      puts "Creating KMS Key for #{env}"
+      result = kms.create_key description: "Credstash key for #{env} secrets", policy: policy(env)
+      puts "Creating KMS Alias #{key_name env}"
+      kms.create_alias alias_name: key_name(env), target_key_id: result.key_metadata.key_id
+    end
+
+    def policy env
+      template_file = File.join File.dirname(__FILE__), 'template', 'credstash-key-policy.json.erb'
+
+      # expose some variables to the binding
+      @env = env
+      @account_id = account_id
+      data = JSON.parse ERB.new(File.read(template_file)).result(binding)
+      require 'pp'
+      data['Statement'].each do |statement|
+        next unless statement['Principal']['AWS'].is_a? Array
+        statement['Principal']['AWS'] = user_arns
+      end
+
+      JSON.pretty_generate data
+    end
+
+    def user_arns
+      users.map { |user| "arn:aws:iam::#{account_id}:user/#{user}" }
+    end
+
+    def account_id
+      iam.get_user.user.arn.split(':')[4]
+    end
+
+    def key_name env
+      "alias/credstash-#{env}"
+    end
+
+    def run_credstash_setup env
+      system "credstash -p #{profile_name} -r #{region} -t credstash-#{env} setup"
+    end
+
+    def kms
+      @kms ||= ::Aws::KMS::Client.new profile: profile_name, region: region
+    end
+
+    def iam
+      @iam ||= ::Aws::IAM::Client.new profile: profile_name, region: region
+    end
+
+    def profile_name
+      ARGV.first
+    end
+
+    def region
+      ARGV[1]
+    end
+
+    def users
+      ARGV.last ARGV.length - 2
+    end
+  end
+end

data/lib/credstash/init/version.rb

@@ -0,0 +1,3 @@
+module Credstash
+  VERSION = "0.1.0"
+end

data/lib/credstash/template/credstash-key-policy.json.erb

@@ -0,0 +1,73 @@
+{
+  "Version": "2012-10-17",
+  "Id": "credstash-key-policy-<%= @env %>",
+  "Statement": [
+    {
+      "Sid": "Enable IAM User Permissions",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "arn:aws:iam::<%= @account_id %>:root"
+      },
+      "Action": "kms:*",
+      "Resource": "*"
+    },
+    {
+      "Sid": "Allow access for Key Administrators",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": [
+        ]
+      },
+      "Action": [
+        "kms:Create*",
+        "kms:Describe*",
+        "kms:Enable*",
+        "kms:List*",
+        "kms:Put*",
+        "kms:Update*",
+        "kms:Revoke*",
+        "kms:Disable*",
+        "kms:Get*",
+        "kms:Delete*",
+        "kms:ScheduleKeyDeletion",
+        "kms:CancelKeyDeletion"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid": "Allow use of the key",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": [
+        ]
+      },
+      "Action": [
+        "kms:Encrypt",
+        "kms:Decrypt",
+        "kms:ReEncrypt*",
+        "kms:GenerateDataKey*",
+        "kms:DescribeKey"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid": "Allow attachment of persistent resources",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": [
+        ]
+      },
+      "Action": [
+        "kms:CreateGrant",
+        "kms:ListGrants",
+        "kms:RevokeGrant"
+      ],
+      "Resource": "*",
+      "Condition": {
+        "Bool": {
+          "kms:GrantIsForAWSResource": "true"
+        }
+      }
+    }
+  ]
+}

metadata

@@ -0,0 +1,100 @@
+--- !ruby/object:Gem::Specification
+name: credstash-init
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Bryan Conrad
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2016-02-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-resources
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+description: 
+email:
+- bkconrad@gmail.com
+executables:
+- credstash-init
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- Gemfile
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- credstash-init.gemspec
+- exe/credstash-init
+- lib/credstash/init.rb
+- lib/credstash/init/version.rb
+- lib/credstash/template/credstash-key-policy.json.erb
+homepage: https://github.com/bkconrad/credstash-init
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.6
+signing_key: 
+specification_version: 4
+summary: Set up individual credstash keys and DBs for isolated environments
+test_files: []