hiera-secrets-manager 0.1.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/lib/hiera/backend/secrets_manager_backend.rb +48 -0
- data/spec/secrets_manager_backend_spec.rb +125 -0
- metadata +61 -0
checksums.yaml
ADDED
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
---
|
|
2
|
+
SHA256:
|
|
3
|
+
metadata.gz: ddb4e09c2998f196711cd698067557e0ba49e66c315a8bb77cabdf75cc4d309b
|
|
4
|
+
data.tar.gz: bc5fab11b745e1d8b42054a652f9bc0a704642d84fae56c2fe59b77f10265d5a
|
|
5
|
+
SHA512:
|
|
6
|
+
metadata.gz: 61f468931ae0cc0ec27c9b312c511b95f607d994bd4ddd2489feb9db7ab7968861e0c4dd402b063d25c02043d76cf6a07ddb1ae30df3876e8e5720b20356fa6c
|
|
7
|
+
data.tar.gz: 1c4fac048ab6cc8083bc28d97f7f0e0b712b8b4e06767f82fa01b0d64a69469afa4f56bc4ec3301dfa4fbf263bd13f2fefd61e7de9c9b54dbb541e0d0a9974b7
|
|
@@ -0,0 +1,48 @@
|
|
|
1
|
+
class Hiera
|
|
2
|
+
module Backend
|
|
3
|
+
class Secrets_manager_backend
|
|
4
|
+
def initialize
|
|
5
|
+
require 'aws-sdk-secretsmanager'
|
|
6
|
+
@client = Aws::SecretsManager::Client.new(
|
|
7
|
+
region: Config[:secrets_manager][:region]
|
|
8
|
+
)
|
|
9
|
+
|
|
10
|
+
Hiera.debug('AWS Secrets Manager backend starting')
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
def lookup(key, scope, order_override, resolution_type)
|
|
14
|
+
answer = nil
|
|
15
|
+
|
|
16
|
+
key_to_query = format_key(key, scope, Config[:secrets_manager])
|
|
17
|
+
|
|
18
|
+
begin
|
|
19
|
+
answer = @client.get_secret_value(secret_id: key_to_query)['secret_string']
|
|
20
|
+
rescue Aws::SecretsManager::Errors::ResourceNotFoundException => error
|
|
21
|
+
Hiera.debug("#{key} not found: #{error.message}")
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
answer
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
private
|
|
28
|
+
|
|
29
|
+
def get_prefix(environments, scope)
|
|
30
|
+
if environments && environments.key?(scope['environment'])
|
|
31
|
+
environments[scope['environment']]
|
|
32
|
+
else
|
|
33
|
+
scope['environment']
|
|
34
|
+
end
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
def format_key(key, scope, config)
|
|
38
|
+
if scope.key?('environment')
|
|
39
|
+
environments = config[:environments]
|
|
40
|
+
prefix = get_prefix(environments, scope)
|
|
41
|
+
"#{prefix}/#{key}"
|
|
42
|
+
else
|
|
43
|
+
key
|
|
44
|
+
end
|
|
45
|
+
end
|
|
46
|
+
end
|
|
47
|
+
end
|
|
48
|
+
end
|
|
@@ -0,0 +1,125 @@
|
|
|
1
|
+
require 'spec_helper'
|
|
2
|
+
require 'hiera/backend/secrets_manager_backend'
|
|
3
|
+
|
|
4
|
+
class Hiera
|
|
5
|
+
module Backend
|
|
6
|
+
describe Secrets_manager_backend do
|
|
7
|
+
before do
|
|
8
|
+
@region_object = { region: 'some_region' }
|
|
9
|
+
@config_object = { secrets_manager:
|
|
10
|
+
{
|
|
11
|
+
region: @region_object[:region],
|
|
12
|
+
environments:
|
|
13
|
+
{
|
|
14
|
+
'env1' => 'production',
|
|
15
|
+
'env2' => 'staging',
|
|
16
|
+
'env3' => 'development'
|
|
17
|
+
}
|
|
18
|
+
} }
|
|
19
|
+
Config.load(@config_object)
|
|
20
|
+
Hiera.stubs(:debug)
|
|
21
|
+
Aws::SecretsManager::Client
|
|
22
|
+
.stubs(:new)
|
|
23
|
+
.with(@region_object)
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
describe '#initialize' do
|
|
27
|
+
it 'should announce its creation' do
|
|
28
|
+
Hiera
|
|
29
|
+
.expects(:debug)
|
|
30
|
+
.with('AWS Secrets Manager backend starting')
|
|
31
|
+
Secrets_manager_backend.new
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
it 'should set up a connection to AWS Secrets Manager' do
|
|
35
|
+
Aws::SecretsManager::Client
|
|
36
|
+
.expects(:new)
|
|
37
|
+
.with(@region_object)
|
|
38
|
+
Secrets_manager_backend.new
|
|
39
|
+
end
|
|
40
|
+
end
|
|
41
|
+
|
|
42
|
+
describe '#lookup' do
|
|
43
|
+
before do
|
|
44
|
+
@mock_client = mock('client')
|
|
45
|
+
Aws::SecretsManager::Client
|
|
46
|
+
.stubs(:new)
|
|
47
|
+
.with(@region_object).returns(@mock_client)
|
|
48
|
+
@backend = Secrets_manager_backend.new
|
|
49
|
+
@scope = { 'environment' => 'env1' }
|
|
50
|
+
end
|
|
51
|
+
|
|
52
|
+
it 'should return a secret that exists' do
|
|
53
|
+
secret_name = 'secret_name'
|
|
54
|
+
secret_string = 'i_am_a_secret'
|
|
55
|
+
prefixed_secret_name = 'production/secret_name'
|
|
56
|
+
|
|
57
|
+
@mock_client.stubs(:get_secret_value)
|
|
58
|
+
.with(secret_id: prefixed_secret_name)
|
|
59
|
+
.returns('secret_string' => secret_string)
|
|
60
|
+
|
|
61
|
+
answer = @backend.lookup(secret_name, @scope, nil, nil)
|
|
62
|
+
expect(answer).to eq(secret_string)
|
|
63
|
+
end
|
|
64
|
+
|
|
65
|
+
it 'should not return a secret that does not exist' do
|
|
66
|
+
nonexistent_secret = 'does_not_exist'
|
|
67
|
+
prefixed_nonexistent_secret = 'production/does_not_exist'
|
|
68
|
+
mock_context = {}
|
|
69
|
+
error_message = 'Secrets Manager could not find this secret.'
|
|
70
|
+
error = Aws::
|
|
71
|
+
SecretsManager::
|
|
72
|
+
Errors::
|
|
73
|
+
ResourceNotFoundException.new(
|
|
74
|
+
mock_context,
|
|
75
|
+
error_message
|
|
76
|
+
)
|
|
77
|
+
@mock_client.stubs(:get_secret_value)
|
|
78
|
+
.with(secret_id: prefixed_nonexistent_secret)
|
|
79
|
+
.raises(error)
|
|
80
|
+
Hiera
|
|
81
|
+
.expects(:debug)
|
|
82
|
+
.with("#{nonexistent_secret} not found: #{error_message}")
|
|
83
|
+
answer = @backend.lookup(nonexistent_secret, @scope, nil, nil)
|
|
84
|
+
expect(answer).to eq(nil)
|
|
85
|
+
end
|
|
86
|
+
|
|
87
|
+
it 'falls back to provided scope environment when Hiera config does not include environment as a key / value pair' do
|
|
88
|
+
scope = { 'environment' => 'some_env_not_in_config' }
|
|
89
|
+
prefixed_secret_name = 'some_env_not_in_config/secret_name'
|
|
90
|
+
|
|
91
|
+
@mock_client
|
|
92
|
+
.expects(:get_secret_value)
|
|
93
|
+
.with(secret_id: prefixed_secret_name)
|
|
94
|
+
.returns('secret_string' => 'the_secret')
|
|
95
|
+
@backend.lookup('secret_name', scope, nil, nil)
|
|
96
|
+
end
|
|
97
|
+
|
|
98
|
+
it 'falls back to provided scope environment when Hiera config does not include any environments' do
|
|
99
|
+
incomplete_config = { secrets_manager: { region: @region_object[:region] } }
|
|
100
|
+
Config.load(incomplete_config)
|
|
101
|
+
|
|
102
|
+
scope = { 'environment' => 'some_env' }
|
|
103
|
+
prefixed_secret_name = 'some_env/secret_name'
|
|
104
|
+
|
|
105
|
+
@mock_client
|
|
106
|
+
.expects(:get_secret_value)
|
|
107
|
+
.with(secret_id: prefixed_secret_name)
|
|
108
|
+
.returns('secret_string' => 'the_secret')
|
|
109
|
+
@backend.lookup('secret_name', scope, nil, nil)
|
|
110
|
+
end
|
|
111
|
+
|
|
112
|
+
it 'does not use prefix if no environment is provided in scope' do
|
|
113
|
+
scope = { 'no_environment_key' => 'some_value' }
|
|
114
|
+
secret_name = 'secret_name'
|
|
115
|
+
|
|
116
|
+
@mock_client
|
|
117
|
+
.expects(:get_secret_value)
|
|
118
|
+
.with(secret_id: secret_name)
|
|
119
|
+
.returns('secret_string' => 'the_secret')
|
|
120
|
+
@backend.lookup('secret_name', scope, nil, nil)
|
|
121
|
+
end
|
|
122
|
+
end
|
|
123
|
+
end
|
|
124
|
+
end
|
|
125
|
+
end
|
metadata
ADDED
|
@@ -0,0 +1,61 @@
|
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
|
2
|
+
name: hiera-secrets-manager
|
|
3
|
+
version: !ruby/object:Gem::Version
|
|
4
|
+
version: 0.1.0
|
|
5
|
+
platform: ruby
|
|
6
|
+
authors:
|
|
7
|
+
- Unruly
|
|
8
|
+
autorequire:
|
|
9
|
+
bindir: bin
|
|
10
|
+
cert_chain: []
|
|
11
|
+
date: 2018-08-21 00:00:00.000000000 Z
|
|
12
|
+
dependencies:
|
|
13
|
+
- !ruby/object:Gem::Dependency
|
|
14
|
+
name: aws-sdk-secretsmanager
|
|
15
|
+
requirement: !ruby/object:Gem::Requirement
|
|
16
|
+
requirements:
|
|
17
|
+
- - '='
|
|
18
|
+
- !ruby/object:Gem::Version
|
|
19
|
+
version: 1.11.0
|
|
20
|
+
type: :runtime
|
|
21
|
+
prerelease: false
|
|
22
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
23
|
+
requirements:
|
|
24
|
+
- - '='
|
|
25
|
+
- !ruby/object:Gem::Version
|
|
26
|
+
version: 1.11.0
|
|
27
|
+
description: Hiera-Secrets-Manager is a backend for Hiera which can look up secrets
|
|
28
|
+
from AWS Secrets Manager.
|
|
29
|
+
email: boss@unrulygroup.com
|
|
30
|
+
executables: []
|
|
31
|
+
extensions: []
|
|
32
|
+
extra_rdoc_files: []
|
|
33
|
+
files:
|
|
34
|
+
- lib/hiera/backend/secrets_manager_backend.rb
|
|
35
|
+
- spec/secrets_manager_backend_spec.rb
|
|
36
|
+
homepage: https://github.com/unruly/hiera-secrets-manager
|
|
37
|
+
licenses:
|
|
38
|
+
- MIT
|
|
39
|
+
metadata: {}
|
|
40
|
+
post_install_message:
|
|
41
|
+
rdoc_options: []
|
|
42
|
+
require_paths:
|
|
43
|
+
- lib
|
|
44
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
|
45
|
+
requirements:
|
|
46
|
+
- - ">="
|
|
47
|
+
- !ruby/object:Gem::Version
|
|
48
|
+
version: '0'
|
|
49
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
50
|
+
requirements:
|
|
51
|
+
- - ">="
|
|
52
|
+
- !ruby/object:Gem::Version
|
|
53
|
+
version: '0'
|
|
54
|
+
requirements: []
|
|
55
|
+
rubyforge_project:
|
|
56
|
+
rubygems_version: 2.7.7
|
|
57
|
+
signing_key:
|
|
58
|
+
specification_version: 4
|
|
59
|
+
summary: AWS Secrets Manager backend for Hiera
|
|
60
|
+
test_files:
|
|
61
|
+
- spec/secrets_manager_backend_spec.rb
|