hiera-secrets-manager 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/lib/hiera/backend/secrets_manager_backend.rb +48 -0
- data/spec/secrets_manager_backend_spec.rb +125 -0
- metadata +61 -0
checksums.yaml
ADDED
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
---
|
|
2
|
+
SHA256:
|
|
3
|
+
metadata.gz: ddb4e09c2998f196711cd698067557e0ba49e66c315a8bb77cabdf75cc4d309b
|
|
4
|
+
data.tar.gz: bc5fab11b745e1d8b42054a652f9bc0a704642d84fae56c2fe59b77f10265d5a
|
|
5
|
+
SHA512:
|
|
6
|
+
metadata.gz: 61f468931ae0cc0ec27c9b312c511b95f607d994bd4ddd2489feb9db7ab7968861e0c4dd402b063d25c02043d76cf6a07ddb1ae30df3876e8e5720b20356fa6c
|
|
7
|
+
data.tar.gz: 1c4fac048ab6cc8083bc28d97f7f0e0b712b8b4e06767f82fa01b0d64a69469afa4f56bc4ec3301dfa4fbf263bd13f2fefd61e7de9c9b54dbb541e0d0a9974b7
|
|
@@ -0,0 +1,48 @@
|
|
|
1
|
+
class Hiera
|
|
2
|
+
module Backend
|
|
3
|
+
class Secrets_manager_backend
|
|
4
|
+
def initialize
|
|
5
|
+
require 'aws-sdk-secretsmanager'
|
|
6
|
+
@client = Aws::SecretsManager::Client.new(
|
|
7
|
+
region: Config[:secrets_manager][:region]
|
|
8
|
+
)
|
|
9
|
+
|
|
10
|
+
Hiera.debug('AWS Secrets Manager backend starting')
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
def lookup(key, scope, order_override, resolution_type)
|
|
14
|
+
answer = nil
|
|
15
|
+
|
|
16
|
+
key_to_query = format_key(key, scope, Config[:secrets_manager])
|
|
17
|
+
|
|
18
|
+
begin
|
|
19
|
+
answer = @client.get_secret_value(secret_id: key_to_query)['secret_string']
|
|
20
|
+
rescue Aws::SecretsManager::Errors::ResourceNotFoundException => error
|
|
21
|
+
Hiera.debug("#{key} not found: #{error.message}")
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
answer
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
private
|
|
28
|
+
|
|
29
|
+
def get_prefix(environments, scope)
|
|
30
|
+
if environments && environments.key?(scope['environment'])
|
|
31
|
+
environments[scope['environment']]
|
|
32
|
+
else
|
|
33
|
+
scope['environment']
|
|
34
|
+
end
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
def format_key(key, scope, config)
|
|
38
|
+
if scope.key?('environment')
|
|
39
|
+
environments = config[:environments]
|
|
40
|
+
prefix = get_prefix(environments, scope)
|
|
41
|
+
"#{prefix}/#{key}"
|
|
42
|
+
else
|
|
43
|
+
key
|
|
44
|
+
end
|
|
45
|
+
end
|
|
46
|
+
end
|
|
47
|
+
end
|
|
48
|
+
end
|
|
@@ -0,0 +1,125 @@
|
|
|
1
|
+
require 'spec_helper'
|
|
2
|
+
require 'hiera/backend/secrets_manager_backend'
|
|
3
|
+
|
|
4
|
+
class Hiera
|
|
5
|
+
module Backend
|
|
6
|
+
describe Secrets_manager_backend do
|
|
7
|
+
before do
|
|
8
|
+
@region_object = { region: 'some_region' }
|
|
9
|
+
@config_object = { secrets_manager:
|
|
10
|
+
{
|
|
11
|
+
region: @region_object[:region],
|
|
12
|
+
environments:
|
|
13
|
+
{
|
|
14
|
+
'env1' => 'production',
|
|
15
|
+
'env2' => 'staging',
|
|
16
|
+
'env3' => 'development'
|
|
17
|
+
}
|
|
18
|
+
} }
|
|
19
|
+
Config.load(@config_object)
|
|
20
|
+
Hiera.stubs(:debug)
|
|
21
|
+
Aws::SecretsManager::Client
|
|
22
|
+
.stubs(:new)
|
|
23
|
+
.with(@region_object)
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
describe '#initialize' do
|
|
27
|
+
it 'should announce its creation' do
|
|
28
|
+
Hiera
|
|
29
|
+
.expects(:debug)
|
|
30
|
+
.with('AWS Secrets Manager backend starting')
|
|
31
|
+
Secrets_manager_backend.new
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
it 'should set up a connection to AWS Secrets Manager' do
|
|
35
|
+
Aws::SecretsManager::Client
|
|
36
|
+
.expects(:new)
|
|
37
|
+
.with(@region_object)
|
|
38
|
+
Secrets_manager_backend.new
|
|
39
|
+
end
|
|
40
|
+
end
|
|
41
|
+
|
|
42
|
+
describe '#lookup' do
|
|
43
|
+
before do
|
|
44
|
+
@mock_client = mock('client')
|
|
45
|
+
Aws::SecretsManager::Client
|
|
46
|
+
.stubs(:new)
|
|
47
|
+
.with(@region_object).returns(@mock_client)
|
|
48
|
+
@backend = Secrets_manager_backend.new
|
|
49
|
+
@scope = { 'environment' => 'env1' }
|
|
50
|
+
end
|
|
51
|
+
|
|
52
|
+
it 'should return a secret that exists' do
|
|
53
|
+
secret_name = 'secret_name'
|
|
54
|
+
secret_string = 'i_am_a_secret'
|
|
55
|
+
prefixed_secret_name = 'production/secret_name'
|
|
56
|
+
|
|
57
|
+
@mock_client.stubs(:get_secret_value)
|
|
58
|
+
.with(secret_id: prefixed_secret_name)
|
|
59
|
+
.returns('secret_string' => secret_string)
|
|
60
|
+
|
|
61
|
+
answer = @backend.lookup(secret_name, @scope, nil, nil)
|
|
62
|
+
expect(answer).to eq(secret_string)
|
|
63
|
+
end
|
|
64
|
+
|
|
65
|
+
it 'should not return a secret that does not exist' do
|
|
66
|
+
nonexistent_secret = 'does_not_exist'
|
|
67
|
+
prefixed_nonexistent_secret = 'production/does_not_exist'
|
|
68
|
+
mock_context = {}
|
|
69
|
+
error_message = 'Secrets Manager could not find this secret.'
|
|
70
|
+
error = Aws::
|
|
71
|
+
SecretsManager::
|
|
72
|
+
Errors::
|
|
73
|
+
ResourceNotFoundException.new(
|
|
74
|
+
mock_context,
|
|
75
|
+
error_message
|
|
76
|
+
)
|
|
77
|
+
@mock_client.stubs(:get_secret_value)
|
|
78
|
+
.with(secret_id: prefixed_nonexistent_secret)
|
|
79
|
+
.raises(error)
|
|
80
|
+
Hiera
|
|
81
|
+
.expects(:debug)
|
|
82
|
+
.with("#{nonexistent_secret} not found: #{error_message}")
|
|
83
|
+
answer = @backend.lookup(nonexistent_secret, @scope, nil, nil)
|
|
84
|
+
expect(answer).to eq(nil)
|
|
85
|
+
end
|
|
86
|
+
|
|
87
|
+
it 'falls back to provided scope environment when Hiera config does not include environment as a key / value pair' do
|
|
88
|
+
scope = { 'environment' => 'some_env_not_in_config' }
|
|
89
|
+
prefixed_secret_name = 'some_env_not_in_config/secret_name'
|
|
90
|
+
|
|
91
|
+
@mock_client
|
|
92
|
+
.expects(:get_secret_value)
|
|
93
|
+
.with(secret_id: prefixed_secret_name)
|
|
94
|
+
.returns('secret_string' => 'the_secret')
|
|
95
|
+
@backend.lookup('secret_name', scope, nil, nil)
|
|
96
|
+
end
|
|
97
|
+
|
|
98
|
+
it 'falls back to provided scope environment when Hiera config does not include any environments' do
|
|
99
|
+
incomplete_config = { secrets_manager: { region: @region_object[:region] } }
|
|
100
|
+
Config.load(incomplete_config)
|
|
101
|
+
|
|
102
|
+
scope = { 'environment' => 'some_env' }
|
|
103
|
+
prefixed_secret_name = 'some_env/secret_name'
|
|
104
|
+
|
|
105
|
+
@mock_client
|
|
106
|
+
.expects(:get_secret_value)
|
|
107
|
+
.with(secret_id: prefixed_secret_name)
|
|
108
|
+
.returns('secret_string' => 'the_secret')
|
|
109
|
+
@backend.lookup('secret_name', scope, nil, nil)
|
|
110
|
+
end
|
|
111
|
+
|
|
112
|
+
it 'does not use prefix if no environment is provided in scope' do
|
|
113
|
+
scope = { 'no_environment_key' => 'some_value' }
|
|
114
|
+
secret_name = 'secret_name'
|
|
115
|
+
|
|
116
|
+
@mock_client
|
|
117
|
+
.expects(:get_secret_value)
|
|
118
|
+
.with(secret_id: secret_name)
|
|
119
|
+
.returns('secret_string' => 'the_secret')
|
|
120
|
+
@backend.lookup('secret_name', scope, nil, nil)
|
|
121
|
+
end
|
|
122
|
+
end
|
|
123
|
+
end
|
|
124
|
+
end
|
|
125
|
+
end
|
metadata
ADDED
|
@@ -0,0 +1,61 @@
|
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
|
2
|
+
name: hiera-secrets-manager
|
|
3
|
+
version: !ruby/object:Gem::Version
|
|
4
|
+
version: 0.1.0
|
|
5
|
+
platform: ruby
|
|
6
|
+
authors:
|
|
7
|
+
- Unruly
|
|
8
|
+
autorequire:
|
|
9
|
+
bindir: bin
|
|
10
|
+
cert_chain: []
|
|
11
|
+
date: 2018-08-21 00:00:00.000000000 Z
|
|
12
|
+
dependencies:
|
|
13
|
+
- !ruby/object:Gem::Dependency
|
|
14
|
+
name: aws-sdk-secretsmanager
|
|
15
|
+
requirement: !ruby/object:Gem::Requirement
|
|
16
|
+
requirements:
|
|
17
|
+
- - '='
|
|
18
|
+
- !ruby/object:Gem::Version
|
|
19
|
+
version: 1.11.0
|
|
20
|
+
type: :runtime
|
|
21
|
+
prerelease: false
|
|
22
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
23
|
+
requirements:
|
|
24
|
+
- - '='
|
|
25
|
+
- !ruby/object:Gem::Version
|
|
26
|
+
version: 1.11.0
|
|
27
|
+
description: Hiera-Secrets-Manager is a backend for Hiera which can look up secrets
|
|
28
|
+
from AWS Secrets Manager.
|
|
29
|
+
email: boss@unrulygroup.com
|
|
30
|
+
executables: []
|
|
31
|
+
extensions: []
|
|
32
|
+
extra_rdoc_files: []
|
|
33
|
+
files:
|
|
34
|
+
- lib/hiera/backend/secrets_manager_backend.rb
|
|
35
|
+
- spec/secrets_manager_backend_spec.rb
|
|
36
|
+
homepage: https://github.com/unruly/hiera-secrets-manager
|
|
37
|
+
licenses:
|
|
38
|
+
- MIT
|
|
39
|
+
metadata: {}
|
|
40
|
+
post_install_message:
|
|
41
|
+
rdoc_options: []
|
|
42
|
+
require_paths:
|
|
43
|
+
- lib
|
|
44
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
|
45
|
+
requirements:
|
|
46
|
+
- - ">="
|
|
47
|
+
- !ruby/object:Gem::Version
|
|
48
|
+
version: '0'
|
|
49
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
50
|
+
requirements:
|
|
51
|
+
- - ">="
|
|
52
|
+
- !ruby/object:Gem::Version
|
|
53
|
+
version: '0'
|
|
54
|
+
requirements: []
|
|
55
|
+
rubyforge_project:
|
|
56
|
+
rubygems_version: 2.7.7
|
|
57
|
+
signing_key:
|
|
58
|
+
specification_version: 4
|
|
59
|
+
summary: AWS Secrets Manager backend for Hiera
|
|
60
|
+
test_files:
|
|
61
|
+
- spec/secrets_manager_backend_spec.rb
|