rrx_config 0.1.1 → 0.1.2

data/lib/rrx_config/aws.rb

@@ -2,10 +2,11 @@
 
 module RrxConfig
   module Aws
-    PROFILE_VARIABLE = 'RRX_AWS_PROFILE'
-    REGION_VARIABLE  = 'RRX_AWS_REGION'
-    REGION_DEFAULT   = 'us-west-2'
-    PROFILE_DEFAULT = 'default'
+    PROFILE_VARIABLE      = 'RRX_AWS_PROFILE'
+    REGION_VARIABLE       = 'RRX_AWS_REGION'
+    REGION_DEFAULT        = 'us-west-2'
+    PROFILE_DEFAULT       = 'default'
+    ECS_METADATA_VARIABLE = 'ECS_CONTAINER_METADATA_URI_V4'
 
     class << self
       def profile?
@@ -17,16 +18,7 @@ module RrxConfig
       end
 
       def credentials
-        if profile
-          require 'aws-sdk-core/shared_credentials'
-          ::Aws::SharedCredentials.new(profile_name: profile)
-        else
-          require 'aws-sdk-core/instance_profile_credentials'
-          require 'aws-sdk-core/ecs_credentials'
-          ec2 = ::Aws::InstanceProfileCredentials.new
-          ecs = ::Aws::ECSCredentials.new
-          ec2.set? ? ec2 : ecs
-        end
+        @credentials ||= profile_credentials || environment_credentials || ecs_credentials || ec2_credentials
       end
 
       def client_args
@@ -36,6 +28,36 @@ module RrxConfig
       def region
         ENV.fetch(REGION_VARIABLE, REGION_DEFAULT)
       end
+
+      def profile_credentials
+        if profile?
+          RrxConfig.logger.info 'Using shared credentials'
+          require 'aws-sdk-core/shared_credentials'
+          ::Aws::SharedCredentials.new(profile_name: profile)
+        end
+      end
+
+      def environment_credentials
+        if ENV.include?('AWS_ACCESS_KEY_ID')
+          require 'aws-sdk-core/credentials'
+          RrxConfig.logger.info 'Using explicit credentials'
+          ::Aws::Credentials.new(ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY'])
+        end
+      end
+
+      def ecs_credentials
+        if ENV.include?(ECS_METADATA_VARIABLE)
+          RrxConfig.logger.info 'Using ECS credentials'
+          require 'aws-sdk-core/ecs_credentials'
+          ::Aws::ECSCredentials.new
+        end
+      end
+
+      def ec2_credentials
+        RrxConfig.logger.info 'Using EC2 credentials'
+        require 'aws-sdk-core/instance_profile_credentials'
+        ::Aws::InstanceProfileCredentials.new
+      end
     end
   end
 end

data/lib/rrx_config/configuration.rb

@@ -34,6 +34,12 @@ module RrxConfig
     def default_config
       Data.define.new
     end
+
+    class << self
+      def hash_data(hash)
+        Data.define(*hash.keys).new(**hash.transform_values { |v| v.is_a?(Hash) ? hash_data(v) : v })
+      end
+    end
   end
 
   def self.respond_to_missing?(...)

data/lib/rrx_config/database_config/iam_hash_config.rb

@@ -0,0 +1,87 @@
+# frozen_string_literal: true
+
+require 'active_record/database_configurations'
+
+module RrxConfig
+  module DatabaseConfig
+    class IamHashConfig < ActiveRecord::DatabaseConfigurations::HashConfig
+      GLOBAL_PEM_URL      = 'https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem'
+      PASSWORD_EXPIRATION = 10.minutes
+
+      alias raw_configuration_hash configuration_hash
+
+      # @param [Hash] configuration_hash
+      def initialize(env_name, name, configuration_hash)
+        config = configuration_hash.except(:iam)
+        case config[:adapter]
+        when 'mysql2'
+          config[:enable_cleartext_plugin] = true
+        end
+        super(env_name, name, config)
+      end
+
+      def configuration_hash
+        { password:, sslca:, ssl_mode: :required }.reverse_merge!(raw_configuration_hash).freeze.tap do |it|
+          if RrxConfig.logger.respond_to?(:with_tags)
+            RrxConfig.logger.with_tags(**it) { RrxConfig.debug 'Generated IAM DB config' }
+          else
+            RrxConfig.debug "Generated IAM DB config: #{JSON(it)}"
+          end
+        end
+      end
+
+      def password
+        if password_expired?
+          @password            = generate_password
+          @password_expiration = PASSWORD_EXPIRATION.from_now
+        end
+        @password
+      end
+
+      def password_expired?
+        !(@password && @password_expiration && (@password_expiration > Time.now))
+      end
+
+      def endpoint
+        "#{raw_configuration_hash[:host]}:#{raw_configuration_hash[:port]}"
+      end
+
+      def region
+        raw_configuration_hash.fetch(:region, Aws.region)
+      end
+
+      def user_name
+        raw_configuration_hash[:username] || raw_configuration_hash[:user]
+      end
+
+      def generate_password
+        generator.auth_token(endpoint:, region:, user_name:)
+      end
+
+      def generator
+        require 'aws-sdk-rds'
+        require_relative '../aws'
+        @generator ||= ::Aws::RDS::AuthTokenGenerator.new(credentials: Aws.credentials)
+      end
+
+      def sslca
+        sslca_download unless sslca_path.exist?
+        sslca_path.to_s
+      end
+
+      def sslca_path
+        @sslca_path ||= Rails.root.join('tmp/aws-rds-ca.pem')
+      end
+
+      def sslca_download
+        require 'open-uri'
+        download = URI.open(GLOBAL_PEM_URL)
+        sslca_path.truncate(0) if sslca_path.exist?
+        IO.copy_stream download, sslca_path
+
+        RrxConfig.info "Downloaded AWS certs to #{sslca_path}"
+      end
+    end
+
+  end
+end

data/lib/rrx_config/database_config.rb

@@ -1,84 +1,44 @@
 # frozen_string_literal: true
 
-if defined?(ActiveRecord)
-  require 'active_record/database_configurations'
-
-  module RrxConfig
-    class IamHashConfig < ActiveRecord::DatabaseConfigurations::HashConfig
-      GLOBAL_PEM_URL='https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem'
-
-      alias raw_configuration_hash configuration_hash
-
-      # @param [Hash] configuration_hash
-      def initialize(env_name, name, configuration_hash)
-        config = configuration_hash.except(:iam)
-        case config[:adapter]
-        when 'mysql2'
-          config[:enable_cleartext_plugin] = true
-        end
-        super(env_name, name, config)
-      end
-
-      def configuration_hash
-        { password:, sslca:, ssl_mode: :required }.reverse_merge!(raw_configuration_hash).freeze
-      end
-
-      def password
-        generator.auth_token(endpoint:, region:, user_name:)
-      end
-
-      def endpoint
-        "#{raw_configuration_hash[:host]}:#{raw_configuration_hash[:port]}"
-      end
-
-      def region
-        raw_configuration_hash.fetch(:region, Aws.region)
-      end
-
-      def user_name
-        raw_configuration_hash[:username] || raw_configuration_hash[:user]
-      end
-
-      def generator
-        require 'aws-sdk-rds'
-        require_relative './aws'
-        @generator ||= ::Aws::RDS::AuthTokenGenerator.new(credentials: Aws.credentials)
-      end
-
-      def sslca
-        unless sslca_path.exist?
-          require 'open-uri'
-          download = URI.open(GLOBAL_PEM_URL)
-          IO.copy_stream download, sslca_path
+require_relative './database_config/iam_hash_config'
+
+module RrxConfig
+  module DatabaseConfig
+    class << self
+      def db_config_handler(env_name, name, url, config)
+        case
+        when url
+          # Pass to default handler
+          nil
+        when RrxConfig.database?
+          # Use config from RrxConfig
+          if RrxConfig.database.try(:iam)
+            config = RrxConfig.database.to_h
+            RrxConfig.info "Using AWS IAM config for #{obfuscate(config)}"
+            IamHashConfig.new(env_name, name, config)
+          else
+            ActiveRecord::DatabaseConfigurations::HashConfig.new(env_name, name, RrxConfig.database.to_h)
+          end
+        when config.fetch(:iam, false)
+          # Use standard config with IAM support
+          IamHashConfig.new(env_name, name, config)
         end
-        sslca_path.to_s
       end
 
-      def sslca_path
-        @sslca_path ||= Rails.root.join('tmp/aws-rds-ca.pem')
-      end
-    end
+      protected
 
-    def self.db_config_handler(env_name, name, url, config)
-      case
-      when url
-        # Pass to default handler
-        nil
-      when RrxConfig.database?
-        # Use config from RrxConfig
-        if RrxConfig.database.try(:iam)
-          IamHashConfig.new(env_name, name, RrxConfig.database.to_h)
-        else
-          ActiveRecord::DatabaseConfigurations::HashConfig.new(env_name, name, RrxConfig.database.to_h)
+      def obfuscate(config)
+        if config.include?(:password)
+          # @type {String}
+          password          = config[:password]
+          config[:password] = "#{password.length > 1 ? password[0..1] : ''}*********"
         end
-      when config.fetch(:iam, false)
-        # Use standard config with IAM support
-        IamHashConfig.new(env_name, name, config)
+        config
       end
     end
   end
+end
 
-  ActiveRecord::DatabaseConfigurations.register_db_config_handler do |env_name, name, url, config|
-    RrxConfig.db_config_handler env_name, name, url, config
-  end
+ActiveRecord::DatabaseConfigurations.register_db_config_handler do |env_name, name, url, config|
+  RrxConfig::DatabaseConfig.db_config_handler env_name, name, url, config
 end

data/lib/rrx_config/environment.rb

@@ -1,6 +1,13 @@
 # frozen_string_literal: true
+require_relative './error'
 
 module RrxConfig
+  class EnvironmentError < Error
+    def initialize(msg)
+      super("Invalid environment '#{msg}'")
+    end
+  end
+
   class Environment < ActiveSupport::StringInquirer
     RRX_ENVIRONMENT_VARIABLE = 'RRX_ENVIRONMENT'
     RRX_ENVIRONMENT_DEFAULT  = 'development'

data/lib/rrx_config/error.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module RrxConfig
+  class Error < StandardError; end
+end

data/lib/rrx_config/railtie.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+require 'rails/railtie'
+require 'active_support'
+
+module RrxConfig
+  class Railtie < Rails::Railtie
+    initializer 'rrx_config.initialize_database', before: 'active_record.initialize_database' do
+      ActiveSupport.on_load(:active_record) do
+        # Make sure our config handler is registered before Rails initializes
+        require_relative './database_config'
+      end
+    end
+
+    rake_tasks do
+      namespace :db do
+        task rrx_init_config: :environment do
+          # Make sure our config handler is registered before the Rails rake task runs
+          require_relative './database_config'
+        end
+
+        task load_config: 'db:rrx_init_config'
+
+        task print_config: 'db:load_config' do
+          puts JSON.pretty_generate(ActiveRecord::Base.connection_db_config.configuration_hash)
+        end
+      end
+    end
+  end
+end

data/lib/rrx_config/sources/aws_secret_source.rb

@@ -2,12 +2,15 @@
 
 require_relative './base'
 require_relative '../aws'
+require_relative '../error'
 
 module RrxConfig
   module Sources
     class AwsSecretSource < Base
       SECRET_VARIABLE  = 'RRX_AWS_CONFIG_SECRET_NAME'
 
+      class GetAwsSecretError < Error; end
+
       def read
         read_secret if secret_id
       end
@@ -17,14 +20,14 @@ module RrxConfig
       def write(value)
         raise NotImplementedError unless Rails.env.test?
 
-        puts "Writing secret #{secret_id}"
+        RrxConfig.info "Writing secret #{secret_id}"
         result = client.create_secret({
                                name:                           secret_id,
                                secret_string:                  value,
                                force_overwrite_replica_secret: true,
                                description:                    'Integration test'
                              })
-        puts "Secret created: #{result.arn}"
+        RrxConfig.info "Secret created: #{result.arn}"
       end
 
       ##
@@ -32,7 +35,7 @@ module RrxConfig
       def delete
         raise NotImplementedError unless Rails.env.test?
 
-        puts "Deleting secret #{secret_id}"
+        RrxConfig.info "Deleting secret #{secret_id}"
         client.delete_secret({ secret_id:, force_delete_without_recovery: true }) rescue nil
       end
 
@@ -54,6 +57,9 @@ module RrxConfig
 
       def read_secret
         read_json client.get_secret_value({secret_id:}).secret_string
+      rescue x
+        RrxConfig.error "Failed to read AWS secret #{secret_id}: #{x}"
+        raise GetAwsSecretError, "Failed to read AWS secret #{secret_id}", x.backtrace
       end
     end
   end

data/lib/rrx_config/sources/base.rb

@@ -12,16 +12,21 @@ module RrxConfig
       # @param [String, nil] value
       # @return [Data, nil]
       def read_json(value)
-        value ? json_to_data(JSON.parse(value, { symbolize_keys: true })) : nil
+        if value
+          result = json_to_data(JSON.parse(value, { symbolize_keys: true }))
+          RrxConfig.info 'Successfully read config from %s (%s)' % [
+            self.class.name.split('::').last.sub('Source', ''),
+            result.members.join(', ')
+          ]
+          result
+        else
+          nil
+        end
       end
 
       # @param [Hash] json
       def json_to_data(json)
-        json = json.transform_values do |v|
-          v.is_a?(Hash) ? json_to_data(v) : v
-        end
-
-        Data.define(*json.keys).new(**json)
+        Configuration.hash_data(json)
       end
     end
   end

data/lib/rrx_config/sources/environment_source.rb

@@ -7,7 +7,6 @@ module RrxConfig
     class EnvironmentSource < Base
       VARIABLE_NAME = 'RRX_CONFIG'
 
-      # @return [Struct, nil]
       def read
         read_json ENV.fetch(VARIABLE_NAME, nil)
       end

data/lib/rrx_config/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module RrxConfig
-  VERSION = "0.1.1"
+  VERSION = "0.1.2"
 end

data/lib/rrx_config.rb

@@ -3,14 +3,39 @@
 require_relative 'rrx_config/version'
 require_relative 'rrx_config/configuration'
 require_relative 'rrx_config/environment'
-require_relative 'rrx_config/database_config'
+require_relative 'rrx_config/railtie'
 
 module RrxConfig
-  class Error < StandardError; end
+  class << self
+    def logger
+      if defined?(Rails) && Rails.logger
+        if Rails.logger.respond_to?(:scoped)
+          Rails.logger.scoped(name: 'rrx_config')
+        else
+          Rails.logger
+        end
+      end
+    end
+
+    def log(level, msg)
+      logger = self.logger
+      if logger
+        logger.send(level.to_sym, msg)
+      else
+        puts "[RRX_CONFIG][#{level.to_s.upcase}] #{msg}"
+      end
+    end
+
+    def debug(msg)
+      log(:debug, msg)
+    end
+
+    def info(msg)
+      log(:info, msg)
+    end
 
-  class EnvironmentError < Error
-    def initialize(msg)
-      super("Invalid environment '#{msg}'")
+    def error(msg)
+      log(:error, msg)
     end
   end
 end

metadata

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: rrx_config
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.1.2
 platform: ruby
 authors:
 - Dan Drew
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2024-01-30 00:00:00.000000000 Z
+date: 2024-02-02 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: railties
   requirement: !ruby/object:Gem::Requirement
@@ -24,6 +38,76 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-rds
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-secretsmanager
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: mysql2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rrx_dev
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: 
 email:
 - dan.drew@hotmail.com
@@ -32,11 +116,6 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".editorconfig"
-- ".idea/.gitignore"
-- ".idea/inspectionProfiles/Project_Default.xml"
-- ".idea/modules.xml"
-- ".idea/rrx_config.iml"
-- ".idea/vcs.xml"
 - ".rspec"
 - ".rubocop.yml"
 - CODE_OF_CONDUCT.md
@@ -45,11 +124,15 @@ files:
 - LICENSE.txt
 - README.md
 - Rakefile
+- global.pem
 - lib/rrx_config.rb
 - lib/rrx_config/aws.rb
 - lib/rrx_config/configuration.rb
 - lib/rrx_config/database_config.rb
+- lib/rrx_config/database_config/iam_hash_config.rb
 - lib/rrx_config/environment.rb
+- lib/rrx_config/error.rb
+- lib/rrx_config/railtie.rb
 - lib/rrx_config/sources/aws_secret_source.rb
 - lib/rrx_config/sources/base.rb
 - lib/rrx_config/sources/environment_source.rb

data/.idea/.gitignore

@@ -1,8 +0,0 @@
-# Default ignored files
-/shelf/
-/workspace.xml
-# Editor-based HTTP Client requests
-/httpRequests/
-# Datasource local storage ignored files
-/dataSources/
-/dataSources.local.xml

data/.idea/inspectionProfiles/Project_Default.xml

@@ -1,8 +0,0 @@
-<component name="InspectionProjectProfileManager">
-  <profile version="1.0">
-    <option name="myName" value="Project Default" />
-    <inspection_tool class="RbsMissingTypeSignature" enabled="false" level="WEAK WARNING" enabled_by_default="false" />
-    <inspection_tool class="RubyCaseWithoutElseBlockInspection" enabled="false" level="WARNING" enabled_by_default="false" />
-    <inspection_tool class="RubyMismatchedParameterType" enabled="false" level="WARNING" enabled_by_default="false" />
-  </profile>
-</component>

data/.idea/modules.xml

@@ -1,8 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project version="4">
-  <component name="ProjectModuleManager">
-    <modules>
-      <module fileurl="file://$PROJECT_DIR$/.idea/rrx_config.iml" filepath="$PROJECT_DIR$/.idea/rrx_config.iml" />
-    </modules>
-  </component>
-</project>