stack_master 1.1.0 → 1.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: a51b4fe56605619be180809d3e8b936beba108c0
-  data.tar.gz: 479573ec4534231f8cc2dad7a1d7396f240c3ed6
+SHA256:
+  metadata.gz: 77c6c6c758e05af556c50439bfdf5dce99720a8deb44f485f0e17bcbd82890a6
+  data.tar.gz: 8f467f0f94b7e963afac93400d4f2c4152a3cbc6e12dc0949ed8fcfc857f5d9d
 SHA512:
-  metadata.gz: 9c7784db458ab74af7d4b7d1b18c4603c1227d73574d1624d013fded5bb6af8ec2f74239b7d30b50085fb6c5b781f62a46905b89f883fe00a77bc469621cdb8e
-  data.tar.gz: e5244c0803bd55d3462fb02f79d239a6b240fd3ca7dd88649021097bc0b20c9ac97fa5e9070667ef5a5d7e3bcc6f3a94cb2ec733a02329692f3fea66719da605
+  metadata.gz: f32beb39936cbe533bf08949f2a9657f69dc353dda6bf12f9d98d4736a00060d3745baec090d02fb02288d7abf739a923c0d21af6f7d77f27d2540b67971535d
+  data.tar.gz: 467c51b8edc25e774f20ab3a804b8d44f3559bbde1e9c7817f67935d8a1a4a577d7d4f3181650c48bfa708b11a314213c1ae40e44a546dd03ba882ef225608a1

data/README.md

@@ -240,6 +240,21 @@ db_password:
   secret: db_password
 ```
 
+### Parameter Store
+An alternative to the secrets store, uses the AWS SSM Parameter store to protect
+secrets.   Expects a parameter of either `String` or `SecureString` type to be present in the
+same region as the stack. You can store the parameter using a command like this
+
+`aws ssm put-parameter --region <region> --name <parameter name> --value <secret> --type (String|SecureString)`
+
+When doing so make sure you don't accidentally store the secret in your `.bash_history` and
+you will likely want to set the parameter to NoEcho in your template.
+
+```yaml
+db_password:
+  parameter_store: ssm_parameter_name
+```
+
 ### Security Group
 
 Looks up a security group by name and returns the ARN.

data/features/apply_with_parameter_store_parameters.feature

@@ -0,0 +1,47 @@
+Feature: Apply command with parameter_store parameter
+
+  Background:
+    Given a file named "stack_master.yml" with:
+      """
+      stacks:
+        us-east-2:
+          vpc:
+            template: vpc.rb
+      """
+    And a directory named "parameters"
+    And a file named "parameters/vpc.yml" with:
+      """
+      vpc_cidr:
+        parameter_store: "/cucumber-test-vpc-cidr"
+      """
+    And a SSM parameter named "/cucumber-test-vpc-cidr" with value "10.0.0.0/16" in region "us-east-2"
+    And a directory named "templates"
+    And a file named "templates/vpc.rb" with:
+      """
+      SparkleFormation.new(:vpc) do
+
+        parameters.vpc_cidr do
+          type 'String'
+        end
+
+        resources.vpc do
+          type 'AWS::EC2::VPC'
+          properties do
+            cidr_block ref!(:vpc_cidr)
+          end
+        end
+
+      end
+      """
+
+  Scenario: Run apply and create a new stack
+    Given I stub the following stack events:
+      | stack_id | event_id | stack_name | logical_resource_id | resource_status | resource_type              | timestamp           |
+      | 1        | 1        | vpc        | Vpc                 | CREATE_COMPLETE | AWS::EC2::VPC              | 2020-10-29 00:00:00 |
+      | 1        | 1        | vpc        | vpc                 | CREATE_COMPLETE | AWS::CloudFormation::Stack | 2020-10-29 00:00:00 |
+    When I run `stack_master apply us-east-2 vpc --trace`
+    And the output should contain all of these lines:
+      | +---                  |
+      | +VpcCidr: 10.0.0.0/16 |
+    And the output should match /2020-10-29 00:00:00 (\+|\-)[0-9]{4} vpc AWS::CloudFormation::Stack CREATE_COMPLETE/
+    Then the exit status should be 0

data/features/step_definitions/parameter_store_steps.rb

@@ -0,0 +1,14 @@
+Given(/^(?:a|the) SSM parameter(?: named)? "([^"]*)" with value "([^"]*)" in region "([^"]*)"$/) do |parameter_name, parameter_value, parameter_region|
+  Aws.config[:ssm] = {
+    stub_responses: {
+      get_parameter: {
+        parameter: {
+          name: parameter_name,
+          value: parameter_value,
+          type: "SecureString",
+          version: 1
+        }
+      }
+    }
+  }
+end

data/lib/stack_master.rb

@@ -61,6 +61,7 @@ module StackMaster
     autoload :LatestAmiByTags, 'stack_master/parameter_resolvers/latest_ami_by_tags'
     autoload :LatestAmi, 'stack_master/parameter_resolvers/latest_ami'
     autoload :Env, 'stack_master/parameter_resolvers/env'
+    autoload :ParameterStore, 'stack_master/parameter_resolvers/parameter_store'
   end
 
   module AwsDriver

data/lib/stack_master/parameter_resolvers/parameter_store.rb

@@ -0,0 +1,31 @@
+module StackMaster
+  module ParameterResolvers
+    class ParameterStore < Resolver
+
+      ParameterNotFound = Class.new(StandardError)
+
+      def initialize(config, stack_definition)
+        @config = config
+        @stack_definition = stack_definition
+      end
+
+      def resolve(value)
+        begin
+          resp = ssm.get_parameter(
+            name: value,
+            with_decryption: true
+          )
+        rescue Aws::SSM::Errors::ParameterNotFound
+          raise ParameterNotFound, "Unable to find #{value} in Parameter Store"
+        end
+        resp.parameter.value
+      end
+
+      private
+
+      def ssm
+        @ssm ||= Aws::SSM::Client.new(region: @stack_definition.region)
+      end
+    end
+  end
+end

data/lib/stack_master/version.rb

@@ -1,3 +1,3 @@
 module StackMaster
-  VERSION = "1.1.0"
+  VERSION = "1.2.1"
 end

data/spec/stack_master/parameter_resolvers/parameter_store_spec.rb

@@ -0,0 +1,50 @@
+RSpec.describe StackMaster::ParameterResolvers::ParameterStore do
+
+  describe '#resolve' do
+
+    let(:config) { double(base_dir: '/base') }
+    let(:stack_definition) { double(stack_name: 'mystack', region: 'us-east-1') }
+    subject(:resolver) { described_class.new(config, stack_definition) }
+    let(:parameter_name) { 'TEST' }
+    let(:parameter_value) { 'TEST' }
+    let(:unknown_parameter_name) { 'NOTEST' }
+    let(:unencryptable_parameter_name) { 'SECRETTEST' }
+
+
+    context 'the parameter is defined' do
+      before do
+        Aws.config[:ssm] = {
+          stub_responses: {
+            get_parameter: {
+              parameter: {
+                name: parameter_name,
+                value: parameter_value,
+                type: "SecureString",
+                version: 1
+              }
+            }
+          }
+        }
+      end
+  
+      it 'should return the parameter value' do
+        expect(resolver.resolve(parameter_name)).to eq parameter_value
+      end
+    end
+
+    context 'the parameter is undefined' do
+      before do
+        Aws.config[:ssm] = {
+          stub_responses: {
+            get_parameter: 
+              Aws::SSM::Errors::ParameterNotFound.new(unknown_parameter_name, "Parameter #{unknown_parameter_name} not found")
+          }
+        }
+      end
+      it 'should raise and error' do
+        expect { resolver.resolve(unknown_parameter_name) }
+            .to raise_error(StackMaster::ParameterResolvers::ParameterStore::ParameterNotFound, "Unable to find #{unknown_parameter_name} in Parameter Store")
+      end
+    end
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: stack_master
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.2.1
 platform: ruby
 authors:
 - Steve Hodgkiss
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-02-21 00:00:00.000000000 Z
+date: 2018-02-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -304,6 +304,7 @@ files:
 - features/apply.feature
 - features/apply_with_compile_time_parameters.feature
 - features/apply_with_env_parameters.feature
+- features/apply_with_parameter_store_parameters.feature
 - features/apply_with_s3.feature
 - features/delete.feature
 - features/diff.feature
@@ -314,6 +315,7 @@ files:
 - features/resources.feature
 - features/stack_defaults.feature
 - features/status.feature
+- features/step_definitions/parameter_store_steps.rb
 - features/step_definitions/stack_steps.rb
 - features/support/env.rb
 - features/validate.feature
@@ -343,6 +345,7 @@ files:
 - lib/stack_master/parameter_resolvers/env.rb
 - lib/stack_master/parameter_resolvers/latest_ami.rb
 - lib/stack_master/parameter_resolvers/latest_ami_by_tags.rb
+- lib/stack_master/parameter_resolvers/parameter_store.rb
 - lib/stack_master/parameter_resolvers/secret.rb
 - lib/stack_master/parameter_resolvers/security_group.rb
 - lib/stack_master/parameter_resolvers/sns_topic_name.rb
@@ -417,6 +420,7 @@ files:
 - spec/stack_master/parameter_resolvers/env_spec.rb
 - spec/stack_master/parameter_resolvers/latest_ami_by_tags_spec.rb
 - spec/stack_master/parameter_resolvers/latest_ami_spec.rb
+- spec/stack_master/parameter_resolvers/parameter_store_spec.rb
 - spec/stack_master/parameter_resolvers/secret_spec.rb
 - spec/stack_master/parameter_resolvers/security_group_spec.rb
 - spec/stack_master/parameter_resolvers/security_groups_spec.rb
@@ -485,7 +489,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.11
+rubygems_version: 2.7.6
 signing_key: 
 specification_version: 4
 summary: StackMaster is a sure-footed way of creating, updating and keeping track
@@ -494,6 +498,7 @@ test_files:
 - features/apply.feature
 - features/apply_with_compile_time_parameters.feature
 - features/apply_with_env_parameters.feature
+- features/apply_with_parameter_store_parameters.feature
 - features/apply_with_s3.feature
 - features/delete.feature
 - features/diff.feature
@@ -504,6 +509,7 @@ test_files:
 - features/resources.feature
 - features/stack_defaults.feature
 - features/status.feature
+- features/step_definitions/parameter_store_steps.rb
 - features/step_definitions/stack_steps.rb
 - features/support/env.rb
 - features/validate.feature
@@ -533,6 +539,7 @@ test_files:
 - spec/stack_master/parameter_resolvers/env_spec.rb
 - spec/stack_master/parameter_resolvers/latest_ami_by_tags_spec.rb
 - spec/stack_master/parameter_resolvers/latest_ami_spec.rb
+- spec/stack_master/parameter_resolvers/parameter_store_spec.rb
 - spec/stack_master/parameter_resolvers/secret_spec.rb
 - spec/stack_master/parameter_resolvers/security_group_spec.rb
 - spec/stack_master/parameter_resolvers/security_groups_spec.rb