stack_master 1.14.0-x64-mingw32 → 1.17.1-x64-mingw32

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a0c3168b5e279ae1b4944be5eb01d4fa799e5794
-  data.tar.gz: d4da17e1b54e40434c60060204a4d9e96f720833
+  metadata.gz: 118dcd91cc2b5b9ae3c7dc9911fb59714c8562af
+  data.tar.gz: 46c2fc8ba4d25944d958b243c8b7e298ca39e53c
 SHA512:
-  metadata.gz: d2b34d6a2f518904738c2cbfb18c1f57bbbe89637fb322f7e4706ff3683f8986f700ff440196168664689d5fd4082e200109df6d89e13e3a9928565fe3c5082c
-  data.tar.gz: 5797d1e8cc5e595ff7f91b86ba97296bdcd68862c30e0e64ab3ca5ac11bd9d4a68417b814831703aa292c48d7cb7ec3f40d1199ed5553b2bb0d3618edbb27f09
+  metadata.gz: a0b5bc48a5b7fd17d7f379a5852f33dcddcd5fae2350f72bb17c1320bb3711c38f192399e8768dae66b221da7d13e61569903be244b4b5e102ccaee281955a4b
+  data.tar.gz: d13c6bcc6c47c28547e49e06768fa155f2d6d39e3a5f53dd0305d250f7bb8293c261436a9307f00203573771da022133c5fe6c69a9200ad650d86ed9c8f76c85

data/README.md

@@ -175,7 +175,7 @@ key_name: myapp-us-east-1
 
 ### Compile Time Parameters
 
-Compile time parameters can be used for [SparkleFormation](http://www.sparkleformation.io) templates. It conforms and 
+Compile time parameters can be used for [SparkleFormation](http://www.sparkleformation.io) templates. It conforms and
 allows you to use the [Compile Time Parameters](http://www.sparkleformation.io/docs/sparkle_formation/compile-time-parameters.html) feature.
 
 A simple example looks like this
@@ -268,6 +268,7 @@ you will likely want to set the parameter to NoEcho in your template.
 db_password:
   parameter_store: ssm_parameter_name
 ```
+
 ### 1Password Lookup
 An Alternative to the alternative secret store is accessing 1password secrets using the 1password cli (`op`).
 You declare a 1password lookup with the following parameters in your parameters file:
@@ -286,6 +287,44 @@ Currently we support two types of secrets, `password`s and `secureNote`s. All va
 
 For more information on 1password cli please see [here](https://support.1password.com/command-line-getting-started/)
 
+### EJSON Store
+
+[ejson](https://github.com/Shopify/ejson) is a tool to manage asymmetrically encrypted values in JSON format.
+This allows you to keep secrets securely in git/Github and gives anyone the ability the capability to add new
+secrets without requiring access to the private key. [ejson_wrapper](https://github.com/envato/ejson_wrapper)
+encrypts the underlying EJSON private key with KMS and stores it in the ejson file as `_private_key_enc`. Each
+time an ejson secret is required, the underlying EJSON private key is first decrypted before passing it onto
+ejson to decrypt the file.
+
+First, generate an ejson file with ejson_wrapper, specifying the KMS key ID to be used:
+
+```shell
+gem install ejson_wrapper
+ejson_wrapper generate --region us-east-1 --kms-key-id [key_id] --file secrets/production.ejson
+```
+
+Then, add the `ejson_file` argument to your stack in stack_master.yml:
+
+```yaml
+stacks:
+  us-east-1:
+    my_app:
+      template: my_app.json
+      ejson_file: production.ejson
+```
+
+finally refer to the secret key in the parameter file, i.e. parameters/my_app.yml:
+
+```yaml
+my_param:
+  ejson: "my_secret"
+```
+
+Additional configuration options:
+
+- `ejson_file_region` The AWS region to attempt to decrypt private key with
+- `ejson_file_kms` Default: true. Set to false to use ejson without KMS.
+
 ### Security Group
 
 Looks up a security group by name and returns the ARN.
@@ -531,7 +570,7 @@ stacks:
 
 ```yaml
 stacks:
-  us-east-1
+  us-east-1:
     my-stack:
       template: my-stack-with-dynamic.rb
       compiler_options:
@@ -549,6 +588,28 @@ end
 
 Note though that if a dynamic with the same name exists in your `templates/dynamics/` directory it will get loaded since it has higher precedence.
 
+Templates can be also loaded from sparkle packs by defining `sparkle_pack_template`. The name corresponds to the registered symbol rather than specific name. That means for a sparkle pack containing:
+
+```ruby
+SparkleFormation.new(:template_name) do
+  ...
+end
+```
+
+we can use stack defined as follows:
+
+```yaml
+stacks:
+  us-east-1:
+    my-stack:
+      template: template_name
+      compiler: sparkle_formation
+      compiler_options:
+        sparkle_packs:
+          - some-sparkle-pack
+        sparkle_pack_template: true
+```
+
 ## Allowed accounts
 
 The AWS account the command is executing in can be restricted to a specific list of allowed accounts. This is useful in reducing the possibility of applying non-production changes in a production account. Each stack definition can specify the `allowed_accounts` property with an array of AWS account IDs the stack is allowed to work with.

data/lib/stack_master.rb

@@ -68,6 +68,7 @@ module StackMaster
     autoload :AcmCertificate, 'stack_master/parameter_resolvers/acm_certificate'
     autoload :AmiFinder, 'stack_master/parameter_resolvers/ami_finder'
     autoload :StackOutput, 'stack_master/parameter_resolvers/stack_output'
+    autoload :Ejson, 'stack_master/parameter_resolvers/ejson'
     autoload :Secret, 'stack_master/parameter_resolvers/secret'
     autoload :SnsTopicName, 'stack_master/parameter_resolvers/sns_topic_name'
     autoload :SecurityGroup, 'stack_master/parameter_resolvers/security_group'

data/lib/stack_master/parameter_resolvers/ejson.rb

@@ -0,0 +1,48 @@
+require 'ejson_wrapper'
+
+module StackMaster
+  module ParameterResolvers
+    class Ejson < Resolver
+      SecretNotFound = Class.new(StandardError)
+
+      def initialize(config, stack_definition)
+        @config = config
+        @stack_definition = stack_definition
+      end
+
+      def resolve(secret_key)
+        validate_ejson_file_specified
+        secrets = decrypt_ejson_file
+        secrets.fetch(secret_key.to_sym) do
+          raise SecretNotFound, "Unable to find key #{secret_key} in file #{@stack_definition.ejson_file}"
+        end
+      end
+
+      private
+
+      def validate_ejson_file_specified
+        if @stack_definition.ejson_file.nil?
+          raise ArgumentError, "No ejson_file defined for stack definition #{@stack_definition.stack_name} in #{@stack_definition.region}"
+        end
+      end
+
+      def decrypt_ejson_file
+        @decrypt_ejson_file ||= EJSONWrapper.decrypt(ejson_file_path,
+                                                     use_kms: @stack_definition.ejson_file_kms,
+                                                     region: ejson_file_region)
+      end
+
+      def ejson_file_region
+        @stack_definition.ejson_file_region || StackMaster.cloud_formation_driver.region
+      end
+
+      def ejson_file_path
+        @ejson_file_path ||= File.join(@config.base_dir, secret_path_relative_to_base)
+      end
+
+      def secret_path_relative_to_base
+        @secret_path_relative_to_base ||= File.join('secrets', @stack_definition.ejson_file)
+      end
+    end
+  end
+end

data/lib/stack_master/stack.rb

@@ -65,7 +65,7 @@ module StackMaster
       parameter_hash = ParameterLoader.load(stack_definition.parameter_files)
       template_parameters = ParameterResolver.resolve(config, stack_definition, parameter_hash[:template_parameters])
       compile_time_parameters = ParameterResolver.resolve(config, stack_definition, parameter_hash[:compile_time_parameters])
-      template_body = TemplateCompiler.compile(config, stack_definition.template_file_path, compile_time_parameters, stack_definition.compiler_options)
+      template_body = TemplateCompiler.compile(config, stack_definition.compiler, stack_definition.template_dir, stack_definition.template, compile_time_parameters, stack_definition.compiler_options)
       template_format = TemplateUtils.identify_template_format(template_body)
       stack_policy_body = if stack_definition.stack_policy_file_path
                             File.read(stack_definition.stack_policy_file_path)

data/lib/stack_master/stack_definition.rb

@@ -10,12 +10,17 @@ module StackMaster
                   :base_dir,
                   :template_dir,
                   :secret_file,
+                  :ejson_file,
+                  :ejson_file_region,
+                  :ejson_file_kms,
                   :stack_policy_file,
                   :additional_parameter_lookup_dirs,
                   :s3,
                   :files,
                   :compiler_options
 
+    attr_reader :compiler
+
     include Utils::Initializable
 
     def initialize(attributes = {})
@@ -25,6 +30,8 @@ module StackMaster
       @s3 = {}
       @files = []
       @allowed_accounts = nil
+      @ejson_file_kms = true
+      @compiler = nil
       super
       @template_dir ||= File.join(@base_dir, 'templates')
       @allowed_accounts = Array(@allowed_accounts)
@@ -41,13 +48,22 @@ module StackMaster
         @notification_arns == other.notification_arns &&
         @base_dir == other.base_dir &&
         @secret_file == other.secret_file &&
+        @ejson_file == other.ejson_file &&
+        @ejson_file_region == other.ejson_file_region &&
+        @ejson_file_kms == other.ejson_file_kms &&
         @stack_policy_file == other.stack_policy_file &&
         @additional_parameter_lookup_dirs == other.additional_parameter_lookup_dirs &&
         @s3 == other.s3 &&
+        @compiler == other.compiler &&
         @compiler_options == other.compiler_options
     end
 
+    def compiler=(compiler)
+      @compiler = compiler.&to_sym
+    end
+
     def template_file_path
+      return unless template
       File.expand_path(File.join(template_dir, template))
     end
 

data/lib/stack_master/stack_differ.rb

@@ -75,7 +75,7 @@ module StackMaster
 
     def single_param_update?(param_name)
       return false if param_name.blank? || @current_stack.blank? || body_different?
-      differences = HashDiff.diff(@current_stack.parameters_with_defaults, @proposed_stack.parameters_with_defaults)
+      differences = Hashdiff.diff(@current_stack.parameters_with_defaults, @proposed_stack.parameters_with_defaults)
       return false if differences.count != 1
       diff = differences[0]
       diff[0] == "~" && diff[1] == param_name

data/lib/stack_master/template_compiler.rb

@@ -2,12 +2,16 @@ module StackMaster
   class TemplateCompiler
     TemplateCompilationFailed = Class.new(RuntimeError)
 
-    def self.compile(config, template_file_path, compile_time_parameters, compiler_options = {})
-      compiler = template_compiler_for_file(template_file_path, config)
+    def self.compile(config, template_compiler, template_dir, template, compile_time_parameters, compiler_options = {})
+      compiler = if template_compiler
+                   find_compiler(template_compiler)
+                 else
+                   template_compiler_for_stack(template, config)
+                 end
       compiler.require_dependencies
-      compiler.compile(template_file_path, compile_time_parameters, compiler_options)
+      compiler.compile(template_dir, template, compile_time_parameters, compiler_options)
     rescue StandardError => e
-      raise TemplateCompilationFailed.new("Failed to compile #{template_file_path} with error #{e}.\n#{e.backtrace}")
+      raise TemplateCompilationFailed.new("Failed to compile #{template} with error #{e}.\n#{e.backtrace}")
     end
 
     def self.register(name, klass)
@@ -16,15 +20,22 @@ module StackMaster
     end
 
     # private
-    def self.template_compiler_for_file(template_file_path, config)
-      compiler_name = config.template_compilers.fetch(file_ext(template_file_path))
-      @compilers.fetch(compiler_name)
+    def self.template_compiler_for_stack(template, config)
+      ext = file_ext(template)
+      compiler_name = config.template_compilers.fetch(ext)
+      find_compiler(compiler_name)
     end
-    private_class_method :template_compiler_for_file
+    private_class_method :template_compiler_for_stack
 
-    def self.file_ext(template_file_path)
-      File.extname(template_file_path).gsub('.', '').to_sym
+    def self.file_ext(template)
+      File.extname(template).gsub('.', '').to_sym
     end
     private_class_method :file_ext
+
+    def self.find_compiler(name)
+      @compilers.fetch(name.to_sym) do
+        raise "Unknown compiler #{name.inspect}"
+      end
+    end
   end
 end

data/lib/stack_master/template_compilers/cfndsl.rb

@@ -4,10 +4,11 @@ module StackMaster::TemplateCompilers
       require 'cfndsl'
     end
 
-    def self.compile(template_file_path, compile_time_parameters, _compiler_options = {})
+    def self.compile(template_dir, template, compile_time_parameters, _compiler_options = {})
       CfnDsl.disable_binding
       CfnDsl::ExternalParameters.defaults.clear # Ensure there's no leakage across invocations
       CfnDsl::ExternalParameters.defaults(compile_time_parameters.symbolize_keys)
+      template_file_path = File.join(template_dir, template)
       ::CfnDsl.eval_file_with_extras(template_file_path).to_json
     end
 

data/lib/stack_master/template_compilers/json.rb

@@ -7,7 +7,8 @@ module StackMaster::TemplateCompilers
       require 'json'
     end
 
-    def self.compile(template_file_path, _compile_time_parameters, _compiler_options = {})
+    def self.compile(template_dir, template, _compile_time_parameters, _compiler_options = {})
+      template_file_path = File.join(template_dir, template)
       template_body = File.read(template_file_path)
       if template_body.size > MAX_TEMPLATE_SIZE
         # Parse the json and rewrite compressed

data/lib/stack_master/template_compilers/sparkle_formation.rb

@@ -12,8 +12,8 @@ module StackMaster::TemplateCompilers
       require 'stack_master/sparkle_formation/template_file'
     end
 
-    def self.compile(template_file_path, compile_time_parameters, compiler_options = {})
-      sparkle_template = compile_sparkle_template(template_file_path, compiler_options)
+    def self.compile(template_dir, template, compile_time_parameters, compiler_options = {})
+      sparkle_template = compile_sparkle_template(template_dir, template, compiler_options)
       definitions = sparkle_template.parameters
       validate_definitions(definitions)
       validate_parameters(definitions, compile_time_parameters)
@@ -27,9 +27,12 @@ module StackMaster::TemplateCompilers
 
     private
 
-    def self.compile_sparkle_template(template_file_path, compiler_options)
-      sparkle_path = compiler_options['sparkle_path'] ?
-                        File.expand_path(compiler_options['sparkle_path']) : File.dirname(template_file_path)
+    def self.compile_sparkle_template(template_dir, template, compiler_options)
+      sparkle_path = if compiler_options['sparkle_path']
+        File.expand_path(compiler_options['sparkle_path'])
+      else
+        template_dir
+      end
 
       collection = ::SparkleFormation::SparkleCollection.new
       root_pack = ::SparkleFormation::Sparkle.new(
@@ -44,6 +47,13 @@ module StackMaster::TemplateCompilers
         end
       end
 
+      if compiler_options['sparkle_pack_template']
+        raise ArgumentError.new("Template #{template.inspect} not found in any sparkle pack") unless collection.templates['aws'].include? template
+        template_file_path = collection.templates['aws'][template].top['path']
+      else
+        template_file_path = File.join(template_dir, template)
+      end
+
       sparkle_template = compile_template_with_sparkle_path(template_file_path, sparkle_path)
       sparkle_template.sparkle.apply(collection)
       sparkle_template

data/lib/stack_master/template_compilers/yaml.rb

@@ -5,7 +5,8 @@ module StackMaster::TemplateCompilers
       require 'json'
     end
 
-    def self.compile(template_file_path, _compile_time_parameters, _compiler_options = {})
+    def self.compile(template_dir, template, _compile_time_parameters, _compiler_options = {})
+      template_file_path = File.join(template_dir, template)
       File.read(template_file_path)
     end
 

data/lib/stack_master/validator.rb

@@ -14,7 +14,7 @@ module StackMaster
       compile_time_parameters = ParameterResolver.resolve(@config, @stack_definition, parameter_hash[:compile_time_parameters])
 
       StackMaster.stdout.print "#{@stack_definition.stack_name}: "
-      template_body = TemplateCompiler.compile(@config, @stack_definition.template_file_path, compile_time_parameters, @stack_definition.compiler_options)
+      template_body = TemplateCompiler.compile(@config, @stack_definition.compiler, @stack_definition.template_dir, @stack_definition.template, compile_time_parameters, @stack_definition.compiler_options)
       cf.validate_template(template_body: TemplateUtils.maybe_compressed_template_body(template_body))
       StackMaster.stdout.puts "valid"
       true
@@ -28,6 +28,5 @@ module StackMaster
     def cf
       @cf ||= StackMaster.cloud_formation_driver
     end
-
   end
 end

data/lib/stack_master/version.rb

@@ -1,3 +1,3 @@
 module StackMaster
-  VERSION = "1.14.0"
+  VERSION = "1.17.1"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: stack_master
 version: !ruby/object:Gem::Version
-  version: 1.14.0
+  version: 1.17.1
 platform: x64-mingw32
 authors:
 - Steve Hodgkiss
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-07-03 00:00:00.000000000 Z
+date: 2019-10-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -377,6 +377,20 @@ dependencies:
         version: '0'
 - !ruby/object:Gem::Dependency
   name: hashdiff
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+- !ruby/object:Gem::Dependency
+  name: ejson_wrapper
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -441,6 +455,7 @@ files:
 - lib/stack_master/parameter_resolver.rb
 - lib/stack_master/parameter_resolvers/acm_certificate.rb
 - lib/stack_master/parameter_resolvers/ami_finder.rb
+- lib/stack_master/parameter_resolvers/ejson.rb
 - lib/stack_master/parameter_resolvers/env.rb
 - lib/stack_master/parameter_resolvers/latest_ami.rb
 - lib/stack_master/parameter_resolvers/latest_ami_by_tags.rb