RubyGems - stack_master - Versions diffs - 1.14.0 → 1.15.0 - Mend

stack_master 1.14.0 → 1.15.0

Files changed (8) hide show

checksums.yaml +4 -4
data/README.md +40 -1
data/lib/stack_master.rb +1 -0
data/lib/stack_master/parameter_resolvers/ejson.rb +48 -0
data/lib/stack_master/stack_definition.rb +7 -0
data/lib/stack_master/stack_differ.rb +1 -1
data/lib/stack_master/version.rb +1 -1
metadata +18 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c6272dd327e82ec747c26129191c4c8e262a4350d6634941f14035746399cb77
-  data.tar.gz: 6dc8058810bee48a3aed457669ffdda94e9d88fdc2ab1e1c12b9a689a3799c46
+  metadata.gz: 1acbc281b89ec3188892fac6692c4e885780efd8ba83f746a774557c0e1194ca
+  data.tar.gz: e18cb99eb7f3e99ac0b8fee4b952cb1d21b9f1467a4bbe8dac9250695649f543
 SHA512:
-  metadata.gz: 6dad4bcffbc40f9a45377625ef7769f122b5880bbcc61bead8a9ffdd75ee063001f322f9e62079aa00b370f791afd2f76c7acb9b668f6d4f7f41128c63954b65
-  data.tar.gz: a12c14c9024e187a5b734020cda2adc1c40d7983f58450022ea5f2301412968a167f4ebd6233f02097b8341541dc5ae50b213b6b59730f540594df90b327fd5f
+  metadata.gz: bcc6882c647189f6f758896da7cd8084638b707af26faeb234435b99a1e5cd466c0ca90e2f30a67b4414f21f38d899414d7935e49d2a7355ccd84ad700c87ba9
+  data.tar.gz: b48a690acadd00aa426084cc3b3b7aeb100b6fbfeaad738cb645df77ca6bd3edce347acf71d2b28ec3ff80833f15e4c55f95f5719922f0d061b2102c0ae1760c

data/README.md CHANGED Viewed

@@ -175,7 +175,7 @@ key_name: myapp-us-east-1
 ### Compile Time Parameters
-Compile time parameters can be used for [SparkleFormation](http://www.sparkleformation.io) templates. It conforms and
+Compile time parameters can be used for [SparkleFormation](http://www.sparkleformation.io) templates. It conforms and
 allows you to use the [Compile Time Parameters](http://www.sparkleformation.io/docs/sparkle_formation/compile-time-parameters.html) feature.
 A simple example looks like this
@@ -268,6 +268,7 @@ you will likely want to set the parameter to NoEcho in your template.
 db_password:
   parameter_store: ssm_parameter_name
 ```
 ### 1Password Lookup
 An Alternative to the alternative secret store is accessing 1password secrets using the 1password cli (`op`).
 You declare a 1password lookup with the following parameters in your parameters file:
@@ -286,6 +287,44 @@ Currently we support two types of secrets, `password`s and `secureNote`s. All va
 For more information on 1password cli please see [here](https://support.1password.com/command-line-getting-started/)
+### EJSON Store
+[ejson](https://github.com/Shopify/ejson) is a tool to manage asymmetrically encrypted values in JSON format.
+This allows you to keep secrets securely in git/Github and gives anyone the ability the capability to add new
+secrets without requiring access to the private key. [ejson_wrapper](https://github.com/envato/ejson_wrapper)
+encrypts the underlying EJSON private key with KMS and stores it in the ejson file as `_private_key_enc`. Each
+time an ejson secret is required, the underlying EJSON private key is first decrypted before passing it onto
+ejson to decrypt the file.
+First, generate an ejson file with ejson_wrapper, specifying the KMS key ID to be used:
+```shell
+gem install ejson_wrapper
+ejson_wrapper generate --region us-east-1 --kms-key-id [key_id] --file secrets/production.ejson
+```
+Then, add the `ejson_file` argument to your stack in stack_master.yml:
+```yaml
+stacks:
+  us-east-1:
+    my_app:
+      template: my_app.json
+      ejson_file: production.ejson
+```
+finally refer to the secret key in the parameter file, i.e. parameters/my_app.yml:
+```yaml
+my_param:
+  ejson: "my_secret"
+```
+Additional configuration options:
+- `ejson_file_region` The AWS region to attempt to decrypt private key with
+- `ejson_file_kms` Default: true. Set to false to use ejson without KMS.
 ### Security Group
 Looks up a security group by name and returns the ARN.

data/lib/stack_master.rb CHANGED Viewed

@@ -68,6 +68,7 @@ module StackMaster
     autoload :AcmCertificate, 'stack_master/parameter_resolvers/acm_certificate'
     autoload :AmiFinder, 'stack_master/parameter_resolvers/ami_finder'
     autoload :StackOutput, 'stack_master/parameter_resolvers/stack_output'
+    autoload :Ejson, 'stack_master/parameter_resolvers/ejson'
     autoload :Secret, 'stack_master/parameter_resolvers/secret'
     autoload :SnsTopicName, 'stack_master/parameter_resolvers/sns_topic_name'
     autoload :SecurityGroup, 'stack_master/parameter_resolvers/security_group'

data/lib/stack_master/parameter_resolvers/ejson.rb ADDED Viewed

@@ -0,0 +1,48 @@
+require 'ejson_wrapper'
+module StackMaster
+  module ParameterResolvers
+    class Ejson < Resolver
+      SecretNotFound = Class.new(StandardError)
+      def initialize(config, stack_definition)
+        @config = config
+        @stack_definition = stack_definition
+      end
+      def resolve(secret_key)
+        validate_ejson_file_specified
+        secrets = decrypt_ejson_file
+        secrets.fetch(secret_key.to_sym) do
+          raise SecretNotFound, "Unable to find key #{secret_key} in file #{ejson_file}"
+        end
+      end
+      private
+      def validate_ejson_file_specified
+        if @stack_definition.ejson_file.nil?
+          raise ArgumentError, "No ejson_file defined for stack definition #{@stack_definition.stack_name} in #{@stack_definition.region}"
+        end
+      end
+      def decrypt_ejson_file
+        @decrypt_ejson_file ||= EJSONWrapper.decrypt(ejson_file_path,
+                                                     use_kms: @stack_definition.ejson_file_kms,
+                                                     region: ejson_file_region)
+      end
+      def ejson_file_region
+        @stack_definition.ejson_file_region || StackMaster.cloud_formation_driver.region
+      end
+      def ejson_file_path
+        @ejson_file_path ||= File.join(@config.base_dir, secret_path_relative_to_base)
+      end
+      def secret_path_relative_to_base
+        @secret_path_relative_to_base ||= File.join('secrets', @stack_definition.ejson_file)
+      end
+    end
+  end
+end

data/lib/stack_master/stack_definition.rb CHANGED Viewed

@@ -10,6 +10,9 @@ module StackMaster
                   :base_dir,
                   :template_dir,
                   :secret_file,
+                  :ejson_file,
+                  :ejson_file_region,
+                  :ejson_file_kms,
                   :stack_policy_file,
                   :additional_parameter_lookup_dirs,
                   :s3,
@@ -25,6 +28,7 @@ module StackMaster
       @s3 = {}
       @files = []
       @allowed_accounts = nil
+      @ejson_file_kms = true
       super
       @template_dir ||= File.join(@base_dir, 'templates')
       @allowed_accounts = Array(@allowed_accounts)
@@ -41,6 +45,9 @@ module StackMaster
         @notification_arns == other.notification_arns &&
         @base_dir == other.base_dir &&
         @secret_file == other.secret_file &&
+        @ejson_file == other.ejson_file &&
+        @ejson_file_region == other.ejson_file_region &&
+        @ejson_file_kms == other.ejson_file_kms &&
         @stack_policy_file == other.stack_policy_file &&
         @additional_parameter_lookup_dirs == other.additional_parameter_lookup_dirs &&
         @s3 == other.s3 &&

data/lib/stack_master/stack_differ.rb CHANGED Viewed

@@ -75,7 +75,7 @@ module StackMaster
     def single_param_update?(param_name)
       return false if param_name.blank? || @current_stack.blank? || body_different?
-      differences = HashDiff.diff(@current_stack.parameters_with_defaults, @proposed_stack.parameters_with_defaults)
+      differences = Hashdiff.diff(@current_stack.parameters_with_defaults, @proposed_stack.parameters_with_defaults)
       return false if differences.count != 1
       diff = differences[0]
       diff[0] == "~" && diff[1] == param_name

data/lib/stack_master/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module StackMaster
-  VERSION = "1.14.0"
+  VERSION = "1.15.0"
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: stack_master
 version: !ruby/object:Gem::Version
-  version: 1.14.0
+  version: 1.15.0
 platform: ruby
 authors:
 - Steve Hodgkiss
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-07-03 00:00:00.000000000 Z
+date: 2019-08-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -377,6 +377,20 @@ dependencies:
         version: '0'
 - !ruby/object:Gem::Dependency
   name: hashdiff
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+- !ruby/object:Gem::Dependency
+  name: ejson_wrapper
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -441,6 +455,7 @@ files:
 - lib/stack_master/parameter_resolver.rb
 - lib/stack_master/parameter_resolvers/acm_certificate.rb
 - lib/stack_master/parameter_resolvers/ami_finder.rb
+- lib/stack_master/parameter_resolvers/ejson.rb
 - lib/stack_master/parameter_resolvers/env.rb
 - lib/stack_master/parameter_resolvers/latest_ami.rb
 - lib/stack_master/parameter_resolvers/latest_ami_by_tags.rb
@@ -514,8 +529,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.7.6
+rubygems_version: 3.0.3
 signing_key:
 specification_version: 4
 summary: StackMaster is a sure-footed way of creating, updating and keeping track