terraspace_plugin_aws 0.2.0 → 0.3.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +14 -0
- data/README.md +1 -1
- data/lib/templates/hcl/project/config/terraform/backend.tf.tt +2 -2
- data/lib/terraspace_plugin_aws/autoloader.rb +1 -1
- data/lib/terraspace_plugin_aws/clients.rb +23 -2
- data/lib/terraspace_plugin_aws/interfaces/backend/base.rb +1 -4
- data/lib/terraspace_plugin_aws/interfaces/backend/bucket/secure.rb +6 -6
- data/lib/terraspace_plugin_aws/interfaces/config.rb +1 -1
- data/lib/terraspace_plugin_aws/interfaces/helper/secret.rb +18 -0
- data/lib/terraspace_plugin_aws/interfaces/helper/secret_base.rb +13 -0
- data/lib/terraspace_plugin_aws/interfaces/helper/ssm.rb +18 -0
- data/lib/terraspace_plugin_aws/interfaces/helper.rb +15 -0
- data/lib/terraspace_plugin_aws/interfaces/summary.rb +1 -1
- data/lib/terraspace_plugin_aws/logging.rb +7 -0
- data/lib/terraspace_plugin_aws/version.rb +1 -1
- data/lib/terraspace_plugin_aws.rb +11 -1
- data/terraspace_plugin_aws.gemspec +2 -0
- metadata +36 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 855a5c7166b24f8881c2d735edd0c252cefd6d0175a9a0f1156090ca08a11e5d
|
|
4
|
+
data.tar.gz: be95c5a77b116c62dac152ec6f8ec9cfb5b68ad372475373823508472bca3566
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 12ff9c7c0fcc8b10d82385855b5a5724392729ef79254cad41fce51b0ddab0d3ec17a927b08da1e071adde23e1c8e1289e48d32f7948753675b6d0fd680596c7
|
|
7
|
+
data.tar.gz: 717dffbad397bb5fd3953739060e5e2ad7bb6d90f842c13ab6f0fb00f5f3cf1b82357ed401b118a2ddde584c9dd6ccdda0712cce493fd2ec0be48433b35f52ab
|
data/CHANGELOG.md
CHANGED
|
@@ -3,6 +3,20 @@
|
|
|
3
3
|
All notable changes to this project will be documented in this file.
|
|
4
4
|
This project *loosely tries* to adhere to [Semantic Versioning](http://semver.org/).
|
|
5
5
|
|
|
6
|
+
## [0.3.1] - 2021-12-14
|
|
7
|
+
- [#8](https://github.com/boltops-tools/terraspace_plugin_aws/pull/8) use region configured in the backend.tf for the s3 client
|
|
8
|
+
|
|
9
|
+
## [0.3.0] - 2020-11-15
|
|
10
|
+
- [#5](https://github.com/boltops-tools/terraspace_plugin_aws/pull/5) helper and secrets support
|
|
11
|
+
- aws_secret and aws_ssm helpers
|
|
12
|
+
|
|
13
|
+
## [0.2.2]
|
|
14
|
+
- #4 default access logging to false
|
|
15
|
+
- set prefix to @folder for performance improvement
|
|
16
|
+
|
|
17
|
+
## [0.2.1]
|
|
18
|
+
- #3 quiet s3-secure messages
|
|
19
|
+
|
|
6
20
|
## [0.2.0]
|
|
7
21
|
- #2 include layer interface, update template to expansion method
|
|
8
22
|
|
data/README.md
CHANGED
|
@@ -24,7 +24,7 @@ TerraspacePluginAws.configure do |config|
|
|
|
24
24
|
config.s3.enforce_ssl = true
|
|
25
25
|
config.s3.versioning = true
|
|
26
26
|
config.s3.lifecycle = true
|
|
27
|
-
config.s3.access_logging =
|
|
27
|
+
config.s3.access_logging = false # false by default
|
|
28
28
|
config.s3.secure_existing = false # run the security controls on existing buckets. by default, only run on newly created bucket the first time
|
|
29
29
|
|
|
30
30
|
config.dynamodb.encryption = true
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
terraform {
|
|
2
2
|
backend "s3" {
|
|
3
|
-
bucket = "<%%= expansion('terraform-state-:ACCOUNT-:REGION-:ENV') %>"
|
|
4
|
-
key = "<%%= expansion(':REGION/:ENV/:BUILD_DIR/terraform.tfstate') %>"
|
|
3
|
+
bucket = "<%%= expansion('terraform-state-:ACCOUNT-:REGION-:ENV') %>"
|
|
4
|
+
key = "<%%= expansion(':REGION/:ENV/:BUILD_DIR/terraform.tfstate') %>"
|
|
5
5
|
region = "<%%= expansion(':REGION') %>"
|
|
6
6
|
encrypt = true
|
|
7
7
|
dynamodb_table = "terraform_locks"
|
|
@@ -1,18 +1,39 @@
|
|
|
1
1
|
require "aws-sdk-dynamodb"
|
|
2
2
|
require "aws-sdk-s3"
|
|
3
|
+
require "aws-sdk-secretsmanager"
|
|
4
|
+
require "aws-sdk-ssm"
|
|
3
5
|
|
|
4
6
|
module TerraspacePluginAws
|
|
5
7
|
module Clients
|
|
6
8
|
extend Memoist
|
|
7
9
|
|
|
8
10
|
def s3
|
|
9
|
-
Aws::S3::Client.new
|
|
11
|
+
Aws::S3::Client.new(client_options)
|
|
10
12
|
end
|
|
11
13
|
memoize :s3
|
|
12
14
|
|
|
15
|
+
def secretsmanager
|
|
16
|
+
Aws::SecretsManager::Client.new(client_options)
|
|
17
|
+
end
|
|
18
|
+
memoize :secretsmanager
|
|
19
|
+
|
|
20
|
+
def ssm
|
|
21
|
+
Aws::SSM::Client.new(client_options)
|
|
22
|
+
end
|
|
23
|
+
memoize :ssm
|
|
24
|
+
|
|
13
25
|
def dynamodb
|
|
14
|
-
Aws::DynamoDB::Client.new
|
|
26
|
+
Aws::DynamoDB::Client.new(client_options)
|
|
15
27
|
end
|
|
16
28
|
memoize :dynamodb
|
|
29
|
+
|
|
30
|
+
# Typically inferred from AWS_REGION unless set in the backend.tf
|
|
31
|
+
def client_options
|
|
32
|
+
if @info['region']
|
|
33
|
+
{region: @info['region']}
|
|
34
|
+
else
|
|
35
|
+
{}
|
|
36
|
+
end
|
|
37
|
+
end
|
|
17
38
|
end
|
|
18
39
|
end
|
|
@@ -3,13 +3,10 @@ require "s3-secure"
|
|
|
3
3
|
class TerraspacePluginAws::Interfaces::Backend
|
|
4
4
|
class Base
|
|
5
5
|
include TerraspacePluginAws::Clients
|
|
6
|
+
include TerraspacePluginAws::Logging
|
|
6
7
|
|
|
7
8
|
def initialize(info)
|
|
8
9
|
@info = info
|
|
9
10
|
end
|
|
10
|
-
|
|
11
|
-
def logger
|
|
12
|
-
Terraspace.logger
|
|
13
|
-
end
|
|
14
11
|
end
|
|
15
12
|
end
|
|
@@ -4,12 +4,12 @@ class TerraspacePluginAws::Interfaces::Backend::Bucket
|
|
|
4
4
|
module Secure
|
|
5
5
|
def secure(bucket)
|
|
6
6
|
c = TerraspacePluginAws::Interfaces::Config.instance.config.s3
|
|
7
|
-
|
|
8
|
-
S3Secure::Encryption::Enable.new(
|
|
9
|
-
S3Secure::Policy::Enforce.new(
|
|
10
|
-
S3Secure::Versioning::Enable.new(
|
|
11
|
-
S3Secure::Lifecycle::Add.new(
|
|
12
|
-
S3Secure::AccessLogs::Enable.new(
|
|
7
|
+
options = {bucket: bucket, quiet: true}
|
|
8
|
+
S3Secure::Encryption::Enable.new(options).run if c.encryption
|
|
9
|
+
S3Secure::Policy::Enforce.new(options.merge(sid: "ForceSSLOnlyAccess")).run if c.enforce_ssl
|
|
10
|
+
S3Secure::Versioning::Enable.new(options).run if c.versioning
|
|
11
|
+
S3Secure::Lifecycle::Add.new(options).run if c.lifecycle
|
|
12
|
+
S3Secure::AccessLogs::Enable.new(options).run if c.access_logging
|
|
13
13
|
end
|
|
14
14
|
end
|
|
15
15
|
end
|
|
@@ -20,7 +20,7 @@ module TerraspacePluginAws::Interfaces
|
|
|
20
20
|
c.s3.enforce_ssl = true
|
|
21
21
|
c.s3.versioning = true
|
|
22
22
|
c.s3.lifecycle = true
|
|
23
|
-
c.s3.access_logging =
|
|
23
|
+
c.s3.access_logging = false
|
|
24
24
|
c.s3.secure_existing = false # run the security controls on existing buckets. by default, only run on newly created bucket the first time
|
|
25
25
|
|
|
26
26
|
c.dynamodb = ActiveSupport::OrderedOptions.new
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
module TerraspacePluginAws::Interfaces::Helper
|
|
2
|
+
class Secret < SecretBase
|
|
3
|
+
def fetch(secret_id)
|
|
4
|
+
value = fetch_value(secret_id)
|
|
5
|
+
value = Base64.strict_encode64(value).strip if @base64
|
|
6
|
+
value
|
|
7
|
+
end
|
|
8
|
+
|
|
9
|
+
def fetch_value(secret_id)
|
|
10
|
+
secret_value = secretsmanager.get_secret_value(secret_id: secret_id)
|
|
11
|
+
secret_value.secret_string
|
|
12
|
+
rescue Aws::SecretsManager::Errors::ResourceNotFoundException => e
|
|
13
|
+
logger.info "WARN: secret_id #{secret_id} not found".color(:yellow)
|
|
14
|
+
logger.info e.message
|
|
15
|
+
"NOT FOUND #{secret_id}" # simple string so Kubernetes YAML is valid
|
|
16
|
+
end
|
|
17
|
+
end
|
|
18
|
+
end
|
|
@@ -0,0 +1,13 @@
|
|
|
1
|
+
require "base64"
|
|
2
|
+
|
|
3
|
+
module TerraspacePluginAws::Interfaces::Helper
|
|
4
|
+
class SecretBase
|
|
5
|
+
include TerraspacePluginAws::Clients
|
|
6
|
+
include TerraspacePluginAws::Logging
|
|
7
|
+
|
|
8
|
+
def initialize(options={})
|
|
9
|
+
@options = options
|
|
10
|
+
@base64 = options[:base64]
|
|
11
|
+
end
|
|
12
|
+
end
|
|
13
|
+
end
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
module TerraspacePluginAws::Interfaces::Helper
|
|
2
|
+
class SSM < SecretBase
|
|
3
|
+
def fetch(name)
|
|
4
|
+
value = fetch_value(name)
|
|
5
|
+
value = Base64.strict_encode64(value).strip if @base64
|
|
6
|
+
value
|
|
7
|
+
end
|
|
8
|
+
|
|
9
|
+
def fetch_value(name)
|
|
10
|
+
resp = ssm.get_parameter(name: name, with_decryption: true)
|
|
11
|
+
resp.parameter.value
|
|
12
|
+
rescue Aws::SSM::Errors::ParameterNotFound => e
|
|
13
|
+
logger.info "WARN: name #{name} not found".color(:yellow)
|
|
14
|
+
logger.info e.message
|
|
15
|
+
"NOT FOUND #{name}" # simple string so tfvars valid
|
|
16
|
+
end
|
|
17
|
+
end
|
|
18
|
+
end
|
|
@@ -0,0 +1,15 @@
|
|
|
1
|
+
module TerraspacePluginAws::Interfaces
|
|
2
|
+
module Helper
|
|
3
|
+
include Terraspace::Plugin::Helper::Interface
|
|
4
|
+
|
|
5
|
+
def aws_secret(name, options={})
|
|
6
|
+
Secret.new(options).fetch(name)
|
|
7
|
+
end
|
|
8
|
+
cache_helper :aws_secret
|
|
9
|
+
|
|
10
|
+
def aws_ssm(name, options={})
|
|
11
|
+
SSM.new(options).fetch(name)
|
|
12
|
+
end
|
|
13
|
+
cache_helper :aws_ssm
|
|
14
|
+
end
|
|
15
|
+
end
|
|
@@ -5,7 +5,7 @@ module TerraspacePluginAws::Interfaces
|
|
|
5
5
|
|
|
6
6
|
# interface method
|
|
7
7
|
def download
|
|
8
|
-
resp = s3.list_objects(bucket: @bucket)
|
|
8
|
+
resp = s3.list_objects(bucket: @bucket, prefix: @folder)
|
|
9
9
|
resp.contents.each do |content|
|
|
10
10
|
local_path = "#{@dest}/#{content.key}"
|
|
11
11
|
FileUtils.mkdir_p(File.dirname(local_path))
|
|
@@ -22,12 +22,22 @@ module TerraspacePluginAws
|
|
|
22
22
|
Interfaces::Config.instance.config
|
|
23
23
|
end
|
|
24
24
|
|
|
25
|
+
@@logger = nil
|
|
26
|
+
def logger
|
|
27
|
+
@@logger ||= Terraspace.logger
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
def logger=(v)
|
|
31
|
+
@@logger = v
|
|
32
|
+
end
|
|
33
|
+
|
|
25
34
|
extend self
|
|
26
35
|
end
|
|
27
36
|
|
|
28
37
|
Terraspace::Plugin.register("aws",
|
|
29
38
|
backend: "s3",
|
|
30
39
|
config_class: TerraspacePluginAws::Interfaces::Config,
|
|
31
|
-
|
|
40
|
+
helper_class: TerraspacePluginAws::Interfaces::Helper,
|
|
41
|
+
layer_class: TerraspacePluginAws::Interfaces::Layer,
|
|
32
42
|
root: File.dirname(__dir__),
|
|
33
43
|
)
|
|
@@ -24,6 +24,8 @@ Gem::Specification.new do |spec|
|
|
|
24
24
|
|
|
25
25
|
spec.add_dependency "aws-sdk-dynamodb"
|
|
26
26
|
spec.add_dependency "aws-sdk-s3"
|
|
27
|
+
spec.add_dependency "aws-sdk-secretsmanager"
|
|
28
|
+
spec.add_dependency "aws-sdk-ssm"
|
|
27
29
|
spec.add_dependency "aws_data"
|
|
28
30
|
spec.add_dependency "memoist"
|
|
29
31
|
spec.add_dependency "s3-secure"
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: terraspace_plugin_aws
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.3.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Tung Nguyen
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2021-12-14 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: aws-sdk-dynamodb
|
|
@@ -38,6 +38,34 @@ dependencies:
|
|
|
38
38
|
- - ">="
|
|
39
39
|
- !ruby/object:Gem::Version
|
|
40
40
|
version: '0'
|
|
41
|
+
- !ruby/object:Gem::Dependency
|
|
42
|
+
name: aws-sdk-secretsmanager
|
|
43
|
+
requirement: !ruby/object:Gem::Requirement
|
|
44
|
+
requirements:
|
|
45
|
+
- - ">="
|
|
46
|
+
- !ruby/object:Gem::Version
|
|
47
|
+
version: '0'
|
|
48
|
+
type: :runtime
|
|
49
|
+
prerelease: false
|
|
50
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
51
|
+
requirements:
|
|
52
|
+
- - ">="
|
|
53
|
+
- !ruby/object:Gem::Version
|
|
54
|
+
version: '0'
|
|
55
|
+
- !ruby/object:Gem::Dependency
|
|
56
|
+
name: aws-sdk-ssm
|
|
57
|
+
requirement: !ruby/object:Gem::Requirement
|
|
58
|
+
requirements:
|
|
59
|
+
- - ">="
|
|
60
|
+
- !ruby/object:Gem::Version
|
|
61
|
+
version: '0'
|
|
62
|
+
type: :runtime
|
|
63
|
+
prerelease: false
|
|
64
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
65
|
+
requirements:
|
|
66
|
+
- - ">="
|
|
67
|
+
- !ruby/object:Gem::Version
|
|
68
|
+
version: '0'
|
|
41
69
|
- !ruby/object:Gem::Dependency
|
|
42
70
|
name: aws_data
|
|
43
71
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -149,8 +177,13 @@ files:
|
|
|
149
177
|
- lib/terraspace_plugin_aws/interfaces/decorator/aws_security_group.rb
|
|
150
178
|
- lib/terraspace_plugin_aws/interfaces/decorator/base.rb
|
|
151
179
|
- lib/terraspace_plugin_aws/interfaces/expander.rb
|
|
180
|
+
- lib/terraspace_plugin_aws/interfaces/helper.rb
|
|
181
|
+
- lib/terraspace_plugin_aws/interfaces/helper/secret.rb
|
|
182
|
+
- lib/terraspace_plugin_aws/interfaces/helper/secret_base.rb
|
|
183
|
+
- lib/terraspace_plugin_aws/interfaces/helper/ssm.rb
|
|
152
184
|
- lib/terraspace_plugin_aws/interfaces/layer.rb
|
|
153
185
|
- lib/terraspace_plugin_aws/interfaces/summary.rb
|
|
186
|
+
- lib/terraspace_plugin_aws/logging.rb
|
|
154
187
|
- lib/terraspace_plugin_aws/version.rb
|
|
155
188
|
- terraspace_plugin_aws.gemspec
|
|
156
189
|
homepage: https://github.com/boltops-tools/terraspace_plugin_aws
|
|
@@ -173,7 +206,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
173
206
|
- !ruby/object:Gem::Version
|
|
174
207
|
version: '0'
|
|
175
208
|
requirements: []
|
|
176
|
-
rubygems_version: 3.
|
|
209
|
+
rubygems_version: 3.2.32
|
|
177
210
|
signing_key:
|
|
178
211
|
specification_version: 4
|
|
179
212
|
summary: Terraspace AWS Plugin
|