terraspace_plugin_aws 0.2.0 → 0.3.1

Sign up to get free protection for your applications and to get access to all the features.
Files changed (19) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +14 -0
  3. data/README.md +1 -1
  4. data/lib/templates/hcl/project/config/terraform/backend.tf.tt +2 -2
  5. data/lib/terraspace_plugin_aws/autoloader.rb +1 -1
  6. data/lib/terraspace_plugin_aws/clients.rb +23 -2
  7. data/lib/terraspace_plugin_aws/interfaces/backend/base.rb +1 -4
  8. data/lib/terraspace_plugin_aws/interfaces/backend/bucket/secure.rb +6 -6
  9. data/lib/terraspace_plugin_aws/interfaces/config.rb +1 -1
  10. data/lib/terraspace_plugin_aws/interfaces/helper/secret.rb +18 -0
  11. data/lib/terraspace_plugin_aws/interfaces/helper/secret_base.rb +13 -0
  12. data/lib/terraspace_plugin_aws/interfaces/helper/ssm.rb +18 -0
  13. data/lib/terraspace_plugin_aws/interfaces/helper.rb +15 -0
  14. data/lib/terraspace_plugin_aws/interfaces/summary.rb +1 -1
  15. data/lib/terraspace_plugin_aws/logging.rb +7 -0
  16. data/lib/terraspace_plugin_aws/version.rb +1 -1
  17. data/lib/terraspace_plugin_aws.rb +11 -1
  18. data/terraspace_plugin_aws.gemspec +2 -0
  19. metadata +36 -3
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: a5637326fc002e5732dc1f88390505ad9287ce54926e24646ae6fac4070d851f
4
- data.tar.gz: 9bd59a232bed2d678dbb6d04c2043c91a0312f8f2385623d5eb7c27416e507cc
3
+ metadata.gz: 855a5c7166b24f8881c2d735edd0c252cefd6d0175a9a0f1156090ca08a11e5d
4
+ data.tar.gz: be95c5a77b116c62dac152ec6f8ec9cfb5b68ad372475373823508472bca3566
5
5
  SHA512:
6
- metadata.gz: 5415e06cdac40d7b415474bcf4fcce6f063369e3e3a7354a9256ecb1adaba51dc23b8d1d8c56c53be90c21d5eb8fef4fddce951784eb193dc974829b2a825671
7
- data.tar.gz: f6b29f9a92920e925a4a7c85817f8d03ad2e94899a51849a1e88cb523d81b77440fec922907f12da94955f30807817fb92bca20000bc0f4ec4efcdaa69f61a02
6
+ metadata.gz: 12ff9c7c0fcc8b10d82385855b5a5724392729ef79254cad41fce51b0ddab0d3ec17a927b08da1e071adde23e1c8e1289e48d32f7948753675b6d0fd680596c7
7
+ data.tar.gz: 717dffbad397bb5fd3953739060e5e2ad7bb6d90f842c13ab6f0fb00f5f3cf1b82357ed401b118a2ddde584c9dd6ccdda0712cce493fd2ec0be48433b35f52ab
data/CHANGELOG.md CHANGED
@@ -3,6 +3,20 @@
3
3
  All notable changes to this project will be documented in this file.
4
4
  This project *loosely tries* to adhere to [Semantic Versioning](http://semver.org/).
5
5
 
6
+ ## [0.3.1] - 2021-12-14
7
+ - [#8](https://github.com/boltops-tools/terraspace_plugin_aws/pull/8) use region configured in the backend.tf for the s3 client
8
+
9
+ ## [0.3.0] - 2020-11-15
10
+ - [#5](https://github.com/boltops-tools/terraspace_plugin_aws/pull/5) helper and secrets support
11
+ - aws_secret and aws_ssm helpers
12
+
13
+ ## [0.2.2]
14
+ - #4 default access logging to false
15
+ - set prefix to @folder for performance improvement
16
+
17
+ ## [0.2.1]
18
+ - #3 quiet s3-secure messages
19
+
6
20
  ## [0.2.0]
7
21
  - #2 include layer interface, update template to expansion method
8
22
 
data/README.md CHANGED
@@ -24,7 +24,7 @@ TerraspacePluginAws.configure do |config|
24
24
  config.s3.enforce_ssl = true
25
25
  config.s3.versioning = true
26
26
  config.s3.lifecycle = true
27
- config.s3.access_logging = true
27
+ config.s3.access_logging = false # false by default
28
28
  config.s3.secure_existing = false # run the security controls on existing buckets. by default, only run on newly created bucket the first time
29
29
 
30
30
  config.dynamodb.encryption = true
data/lib/templates/hcl/project/config/terraform/backend.tf.tt CHANGED
@@ -1,7 +1,7 @@
1
1
  terraform {
2
2
  backend "s3" {
3
- bucket = "<%%= expansion('terraform-state-:ACCOUNT-:REGION-:ENV') %>" # expanded by terraspace IE: terraform-state-112233445566-us-west-2-dev
4
- key = "<%%= expansion(':REGION/:ENV/:BUILD_DIR/terraform.tfstate') %>" # expanded by terraspace IE: us-west-2/dev/modules/vm/terraform.tfstate
3
+ bucket = "<%%= expansion('terraform-state-:ACCOUNT-:REGION-:ENV') %>"
4
+ key = "<%%= expansion(':REGION/:ENV/:BUILD_DIR/terraform.tfstate') %>"
5
5
  region = "<%%= expansion(':REGION') %>"
6
6
  encrypt = true
7
7
  dynamodb_table = "terraform_locks"
data/lib/terraspace_plugin_aws/autoloader.rb CHANGED
@@ -4,7 +4,7 @@ module TerraspacePluginAws
4
4
  class Autoloader
5
5
  class Inflector < Zeitwerk::Inflector
6
6
  def camelize(basename, _abspath)
7
- map = { cli: "CLI", version: "VERSION" }
7
+ map = { cli: "CLI", ssm: "SSM", version: "VERSION" }
8
8
  map[basename.to_sym] || super
9
9
  end
10
10
  end
data/lib/terraspace_plugin_aws/clients.rb CHANGED
@@ -1,18 +1,39 @@
1
1
  require "aws-sdk-dynamodb"
2
2
  require "aws-sdk-s3"
3
+ require "aws-sdk-secretsmanager"
4
+ require "aws-sdk-ssm"
3
5
 
4
6
  module TerraspacePluginAws
5
7
  module Clients
6
8
  extend Memoist
7
9
 
8
10
  def s3
9
- Aws::S3::Client.new
11
+ Aws::S3::Client.new(client_options)
10
12
  end
11
13
  memoize :s3
12
14
 
15
+ def secretsmanager
16
+ Aws::SecretsManager::Client.new(client_options)
17
+ end
18
+ memoize :secretsmanager
19
+
20
+ def ssm
21
+ Aws::SSM::Client.new(client_options)
22
+ end
23
+ memoize :ssm
24
+
13
25
  def dynamodb
14
- Aws::DynamoDB::Client.new
26
+ Aws::DynamoDB::Client.new(client_options)
15
27
  end
16
28
  memoize :dynamodb
29
+
30
+ # Typically inferred from AWS_REGION unless set in the backend.tf
31
+ def client_options
32
+ if @info['region']
33
+ {region: @info['region']}
34
+ else
35
+ {}
36
+ end
37
+ end
17
38
  end
18
39
  end
data/lib/terraspace_plugin_aws/interfaces/backend/base.rb CHANGED
@@ -3,13 +3,10 @@ require "s3-secure"
3
3
  class TerraspacePluginAws::Interfaces::Backend
4
4
  class Base
5
5
  include TerraspacePluginAws::Clients
6
+ include TerraspacePluginAws::Logging
6
7
 
7
8
  def initialize(info)
8
9
  @info = info
9
10
  end
10
-
11
- def logger
12
- Terraspace.logger
13
- end
14
11
  end
15
12
  end
data/lib/terraspace_plugin_aws/interfaces/backend/bucket/secure.rb CHANGED
@@ -4,12 +4,12 @@ class TerraspacePluginAws::Interfaces::Backend::Bucket
4
4
  module Secure
5
5
  def secure(bucket)
6
6
  c = TerraspacePluginAws::Interfaces::Config.instance.config.s3
7
-
8
- S3Secure::Encryption::Enable.new(bucket: bucket).run if c.encryption
9
- S3Secure::Policy::Enforce.new(bucket: bucket, sid: "ForceSSLOnlyAccess").run if c.enforce_ssl
10
- S3Secure::Versioning::Enable.new(bucket: bucket).run if c.versioning
11
- S3Secure::Lifecycle::Add.new(bucket: bucket).run if c.lifecycle
12
- S3Secure::AccessLogs::Enable.new(bucket: bucket).run if c.access_logging
7
+ options = {bucket: bucket, quiet: true}
8
+ S3Secure::Encryption::Enable.new(options).run if c.encryption
9
+ S3Secure::Policy::Enforce.new(options.merge(sid: "ForceSSLOnlyAccess")).run if c.enforce_ssl
10
+ S3Secure::Versioning::Enable.new(options).run if c.versioning
11
+ S3Secure::Lifecycle::Add.new(options).run if c.lifecycle
12
+ S3Secure::AccessLogs::Enable.new(options).run if c.access_logging
13
13
  end
14
14
  end
15
15
  end
data/lib/terraspace_plugin_aws/interfaces/config.rb CHANGED
@@ -20,7 +20,7 @@ module TerraspacePluginAws::Interfaces
20
20
  c.s3.enforce_ssl = true
21
21
  c.s3.versioning = true
22
22
  c.s3.lifecycle = true
23
- c.s3.access_logging = true
23
+ c.s3.access_logging = false
24
24
  c.s3.secure_existing = false # run the security controls on existing buckets. by default, only run on newly created bucket the first time
25
25
 
26
26
  c.dynamodb = ActiveSupport::OrderedOptions.new
data/lib/terraspace_plugin_aws/interfaces/helper/secret.rb ADDED
@@ -0,0 +1,18 @@
1
+ module TerraspacePluginAws::Interfaces::Helper
2
+ class Secret < SecretBase
3
+ def fetch(secret_id)
4
+ value = fetch_value(secret_id)
5
+ value = Base64.strict_encode64(value).strip if @base64
6
+ value
7
+ end
8
+
9
+ def fetch_value(secret_id)
10
+ secret_value = secretsmanager.get_secret_value(secret_id: secret_id)
11
+ secret_value.secret_string
12
+ rescue Aws::SecretsManager::Errors::ResourceNotFoundException => e
13
+ logger.info "WARN: secret_id #{secret_id} not found".color(:yellow)
14
+ logger.info e.message
15
+ "NOT FOUND #{secret_id}" # simple string so Kubernetes YAML is valid
16
+ end
17
+ end
18
+ end
data/lib/terraspace_plugin_aws/interfaces/helper/secret_base.rb ADDED
@@ -0,0 +1,13 @@
1
+ require "base64"
2
+
3
+ module TerraspacePluginAws::Interfaces::Helper
4
+ class SecretBase
5
+ include TerraspacePluginAws::Clients
6
+ include TerraspacePluginAws::Logging
7
+
8
+ def initialize(options={})
9
+ @options = options
10
+ @base64 = options[:base64]
11
+ end
12
+ end
13
+ end
data/lib/terraspace_plugin_aws/interfaces/helper/ssm.rb ADDED
@@ -0,0 +1,18 @@
1
+ module TerraspacePluginAws::Interfaces::Helper
2
+ class SSM < SecretBase
3
+ def fetch(name)
4
+ value = fetch_value(name)
5
+ value = Base64.strict_encode64(value).strip if @base64
6
+ value
7
+ end
8
+
9
+ def fetch_value(name)
10
+ resp = ssm.get_parameter(name: name, with_decryption: true)
11
+ resp.parameter.value
12
+ rescue Aws::SSM::Errors::ParameterNotFound => e
13
+ logger.info "WARN: name #{name} not found".color(:yellow)
14
+ logger.info e.message
15
+ "NOT FOUND #{name}" # simple string so tfvars valid
16
+ end
17
+ end
18
+ end
data/lib/terraspace_plugin_aws/interfaces/helper.rb ADDED
@@ -0,0 +1,15 @@
1
+ module TerraspacePluginAws::Interfaces
2
+ module Helper
3
+ include Terraspace::Plugin::Helper::Interface
4
+
5
+ def aws_secret(name, options={})
6
+ Secret.new(options).fetch(name)
7
+ end
8
+ cache_helper :aws_secret
9
+
10
+ def aws_ssm(name, options={})
11
+ SSM.new(options).fetch(name)
12
+ end
13
+ cache_helper :aws_ssm
14
+ end
15
+ end
data/lib/terraspace_plugin_aws/interfaces/summary.rb CHANGED
@@ -5,7 +5,7 @@ module TerraspacePluginAws::Interfaces
5
5
 
6
6
  # interface method
7
7
  def download
8
- resp = s3.list_objects(bucket: @bucket)
8
+ resp = s3.list_objects(bucket: @bucket, prefix: @folder)
9
9
  resp.contents.each do |content|
10
10
  local_path = "#{@dest}/#{content.key}"
11
11
  FileUtils.mkdir_p(File.dirname(local_path))
data/lib/terraspace_plugin_aws/logging.rb ADDED
@@ -0,0 +1,7 @@
1
+ module TerraspacePluginAws
2
+ module Logging
3
+ def logger
4
+ Terraspace.logger
5
+ end
6
+ end
7
+ end
data/lib/terraspace_plugin_aws/version.rb CHANGED
@@ -1,3 +1,3 @@
1
1
  module TerraspacePluginAws
2
- VERSION = "0.2.0"
2
+ VERSION = "0.3.1"
3
3
  end
data/lib/terraspace_plugin_aws.rb CHANGED
@@ -22,12 +22,22 @@ module TerraspacePluginAws
22
22
  Interfaces::Config.instance.config
23
23
  end
24
24
 
25
+ @@logger = nil
26
+ def logger
27
+ @@logger ||= Terraspace.logger
28
+ end
29
+
30
+ def logger=(v)
31
+ @@logger = v
32
+ end
33
+
25
34
  extend self
26
35
  end
27
36
 
28
37
  Terraspace::Plugin.register("aws",
29
38
  backend: "s3",
30
39
  config_class: TerraspacePluginAws::Interfaces::Config,
31
- layer_class: TerraspacePluginAws::Interfaces::Layer, # used for layering
40
+ helper_class: TerraspacePluginAws::Interfaces::Helper,
41
+ layer_class: TerraspacePluginAws::Interfaces::Layer,
32
42
  root: File.dirname(__dir__),
33
43
  )
data/terraspace_plugin_aws.gemspec CHANGED
@@ -24,6 +24,8 @@ Gem::Specification.new do |spec|
24
24
 
25
25
  spec.add_dependency "aws-sdk-dynamodb"
26
26
  spec.add_dependency "aws-sdk-s3"
27
+ spec.add_dependency "aws-sdk-secretsmanager"
28
+ spec.add_dependency "aws-sdk-ssm"
27
29
  spec.add_dependency "aws_data"
28
30
  spec.add_dependency "memoist"
29
31
  spec.add_dependency "s3-secure"
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: terraspace_plugin_aws
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.2.0
4
+ version: 0.3.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Tung Nguyen
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2020-08-20 00:00:00.000000000 Z
11
+ date: 2021-12-14 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: aws-sdk-dynamodb
@@ -38,6 +38,34 @@ dependencies:
38
38
  - - ">="
39
39
  - !ruby/object:Gem::Version
40
40
  version: '0'
41
+ - !ruby/object:Gem::Dependency
42
+ name: aws-sdk-secretsmanager
43
+ requirement: !ruby/object:Gem::Requirement
44
+ requirements:
45
+ - - ">="
46
+ - !ruby/object:Gem::Version
47
+ version: '0'
48
+ type: :runtime
49
+ prerelease: false
50
+ version_requirements: !ruby/object:Gem::Requirement
51
+ requirements:
52
+ - - ">="
53
+ - !ruby/object:Gem::Version
54
+ version: '0'
55
+ - !ruby/object:Gem::Dependency
56
+ name: aws-sdk-ssm
57
+ requirement: !ruby/object:Gem::Requirement
58
+ requirements:
59
+ - - ">="
60
+ - !ruby/object:Gem::Version
61
+ version: '0'
62
+ type: :runtime
63
+ prerelease: false
64
+ version_requirements: !ruby/object:Gem::Requirement
65
+ requirements:
66
+ - - ">="
67
+ - !ruby/object:Gem::Version
68
+ version: '0'
41
69
  - !ruby/object:Gem::Dependency
42
70
  name: aws_data
43
71
  requirement: !ruby/object:Gem::Requirement
@@ -149,8 +177,13 @@ files:
149
177
  - lib/terraspace_plugin_aws/interfaces/decorator/aws_security_group.rb
150
178
  - lib/terraspace_plugin_aws/interfaces/decorator/base.rb
151
179
  - lib/terraspace_plugin_aws/interfaces/expander.rb
180
+ - lib/terraspace_plugin_aws/interfaces/helper.rb
181
+ - lib/terraspace_plugin_aws/interfaces/helper/secret.rb
182
+ - lib/terraspace_plugin_aws/interfaces/helper/secret_base.rb
183
+ - lib/terraspace_plugin_aws/interfaces/helper/ssm.rb
152
184
  - lib/terraspace_plugin_aws/interfaces/layer.rb
153
185
  - lib/terraspace_plugin_aws/interfaces/summary.rb
186
+ - lib/terraspace_plugin_aws/logging.rb
154
187
  - lib/terraspace_plugin_aws/version.rb
155
188
  - terraspace_plugin_aws.gemspec
156
189
  homepage: https://github.com/boltops-tools/terraspace_plugin_aws
@@ -173,7 +206,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
173
206
  - !ruby/object:Gem::Version
174
207
  version: '0'
175
208
  requirements: []
176
- rubygems_version: 3.1.2
209
+ rubygems_version: 3.2.32
177
210
  signing_key:
178
211
  specification_version: 4
179
212
  summary: Terraspace AWS Plugin