RubyGems - terraspace_plugin_aws - Versions diffs - 0.2.1 → 0.3.2 - Mend

terraspace_plugin_aws 0.2.1 → 0.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +14 -0
data/README.md +1 -1
data/lib/templates/hcl/project/config/terraform/backend.tf.tt +2 -2
data/lib/terraspace_plugin_aws/autoloader.rb +1 -1
data/lib/terraspace_plugin_aws/clients/options.rb +100 -0
data/lib/terraspace_plugin_aws/clients.rb +15 -2
data/lib/terraspace_plugin_aws/interfaces/backend/base.rb +1 -4
data/lib/terraspace_plugin_aws/interfaces/backend/bucket/secure.rb +24 -0
data/lib/terraspace_plugin_aws/interfaces/config.rb +1 -1
data/lib/terraspace_plugin_aws/interfaces/helper/secret.rb +18 -0
data/lib/terraspace_plugin_aws/interfaces/helper/secret_base.rb +13 -0
data/lib/terraspace_plugin_aws/interfaces/helper/ssm.rb +18 -0
data/lib/terraspace_plugin_aws/interfaces/helper.rb +15 -0
data/lib/terraspace_plugin_aws/interfaces/summary.rb +1 -1
data/lib/terraspace_plugin_aws/logging.rb +7 -0
data/lib/terraspace_plugin_aws/version.rb +1 -1
data/lib/terraspace_plugin_aws.rb +11 -1
data/terraspace_plugin_aws.gemspec +2 -0
metadata +37 -3

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fe3bb9a8a7744b46c03ecb1abb577b0c0efd86e5304041b5e0c3e2aa085edb36
-  data.tar.gz: 0c5c7d985be2fc6eb218ade8b698f4e4534038428c238af911f8bdab903be846
+  metadata.gz: eb8991c0ca2191cc5ec5d81a91afb2e1db4f7a7bdc8b1542d7e662ee55be2e05
+  data.tar.gz: f7bf38b1edc49e949643a9df6e70b0826ca5336c18e790513e094054a39ef09c
 SHA512:
-  metadata.gz: 9aa446bf85feb83a954620b52222f3e28215a36e8769fdc4c620af2d02913ad7c81b4985674220d222c5ee95cf6226ce24cf8761d4bd991a6cb967037be11b3c
-  data.tar.gz: a7fd615550e52f1ec56d1b1701f843c4fa9b21f664efd286e01552a1bc9b875db2ea1b02247b7961ab4788107551ad6247f7e330e09d2097680f33660a3b958f
+  metadata.gz: 4850daa5645efdde37d39ee36fc826bd82993c084d0deabafe83cbd7f182ce630e01d9b5cd7bcde45c366d1e9beeb766cd3f97f411723f9d843a861c4e0a62e5
+  data.tar.gz: e0229d052f5fb491562683391cec533cddb47cc453d08795200101f20e2b408f51241e1ebe73b4cd5622a5640df06d6236727e4345ae55512e98555f8f95305e

data/CHANGELOG.md CHANGED Viewed

@@ -3,6 +3,20 @@
 All notable changes to this project will be documented in this file.
 This project *loosely tries* to adhere to [Semantic Versioning](http://semver.org/).
+## [0.3.2] - 2021-12-14
+- [#9](https://github.com/boltops-tools/terraspace_plugin_aws/pull/9) support separate aws account for s3 backend bucket
+## [0.3.1] - 2021-12-14
+- [#8](https://github.com/boltops-tools/terraspace_plugin_aws/pull/8) use region configured in the backend.tf for the s3 client
+## [0.3.0] - 2020-11-15
+- [#5](https://github.com/boltops-tools/terraspace_plugin_aws/pull/5) helper and secrets support
+- aws_secret and aws_ssm helpers
+## [0.2.2]
+- #4 default access logging to false
+- set prefix to @folder for performance improvement
 ## [0.2.1]
 - #3 quiet s3-secure messages

data/README.md CHANGED Viewed

@@ -24,7 +24,7 @@ TerraspacePluginAws.configure do |config|
   config.s3.enforce_ssl = true
   config.s3.versioning = true
   config.s3.lifecycle = true
-  config.s3.access_logging = true
+  config.s3.access_logging = false # false by default
   config.s3.secure_existing = false # run the security controls on existing buckets. by default, only run on newly created bucket the first time
   config.dynamodb.encryption = true

data/lib/templates/hcl/project/config/terraform/backend.tf.tt CHANGED Viewed

@@ -1,7 +1,7 @@
 terraform {
   backend "s3" {
-    bucket         = "<%%= expansion('terraform-state-:ACCOUNT-:REGION-:ENV') %>"     # expanded by terraspace IE: terraform-state-112233445566-us-west-2-dev
-    key            = "<%%= expansion(':REGION/:ENV/:BUILD_DIR/terraform.tfstate') %>" # expanded by terraspace IE: us-west-2/dev/modules/vm/terraform.tfstate
+    bucket         = "<%%= expansion('terraform-state-:ACCOUNT-:REGION-:ENV') %>"
+    key            = "<%%= expansion(':REGION/:ENV/:BUILD_DIR/terraform.tfstate') %>"
     region         = "<%%= expansion(':REGION') %>"
     encrypt        = true
     dynamodb_table = "terraform_locks"

data/lib/terraspace_plugin_aws/autoloader.rb CHANGED Viewed

@@ -4,7 +4,7 @@ module TerraspacePluginAws
   class Autoloader
     class Inflector < Zeitwerk::Inflector
       def camelize(basename, _abspath)
-        map = { cli: "CLI", version: "VERSION" }
+        map = { cli: "CLI", ssm: "SSM", version: "VERSION" }
         map[basename.to_sym] || super
       end
     end

data/lib/terraspace_plugin_aws/clients/options.rb ADDED Viewed

@@ -0,0 +1,100 @@
+module TerraspacePluginAws::Clients
+  module Options
+  private
+    def client_options
+      if @info['role_arn']
+        client_assume_role_config
+      else
+        client_default_options
+      end
+    end
+    # Typically, aws sdk client options are inferred from the user environment unless set in the backend.tf
+    #
+    # terraform s3 backend assume role configuration: https://www.terraform.io/docs/language/settings/backends/s3.html
+    #
+    #     assume_role_duration_seconds - (Optional) Number of seconds to restrict the assume role session duration.
+    #     assume_role_policy - (Optional) IAM Policy JSON describing further restricting permissions for the IAM Role being assumed.
+    #     assume_role_policy_arns - (Optional) Set of Amazon Resource Names (ARNs) of IAM Policies describing further restricting permissions for the IAM Role being assumed.
+    #     assume_role_tags - (Optional) Map of assume role session tags.
+    #     assume_role_transitive_tag_keys - (Optional) Set of assume role session tag keys to pass to any subsequent sessions.
+    #     external_id - (Optional) External identifier to use when assuming the role.
+    #     role_arn - (Optional) Amazon Resource Name (ARN) of the IAM Role to assume.
+    #     session_name - (Optional) Session name to use when assuming the role.
+    #
+    # ruby sdk: https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/AssumeRoleCredentials.html
+    #
+    #     :role_arn (required, String)
+    #     :role_session_name (required, String)
+    #     :policy (String)
+    #     :duration_seconds (Integer)
+    #     :external_id (String)
+    #     :client (STS::Client)
+    #
+    def client_assume_role_config
+      whitelist = %w[
+        assume_role_duration_seconds
+        assume_role_policy
+        session_name
+        external_id
+        role_arn
+      ]
+      assume_role_config = @info.slice(*whitelist)
+      # not supported?
+      #   assume_role_policy_arns
+      #   assume_role_tags
+      #   assume_role_transitive_tag_keys
+      # already matches
+      #   external_id
+      #   role_arn
+      # rest needs to be mapped
+      map = {
+        'assume_role_duration_seconds' => 'duration_seconds',
+        'assume_role_policy' => 'policy',
+        'session_name' => 'role_session_name',
+      }
+      map.each do |terraform_key, ruby_sdk_key|
+        v = assume_role_config.delete(terraform_key)
+        assume_role_config[ruby_sdk_key] = v if v
+      end
+      assume_role_config.symbolize_keys! # ruby sdk expects symbols for keys
+      assume_role_config[:role_session_name] ||= [ENV['C9_USER'] || ENV['USER'], 'session'].compact.join('-') # session name is required for the ruby sdk
+      # options = {client: Aws::STS::Client.new(client_region_option)}
+      options = {}
+      options.merge!(assume_role_config)
+      role_credentials = Aws::AssumeRoleCredentials.new(options)
+      {credentials: role_credentials}
+    end
+    # terraform s3 backend configuration: https://www.terraform.io/docs/language/settings/backends/s3.html
+    #
+    #     access_key - (Optional) AWS access key. If configured, must also configure secret_key. This can also be sourced from the AWS_ACCESS_KEY_ID environment variable, AWS shared credentials file (e.g. ~/.aws/credentials), or AWS shared configuration file (e.g. ~/.aws/config).
+    #     secret_key - (Optional) AWS access key. If configured, must also configure access_key. This can also be sourced from the AWS_SECRET_ACCESS_KEY environment variable, AWS shared credentials file (e.g. ~/.aws/credentials), or AWS shared configuration file (e.g. ~/.aws/config).
+    #
+    # ruby sdk: https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/Credentials.html
+    #
+    #     access_key_id (String)
+    #     secret_access_key (String)
+    #     session_token (String) (defaults to: nil) — (nil)
+    #
+    def client_default_options
+      whitelist = %w[
+        access_key_id
+        secret_access_key
+        session_token
+        profile
+      ]
+      options = @info.slice(*whitelist)
+      options.symbolize_keys! # ruby sdk expects symbols for keys
+      client_region_option.merge(options)
+    end
+    def client_region_option
+      if @info['region']
+        {region: @info['region']}
+      else
+        {}
+      end
+    end
+  end
+end

data/lib/terraspace_plugin_aws/clients.rb CHANGED Viewed

@@ -1,17 +1,30 @@
 require "aws-sdk-dynamodb"
 require "aws-sdk-s3"
+require "aws-sdk-secretsmanager"
+require "aws-sdk-ssm"
 module TerraspacePluginAws
   module Clients
     extend Memoist
+    include Options
     def s3
-      Aws::S3::Client.new
+      Aws::S3::Client.new(client_options)
     end
     memoize :s3
+    def secretsmanager
+      Aws::SecretsManager::Client.new(client_options)
+    end
+    memoize :secretsmanager
+    def ssm
+      Aws::SSM::Client.new(client_options)
+    end
+    memoize :ssm
     def dynamodb
-      Aws::DynamoDB::Client.new
+      Aws::DynamoDB::Client.new(client_options)
     end
     memoize :dynamodb
   end

data/lib/terraspace_plugin_aws/interfaces/backend/base.rb CHANGED Viewed

@@ -3,13 +3,10 @@ require "s3-secure"
 class TerraspacePluginAws::Interfaces::Backend
   class Base
     include TerraspacePluginAws::Clients
+    include TerraspacePluginAws::Logging
     def initialize(info)
       @info = info
     end
-    def logger
-      Terraspace.logger
-    end
   end
 end

data/lib/terraspace_plugin_aws/interfaces/backend/bucket/secure.rb CHANGED Viewed

@@ -2,6 +2,27 @@ require "s3-secure"
 class TerraspacePluginAws::Interfaces::Backend::Bucket
   module Secure
+    # Why the retry logic?
+    #
+    # When using profile or role_arn in the terraform backend it the ruby aws sdk
+    # assumes the profile or role.
+    # In doing so, it errors when the s3-secure library calls s3_client.get_bucket_location
+    #
+    #   https://github.com/boltops-tools/s3-secure/blob/d2c8e9eba745a75d094a3c566bd5fe47476d3638/lib/s3_secure/aws_services/s3.rb#L43
+    #
+    # Here's an example stack trace of the error:
+    #
+    #   https://gist.github.com/tongueroo/dd74b67c17433c6f8dd890225104aef9
+    #
+    # Unsure if this is a terraform backend interfering with the ruby sdk thing (unlikely)
+    # Or if it's a general AWS sdk thing.
+    # Or if it's how I'm calling the sdk and initializing the client. Maybe an initializing the client early on and it caches it.
+    # Unsure. But using this hack instead because life's short.
+    #
+    # Throwing the retry logic in here fixes the issue. This only happens the when the bucket is brand new.
+    # Limiting the retry to only a single attempt.
+    #
+    @@retries = 0
     def secure(bucket)
       c = TerraspacePluginAws::Interfaces::Config.instance.config.s3
       options = {bucket: bucket, quiet: true}
@@ -10,6 +31,9 @@ class TerraspacePluginAws::Interfaces::Backend::Bucket
       S3Secure::Versioning::Enable.new(options).run if c.versioning
       S3Secure::Lifecycle::Add.new(options).run if c.lifecycle
       S3Secure::AccessLogs::Enable.new(options).run if c.access_logging
+    rescue Aws::S3::Errors::AccessDenied => e
+      @@retries += 1
+      retry unless @@retries > 1
     end
   end
 end

data/lib/terraspace_plugin_aws/interfaces/config.rb CHANGED Viewed

@@ -20,7 +20,7 @@ module TerraspacePluginAws::Interfaces
       c.s3.enforce_ssl = true
       c.s3.versioning = true
       c.s3.lifecycle = true
-      c.s3.access_logging = true
+      c.s3.access_logging = false
       c.s3.secure_existing = false # run the security controls on existing buckets. by default, only run on newly created bucket the first time
       c.dynamodb = ActiveSupport::OrderedOptions.new

data/lib/terraspace_plugin_aws/interfaces/helper/secret.rb ADDED Viewed

@@ -0,0 +1,18 @@
+module TerraspacePluginAws::Interfaces::Helper
+  class Secret < SecretBase
+    def fetch(secret_id)
+      value = fetch_value(secret_id)
+      value = Base64.strict_encode64(value).strip if @base64
+      value
+    end
+    def fetch_value(secret_id)
+      secret_value = secretsmanager.get_secret_value(secret_id: secret_id)
+      secret_value.secret_string
+    rescue Aws::SecretsManager::Errors::ResourceNotFoundException => e
+      logger.info "WARN: secret_id #{secret_id} not found".color(:yellow)
+      logger.info e.message
+      "NOT FOUND #{secret_id}" # simple string so Kubernetes YAML is valid
+    end
+  end
+end

data/lib/terraspace_plugin_aws/interfaces/helper/secret_base.rb ADDED Viewed

@@ -0,0 +1,13 @@
+require "base64"
+module TerraspacePluginAws::Interfaces::Helper
+  class SecretBase
+    include TerraspacePluginAws::Clients
+    include TerraspacePluginAws::Logging
+    def initialize(options={})
+      @options = options
+      @base64 = options[:base64]
+    end
+  end
+end

data/lib/terraspace_plugin_aws/interfaces/helper/ssm.rb ADDED Viewed

@@ -0,0 +1,18 @@
+module TerraspacePluginAws::Interfaces::Helper
+  class SSM < SecretBase
+    def fetch(name)
+      value = fetch_value(name)
+      value = Base64.strict_encode64(value).strip if @base64
+      value
+    end
+    def fetch_value(name)
+      resp = ssm.get_parameter(name: name, with_decryption: true)
+      resp.parameter.value
+    rescue Aws::SSM::Errors::ParameterNotFound => e
+      logger.info "WARN: name #{name} not found".color(:yellow)
+      logger.info e.message
+      "NOT FOUND #{name}" # simple string so tfvars valid
+    end
+  end
+end

data/lib/terraspace_plugin_aws/interfaces/helper.rb ADDED Viewed

@@ -0,0 +1,15 @@
+module TerraspacePluginAws::Interfaces
+  module Helper
+    include Terraspace::Plugin::Helper::Interface
+    def aws_secret(name, options={})
+      Secret.new(options).fetch(name)
+    end
+    cache_helper :aws_secret
+    def aws_ssm(name, options={})
+      SSM.new(options).fetch(name)
+    end
+    cache_helper :aws_ssm
+  end
+end

data/lib/terraspace_plugin_aws/interfaces/summary.rb CHANGED Viewed

@@ -5,7 +5,7 @@ module TerraspacePluginAws::Interfaces
     # interface method
     def download
-      resp = s3.list_objects(bucket: @bucket)
+      resp = s3.list_objects(bucket: @bucket, prefix: @folder)
       resp.contents.each do |content|
         local_path = "#{@dest}/#{content.key}"
         FileUtils.mkdir_p(File.dirname(local_path))

data/lib/terraspace_plugin_aws/logging.rb ADDED Viewed

@@ -0,0 +1,7 @@
+module TerraspacePluginAws
+  module Logging
+    def logger
+      Terraspace.logger
+    end
+  end
+end

data/lib/terraspace_plugin_aws/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module TerraspacePluginAws
-  VERSION = "0.2.1"
+  VERSION = "0.3.2"
 end

data/lib/terraspace_plugin_aws.rb CHANGED Viewed

@@ -22,12 +22,22 @@ module TerraspacePluginAws
     Interfaces::Config.instance.config
   end
+  @@logger = nil
+  def logger
+    @@logger ||= Terraspace.logger
+  end
+  def logger=(v)
+    @@logger = v
+  end
   extend self
 end
 Terraspace::Plugin.register("aws",
   backend: "s3",
   config_class: TerraspacePluginAws::Interfaces::Config,
-  layer_class: TerraspacePluginAws::Interfaces::Layer, # used for layering
+  helper_class: TerraspacePluginAws::Interfaces::Helper,
+  layer_class: TerraspacePluginAws::Interfaces::Layer,
   root: File.dirname(__dir__),
 )

data/terraspace_plugin_aws.gemspec CHANGED Viewed

@@ -24,6 +24,8 @@ Gem::Specification.new do |spec|
   spec.add_dependency "aws-sdk-dynamodb"
   spec.add_dependency "aws-sdk-s3"
+  spec.add_dependency "aws-sdk-secretsmanager"
+  spec.add_dependency "aws-sdk-ssm"
   spec.add_dependency "aws_data"
   spec.add_dependency "memoist"
   spec.add_dependency "s3-secure"

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: terraspace_plugin_aws
 version: !ruby/object:Gem::Version
-  version: 0.2.1
+  version: 0.3.2
 platform: ruby
 authors:
 - Tung Nguyen
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-09-19 00:00:00.000000000 Z
+date: 2021-12-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-dynamodb
@@ -38,6 +38,34 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-secretsmanager
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-ssm
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: aws_data
   requirement: !ruby/object:Gem::Requirement
@@ -139,6 +167,7 @@ files:
 - lib/terraspace_plugin_aws.rb
 - lib/terraspace_plugin_aws/autoloader.rb
 - lib/terraspace_plugin_aws/clients.rb
+- lib/terraspace_plugin_aws/clients/options.rb
 - lib/terraspace_plugin_aws/interfaces/backend.rb
 - lib/terraspace_plugin_aws/interfaces/backend/base.rb
 - lib/terraspace_plugin_aws/interfaces/backend/bucket.rb
@@ -149,8 +178,13 @@ files:
 - lib/terraspace_plugin_aws/interfaces/decorator/aws_security_group.rb
 - lib/terraspace_plugin_aws/interfaces/decorator/base.rb
 - lib/terraspace_plugin_aws/interfaces/expander.rb
+- lib/terraspace_plugin_aws/interfaces/helper.rb
+- lib/terraspace_plugin_aws/interfaces/helper/secret.rb
+- lib/terraspace_plugin_aws/interfaces/helper/secret_base.rb
+- lib/terraspace_plugin_aws/interfaces/helper/ssm.rb
 - lib/terraspace_plugin_aws/interfaces/layer.rb
 - lib/terraspace_plugin_aws/interfaces/summary.rb
+- lib/terraspace_plugin_aws/logging.rb
 - lib/terraspace_plugin_aws/version.rb
 - terraspace_plugin_aws.gemspec
 homepage: https://github.com/boltops-tools/terraspace_plugin_aws
@@ -173,7 +207,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.2.32
 signing_key:
 specification_version: 4
 summary: Terraspace AWS Plugin