RubyGems - terraspace_plugin_aws - Versions diffs - 0.2.1 → 0.3.2 - Mend

terraspace_plugin_aws 0.2.1 → 0.3.2

Files changed (20) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +14 -0
data/README.md +1 -1
data/lib/templates/hcl/project/config/terraform/backend.tf.tt +2 -2
data/lib/terraspace_plugin_aws/autoloader.rb +1 -1
data/lib/terraspace_plugin_aws/clients/options.rb +100 -0
data/lib/terraspace_plugin_aws/clients.rb +15 -2
data/lib/terraspace_plugin_aws/interfaces/backend/base.rb +1 -4
data/lib/terraspace_plugin_aws/interfaces/backend/bucket/secure.rb +24 -0
data/lib/terraspace_plugin_aws/interfaces/config.rb +1 -1
data/lib/terraspace_plugin_aws/interfaces/helper/secret.rb +18 -0
data/lib/terraspace_plugin_aws/interfaces/helper/secret_base.rb +13 -0
data/lib/terraspace_plugin_aws/interfaces/helper/ssm.rb +18 -0
data/lib/terraspace_plugin_aws/interfaces/helper.rb +15 -0
data/lib/terraspace_plugin_aws/interfaces/summary.rb +1 -1
data/lib/terraspace_plugin_aws/logging.rb +7 -0
data/lib/terraspace_plugin_aws/version.rb +1 -1
data/lib/terraspace_plugin_aws.rb +11 -1
data/terraspace_plugin_aws.gemspec +2 -0
metadata +37 -3

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fe3bb9a8a7744b46c03ecb1abb577b0c0efd86e5304041b5e0c3e2aa085edb36
-  data.tar.gz: 0c5c7d985be2fc6eb218ade8b698f4e4534038428c238af911f8bdab903be846
+  metadata.gz: eb8991c0ca2191cc5ec5d81a91afb2e1db4f7a7bdc8b1542d7e662ee55be2e05
+  data.tar.gz: f7bf38b1edc49e949643a9df6e70b0826ca5336c18e790513e094054a39ef09c
 SHA512:
-  metadata.gz: 9aa446bf85feb83a954620b52222f3e28215a36e8769fdc4c620af2d02913ad7c81b4985674220d222c5ee95cf6226ce24cf8761d4bd991a6cb967037be11b3c
-  data.tar.gz: a7fd615550e52f1ec56d1b1701f843c4fa9b21f664efd286e01552a1bc9b875db2ea1b02247b7961ab4788107551ad6247f7e330e09d2097680f33660a3b958f
+  metadata.gz: 4850daa5645efdde37d39ee36fc826bd82993c084d0deabafe83cbd7f182ce630e01d9b5cd7bcde45c366d1e9beeb766cd3f97f411723f9d843a861c4e0a62e5
+  data.tar.gz: e0229d052f5fb491562683391cec533cddb47cc453d08795200101f20e2b408f51241e1ebe73b4cd5622a5640df06d6236727e4345ae55512e98555f8f95305e

data/CHANGELOG.md CHANGED Viewed

@@ -3,6 +3,20 @@
 All notable changes to this project will be documented in this file.
 This project *loosely tries* to adhere to [Semantic Versioning](http://semver.org/).
+## [0.3.2] - 2021-12-14
+- [#9](https://github.com/boltops-tools/terraspace_plugin_aws/pull/9) support separate aws account for s3 backend bucket
+## [0.3.1] - 2021-12-14
+- [#8](https://github.com/boltops-tools/terraspace_plugin_aws/pull/8) use region configured in the backend.tf for the s3 client
+## [0.3.0] - 2020-11-15
+- [#5](https://github.com/boltops-tools/terraspace_plugin_aws/pull/5) helper and secrets support
+- aws_secret and aws_ssm helpers
+## [0.2.2]
+- #4 default access logging to false
+- set prefix to @folder for performance improvement
 ## [0.2.1]
 - #3 quiet s3-secure messages

data/README.md CHANGED Viewed

@@ -24,7 +24,7 @@ TerraspacePluginAws.configure do |config|
   config.s3.enforce_ssl = true
   config.s3.versioning = true
   config.s3.lifecycle = true
-  config.s3.access_logging = true
+  config.s3.access_logging = false # false by default
   config.s3.secure_existing = false # run the security controls on existing buckets. by default, only run on newly created bucket the first time
   config.dynamodb.encryption = true

data/lib/templates/hcl/project/config/terraform/backend.tf.tt CHANGED Viewed

@@ -1,7 +1,7 @@
 terraform {
   backend "s3" {
-    bucket         = "<%%= expansion('terraform-state-:ACCOUNT-:REGION-:ENV') %>"     # expanded by terraspace IE: terraform-state-112233445566-us-west-2-dev
-    key            = "<%%= expansion(':REGION/:ENV/:BUILD_DIR/terraform.tfstate') %>" # expanded by terraspace IE: us-west-2/dev/modules/vm/terraform.tfstate
+    bucket         = "<%%= expansion('terraform-state-:ACCOUNT-:REGION-:ENV') %>"
+    key            = "<%%= expansion(':REGION/:ENV/:BUILD_DIR/terraform.tfstate') %>"
     region         = "<%%= expansion(':REGION') %>"
     encrypt        = true
     dynamodb_table = "terraform_locks"

data/lib/terraspace_plugin_aws/autoloader.rb CHANGED Viewed

@@ -4,7 +4,7 @@ module TerraspacePluginAws
   class Autoloader
     class Inflector < Zeitwerk::Inflector
       def camelize(basename, _abspath)
-        map = { cli: "CLI", version: "VERSION" }
+        map = { cli: "CLI", ssm: "SSM", version: "VERSION" }
         map[basename.to_sym] || super
       end
     end

data/lib/terraspace_plugin_aws/clients/options.rb ADDED Viewed

@@ -0,0 +1,100 @@
+module TerraspacePluginAws::Clients
+  module Options
+  private
+    def client_options
+      if @info['role_arn']
+        client_assume_role_config
+      else
+        client_default_options
+      end
+    end
+    # Typically, aws sdk client options are inferred from the user environment unless set in the backend.tf
+    #
+    # terraform s3 backend assume role configuration: https://www.terraform.io/docs/language/settings/backends/s3.html
+    #
+    #     assume_role_duration_seconds - (Optional) Number of seconds to restrict the assume role session duration.
+    #     assume_role_policy - (Optional) IAM Policy JSON describing further restricting permissions for the IAM Role being assumed.
+    #     assume_role_policy_arns - (Optional) Set of Amazon Resource Names (ARNs) of IAM Policies describing further restricting permissions for the IAM Role being assumed.
+    #     assume_role_tags - (Optional) Map of assume role session tags.
+    #     assume_role_transitive_tag_keys - (Optional) Set of assume role session tag keys to pass to any subsequent sessions.
+    #     external_id - (Optional) External identifier to use when assuming the role.
+    #     role_arn - (Optional) Amazon Resource Name (ARN) of the IAM Role to assume.
+    #     session_name - (Optional) Session name to use when assuming the role.
+    #
+    # ruby sdk: https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/AssumeRoleCredentials.html
+    #
+    #     :role_arn (required, String)
+    #     :role_session_name (required, String)
+    #     :policy (String)
+    #     :duration_seconds (Integer)
+    #     :external_id (String)
+    #     :client (STS::Client)
+    #
+    def client_assume_role_config
+      whitelist = %w[
+        assume_role_duration_seconds
+        assume_role_policy
+        session_name
+        external_id
+        role_arn
+      ]
+      assume_role_config = @info.slice(*whitelist)
+      # not supported?
+      #   assume_role_policy_arns
+      #   assume_role_tags
+      #   assume_role_transitive_tag_keys
+      # already matches
+      #   external_id
+      #   role_arn
+      # rest needs to be mapped
+      map = {
+        'assume_role_duration_seconds' => 'duration_seconds',
+        'assume_role_policy' => 'policy',
+        'session_name' => 'role_session_name',
+      }
+      map.each do |terraform_key, ruby_sdk_key|
+        v = assume_role_config.delete(terraform_key)
+        assume_role_config[ruby_sdk_key] = v if v
+      end
+      assume_role_config.symbolize_keys! # ruby sdk expects symbols for keys
+      assume_role_config[:role_session_name] ||= [ENV['C9_USER'] || ENV['USER'], 'session'].compact.join('-') # session name is required for the ruby sdk
+      # options = {client: Aws::STS::Client.new(client_region_option)}
+      options = {}
+      options.merge!(assume_role_config)
+      role_credentials = Aws::AssumeRoleCredentials.new(options)
+      {credentials: role_credentials}
+    end
+    # terraform s3 backend configuration: https://www.terraform.io/docs/language/settings/backends/s3.html
+    #
+    #     access_key - (Optional) AWS access key. If configured, must also configure secret_key. This can also be sourced from the AWS_ACCESS_KEY_ID environment variable, AWS shared credentials file (e.g. ~/.aws/credentials), or AWS shared configuration file (e.g. ~/.aws/config).
+    #     secret_key - (Optional) AWS access key. If configured, must also configure access_key. This can also be sourced from the AWS_SECRET_ACCESS_KEY environment variable, AWS shared credentials file (e.g. ~/.aws/credentials), or AWS shared configuration file (e.g. ~/.aws/config).
+    #
+    # ruby sdk: https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/Credentials.html
+    #
+    #     access_key_id (String)
+    #     secret_access_key (String)
+    #     session_token (String) (defaults to: nil) — (nil)
+    #
+    def client_default_options
+      whitelist = %w[
+        access_key_id
+        secret_access_key
+        session_token
+        profile
+      ]
+      options = @info.slice(*whitelist)
+      options.symbolize_keys! # ruby sdk expects symbols for keys
+      client_region_option.merge(options)
+    end
+    def client_region_option
+      if @info['region']
+        {region: @info['region']}
+      else
+        {}
+      end
+    end
+  end
+end

data/lib/terraspace_plugin_aws/clients.rb CHANGED Viewed

@@ -1,17 +1,30 @@
 require "aws-sdk-dynamodb"
 require "aws-sdk-s3"
+require "aws-sdk-secretsmanager"
+require "aws-sdk-ssm"
 module TerraspacePluginAws
   module Clients
     extend Memoist
+    include Options
     def s3
-      Aws::S3::Client.new
+      Aws::S3::Client.new(client_options)
     end
     memoize :s3
+    def secretsmanager
+      Aws::SecretsManager::Client.new(client_options)
+    end
+    memoize :secretsmanager
+    def ssm
+      Aws::SSM::Client.new(client_options)
+    end
+    memoize :ssm
     def dynamodb
-      Aws::DynamoDB::Client.new
+      Aws::DynamoDB::Client.new(client_options)
     end
     memoize :dynamodb
   end

data/lib/terraspace_plugin_aws/interfaces/backend/base.rb CHANGED Viewed

@@ -3,13 +3,10 @@ require "s3-secure"
 class TerraspacePluginAws::Interfaces::Backend
   class Base
     include TerraspacePluginAws::Clients
+    include TerraspacePluginAws::Logging
     def initialize(info)
       @info = info
     end
-    def logger
-      Terraspace.logger
-    end
   end
 end

data/lib/terraspace_plugin_aws/interfaces/backend/bucket/secure.rb CHANGED Viewed

@@ -2,6 +2,27 @@ require "s3-secure"
 class TerraspacePluginAws::Interfaces::Backend::Bucket
   module Secure
+    # Why the retry logic?
+    #
+    # When using profile or role_arn in the terraform backend it the ruby aws sdk
+    # assumes the profile or role.
+    # In doing so, it errors when the s3-secure library calls s3_client.get_bucket_location
+    #
+    #   https://github.com/boltops-tools/s3-secure/blob/d2c8e9eba745a75d094a3c566bd5fe47476d3638/lib/s3_secure/aws_services/s3.rb#L43
+    #
+    # Here's an example stack trace of the error:
+    #
+    #   https://gist.github.com/tongueroo/dd74b67c17433c6f8dd890225104aef9
+    #
+    # Unsure if this is a terraform backend interfering with the ruby sdk thing (unlikely)
+    # Or if it's a general AWS sdk thing.
+    # Or if it's how I'm calling the sdk and initializing the client. Maybe an initializing the client early on and it caches it.
+    # Unsure. But using this hack instead because life's short.
+    #
+    # Throwing the retry logic in here fixes the issue. This only happens the when the bucket is brand new.
+    # Limiting the retry to only a single attempt.
+    #
+    @@retries = 0
     def secure(bucket)
       c = TerraspacePluginAws::Interfaces::Config.instance.config.s3
       options = {bucket: bucket, quiet: true}
@@ -10,6 +31,9 @@ class TerraspacePluginAws::Interfaces::Backend::Bucket
       S3Secure::Versioning::Enable.new(options).run if c.versioning
       S3Secure::Lifecycle::Add.new(options).run if c.lifecycle
       S3Secure::AccessLogs::Enable.new(options).run if c.access_logging
+    rescue Aws::S3::Errors::AccessDenied => e
+      @@retries += 1
+      retry unless @@retries > 1
     end
   end
 end

data/lib/terraspace_plugin_aws/interfaces/config.rb CHANGED Viewed

@@ -20,7 +20,7 @@ module TerraspacePluginAws::Interfaces
       c.s3.enforce_ssl = true
       c.s3.versioning = true
       c.s3.lifecycle = true
-      c.s3.access_logging = true
+      c.s3.access_logging = false
       c.s3.secure_existing = false # run the security controls on existing buckets. by default, only run on newly created bucket the first time
       c.dynamodb = ActiveSupport::OrderedOptions.new

data/lib/terraspace_plugin_aws/interfaces/helper/secret.rb ADDED Viewed

@@ -0,0 +1,18 @@
+module TerraspacePluginAws::Interfaces::Helper
+  class Secret < SecretBase
+    def fetch(secret_id)
+      value = fetch_value(secret_id)
+      value = Base64.strict_encode64(value).strip if @base64
+      value
+    end
+    def fetch_value(secret_id)
+      secret_value = secretsmanager.get_secret_value(secret_id: secret_id)
+      secret_value.secret_string
+    rescue Aws::SecretsManager::Errors::ResourceNotFoundException => e
+      logger.info "WARN: secret_id #{secret_id} not found".color(:yellow)
+      logger.info e.message
+      "NOT FOUND #{secret_id}" # simple string so Kubernetes YAML is valid
+    end
+  end
+end

data/lib/terraspace_plugin_aws/interfaces/helper/secret_base.rb ADDED Viewed

@@ -0,0 +1,13 @@
+require "base64"
+module TerraspacePluginAws::Interfaces::Helper
+  class SecretBase
+    include TerraspacePluginAws::Clients
+    include TerraspacePluginAws::Logging
+    def initialize(options={})
+      @options = options
+      @base64 = options[:base64]
+    end
+  end
+end

data/lib/terraspace_plugin_aws/interfaces/helper/ssm.rb ADDED Viewed

@@ -0,0 +1,18 @@
+module TerraspacePluginAws::Interfaces::Helper
+  class SSM < SecretBase
+    def fetch(name)
+      value = fetch_value(name)
+      value = Base64.strict_encode64(value).strip if @base64
+      value
+    end
+    def fetch_value(name)
+      resp = ssm.get_parameter(name: name, with_decryption: true)
+      resp.parameter.value
+    rescue Aws::SSM::Errors::ParameterNotFound => e
+      logger.info "WARN: name #{name} not found".color(:yellow)
+      logger.info e.message
+      "NOT FOUND #{name}" # simple string so tfvars valid
+    end
+  end
+end

data/lib/terraspace_plugin_aws/interfaces/helper.rb ADDED Viewed

@@ -0,0 +1,15 @@
+module TerraspacePluginAws::Interfaces
+  module Helper
+    include Terraspace::Plugin::Helper::Interface
+    def aws_secret(name, options={})
+      Secret.new(options).fetch(name)
+    end
+    cache_helper :aws_secret
+    def aws_ssm(name, options={})
+      SSM.new(options).fetch(name)
+    end
+    cache_helper :aws_ssm
+  end
+end

data/lib/terraspace_plugin_aws/interfaces/summary.rb CHANGED Viewed

@@ -5,7 +5,7 @@ module TerraspacePluginAws::Interfaces
     # interface method
     def download
-      resp = s3.list_objects(bucket: @bucket)
+      resp = s3.list_objects(bucket: @bucket, prefix: @folder)
       resp.contents.each do |content|
         local_path = "#{@dest}/#{content.key}"
         FileUtils.mkdir_p(File.dirname(local_path))

data/lib/terraspace_plugin_aws/logging.rb ADDED Viewed

@@ -0,0 +1,7 @@
+module TerraspacePluginAws
+  module Logging
+    def logger
+      Terraspace.logger
+    end
+  end
+end

data/lib/terraspace_plugin_aws/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module TerraspacePluginAws
-  VERSION = "0.2.1"
+  VERSION = "0.3.2"
 end

data/lib/terraspace_plugin_aws.rb CHANGED Viewed

@@ -22,12 +22,22 @@ module TerraspacePluginAws
     Interfaces::Config.instance.config
   end
+  @@logger = nil
+  def logger
+    @@logger ||= Terraspace.logger
+  end
+  def logger=(v)
+    @@logger = v
+  end
   extend self
 end
 Terraspace::Plugin.register("aws",
   backend: "s3",
   config_class: TerraspacePluginAws::Interfaces::Config,
-  layer_class: TerraspacePluginAws::Interfaces::Layer, # used for layering
+  helper_class: TerraspacePluginAws::Interfaces::Helper,
+  layer_class: TerraspacePluginAws::Interfaces::Layer,
   root: File.dirname(__dir__),
 )

data/terraspace_plugin_aws.gemspec CHANGED Viewed

@@ -24,6 +24,8 @@ Gem::Specification.new do |spec|
   spec.add_dependency "aws-sdk-dynamodb"
   spec.add_dependency "aws-sdk-s3"
+  spec.add_dependency "aws-sdk-secretsmanager"
+  spec.add_dependency "aws-sdk-ssm"
   spec.add_dependency "aws_data"
   spec.add_dependency "memoist"
   spec.add_dependency "s3-secure"

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: terraspace_plugin_aws
 version: !ruby/object:Gem::Version
-  version: 0.2.1
+  version: 0.3.2
 platform: ruby
 authors:
 - Tung Nguyen
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-09-19 00:00:00.000000000 Z
+date: 2021-12-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-dynamodb
@@ -38,6 +38,34 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-secretsmanager
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-ssm
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: aws_data
   requirement: !ruby/object:Gem::Requirement
@@ -139,6 +167,7 @@ files:
 - lib/terraspace_plugin_aws.rb
 - lib/terraspace_plugin_aws/autoloader.rb
 - lib/terraspace_plugin_aws/clients.rb
+- lib/terraspace_plugin_aws/clients/options.rb
 - lib/terraspace_plugin_aws/interfaces/backend.rb
 - lib/terraspace_plugin_aws/interfaces/backend/base.rb
 - lib/terraspace_plugin_aws/interfaces/backend/bucket.rb
@@ -149,8 +178,13 @@ files:
 - lib/terraspace_plugin_aws/interfaces/decorator/aws_security_group.rb
 - lib/terraspace_plugin_aws/interfaces/decorator/base.rb
 - lib/terraspace_plugin_aws/interfaces/expander.rb
+- lib/terraspace_plugin_aws/interfaces/helper.rb
+- lib/terraspace_plugin_aws/interfaces/helper/secret.rb
+- lib/terraspace_plugin_aws/interfaces/helper/secret_base.rb
+- lib/terraspace_plugin_aws/interfaces/helper/ssm.rb
 - lib/terraspace_plugin_aws/interfaces/layer.rb
 - lib/terraspace_plugin_aws/interfaces/summary.rb
+- lib/terraspace_plugin_aws/logging.rb
 - lib/terraspace_plugin_aws/version.rb
 - terraspace_plugin_aws.gemspec
 homepage: https://github.com/boltops-tools/terraspace_plugin_aws
@@ -173,7 +207,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.2.32
 signing_key:
 specification_version: 4
 summary: Terraspace AWS Plugin