terraspace_plugin_aws 0.3.0 → 0.3.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b62c32aa56b1d692d2438f73de9a320cc428b6905b37f622576c0ecb47ae4e08
-  data.tar.gz: 4f3e359016f41e102f4666a5494d76114bad4b0e24ea98530dea4167764643c8
+  metadata.gz: a734d60b2713b55bfaf56b012c3f9a496524ea91e9d929de9390c50748cb6eac
+  data.tar.gz: 7e7ff81c606f4dab49c37bb217efc676c58c522ceb49a6b95e7b06e398040687
 SHA512:
-  metadata.gz: 2db6fa9293af079f29af0823e77176a26b8b5634bdc03a4cf057add8c5b945b53adf58e48ab5bf84758ad219bff3298428e129545a977db0b7a6e9aff8c53391
-  data.tar.gz: bad12d3090b11d5320e0636b3abfd2ad5722963ad48ae7a96f58864e716b1150fbde41bc96ad4da097e9a13cf723333b67bae2f1f8295aae61ef31d15c24d440
+  metadata.gz: 99a83edd45b95fbafbce17c2c7a992524176d1335754404716d1d2546ac311baf5010a8e5e3204fd0153e1d718374dda895834947d3d1fb064581e5396df260b
+  data.tar.gz: b0f16167fbf2cfa375b487993540072e757c17cbfe1781e4476f6a680fa69c8757e501adc67aea9099e32b4c0e1bfab3352c72c0162592479c3c11ef3c694fda

data/CHANGELOG.md

@@ -3,6 +3,19 @@
 All notable changes to this project will be documented in this file.
 This project *loosely tries* to adhere to [Semantic Versioning](http://semver.org/).
 
+## [0.3.4] - 2021-12-30
+- [#13](https://github.com/boltops-tools/terraspace_plugin_aws/pull/13) check aws setup and provide friendly message
+- [#14](https://github.com/boltops-tools/terraspace_plugin_aws/pull/14) fix aws_secret helper
+
+## [0.3.3] - 2021-12-14
+- [#10](https://github.com/boltops-tools/terraspace_plugin_aws/pull/10) implement expand_string? to not expand aws arn values
+
+## [0.3.2] - 2021-12-14
+- [#9](https://github.com/boltops-tools/terraspace_plugin_aws/pull/9) support separate aws account for s3 backend bucket
+
+## [0.3.1] - 2021-12-14
+- [#8](https://github.com/boltops-tools/terraspace_plugin_aws/pull/8) use region configured in the backend.tf for the s3 client
+
 ## [0.3.0] - 2020-11-15
 - [#5](https://github.com/boltops-tools/terraspace_plugin_aws/pull/5) helper and secrets support
 - aws_secret and aws_ssm helpers

data/lib/terraspace_plugin_aws/clients/options.rb

@@ -0,0 +1,98 @@
+module TerraspacePluginAws::Clients
+  module Options
+  private
+    def client_options
+      return {} unless @info # aws_secret helper wont have @info
+      if @info['role_arn']
+        client_assume_role_options
+      else
+        client_default_options
+      end
+    end
+
+    # Typically, aws sdk client options are inferred from the user environment unless set in the backend.tf
+    #
+    # terraform s3 backend assume role configuration: https://www.terraform.io/docs/language/settings/backends/s3.html
+    #
+    #     assume_role_duration_seconds - (Optional) Number of seconds to restrict the assume role session duration.
+    #     assume_role_policy - (Optional) IAM Policy JSON describing further restricting permissions for the IAM Role being assumed.
+    #     assume_role_policy_arns - (Optional) Set of Amazon Resource Names (ARNs) of IAM Policies describing further restricting permissions for the IAM Role being assumed.
+    #     assume_role_tags - (Optional) Map of assume role session tags.
+    #     assume_role_transitive_tag_keys - (Optional) Set of assume role session tag keys to pass to any subsequent sessions.
+    #     external_id - (Optional) External identifier to use when assuming the role.
+    #     role_arn - (Optional) Amazon Resource Name (ARN) of the IAM Role to assume.
+    #     session_name - (Optional) Session name to use when assuming the role.
+    #
+    # ruby sdk: https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/AssumeRoleCredentials.html
+    #
+    #     :role_arn (required, String)
+    #     :role_session_name (required, String)
+    #     :policy (String)
+    #     :duration_seconds (Integer)
+    #     :external_id (String)
+    #     :client (STS::Client)
+    #
+    def client_assume_role_options
+      whitelist = %w[
+        assume_role_duration_seconds
+        assume_role_policy
+        session_name
+        external_id
+        role_arn
+      ]
+      assume_role_config = @info.slice(*whitelist)
+      # not supported?
+      #   assume_role_policy_arns
+      #   assume_role_tags
+      #   assume_role_transitive_tag_keys
+      # already matches
+      #   external_id
+      #   role_arn
+      # rest needs to be mapped
+      map = {
+        'assume_role_duration_seconds' => 'duration_seconds',
+        'assume_role_policy' => 'policy',
+        'session_name' => 'role_session_name',
+      }
+      map.each do |terraform_key, ruby_sdk_key|
+        v = assume_role_config.delete(terraform_key)
+        assume_role_config[ruby_sdk_key] = v if v
+      end
+      assume_role_config.symbolize_keys! # ruby sdk expects symbols for keys
+      assume_role_config[:role_session_name] ||= [ENV['C9_USER'] || ENV['USER'], 'session'].compact.join('-') # session name is required for the ruby sdk
+      role_credentials = Aws::AssumeRoleCredentials.new(assume_role_config)
+      {credentials: role_credentials}
+    end
+
+    # terraform s3 backend configuration: https://www.terraform.io/docs/language/settings/backends/s3.html
+    #
+    #     access_key - (Optional) AWS access key. If configured, must also configure secret_key. This can also be sourced from the AWS_ACCESS_KEY_ID environment variable, AWS shared credentials file (e.g. ~/.aws/credentials), or AWS shared configuration file (e.g. ~/.aws/config).
+    #     secret_key - (Optional) AWS access key. If configured, must also configure access_key. This can also be sourced from the AWS_SECRET_ACCESS_KEY environment variable, AWS shared credentials file (e.g. ~/.aws/credentials), or AWS shared configuration file (e.g. ~/.aws/config).
+    #
+    # ruby sdk: https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/Credentials.html
+    #
+    #     access_key_id (String)
+    #     secret_access_key (String)
+    #     session_token (String) (defaults to: nil) — (nil)
+    #
+    def client_default_options
+      whitelist = %w[
+        access_key_id
+        secret_access_key
+        session_token
+        profile
+      ]
+      options = @info.slice(*whitelist)
+      options.symbolize_keys! # ruby sdk expects symbols for keys
+      client_region_option.merge(options)
+    end
+
+    def client_region_option
+      if @info['region']
+        {region: @info['region']}
+      else
+        {}
+      end
+    end
+  end
+end

data/lib/terraspace_plugin_aws/clients.rb

@@ -6,24 +6,30 @@ require "aws-sdk-ssm"
 module TerraspacePluginAws
   module Clients
     extend Memoist
+    include Options
 
     def s3
-      Aws::S3::Client.new
+      Aws::S3::Client.new(client_options)
     end
     memoize :s3
 
     def secretsmanager
-      Aws::SecretsManager::Client.new
+      Aws::SecretsManager::Client.new(client_options)
     end
     memoize :secretsmanager
 
     def ssm
-      Aws::SSM::Client.new
+      Aws::SSM::Client.new(client_options)
     end
     memoize :ssm
 
+    def sts
+      Aws::STS::Client.new(client_options)
+    end
+    memoize :sts
+
     def dynamodb
-      Aws::DynamoDB::Client.new
+      Aws::DynamoDB::Client.new(client_options)
     end
     memoize :dynamodb
   end

data/lib/terraspace_plugin_aws/interfaces/backend/bucket/secure.rb

@@ -2,6 +2,27 @@ require "s3-secure"
 
 class TerraspacePluginAws::Interfaces::Backend::Bucket
   module Secure
+    # Why the retry logic?
+    #
+    # When using profile or role_arn in the terraform backend it the ruby aws sdk
+    # assumes the profile or role.
+    # In doing so, it errors when the s3-secure library calls s3_client.get_bucket_location
+    #
+    #   https://github.com/boltops-tools/s3-secure/blob/d2c8e9eba745a75d094a3c566bd5fe47476d3638/lib/s3_secure/aws_services/s3.rb#L43
+    #
+    # Here's an example stack trace of the error:
+    #
+    #   https://gist.github.com/tongueroo/dd74b67c17433c6f8dd890225104aef9
+    #
+    # Unsure if this is a terraform backend interfering with the ruby sdk thing (unlikely)
+    # Or if it's a general AWS sdk thing.
+    # Or if it's how I'm calling the sdk and initializing the client. Maybe an initializing the client early on and it caches it.
+    # Unsure. But using this hack instead because life's short.
+    #
+    # Throwing the retry logic in here fixes the issue. This only happens the when the bucket is brand new.
+    # Limiting the retry to only a single attempt.
+    #
+    @@retries = 0
     def secure(bucket)
       c = TerraspacePluginAws::Interfaces::Config.instance.config.s3
       options = {bucket: bucket, quiet: true}
@@ -10,6 +31,9 @@ class TerraspacePluginAws::Interfaces::Backend::Bucket
       S3Secure::Versioning::Enable.new(options).run if c.versioning
       S3Secure::Lifecycle::Add.new(options).run if c.lifecycle
       S3Secure::AccessLogs::Enable.new(options).run if c.access_logging
+    rescue Aws::S3::Errors::AccessDenied => e
+      @@retries += 1
+      retry unless @@retries > 1
     end
   end
 end

data/lib/terraspace_plugin_aws/interfaces/backend/setup.rb

@@ -0,0 +1,15 @@
+class TerraspacePluginAws::Interfaces::Backend
+  class Setup < Base
+    def check!
+      sts.get_caller_identity
+    rescue Aws::Errors::MissingCredentialsError => e
+      logger.info "ERROR: #{e.class}: #{e.message}".color(:red)
+      logger.info <<~EOL
+        It doesnt look like AWS credentials and access has been setup.
+        Please double check the AWS credentials setup.
+        IE: ~/.aws/config and the AWS_PROFILE env variable.
+      EOL
+      exit 1
+    end
+  end
+end

data/lib/terraspace_plugin_aws/interfaces/backend.rb

@@ -6,6 +6,7 @@ module TerraspacePluginAws::Interfaces
     def call
       return unless TerraspacePluginAws.config.auto_create
 
+      Setup.new(@info).check!
       Bucket.new(@info).create
       Table.new(@info).create
     end

data/lib/terraspace_plugin_aws/interfaces/expander.rb

@@ -10,5 +10,9 @@ module TerraspacePluginAws::Interfaces
     def aws_data
       $__aws_data ||= AwsData.new
     end
+
+    def expand_string?(string)
+      !string.include?("arn:")
+    end
   end
 end

data/lib/terraspace_plugin_aws/version.rb

@@ -1,3 +1,3 @@
 module TerraspacePluginAws
-  VERSION = "0.3.0"
+  VERSION = "0.3.4"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: terraspace_plugin_aws
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.3.4
 platform: ruby
 authors:
 - Tung Nguyen
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-11-15 00:00:00.000000000 Z
+date: 2021-12-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-dynamodb
@@ -167,10 +167,12 @@ files:
 - lib/terraspace_plugin_aws.rb
 - lib/terraspace_plugin_aws/autoloader.rb
 - lib/terraspace_plugin_aws/clients.rb
+- lib/terraspace_plugin_aws/clients/options.rb
 - lib/terraspace_plugin_aws/interfaces/backend.rb
 - lib/terraspace_plugin_aws/interfaces/backend/base.rb
 - lib/terraspace_plugin_aws/interfaces/backend/bucket.rb
 - lib/terraspace_plugin_aws/interfaces/backend/bucket/secure.rb
+- lib/terraspace_plugin_aws/interfaces/backend/setup.rb
 - lib/terraspace_plugin_aws/interfaces/backend/table.rb
 - lib/terraspace_plugin_aws/interfaces/config.rb
 - lib/terraspace_plugin_aws/interfaces/decorator.rb
@@ -206,7 +208,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.2.32
 signing_key: 
 specification_version: 4
 summary: Terraspace AWS Plugin