terraspace_plugin_aws 0.3.0 → 0.3.4
- checksums.yaml +4 -4
- data/CHANGELOG.md +13 -0
- data/lib/terraspace_plugin_aws/clients/options.rb +98 -0
- data/lib/terraspace_plugin_aws/clients.rb +10 -4
- data/lib/terraspace_plugin_aws/interfaces/backend/bucket/secure.rb +24 -0
- data/lib/terraspace_plugin_aws/interfaces/backend/setup.rb +15 -0
- data/lib/terraspace_plugin_aws/interfaces/backend.rb +1 -0
- data/lib/terraspace_plugin_aws/interfaces/expander.rb +4 -0
- data/lib/terraspace_plugin_aws/version.rb +1 -1
- metadata +5 -3
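--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz:
-  data.tar.gz:
+  metadata.gz: a734d60b2713b55bfaf56b012c3f9a496524ea91e9d929de9390c50748cb6eac
+  data.tar.gz: 7e7ff81c606f4dab49c37bb217efc676c58c522ceb49a6b95e7b06e398040687
 SHA512:
-  metadata.gz:
-  data.tar.gz:
+  metadata.gz: 99a83edd45b95fbafbce17c2c7a992524176d1335754404716d1d2546ac311baf5010a8e5e3204fd0153e1d718374dda895834947d3d1fb064581e5396df260b
+  data.tar.gz: b0f16167fbf2cfa375b487993540072e757c17cbfe1781e4476f6a680fa69c8757e501adc67aea9099e32b4c0e1bfab3352c72c0162592479c3c11ef3c694fda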
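--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -3,6 +3,19 @@
 All notable changes to this project will be documented in this file.
 This project *loosely tries* to adhere to [Semantic Versioning](http://semver.org/).
 
+## [0.3.4] - 2021-12-30
+- [#13](https://github.com/boltops-tools/terraspace_plugin_aws/pull/13) check aws setup and provide friendly message
+- [#14](https://github.com/boltops-tools/terraspace_plugin_aws/pull/14) fix aws_secret helper
+
+## [0.3.3] - 2021-12-14
+- [#10](https://github.com/boltops-tools/terraspace_plugin_aws/pull/10) implement expand_string? to not expand aws arn values
+
+## [0.3.2] - 2021-12-14
+- [#9](https://github.com/boltops-tools/terraspace_plugin_aws/pull/9) support separate aws account for s3 backend bucket
+
+## [0.3.1] - 2021-12-14
+- [#8](https://github.com/boltops-tools/terraspace_plugin_aws/pull/8) use region configured in the backend.tf for the s3 client
+
 ## [0.3.0] - 2020-11-15
 - [#5](https://github.com/boltops-tools/terraspace_plugin_aws/pull/5) helper and secrets support
 - aws_secret and aws_ssm helpers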
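--- a/data/lib/terraspace_plugin_aws/clients/options.rb
+++ b/data/lib/terraspace_plugin_aws/clients/options.rb
@@ -0,0 +1,98 @@
+module TerraspacePluginAws::Clients
+  module Options
+    private
+    def client_options
+      return {} unless @info # aws_secret helper wont have @info
+      if @info['role_arn']
+        client_assume_role_options
+      else
+        client_default_options
+      end
+    end
+
+    # Typically, aws sdk client options are inferred from the user environment unless set in the backend.tf
+    #
+    # terraform s3 backend assume role configuration: https://www.terraform.io/docs/language/settings/backends/s3.html
+    #
+    # assume_role_duration_seconds - (Optional) Number of seconds to restrict the assume role session duration.
+    # assume_role_policy - (Optional) IAM Policy JSON describing further restricting permissions for the IAM Role being assumed.
+    # assume_role_policy_arns - (Optional) Set of Amazon Resource Names (ARNs) of IAM Policies describing further restricting permissions for the IAM Role being assumed.
+    # assume_role_tags - (Optional) Map of assume role session tags.
+    # assume_role_transitive_tag_keys - (Optional) Set of assume role session tag keys to pass to any subsequent sessions.
+    # external_id - (Optional) External identifier to use when assuming the role.
+    # role_arn - (Optional) Amazon Resource Name (ARN) of the IAM Role to assume.
+    # session_name - (Optional) Session name to use when assuming the role.
+    #
+    # ruby sdk: https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/AssumeRoleCredentials.html
+    #
+    # :role_arn (required, String)
+    # :role_session_name (required, String)
+    # :policy (String)
+    # :duration_seconds (Integer)
+    # :external_id (String)
+    # :client (STS::Client)
+    #
+    def client_assume_role_options
+      whitelist = %w[
+        assume_role_duration_seconds
+        assume_role_policy
+        session_name
+        external_id
+        role_arn
+      ]
+      assume_role_config = @info.slice(*whitelist)
+      # not supported?
+      # assume_role_policy_arns
+      # assume_role_tags
+      # assume_role_transitive_tag_keys
+      # already matches
+      # external_id
+      # role_arn
+      # rest needs to be mapped
+      map = {
+        'assume_role_duration_seconds' => 'duration_seconds',
+        'assume_role_policy' => 'policy',
+        'session_name' => 'role_session_name',
+      }
+      map.each do |terraform_key, ruby_sdk_key|
+        v = assume_role_config.delete(terraform_key)
+        assume_role_config[ruby_sdk_key] = v if v
+      end
+      assume_role_config.symbolize_keys! # ruby sdk expects symbols for keys
+      assume_role_config[:role_session_name] ||= [ENV['C9_USER'] || ENV['USER'], 'session'].compact.join('-') # session name is required for the ruby sdk
+      role_credentials = Aws::AssumeRoleCredentials.new(assume_role_config)
+      {credentials: role_credentials}
+    end
+
+    # terraform s3 backend configuration: https://www.terraform.io/docs/language/settings/backends/s3.html
+    #
+    # access_key - (Optional) AWS access key. If configured, must also configure secret_key. This can also be sourced from the AWS_ACCESS_KEY_ID environment variable, AWS shared credentials file (e.g. ~/.aws/credentials), or AWS shared configuration file (e.g. ~/.aws/config).
+    # secret_key - (Optional) AWS access key. If configured, must also configure access_key. This can also be sourced from the AWS_SECRET_ACCESS_KEY environment variable, AWS shared credentials file (e.g. ~/.aws/credentials), or AWS shared configuration file (e.g. ~/.aws/config).
+    #
+    # ruby sdk: https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/Credentials.html
+    #
+    # access_key_id (String)
+    # secret_access_key (String)
+    # session_token (String) (defaults to: nil) — (nil)
+    #
+    def client_default_options
+      whitelist = %w[
+        access_key_id
+        secret_access_key
+        session_token
+        profile
+      ]
+      options = @info.slice(*whitelist)
+      options.symbolize_keys! # ruby sdk expects symbols for keys
+      client_region_option.merge(options)
+    end
+
+    def client_region_option
+      if @info['region']
+        {region: @info['region']}
+      else
+        {}
+      end
+    end
+  end
+end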
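Review bot: `client_assume_role_options` returns only `{credentials: role_credentials}`, so when `role_arn` is configured the `region` from the backend config is dropped, whereas `client_default_options` merges `client_region_option` in; the two branches should agree, e.g. end the method with `client_region_option.merge(credentials: role_credentials)`. Separately, `client_default_options` whitelists `access_key_id`/`secret_access_key`/`session_token`, which are the Ruby SDK option names, while the comment block right above it documents the backend keys as `access_key`/`secret_key`; if `@info` holds the parsed backend config as the comments imply, those keys are silently ignored and need the same terraform-to-SDK key mapping that `client_assume_role_options` applies. `Hash#symbolize_keys!` is ActiveSupport rather than core Ruby, so this module presumably relies on it being loaded elsewhere, which deserves a one-line comment. Whether the region should also pin the STS client that `Aws::AssumeRoleCredentials` builds internally (its `:client` option) is a design choice this hunk leaves open.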
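--- a/data/lib/terraspace_plugin_aws/clients.rb
+++ b/data/lib/terraspace_plugin_aws/clients.rb
@@ -6,24 +6,30 @@ require "aws-sdk-ssm"
 module TerraspacePluginAws
   module Clients
     extend Memoist
+    include Options
 
     def s3
-      Aws::S3::Client.new
+      Aws::S3::Client.new(client_options)
     end
     memoize :s3
 
     def secretsmanager
-      Aws::SecretsManager::Client.new
+      Aws::SecretsManager::Client.new(client_options)
     end
     memoize :secretsmanager
 
     def ssm
-      Aws::SSM::Client.new
+      Aws::SSM::Client.new(client_options)
     end
     memoize :ssm
 
+    def sts
+      Aws::STS::Client.new(client_options)
+    end
+    memoize :sts
+
     def dynamodb
-      Aws::DynamoDB::Client.new
+      Aws::DynamoDB::Client.new(client_options)
     end
     memoize :dynamodb
   end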
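Review bot: Each of the five client methods calls `client_options` independently and only the clients are memoized, so with `role_arn` configured every client built on an instance constructs its own `Aws::AssumeRoleCredentials`, i.e. up to five AssumeRole round trips and five distinct STS sessions where one would do. Adding `memoize :client_options` next to `include Options` would let all clients share a single credential provider (the provider refreshes itself, so sharing is safe) and, as far as I recall the SDK performs the AssumeRole call in the provider's constructor, also moves any credential failure to the first client built rather than a random later one. The `sts` client depends on `Aws::STS`, which ships with aws-sdk-core rather than any of the visible requires, so a short comment saying so would save the next reader a search.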
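--- a/data/lib/terraspace_plugin_aws/interfaces/backend/bucket/secure.rb
+++ b/data/lib/terraspace_plugin_aws/interfaces/backend/bucket/secure.rb
@@ -2,6 +2,27 @@ require "s3-secure"
 
 class TerraspacePluginAws::Interfaces::Backend::Bucket
   module Secure
+    # Why the retry logic?
+    #
+    # When using profile or role_arn in the terraform backend it the ruby aws sdk
+    # assumes the profile or role.
+    # In doing so, it errors when the s3-secure library calls s3_client.get_bucket_location
+    #
+    # https://github.com/boltops-tools/s3-secure/blob/d2c8e9eba745a75d094a3c566bd5fe47476d3638/lib/s3_secure/aws_services/s3.rb#L43
+    #
+    # Here's an example stack trace of the error:
+    #
+    # https://gist.github.com/tongueroo/dd74b67c17433c6f8dd890225104aef9
+    #
+    # Unsure if this is a terraform backend interfering with the ruby sdk thing (unlikely)
+    # Or if it's a general AWS sdk thing.
+    # Or if it's how I'm calling the sdk and initializing the client. Maybe an initializing the client early on and it caches it.
+    # Unsure. But using this hack instead because life's short.
+    #
+    # Throwing the retry logic in here fixes the issue. This only happens the when the bucket is brand new.
+    # Limiting the retry to only a single attempt.
+    #
+    @@retries = 0
     def secure(bucket)
       c = TerraspacePluginAws::Interfaces::Config.instance.config.s3
       options = {bucket: bucket, quiet: true}
@@ -10,6 +31,9 @@ class TerraspacePluginAws::Interfaces::Backend::Bucket
       S3Secure::Versioning::Enable.new(options).run if c.versioning
       S3Secure::Lifecycle::Add.new(options).run if c.lifecycle
       S3Secure::AccessLogs::Enable.new(options).run if c.access_logging
+    rescue Aws::S3::Errors::AccessDenied => e
+      @@retries += 1
+      retry unless @@retries > 1
     end
   end
 end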
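Review bot: The rescue at the end of `secure` swallows the second `Aws::S3::Errors::AccessDenied` outright: once `@@retries` exceeds 1 the branch neither re-raises nor logs (`e` is unused), so a real permission failure while hardening the bucket returns normally and the caller continues with a bucket whose versioning, lifecycle or access logging may never have been applied. Because `@@retries` is a class variable on the module it is also process-wide, so the single retry budget is consumed by the first bucket that hits the error and every later bucket gets none. I would re-raise when the budget is exhausted and pause before the retry, since the comment attributes the error to a brand-new bucket: `@@retries += 1`, `raise if @@retries > 1`, `sleep 1; retry`. Note that `retry` restarts the method from the `c = ...` line, including the statements between the two hunks that are outside this view, so those steps must be safe to repeat; `secure` starts in the first hunk and ends in the second.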
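--- a/data/lib/terraspace_plugin_aws/interfaces/backend/setup.rb
+++ b/data/lib/terraspace_plugin_aws/interfaces/backend/setup.rb
@@ -0,0 +1,15 @@
+class TerraspacePluginAws::Interfaces::Backend
+  class Setup < Base
+    def check!
+      sts.get_caller_identity
+    rescue Aws::Errors::MissingCredentialsError => e
+      logger.info "ERROR: #{e.class}: #{e.message}".color(:red)
+      logger.info <<~EOL
+        It doesnt look like AWS credentials and access has been setup.
+        Please double check the AWS credentials setup.
+        IE: ~/.aws/config and the AWS_PROFILE env variable.
+      EOL
+      exit 1
+    end
+  end
+end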
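Review bot: `check!` rescues only `Aws::Errors::MissingCredentialsError`, so the friendly message is skipped for the other common setup failures `sts.get_caller_identity` can raise: a profile that does not exist (`Aws::Errors::NoSuchProfileError`), expired or invalid keys, and, when `role_arn` is configured, a failed AssumeRole, because `client_options` builds `Aws::AssumeRoleCredentials` while the `sts` client is being constructed; those surface as STS service errors (`Aws::STS::Errors::ServiceError` subclasses) with a raw stack trace. Widening to `rescue Aws::Errors::MissingCredentialsError, Aws::Errors::NoSuchProfileError, Aws::STS::Errors::ServiceError => e` keeps the output unchanged, since the class and message are already printed, and covers those cases. Two smaller points: the user-facing text has `doesnt` for `doesn't` and `setup` where `set up` is meant, and since this path reports a failure and exits, `logger.error` is the conventional level over `logger.info`.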
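--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: terraspace_plugin_aws
 version: !ruby/object:Gem::Version
-  version: 0.3.
+  version: 0.3.4
 platform: ruby
 authors:
 - Tung Nguyen
 autorequire:
 bindir: exe
 cert_chain: []
-date:
+date: 2021-12-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-dynamodb
@@ -167,10 +167,12 @@ files:
 - lib/terraspace_plugin_aws.rb
 - lib/terraspace_plugin_aws/autoloader.rb
 - lib/terraspace_plugin_aws/clients.rb
+- lib/terraspace_plugin_aws/clients/options.rb
 - lib/terraspace_plugin_aws/interfaces/backend.rb
 - lib/terraspace_plugin_aws/interfaces/backend/base.rb
 - lib/terraspace_plugin_aws/interfaces/backend/bucket.rb
 - lib/terraspace_plugin_aws/interfaces/backend/bucket/secure.rb
+- lib/terraspace_plugin_aws/interfaces/backend/setup.rb
 - lib/terraspace_plugin_aws/interfaces/backend/table.rb
 - lib/terraspace_plugin_aws/interfaces/config.rb
 - lib/terraspace_plugin_aws/interfaces/decorator.rb
@@ -206,7 +208,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.
+rubygems_version: 3.2.32
 signing_key:
 specification_version: 4
 summary: Terraspace AWS Plugin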