terraspace_plugin_aws 0.3.1 → 0.3.2
Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: eb8991c0ca2191cc5ec5d81a91afb2e1db4f7a7bdc8b1542d7e662ee55be2e05
|
|
4
|
+
data.tar.gz: f7bf38b1edc49e949643a9df6e70b0826ca5336c18e790513e094054a39ef09c
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 4850daa5645efdde37d39ee36fc826bd82993c084d0deabafe83cbd7f182ce630e01d9b5cd7bcde45c366d1e9beeb766cd3f97f411723f9d843a861c4e0a62e5
|
|
7
|
+
data.tar.gz: e0229d052f5fb491562683391cec533cddb47cc453d08795200101f20e2b408f51241e1ebe73b4cd5622a5640df06d6236727e4345ae55512e98555f8f95305e
|
data/CHANGELOG.md
CHANGED
|
@@ -3,6 +3,9 @@
|
|
|
3
3
|
All notable changes to this project will be documented in this file.
|
|
4
4
|
This project *loosely tries* to adhere to [Semantic Versioning](http://semver.org/).
|
|
5
5
|
|
|
6
|
+
## [0.3.2] - 2021-12-14
|
|
7
|
+
- [#9](https://github.com/boltops-tools/terraspace_plugin_aws/pull/9) support separate aws account for s3 backend bucket
|
|
8
|
+
|
|
6
9
|
## [0.3.1] - 2021-12-14
|
|
7
10
|
- [#8](https://github.com/boltops-tools/terraspace_plugin_aws/pull/8) use region configured in the backend.tf for the s3 client
|
|
8
11
|
|
|
@@ -0,0 +1,100 @@
|
|
|
1
|
+
module TerraspacePluginAws::Clients
|
|
2
|
+
module Options
|
|
3
|
+
private
|
|
4
|
+
def client_options
|
|
5
|
+
if @info['role_arn']
|
|
6
|
+
client_assume_role_config
|
|
7
|
+
else
|
|
8
|
+
client_default_options
|
|
9
|
+
end
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
# Typically, aws sdk client options are inferred from the user environment unless set in the backend.tf
|
|
13
|
+
#
|
|
14
|
+
# terraform s3 backend assume role configuration: https://www.terraform.io/docs/language/settings/backends/s3.html
|
|
15
|
+
#
|
|
16
|
+
# assume_role_duration_seconds - (Optional) Number of seconds to restrict the assume role session duration.
|
|
17
|
+
# assume_role_policy - (Optional) IAM Policy JSON describing further restricting permissions for the IAM Role being assumed.
|
|
18
|
+
# assume_role_policy_arns - (Optional) Set of Amazon Resource Names (ARNs) of IAM Policies describing further restricting permissions for the IAM Role being assumed.
|
|
19
|
+
# assume_role_tags - (Optional) Map of assume role session tags.
|
|
20
|
+
# assume_role_transitive_tag_keys - (Optional) Set of assume role session tag keys to pass to any subsequent sessions.
|
|
21
|
+
# external_id - (Optional) External identifier to use when assuming the role.
|
|
22
|
+
# role_arn - (Optional) Amazon Resource Name (ARN) of the IAM Role to assume.
|
|
23
|
+
# session_name - (Optional) Session name to use when assuming the role.
|
|
24
|
+
#
|
|
25
|
+
# ruby sdk: https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/AssumeRoleCredentials.html
|
|
26
|
+
#
|
|
27
|
+
# :role_arn (required, String)
|
|
28
|
+
# :role_session_name (required, String)
|
|
29
|
+
# :policy (String)
|
|
30
|
+
# :duration_seconds (Integer)
|
|
31
|
+
# :external_id (String)
|
|
32
|
+
# :client (STS::Client)
|
|
33
|
+
#
|
|
34
|
+
def client_assume_role_config
|
|
35
|
+
whitelist = %w[
|
|
36
|
+
assume_role_duration_seconds
|
|
37
|
+
assume_role_policy
|
|
38
|
+
session_name
|
|
39
|
+
external_id
|
|
40
|
+
role_arn
|
|
41
|
+
]
|
|
42
|
+
assume_role_config = @info.slice(*whitelist)
|
|
43
|
+
# not supported?
|
|
44
|
+
# assume_role_policy_arns
|
|
45
|
+
# assume_role_tags
|
|
46
|
+
# assume_role_transitive_tag_keys
|
|
47
|
+
# already matches
|
|
48
|
+
# external_id
|
|
49
|
+
# role_arn
|
|
50
|
+
# rest needs to be mapped
|
|
51
|
+
map = {
|
|
52
|
+
'assume_role_duration_seconds' => 'duration_seconds',
|
|
53
|
+
'assume_role_policy' => 'policy',
|
|
54
|
+
'session_name' => 'role_session_name',
|
|
55
|
+
}
|
|
56
|
+
map.each do |terraform_key, ruby_sdk_key|
|
|
57
|
+
v = assume_role_config.delete(terraform_key)
|
|
58
|
+
assume_role_config[ruby_sdk_key] = v if v
|
|
59
|
+
end
|
|
60
|
+
assume_role_config.symbolize_keys! # ruby sdk expects symbols for keys
|
|
61
|
+
assume_role_config[:role_session_name] ||= [ENV['C9_USER'] || ENV['USER'], 'session'].compact.join('-') # session name is required for the ruby sdk
|
|
62
|
+
# options = {client: Aws::STS::Client.new(client_region_option)}
|
|
63
|
+
options = {}
|
|
64
|
+
options.merge!(assume_role_config)
|
|
65
|
+
role_credentials = Aws::AssumeRoleCredentials.new(options)
|
|
66
|
+
{credentials: role_credentials}
|
|
67
|
+
end
|
|
68
|
+
|
|
69
|
+
# terraform s3 backend configuration: https://www.terraform.io/docs/language/settings/backends/s3.html
|
|
70
|
+
#
|
|
71
|
+
# access_key - (Optional) AWS access key. If configured, must also configure secret_key. This can also be sourced from the AWS_ACCESS_KEY_ID environment variable, AWS shared credentials file (e.g. ~/.aws/credentials), or AWS shared configuration file (e.g. ~/.aws/config).
|
|
72
|
+
# secret_key - (Optional) AWS access key. If configured, must also configure access_key. This can also be sourced from the AWS_SECRET_ACCESS_KEY environment variable, AWS shared credentials file (e.g. ~/.aws/credentials), or AWS shared configuration file (e.g. ~/.aws/config).
|
|
73
|
+
#
|
|
74
|
+
# ruby sdk: https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/Credentials.html
|
|
75
|
+
#
|
|
76
|
+
# access_key_id (String)
|
|
77
|
+
# secret_access_key (String)
|
|
78
|
+
# session_token (String) (defaults to: nil) — (nil)
|
|
79
|
+
#
|
|
80
|
+
def client_default_options
|
|
81
|
+
whitelist = %w[
|
|
82
|
+
access_key_id
|
|
83
|
+
secret_access_key
|
|
84
|
+
session_token
|
|
85
|
+
profile
|
|
86
|
+
]
|
|
87
|
+
options = @info.slice(*whitelist)
|
|
88
|
+
options.symbolize_keys! # ruby sdk expects symbols for keys
|
|
89
|
+
client_region_option.merge(options)
|
|
90
|
+
end
|
|
91
|
+
|
|
92
|
+
def client_region_option
|
|
93
|
+
if @info['region']
|
|
94
|
+
{region: @info['region']}
|
|
95
|
+
else
|
|
96
|
+
{}
|
|
97
|
+
end
|
|
98
|
+
end
|
|
99
|
+
end
|
|
100
|
+
end
|
|
@@ -6,6 +6,7 @@ require "aws-sdk-ssm"
|
|
|
6
6
|
module TerraspacePluginAws
|
|
7
7
|
module Clients
|
|
8
8
|
extend Memoist
|
|
9
|
+
include Options
|
|
9
10
|
|
|
10
11
|
def s3
|
|
11
12
|
Aws::S3::Client.new(client_options)
|
|
@@ -26,14 +27,5 @@ module TerraspacePluginAws
|
|
|
26
27
|
Aws::DynamoDB::Client.new(client_options)
|
|
27
28
|
end
|
|
28
29
|
memoize :dynamodb
|
|
29
|
-
|
|
30
|
-
# Typically inferred from AWS_REGION unless set in the backend.tf
|
|
31
|
-
def client_options
|
|
32
|
-
if @info['region']
|
|
33
|
-
{region: @info['region']}
|
|
34
|
-
else
|
|
35
|
-
{}
|
|
36
|
-
end
|
|
37
|
-
end
|
|
38
30
|
end
|
|
39
31
|
end
|
|
@@ -2,6 +2,27 @@ require "s3-secure"
|
|
|
2
2
|
|
|
3
3
|
class TerraspacePluginAws::Interfaces::Backend::Bucket
|
|
4
4
|
module Secure
|
|
5
|
+
# Why the retry logic?
|
|
6
|
+
#
|
|
7
|
+
# When using profile or role_arn in the terraform backend it the ruby aws sdk
|
|
8
|
+
# assumes the profile or role.
|
|
9
|
+
# In doing so, it errors when the s3-secure library calls s3_client.get_bucket_location
|
|
10
|
+
#
|
|
11
|
+
# https://github.com/boltops-tools/s3-secure/blob/d2c8e9eba745a75d094a3c566bd5fe47476d3638/lib/s3_secure/aws_services/s3.rb#L43
|
|
12
|
+
#
|
|
13
|
+
# Here's an example stack trace of the error:
|
|
14
|
+
#
|
|
15
|
+
# https://gist.github.com/tongueroo/dd74b67c17433c6f8dd890225104aef9
|
|
16
|
+
#
|
|
17
|
+
# Unsure if this is a terraform backend interfering with the ruby sdk thing (unlikely)
|
|
18
|
+
# Or if it's a general AWS sdk thing.
|
|
19
|
+
# Or if it's how I'm calling the sdk and initializing the client. Maybe an initializing the client early on and it caches it.
|
|
20
|
+
# Unsure. But using this hack instead because life's short.
|
|
21
|
+
#
|
|
22
|
+
# Throwing the retry logic in here fixes the issue. This only happens the when the bucket is brand new.
|
|
23
|
+
# Limiting the retry to only a single attempt.
|
|
24
|
+
#
|
|
25
|
+
@@retries = 0
|
|
5
26
|
def secure(bucket)
|
|
6
27
|
c = TerraspacePluginAws::Interfaces::Config.instance.config.s3
|
|
7
28
|
options = {bucket: bucket, quiet: true}
|
|
@@ -10,6 +31,9 @@ class TerraspacePluginAws::Interfaces::Backend::Bucket
|
|
|
10
31
|
S3Secure::Versioning::Enable.new(options).run if c.versioning
|
|
11
32
|
S3Secure::Lifecycle::Add.new(options).run if c.lifecycle
|
|
12
33
|
S3Secure::AccessLogs::Enable.new(options).run if c.access_logging
|
|
34
|
+
rescue Aws::S3::Errors::AccessDenied => e
|
|
35
|
+
@@retries += 1
|
|
36
|
+
retry unless @@retries > 1
|
|
13
37
|
end
|
|
14
38
|
end
|
|
15
39
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: terraspace_plugin_aws
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.3.
|
|
4
|
+
version: 0.3.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Tung Nguyen
|
|
@@ -167,6 +167,7 @@ files:
|
|
|
167
167
|
- lib/terraspace_plugin_aws.rb
|
|
168
168
|
- lib/terraspace_plugin_aws/autoloader.rb
|
|
169
169
|
- lib/terraspace_plugin_aws/clients.rb
|
|
170
|
+
- lib/terraspace_plugin_aws/clients/options.rb
|
|
170
171
|
- lib/terraspace_plugin_aws/interfaces/backend.rb
|
|
171
172
|
- lib/terraspace_plugin_aws/interfaces/backend/base.rb
|
|
172
173
|
- lib/terraspace_plugin_aws/interfaces/backend/bucket.rb
|