terraspace_plugin_aws 0.3.1 → 0.3.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: eb8991c0ca2191cc5ec5d81a91afb2e1db4f7a7bdc8b1542d7e662ee55be2e05
|
|
4
|
+
data.tar.gz: f7bf38b1edc49e949643a9df6e70b0826ca5336c18e790513e094054a39ef09c
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 4850daa5645efdde37d39ee36fc826bd82993c084d0deabafe83cbd7f182ce630e01d9b5cd7bcde45c366d1e9beeb766cd3f97f411723f9d843a861c4e0a62e5
|
|
7
|
+
data.tar.gz: e0229d052f5fb491562683391cec533cddb47cc453d08795200101f20e2b408f51241e1ebe73b4cd5622a5640df06d6236727e4345ae55512e98555f8f95305e
|
data/CHANGELOG.md
CHANGED
|
@@ -3,6 +3,9 @@
|
|
|
3
3
|
All notable changes to this project will be documented in this file.
|
|
4
4
|
This project *loosely tries* to adhere to [Semantic Versioning](http://semver.org/).
|
|
5
5
|
|
|
6
|
+
## [0.3.2] - 2021-12-14
|
|
7
|
+
- [#9](https://github.com/boltops-tools/terraspace_plugin_aws/pull/9) support separate aws account for s3 backend bucket
|
|
8
|
+
|
|
6
9
|
## [0.3.1] - 2021-12-14
|
|
7
10
|
- [#8](https://github.com/boltops-tools/terraspace_plugin_aws/pull/8) use region configured in the backend.tf for the s3 client
|
|
8
11
|
|
|
@@ -0,0 +1,100 @@
|
|
|
1
|
+
module TerraspacePluginAws::Clients
|
|
2
|
+
module Options
|
|
3
|
+
private
|
|
4
|
+
def client_options
|
|
5
|
+
if @info['role_arn']
|
|
6
|
+
client_assume_role_config
|
|
7
|
+
else
|
|
8
|
+
client_default_options
|
|
9
|
+
end
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
# Typically, aws sdk client options are inferred from the user environment unless set in the backend.tf
|
|
13
|
+
#
|
|
14
|
+
# terraform s3 backend assume role configuration: https://www.terraform.io/docs/language/settings/backends/s3.html
|
|
15
|
+
#
|
|
16
|
+
# assume_role_duration_seconds - (Optional) Number of seconds to restrict the assume role session duration.
|
|
17
|
+
# assume_role_policy - (Optional) IAM Policy JSON describing further restricting permissions for the IAM Role being assumed.
|
|
18
|
+
# assume_role_policy_arns - (Optional) Set of Amazon Resource Names (ARNs) of IAM Policies describing further restricting permissions for the IAM Role being assumed.
|
|
19
|
+
# assume_role_tags - (Optional) Map of assume role session tags.
|
|
20
|
+
# assume_role_transitive_tag_keys - (Optional) Set of assume role session tag keys to pass to any subsequent sessions.
|
|
21
|
+
# external_id - (Optional) External identifier to use when assuming the role.
|
|
22
|
+
# role_arn - (Optional) Amazon Resource Name (ARN) of the IAM Role to assume.
|
|
23
|
+
# session_name - (Optional) Session name to use when assuming the role.
|
|
24
|
+
#
|
|
25
|
+
# ruby sdk: https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/AssumeRoleCredentials.html
|
|
26
|
+
#
|
|
27
|
+
# :role_arn (required, String)
|
|
28
|
+
# :role_session_name (required, String)
|
|
29
|
+
# :policy (String)
|
|
30
|
+
# :duration_seconds (Integer)
|
|
31
|
+
# :external_id (String)
|
|
32
|
+
# :client (STS::Client)
|
|
33
|
+
#
|
|
34
|
+
def client_assume_role_config
|
|
35
|
+
whitelist = %w[
|
|
36
|
+
assume_role_duration_seconds
|
|
37
|
+
assume_role_policy
|
|
38
|
+
session_name
|
|
39
|
+
external_id
|
|
40
|
+
role_arn
|
|
41
|
+
]
|
|
42
|
+
assume_role_config = @info.slice(*whitelist)
|
|
43
|
+
# not supported?
|
|
44
|
+
# assume_role_policy_arns
|
|
45
|
+
# assume_role_tags
|
|
46
|
+
# assume_role_transitive_tag_keys
|
|
47
|
+
# already matches
|
|
48
|
+
# external_id
|
|
49
|
+
# role_arn
|
|
50
|
+
# rest needs to be mapped
|
|
51
|
+
map = {
|
|
52
|
+
'assume_role_duration_seconds' => 'duration_seconds',
|
|
53
|
+
'assume_role_policy' => 'policy',
|
|
54
|
+
'session_name' => 'role_session_name',
|
|
55
|
+
}
|
|
56
|
+
map.each do |terraform_key, ruby_sdk_key|
|
|
57
|
+
v = assume_role_config.delete(terraform_key)
|
|
58
|
+
assume_role_config[ruby_sdk_key] = v if v
|
|
59
|
+
end
|
|
60
|
+
assume_role_config.symbolize_keys! # ruby sdk expects symbols for keys
|
|
61
|
+
assume_role_config[:role_session_name] ||= [ENV['C9_USER'] || ENV['USER'], 'session'].compact.join('-') # session name is required for the ruby sdk
|
|
62
|
+
# options = {client: Aws::STS::Client.new(client_region_option)}
|
|
63
|
+
options = {}
|
|
64
|
+
options.merge!(assume_role_config)
|
|
65
|
+
role_credentials = Aws::AssumeRoleCredentials.new(options)
|
|
66
|
+
{credentials: role_credentials}
|
|
67
|
+
end
|
|
68
|
+
|
|
69
|
+
# terraform s3 backend configuration: https://www.terraform.io/docs/language/settings/backends/s3.html
|
|
70
|
+
#
|
|
71
|
+
# access_key - (Optional) AWS access key. If configured, must also configure secret_key. This can also be sourced from the AWS_ACCESS_KEY_ID environment variable, AWS shared credentials file (e.g. ~/.aws/credentials), or AWS shared configuration file (e.g. ~/.aws/config).
|
|
72
|
+
# secret_key - (Optional) AWS access key. If configured, must also configure access_key. This can also be sourced from the AWS_SECRET_ACCESS_KEY environment variable, AWS shared credentials file (e.g. ~/.aws/credentials), or AWS shared configuration file (e.g. ~/.aws/config).
|
|
73
|
+
#
|
|
74
|
+
# ruby sdk: https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/Credentials.html
|
|
75
|
+
#
|
|
76
|
+
# access_key_id (String)
|
|
77
|
+
# secret_access_key (String)
|
|
78
|
+
# session_token (String) (defaults to: nil) — (nil)
|
|
79
|
+
#
|
|
80
|
+
def client_default_options
|
|
81
|
+
whitelist = %w[
|
|
82
|
+
access_key_id
|
|
83
|
+
secret_access_key
|
|
84
|
+
session_token
|
|
85
|
+
profile
|
|
86
|
+
]
|
|
87
|
+
options = @info.slice(*whitelist)
|
|
88
|
+
options.symbolize_keys! # ruby sdk expects symbols for keys
|
|
89
|
+
client_region_option.merge(options)
|
|
90
|
+
end
|
|
91
|
+
|
|
92
|
+
def client_region_option
|
|
93
|
+
if @info['region']
|
|
94
|
+
{region: @info['region']}
|
|
95
|
+
else
|
|
96
|
+
{}
|
|
97
|
+
end
|
|
98
|
+
end
|
|
99
|
+
end
|
|
100
|
+
end
|
|
@@ -6,6 +6,7 @@ require "aws-sdk-ssm"
|
|
|
6
6
|
module TerraspacePluginAws
|
|
7
7
|
module Clients
|
|
8
8
|
extend Memoist
|
|
9
|
+
include Options
|
|
9
10
|
|
|
10
11
|
def s3
|
|
11
12
|
Aws::S3::Client.new(client_options)
|
|
@@ -26,14 +27,5 @@ module TerraspacePluginAws
|
|
|
26
27
|
Aws::DynamoDB::Client.new(client_options)
|
|
27
28
|
end
|
|
28
29
|
memoize :dynamodb
|
|
29
|
-
|
|
30
|
-
# Typically inferred from AWS_REGION unless set in the backend.tf
|
|
31
|
-
def client_options
|
|
32
|
-
if @info['region']
|
|
33
|
-
{region: @info['region']}
|
|
34
|
-
else
|
|
35
|
-
{}
|
|
36
|
-
end
|
|
37
|
-
end
|
|
38
30
|
end
|
|
39
31
|
end
|
|
@@ -2,6 +2,27 @@ require "s3-secure"
|
|
|
2
2
|
|
|
3
3
|
class TerraspacePluginAws::Interfaces::Backend::Bucket
|
|
4
4
|
module Secure
|
|
5
|
+
# Why the retry logic?
|
|
6
|
+
#
|
|
7
|
+
# When using profile or role_arn in the terraform backend it the ruby aws sdk
|
|
8
|
+
# assumes the profile or role.
|
|
9
|
+
# In doing so, it errors when the s3-secure library calls s3_client.get_bucket_location
|
|
10
|
+
#
|
|
11
|
+
# https://github.com/boltops-tools/s3-secure/blob/d2c8e9eba745a75d094a3c566bd5fe47476d3638/lib/s3_secure/aws_services/s3.rb#L43
|
|
12
|
+
#
|
|
13
|
+
# Here's an example stack trace of the error:
|
|
14
|
+
#
|
|
15
|
+
# https://gist.github.com/tongueroo/dd74b67c17433c6f8dd890225104aef9
|
|
16
|
+
#
|
|
17
|
+
# Unsure if this is a terraform backend interfering with the ruby sdk thing (unlikely)
|
|
18
|
+
# Or if it's a general AWS sdk thing.
|
|
19
|
+
# Or if it's how I'm calling the sdk and initializing the client. Maybe an initializing the client early on and it caches it.
|
|
20
|
+
# Unsure. But using this hack instead because life's short.
|
|
21
|
+
#
|
|
22
|
+
# Throwing the retry logic in here fixes the issue. This only happens the when the bucket is brand new.
|
|
23
|
+
# Limiting the retry to only a single attempt.
|
|
24
|
+
#
|
|
25
|
+
@@retries = 0
|
|
5
26
|
def secure(bucket)
|
|
6
27
|
c = TerraspacePluginAws::Interfaces::Config.instance.config.s3
|
|
7
28
|
options = {bucket: bucket, quiet: true}
|
|
@@ -10,6 +31,9 @@ class TerraspacePluginAws::Interfaces::Backend::Bucket
|
|
|
10
31
|
S3Secure::Versioning::Enable.new(options).run if c.versioning
|
|
11
32
|
S3Secure::Lifecycle::Add.new(options).run if c.lifecycle
|
|
12
33
|
S3Secure::AccessLogs::Enable.new(options).run if c.access_logging
|
|
34
|
+
rescue Aws::S3::Errors::AccessDenied => e
|
|
35
|
+
@@retries += 1
|
|
36
|
+
retry unless @@retries > 1
|
|
13
37
|
end
|
|
14
38
|
end
|
|
15
39
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: terraspace_plugin_aws
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.3.
|
|
4
|
+
version: 0.3.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Tung Nguyen
|
|
@@ -167,6 +167,7 @@ files:
|
|
|
167
167
|
- lib/terraspace_plugin_aws.rb
|
|
168
168
|
- lib/terraspace_plugin_aws/autoloader.rb
|
|
169
169
|
- lib/terraspace_plugin_aws/clients.rb
|
|
170
|
+
- lib/terraspace_plugin_aws/clients/options.rb
|
|
170
171
|
- lib/terraspace_plugin_aws/interfaces/backend.rb
|
|
171
172
|
- lib/terraspace_plugin_aws/interfaces/backend/base.rb
|
|
172
173
|
- lib/terraspace_plugin_aws/interfaces/backend/bucket.rb
|