terraspace_plugin_aws 0.3.2 → 0.3.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: eb8991c0ca2191cc5ec5d81a91afb2e1db4f7a7bdc8b1542d7e662ee55be2e05
-  data.tar.gz: f7bf38b1edc49e949643a9df6e70b0826ca5336c18e790513e094054a39ef09c
+  metadata.gz: cdced79235a57025ab37b33dbdf98d9146caffaa4f3eac5f40b2a657a99ea3ca
+  data.tar.gz: 154369a87b3ffb7fb8290a4b3564108b976e1f7826b0f36fa737b88050e4755c
 SHA512:
-  metadata.gz: 4850daa5645efdde37d39ee36fc826bd82993c084d0deabafe83cbd7f182ce630e01d9b5cd7bcde45c366d1e9beeb766cd3f97f411723f9d843a861c4e0a62e5
-  data.tar.gz: e0229d052f5fb491562683391cec533cddb47cc453d08795200101f20e2b408f51241e1ebe73b4cd5622a5640df06d6236727e4345ae55512e98555f8f95305e
+  metadata.gz: 42ebf3fabea658ddb1876aaefa972888e2d2b958239eed92ad9ad9dd3a4d23dea83d67beefbdce28512585a3ceecdb7f904dc08ce8ce87859dcd3e354ada313e
+  data.tar.gz: 84c6a6dc52b9f645f5dab2ab1284eccca1d152034106b4a694f42294149d441aaa5bffc0e67cc37e17c5d990758396dadef0761617a3a606372ecc25954d5ea3

data/CHANGELOG.md

@@ -3,6 +3,20 @@
 All notable changes to this project will be documented in this file.
 This project *loosely tries* to adhere to [Semantic Versioning](http://semver.org/).
 
+## [0.3.6] - 2022-01-04
+- [#17](https://github.com/boltops-tools/terraspace_plugin_aws/pull/17) aws_secret and aws_ssm: support expansion automatically
+
+## [0.3.5] - 2021-12-30
+- [#15](https://github.com/boltops-tools/terraspace_plugin_aws/pull/15) block public access support
+- [#16](https://github.com/boltops-tools/terraspace_plugin_aws/pull/16) tagging support for s3 bucket and dynamodb table
+
+## [0.3.4] - 2021-12-30
+- [#13](https://github.com/boltops-tools/terraspace_plugin_aws/pull/13) check aws setup and provide friendly message
+- [#14](https://github.com/boltops-tools/terraspace_plugin_aws/pull/14) fix aws_secret helper
+
+## [0.3.3] - 2021-12-14
+- [#10](https://github.com/boltops-tools/terraspace_plugin_aws/pull/10) implement expand_string? to not expand aws arn values
+
 ## [0.3.2] - 2021-12-14
 - [#9](https://github.com/boltops-tools/terraspace_plugin_aws/pull/9) support separate aws account for s3 backend bucket
 

data/README.md

@@ -1,5 +1,7 @@
 # Terraspace AWS Plugin
 
+[![BoltOps Badge](https://img.boltops.com/boltops/badges/boltops-badge.png)](https://www.boltops.com)
+
 AWS Cloud support for terraspace.
 
 ## Installation
@@ -12,6 +14,8 @@ gem 'terraspace_plugin_aws'
 
 ## Configure
 
+Terraspace Docs: [AWS Terraspace Plugin](https://terraspace.cloud/docs/plugins/aws/)
+
 Optionally configure the plugin. Here's an example `aws.rb` for your terraspace project.
 
 config/plugins/aws.rb

data/lib/terraspace_plugin_aws/clients/options.rb

@@ -2,8 +2,9 @@ module TerraspacePluginAws::Clients
   module Options
   private
     def client_options
+      return {} unless @info # aws_secret helper wont have @info
       if @info['role_arn']
-        client_assume_role_config
+        client_assume_role_options
       else
         client_default_options
       end
@@ -31,7 +32,7 @@ module TerraspacePluginAws::Clients
     #     :external_id (String)
     #     :client (STS::Client)
     #
-    def client_assume_role_config
+    def client_assume_role_options
       whitelist = %w[
         assume_role_duration_seconds
         assume_role_policy
@@ -59,10 +60,7 @@ module TerraspacePluginAws::Clients
       end
       assume_role_config.symbolize_keys! # ruby sdk expects symbols for keys
       assume_role_config[:role_session_name] ||= [ENV['C9_USER'] || ENV['USER'], 'session'].compact.join('-') # session name is required for the ruby sdk
-      # options = {client: Aws::STS::Client.new(client_region_option)}
-      options = {}
-      options.merge!(assume_role_config)
-      role_credentials = Aws::AssumeRoleCredentials.new(options)
+      role_credentials = Aws::AssumeRoleCredentials.new(assume_role_config)
       {credentials: role_credentials}
     end
 

data/lib/terraspace_plugin_aws/clients.rb

@@ -23,6 +23,11 @@ module TerraspacePluginAws
     end
     memoize :ssm
 
+    def sts
+      Aws::STS::Client.new(client_options)
+    end
+    memoize :sts
+
     def dynamodb
       Aws::DynamoDB::Client.new(client_options)
     end

data/lib/terraspace_plugin_aws/interfaces/backend/bucket/secure.rb

@@ -31,6 +31,7 @@ class TerraspacePluginAws::Interfaces::Backend::Bucket
       S3Secure::Versioning::Enable.new(options).run if c.versioning
       S3Secure::Lifecycle::Add.new(options).run if c.lifecycle
       S3Secure::AccessLogs::Enable.new(options).run if c.access_logging
+      S3Secure::PublicAccess::Block.new(options).run if c.block_public_access
     rescue Aws::S3::Errors::AccessDenied => e
       @@retries += 1
       retry unless @@retries > 1

data/lib/terraspace_plugin_aws/interfaces/backend/bucket/tagging.rb

@@ -0,0 +1,44 @@
+class TerraspacePluginAws::Interfaces::Backend::Bucket
+  class Tagging
+    include TerraspacePluginAws::Clients
+    include TerraspacePluginAws::Logging
+
+    def initialize(bucket)
+      @bucket = bucket
+    end
+
+    def tag
+      return if tagging.nil? || tagging[:tag_set].empty? # safeguard: dont overwrite current tags
+      s3.put_bucket_tagging(bucket: @bucket, tagging: tagging)
+    end
+
+    # Merges existing tag_set structure so always appends tags, wont remove tags.
+    # This behavior is consistent with the dynamodb tagging.
+    #
+    # Example return:
+    #
+    #     {
+    #       tag_set: [
+    #         { key: "Key1", value: "Value1" },
+    #         { key: "Key2", value: "Value2" },
+    #       ],
+    #     }
+    #
+    def tagging
+      c = TerraspacePluginAws::Interfaces::Config.instance.config
+      tags = !c.s3.tags.empty? ? c.s3.tags : c.tags
+      tag_set = tags.map do |k,v|
+        {key: k.to_s, value: v}
+      end
+      return if tag_set == existing_tagging[:tag_set] # return nil so we can avoid the put_bucket_tagging call
+      tag_set += existing_tagging[:tag_set]
+      { tag_set: tag_set }
+    end
+
+    def existing_tagging
+      s3.get_bucket_tagging(bucket: @bucket).to_h
+    rescue Aws::S3::Errors::NoSuchTagSet
+      {tag_set: []} # normalize return structure
+    end
+  end
+end

data/lib/terraspace_plugin_aws/interfaces/backend/bucket.rb

@@ -10,12 +10,14 @@ class TerraspacePluginAws::Interfaces::Backend
       end
       if exist?(bucket)
         logger.debug "Bucket already exist: #{bucket}"
-        c = TerraspacePluginAws::Interfaces::Config.instance.config.s3
-        secure(bucket) if c.secure_existing
+        c = TerraspacePluginAws::Interfaces::Config.instance.config
+        secure(bucket) if c.s3.secure_existing
+        tag(bucket) if c.tag_existing
       else
         logger.info "Creating bucket: #{bucket}"
         s3.create_bucket(bucket: bucket)
         secure(bucket)
+        tag(bucket)
       end
     end
 
@@ -30,5 +32,9 @@ class TerraspacePluginAws::Interfaces::Backend
       logger.error "Bucket might be owned by someone else or is on another one of your AWS accounts."
       exit 1
     end
+
+    def tag(bucket)
+      Tagging.new(@info["bucket"]).tag
+    end
   end
 end

data/lib/terraspace_plugin_aws/interfaces/backend/setup.rb

@@ -0,0 +1,15 @@
+class TerraspacePluginAws::Interfaces::Backend
+  class Setup < Base
+    def check!
+      sts.get_caller_identity
+    rescue Aws::Errors::MissingCredentialsError => e
+      logger.info "ERROR: #{e.class}: #{e.message}".color(:red)
+      logger.info <<~EOL
+        It doesnt look like AWS credentials and access has been setup.
+        Please double check the AWS credentials setup.
+        IE: ~/.aws/config and the AWS_PROFILE env variable.
+      EOL
+      exit 1
+    end
+  end
+end

data/lib/terraspace_plugin_aws/interfaces/backend/table.rb

@@ -6,6 +6,8 @@ class TerraspacePluginAws::Interfaces::Backend
 
       if exist?(table)
         logger.debug "Table already exist: #{table}"
+        c = TerraspacePluginAws::Interfaces::Config.instance.config
+        tag_existing(table) if c.tag_existing
       else
         logger.info "Creating dynamodb table: #{table}"
         create_table(table)
@@ -36,6 +38,7 @@ class TerraspacePluginAws::Interfaces::Backend
         table_name: name,
       }
       secure(definition)
+      tag(definition)
       definition
     end
 
@@ -64,6 +67,29 @@ class TerraspacePluginAws::Interfaces::Backend
       definition
     end
 
+    def tag(definition)
+      definition[:tags] = tags unless tags.empty?
+    end
+
+    def tag_existing(table_name)
+      return if tags.empty?
+      resp = dynamodb.describe_table(table_name: table_name)
+      # Always appends tags, wont remove tags.
+      dynamodb.tag_resource(
+        resource_arn: resp.table.table_arn,
+        tags: tags
+      )
+    end
+
+    def tags
+      c = TerraspacePluginAws::Interfaces::Config.instance.config
+      tags = !c.dynamodb.tags.empty? ? c.dynamodb.tags : c.tags
+      # Note there is no map! method for Hash
+      tags = tags.map do |k,v|
+        {key: k.to_s, value: v}
+      end
+    end
+
     def exist?(name)
       dynamodb.describe_table(table_name: name)
       true  # table exist

data/lib/terraspace_plugin_aws/interfaces/backend.rb

@@ -6,6 +6,7 @@ module TerraspacePluginAws::Interfaces
     def call
       return unless TerraspacePluginAws.config.auto_create
 
+      Setup.new(@info).check!
       Bucket.new(@info).create
       Table.new(@info).create
     end

data/lib/terraspace_plugin_aws/interfaces/config.rb

@@ -14,19 +14,24 @@ module TerraspacePluginAws::Interfaces
       c = ActiveSupport::OrderedOptions.new
 
       c.auto_create = true
+      c.tags = {} # can set tags for both s3 bucket and dynamodb table with this config
+      c.tag_existing = true
 
       c.s3 = ActiveSupport::OrderedOptions.new
+      c.s3.access_logging = false
+      c.s3.block_public_access = true
       c.s3.encryption = true
       c.s3.enforce_ssl = true
-      c.s3.versioning = true
       c.s3.lifecycle = true
-      c.s3.access_logging = false
+      c.s3.versioning = true
       c.s3.secure_existing = false # run the security controls on existing buckets. by default, only run on newly created bucket the first time
+      c.s3.tags = {} # cannot assign to c.tags here because it's a copy
 
       c.dynamodb = ActiveSupport::OrderedOptions.new
       c.dynamodb.encryption = true
       c.dynamodb.kms_master_key_id = nil
       c.dynamodb.sse_type = "KMS"
+      c.dynamodb.tags = {} # cannot assign to c.tags here because it's a copy
 
       c
     end

data/lib/terraspace_plugin_aws/interfaces/expander.rb

@@ -10,5 +10,9 @@ module TerraspacePluginAws::Interfaces
     def aws_data
       $__aws_data ||= AwsData.new
     end
+
+    def expand_string?(string)
+      !string.include?("arn:")
+    end
   end
 end

data/lib/terraspace_plugin_aws/interfaces/helper/secret.rb

@@ -1,6 +1,7 @@
 module TerraspacePluginAws::Interfaces::Helper
   class Secret < SecretBase
     def fetch(secret_id)
+      secret_id = expansion(secret_id) if expand?
       value = fetch_value(secret_id)
       value = Base64.strict_encode64(value).strip if @base64
       value
@@ -13,6 +14,10 @@ module TerraspacePluginAws::Interfaces::Helper
       logger.info "WARN: secret_id #{secret_id} not found".color(:yellow)
       logger.info e.message
       "NOT FOUND #{secret_id}" # simple string so Kubernetes YAML is valid
+    rescue Aws::SecretsManager::Errors::ValidationException => e
+      logger.info "WARN: secret_id #{secret_id} not found".color(:yellow)
+      logger.info e.message
+      "INVALID NAME #{secret_id}" # simple string so tfvars valid
     end
   end
 end

data/lib/terraspace_plugin_aws/interfaces/helper/secret_base.rb

@@ -4,10 +4,23 @@ module TerraspacePluginAws::Interfaces::Helper
   class SecretBase
     include TerraspacePluginAws::Clients
     include TerraspacePluginAws::Logging
+    extend Memoist
 
-    def initialize(options={})
+    def initialize(mod, options={})
+      @mod = mod
       @options = options
       @base64 = options[:base64]
     end
+
+  private
+    delegate :expansion, to: :expander
+    def expander
+      TerraspacePluginAws::Interfaces::Expander.new(@mod)
+    end
+    memoize :expander
+
+    def expand?
+      !(@options[:expansion] == false || @options[:expand] == false)
+    end
   end
 end

data/lib/terraspace_plugin_aws/interfaces/helper/ssm.rb

@@ -1,6 +1,10 @@
 module TerraspacePluginAws::Interfaces::Helper
   class SSM < SecretBase
+    include Terraspace::Compiler::Dsl::Syntax::Mod::Backend
+    extend Memoist
+
     def fetch(name)
+      name = expansion(name) if expand?
       value = fetch_value(name)
       value = Base64.strict_encode64(value).strip if @base64
       value
@@ -13,6 +17,10 @@ module TerraspacePluginAws::Interfaces::Helper
       logger.info "WARN: name #{name} not found".color(:yellow)
       logger.info e.message
       "NOT FOUND #{name}" # simple string so tfvars valid
+    rescue Aws::SSM::Errors::ValidationException => e
+      logger.info "WARN: name #{name} not found".color(:yellow)
+      logger.info e.message
+      "INVALID NAME #{name}" # simple string so tfvars valid
     end
   end
 end

data/lib/terraspace_plugin_aws/interfaces/helper.rb

@@ -3,12 +3,12 @@ module TerraspacePluginAws::Interfaces
     include Terraspace::Plugin::Helper::Interface
 
     def aws_secret(name, options={})
-      Secret.new(options).fetch(name)
+      Secret.new(@mod, options).fetch(name)
     end
     cache_helper :aws_secret
 
     def aws_ssm(name, options={})
-      SSM.new(options).fetch(name)
+      SSM.new(@mod, options).fetch(name)
     end
     cache_helper :aws_ssm
   end

data/lib/terraspace_plugin_aws/version.rb

@@ -1,3 +1,3 @@
 module TerraspacePluginAws
-  VERSION = "0.3.2"
+  VERSION = "0.3.6"
 end

data/terraspace_plugin_aws.gemspec

@@ -28,6 +28,6 @@ Gem::Specification.new do |spec|
   spec.add_dependency "aws-sdk-ssm"
   spec.add_dependency "aws_data"
   spec.add_dependency "memoist"
-  spec.add_dependency "s3-secure"
+  spec.add_dependency "s3-secure", "~> 0.6.1"
   spec.add_dependency "zeitwerk"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: terraspace_plugin_aws
 version: !ruby/object:Gem::Version
-  version: 0.3.2
+  version: 0.3.6
 platform: ruby
 authors:
 - Tung Nguyen
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-12-14 00:00:00.000000000 Z
+date: 2022-01-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-dynamodb
@@ -98,16 +98,16 @@ dependencies:
   name: s3-secure
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.6.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.6.1
 - !ruby/object:Gem::Dependency
   name: zeitwerk
   requirement: !ruby/object:Gem::Requirement
@@ -172,6 +172,8 @@ files:
 - lib/terraspace_plugin_aws/interfaces/backend/base.rb
 - lib/terraspace_plugin_aws/interfaces/backend/bucket.rb
 - lib/terraspace_plugin_aws/interfaces/backend/bucket/secure.rb
+- lib/terraspace_plugin_aws/interfaces/backend/bucket/tagging.rb
+- lib/terraspace_plugin_aws/interfaces/backend/setup.rb
 - lib/terraspace_plugin_aws/interfaces/backend/table.rb
 - lib/terraspace_plugin_aws/interfaces/config.rb
 - lib/terraspace_plugin_aws/interfaces/decorator.rb