terraspace_plugin_aws 0.3.3 → 0.3.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9a3326332a1832e221e9962a51532ec8a6af56b9907b5bb7fa8cb6f3589d73cf
-  data.tar.gz: a615e24bcc2e831e52170665223eba3d714605b4f75fee2486c236d03fc112f6
+  metadata.gz: 1f6548d387f1353c70c8d7ce848f22f5e77f3cc0e9c2aaa19c9357c724b77ce9
+  data.tar.gz: 140d53ddb0ee7688a90b8acc04189d48079c88685d9d296420b8df3e5b9f05bd
 SHA512:
-  metadata.gz: cb39b0df24421a04fbf3bbd0892ba77f151ab248906c44ea6a0ea4de8067bbe7cd70fdc7857d73e008efabe3458467a41e50a866121ed42ce39eb9a0a22636e1
-  data.tar.gz: 90d815348cfd459edc71812c3d7ef5ae41007d7f9ea73c0dfb6be53d9212a2c1500cb4bc413645b73dccedbebb58ddc35628499bd80b9be0cbc20346ea965d27
+  metadata.gz: f920f7e43bb2fdd470ddbf1a12c906f0d76b4630070f466929d01941c82daead85cb7a5f955d9ca9dad129cbd144f91c81e9a6c4f7e84dbdd58585cf99c83e51
+  data.tar.gz: e61f88175f512a64687521f8cbc78b484702e2367d6c0eb65e40ef2a4a019a68ca54487b145787cfa525870437ff59aac61b459b735468759ec1d388a5ec02a9

data/CHANGELOG.md

@@ -3,6 +3,20 @@
 All notable changes to this project will be documented in this file.
 This project *loosely tries* to adhere to [Semantic Versioning](http://semver.org/).
 
+## [0.3.7] - 2022-02-15
+- [#18](https://github.com/boltops-tools/terraspace_plugin_aws/pull/18) update starter s3 bucket example to work with terraform aws provider v4
+
+## [0.3.6] - 2022-01-04
+- [#17](https://github.com/boltops-tools/terraspace_plugin_aws/pull/17) aws_secret and aws_ssm: support expansion automatically
+
+## [0.3.5] - 2021-12-30
+- [#15](https://github.com/boltops-tools/terraspace_plugin_aws/pull/15) block public access support
+- [#16](https://github.com/boltops-tools/terraspace_plugin_aws/pull/16) tagging support for s3 bucket and dynamodb table
+
+## [0.3.4] - 2021-12-30
+- [#13](https://github.com/boltops-tools/terraspace_plugin_aws/pull/13) check aws setup and provide friendly message
+- [#14](https://github.com/boltops-tools/terraspace_plugin_aws/pull/14) fix aws_secret helper
+
 ## [0.3.3] - 2021-12-14
 - [#10](https://github.com/boltops-tools/terraspace_plugin_aws/pull/10) implement expand_string? to not expand aws arn values
 

data/README.md

@@ -1,5 +1,7 @@
 # Terraspace AWS Plugin
 
+[![BoltOps Badge](https://img.boltops.com/boltops/badges/boltops-badge.png)](https://www.boltops.com)
+
 AWS Cloud support for terraspace.
 
 ## Installation
@@ -12,6 +14,8 @@ gem 'terraspace_plugin_aws'
 
 ## Configure
 
+Terraspace Docs: [AWS Terraspace Plugin](https://terraspace.cloud/docs/plugins/aws/)
+
 Optionally configure the plugin. Here's an example `aws.rb` for your terraspace project.
 
 config/plugins/aws.rb

data/lib/templates/hcl/module/main.tf

@@ -1,4 +1,8 @@
 resource "aws_s3_bucket" "this" {
   bucket = var.bucket # If omitted, Terraform will assign a random, unique name.
-  acl =    var.acl
+}
+
+resource "aws_s3_bucket_acl" "this" {
+  bucket = aws_s3_bucket.this.id
+  acl    = var.acl
 }

data/lib/templates/ruby/module/main.rb

@@ -1,4 +1,8 @@
 resource("aws_s3_bucket", "this",
   bucket: var.bucket, # If omitted, Terraform will assign a random, unique name.
+)
+
+resource("aws_s3_bucket_acl", "this",
+  bucket: "${aws_s3_bucket.this.id}",
   acl:    var.acl,
 )

data/lib/terraspace_plugin_aws/clients/options.rb

@@ -2,8 +2,9 @@ module TerraspacePluginAws::Clients
   module Options
   private
     def client_options
+      return {} unless @info # aws_secret helper wont have @info
       if @info['role_arn']
-        client_assume_role_config
+        client_assume_role_options
       else
         client_default_options
       end
@@ -31,7 +32,7 @@ module TerraspacePluginAws::Clients
     #     :external_id (String)
     #     :client (STS::Client)
     #
-    def client_assume_role_config
+    def client_assume_role_options
       whitelist = %w[
         assume_role_duration_seconds
         assume_role_policy
@@ -59,10 +60,7 @@ module TerraspacePluginAws::Clients
       end
       assume_role_config.symbolize_keys! # ruby sdk expects symbols for keys
       assume_role_config[:role_session_name] ||= [ENV['C9_USER'] || ENV['USER'], 'session'].compact.join('-') # session name is required for the ruby sdk
-      # options = {client: Aws::STS::Client.new(client_region_option)}
-      options = {}
-      options.merge!(assume_role_config)
-      role_credentials = Aws::AssumeRoleCredentials.new(options)
+      role_credentials = Aws::AssumeRoleCredentials.new(assume_role_config)
       {credentials: role_credentials}
     end
 

data/lib/terraspace_plugin_aws/clients.rb

@@ -23,6 +23,11 @@ module TerraspacePluginAws
     end
     memoize :ssm
 
+    def sts
+      Aws::STS::Client.new(client_options)
+    end
+    memoize :sts
+
     def dynamodb
       Aws::DynamoDB::Client.new(client_options)
     end

data/lib/terraspace_plugin_aws/interfaces/backend/bucket/secure.rb

@@ -31,6 +31,7 @@ class TerraspacePluginAws::Interfaces::Backend::Bucket
       S3Secure::Versioning::Enable.new(options).run if c.versioning
       S3Secure::Lifecycle::Add.new(options).run if c.lifecycle
       S3Secure::AccessLogs::Enable.new(options).run if c.access_logging
+      S3Secure::PublicAccess::Block.new(options).run if c.block_public_access
     rescue Aws::S3::Errors::AccessDenied => e
       @@retries += 1
       retry unless @@retries > 1

data/lib/terraspace_plugin_aws/interfaces/backend/bucket/tagging.rb

@@ -0,0 +1,44 @@
+class TerraspacePluginAws::Interfaces::Backend::Bucket
+  class Tagging
+    include TerraspacePluginAws::Clients
+    include TerraspacePluginAws::Logging
+
+    def initialize(bucket)
+      @bucket = bucket
+    end
+
+    def tag
+      return if tagging.nil? || tagging[:tag_set].empty? # safeguard: dont overwrite current tags
+      s3.put_bucket_tagging(bucket: @bucket, tagging: tagging)
+    end
+
+    # Merges existing tag_set structure so always appends tags, wont remove tags.
+    # This behavior is consistent with the dynamodb tagging.
+    #
+    # Example return:
+    #
+    #     {
+    #       tag_set: [
+    #         { key: "Key1", value: "Value1" },
+    #         { key: "Key2", value: "Value2" },
+    #       ],
+    #     }
+    #
+    def tagging
+      c = TerraspacePluginAws::Interfaces::Config.instance.config
+      tags = !c.s3.tags.empty? ? c.s3.tags : c.tags
+      tag_set = tags.map do |k,v|
+        {key: k.to_s, value: v}
+      end
+      return if tag_set == existing_tagging[:tag_set] # return nil so we can avoid the put_bucket_tagging call
+      tag_set += existing_tagging[:tag_set]
+      { tag_set: tag_set }
+    end
+
+    def existing_tagging
+      s3.get_bucket_tagging(bucket: @bucket).to_h
+    rescue Aws::S3::Errors::NoSuchTagSet
+      {tag_set: []} # normalize return structure
+    end
+  end
+end

data/lib/terraspace_plugin_aws/interfaces/backend/bucket.rb

@@ -10,12 +10,14 @@ class TerraspacePluginAws::Interfaces::Backend
       end
       if exist?(bucket)
         logger.debug "Bucket already exist: #{bucket}"
-        c = TerraspacePluginAws::Interfaces::Config.instance.config.s3
-        secure(bucket) if c.secure_existing
+        c = TerraspacePluginAws::Interfaces::Config.instance.config
+        secure(bucket) if c.s3.secure_existing
+        tag(bucket) if c.tag_existing
       else
         logger.info "Creating bucket: #{bucket}"
         s3.create_bucket(bucket: bucket)
         secure(bucket)
+        tag(bucket)
       end
     end
 
@@ -30,5 +32,9 @@ class TerraspacePluginAws::Interfaces::Backend
       logger.error "Bucket might be owned by someone else or is on another one of your AWS accounts."
       exit 1
     end
+
+    def tag(bucket)
+      Tagging.new(@info["bucket"]).tag
+    end
   end
 end

data/lib/terraspace_plugin_aws/interfaces/backend/setup.rb

@@ -0,0 +1,15 @@
+class TerraspacePluginAws::Interfaces::Backend
+  class Setup < Base
+    def check!
+      sts.get_caller_identity
+    rescue Aws::Errors::MissingCredentialsError => e
+      logger.info "ERROR: #{e.class}: #{e.message}".color(:red)
+      logger.info <<~EOL
+        It doesnt look like AWS credentials and access has been setup.
+        Please double check the AWS credentials setup.
+        IE: ~/.aws/config and the AWS_PROFILE env variable.
+      EOL
+      exit 1
+    end
+  end
+end

data/lib/terraspace_plugin_aws/interfaces/backend/table.rb

@@ -6,6 +6,8 @@ class TerraspacePluginAws::Interfaces::Backend
 
       if exist?(table)
         logger.debug "Table already exist: #{table}"
+        c = TerraspacePluginAws::Interfaces::Config.instance.config
+        tag_existing(table) if c.tag_existing
       else
         logger.info "Creating dynamodb table: #{table}"
         create_table(table)
@@ -36,6 +38,7 @@ class TerraspacePluginAws::Interfaces::Backend
         table_name: name,
       }
       secure(definition)
+      tag(definition)
       definition
     end
 
@@ -64,6 +67,29 @@ class TerraspacePluginAws::Interfaces::Backend
       definition
     end
 
+    def tag(definition)
+      definition[:tags] = tags unless tags.empty?
+    end
+
+    def tag_existing(table_name)
+      return if tags.empty?
+      resp = dynamodb.describe_table(table_name: table_name)
+      # Always appends tags, wont remove tags.
+      dynamodb.tag_resource(
+        resource_arn: resp.table.table_arn,
+        tags: tags
+      )
+    end
+
+    def tags
+      c = TerraspacePluginAws::Interfaces::Config.instance.config
+      tags = !c.dynamodb.tags.empty? ? c.dynamodb.tags : c.tags
+      # Note there is no map! method for Hash
+      tags = tags.map do |k,v|
+        {key: k.to_s, value: v}
+      end
+    end
+
     def exist?(name)
       dynamodb.describe_table(table_name: name)
       true  # table exist

data/lib/terraspace_plugin_aws/interfaces/backend.rb

@@ -6,6 +6,7 @@ module TerraspacePluginAws::Interfaces
     def call
       return unless TerraspacePluginAws.config.auto_create
 
+      Setup.new(@info).check!
       Bucket.new(@info).create
       Table.new(@info).create
     end

data/lib/terraspace_plugin_aws/interfaces/config.rb

@@ -14,19 +14,24 @@ module TerraspacePluginAws::Interfaces
       c = ActiveSupport::OrderedOptions.new
 
       c.auto_create = true
+      c.tags = {} # can set tags for both s3 bucket and dynamodb table with this config
+      c.tag_existing = true
 
       c.s3 = ActiveSupport::OrderedOptions.new
+      c.s3.access_logging = false
+      c.s3.block_public_access = true
       c.s3.encryption = true
       c.s3.enforce_ssl = true
-      c.s3.versioning = true
       c.s3.lifecycle = true
-      c.s3.access_logging = false
+      c.s3.versioning = true
       c.s3.secure_existing = false # run the security controls on existing buckets. by default, only run on newly created bucket the first time
+      c.s3.tags = {} # cannot assign to c.tags here because it's a copy
 
       c.dynamodb = ActiveSupport::OrderedOptions.new
       c.dynamodb.encryption = true
       c.dynamodb.kms_master_key_id = nil
       c.dynamodb.sse_type = "KMS"
+      c.dynamodb.tags = {} # cannot assign to c.tags here because it's a copy
 
       c
     end

data/lib/terraspace_plugin_aws/interfaces/helper/secret.rb

@@ -1,6 +1,7 @@
 module TerraspacePluginAws::Interfaces::Helper
   class Secret < SecretBase
     def fetch(secret_id)
+      secret_id = expansion(secret_id) if expand?
       value = fetch_value(secret_id)
       value = Base64.strict_encode64(value).strip if @base64
       value
@@ -13,6 +14,10 @@ module TerraspacePluginAws::Interfaces::Helper
       logger.info "WARN: secret_id #{secret_id} not found".color(:yellow)
       logger.info e.message
       "NOT FOUND #{secret_id}" # simple string so Kubernetes YAML is valid
+    rescue Aws::SecretsManager::Errors::ValidationException => e
+      logger.info "WARN: secret_id #{secret_id} not found".color(:yellow)
+      logger.info e.message
+      "INVALID NAME #{secret_id}" # simple string so tfvars valid
     end
   end
 end

data/lib/terraspace_plugin_aws/interfaces/helper/secret_base.rb

@@ -4,10 +4,23 @@ module TerraspacePluginAws::Interfaces::Helper
   class SecretBase
     include TerraspacePluginAws::Clients
     include TerraspacePluginAws::Logging
+    extend Memoist
 
-    def initialize(options={})
+    def initialize(mod, options={})
+      @mod = mod
       @options = options
       @base64 = options[:base64]
     end
+
+  private
+    delegate :expansion, to: :expander
+    def expander
+      TerraspacePluginAws::Interfaces::Expander.new(@mod)
+    end
+    memoize :expander
+
+    def expand?
+      !(@options[:expansion] == false || @options[:expand] == false)
+    end
   end
 end

data/lib/terraspace_plugin_aws/interfaces/helper/ssm.rb

@@ -1,6 +1,10 @@
 module TerraspacePluginAws::Interfaces::Helper
   class SSM < SecretBase
+    include Terraspace::Compiler::Dsl::Syntax::Mod::Backend
+    extend Memoist
+
     def fetch(name)
+      name = expansion(name) if expand?
       value = fetch_value(name)
       value = Base64.strict_encode64(value).strip if @base64
       value
@@ -13,6 +17,10 @@ module TerraspacePluginAws::Interfaces::Helper
       logger.info "WARN: name #{name} not found".color(:yellow)
       logger.info e.message
       "NOT FOUND #{name}" # simple string so tfvars valid
+    rescue Aws::SSM::Errors::ValidationException => e
+      logger.info "WARN: name #{name} not found".color(:yellow)
+      logger.info e.message
+      "INVALID NAME #{name}" # simple string so tfvars valid
     end
   end
 end

data/lib/terraspace_plugin_aws/interfaces/helper.rb

@@ -3,12 +3,12 @@ module TerraspacePluginAws::Interfaces
     include Terraspace::Plugin::Helper::Interface
 
     def aws_secret(name, options={})
-      Secret.new(options).fetch(name)
+      Secret.new(@mod, options).fetch(name)
     end
     cache_helper :aws_secret
 
     def aws_ssm(name, options={})
-      SSM.new(options).fetch(name)
+      SSM.new(@mod, options).fetch(name)
     end
     cache_helper :aws_ssm
   end

data/lib/terraspace_plugin_aws/version.rb

@@ -1,3 +1,3 @@
 module TerraspacePluginAws
-  VERSION = "0.3.3"
+  VERSION = "0.3.7"
 end

data/terraspace_plugin_aws.gemspec

@@ -28,6 +28,6 @@ Gem::Specification.new do |spec|
   spec.add_dependency "aws-sdk-ssm"
   spec.add_dependency "aws_data"
   spec.add_dependency "memoist"
-  spec.add_dependency "s3-secure"
+  spec.add_dependency "s3-secure", "~> 0.6.1"
   spec.add_dependency "zeitwerk"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: terraspace_plugin_aws
 version: !ruby/object:Gem::Version
-  version: 0.3.3
+  version: 0.3.7
 platform: ruby
 authors:
 - Tung Nguyen
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-12-14 00:00:00.000000000 Z
+date: 2022-02-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-dynamodb
@@ -98,16 +98,16 @@ dependencies:
   name: s3-secure
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.6.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.6.1
 - !ruby/object:Gem::Dependency
   name: zeitwerk
   requirement: !ruby/object:Gem::Requirement
@@ -172,6 +172,8 @@ files:
 - lib/terraspace_plugin_aws/interfaces/backend/base.rb
 - lib/terraspace_plugin_aws/interfaces/backend/bucket.rb
 - lib/terraspace_plugin_aws/interfaces/backend/bucket/secure.rb
+- lib/terraspace_plugin_aws/interfaces/backend/bucket/tagging.rb
+- lib/terraspace_plugin_aws/interfaces/backend/setup.rb
 - lib/terraspace_plugin_aws/interfaces/backend/table.rb
 - lib/terraspace_plugin_aws/interfaces/config.rb
 - lib/terraspace_plugin_aws/interfaces/decorator.rb