terraspace_plugin_azurerm 0.2.2 → 0.3.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b3ff4bc13ad8e73d40b985420c107ef791d652bde858092271a239715ec6b824
-  data.tar.gz: cdbc5ddac31c0c4fad5676ea802810fd9982f02a59f3347bf72d4e407f7abec7
+  metadata.gz: bfebfed0cf4e44986ab752e4ff8f642da04b3037b37c869811a49f4cdb6f4959
+  data.tar.gz: 7525c37602f54facae4281a53961a3531f8238aa2931e76cf11e0535a1042fe2
 SHA512:
-  metadata.gz: 878dc0469567622cd0bf3ef0c378ae5ba9962035511110fdb057892873d0d4e67cf0e00c2173cc52904ea9d2a58d7c2062b1bac8673a8dd45c03bb946e220149
-  data.tar.gz: f9f776fc7ad11500b9f29c57a141012b883295f59e25c67d7393d07a6dde2aadaf71f7e2322848bdf67ba5feaebce3553c49a4004632e83f9fc5026b965278bf
+  metadata.gz: 194ee7307c72d33dabab6067386240c32cadaa995fd064fc25aa9fc61a6027919fe33919afa6b1fc365daf915a7899ef36425516a5ba6ab81fb933143c266dd8
+  data.tar.gz: 4a7a9e4f831682a3e2b0d902537d6a9bab1fea6658dfad7f55115cadb1ea8552cc01ea3cb99e6803c90c1d5577ad8e8aed7fafa455d625d11fd38250ce6c5fd5

data/CHANGELOG.md

@@ -3,6 +3,19 @@
 All notable changes to this project will be documented in this file.
 This project *loosely tries* to adhere to [Semantic Versioning](http://semver.org/).
 
+## [0.3.2] - 2021-11-29
+- [#9](https://github.com/boltops-tools/terraspace_plugin_azurerm/pull/9) change starter resource_group_name to have env
+
+## [0.3.1] - 2021-04-15
+- update azure_info dependency
+
+## [0.3.0] - 2020-11-15
+- [#5](https://github.com/boltops-tools/terraspace_plugin_azurerm/pull/5) helper and secrets support
+- azure_secret helper
+
+## [0.2.3]
+- #4 validate env vars and use older storage client
+
 ## [0.2.2]
 - #3 fix test template
 

data/README.md

@@ -27,7 +27,7 @@ end
 
 By default, this plugin will automatically create the:
 
-* [resource group](Pluginazurerm)
+* [resource group](https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal)
 * [storage account](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-create?tabs=azure-portal)
 * [storage container](https://docs.microsoft.com/en-us/cli/azure/storage/container?view=azure-cli-latest#az-storage-container-create)
 
@@ -35,15 +35,17 @@ The settings generally only apply if the resource does not yet exist yet and is
 
 ## Environment Variables
 
-To create the Azure resources like [resource group](Pluginazurerm), [storage account](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-create?tabs=azure-portal), and [storage container](https://docs.microsoft.com/en-us/cli/azure/storage/container?view=azure-cli-latest#az-storage-container-create) these environment variables are required:
+To create the Azure resources like [resource group](https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal), [storage account](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-create?tabs=azure-portal), and [storage container](https://docs.microsoft.com/en-us/cli/azure/storage/container?view=azure-cli-latest#az-storage-container-create) these environment variables are required:
 
-    AZURE_CLIENT_ID
-    AZURE_CLIENT_SECRET
+    ARM_CLIENT_ID
+    ARM_CLIENT_SECRET
 
-There's other env variables can also be set, but are generally inferred.
+Other env variables can be optionally set:
 
-    AZURE_TENANT_ID
-    AZURE_SUBSCRIPTION_ID
+    ARM_TENANT_ID
+    ARM_SUBSCRIPTION_ID
+
+When not set, their values are inferred from the [az cli](https://docs.microsoft.com/en-us/cli/azure/) settings. For those interested, this is done with the [boltops-tools/azure_info](https://github.com/boltops-tools/azure_info) library.
 
 ## Contributing
 

data/lib/templates/hcl/project/config/terraform/backend.tf

@@ -2,7 +2,7 @@
 # This is useful because azure storage account names are not allowed special characters and are limited to 24 chars.
 terraform {
   backend "azurerm" {
-    resource_group_name  = "<%= expansion('terraform-resources-:LOCATION') %>"
+    resource_group_name  = "<%= expansion(':ENV-:LOCATION') %>"
     storage_account_name = "<%= expansion('ts:SUBSCRIPTION_HASH:LOCATION:ENV') %>"
     container_name       = "terraform-state"
     key                  = "<%= expansion(':LOCATION/:ENV/:BUILD_DIR/terraform.tfstate') %>"

data/lib/terraspace_plugin_azurerm/clients/options.rb

@@ -3,21 +3,49 @@ module TerraspacePluginAzurerm::Clients
     extend Memoist
 
     def client_options
-      client_id       = ENV['AZURE_CLIENT_ID']
-      client_secret   = ENV['AZURE_CLIENT_SECRET']
-      subscription_id = ENV['AZURE_SUBSCRIPTION_ID'] || AzureInfo.subscription_id
-      tenant_id       = ENV['AZURE_TENANT_ID'] || AzureInfo.tenant_id
+      o = base_client_options
+      o[:credentials] = credentials
+      o
+    end
+
+    def credentials
+      o = base_client_options
+      provider = MsRestAzure::ApplicationTokenProvider.new(o[:tenant_id], o[:client_id], o[:client_secret])
+      MsRest::TokenCredentials.new(provider)
+    end
 
-      provider = MsRestAzure::ApplicationTokenProvider.new(tenant_id, client_id, client_secret)
-      credentials = MsRest::TokenCredentials.new(provider)
+    def base_client_options
+      # AZURE_* is used by ruby generally.
+      # ARM_* is used by Terraform azurerm provider: https://www.terraform.io/docs/providers/azurerm/index.html
+      # Favor ARM_ because this plugin is designed for Terraspace.
+      client_id       = ENV['ARM_CLIENT_ID'] || ENV['AZURE_CLIENT_ID']
+      client_secret   = ENV['ARM_CLIENT_SECRET'] || ENV['AZURE_CLIENT_SECRET']
+      subscription_id = ENV['ARM_SUBSCRIPTION_ID'] || ENV['AZURE_SUBSCRIPTION_ID'] || AzureInfo.subscription_id
+      tenant_id       = ENV['ARM_TENANT_ID'] || ENV['AZURE_TENANT_ID'] || AzureInfo.tenant_id
 
-      {
+      o = {
         tenant_id: tenant_id,
         client_id: client_id,
         client_secret: client_secret,
         subscription_id: subscription_id,
-        credentials: credentials
       }
+      validate_base_options!(o)
+      o
+    end
+    memoize :base_client_options
+
+    def validate_base_options!(options)
+      vars = []
+      options.each do |k,v|
+        vars << "ARM_#{k}".upcase if v.nil?
+      end
+      return if vars.empty?
+
+      logger.error "ERROR: Required Azure env variables missing. Please set these env variables:".color(:red)
+      vars.each do |var|
+        logger.error "    #{var}"
+      end
+      exit 1
     end
   end
 end

data/lib/terraspace_plugin_azurerm/clients/storage.rb

@@ -6,8 +6,8 @@ module TerraspacePluginAzurerm::Clients
     extend Memoist
 
     # Include SDK modules to ease access to Storage classes.
-    include Azure::Storage::Profiles::Latest::Mgmt
-    include Azure::Storage::Profiles::Latest::Mgmt::Models
+    include Azure::Storage::Mgmt::V2019_06_01
+    include Azure::Storage::Mgmt::V2019_06_01::Models
 
     def storage_accounts
       mgmt.storage_accounts
@@ -19,7 +19,9 @@ module TerraspacePluginAzurerm::Clients
     memoize :blob_containers
 
     def mgmt
-      Client.new(client_options)
+      client = StorageManagementClient.new(credentials)
+      client.subscription_id = client_options[:subscription_id]
+      client
     end
     memoize :mgmt
   end

data/lib/terraspace_plugin_azurerm/interfaces/backend/storage_container.rb

@@ -1,7 +1,6 @@
 class TerraspacePluginAzurerm::Interfaces::Backend
   class StorageContainer < Base
     include TerraspacePluginAzurerm::Clients::Storage
-    extend Memoist
 
     def create
       if exist?

data/lib/terraspace_plugin_azurerm/interfaces/config.rb

@@ -15,12 +15,12 @@ module TerraspacePluginAzurerm::Interfaces
       c = ActiveSupport::OrderedOptions.new
       c.auto_create = true
       c.location = nil # AzureInfo.location not assigned here so it can be lazily inferred
-
+      c.secrets = ActiveSupport::OrderedOptions.new
+      c.secrets.vault = nil
       c.storage_account = ActiveSupport::OrderedOptions.new
       c.storage_account.sku = ActiveSupport::OrderedOptions.new
       c.storage_account.sku.name = "Standard_LRS"
       c.storage_account.sku.tier = "Standard"
-
       c
     end
   end

data/lib/terraspace_plugin_azurerm/interfaces/helper/secret/fetcher.rb

@@ -0,0 +1,112 @@
+require "net/http"
+
+class TerraspacePluginAzurerm::Interfaces::Helper::Secret
+  class Fetcher
+    class Error < StandardError; end
+    class VaultNotFoundError < Error; end
+
+    include TerraspacePluginAzurerm::Logging
+    include TerraspacePluginAzurerm::Clients::Options
+
+    def initialize
+      o = base_client_options
+      @client_id     = o[:client_id]
+      @client_secret = o[:client_secret]
+      @tenant_id     = o[:tenant_id]
+    end
+
+    def fetch(name, opts={})
+      opts[:vault] ||= TerraspacePluginAzurerm.config.secrets.vault
+      get_secret(name, opts)
+    end
+
+    def get_secret(name, vault: nil, version: nil)
+      unless token
+        return "ERROR: Unable to authorize and get the temporary token. Double check your ARM_ env variables."
+      end
+
+      version = "/#{version}" if version
+      vault_subdomain = vault.downcase
+      # Using Azure REST API since the old gem doesnt support secrets https://github.com/Azure/azure-sdk-for-ruby
+      # https://docs.microsoft.com/en-us/rest/api/keyvault/getsecret/getsecret
+      url = "https://#{vault_subdomain}.vault.azure.net/secrets/#{name}#{version}?api-version=7.1"
+      uri = URI(url)
+      req = Net::HTTP::Get.new(uri)
+      req["Authorization"] = token
+      req["Content-Type"] = "application/json"
+
+      resp = nil
+      begin
+        resp = send_request(uri, req)
+      rescue VaultNotFoundError
+        message = "WARN: Vault not found #{vault}"
+        logger.info message.color(:yellow)
+        return message
+      end
+
+      case resp.code.to_s
+      when /^2/
+        data = JSON.load(resp.body)
+        data['value']
+      else
+        message = standard_error_message(resp)
+        logger.info "WARN: #{message}".color(:yellow)
+        message
+      end
+    end
+
+    def send_request(uri, req)
+      http = Net::HTTP.new(uri.host, uri.port)
+      http.open_timeout = http.read_timeout = 30
+      http.use_ssl = true if uri.scheme == 'https'
+
+      begin
+        http.request(req) # response
+      rescue SocketError => e
+        # SocketError: Failed to open TCP connection to MISSING-VAULT.vault.azure.net:443 (getaddrinfo: Name or service not known)
+        if e.message.include?("vault.azure.net")
+          raise VaultNotFoundError.new(e)
+        else
+          raise
+        end
+      end
+    end
+
+    # Secret error handling: 1. network 2. json parse 3. missing secret
+    #
+    # Azure API responses with decent error message when
+    #   403 Forbidden - KeyVault Access Policy needs to be set up
+    #   404 Not Found - Secret name is incorrect
+    #
+    def standard_error_message(resp)
+      data = JSON.load(resp.body)
+      data['error']['message']
+    rescue JSON::ParserError
+      resp.body
+    end
+
+    @@token = nil
+    def token
+      return @@token unless @@token.nil?
+      url = "https://login.microsoftonline.com/#{@tenant_id}/oauth2/token"
+      uri = URI(url)
+      req = Net::HTTP::Get.new(uri)
+      req.set_form_data(
+        grant_type: "client_credentials",
+        client_id: @client_id,
+        client_secret: @client_secret,
+        resource: "https://vault.azure.net",
+      )
+      resp = send_request(uri, req)
+      data = JSON.load(resp.body)
+      if resp.code =~ /^2/
+        @@token = "Bearer #{data['access_token']}" if data
+      else
+        logger.info "WARN: #{data['error_description']}".color(:yellow)
+        # return false otherwise error message is used as the bearer toke and get this error:
+        # ArgumentError: header field value cannot include CR/LF
+        @@token = false
+      end
+    end
+  end
+end

data/lib/terraspace_plugin_azurerm/interfaces/helper/secret.rb

@@ -0,0 +1,26 @@
+require "base64"
+
+module TerraspacePluginAzurerm::Interfaces::Helper
+  class Secret
+    extend Memoist
+    include TerraspacePluginAzurerm::Logging
+    include TerraspacePluginAzurerm::Clients::Options
+
+    def initialize(options={})
+      @options = options
+      @base64 = options[:base64]
+    end
+
+    # opts: version, vault
+    def fetch(name, opts={})
+      value = fetcher.fetch(name, opts)
+      value = Base64.strict_encode64(value).strip if @base64
+      value
+    end
+
+    def fetcher
+      Fetcher.new
+    end
+    memoize :fetcher
+  end
+end

data/lib/terraspace_plugin_azurerm/interfaces/helper.rb

@@ -0,0 +1,10 @@
+module TerraspacePluginAzurerm::Interfaces
+  module Helper
+    include Terraspace::Plugin::Helper::Interface
+
+    def azure_secret(name, options={})
+      Secret.new(options).fetch(name, options)
+    end
+    cache_helper :azure_secret
+  end
+end

data/lib/terraspace_plugin_azurerm/logging.rb

@@ -0,0 +1,7 @@
+module TerraspacePluginAzurerm
+  module Logging
+    def logger
+      Terraspace.logger
+    end
+  end
+end

data/lib/terraspace_plugin_azurerm/version.rb

@@ -1,3 +1,3 @@
 module TerraspacePluginAzurerm
-  VERSION = "0.2.2"
+  VERSION = "0.3.2"
 end

data/lib/terraspace_plugin_azurerm.rb

@@ -23,12 +23,22 @@ module TerraspacePluginAzurerm
     Interfaces::Config.instance.config
   end
 
+  @@logger = nil
+  def logger
+    @@logger ||= Terraspace.logger
+  end
+
+  def logger=(v)
+    @@logger = v
+  end
+
   extend self
 end
 
 Terraspace::Plugin.register("azurerm",
   backend: "azurerm",
   config_class: TerraspacePluginAzurerm::Interfaces::Config,
+  helper_class: TerraspacePluginAzurerm::Interfaces::Helper,
   layer_class: TerraspacePluginAzurerm::Interfaces::Layer,
   root: File.dirname(__dir__),
 )

data/terraspace_plugin_azurerm.gemspec

@@ -23,7 +23,7 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_dependency "azure-storage-blob"
-  spec.add_dependency "azure_info"
+  spec.add_dependency "azure_info", "~> 0.1.2"
   spec.add_dependency "azure_mgmt_resources"
   spec.add_dependency "azure_mgmt_storage"
   spec.add_dependency "memoist"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: terraspace_plugin_azurerm
 version: !ruby/object:Gem::Version
-  version: 0.2.2
+  version: 0.3.2
 platform: ruby
 authors:
 - Tung Nguyen
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-09-20 00:00:00.000000000 Z
+date: 2021-11-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: azure-storage-blob
@@ -28,16 +28,16 @@ dependencies:
   name: azure_info
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.1.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.1.2
 - !ruby/object:Gem::Dependency
   name: azure_mgmt_resources
   requirement: !ruby/object:Gem::Requirement
@@ -151,8 +151,12 @@ files:
 - lib/terraspace_plugin_azurerm/interfaces/backend/storage_container.rb
 - lib/terraspace_plugin_azurerm/interfaces/config.rb
 - lib/terraspace_plugin_azurerm/interfaces/expander.rb
+- lib/terraspace_plugin_azurerm/interfaces/helper.rb
+- lib/terraspace_plugin_azurerm/interfaces/helper/secret.rb
+- lib/terraspace_plugin_azurerm/interfaces/helper/secret/fetcher.rb
 - lib/terraspace_plugin_azurerm/interfaces/layer.rb
 - lib/terraspace_plugin_azurerm/interfaces/summary.rb
+- lib/terraspace_plugin_azurerm/logging.rb
 - lib/terraspace_plugin_azurerm/version.rb
 - terraspace_plugin_azurerm.gemspec
 homepage: https://github.com/boltops-tools/terraspace_plugin_azurerm
@@ -175,7 +179,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.1.6
 signing_key: 
 specification_version: 4
 summary: Terraspace Azurerm Cloud Plugin