terraspace_plugin_azurerm 0.2.3 → 0.3.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3164712306e20fe0da2192f6e8168e7d19dc773f840f351f351bd3cd0c56fd76
-  data.tar.gz: 4e3a39f1aacad41a0806f5e9c81013119b58f11dc42b2d0ac791f9e0c4e44814
+  metadata.gz: 33dd9bb20fc1cc57ccd1e31f46e52621838ad043b118e67061b0c7b0bf96bf9c
+  data.tar.gz: c3721a61c30ad15870c1858ada72199380c9628572f80a3a0576750266a65b90
 SHA512:
-  metadata.gz: 005df536cf5d7b6ed59435e2560bce4924ecc8a0cf4be3a6c2ae294b711c160e435797a62758d476978d3be3914f10336d23c74a681f1b381bc6d820c68dbcae
-  data.tar.gz: 6c3169184cb1b3de048689ab79c9e860c6f9892c5c6ff74eca63db07010d2c6883e8a24d802d6d0d29d4b69d427243631fb66bc990c1e922fdbe9132cd4095cd
+  metadata.gz: 442becc7f22e2b5b3bf1dc6c621a1dd52af1d4696934c3e6fd9dfc83e4f5d723fb5b5aceb29d24ef47b5b7be939a2676d8d205f77422618a31c8f381ce5d468a
+  data.tar.gz: 3e10754d0616e4877c34435cf30da1452eb58cafa938d82d3326ded07670b01cf202d11410ea114a3bb21dc177acadaf9dc4a05b3a524108bb5865ad3fe16d62

data/CHANGELOG.md

@@ -3,6 +3,19 @@
 All notable changes to this project will be documented in this file.
 This project *loosely tries* to adhere to [Semantic Versioning](http://semver.org/).
 
+## [0.3.3] - 2022-01-04
+- [#10](https://github.com/boltops-tools/terraspace_plugin_azurerm/pull/10) azure_secret support expansion automatically
+
+## [0.3.2] - 2021-11-29
+- [#9](https://github.com/boltops-tools/terraspace_plugin_azurerm/pull/9) change starter resource_group_name to have env
+
+## [0.3.1] - 2021-04-15
+- update azure_info dependency
+
+## [0.3.0] - 2020-11-15
+- [#5](https://github.com/boltops-tools/terraspace_plugin_azurerm/pull/5) helper and secrets support
+- azure_secret helper
+
 ## [0.2.3]
 - #4 validate env vars and use older storage client
 

data/lib/templates/hcl/project/config/terraform/backend.tf

@@ -2,7 +2,7 @@
 # This is useful because azure storage account names are not allowed special characters and are limited to 24 chars.
 terraform {
   backend "azurerm" {
-    resource_group_name  = "<%= expansion('terraform-resources-:LOCATION') %>"
+    resource_group_name  = "<%= expansion(':ENV-:LOCATION') %>"
     storage_account_name = "<%= expansion('ts:SUBSCRIPTION_HASH:LOCATION:ENV') %>"
     container_name       = "terraform-state"
     key                  = "<%= expansion(':LOCATION/:ENV/:BUILD_DIR/terraform.tfstate') %>"

data/lib/terraspace_plugin_azurerm/interfaces/backend/storage_container.rb

@@ -1,7 +1,6 @@
 class TerraspacePluginAzurerm::Interfaces::Backend
   class StorageContainer < Base
     include TerraspacePluginAzurerm::Clients::Storage
-    extend Memoist
 
     def create
       if exist?

data/lib/terraspace_plugin_azurerm/interfaces/config.rb

@@ -15,12 +15,12 @@ module TerraspacePluginAzurerm::Interfaces
       c = ActiveSupport::OrderedOptions.new
       c.auto_create = true
       c.location = nil # AzureInfo.location not assigned here so it can be lazily inferred
-
+      c.secrets = ActiveSupport::OrderedOptions.new
+      c.secrets.vault = nil
       c.storage_account = ActiveSupport::OrderedOptions.new
       c.storage_account.sku = ActiveSupport::OrderedOptions.new
       c.storage_account.sku.name = "Standard_LRS"
       c.storage_account.sku.tier = "Standard"
-
       c
     end
   end

data/lib/terraspace_plugin_azurerm/interfaces/helper/secret/fetcher.rb

@@ -0,0 +1,148 @@
+require "net/http"
+
+class TerraspacePluginAzurerm::Interfaces::Helper::Secret
+  class Fetcher
+    class Error < StandardError; end
+    class VaultNotFoundError < Error; end
+    class VaultNotConfiguredError < Error; end
+
+    include TerraspacePluginAzurerm::Logging
+    include TerraspacePluginAzurerm::Clients::Options
+    extend Memoist
+
+    def initialize(mod, options={})
+      @mod, @options = mod, options
+      o = base_client_options
+      @client_id     = o[:client_id]
+      @client_secret = o[:client_secret]
+      @tenant_id     = o[:tenant_id]
+    end
+
+    def fetch(name, opts={})
+      opts[:vault] ||= TerraspacePluginAzurerm.config.secrets.vault
+      get_secret(name, opts)
+    end
+
+    def get_secret(name, options={})
+      vault = options[:vault]
+      version = options[:version]
+      unless token
+        return "ERROR: Unable to authorize and get the temporary token. Double check your ARM_ env variables."
+      end
+
+      version = "/#{version}" if version
+      check_vault_configured!(vault)
+      vault_subdomain = vault.downcase
+      # Using Azure REST API since the old gem doesnt support secrets https://github.com/Azure/azure-sdk-for-ruby
+      # https://docs.microsoft.com/en-us/rest/api/keyvault/getsecret/getsecret
+      name = expansion(name) if expand?
+      url = "https://#{vault_subdomain}.vault.azure.net/secrets/#{name}#{version}?api-version=7.1"
+      logger.debug "Azure vault url #{url}"
+      uri = URI(url)
+      req = Net::HTTP::Get.new(uri)
+      req["Authorization"] = token
+      req["Content-Type"] = "application/json"
+
+      resp = nil
+      begin
+        resp = send_request(uri, req)
+      rescue VaultNotFoundError
+        message = "WARN: Vault not found #{vault}"
+        logger.info message.color(:yellow)
+        return message
+      end
+
+      case resp.code.to_s
+      when /^2/
+        data = JSON.load(resp.body)
+        data['value']
+      else
+        message = standard_error_message(resp)
+        logger.info "WARN: #{message}".color(:yellow)
+        message
+      end
+    end
+
+    def check_vault_configured!(vault)
+      return if vault
+      logger.error "ERROR: Vault has not been configured or vault option not passed in the azure_secret helper method.".color(:red)
+      logger.error <<~EOL
+        Please configure the Azure KeyVault you want to use.  Example:
+
+        config/plugins/azurerm.rb
+
+            TerraspacePluginAzurerm.configure do |config|
+              config.secrets.vault = "REPLACE_WITH_YOUR_VAULT_NAME"
+            end
+
+        Docs: https://terraspace.cloud/docs/helpers/azure/secrets/
+      EOL
+      raise VaultNotConfiguredError.new
+    end
+
+    def send_request(uri, req)
+      http = Net::HTTP.new(uri.host, uri.port)
+      http.open_timeout = http.read_timeout = 30
+      http.use_ssl = true if uri.scheme == 'https'
+
+      begin
+        http.request(req) # response
+      rescue SocketError => e
+        # SocketError: Failed to open TCP connection to MISSING-VAULT.vault.azure.net:443 (getaddrinfo: Name or service not known)
+        if e.message.include?("vault.azure.net")
+          raise VaultNotFoundError.new(e)
+        else
+          raise
+        end
+      end
+    end
+
+    # Secret error handling: 1. network 2. json parse 3. missing secret
+    #
+    # Azure API responses with decent error message when
+    #   403 Forbidden - KeyVault Access Policy needs to be set up
+    #   404 Not Found - Secret name is incorrect
+    #
+    def standard_error_message(resp)
+      data = JSON.load(resp.body)
+      data['error']['message']
+    rescue JSON::ParserError
+      resp.body
+    end
+
+    @@token = nil
+    def token
+      return @@token unless @@token.nil?
+      url = "https://login.microsoftonline.com/#{@tenant_id}/oauth2/token"
+      uri = URI(url)
+      req = Net::HTTP::Get.new(uri)
+      req.set_form_data(
+        grant_type: "client_credentials",
+        client_id: @client_id,
+        client_secret: @client_secret,
+        resource: "https://vault.azure.net",
+      )
+      resp = send_request(uri, req)
+      data = JSON.load(resp.body)
+      if resp.code =~ /^2/
+        @@token = "Bearer #{data['access_token']}" if data
+      else
+        logger.info "WARN: #{data['error_description']}".color(:yellow)
+        # return false otherwise error message is used as the bearer toke and get this error:
+        # ArgumentError: header field value cannot include CR/LF
+        @@token = false
+      end
+    end
+
+  private
+    delegate :expansion, to: :expander
+    def expander
+      TerraspacePluginAzurerm::Interfaces::Expander.new(@mod)
+    end
+    memoize :expander
+
+    def expand?
+      !(@options[:expansion] == false || @options[:expand] == false)
+    end
+  end
+end

data/lib/terraspace_plugin_azurerm/interfaces/helper/secret.rb

@@ -0,0 +1,26 @@
+require "base64"
+
+module TerraspacePluginAzurerm::Interfaces::Helper
+  class Secret
+    extend Memoist
+    include TerraspacePluginAzurerm::Logging
+    include TerraspacePluginAzurerm::Clients::Options
+
+    def initialize(mod, options={})
+      @mod, @options = mod, options
+      @base64 = options[:base64]
+    end
+
+    # opts: version, vault
+    def fetch(name, opts={})
+      value = fetcher.fetch(name, opts)
+      value = Base64.strict_encode64(value).strip if @base64
+      value
+    end
+
+    def fetcher
+      Fetcher.new(@mod, @options)
+    end
+    memoize :fetcher
+  end
+end

data/lib/terraspace_plugin_azurerm/interfaces/helper.rb

@@ -0,0 +1,10 @@
+module TerraspacePluginAzurerm::Interfaces
+  module Helper
+    include Terraspace::Plugin::Helper::Interface
+
+    def azure_secret(name, options={})
+      Secret.new(@mod, options).fetch(name, options)
+    end
+    cache_helper :azure_secret
+  end
+end

data/lib/terraspace_plugin_azurerm/logging.rb

@@ -0,0 +1,7 @@
+module TerraspacePluginAzurerm
+  module Logging
+    def logger
+      Terraspace.logger
+    end
+  end
+end

data/lib/terraspace_plugin_azurerm/version.rb

@@ -1,3 +1,3 @@
 module TerraspacePluginAzurerm
-  VERSION = "0.2.3"
+  VERSION = "0.3.3"
 end

data/lib/terraspace_plugin_azurerm.rb

@@ -23,12 +23,22 @@ module TerraspacePluginAzurerm
     Interfaces::Config.instance.config
   end
 
+  @@logger = nil
+  def logger
+    @@logger ||= Terraspace.logger
+  end
+
+  def logger=(v)
+    @@logger = v
+  end
+
   extend self
 end
 
 Terraspace::Plugin.register("azurerm",
   backend: "azurerm",
   config_class: TerraspacePluginAzurerm::Interfaces::Config,
+  helper_class: TerraspacePluginAzurerm::Interfaces::Helper,
   layer_class: TerraspacePluginAzurerm::Interfaces::Layer,
   root: File.dirname(__dir__),
 )

data/terraspace_plugin_azurerm.gemspec

@@ -23,7 +23,7 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_dependency "azure-storage-blob"
-  spec.add_dependency "azure_info"
+  spec.add_dependency "azure_info", "~> 0.1.2"
   spec.add_dependency "azure_mgmt_resources"
   spec.add_dependency "azure_mgmt_storage"
   spec.add_dependency "memoist"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: terraspace_plugin_azurerm
 version: !ruby/object:Gem::Version
-  version: 0.2.3
+  version: 0.3.3
 platform: ruby
 authors:
 - Tung Nguyen
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-10-05 00:00:00.000000000 Z
+date: 2022-01-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: azure-storage-blob
@@ -28,16 +28,16 @@ dependencies:
   name: azure_info
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.1.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.1.2
 - !ruby/object:Gem::Dependency
   name: azure_mgmt_resources
   requirement: !ruby/object:Gem::Requirement
@@ -151,8 +151,12 @@ files:
 - lib/terraspace_plugin_azurerm/interfaces/backend/storage_container.rb
 - lib/terraspace_plugin_azurerm/interfaces/config.rb
 - lib/terraspace_plugin_azurerm/interfaces/expander.rb
+- lib/terraspace_plugin_azurerm/interfaces/helper.rb
+- lib/terraspace_plugin_azurerm/interfaces/helper/secret.rb
+- lib/terraspace_plugin_azurerm/interfaces/helper/secret/fetcher.rb
 - lib/terraspace_plugin_azurerm/interfaces/layer.rb
 - lib/terraspace_plugin_azurerm/interfaces/summary.rb
+- lib/terraspace_plugin_azurerm/logging.rb
 - lib/terraspace_plugin_azurerm/version.rb
 - terraspace_plugin_azurerm.gemspec
 homepage: https://github.com/boltops-tools/terraspace_plugin_azurerm
@@ -175,7 +179,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.2.32
 signing_key: 
 specification_version: 4
 summary: Terraspace Azurerm Cloud Plugin