terraspace_plugin_azurerm 0.2.3 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3164712306e20fe0da2192f6e8168e7d19dc773f840f351f351bd3cd0c56fd76
-  data.tar.gz: 4e3a39f1aacad41a0806f5e9c81013119b58f11dc42b2d0ac791f9e0c4e44814
+  metadata.gz: 8704700ce76610490c5f29da3091ea5b9b14489911095418deb51561920f2062
+  data.tar.gz: e60b1a62a544c6cbc21838c13c41c93541806786600c85620a650e45a0aa7ae2
 SHA512:
-  metadata.gz: 005df536cf5d7b6ed59435e2560bce4924ecc8a0cf4be3a6c2ae294b711c160e435797a62758d476978d3be3914f10336d23c74a681f1b381bc6d820c68dbcae
-  data.tar.gz: 6c3169184cb1b3de048689ab79c9e860c6f9892c5c6ff74eca63db07010d2c6883e8a24d802d6d0d29d4b69d427243631fb66bc990c1e922fdbe9132cd4095cd
+  metadata.gz: f800a5c07d7ce75482b99b7ee459d8a87c9607e99086d149b83cc8cb81618a569906480df8c9b2457a81a4a4374eef0d2bcab7224998c894161f6e041e9444b3
+  data.tar.gz: 5ffcda4941b3b43d275d907861606b5c20f6cf76a570169c6369c2093e1a7dc4c0022180f7df6de33d1c135fdfcb73de61896f78ab186705f231fe1e73ac5a66

data/CHANGELOG.md

@@ -3,6 +3,10 @@
 All notable changes to this project will be documented in this file.
 This project *loosely tries* to adhere to [Semantic Versioning](http://semver.org/).
 
+## [0.3.0] - 2020-11-15
+- [#5](https://github.com/boltops-tools/terraspace_plugin_azurerm/pull/5) helper and secrets support
+- azure_secret helper
+
 ## [0.2.3]
 - #4 validate env vars and use older storage client
 

data/lib/terraspace_plugin_azurerm.rb

@@ -23,12 +23,22 @@ module TerraspacePluginAzurerm
     Interfaces::Config.instance.config
   end
 
+  @@logger = nil
+  def logger
+    @@logger ||= Terraspace.logger
+  end
+
+  def logger=(v)
+    @@logger = v
+  end
+
   extend self
 end
 
 Terraspace::Plugin.register("azurerm",
   backend: "azurerm",
   config_class: TerraspacePluginAzurerm::Interfaces::Config,
+  helper_class: TerraspacePluginAzurerm::Interfaces::Helper,
   layer_class: TerraspacePluginAzurerm::Interfaces::Layer,
   root: File.dirname(__dir__),
 )

data/lib/terraspace_plugin_azurerm/interfaces/backend/storage_container.rb

@@ -1,7 +1,6 @@
 class TerraspacePluginAzurerm::Interfaces::Backend
   class StorageContainer < Base
     include TerraspacePluginAzurerm::Clients::Storage
-    extend Memoist
 
     def create
       if exist?

data/lib/terraspace_plugin_azurerm/interfaces/config.rb

@@ -15,12 +15,12 @@ module TerraspacePluginAzurerm::Interfaces
       c = ActiveSupport::OrderedOptions.new
       c.auto_create = true
       c.location = nil # AzureInfo.location not assigned here so it can be lazily inferred
-
+      c.secrets = ActiveSupport::OrderedOptions.new
+      c.secrets.vault = nil
       c.storage_account = ActiveSupport::OrderedOptions.new
       c.storage_account.sku = ActiveSupport::OrderedOptions.new
       c.storage_account.sku.name = "Standard_LRS"
       c.storage_account.sku.tier = "Standard"
-
       c
     end
   end

data/lib/terraspace_plugin_azurerm/interfaces/helper.rb

@@ -0,0 +1,10 @@
+module TerraspacePluginAzurerm::Interfaces
+  module Helper
+    include Terraspace::Plugin::Helper::Interface
+
+    def azure_secret(name, options={})
+      Secret.new(options).fetch(name, options)
+    end
+    cache_helper :azure_secret
+  end
+end

data/lib/terraspace_plugin_azurerm/interfaces/helper/secret.rb

@@ -0,0 +1,26 @@
+require "base64"
+
+module TerraspacePluginAzurerm::Interfaces::Helper
+  class Secret
+    extend Memoist
+    include TerraspacePluginAzurerm::Logging
+    include TerraspacePluginAzurerm::Clients::Options
+
+    def initialize(options={})
+      @options = options
+      @base64 = options[:base64]
+    end
+
+    # opts: version, vault
+    def fetch(name, opts={})
+      value = fetcher.fetch(name, opts)
+      value = Base64.strict_encode64(value).strip if @base64
+      value
+    end
+
+    def fetcher
+      Fetcher.new
+    end
+    memoize :fetcher
+  end
+end

data/lib/terraspace_plugin_azurerm/interfaces/helper/secret/fetcher.rb

@@ -0,0 +1,112 @@
+require "net/http"
+
+class TerraspacePluginAzurerm::Interfaces::Helper::Secret
+  class Fetcher
+    class Error < StandardError; end
+    class VaultNotFoundError < Error; end
+
+    include TerraspacePluginAzurerm::Logging
+    include TerraspacePluginAzurerm::Clients::Options
+
+    def initialize
+      o = base_client_options
+      @client_id     = o[:client_id]
+      @client_secret = o[:client_secret]
+      @tenant_id     = o[:tenant_id]
+    end
+
+    def fetch(name, opts={})
+      opts[:vault] ||= TerraspacePluginAzurerm.config.secrets.vault
+      get_secret(name, opts)
+    end
+
+    def get_secret(name, vault: nil, version: nil)
+      unless token
+        return "ERROR: Unable to authorize and get the temporary token. Double check your ARM_ env variables."
+      end
+
+      version = "/#{version}" if version
+      vault_subdomain = vault.downcase
+      # Using Azure REST API since the old gem doesnt support secrets https://github.com/Azure/azure-sdk-for-ruby
+      # https://docs.microsoft.com/en-us/rest/api/keyvault/getsecret/getsecret
+      url = "https://#{vault_subdomain}.vault.azure.net/secrets/#{name}#{version}?api-version=7.1"
+      uri = URI(url)
+      req = Net::HTTP::Get.new(uri)
+      req["Authorization"] = token
+      req["Content-Type"] = "application/json"
+
+      resp = nil
+      begin
+        resp = send_request(uri, req)
+      rescue VaultNotFoundError
+        message = "WARN: Vault not found #{vault}"
+        logger.info message.color(:yellow)
+        return message
+      end
+
+      case resp.code.to_s
+      when /^2/
+        data = JSON.load(resp.body)
+        data['value']
+      else
+        message = standard_error_message(resp)
+        logger.info "WARN: #{message}".color(:yellow)
+        message
+      end
+    end
+
+    def send_request(uri, req)
+      http = Net::HTTP.new(uri.host, uri.port)
+      http.open_timeout = http.read_timeout = 30
+      http.use_ssl = true if uri.scheme == 'https'
+
+      begin
+        http.request(req) # response
+      rescue SocketError => e
+        # SocketError: Failed to open TCP connection to MISSING-VAULT.vault.azure.net:443 (getaddrinfo: Name or service not known)
+        if e.message.include?("vault.azure.net")
+          raise VaultNotFoundError.new(e)
+        else
+          raise
+        end
+      end
+    end
+
+    # Secret error handling: 1. network 2. json parse 3. missing secret
+    #
+    # Azure API responses with decent error message when
+    #   403 Forbidden - KeyVault Access Policy needs to be set up
+    #   404 Not Found - Secret name is incorrect
+    #
+    def standard_error_message(resp)
+      data = JSON.load(resp.body)
+      data['error']['message']
+    rescue JSON::ParserError
+      resp.body
+    end
+
+    @@token = nil
+    def token
+      return @@token unless @@token.nil?
+      url = "https://login.microsoftonline.com/#{@tenant_id}/oauth2/token"
+      uri = URI(url)
+      req = Net::HTTP::Get.new(uri)
+      req.set_form_data(
+        grant_type: "client_credentials",
+        client_id: @client_id,
+        client_secret: @client_secret,
+        resource: "https://vault.azure.net",
+      )
+      resp = send_request(uri, req)
+      data = JSON.load(resp.body)
+      if resp.code =~ /^2/
+        @@token = "Bearer #{data['access_token']}" if data
+      else
+        logger.info "WARN: #{data['error_description']}".color(:yellow)
+        # return false otherwise error message is used as the bearer toke and get this error:
+        # ArgumentError: header field value cannot include CR/LF
+        @@token = false
+      end
+    end
+  end
+end

data/lib/terraspace_plugin_azurerm/logging.rb

@@ -0,0 +1,7 @@
+module TerraspacePluginAzurerm
+  module Logging
+    def logger
+      Terraspace.logger
+    end
+  end
+end

data/lib/terraspace_plugin_azurerm/version.rb

@@ -1,3 +1,3 @@
 module TerraspacePluginAzurerm
-  VERSION = "0.2.3"
+  VERSION = "0.3.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: terraspace_plugin_azurerm
 version: !ruby/object:Gem::Version
-  version: 0.2.3
+  version: 0.3.0
 platform: ruby
 authors:
 - Tung Nguyen
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-10-05 00:00:00.000000000 Z
+date: 2020-11-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: azure-storage-blob
@@ -151,8 +151,12 @@ files:
 - lib/terraspace_plugin_azurerm/interfaces/backend/storage_container.rb
 - lib/terraspace_plugin_azurerm/interfaces/config.rb
 - lib/terraspace_plugin_azurerm/interfaces/expander.rb
+- lib/terraspace_plugin_azurerm/interfaces/helper.rb
+- lib/terraspace_plugin_azurerm/interfaces/helper/secret.rb
+- lib/terraspace_plugin_azurerm/interfaces/helper/secret/fetcher.rb
 - lib/terraspace_plugin_azurerm/interfaces/layer.rb
 - lib/terraspace_plugin_azurerm/interfaces/summary.rb
+- lib/terraspace_plugin_azurerm/logging.rb
 - lib/terraspace_plugin_azurerm/version.rb
 - terraspace_plugin_azurerm.gemspec
 homepage: https://github.com/boltops-tools/terraspace_plugin_azurerm
@@ -175,7 +179,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: Terraspace Azurerm Cloud Plugin