clear-skies-aws 2.0.1__py3-none-any.whl → 2.0.3__py3-none-any.whl

clearskies_aws/secrets/akeyless_with_ssm_cache.py

@@ -0,0 +1,60 @@
+from __future__ import annotations
+
+import re
+from typing import Any
+
+from clearskies.secrets.akeyless import Akeyless
+from types_boto3_ssm import SSMClient
+
+from clearskies_aws.secrets import parameter_store
+
+
+class AkeylessWithSsmCache(parameter_store.ParameterStore, Akeyless):
+    def get(self, path: str, refresh: bool = False) -> str | None:  # type: ignore[override]
+        # AWS SSM parameter paths only allow a-z, A-Z, 0-9, -, _, ., /, @, and :
+        # Replace any disallowed characters with hyphens
+        ssm_name = re.sub(r"[^a-zA-Z0-9\-_\./@:]", "-", path)
+        # if we're not forcing a refresh, then see if it is in paramater store
+        if not refresh:
+            missing = False
+            try:
+                response = self.ssm.get_parameter(Name=ssm_name, WithDecryption=True)
+            except self.ssm.exceptions.ParameterNotFound:
+                missing = True
+            if not missing:
+                value = response["Parameter"].get("Value", "")
+                if value:
+                    return value
+
+        # otherwise get it out of Akeyless
+        value = str(super().get(path))
+
+        # and make sure and store the new value in parameter store
+        if value:
+            self.ssm.put_parameter(
+                Name=ssm_name,
+                Value=value,
+                Type="SecureString",
+                Overwrite=True,
+            )
+
+        return value
+
+    def update(self, path: str, value: Any) -> bool:  # type: ignore[override]
+        res = self._api.update_secret_val(
+            self.akeyless.UpdateSecretVal(name=path, value=str(value), token=self._get_token())
+        )
+        self.ssm.put_parameter(
+            Name=re.sub(r"[^a-zA-Z0-9\-_\./@:]", "-", path),
+            Value=value,
+            Type="SecureString",
+            Overwrite=True,
+        )
+        return True
+
+    def upsert(self, path: str, value: Any) -> bool:  # type: ignore[override]
+        try:
+            self.update(path, value)
+        except Exception as e:
+            self.create(path, value)
+        return True

clearskies_aws/secrets/parameter_store.py

@@ -0,0 +1,52 @@
+from __future__ import annotations
+
+from botocore.exceptions import ClientError
+from clearskies.exceptions.not_found import NotFound
+from types_boto3_ssm import SSMClient
+
+from clearskies_aws.secrets import secrets
+
+
+class ParameterStore(secrets.Secrets):
+    ssm: SSMClient
+
+    def __init__(self):
+        super().__init__()
+        self.ssm = self.boto3.client("ssm", region_name=self.environment.get("AWS_REGION"))
+
+    def create(self, path: str, value: str) -> bool:
+        return self.update(path, value)
+
+    def get(self, path: str, silent_if_not_found: bool = False) -> str | None:  # type: ignore[override]
+        try:
+            result = self.ssm.get_parameter(Name=path, WithDecryption=True)
+        except ClientError as e:
+            error = e.response.get("Error", {})
+            if error.get("Code") == "ResourceNotFoundException":
+                if silent_if_not_found:
+                    return None
+                raise NotFound(f"Could not find secret '{path}' in parameter store")
+            raise e
+        return result["Parameter"].get("Value", "")
+
+    def list_secrets(self, path: str) -> list[str]:
+        response = self.ssm.get_parameters_by_path(Path=path, Recursive=False)
+        return [parameter["Name"] for parameter in response["Parameters"] if "Name" in parameter]
+
+    def update(self, path: str, value: str) -> bool:  # type: ignore[override]
+        response = self.ssm.put_parameter(
+            Name=path,
+            Value=value,
+            Type="String",
+            Overwrite=True,
+        )
+        return True
+
+    def upsert(self, path: str, value: str) -> bool:  # type: ignore[override]
+        return self.update(path, value)
+
+    def list_sub_folders(
+        self,
+        path: str,
+    ) -> list[str]:  # type: ignore[override]
+        raise NotImplementedError("Parameter store doesn't support list_sub_folders.")

clearskies_aws/secrets/secrets.py

@@ -0,0 +1,16 @@
+from __future__ import annotations
+
+from clearskies.di.inject import Di, Environment
+from clearskies.secrets import Secrets as BaseSecrets
+
+from clearskies_aws.di import inject
+
+
+class Secrets(BaseSecrets):
+    boto3 = inject.Boto3()
+    environment = Environment()
+
+    def __init__(self):
+        super().__init__()
+        if not self.environment.get("AWS_REGION", True):
+            raise ValueError("To use secrets manager you must use set the 'AWS_REGION' environment variable")

clearskies_aws/secrets/secrets_manager.py

@@ -0,0 +1,96 @@
+from __future__ import annotations
+
+from typing import Any
+
+from botocore.exceptions import ClientError
+from clearskies.exceptions.not_found import NotFound
+from types_boto3_secretsmanager import SecretsManagerClient
+from types_boto3_secretsmanager.type_defs import SecretListEntryTypeDef
+
+from clearskies_aws.secrets import secrets
+
+
+class SecretsManager(secrets.Secrets):
+    secrets_manager: SecretsManagerClient
+
+    def __init__(self):
+        super().__init__()
+        self.secrets_manager = self.boto3.client("secretsmanager", region_name=self.environment.get("AWS_REGION"))
+
+    def create(self, secret_id: str, value: Any, kms_key_id: str | None = None) -> bool:
+        calling_parameters = {
+            "SecretId": secret_id,
+            "SecretString": value,
+            "KmsKeyId": kms_key_id,
+        }
+        calling_parameters = {key: value for (key, value) in calling_parameters.items() if value}
+        result = self.secrets_manager.create_secret(**calling_parameters)
+        return bool(result.get("ARN"))
+
+    def get(  # type: ignore[override]
+        self,
+        secret_id: str,
+        version_id: str | None = None,
+        version_stage: str | None = None,
+        silent_if_not_found: bool = False,
+    ) -> str | bytes | None:
+        calling_parameters = {"SecretId": secret_id}
+
+        # Only add optional parameters if they are not None
+        if version_id:
+            calling_parameters["VersionId"] = version_id
+        if version_stage:
+            calling_parameters["VersionStage"] = version_stage
+
+        try:
+            result = self.secrets_manager.get_secret_value(**calling_parameters)
+        except ClientError as e:
+            error = e.response.get("Error", {})
+            if error.get("Code") == "ResourceNotFoundException":
+                if silent_if_not_found:
+                    return None
+                raise NotFound(
+                    f"Could not find secret '{secret_id}' with version '{version_id}' and stage '{version_stage}'"
+                )
+            raise e
+        if result.get("SecretString"):
+            return result.get("SecretString")
+        return result.get("SecretBinary")
+
+    def list_secrets(self, path: str) -> list[SecretListEntryTypeDef]:  # type: ignore[override]
+        results = self.secrets_manager.list_secrets(
+            Filters=[
+                {
+                    "Key": "name",
+                    "Values": [path],
+                },
+            ],
+        )
+        return results["SecretList"]
+
+    def update(self, secret_id: str, value: str, kms_key_id: str | None = None) -> bool:  # type: ignore[override]
+        calling_parameters = {
+            "SecretId": secret_id,
+            "SecretString": value,
+        }
+        if kms_key_id:
+            # If no KMS key is provided, we should not include it in the parameters
+            calling_parameters["KmsKeyId"] = kms_key_id
+
+        result = self.secrets_manager.update_secret(**calling_parameters)
+        return bool(result.get("ARN"))
+
+    def upsert(self, secret_id: str, value: str, kms_key_id: str | None = None) -> bool:  # type: ignore[override]
+        calling_parameters = {
+            "SecretId": secret_id,
+            "SecretString": value,
+        }
+        if kms_key_id:
+            # If no KMS key is provided, we should not include it in the parameters
+            calling_parameters["KmsKeyId"] = kms_key_id
+
+        result = self.secrets_manager.put_secret_value(**calling_parameters)
+        return bool(result.get("ARN"))
+
+    def list_sub_folders(self, path: str, value: str) -> list[str]:  # type: ignore[override]
+        raise NotImplementedError("Secrets Manager doesn't support list_sub_folders.")

clear_skies_aws-2.0.1.dist-info/RECORD

@@ -1,4 +0,0 @@
-clear_skies_aws-2.0.1.dist-info/METADATA,sha256=RuKqjsvTbdZc56XVM2UD6IZnSySbVkWA5SaFkxpbps4,8972
-clear_skies_aws-2.0.1.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-clear_skies_aws-2.0.1.dist-info/licenses/LICENSE,sha256=MkEX8JF8kZxdyBpTTcB0YTd-xZpWnHvbRlw-pQh8u58,1069
-clear_skies_aws-2.0.1.dist-info/RECORD,,