aherman
/
packer
mirror of https://github.com/hashicorp/packer
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add HCL2 aws_secretsmanager function (#10124)

Browse Source 
* refactor aws get secrets function out to reuse it else where
* add aws_secretsmanager func and docs for HCL2
* fix GetSecret: allow to pick secret version
pull/10133/head
Adrien Delorme 6 years ago committed by GitHub
parent 584fea678b
commit 6d4fae0f2d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 215 additions and 116 deletions
Show Stats Download Patch File Download Diff File

21
common/template/funcs.go
Unescape View File

@ -9,6 +9,7 @@ import (
"sync"
consulapi "github.com/hashicorp/consul/api"
awssmapi "github.com/hashicorp/packer/template/interpolate/aws/secretsmanager"
vaultapi "github.com/hashicorp/vault/api"
)
@ -86,3 +87,23 @@ func Consul(k string) (string, error) {
return value, nil
}
func GetAWSSecret(name, key string) (string, error) {
// Check if at least 1 parameter has been used
if len(name) == 0 {
return "", errors.New("At least one secret name must be provided")
}
// client uses AWS SDK CredentialChain method. So,credentials can
// be loaded from credential file, environment variables, or IAM
// roles.
client := awssmapi.New(
&awssmapi.AWSConfig{},
)
spec := &awssmapi.SecretSpec{
Name: name,
Key: key,
}
return client.GetSecret(spec)
}

39
hcl2template/function/aws_secretetkey.go
Unescape View File

@ -0,0 +1,39 @@
package function
import (
"github.com/zclconf/go-cty/cty"
"github.com/zclconf/go-cty/cty/function"
commontpl "github.com/hashicorp/packer/common/template"
)
// AWSSecret constructs a function that retrieves secrets from aws secrets
// manager. If Key field is not set then we will return first secret key stored
// in secret name.
var AWSSecret = function.New(&function.Spec{
Params: []function.Parameter{
{
Name: "name",
Type: cty.String,
AllowNull: false,
AllowUnknown: false,
},
{
Name: "key",
Type: cty.String,
AllowNull: true,
AllowUnknown: false,
},
},
Type: function.StaticReturnType(cty.String),
Impl: func(args []cty.Value, retType cty.Type) (cty.Value, error) {
name := args[0].AsString()
var key string
if !args[1].IsNull() && args[1].IsWhollyKnown() {
key = args[1].AsString()
}
val, err := commontpl.GetAWSSecret(name, key)
return cty.StringVal(val), err
},
})

169
hcl2template/functions.go
Unescape View File

@ -28,90 +28,91 @@ import (
func Functions(basedir string) map[string]function.Function {
funcs := map[string]function.Function{
"abs": stdlib.AbsoluteFunc,
"abspath": filesystem.AbsPathFunc,
"basename": filesystem.BasenameFunc,
"base64decode": encoding.Base64DecodeFunc,
"base64encode": encoding.Base64EncodeFunc,
"bcrypt": crypto.BcryptFunc,
"can": tryfunc.CanFunc,
"ceil": stdlib.CeilFunc,
"chomp": stdlib.ChompFunc,
"chunklist": stdlib.ChunklistFunc,
"cidrhost": cidr.HostFunc,
"cidrnetmask": cidr.NetmaskFunc,
"cidrsubnet": cidr.SubnetFunc,
"cidrsubnets": cidr.SubnetsFunc,
"coalesce": collection.CoalesceFunc,
"coalescelist": stdlib.CoalesceListFunc,
"compact": stdlib.CompactFunc,
"concat": stdlib.ConcatFunc,
"consul_key": pkrfunction.ConsulFunc,
"contains": stdlib.ContainsFunc,
"convert": typeexpr.ConvertFunc,
"csvdecode": stdlib.CSVDecodeFunc,
"dirname": filesystem.DirnameFunc,
"distinct": stdlib.DistinctFunc,
"element": stdlib.ElementFunc,
"file": filesystem.MakeFileFunc(basedir, false),
"fileexists": filesystem.MakeFileExistsFunc(basedir),
"fileset": filesystem.MakeFileSetFunc(basedir),
"flatten": stdlib.FlattenFunc,
"floor": stdlib.FloorFunc,
"format": stdlib.FormatFunc,
"formatdate": stdlib.FormatDateFunc,
"formatlist": stdlib.FormatListFunc,
"indent": stdlib.IndentFunc,
"index": stdlib.IndexFunc,
"join": stdlib.JoinFunc,
"jsondecode": stdlib.JSONDecodeFunc,
"jsonencode": stdlib.JSONEncodeFunc,
"keys": stdlib.KeysFunc,
"length": stdlib.LengthFunc,
"log": stdlib.LogFunc,
"lookup": stdlib.LookupFunc,
"lower": stdlib.LowerFunc,
"max": stdlib.MaxFunc,
"md5": crypto.Md5Func,
"merge": stdlib.MergeFunc,
"min": stdlib.MinFunc,
"parseint": stdlib.ParseIntFunc,
"pathexpand": filesystem.PathExpandFunc,
"pow": stdlib.PowFunc,
"range": stdlib.RangeFunc,
"reverse": stdlib.ReverseFunc,
"replace": stdlib.ReplaceFunc,
"regex_replace": stdlib.RegexReplaceFunc,
"rsadecrypt": crypto.RsaDecryptFunc,
"setintersection": stdlib.SetIntersectionFunc,
"setproduct": stdlib.SetProductFunc,
"setunion": stdlib.SetUnionFunc,
"sha1": crypto.Sha1Func,
"sha256": crypto.Sha256Func,
"sha512": crypto.Sha512Func,
"signum": stdlib.SignumFunc,
"slice": stdlib.SliceFunc,
"sort": stdlib.SortFunc,
"split": stdlib.SplitFunc,
"strrev": stdlib.ReverseFunc,
"substr": stdlib.SubstrFunc,
"timestamp": pkrfunction.TimestampFunc,
"timeadd": stdlib.TimeAddFunc,
"title": stdlib.TitleFunc,
"trim": stdlib.TrimFunc,
"trimprefix": stdlib.TrimPrefixFunc,
"trimspace": stdlib.TrimSpaceFunc,
"trimsuffix": stdlib.TrimSuffixFunc,
"try": tryfunc.TryFunc,
"upper": stdlib.UpperFunc,
"urlencode": encoding.URLEncodeFunc,
"uuidv4": uuid.V4Func,
"uuidv5": uuid.V5Func,
"values": stdlib.ValuesFunc,
"vault": pkrfunction.VaultFunc,
"yamldecode": ctyyaml.YAMLDecodeFunc,
"yamlencode": ctyyaml.YAMLEncodeFunc,
"zipmap": stdlib.ZipmapFunc,
"abs": stdlib.AbsoluteFunc,
"abspath": filesystem.AbsPathFunc,
"aws_secretsmanager": pkrfunction.AWSSecret,
"basename": filesystem.BasenameFunc,
"base64decode": encoding.Base64DecodeFunc,
"base64encode": encoding.Base64EncodeFunc,
"bcrypt": crypto.BcryptFunc,
"can": tryfunc.CanFunc,
"ceil": stdlib.CeilFunc,
"chomp": stdlib.ChompFunc,
"chunklist": stdlib.ChunklistFunc,
"cidrhost": cidr.HostFunc,
"cidrnetmask": cidr.NetmaskFunc,
"cidrsubnet": cidr.SubnetFunc,
"cidrsubnets": cidr.SubnetsFunc,
"coalesce": collection.CoalesceFunc,
"coalescelist": stdlib.CoalesceListFunc,
"compact": stdlib.CompactFunc,
"concat": stdlib.ConcatFunc,
"consul_key": pkrfunction.ConsulFunc,
"contains": stdlib.ContainsFunc,
"convert": typeexpr.ConvertFunc,
"csvdecode": stdlib.CSVDecodeFunc,
"dirname": filesystem.DirnameFunc,
"distinct": stdlib.DistinctFunc,
"element": stdlib.ElementFunc,
"file": filesystem.MakeFileFunc(basedir, false),
"fileexists": filesystem.MakeFileExistsFunc(basedir),
"fileset": filesystem.MakeFileSetFunc(basedir),
"flatten": stdlib.FlattenFunc,
"floor": stdlib.FloorFunc,
"format": stdlib.FormatFunc,
"formatdate": stdlib.FormatDateFunc,
"formatlist": stdlib.FormatListFunc,
"indent": stdlib.IndentFunc,
"index": stdlib.IndexFunc,
"join": stdlib.JoinFunc,
"jsondecode": stdlib.JSONDecodeFunc,
"jsonencode": stdlib.JSONEncodeFunc,
"keys": stdlib.KeysFunc,
"length": stdlib.LengthFunc,
"log": stdlib.LogFunc,
"lookup": stdlib.LookupFunc,
"lower": stdlib.LowerFunc,
"max": stdlib.MaxFunc,
"md5": crypto.Md5Func,
"merge": stdlib.MergeFunc,
"min": stdlib.MinFunc,
"parseint": stdlib.ParseIntFunc,
"pathexpand": filesystem.PathExpandFunc,
"pow": stdlib.PowFunc,
"range": stdlib.RangeFunc,
"reverse": stdlib.ReverseFunc,
"replace": stdlib.ReplaceFunc,
"regex_replace": stdlib.RegexReplaceFunc,
"rsadecrypt": crypto.RsaDecryptFunc,
"setintersection": stdlib.SetIntersectionFunc,
"setproduct": stdlib.SetProductFunc,
"setunion": stdlib.SetUnionFunc,
"sha1": crypto.Sha1Func,
"sha256": crypto.Sha256Func,
"sha512": crypto.Sha512Func,
"signum": stdlib.SignumFunc,
"slice": stdlib.SliceFunc,
"sort": stdlib.SortFunc,
"split": stdlib.SplitFunc,
"strrev": stdlib.ReverseFunc,
"substr": stdlib.SubstrFunc,
"timestamp": pkrfunction.TimestampFunc,
"timeadd": stdlib.TimeAddFunc,
"title": stdlib.TitleFunc,
"trim": stdlib.TrimFunc,
"trimprefix": stdlib.TrimPrefixFunc,
"trimspace": stdlib.TrimSpaceFunc,
"trimsuffix": stdlib.TrimSuffixFunc,
"try": tryfunc.TryFunc,
"upper": stdlib.UpperFunc,
"urlencode": encoding.URLEncodeFunc,
"uuidv4": uuid.V4Func,
"uuidv5": uuid.V5Func,
"values": stdlib.ValuesFunc,
"vault": pkrfunction.VaultFunc,
"yamldecode": ctyyaml.YAMLDecodeFunc,
"yamlencode": ctyyaml.YAMLEncodeFunc,
"zipmap": stdlib.ZipmapFunc,
}
return funcs

3
template/interpolate/aws/secretsmanager/secretsmanager.go
Unescape View File

@ -53,6 +53,9 @@ func (c *Client) GetSecret(spec *SecretSpec) (string, error) {
SecretId: aws.String(spec.Name),
VersionStage: aws.String("AWSCURRENT"),
}
if spec.Name != "" {
params.VersionStage = aws.String(spec.Key)
}
resp, err := c.api.GetSecretValue(params)
if err != nil {

40
template/interpolate/funcs.go
Unescape View File

@ -13,7 +13,6 @@ import (
commontpl "github.com/hashicorp/packer/common/template"
"github.com/hashicorp/packer/common/uuid"
"github.com/hashicorp/packer/helper/common"
awssmapi "github.com/hashicorp/packer/template/interpolate/aws/secretsmanager"
"github.com/hashicorp/packer/version"
strftime "github.com/jehiah/go-strftime"
)
@ -280,37 +279,16 @@ func funcGenAwsSecrets(ctx *Context) interface{} {
// semantic checks should catch this.
return "", errors.New("AWS Secrets Manager is only allowed in the variables section")
}
// Check if at least 1 parameter has been used
if len(secret) == 0 {
return "", errors.New("At least one secret name must be provided")
}
// client uses AWS SDK CredentialChain method. So,credentials can
// be loaded from credential file, environment variables, or IAM
// roles.
client := awssmapi.New(
&awssmapi.AWSConfig{},
)
var name, key string
name = secret[0]
// key is optional if not used we fetch the first
// value stored in given secret. If more than two parameters
// are passed we take second param and ignore the others
if len(secret) > 1 {
key = secret[1]
}
spec := &awssmapi.SecretSpec{
Name: name,
Key: key,
}
s, err := client.GetSecret(spec)
if err != nil {
return "", err
switch len(secret) {
case 0:
return "", errors.New("secret name must be provided")
case 1:
return commontpl.GetAWSSecret(secret[0], "")
case 2:
return commontpl.GetAWSSecret(secret[0], secret[1])
default:
return "", errors.New("only secret name and optional secret key can be provided.")
}
return s, nil
}
}

3
website/data/docs-navigation.js
Unescape View File

@ -32,8 +32,9 @@ export default [
{
category: 'contextual',
content: [
'vault',
'aws_secretsmanager',
'consul',
'vault',
],
},
{

56
website/pages/docs/from-1.5/functions/contextual/aws_secretsmanager.mdx
Unescape View File

@ -0,0 +1,56 @@
---
layout: docs
page_title: aws_secretsmanager - Functions - Configuration Language
sidebar_title: aws_secretsmanager
description: The aws_secretsmanager function retrieves secrets from Amazon secretsmanager stores.
---
# `aws_secretsmanager_key` Function
Secrets can be read from the [AWS Secrets
Manager](https://aws.amazon.com/secrets-manager/) and used within your template
as locals.
```hcl
aws_secretsmanager(name, key)
```
When key is not set (`null` or empty: `""`) then `aws_secretsmanager` returns
the first secret key stored in secret `name` using the `AWSCURRENT`.
You can either use this function in a `locals` block or directly inline where
you want to use the value.
```hcl
locals {
// null is equivalent to "AWSCURRENT"
current_version = aws_secretsmanager("my_secret", null)
}
source "null" "first-example" {
communicator = "none"
}
build {
name = "my-build-name"
sources = ["null.first-example"]
provisioner "shell-local" {
environment_vars = ["TESTVAR=${build.PackerRunUUID}"]
inline = ["echo current version is '${local.current_version}'",
"echo previous version is '${aws_secretsmanager("my_secret", "AWSPREVIOUS")}'."]
}
}
```
This will load the key stored at behind `my_secret` from aws secrets manager.
In order to use this function you have to configure valid AWS credentials using
one of the following methods:
- [Environment Variables](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html)
- [CLI Configuration Files](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html)
- [Container Credentials](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html)
- [Instance Profile Credentials](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html)
Write Preview
Loading…
Cancel
Save