From 55fa3e1b0bf85ec138461057acfc23141a7525cb Mon Sep 17 00:00:00 2001 From: Juan Mesa Date: Fri, 15 May 2020 13:50:33 +0200 Subject: [PATCH 1/3] Add support for specifying key to fetch from AWS Secrets Manager --- .../aws/secretsmanager/secretsmanager.go | 97 ++++++++++++++ .../aws/secretsmanager/secretsmanager_test.go | 121 ++++++++++++++++++ .../interpolate/aws/secretsmanager/types.go | 36 ++++++ template/interpolate/funcs.go | 34 ++++- 4 files changed, 281 insertions(+), 7 deletions(-) create mode 100644 template/interpolate/aws/secretsmanager/secretsmanager.go create mode 100644 template/interpolate/aws/secretsmanager/secretsmanager_test.go create mode 100644 template/interpolate/aws/secretsmanager/types.go diff --git a/template/interpolate/aws/secretsmanager/secretsmanager.go b/template/interpolate/aws/secretsmanager/secretsmanager.go new file mode 100644 index 000000000..94fa26159 --- /dev/null +++ b/template/interpolate/aws/secretsmanager/secretsmanager.go @@ -0,0 +1,97 @@ +// Package secretsmanager provide methods to get data from +// AWS Secret Manager +package secretsmanager + +import ( + "encoding/json" + "errors" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/session" + "github.com/aws/aws-sdk-go/service/secretsmanager" + "github.com/aws/aws-sdk-go/service/secretsmanager/secretsmanageriface" +) + +// SecretsManager returns a representation of the Secrets Manager API +func (c *Client) SecretsManager() secretsmanageriface.SecretsManagerAPI { + return c.api +} + +// New creates an AWS Session Manager Client +func New(config *AWSConfig) *Client { + c := &Client{ + config: config, + } + + s := c.newSession(config) + c.api = secretsmanager.New(s) + return c +} + +func (c *Client) newSession(config *AWSConfig) *session.Session { + // Initialize config with error verbosity + sess := aws.NewConfig().WithCredentialsChainVerboseErrors(true) + + if config.Region != "" { + sess = sess.WithRegion(config.Region) + } + + opts := session.Options{ + Config: *sess, + } + + return session.Must(session.NewSessionWithOptions(opts)) +} + +// GetSecret return an AWS Secret Manager secret +// in plain text from a given secret name +func (c *Client) GetSecret(spec *SecretSpec) (string, error) { + params := &secretsmanager.GetSecretValueInput{ + SecretId: aws.String(spec.Name), + VersionStage: aws.String("AWSCURRENT"), + } + + resp, err := c.api.GetSecretValue(params) + if err != nil { + return "", err + } + + if resp.SecretString == nil { + return "", errors.New("Secret is not string") + } + + secret := SecretString{ + Name: *resp.Name, + SecretString: *resp.SecretString, + } + value, err := getSecretValue(&secret, spec) + if err != nil { + return "", err + } + + return value, nil +} + +func getSecretValue(s *SecretString, spec *SecretSpec) (string, error) { + var secretValue map[string]string + + blob := []byte(s.SecretString) + + err := json.Unmarshal(blob, &secretValue) + if err != nil { + return "", err + } + + // If key is not set then return first value stored in secret + if spec.Key == "" { + for _, v := range secretValue { + return v, nil + } + } + + if v, ok := secretValue[spec.Key]; ok { + return v, nil + } + + return "", errors.New("No secret found") +} diff --git a/template/interpolate/aws/secretsmanager/secretsmanager_test.go b/template/interpolate/aws/secretsmanager/secretsmanager_test.go new file mode 100644 index 000000000..985c26f05 --- /dev/null +++ b/template/interpolate/aws/secretsmanager/secretsmanager_test.go @@ -0,0 +1,121 @@ +package secretsmanager + +import ( + "testing" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/service/secretsmanager" + "github.com/aws/aws-sdk-go/service/secretsmanager/secretsmanageriface" +) + +type mockedSecret struct { + secretsmanageriface.SecretsManagerAPI + Resp secretsmanager.GetSecretValueOutput +} + +// GetSecret return mocked secret value +func (m mockedSecret) GetSecretValue(in *secretsmanager.GetSecretValueInput) (*secretsmanager.GetSecretValueOutput, error) { + return &m.Resp, nil +} + +func TestGetSecret(t *testing.T) { + testCases := []struct { + arg *SecretSpec + mock secretsmanager.GetSecretValueOutput + want string + ok bool + }{ + { + arg: &SecretSpec{Name: "test/secret"}, + mock: secretsmanager.GetSecretValueOutput{ + Name: aws.String("test/secret"), + SecretString: aws.String(`{"key": "test"}`), + }, + want: "test", + ok: true, + }, + { + arg: &SecretSpec{ + Name: "test/secret", + Key: "key", + }, + mock: secretsmanager.GetSecretValueOutput{ + Name: aws.String("test/secret"), + SecretString: aws.String(`{"key": "test"}`), + }, + want: "test", + ok: true, + }, + { + arg: &SecretSpec{ + Name: "test/secret", + Key: "second_key", + }, + mock: secretsmanager.GetSecretValueOutput{ + Name: aws.String("test/secret"), + SecretString: aws.String(`{"first_key": "first_val", "second_key": "second_val"}`), + }, + want: "second_val", + ok: true, + }, + { + arg: &SecretSpec{ + Name: "test/secret", + }, + mock: secretsmanager.GetSecretValueOutput{ + Name: aws.String("test/secret"), + SecretString: aws.String(`{"first_key": "first_val", "second_key": "second_val"}`), + }, + want: "first_val", + ok: true, + }, + { + arg: &SecretSpec{ + Name: "test/secret", + Key: "nonexistent", + }, + mock: secretsmanager.GetSecretValueOutput{ + Name: aws.String("test/secret"), + SecretString: aws.String(`{"key": "test"}`), + }, + ok: false, + }, + { + arg: &SecretSpec{ + Name: "test/secret", + Key: "nonexistent", + }, + mock: secretsmanager.GetSecretValueOutput{ + Name: aws.String("test/secret"), + SecretString: aws.String(`{"first_key": "first_val", "second_key": "second_val"}`), + }, + ok: false, + }, + { + arg: &SecretSpec{ + Name: "test/secret", + Key: "nonexistent", + }, + mock: secretsmanager.GetSecretValueOutput{}, + ok: false, + }, + } + + for _, test := range testCases { + c := &Client{ + api: mockedSecret{Resp: test.mock}, + } + got, err := c.GetSecret(test.arg) + if test.ok { + if got != test.want { + t.Fatalf("want %v, got %v, error %v, using arg %v", test.want, got, err, test.arg) + } + } + if !test.ok { + if err == nil { + t.Fatalf("error expected but got %q, using arg %v", err, test.arg) + } + } + t.Logf("arg (%v), want %v, got %v, err %v", test.arg, test.want, got, err) + } +} diff --git a/template/interpolate/aws/secretsmanager/types.go b/template/interpolate/aws/secretsmanager/types.go new file mode 100644 index 000000000..40d1276fa --- /dev/null +++ b/template/interpolate/aws/secretsmanager/types.go @@ -0,0 +1,36 @@ +package secretsmanager + +import ( + "github.com/aws/aws-sdk-go/service/secretsmanager/secretsmanageriface" +) + +// AWSConfig store configuration used to initialize +// secrets manager client. +type AWSConfig struct { + Region string +} + +// SecretSpec represent specs of secret to be searched +// If Key field is not set then package will return first +// secret key stored in secret name. +// +// maps to ClusterConfig +type SecretSpec struct { + Name string + Key string +} + +// Client represents an AWS Secrets Manager client +// +// maps to ProviderServices +type Client struct { + config *AWSConfig + api secretsmanageriface.SecretsManagerAPI +} + +// SecretString is a concret representation +// of an AWS Secrets Manager Secret String +type SecretString struct { + Name string + SecretString string +} diff --git a/template/interpolate/funcs.go b/template/interpolate/funcs.go index 258b1888e..98696e1ee 100644 --- a/template/interpolate/funcs.go +++ b/template/interpolate/funcs.go @@ -10,13 +10,14 @@ import ( "text/template" "time" + awssmapi "github.com/hashicorp/packer/template/interpolate/aws/secretsmanager" + consulapi "github.com/hashicorp/consul/api" "github.com/hashicorp/packer/common/uuid" "github.com/hashicorp/packer/helper/common" "github.com/hashicorp/packer/version" vaultapi "github.com/hashicorp/vault/api" strftime "github.com/jehiah/go-strftime" - awssmapi "github.com/overdrive3000/secretsmanager" ) // InitTime is the UTC time when this package was initialized. It is @@ -327,24 +328,43 @@ func funcGenVault(ctx *Context) interface{} { } func funcGenAwsSecrets(ctx *Context) interface{} { - return func(name string) (string, error) { + return func(secret ...string) (string, error) { if !ctx.EnableEnv { // The error message doesn't have to be that detailed since // semantic checks should catch this. return "", errors.New("AWS Secrets Manager vars are only allowed in the variables section") } + + // Check if at leas 1 parameter has been used + if len(secret) == 0 { + return "", errors.New("At least one parameter must be used") + } // client uses AWS SDK CredentialChain method. So,credentials can // be loaded from credential file, environment variables, or IAM // roles. - client, err := awssmapi.New() - if err != nil { - return "", fmt.Errorf("Error getting AWS Secrets Manager client: %s", err) + client := awssmapi.New( + &awssmapi.AWSConfig{}, + ) + + var name, key string + name = secret[0] + // key is optional if not used we fetch the first + // value stored in given secret. If more that two parameters + // are passed we take second param and ignore the others + if len(secret) > 1 { + key = secret[1] } - secret, err := client.GetSecret(name) + + spec := &awssmapi.SecretSpec{ + Name: name, + Key: key, + } + + s, err := client.GetSecret(spec) if err != nil { return "", fmt.Errorf("Error getting secret: %s", err) } - return secret, nil + return s, nil } } From 78509a58e7b7eb27c9686f399de81fc4d59f6462 Mon Sep 17 00:00:00 2001 From: Juan Mesa Date: Fri, 15 May 2020 14:03:00 +0200 Subject: [PATCH 2/3] Remove github.com/overdrive3000/secretsmanager package from vendors --- go.mod | 1 - go.sum | 2 - .../overdrive3000/secretsmanager/.gitignore | 15 - .../overdrive3000/secretsmanager/LICENSE | 373 ------------------ .../overdrive3000/secretsmanager/README.md | 2 - .../secretsmanager/secretsmanager.go | 68 ---- .../overdrive3000/secretsmanager/types.go | 18 - vendor/modules.txt | 2 - 8 files changed, 481 deletions(-) delete mode 100644 vendor/github.com/overdrive3000/secretsmanager/.gitignore delete mode 100644 vendor/github.com/overdrive3000/secretsmanager/LICENSE delete mode 100644 vendor/github.com/overdrive3000/secretsmanager/README.md delete mode 100644 vendor/github.com/overdrive3000/secretsmanager/secretsmanager.go delete mode 100644 vendor/github.com/overdrive3000/secretsmanager/types.go diff --git a/go.mod b/go.mod index 997d448a3..263adf3fa 100644 --- a/go.mod +++ b/go.mod @@ -125,7 +125,6 @@ require ( github.com/olekukonko/tablewriter v0.0.0-20180105111133-96aac992fc8b github.com/oracle/oci-go-sdk v18.0.0+incompatible github.com/outscale/osc-go v0.0.1 - github.com/overdrive3000/secretsmanager v0.0.0-20200421092817-bcdff577c37a github.com/packer-community/winrmcp v0.0.0-20180921204643-0fd363d6159a github.com/pierrec/lz4 v2.0.5+incompatible github.com/pkg/errors v0.8.1 diff --git a/go.sum b/go.sum index b956da317..787ac5014 100644 --- a/go.sum +++ b/go.sum @@ -495,8 +495,6 @@ github.com/oracle/oci-go-sdk v18.0.0+incompatible h1:FLV4KixsVfF3rwyVTMI6Ryp/Q+O github.com/oracle/oci-go-sdk v18.0.0+incompatible/go.mod h1:VQb79nF8Z2cwLkLS35ukwStZIg5F66tcBccjip/j888= github.com/outscale/osc-go v0.0.1 h1:hvBtORyu7sWSKW1norGlfIP8C7c2aegI2Vkq75SRPCE= github.com/outscale/osc-go v0.0.1/go.mod h1:hJLmXzqU/t07qQYh90I0TqZzu9s85Zs6FMrxk3ukiFM= -github.com/overdrive3000/secretsmanager v0.0.0-20200421092817-bcdff577c37a h1:75mTB6HzCWbVMbrOoC3Uul0ISN4hM2q3l8dyipdJHxM= -github.com/overdrive3000/secretsmanager v0.0.0-20200421092817-bcdff577c37a/go.mod h1:fSmoHV04Lsb4wDnlkjL/Vq1r1ZygVlLge05o1agvVa4= github.com/packer-community/winrmcp v0.0.0-20180921204643-0fd363d6159a h1:A3QMuteviunoaY/8ex+RKFqwhcZJ/Cf3fCW3IwL2wx4= github.com/packer-community/winrmcp v0.0.0-20180921204643-0fd363d6159a/go.mod h1:f6Izs6JvFTdnRbziASagjZ2vmf55NSIkC/weStxCHqk= github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c h1:Lgl0gzECD8GnQ5QCWA8o6BtfL6mDH5rQgM4/fX3avOs= diff --git a/vendor/github.com/overdrive3000/secretsmanager/.gitignore b/vendor/github.com/overdrive3000/secretsmanager/.gitignore deleted file mode 100644 index 66fd13c90..000000000 --- a/vendor/github.com/overdrive3000/secretsmanager/.gitignore +++ /dev/null @@ -1,15 +0,0 @@ -# Binaries for programs and plugins -*.exe -*.exe~ -*.dll -*.so -*.dylib - -# Test binary, built with `go test -c` -*.test - -# Output of the go coverage tool, specifically when used with LiteIDE -*.out - -# Dependency directories (remove the comment below to include it) -# vendor/ diff --git a/vendor/github.com/overdrive3000/secretsmanager/LICENSE b/vendor/github.com/overdrive3000/secretsmanager/LICENSE deleted file mode 100644 index a612ad981..000000000 --- a/vendor/github.com/overdrive3000/secretsmanager/LICENSE +++ /dev/null @@ -1,373 +0,0 @@ -Mozilla Public License Version 2.0 -================================== - -1. Definitions --------------- - -1.1. "Contributor" - means each individual or legal entity that creates, contributes to - the creation of, or owns Covered Software. - -1.2. "Contributor Version" - means the combination of the Contributions of others (if any) used - by a Contributor and that particular Contributor's Contribution. - -1.3. "Contribution" - means Covered Software of a particular Contributor. - -1.4. "Covered Software" - means Source Code Form to which the initial Contributor has attached - the notice in Exhibit A, the Executable Form of such Source Code - Form, and Modifications of such Source Code Form, in each case - including portions thereof. - -1.5. "Incompatible With Secondary Licenses" - means - - (a) that the initial Contributor has attached the notice described - in Exhibit B to the Covered Software; or - - (b) that the Covered Software was made available under the terms of - version 1.1 or earlier of the License, but not also under the - terms of a Secondary License. - -1.6. "Executable Form" - means any form of the work other than Source Code Form. - -1.7. "Larger Work" - means a work that combines Covered Software with other material, in - a separate file or files, that is not Covered Software. - -1.8. "License" - means this document. - -1.9. "Licensable" - means having the right to grant, to the maximum extent possible, - whether at the time of the initial grant or subsequently, any and - all of the rights conveyed by this License. - -1.10. "Modifications" - means any of the following: - - (a) any file in Source Code Form that results from an addition to, - deletion from, or modification of the contents of Covered - Software; or - - (b) any new file in Source Code Form that contains any Covered - Software. - -1.11. "Patent Claims" of a Contributor - means any patent claim(s), including without limitation, method, - process, and apparatus claims, in any patent Licensable by such - Contributor that would be infringed, but for the grant of the - License, by the making, using, selling, offering for sale, having - made, import, or transfer of either its Contributions or its - Contributor Version. - -1.12. "Secondary License" - means either the GNU General Public License, Version 2.0, the GNU - Lesser General Public License, Version 2.1, the GNU Affero General - Public License, Version 3.0, or any later versions of those - licenses. - -1.13. "Source Code Form" - means the form of the work preferred for making modifications. - -1.14. "You" (or "Your") - means an individual or a legal entity exercising rights under this - License. For legal entities, "You" includes any entity that - controls, is controlled by, or is under common control with You. For - purposes of this definition, "control" means (a) the power, direct - or indirect, to cause the direction or management of such entity, - whether by contract or otherwise, or (b) ownership of more than - fifty percent (50%) of the outstanding shares or beneficial - ownership of such entity. - -2. License Grants and Conditions --------------------------------- - -2.1. Grants - -Each Contributor hereby grants You a world-wide, royalty-free, -non-exclusive license: - -(a) under intellectual property rights (other than patent or trademark) - Licensable by such Contributor to use, reproduce, make available, - modify, display, perform, distribute, and otherwise exploit its - Contributions, either on an unmodified basis, with Modifications, or - as part of a Larger Work; and - -(b) under Patent Claims of such Contributor to make, use, sell, offer - for sale, have made, import, and otherwise transfer either its - Contributions or its Contributor Version. - -2.2. Effective Date - -The licenses granted in Section 2.1 with respect to any Contribution -become effective for each Contribution on the date the Contributor first -distributes such Contribution. - -2.3. Limitations on Grant Scope - -The licenses granted in this Section 2 are the only rights granted under -this License. No additional rights or licenses will be implied from the -distribution or licensing of Covered Software under this License. -Notwithstanding Section 2.1(b) above, no patent license is granted by a -Contributor: - -(a) for any code that a Contributor has removed from Covered Software; - or - -(b) for infringements caused by: (i) Your and any other third party's - modifications of Covered Software, or (ii) the combination of its - Contributions with other software (except as part of its Contributor - Version); or - -(c) under Patent Claims infringed by Covered Software in the absence of - its Contributions. - -This License does not grant any rights in the trademarks, service marks, -or logos of any Contributor (except as may be necessary to comply with -the notice requirements in Section 3.4). - -2.4. Subsequent Licenses - -No Contributor makes additional grants as a result of Your choice to -distribute the Covered Software under a subsequent version of this -License (see Section 10.2) or under the terms of a Secondary License (if -permitted under the terms of Section 3.3). - -2.5. Representation - -Each Contributor represents that the Contributor believes its -Contributions are its original creation(s) or it has sufficient rights -to grant the rights to its Contributions conveyed by this License. - -2.6. Fair Use - -This License is not intended to limit any rights You have under -applicable copyright doctrines of fair use, fair dealing, or other -equivalents. - -2.7. Conditions - -Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted -in Section 2.1. - -3. Responsibilities -------------------- - -3.1. Distribution of Source Form - -All distribution of Covered Software in Source Code Form, including any -Modifications that You create or to which You contribute, must be under -the terms of this License. You must inform recipients that the Source -Code Form of the Covered Software is governed by the terms of this -License, and how they can obtain a copy of this License. You may not -attempt to alter or restrict the recipients' rights in the Source Code -Form. - -3.2. Distribution of Executable Form - -If You distribute Covered Software in Executable Form then: - -(a) such Covered Software must also be made available in Source Code - Form, as described in Section 3.1, and You must inform recipients of - the Executable Form how they can obtain a copy of such Source Code - Form by reasonable means in a timely manner, at a charge no more - than the cost of distribution to the recipient; and - -(b) You may distribute such Executable Form under the terms of this - License, or sublicense it under different terms, provided that the - license for the Executable Form does not attempt to limit or alter - the recipients' rights in the Source Code Form under this License. - -3.3. Distribution of a Larger Work - -You may create and distribute a Larger Work under terms of Your choice, -provided that You also comply with the requirements of this License for -the Covered Software. If the Larger Work is a combination of Covered -Software with a work governed by one or more Secondary Licenses, and the -Covered Software is not Incompatible With Secondary Licenses, this -License permits You to additionally distribute such Covered Software -under the terms of such Secondary License(s), so that the recipient of -the Larger Work may, at their option, further distribute the Covered -Software under the terms of either this License or such Secondary -License(s). - -3.4. Notices - -You may not remove or alter the substance of any license notices -(including copyright notices, patent notices, disclaimers of warranty, -or limitations of liability) contained within the Source Code Form of -the Covered Software, except that You may alter any license notices to -the extent required to remedy known factual inaccuracies. - -3.5. Application of Additional Terms - -You may choose to offer, and to charge a fee for, warranty, support, -indemnity or liability obligations to one or more recipients of Covered -Software. However, You may do so only on Your own behalf, and not on -behalf of any Contributor. You must make it absolutely clear that any -such warranty, support, indemnity, or liability obligation is offered by -You alone, and You hereby agree to indemnify every Contributor for any -liability incurred by such Contributor as a result of warranty, support, -indemnity or liability terms You offer. You may include additional -disclaimers of warranty and limitations of liability specific to any -jurisdiction. - -4. Inability to Comply Due to Statute or Regulation ---------------------------------------------------- - -If it is impossible for You to comply with any of the terms of this -License with respect to some or all of the Covered Software due to -statute, judicial order, or regulation then You must: (a) comply with -the terms of this License to the maximum extent possible; and (b) -describe the limitations and the code they affect. Such description must -be placed in a text file included with all distributions of the Covered -Software under this License. Except to the extent prohibited by statute -or regulation, such description must be sufficiently detailed for a -recipient of ordinary skill to be able to understand it. - -5. Termination --------------- - -5.1. The rights granted under this License will terminate automatically -if You fail to comply with any of its terms. However, if You become -compliant, then the rights granted under this License from a particular -Contributor are reinstated (a) provisionally, unless and until such -Contributor explicitly and finally terminates Your grants, and (b) on an -ongoing basis, if such Contributor fails to notify You of the -non-compliance by some reasonable means prior to 60 days after You have -come back into compliance. Moreover, Your grants from a particular -Contributor are reinstated on an ongoing basis if such Contributor -notifies You of the non-compliance by some reasonable means, this is the -first time You have received notice of non-compliance with this License -from such Contributor, and You become compliant prior to 30 days after -Your receipt of the notice. - -5.2. If You initiate litigation against any entity by asserting a patent -infringement claim (excluding declaratory judgment actions, -counter-claims, and cross-claims) alleging that a Contributor Version -directly or indirectly infringes any patent, then the rights granted to -You by any and all Contributors for the Covered Software under Section -2.1 of this License shall terminate. - -5.3. In the event of termination under Sections 5.1 or 5.2 above, all -end user license agreements (excluding distributors and resellers) which -have been validly granted by You or Your distributors under this License -prior to termination shall survive termination. - -************************************************************************ -* * -* 6. Disclaimer of Warranty * -* ------------------------- * -* * -* Covered Software is provided under this License on an "as is" * -* basis, without warranty of any kind, either expressed, implied, or * -* statutory, including, without limitation, warranties that the * -* Covered Software is free of defects, merchantable, fit for a * -* particular purpose or non-infringing. The entire risk as to the * -* quality and performance of the Covered Software is with You. * -* Should any Covered Software prove defective in any respect, You * -* (not any Contributor) assume the cost of any necessary servicing, * -* repair, or correction. This disclaimer of warranty constitutes an * -* essential part of this License. No use of any Covered Software is * -* authorized under this License except under this disclaimer. * -* * -************************************************************************ - -************************************************************************ -* * -* 7. Limitation of Liability * -* -------------------------- * -* * -* Under no circumstances and under no legal theory, whether tort * -* (including negligence), contract, or otherwise, shall any * -* Contributor, or anyone who distributes Covered Software as * -* permitted above, be liable to You for any direct, indirect, * -* special, incidental, or consequential damages of any character * -* including, without limitation, damages for lost profits, loss of * -* goodwill, work stoppage, computer failure or malfunction, or any * -* and all other commercial damages or losses, even if such party * -* shall have been informed of the possibility of such damages. This * -* limitation of liability shall not apply to liability for death or * -* personal injury resulting from such party's negligence to the * -* extent applicable law prohibits such limitation. Some * -* jurisdictions do not allow the exclusion or limitation of * -* incidental or consequential damages, so this exclusion and * -* limitation may not apply to You. * -* * -************************************************************************ - -8. Litigation -------------- - -Any litigation relating to this License may be brought only in the -courts of a jurisdiction where the defendant maintains its principal -place of business and such litigation shall be governed by laws of that -jurisdiction, without reference to its conflict-of-law provisions. -Nothing in this Section shall prevent a party's ability to bring -cross-claims or counter-claims. - -9. Miscellaneous ----------------- - -This License represents the complete agreement concerning the subject -matter hereof. If any provision of this License is held to be -unenforceable, such provision shall be reformed only to the extent -necessary to make it enforceable. Any law or regulation which provides -that the language of a contract shall be construed against the drafter -shall not be used to construe this License against a Contributor. - -10. Versions of the License ---------------------------- - -10.1. New Versions - -Mozilla Foundation is the license steward. Except as provided in Section -10.3, no one other than the license steward has the right to modify or -publish new versions of this License. Each version will be given a -distinguishing version number. - -10.2. Effect of New Versions - -You may distribute the Covered Software under the terms of the version -of the License under which You originally received the Covered Software, -or under the terms of any subsequent version published by the license -steward. - -10.3. Modified Versions - -If you create software not governed by this License, and you want to -create a new license for such software, you may create and use a -modified version of this License if you rename the license and remove -any references to the name of the license steward (except to note that -such modified license differs from this License). - -10.4. Distributing Source Code Form that is Incompatible With Secondary -Licenses - -If You choose to distribute Source Code Form that is Incompatible With -Secondary Licenses under the terms of this version of the License, the -notice described in Exhibit B of this License must be attached. - -Exhibit A - Source Code Form License Notice -------------------------------------------- - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, You can obtain one at http://mozilla.org/MPL/2.0/. - -If it is not possible or desirable to put the notice in a particular -file, then You may include the notice in a location (such as a LICENSE -file in a relevant directory) where a recipient would be likely to look -for such a notice. - -You may add additional accurate notices of copyright ownership. - -Exhibit B - "Incompatible With Secondary Licenses" Notice ---------------------------------------------------------- - - This Source Code Form is "Incompatible With Secondary Licenses", as - defined by the Mozilla Public License, v. 2.0. diff --git a/vendor/github.com/overdrive3000/secretsmanager/README.md b/vendor/github.com/overdrive3000/secretsmanager/README.md deleted file mode 100644 index d635a400f..000000000 --- a/vendor/github.com/overdrive3000/secretsmanager/README.md +++ /dev/null @@ -1,2 +0,0 @@ -# secretsmanager -Simple go package to get secrets from AWS Secrets Manager diff --git a/vendor/github.com/overdrive3000/secretsmanager/secretsmanager.go b/vendor/github.com/overdrive3000/secretsmanager/secretsmanager.go deleted file mode 100644 index 95968a657..000000000 --- a/vendor/github.com/overdrive3000/secretsmanager/secretsmanager.go +++ /dev/null @@ -1,68 +0,0 @@ -// Package secretsmanager provide methods to get data from -// AWS Secret Manager -package secretsmanager - -import ( - "encoding/json" - "errors" - - "github.com/aws/aws-sdk-go/aws" - "github.com/aws/aws-sdk-go/aws/session" - "github.com/aws/aws-sdk-go/service/secretsmanager" -) - -// New creates an AWS Session Manager Client -func New() (*Secret, error) { - sess := session.Must(session.NewSession()) - - var c *aws.Config - s := Secret{ - Client: secretsmanager.New(sess, c), - } - return &s, nil -} - -// GetSecret return an AWS Secret Manager secret -// in plain text from a given secret name -func (s *Secret) GetSecret(name string) (string, error) { - params := &secretsmanager.GetSecretValueInput{ - SecretId: aws.String(name), - VersionStage: aws.String("AWSCURRENT"), - } - - resp, err := s.Client.GetSecretValue(params) - if err != nil { - return "", err - } - - if resp.SecretString == nil { - return "", errors.New("Secret is not string") - } - - secret := SecretString{ - Name: *resp.Name, - Secret: *resp.SecretString, - } - value, err := getSecretValue(&secret) - if err != nil { - return "", err - } - - return value, nil -} - -func getSecretValue(s *SecretString) (string, error) { - var secretValue map[string]string - - blob := []byte(s.Secret) - - err := json.Unmarshal(blob, &secretValue) - if err != nil { - return "", err - } - - for _, v := range secretValue { - return v, nil - } - return "", errors.New("Secret not found") -} diff --git a/vendor/github.com/overdrive3000/secretsmanager/types.go b/vendor/github.com/overdrive3000/secretsmanager/types.go deleted file mode 100644 index a5de481e0..000000000 --- a/vendor/github.com/overdrive3000/secretsmanager/types.go +++ /dev/null @@ -1,18 +0,0 @@ -package secretsmanager - -import ( - "github.com/aws/aws-sdk-go/service/secretsmanager/secretsmanageriface" -) - -// Secret represents an AWS Secrets Manager -// client -type Secret struct { - Client secretsmanageriface.SecretsManagerAPI -} - -// SecretString is a concret representation -// of an AWS Secrets Manager Secret String -type SecretString struct { - Name string - Secret string -} diff --git a/vendor/modules.txt b/vendor/modules.txt index 065c627ba..cddda6096 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -492,8 +492,6 @@ github.com/oracle/oci-go-sdk/core # github.com/outscale/osc-go v0.0.1 github.com/outscale/osc-go/oapi github.com/outscale/osc-go/utils -# github.com/overdrive3000/secretsmanager v0.0.0-20200421092817-bcdff577c37a -github.com/overdrive3000/secretsmanager # github.com/packer-community/winrmcp v0.0.0-20180921204643-0fd363d6159a github.com/packer-community/winrmcp/winrmcp # github.com/pierrec/lz4 v2.0.5+incompatible From b73602eadd27d4c95257470f93fa2ef8cb989ead Mon Sep 17 00:00:00 2001 From: Juan Mesa Date: Mon, 18 May 2020 12:44:24 +0200 Subject: [PATCH 3/3] Fix corrections * Fix typos in comments. * Add documentation of how to use multiple keys with `aws_secretsmanager` function. * Move `Client` struct to `secretsmanager.go` file. --- .../aws/secretsmanager/secretsmanager.go | 7 ++++--- template/interpolate/aws/secretsmanager/types.go | 14 -------------- template/interpolate/funcs.go | 7 +++---- website/pages/docs/templates/user-variables.mdx | 11 ++++++++++- 4 files changed, 17 insertions(+), 22 deletions(-) diff --git a/template/interpolate/aws/secretsmanager/secretsmanager.go b/template/interpolate/aws/secretsmanager/secretsmanager.go index 94fa26159..a9555f754 100644 --- a/template/interpolate/aws/secretsmanager/secretsmanager.go +++ b/template/interpolate/aws/secretsmanager/secretsmanager.go @@ -12,9 +12,10 @@ import ( "github.com/aws/aws-sdk-go/service/secretsmanager/secretsmanageriface" ) -// SecretsManager returns a representation of the Secrets Manager API -func (c *Client) SecretsManager() secretsmanageriface.SecretsManagerAPI { - return c.api +// Client represents an AWS Secrets Manager client +type Client struct { + config *AWSConfig + api secretsmanageriface.SecretsManagerAPI } // New creates an AWS Session Manager Client diff --git a/template/interpolate/aws/secretsmanager/types.go b/template/interpolate/aws/secretsmanager/types.go index 40d1276fa..6cd1dc46e 100644 --- a/template/interpolate/aws/secretsmanager/types.go +++ b/template/interpolate/aws/secretsmanager/types.go @@ -1,9 +1,5 @@ package secretsmanager -import ( - "github.com/aws/aws-sdk-go/service/secretsmanager/secretsmanageriface" -) - // AWSConfig store configuration used to initialize // secrets manager client. type AWSConfig struct { @@ -13,21 +9,11 @@ type AWSConfig struct { // SecretSpec represent specs of secret to be searched // If Key field is not set then package will return first // secret key stored in secret name. -// -// maps to ClusterConfig type SecretSpec struct { Name string Key string } -// Client represents an AWS Secrets Manager client -// -// maps to ProviderServices -type Client struct { - config *AWSConfig - api secretsmanageriface.SecretsManagerAPI -} - // SecretString is a concret representation // of an AWS Secrets Manager Secret String type SecretString struct { diff --git a/template/interpolate/funcs.go b/template/interpolate/funcs.go index 98696e1ee..7885ae0c4 100644 --- a/template/interpolate/funcs.go +++ b/template/interpolate/funcs.go @@ -10,11 +10,10 @@ import ( "text/template" "time" - awssmapi "github.com/hashicorp/packer/template/interpolate/aws/secretsmanager" - consulapi "github.com/hashicorp/consul/api" "github.com/hashicorp/packer/common/uuid" "github.com/hashicorp/packer/helper/common" + awssmapi "github.com/hashicorp/packer/template/interpolate/aws/secretsmanager" "github.com/hashicorp/packer/version" vaultapi "github.com/hashicorp/vault/api" strftime "github.com/jehiah/go-strftime" @@ -335,7 +334,7 @@ func funcGenAwsSecrets(ctx *Context) interface{} { return "", errors.New("AWS Secrets Manager vars are only allowed in the variables section") } - // Check if at leas 1 parameter has been used + // Check if at least 1 parameter has been used if len(secret) == 0 { return "", errors.New("At least one parameter must be used") } @@ -349,7 +348,7 @@ func funcGenAwsSecrets(ctx *Context) interface{} { var name, key string name = secret[0] // key is optional if not used we fetch the first - // value stored in given secret. If more that two parameters + // value stored in given secret. If more than two parameters // are passed we take second param and ignore the others if len(secret) > 1 { key = secret[1] diff --git a/website/pages/docs/templates/user-variables.mdx b/website/pages/docs/templates/user-variables.mdx index 9e6672013..350105ce9 100644 --- a/website/pages/docs/templates/user-variables.mdx +++ b/website/pages/docs/templates/user-variables.mdx @@ -203,7 +203,16 @@ a user variable to an AWS Secrets Manager secret. } ``` -This will default `password` to the secret value stored at AWS Secrets Manager. +In the example above it is assumed that only one key is stored in `sample/app/password` if there are multiple keys stored in it then you need to indicate the specific key you want to fetch as shown below. + +```json +{ + "variables": { + "db_password": "{{ aws_secretsmanager `sample/app/passwords` `db` }}", + "api_key": "{{ aws_secretsmanager `sample/app/passwords` `api_key` }}" + } +} +``` In order to use this function you have to configure valid AWS credentials using one of the following methods: