mirror of https://github.com/hashicorp/packer
Aws Secrets Manager data sources (#10505)
Sylvia Moss
5 years ago
committed by
GitHub
parent
e48a86ffba
commit
d1ada744e1
@ -0,0 +1,99 @@
|
||||
// Code generated by "mapstructure-to-hcl2 -type DatasourceOutput,Config"; DO NOT EDIT.
|
||||
|
||||
package secretsmanager
|
||||
|
||||
import (
|
||||
"github.com/hashicorp/hcl/v2/hcldec"
|
||||
"github.com/hashicorp/packer/builder/amazon/common"
|
||||
"github.com/zclconf/go-cty/cty"
|
||||
)
|
||||
|
||||
// FlatConfig is an auto-generated flat version of Config.
|
||||
// Where the contents of a field with a `mapstructure:,squash` tag are bubbled up.
|
||||
type FlatConfig struct {
|
||||
Name *string `mapstructure:"name" required:"true" cty:"name" hcl:"name"`
|
||||
Key *string `mapstructure:"key" cty:"key" hcl:"key"`
|
||||
VersionId *string `mapstructure:"version_id" cty:"version_id" hcl:"version_id"`
|
||||
VersionStage *string `mapstructure:"version_stage" cty:"version_stage" hcl:"version_stage"`
|
||||
AccessKey *string `mapstructure:"access_key" required:"true" cty:"access_key" hcl:"access_key"`
|
||||
AssumeRole *common.FlatAssumeRoleConfig `mapstructure:"assume_role" required:"false" cty:"assume_role" hcl:"assume_role"`
|
||||
CustomEndpointEc2 *string `mapstructure:"custom_endpoint_ec2" required:"false" cty:"custom_endpoint_ec2" hcl:"custom_endpoint_ec2"`
|
||||
CredsFilename *string `mapstructure:"shared_credentials_file" required:"false" cty:"shared_credentials_file" hcl:"shared_credentials_file"`
|
||||
DecodeAuthZMessages *bool `mapstructure:"decode_authorization_messages" required:"false" cty:"decode_authorization_messages" hcl:"decode_authorization_messages"`
|
||||
InsecureSkipTLSVerify *bool `mapstructure:"insecure_skip_tls_verify" required:"false" cty:"insecure_skip_tls_verify" hcl:"insecure_skip_tls_verify"`
|
||||
MaxRetries *int `mapstructure:"max_retries" required:"false" cty:"max_retries" hcl:"max_retries"`
|
||||
MFACode *string `mapstructure:"mfa_code" required:"false" cty:"mfa_code" hcl:"mfa_code"`
|
||||
ProfileName *string `mapstructure:"profile" required:"false" cty:"profile" hcl:"profile"`
|
||||
RawRegion *string `mapstructure:"region" required:"true" cty:"region" hcl:"region"`
|
||||
SecretKey *string `mapstructure:"secret_key" required:"true" cty:"secret_key" hcl:"secret_key"`
|
||||
SkipMetadataApiCheck *bool `mapstructure:"skip_metadata_api_check" cty:"skip_metadata_api_check" hcl:"skip_metadata_api_check"`
|
||||
SkipCredsValidation *bool `mapstructure:"skip_credential_validation" cty:"skip_credential_validation" hcl:"skip_credential_validation"`
|
||||
Token *string `mapstructure:"token" required:"false" cty:"token" hcl:"token"`
|
||||
VaultAWSEngine *common.FlatVaultAWSEngineOptions `mapstructure:"vault_aws_engine" required:"false" cty:"vault_aws_engine" hcl:"vault_aws_engine"`
|
||||
PollingConfig *common.FlatAWSPollingConfig `mapstructure:"aws_polling" required:"false" cty:"aws_polling" hcl:"aws_polling"`
|
||||
}
|
||||
|
||||
// FlatMapstructure returns a new FlatConfig.
|
||||
// FlatConfig is an auto-generated flat version of Config.
|
||||
// Where the contents a fields with a `mapstructure:,squash` tag are bubbled up.
|
||||
func (*Config) FlatMapstructure() interface{ HCL2Spec() map[string]hcldec.Spec } {
|
||||
return new(FlatConfig)
|
||||
}
|
||||
|
||||
// HCL2Spec returns the hcl spec of a Config.
|
||||
// This spec is used by HCL to read the fields of Config.
|
||||
// The decoded values from this spec will then be applied to a FlatConfig.
|
||||
func (*FlatConfig) HCL2Spec() map[string]hcldec.Spec {
|
||||
s := map[string]hcldec.Spec{
|
||||
"name": &hcldec.AttrSpec{Name: "name", Type: cty.String, Required: false},
|
||||
"key": &hcldec.AttrSpec{Name: "key", Type: cty.String, Required: false},
|
||||
"version_id": &hcldec.AttrSpec{Name: "version_id", Type: cty.String, Required: false},
|
||||
"version_stage": &hcldec.AttrSpec{Name: "version_stage", Type: cty.String, Required: false},
|
||||
"access_key": &hcldec.AttrSpec{Name: "access_key", Type: cty.String, Required: false},
|
||||
"assume_role": &hcldec.BlockSpec{TypeName: "assume_role", Nested: hcldec.ObjectSpec((*common.FlatAssumeRoleConfig)(nil).HCL2Spec())},
|
||||
"custom_endpoint_ec2": &hcldec.AttrSpec{Name: "custom_endpoint_ec2", Type: cty.String, Required: false},
|
||||
"shared_credentials_file": &hcldec.AttrSpec{Name: "shared_credentials_file", Type: cty.String, Required: false},
|
||||
"decode_authorization_messages": &hcldec.AttrSpec{Name: "decode_authorization_messages", Type: cty.Bool, Required: false},
|
||||
"insecure_skip_tls_verify": &hcldec.AttrSpec{Name: "insecure_skip_tls_verify", Type: cty.Bool, Required: false},
|
||||
"max_retries": &hcldec.AttrSpec{Name: "max_retries", Type: cty.Number, Required: false},
|
||||
"mfa_code": &hcldec.AttrSpec{Name: "mfa_code", Type: cty.String, Required: false},
|
||||
"profile": &hcldec.AttrSpec{Name: "profile", Type: cty.String, Required: false},
|
||||
"region": &hcldec.AttrSpec{Name: "region", Type: cty.String, Required: false},
|
||||
"secret_key": &hcldec.AttrSpec{Name: "secret_key", Type: cty.String, Required: false},
|
||||
"skip_metadata_api_check": &hcldec.AttrSpec{Name: "skip_metadata_api_check", Type: cty.Bool, Required: false},
|
||||
"skip_credential_validation": &hcldec.AttrSpec{Name: "skip_credential_validation", Type: cty.Bool, Required: false},
|
||||
"token": &hcldec.AttrSpec{Name: "token", Type: cty.String, Required: false},
|
||||
"vault_aws_engine": &hcldec.BlockSpec{TypeName: "vault_aws_engine", Nested: hcldec.ObjectSpec((*common.FlatVaultAWSEngineOptions)(nil).HCL2Spec())},
|
||||
"aws_polling": &hcldec.BlockSpec{TypeName: "aws_polling", Nested: hcldec.ObjectSpec((*common.FlatAWSPollingConfig)(nil).HCL2Spec())},
|
||||
}
|
||||
return s
|
||||
}
|
||||
|
||||
// FlatDatasourceOutput is an auto-generated flat version of DatasourceOutput.
|
||||
// Where the contents of a field with a `mapstructure:,squash` tag are bubbled up.
|
||||
type FlatDatasourceOutput struct {
|
||||
Value *string `mapstructure:"value" cty:"value" hcl:"value"`
|
||||
SecretString *string `mapstructure:"secret_string" cty:"secret_string" hcl:"secret_string"`
|
||||
SecretBinary *string `mapstructure:"secret_binary" cty:"secret_binary" hcl:"secret_binary"`
|
||||
VersionId *string `mapstructure:"version_id" cty:"version_id" hcl:"version_id"`
|
||||
}
|
||||
|
||||
// FlatMapstructure returns a new FlatDatasourceOutput.
|
||||
// FlatDatasourceOutput is an auto-generated flat version of DatasourceOutput.
|
||||
// Where the contents a fields with a `mapstructure:,squash` tag are bubbled up.
|
||||
func (*DatasourceOutput) FlatMapstructure() interface{ HCL2Spec() map[string]hcldec.Spec } {
|
||||
return new(FlatDatasourceOutput)
|
||||
}
|
||||
|
||||
// HCL2Spec returns the hcl spec of a DatasourceOutput.
|
||||
// This spec is used by HCL to read the fields of DatasourceOutput.
|
||||
// The decoded values from this spec will then be applied to a FlatDatasourceOutput.
|
||||
func (*FlatDatasourceOutput) HCL2Spec() map[string]hcldec.Spec {
|
||||
s := map[string]hcldec.Spec{
|
||||
"value": &hcldec.AttrSpec{Name: "value", Type: cty.String, Required: false},
|
||||
"secret_string": &hcldec.AttrSpec{Name: "secret_string", Type: cty.String, Required: false},
|
||||
"secret_binary": &hcldec.AttrSpec{Name: "secret_binary", Type: cty.String, Required: false},
|
||||
"version_id": &hcldec.AttrSpec{Name: "version_id", Type: cty.String, Required: false},
|
||||
}
|
||||
return s
|
||||
}
|
||||
@ -0,0 +1,179 @@
|
||||
package secretsmanager
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"os"
|
||||
"os/exec"
|
||||
"regexp"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/aws/aws-sdk-go/aws"
|
||||
"github.com/aws/aws-sdk-go/service/secretsmanager"
|
||||
"github.com/hashicorp/packer-plugin-sdk/acctest"
|
||||
"github.com/hashicorp/packer-plugin-sdk/retry"
|
||||
awscommon "github.com/hashicorp/packer/builder/amazon/common"
|
||||
"github.com/hashicorp/packer/builder/amazon/common/awserrors"
|
||||
)
|
||||
|
||||
func TestAmazonSecretsManager(t *testing.T) {
|
||||
secret := &AmazonSecret{
|
||||
Name: "packer_datasource_secretsmanager_test_secret",
|
||||
Key: "packer_test_key",
|
||||
Value: "this_is_the_packer_test_secret_value",
|
||||
Description: "this is a secret used in a packer acc test",
|
||||
}
|
||||
|
||||
testCase := &acctest.DatasourceTestCase{
|
||||
Name: "amazon_secretsmanager_datasource_basic_test",
|
||||
Setup: func() error {
|
||||
return secret.Create()
|
||||
},
|
||||
Teardown: func() error {
|
||||
return secret.Delete()
|
||||
},
|
||||
Template: testDatasourceBasic,
|
||||
Type: "amazon-secrestmanager",
|
||||
Check: func(buildCommand *exec.Cmd, logfile string) error {
|
||||
if buildCommand.ProcessState != nil {
|
||||
if buildCommand.ProcessState.ExitCode() != 0 {
|
||||
return fmt.Errorf("Bad exit code. Logfile: %s", logfile)
|
||||
}
|
||||
}
|
||||
|
||||
logs, err := os.Open(logfile)
|
||||
if err != nil {
|
||||
return fmt.Errorf("Unable find %s", logfile)
|
||||
}
|
||||
defer logs.Close()
|
||||
|
||||
logsBytes, err := ioutil.ReadAll(logs)
|
||||
if err != nil {
|
||||
return fmt.Errorf("Unable to read %s", logfile)
|
||||
}
|
||||
logsString := string(logsBytes)
|
||||
|
||||
valueLog := fmt.Sprintf("null.basic-example: secret value: %s", secret.Value)
|
||||
secretStringLog := fmt.Sprintf("null.basic-example: secret secret_string: %s", fmt.Sprintf("{%s:%s}", secret.Key, secret.Value))
|
||||
versionIdLog := fmt.Sprintf("null.basic-example: secret version_id: %s", aws.StringValue(secret.Info.VersionId))
|
||||
secretValueLog := fmt.Sprintf("null.basic-example: secret value: %s", secret.Value)
|
||||
|
||||
if matched, _ := regexp.MatchString(valueLog+".*", logsString); !matched {
|
||||
t.Fatalf("logs doesn't contain expected arn %q", logsString)
|
||||
}
|
||||
if matched, _ := regexp.MatchString(secretStringLog+".*", logsString); !matched {
|
||||
t.Fatalf("logs doesn't contain expected secret_string %q", logsString)
|
||||
}
|
||||
if matched, _ := regexp.MatchString(versionIdLog+".*", logsString); !matched {
|
||||
t.Fatalf("logs doesn't contain expected version_id %q", logsString)
|
||||
}
|
||||
if matched, _ := regexp.MatchString(secretValueLog+".*", logsString); !matched {
|
||||
t.Fatalf("logs doesn't contain expected value %q", logsString)
|
||||
}
|
||||
return nil
|
||||
},
|
||||
}
|
||||
acctest.TestDatasource(t, testCase)
|
||||
}
|
||||
|
||||
const testDatasourceBasic = `
|
||||
data "amazon-secretsmanager" "test" {
|
||||
name = "packer_datasource_secretsmanager_test_secret"
|
||||
key = "packer_test_key"
|
||||
}
|
||||
|
||||
locals {
|
||||
value = data.amazon-secretsmanager.test.value
|
||||
secret_string = data.amazon-secretsmanager.test.secret_string
|
||||
version_id = data.amazon-secretsmanager.test.version_id
|
||||
secret_value = jsondecode(data.amazon-secretsmanager.test.secret_string)["packer_test_key"]
|
||||
}
|
||||
|
||||
source "null" "basic-example" {
|
||||
communicator = "none"
|
||||
}
|
||||
|
||||
build {
|
||||
sources = [
|
||||
"source.null.basic-example"
|
||||
]
|
||||
|
||||
provisioner "shell-local" {
|
||||
inline = [
|
||||
"echo secret value: ${local.value}",
|
||||
"echo secret secret_string: ${local.secret_string}",
|
||||
"echo secret version_id: ${local.version_id}",
|
||||
"echo secret value: ${local.secret_value}"
|
||||
]
|
||||
}
|
||||
}
|
||||
`
|
||||
|
||||
type AmazonSecret struct {
|
||||
Name string
|
||||
Key string
|
||||
Value string
|
||||
Description string
|
||||
|
||||
Info *secretsmanager.CreateSecretOutput
|
||||
manager *secretsmanager.SecretsManager
|
||||
}
|
||||
|
||||
func (as *AmazonSecret) Create() error {
|
||||
if as.manager == nil {
|
||||
accessConfig := &awscommon.AccessConfig{}
|
||||
session, err := accessConfig.Session()
|
||||
if err != nil {
|
||||
return fmt.Errorf("Unable to create aws session %s", err.Error())
|
||||
}
|
||||
as.manager = secretsmanager.New(session)
|
||||
}
|
||||
|
||||
newSecret := &secretsmanager.CreateSecretInput{
|
||||
Description: aws.String(as.Description),
|
||||
Name: aws.String(as.Name),
|
||||
SecretString: aws.String(fmt.Sprintf(`{%q:%q}`, as.Key, as.Value)),
|
||||
}
|
||||
|
||||
secret := new(secretsmanager.CreateSecretOutput)
|
||||
var err error
|
||||
err = retry.Config{
|
||||
Tries: 11,
|
||||
ShouldRetry: func(err error) bool {
|
||||
if awserrors.Matches(err, "ResourceExistsException", "") {
|
||||
_ = as.Delete()
|
||||
return true
|
||||
}
|
||||
if awserrors.Matches(err, "InvalidRequestException", "already scheduled for deletion") {
|
||||
return true
|
||||
}
|
||||
return false
|
||||
},
|
||||
RetryDelay: (&retry.Backoff{InitialBackoff: 200 * time.Millisecond, MaxBackoff: 30 * time.Second, Multiplier: 2}).Linear,
|
||||
}.Run(context.TODO(), func(_ context.Context) error {
|
||||
secret, err = as.manager.CreateSecret(newSecret)
|
||||
return err
|
||||
})
|
||||
as.Info = secret
|
||||
return err
|
||||
}
|
||||
|
||||
func (as *AmazonSecret) Delete() error {
|
||||
if as.manager == nil {
|
||||
accessConfig := &awscommon.AccessConfig{}
|
||||
session, err := accessConfig.Session()
|
||||
if err != nil {
|
||||
return fmt.Errorf("Unable to create aws session %s", err.Error())
|
||||
}
|
||||
as.manager = secretsmanager.New(session)
|
||||
}
|
||||
|
||||
secret := &secretsmanager.DeleteSecretInput{
|
||||
ForceDeleteWithoutRecovery: aws.Bool(true),
|
||||
SecretId: aws.String(as.Name),
|
||||
}
|
||||
_, err := as.manager.DeleteSecret(secret)
|
||||
return err
|
||||
}
|
||||
@ -0,0 +1,39 @@
|
||||
package secretsmanager
|
||||
|
||||
import (
|
||||
"testing"
|
||||
)
|
||||
|
||||
func TestDatasourceConfigure_EmptySecretId(t *testing.T) {
|
||||
datasource := Datasource{
|
||||
config: Config{},
|
||||
}
|
||||
if err := datasource.Configure(nil); err == nil {
|
||||
t.Fatalf("Should error if secret id is not specified")
|
||||
}
|
||||
}
|
||||
|
||||
func TestDatasourceConfigure_Dafaults(t *testing.T) {
|
||||
datasource := Datasource{
|
||||
config: Config{
|
||||
Name: "arn:1223",
|
||||
},
|
||||
}
|
||||
if err := datasource.Configure(nil); err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
if datasource.config.VersionStage != "AWSCURRENT" {
|
||||
t.Fatalf("VersionStage not set correctly")
|
||||
}
|
||||
}
|
||||
|
||||
func TestDatasourceConfigure(t *testing.T) {
|
||||
datasource := Datasource{
|
||||
config: Config{
|
||||
Name: "arn:1223",
|
||||
},
|
||||
}
|
||||
if err := datasource.Configure(nil); err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
}
|
||||
@ -0,0 +1,42 @@
|
||||
---
|
||||
description: |
|
||||
Packer is able to fetch data from AWS. To achieve this, Packer comes with
|
||||
data sources to retrieve AMI and secrets information.
|
||||
page_title: Amazon - Data Sources
|
||||
sidebar_title: Amazon
|
||||
---
|
||||
|
||||
# Amazon Data Sources
|
||||
|
||||
Packer is able to fetch data from AWS. To achieve this, Packer comes with data sources to retrieve AMI and secrets information.
|
||||
Packer supports the following data sources at the moment:
|
||||
|
||||
- [amazon-ami](/docs/datasources/amazon/ami) - Filter and fetch an Amazon AMI to output all the AMI information.
|
||||
|
||||
- [amazon-secretsmanager](/docs/datasources/amazon/secretsmanager) - Retrieve information
|
||||
about a Secrets Manager secret version, including its secret value.
|
||||
|
||||
|
||||
## Authentication
|
||||
|
||||
The Amazon Data Sources authentication works just like for the [Amazon Builders](/docs/builders/amazon). Both
|
||||
have the same authentication options and you can refer to the [Amazon Builders authentication](/docs/builders/amazon#authentication)
|
||||
to learn the options to authenticate for data sources.
|
||||
|
||||
-> **Note:** A data source will start and execute in your own authentication session. The authentication in the data source
|
||||
doesn't relate with the authentication on Amazon Builders.
|
||||
|
||||
Basic example of an Amazon data source authentication using `assume_role`:
|
||||
|
||||
```hcl
|
||||
data "amazon-secretsmanager" "basic-example" {
|
||||
name = "packer_test_secret"
|
||||
key = "packer_test_key"
|
||||
|
||||
assume_role {
|
||||
role_arn = "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"
|
||||
session_name = "SESSION_NAME"
|
||||
external_id = "EXTERNAL_ID"
|
||||
}
|
||||
}
|
||||
```
|
||||
@ -0,0 +1,51 @@
|
||||
---
|
||||
description: |
|
||||
The Amazon Secrets Manager data source provides information about a Secrets Manager secret version,
|
||||
including its secret value.
|
||||
|
||||
page_title: Secrets Manager - Data Source
|
||||
sidebar_title: Secrets Manager
|
||||
---
|
||||
|
||||
# Amazon Secrets Manager Data Source
|
||||
|
||||
The Secrets Manager data source provides information about a Secrets Manager secret version,
|
||||
including its secret value.
|
||||
|
||||
-> **Note:** Data sources is a feature exclusively to HCL2 templates.
|
||||
|
||||
Basic examples of usage:
|
||||
|
||||
```hcl
|
||||
data "amazon-secretsmanager" "basic-example" {
|
||||
name = "packer_test_secret"
|
||||
key = "packer_test_key"
|
||||
version_stage = "example"
|
||||
}
|
||||
|
||||
# usage example of the data source output
|
||||
locals {
|
||||
value = data.amazon-secretsmanager.basic-example.value
|
||||
secret_string = data.amazon-secretsmanager.basic-example.secret_string
|
||||
version_id = data.amazon-secretsmanager.basic-example.version_id
|
||||
secret_value = jsondecode(data.amazon-secretsmanager.basic-example.secret_string)["packer_test_key"]
|
||||
}
|
||||
```
|
||||
|
||||
Reading key-value pairs from JSON back into a native Packer map can be accomplished
|
||||
with the [jsondecode() function](/docs/templates/hcl_templates/functions/encoding/jsondecode).
|
||||
|
||||
|
||||
## Configuration Reference
|
||||
|
||||
### Required
|
||||
|
||||
@include 'datasource/amazon/secretsmanager/Config-required.mdx'
|
||||
|
||||
### Optional
|
||||
|
||||
@include 'datasource/amazon/secretsmanager/Config-not-required.mdx'
|
||||
|
||||
## Output Data
|
||||
|
||||
@include 'datasource/amazon/secretsmanager/DatasourceOutput-not-required.mdx'
|
||||
@ -0,0 +1,13 @@
|
||||
<!-- Code generated from the comments of the DatasourceOutput struct in datasource/amazon/ami/data.go; DO NOT EDIT MANUALLY -->
|
||||
|
||||
- `id` (string) - The ID of the AMI.
|
||||
|
||||
- `name` (string) - The name of the AMI.
|
||||
|
||||
- `creation_date` (string) - The date of creation of the AMI.
|
||||
|
||||
- `owner` (string) - The AWS account ID of the owner.
|
||||
|
||||
- `owner_name` (string) - The owner alias.
|
||||
|
||||
- `tags` (map[string]string) - The key/value combination of the tags assigned to the AMI.
|
||||
@ -0,0 +1,10 @@
|
||||
<!-- Code generated from the comments of the Config struct in datasource/amazon/secretsmanager/data.go; DO NOT EDIT MANUALLY -->
|
||||
|
||||
- `key` (string) - Optional key for JSON secrets that contain more than one value. When set, the `value` output will
|
||||
contain the value for the provided key.
|
||||
|
||||
- `version_id` (string) - Specifies the unique identifier of the version of the secret that you want to retrieve.
|
||||
Overrides version_stage.
|
||||
|
||||
- `version_stage` (string) - Specifies the secret version that you want to retrieve by the staging label attached to the version.
|
||||
Defaults to AWSCURRENT.
|
||||
@ -0,0 +1,4 @@
|
||||
<!-- Code generated from the comments of the Config struct in datasource/amazon/secretsmanager/data.go; DO NOT EDIT MANUALLY -->
|
||||
|
||||
- `name` (string) - Specifies the secret containing the version that you want to retrieve.
|
||||
You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.
|
||||
@ -0,0 +1,12 @@
|
||||
<!-- Code generated from the comments of the DatasourceOutput struct in datasource/amazon/secretsmanager/data.go; DO NOT EDIT MANUALLY -->
|
||||
|
||||
- `value` (string) - When a [key](#key) is provided, this will be the value for that key. If a key is not provided,
|
||||
`value` will contain the first value found in the secret string.
|
||||
|
||||
- `secret_string` (string) - The decrypted part of the protected secret information that
|
||||
was originally provided as a string.
|
||||
|
||||
- `secret_binary` (string) - The decrypted part of the protected secret information that
|
||||
was originally provided as a binary. Base64 encoded.
|
||||
|
||||
- `version_id` (string) - The unique identifier of this version of the secret.
|
||||
Loading…
Reference in new issue