forked from hashicorp/packer
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Aws Secrets Manager data sources (hashicorp#10505)
- Loading branch information
1 parent
e48a86f
commit d1ada74
Showing
24 changed files
with
723 additions
and
39 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,168 @@ | ||
| //go:generate struct-markdown | ||
| //go:generate mapstructure-to-hcl2 -type DatasourceOutput,Config | ||
| package secretsmanager | ||
|
|
||
| import ( | ||
| "encoding/json" | ||
| "fmt" | ||
| "strconv" | ||
|
|
||
| "github.com/aws/aws-sdk-go/aws" | ||
| "github.com/aws/aws-sdk-go/service/secretsmanager" | ||
| "github.com/hashicorp/hcl/v2/hcldec" | ||
| "github.com/hashicorp/packer-plugin-sdk/hcl2helper" | ||
| packersdk "github.com/hashicorp/packer-plugin-sdk/packer" | ||
| "github.com/hashicorp/packer-plugin-sdk/template/config" | ||
| awscommon "github.com/hashicorp/packer/builder/amazon/common" | ||
| "github.com/hashicorp/packer/builder/amazon/common/awserrors" | ||
| "github.com/zclconf/go-cty/cty" | ||
| ) | ||
|
|
||
| type Datasource struct { | ||
| config Config | ||
| } | ||
|
|
||
| type Config struct { | ||
| // Specifies the secret containing the version that you want to retrieve. | ||
| // You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret. | ||
| Name string `mapstructure:"name" required:"true"` | ||
| // Optional key for JSON secrets that contain more than one value. When set, the `value` output will | ||
| // contain the value for the provided key. | ||
| Key string `mapstructure:"key"` | ||
| // Specifies the unique identifier of the version of the secret that you want to retrieve. | ||
| // Overrides version_stage. | ||
| VersionId string `mapstructure:"version_id"` | ||
| // Specifies the secret version that you want to retrieve by the staging label attached to the version. | ||
| // Defaults to AWSCURRENT. | ||
| VersionStage string `mapstructure:"version_stage"` | ||
| awscommon.AccessConfig `mapstructure:",squash"` | ||
| } | ||
|
|
||
| func (d *Datasource) ConfigSpec() hcldec.ObjectSpec { | ||
| return d.config.FlatMapstructure().HCL2Spec() | ||
| } | ||
|
|
||
| func (d *Datasource) Configure(raws ...interface{}) error { | ||
| err := config.Decode(&d.config, nil, raws...) | ||
| if err != nil { | ||
| return err | ||
| } | ||
|
|
||
| var errs *packersdk.MultiError | ||
| errs = packersdk.MultiErrorAppend(errs, d.config.AccessConfig.Prepare()...) | ||
|
|
||
| if d.config.Name == "" { | ||
| errs = packersdk.MultiErrorAppend(errs, fmt.Errorf("a 'name' must be provided")) | ||
| } | ||
|
|
||
| if d.config.VersionStage == "" { | ||
| d.config.VersionStage = "AWSCURRENT" | ||
| } | ||
|
|
||
| if errs != nil && len(errs.Errors) > 0 { | ||
| return errs | ||
| } | ||
| return nil | ||
| } | ||
|
|
||
| type DatasourceOutput struct { | ||
| // When a [key](#key) is provided, this will be the value for that key. If a key is not provided, | ||
| // `value` will contain the first value found in the secret string. | ||
| Value string `mapstructure:"value"` | ||
| // The decrypted part of the protected secret information that | ||
| // was originally provided as a string. | ||
| SecretString string `mapstructure:"secret_string"` | ||
| // The decrypted part of the protected secret information that | ||
| // was originally provided as a binary. Base64 encoded. | ||
| SecretBinary string `mapstructure:"secret_binary"` | ||
| // The unique identifier of this version of the secret. | ||
| VersionId string `mapstructure:"version_id"` | ||
| } | ||
|
|
||
| func (d *Datasource) OutputSpec() hcldec.ObjectSpec { | ||
| return (&DatasourceOutput{}).FlatMapstructure().HCL2Spec() | ||
| } | ||
|
|
||
| func (d *Datasource) Execute() (cty.Value, error) { | ||
| session, err := d.config.Session() | ||
| if err != nil { | ||
| return cty.NullVal(cty.EmptyObject), err | ||
| } | ||
|
|
||
| input := &secretsmanager.GetSecretValueInput{ | ||
| SecretId: aws.String(d.config.Name), | ||
| } | ||
|
|
||
| version := "" | ||
| if d.config.VersionId != "" { | ||
| input.VersionId = aws.String(d.config.VersionId) | ||
| version = d.config.VersionId | ||
| } else { | ||
| input.VersionStage = aws.String(d.config.VersionStage) | ||
| version = d.config.VersionStage | ||
| } | ||
|
|
||
| secretsApi := secretsmanager.New(session) | ||
| secret, err := secretsApi.GetSecretValue(input) | ||
| if err != nil { | ||
| if awserrors.Matches(err, secretsmanager.ErrCodeResourceNotFoundException, "") { | ||
| return cty.NullVal(cty.EmptyObject), fmt.Errorf("Secrets Manager Secret %q Version %q not found", d.config.Name, version) | ||
| } | ||
| if awserrors.Matches(err, secretsmanager.ErrCodeInvalidRequestException, "You can’t perform this operation on the secret because it was deleted") { | ||
| return cty.NullVal(cty.EmptyObject), fmt.Errorf("Secrets Manager Secret %q Version %q not found", d.config.Name, version) | ||
| } | ||
| return cty.NullVal(cty.EmptyObject), fmt.Errorf("error reading Secrets Manager Secret Version: %s", err) | ||
| } | ||
|
|
||
| value, err := getSecretValue(aws.StringValue(secret.SecretString), d.config.Key) | ||
| if err != nil { | ||
| return cty.NullVal(cty.EmptyObject), fmt.Errorf("error to get secret value: %q", err.Error()) | ||
| } | ||
|
|
||
| versionId := aws.StringValue(secret.VersionId) | ||
| output := DatasourceOutput{ | ||
| Value: value, | ||
| SecretString: aws.StringValue(secret.SecretString), | ||
| SecretBinary: fmt.Sprintf("%s", secret.SecretBinary), | ||
| VersionId: versionId, | ||
| } | ||
| return hcl2helper.HCL2ValueFromConfig(output, d.OutputSpec()), nil | ||
| } | ||
|
|
||
| func getSecretValue(secretString string, key string) (string, error) { | ||
| var secretValue map[string]interface{} | ||
| blob := []byte(secretString) | ||
|
|
||
| //For those plaintext secrets just return the value | ||
| if json.Valid(blob) != true { | ||
| return secretString, nil | ||
| } | ||
|
|
||
| err := json.Unmarshal(blob, &secretValue) | ||
| if err != nil { | ||
| return "", err | ||
| } | ||
|
|
||
| if key == "" { | ||
| for _, v := range secretValue { | ||
| return getStringSecretValue(v) | ||
| } | ||
| } | ||
|
|
||
| if v, ok := secretValue[key]; ok { | ||
| return getStringSecretValue(v) | ||
| } | ||
|
|
||
| return "", nil | ||
| } | ||
|
|
||
| func getStringSecretValue(v interface{}) (string, error) { | ||
| switch valueType := v.(type) { | ||
| case string: | ||
| return valueType, nil | ||
| case float64: | ||
| return strconv.FormatFloat(valueType, 'f', 0, 64), nil | ||
| default: | ||
| return "", fmt.Errorf("Unsupported secret value type: %T", valueType) | ||
| } | ||
| } |
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
Oops, something went wrong.