feat(cross): #889 secrets for aws from gitlab

- Add builtin for assuming aws sessions using GitLab OIDC - Add documentation
fluidattacks · Aug 23, 2022 · 7d13d0a · 7d13d0a
1 parent 8d2032f
commit 7d13d0a
Show file tree

Hide file tree

Showing 6 changed files with 170 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -266,6 +266,7 @@ Real life projects that run entirely on [Makes][MAKES]:
         - [envVarsForTerraform](#envvarsforterraform)
     - [Secrets](#secrets)
         - [secretsForAwsFromEnv](#secretsforawsfromenv)
+        - [secretsForAwsFromGitlab](#secretsforawsfromgitlab)
         - [secretsForEnvFromSops](#secretsforenvfromsops)
         - [secretsForGpgFromEnv](#secretsforgpgfromenv)
         - [secretsForKubernetesConfigFromAws](#secretsforkubernetesconfigfromaws)
@@ -2230,6 +2231,8 @@ Example `makes.nix`:
 
 ```nix
 { outputs
+, lintTerraform
+, secretsForAwsFromEnv
 , ...
 }:
 {
@@ -2264,6 +2267,64 @@ Example `makes.nix`:
 }
 ```
 
+### secretsForAwsFromGitlab
+
+Aquire an [Amazon Web Services (AWS)][AWS] session
+using [Gitlab CI OIDC][GITLAB_CI_OIDC].
+
+Types:
+
+- secretsForAwsFromGitlab (`attrsOf awsFromGitlabType`): Optional.
+  Defaults to `{ }`.
+- awsFromGitlabType (`submodule`):
+
+    - roleArn (`str`):
+      ARN of [AWS][AWS] role to be assumed.
+
+    - duration (`ints.positive`): Optional.
+      Duration in seconds of the session.
+      Defaults to `3600`.
+
+Example `makes.nix`:
+
+```nix
+{ outputs
+, lintTerraform
+, secretsForAwsFromGitlab
+, ...
+}:
+{
+  secretsForAwsFromGitlab = {
+    makesDev = {
+      roleArn = "arn:aws:iam::123456789012:role/dev";
+      duration = 3600;
+    };
+    makesProd = {
+      roleArn = "arn:aws:iam::123456789012:role/prod";
+      duration = 7200;
+    };
+  };
+  lintTerraform = {
+    modules = {
+      moduleDev = {
+        setup = [
+          outputs."/secretsForAwsFromGitlab/makesDev"
+        ];
+        src = "/my/module1";
+        version = "0.14";
+      };
+      moduleProd = {
+        setup = [
+          outputs."/secretsForAwsFromGitlab/makesProd"
+        ];
+        src = "/my/module2";
+        version = "0.14";
+      };
+    };
+  };
+}
+```
+
 ### secretsForEnvFromSops
 
 Export secrets from a [Sops][SOPS] encrypted manifest
@@ -5251,6 +5312,8 @@ Project leaders:
   [GitLab CI][GITLAB_CI]
 - [GITLAB_CI_REF]: https://docs.gitlab.com/ee/ci/yaml/
   [GitLab CI configuration syntax][GITLAB_CI_REF]
+- [GITLAB_CI_OIDC]: https://docs.gitlab.com/ee/ci/cloud_services/aws/index.html
+  [GitLab CI OIDC][GITLAB_CI_OIDC]
 - [GITLAB_VARS]: https://docs.gitlab.com/ee/ci/variables/
   [GitLab Variables][GITLAB_VARS]
 - [GNU_MAKE]: https://www.gnu.org/software/make/

diff --git a/src/args/agnostic.nix b/src/args/agnostic.nix
@@ -84,6 +84,7 @@
     makeScriptParallel = import ./make-script-parallel/default.nix self;
     makeSearchPaths = import ./make-search-paths/default.nix self;
     makeSecretForAwsFromEnv = import ./make-secret-for-aws-from-env/default.nix self;
+    makeSecretForAwsFromGitlab = import ./make-secret-for-aws-from-gitlab/default.nix self;
     makeSecretForEnvFromSops = import ./make-secret-for-env-from-sops/default.nix self;
     makeSecretForGpgFromEnv = import ./make-secret-for-gpg-from-env/default.nix self;
     makeSecretForKubernetesConfigFromAws = import ./make-secret-for-kubernetes-config-from-aws/default.nix self;

diff --git a/src/args/make-secret-for-aws-from-gitlab/default.nix b/src/args/make-secret-for-aws-from-gitlab/default.nix
@@ -0,0 +1,23 @@
+{
+  __nixpkgs__,
+  makeTemplate,
+  toDerivationName,
+  ...
+}: {
+  duration,
+  name,
+  roleArn,
+}:
+makeTemplate {
+  replace = {
+    __argDuration__ = duration;
+    __argName__ = toDerivationName name;
+    __argRoleArn__ = roleArn;
+  };
+  name = "make-secret-for-aws-from-gitlab-for-${name}";
+  searchPaths.bin = [
+    __nixpkgs__.awscli
+    __nixpkgs__.jq
+  ];
+  template = ./template.sh;
+}
diff --git a/src/args/make-secret-for-aws-from-gitlab/template.sh b/src/args/make-secret-for-aws-from-gitlab/template.sh
@@ -0,0 +1,40 @@
+# shellcheck shell=bash
+
+function _get_credential {
+  local credential="${1}"
+  local session="${2}"
+
+  echo "${session}" | jq -rec ".Credentials.${credential}"
+}
+
+function login {
+  local args=(
+    --role-arn "${1}"
+    --role-session-name "gitlab-${CI_PROJECT_ID}-${CI_PIPELINE_ID}-${CI_JOB_ID}"
+    --web-identity-token "${CI_JOB_JWT_V2}"
+    --duration-seconds "${2}"
+  )
+  local session
+  export AWS_ACCESS_KEY_ID
+  export AWS_SECRET_ACCESS_KEY
+  export AWS_SESSION_TOKEN
+
+  : \
+    && session="$(aws sts assume-role-with-web-identity "${args[@]}")" \
+    && AWS_ACCESS_KEY_ID="$(_get_credential "AccessKeyId" "${session}")" \
+    && AWS_SECRET_ACCESS_KEY="$(_get_credential "SecretAccessKey" "${session}")" \
+    && AWS_SESSION_TOKEN="$(_get_credential "SessionToken" "${session}")"
+}
+
+function main {
+  : \
+    && info "Making secrets for aws from gitlab for __argName__:" \
+    && if test -n "${CI_JOB_JWT_V2:-}"; then
+      info "Logging in as '__argName__' using GitLab OIDC." \
+        && login "__argRoleArn__" "__argDuration__"
+    else
+      warn "Looks like this job is not running on GitLab CI. Skipping."
+    fi
+}
+
+main "${@}"
diff --git a/src/evaluator/modules/default.nix b/src/evaluator/modules/default.nix
@@ -41,6 +41,7 @@
     (import ./lint-with-lizard/default.nix args)
     (import ./pipelines/default.nix args)
     (import ./secrets-for-aws-from-env/default.nix args)
+    (import ./secrets-for-aws-from-gitlab/default.nix args)
     (import ./secrets-for-env-from-sops/default.nix args)
     (import ./secrets-for-gpg-from-env/default.nix args)
     (import ./secrets-for-kubernetes-config-from-aws/default.nix args)

diff --git a/src/evaluator/modules/secrets-for-aws-from-gitlab/default.nix b/src/evaluator/modules/secrets-for-aws-from-gitlab/default.nix
@@ -0,0 +1,42 @@
+{
+  __toModuleOutputs__,
+  makeSecretForAwsFromGitlab,
+  ...
+}: {
+  config,
+  lib,
+  ...
+}: let
+  type = lib.types.submodule (_: {
+    options = {
+      roleArn = lib.mkOption {
+        type = lib.types.str;
+      };
+      duration = lib.mkOption {
+        default = 3600;
+        type = lib.types.ints.positive;
+      };
+    };
+  });
+  output = name: {
+    roleArn,
+    duration,
+  }: {
+    name = "/secretsForAwsFromGitlab/${name}";
+    value = makeSecretForAwsFromGitlab {
+      inherit duration;
+      inherit name;
+      inherit roleArn;
+    };
+  };
+in {
+  options = {
+    secretsForAwsFromGitlab = lib.mkOption {
+      default = {};
+      type = lib.types.attrsOf type;
+    };
+  };
+  config = {
+    outputs = __toModuleOutputs__ output config.secretsForAwsFromGitlab;
+  };
+}