// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
//go:generate packer-sdc struct-markdown
//go:generate packer-sdc mapstructure-to-hcl2 -type DatasourceOutput,Config
package secretsmanager
import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/service/secretsmanager"
	"github.com/hashicorp/hcl/v2/hcldec"
	awscommon "github.com/hashicorp/packer-plugin-amazon/builder/common"
	"github.com/hashicorp/packer-plugin-amazon/builder/common/awserrors"
	"github.com/hashicorp/packer-plugin-sdk/common"
	"github.com/hashicorp/packer-plugin-sdk/hcl2helper"
	packersdk "github.com/hashicorp/packer-plugin-sdk/packer"
	"github.com/hashicorp/packer-plugin-sdk/template/config"
	"github.com/zclconf/go-cty/cty"
)
// Datasource reads a single secret version from AWS Secrets Manager and
// exposes it to Packer templates as a DatasourceOutput. The config field is
// populated by Configure and consumed by Execute.
type Datasource struct {
	config Config
}
// Config holds the settings of the Secrets Manager data source. It is decoded
// from the template by Configure, which also applies the AWSCURRENT default
// for VersionStage and validates that Name is set. The embedded AccessConfig
// provides the AWS session that Execute uses to call Secrets Manager.
type Config struct {
	common.PackerConfig `mapstructure:",squash"`
	// Specifies the secret containing the version that you want to retrieve.
	// You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.
	Name string `mapstructure:"name" required:"true"`
	// Optional key for JSON secrets that contain more than one value. When set, the `value` output will
	// contain the value for the provided key. If the key is not present in the secret, `value` is empty.
	Key string `mapstructure:"key"`
	// Specifies the unique identifier of the version of the secret that you want to retrieve.
	// Overrides version_stage.
	VersionId string `mapstructure:"version_id"`
	// Specifies the secret version that you want to retrieve by the staging label attached to the version.
	// Defaults to AWSCURRENT.
	VersionStage string `mapstructure:"version_stage"`
	awscommon.AccessConfig `mapstructure:",squash"`
}
// ConfigSpec returns the HCL2 object spec generated from Config's
// mapstructure tags; Packer uses it to decode the data source block.
func (d *Datasource) ConfigSpec() hcldec.ObjectSpec {
	flat := d.config.FlatMapstructure()
	return flat.HCL2Spec()
}
// Configure decodes the raw template values into d.config, prepares the AWS
// access settings and checks that a secret name was supplied. An empty
// version_stage is defaulted to AWSCURRENT. Validation failures are
// collected into one MultiError; nil is returned when there are none.
func (d *Datasource) Configure(raws ...interface{}) error {
	if err := config.Decode(&d.config, nil, raws...); err != nil {
		return err
	}

	// Apply the documented default before validation so later code can
	// rely on the field always being set.
	if d.config.VersionStage == "" {
		d.config.VersionStage = "AWSCURRENT"
	}

	var errs *packersdk.MultiError
	accessErrs := d.config.AccessConfig.Prepare(&d.config.PackerConfig)
	errs = packersdk.MultiErrorAppend(errs, accessErrs...)
	if d.config.Name == "" {
		errs = packersdk.MultiErrorAppend(errs, fmt.Errorf("a 'name' must be provided"))
	}

	if errs == nil || len(errs.Errors) == 0 {
		return nil
	}
	return errs
}
// DatasourceOutput is the set of values the data source exposes to the
// template once Execute succeeds. Value is derived from SecretString by
// getSecretValue; the remaining fields are copied from the GetSecretValue
// response.
type DatasourceOutput struct {
	// When a [key](#key) is provided, this will be the value for that key. If a key is not provided,
	// `value` will contain the first value found in the secret string.
	Value string `mapstructure:"value"`
	// The decrypted part of the protected secret information that
	// was originally provided as a string.
	SecretString string `mapstructure:"secret_string"`
	// The decrypted part of the protected secret information that
	// was originally provided as a binary. Base64 encoded.
	SecretBinary string `mapstructure:"secret_binary"`
	// The unique identifier of this version of the secret.
	VersionId string `mapstructure:"version_id"`
}
// OutputSpec returns the HCL2 object spec generated from DatasourceOutput's
// mapstructure tags; Execute encodes its result against it.
func (d *Datasource) OutputSpec() hcldec.ObjectSpec {
	var out DatasourceOutput
	return out.FlatMapstructure().HCL2Spec()
}
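// Execute fetches the configured secret version from Secrets Manager and
// returns it encoded as a DatasourceOutput value.
//
// version_id takes precedence over version_stage. A missing secret and a
// deleted secret are both reported with the same "not found" error; any
// other API failure is wrapped with %w so callers can inspect it with
// errors.Is/errors.As. Error messages carry the secret name and version,
// never the secret material.
func (d *Datasource) Execute() (cty.Value, error) {
	session, err := d.config.Session()
	if err != nil {
		return cty.NullVal(cty.EmptyObject), err
	}

	input := &secretsmanager.GetSecretValueInput{
		SecretId: aws.String(d.config.Name),
	}
	// version only labels error messages; it mirrors whichever selector
	// was sent to the API.
	var version string
	if d.config.VersionId != "" {
		input.VersionId = aws.String(d.config.VersionId)
		version = d.config.VersionId
	} else {
		input.VersionStage = aws.String(d.config.VersionStage)
		version = d.config.VersionStage
	}

	secretsAPI := secretsmanager.New(session)
	secret, err := secretsAPI.GetSecretValue(input)
	if err != nil {
		if awserrors.Matches(err, secretsmanager.ErrCodeResourceNotFoundException, "") {
			return cty.NullVal(cty.EmptyObject), fmt.Errorf("Secrets Manager Secret %q Version %q not found", d.config.Name, version)
		}
		// Secrets Manager reports a deleted secret with this
		// InvalidRequestException message; surface it as not found too.
		if awserrors.Matches(err, secretsmanager.ErrCodeInvalidRequestException, "You can’t perform this operation on the secret because it was deleted") {
			return cty.NullVal(cty.EmptyObject), fmt.Errorf("Secrets Manager Secret %q Version %q not found", d.config.Name, version)
		}
		return cty.NullVal(cty.EmptyObject), fmt.Errorf("error reading Secrets Manager Secret Version: %w", err)
	}

	secretString := aws.StringValue(secret.SecretString)
	value, err := getSecretValue(secretString, d.config.Key)
	if err != nil {
		return cty.NullVal(cty.EmptyObject), fmt.Errorf("error getting Secrets Manager Secret %q value: %w", d.config.Name, err)
	}

	output := DatasourceOutput{
		Value:        value,
		SecretString: secretString,
		// NOTE(review): DatasourceOutput documents secret_binary as base64
		// encoded, but aws-sdk-go v1 base64-decodes blob fields during
		// unmarshalling, so this exposes the raw bytes; a non-UTF-8 secret
		// would not be a valid HCL string. Confirm the intended encoding
		// before changing it, since existing templates may rely on the
		// current form.
		SecretBinary: string(secret.SecretBinary),
		VersionId:    aws.StringValue(secret.VersionId),
	}
	return hcl2helper.HCL2ValueFromConfig(output, d.OutputSpec()), nil
}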
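// getSecretValue extracts the value to expose as the `value` output from a
// secret string.
//
// Anything that is not a JSON object (plaintext, or valid JSON such as a bare
// number or quoted string) is returned unchanged. For a JSON object the value
// stored under key is returned; when key is empty, the first key/value pair
// in document order is returned, so the result is stable between runs
// (iterating a decoded map would pick a random entry). A key that is not
// present yields "" with a nil error, matching earlier releases; when the
// same key appears twice the last occurrence wins, as json.Unmarshal does.
//
// Only string, numeric and boolean values are supported; nested objects and
// arrays produce an error. Errors report the Go type of an unsupported value,
// never its contents, so they are safe to log.
func getSecretValue(secretString string, key string) (string, error) {
	// Plaintext secrets are returned verbatim.
	if !json.Valid([]byte(secretString)) {
		return secretString, nil
	}

	// UseNumber keeps numbers as their original text so that values such
	// as 1.5 or integers above 2^53 are not rounded through float64.
	dec := json.NewDecoder(strings.NewReader(secretString))
	dec.UseNumber()

	tok, err := dec.Token()
	if err != nil {
		return "", err
	}
	if delim, ok := tok.(json.Delim); !ok || delim != '{' {
		// Valid JSON, but not an object: treat it as a plaintext secret.
		return secretString, nil
	}

	var (
		found bool
		match interface{}
	)
	for dec.More() {
		nameTok, err := dec.Token()
		if err != nil {
			return "", err
		}
		name, ok := nameTok.(string)
		if !ok {
			// Unreachable for input json.Valid accepted; %T avoids echoing data.
			return "", fmt.Errorf("unexpected %T where an object key was expected", nameTok)
		}
		var v interface{}
		if err := dec.Decode(&v); err != nil {
			return "", err
		}
		if key == "" {
			return getStringSecretValue(v)
		}
		if name == key {
			found, match = true, v
		}
	}
	if found {
		return getStringSecretValue(match)
	}
	return "", nil
}

// getStringSecretValue renders one decoded JSON value as the string exposed
// in the `value` output. Strings are returned as-is, json.Number keeps the
// number's original text, float64 uses the shortest exact representation and
// booleans become "true"/"false". Any other type is an error that names the
// type only, not the value.
func getStringSecretValue(v interface{}) (string, error) {
	switch value := v.(type) {
	case string:
		return value, nil
	case json.Number:
		return value.String(), nil
	case float64:
		// Reached only for callers that decoded without UseNumber.
		return strconv.FormatFloat(value, 'f', -1, 64), nil
	case bool:
		return strconv.FormatBool(value), nil
	default:
		return "", fmt.Errorf("Unsupported secret value type: %T", value)
	}
}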