Integrations Vault: handle Overwrite secret data on Set (#4387)

* feat: aws secrets manager: handle Overwrite secret vault on Set * feat: berglas: use update and CreateIfMissing strategy for Set
mondoohq · Jul 22, 2024 · a2151b8 · a2151b8
1 parent 06f6b59
commit a2151b8
Show file tree

Hide file tree

Showing 4 changed files with 62 additions and 5 deletions.
diff --git a/providers-sdk/v1/vault/awssecretsmanager/secretsmanager.go b/providers-sdk/v1/vault/awssecretsmanager/secretsmanager.go
@@ -5,9 +5,11 @@ package awssecretsmanager
 
 import (
 	"context"
+	"errors"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/service/secretsmanager"
+	"github.com/aws/aws-sdk-go-v2/service/secretsmanager/types"
 	"github.com/aws/aws-sdk-go/aws/arn"
 	"github.com/rs/zerolog/log"
 	"go.mondoo.com/cnquery/v11/providers-sdk/v1/vault"
@@ -88,6 +90,29 @@ func (v *Vault) Set(ctx context.Context, cred *vault.Secret) (*vault.SecretID, e
 		SecretBinary: cred.Data,
 		KmsKeyId:     kmsKeyID,
 	})
+	if err != nil {
+		var aerr *types.ResourceExistsException
+		if errors.As(err, &aerr) {
+			return v.updateSecret(ctx, cred)
+		}
+
+		return nil, err
+	}
+
+	return &vault.SecretID{Key: *o.ARN}, err
+}
+
+func (v *Vault) updateSecret(ctx context.Context, cred *vault.Secret) (*vault.SecretID, error) {
+	var kmsKeyID *string
+	if len(v.kmsKeyID) > 0 {
+		kmsKeyID = &v.kmsKeyID
+	}
+
+	c := secretsmanager.NewFromConfig(v.cfg)
+	o, err := c.UpdateSecret(ctx, &secretsmanager.UpdateSecretInput{
+		SecretBinary: cred.Data,
+		KmsKeyId:     kmsKeyID,
+	})
 	if err != nil {
 		return nil, err
 	}

diff --git a/providers-sdk/v1/vault/awssecretsmanager/secretsmanager_test.go b/providers-sdk/v1/vault/awssecretsmanager/secretsmanager_test.go
@@ -32,3 +32,27 @@ func TestAwsSecretsManager(t *testing.T) {
 	require.NoError(t, err)
 	assert.Equal(t, cred.Data, get.Data)
 }
+
+func TestAwsSecretsManagerOverwrite(t *testing.T) {
+	ctx := context.Background()
+	cfg, err := config.LoadDefaultConfig(ctx)
+	require.NoError(t, err)
+	v := New(cfg, WithKmsKey("alias/aws/secretsmanager"))
+
+	cred := &vault.Secret{
+		Data: []byte("my-secret-data"),
+		Key:  "mik-test-secret-2",
+	}
+	s, err := v.Set(ctx, cred)
+	require.NoError(t, err)
+	get, err := v.Get(ctx, &vault.SecretID{Key: s.Key})
+	require.NoError(t, err)
+	assert.Equal(t, cred.Data, get.Data)
+
+	cred.Data = []byte("my-even-more-secret-data")
+	s, err = v.Set(ctx, cred)
+	require.NoError(t, err)
+	get, err = v.Get(ctx, &vault.SecretID{Key: s.Key})
+	require.NoError(t, err)
+	assert.Equal(t, cred.Data, get.Data)
+}
diff --git a/providers-sdk/v1/vault/gcpberglas/berglas.go b/providers-sdk/v1/vault/gcpberglas/berglas.go
@@ -139,11 +139,12 @@ func (v *Vault) Set(ctx context.Context, cred *vault.Secret) (*vault.SecretID, e
 		return nil, err
 	}
 
-	_, err = c.Create(ctx, &berglas.StorageCreateRequest{
-		Bucket:    v.bucket,
-		Object:    cred.Key,
-		Plaintext: cred.Data,
-		Key:       v.kmsKeyID,
+	_, err = c.Update(ctx, &berglas.StorageUpdateRequest{
+		Bucket:          v.bucket,
+		Object:          cred.Key,
+		Plaintext:       cred.Data,
+		Key:             v.kmsKeyID,
+		CreateIfMissing: true,
 	})
 	if err != nil {
 		return nil, err

diff --git a/providers-sdk/v1/vault/gcpberglas/berglas_test.go b/providers-sdk/v1/vault/gcpberglas/berglas_test.go
@@ -32,4 +32,11 @@ func TestGcpBerglas(t *testing.T) {
 	get, err := v.Get(ctx, &vault.SecretID{Key: cred.Key})
 	require.NoError(t, err)
 	assert.Equal(t, cred.Data, get.Data)
+
+	cred.Data = []byte("my-even-more-secret-data")
+	_, err = v.Set(ctx, cred)
+	require.NoError(t, err)
+	get, err = v.Get(ctx, &vault.SecretID{Key: cred.Key})
+	require.NoError(t, err)
+	assert.Equal(t, cred.Data, get.Data)
 }