Add secrets manager (#108)

* add secrets manager
* add conditions
* refactor to support common way to add extra services

.gitignore

@@ -37,5 +37,8 @@ nosetests.xml
 # Ignore vim swap files
 .*.sw*
 
+# Ignore intellij
+.idea/
+
 # Ignore virtualenv
 env/

README.rst

@@ -116,7 +116,7 @@ an AWS resource and auto-generate new files.
 The following commands can be run to update the repo:
 
 .. code-block:: sh
-
+  % pip install -r tools/requirements.txt
   % rm -rf generated/
   % python tools/gen.py
   % diff -u awacs generated

awacs/aws_marketplace.py

@@ -6,7 +6,7 @@
 from aws import Action as BaseAction
 from aws import BaseARN
 
-service_name = 'AWS Marketplace Metering Service'
+service_name = 'AWS Marketplace'
 prefix = 'aws-marketplace'
 
 
@@ -23,9 +23,9 @@ def __init__(self, resource='', region='', account=''):
                      account=account)
 
 
-BatchMeterUsage = Action('BatchMeterUsage')
-MeterUsage = Action('MeterUsage')
-ResolveCustomer = Action('ResolveCustomer')
 Subscribe = Action('Subscribe')
 Unsubscribe = Action('Unsubscribe')
 ViewSubscriptions = Action('ViewSubscriptions')
+BatchMeterUsage = Action('BatchMeterUsage')
+MeterUsage = Action('MeterUsage')
+ResolveCustomer = Action('ResolveCustomer')

awacs/secretsmanager.py

@@ -0,0 +1,43 @@
+# Copyright (c) 2012-2013, Mark Peek <mark@peek.org>
+# All rights reserved.
+#
+# See LICENSE file for full license.
+
+from aws import Action as BaseAction
+from aws import BaseARN
+
+service_name = 'AWS Secrets Manager'
+prefix = 'secretsmanager'
+
+
+class Action(BaseAction):
+    def __init__(self, action=None):
+        sup = super(Action, self)
+        sup.__init__(prefix, action)
+
+
+class ARN(BaseARN):
+    def __init__(self, resource='', region='', account=''):
+        sup = super(ARN, self)
+        sup.__init__(service=prefix, resource=resource, region=region,
+                     account=account)
+
+
+CancelRotateSecret = Action('CancelRotateSecret')
+CreateSecret = Action('CreateSecret')
+DeleteResourcePolicy = Action('DeleteResourcePolicy')
+DeleteSecret = Action('DeleteSecret')
+DescribeSecret = Action('DescribeSecret')
+GetRandomPassword = Action('GetRandomPassword')
+GetResourcePolicy = Action('GetResourcePolicy')
+GetSecretValue = Action('GetSecretValue')
+ListSecretVersionIds = Action('ListSecretVersionIds')
+ListSecrets = Action('ListSecrets')
+PutResourcePolicy = Action('PutResourcePolicy')
+PutSecretValue = Action('PutSecretValue')
+RestoreSecret = Action('RestoreSecret')
+RotateSecre = Action('RotateSecre')
+TagResource = Action('TagResource')
+UntagResource = Action('UntagResource')
+UpdateSecret = Action('UpdateSecret')
+UpdateSecretVersionStage = Action('UpdateSecretVersionStage')

tools/gen.py

@@ -4,7 +4,10 @@
 #
 import json
 import os
-import urllib2
+try:
+    from urllib2 import urlopen
+except ImportError:
+    from urllib.request import urlopen
 from slimit.parser import Parser
 from slimit.visitors import nodevisitor
 from slimit.visitors.ecmavisitor import ECMAVisitor
@@ -66,7 +69,7 @@ def __init__(self, *args, **kwargs):
 
 basedir = 'generated'
 
-response = urllib2.urlopen(aws_url)
+response = urlopen(aws_url)
 config = response.read()
 
 
@@ -87,7 +90,7 @@ def visit_UnaryOp(self, node):
 
 visitor = JSONVisitor()
 parser = Parser()
-tree = parser.parse(config)
+tree = parser.parse(config.decode('utf-8'))
 
 flag = False
 policy_editor_config = ""
@@ -106,17 +109,55 @@ def visit_UnaryOp(self, node):
 except OSError:
     pass
 
-extra_services = [
-    ('SMM Messages', {
+
+# Extra services are for those not advertised in policies.js,
+# but are available to be called via AWS apis. If/When these
+# services are added to policies.js, the entry in extra_services
+# will be ignored. IE, policies.js takes priority over
+# extra_services entries.
+
+extra_services = {
+    'SMM Messages': {
         'StringPrefix': 'ssmmessages',
         'Actions': [
             'CreateControlChannel',
             'CreateDataChannel',
             'OpenControlChannel',
             'OpenDataChannel',
         ],
-    },),
-]
+    },
+    'AWS Secrets Manager': {
+        'ARNFormat': 'arn:aws:secretsmanager:'
+                     '<region>:<account>'
+                     ':secret:<resourceType>/<resourcePath>',
+        'ARNRegex': '^arn:aws:secretsmanager:.+',
+        'Actions': [
+            'CancelRotateSecret', 'CreateSecret', 'DeleteResourcePolicy',
+            'DeleteSecret', 'DescribeSecret', 'GetRandomPassword',
+            'GetResourcePolicy', 'GetSecretValue', 'ListSecrets',
+            'ListSecretVersionIds', 'PutResourcePolicy',
+            'PutSecretValue', 'RestoreSecret', 'RotateSecre',
+            'TagResource', 'UntagResource', 'UpdateSecret',
+            'UpdateSecretVersionStage'
+        ],
+        'HasResource': '!0',
+        'StringPrefix': 'secretsmanager',
+        'conditionKeys': [
+            'secretsmanager:Resource/AllowRotationLambdaArn',
+            'secretsmanager:Description',
+            'secretsmanager:ForceDeleteWithoutRecovery',
+            'secretsmanager:KmsKeyId',
+            'secretsmanager:Name',
+            'secretsmanager:RecoveryWindowInDays',
+            'secretsmanager:ResourceTag/<tagname>',
+            'secretsmanager:RotationLambdaArn',
+            'secretsmanager:SecretId',
+            'secretsmanager:VersionId',
+            'secretsmanager:VersionStage'
+        ],
+    },
+}
+
 
 extra_actions = {
     'cloudformation': [
@@ -213,8 +254,14 @@ def visit_UnaryOp(self, node):
     ],
 }
 
+# patch in the extra_services if they are not present in policies.js
+for service_name in extra_services:
+    if not d['serviceMap'].get(service_name):
+        d['serviceMap'][service_name] = extra_services[service_name]
+
+
 filename_seen = {}
-for serviceName, serviceValue in d['serviceMap'].items() + extra_services:
+for serviceName, serviceValue in d['serviceMap'].items():
     prefix = serviceValue['StringPrefix']
     service = prefix
     # Handle prefix such as "directconnect:"

tools/requirements.txt

@@ -0,0 +1 @@
+git+https://github.com/rspivak/slimit.git#egg=slimit