Remove GPG secret parameter resolver #295

Status: merged (5 commits, Jan 14, 2020)
Changes from 3 commits
9 changes: 7 additions & 2 deletions CHANGELOG.md
Expand Up @@ -10,11 +10,15 @@ The format is based on [Keep a Changelog], and this project adheres to

## [Unreleased]

### Added
### Removed

...
- Extracted GPG secret parameter resolving to a separate gem. Please add
[stack_master-gpg_parameter_resolver] to your bundle to continue using this
functionality ([#295]).

[Unreleased]: https://github.com/envato/stack_master/compare/v1.18.0...HEAD
[stack_master-gpg_parameter_resolver]: https://rubygems.org/gems/stack_master-gpg_parameter_resolver
[#295]: https://github.com/envato/stack_master/pull/295

## [1.18.0] - 2019-12-23

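Review bot: the entry under "### Removed" does not say that this is a breaking change. After upgrading, any parameters file with a `secret:` lookup, and any stack definition that still carries `secret_file`, stops working until stack_master-gpg_parameter_resolver is in the bundle. Since the review thread talks about "a clean break with version 2", say so in the entry itself, e.g. "- **Breaking:** Extracted GPG secret parameter resolving to a separate gem ...", and state what a user sees if they upgrade without adding the gem.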
Expand All @@ -32,6 +36,7 @@ The format is based on [Keep a Changelog], and this project adheres to

- Drop ruby 2.3 support in CI ([#294])

[1.18.0]: https://github.com/envato/stack_master/compare/v1.17.1...v1.18.0
[#292]: https://github.com/envato/stack_master/pull/292
[#293]: https://github.com/envato/stack_master/pull/293
[#294]: https://github.com/envato/stack_master/pull/294
40 changes: 6 additions & 34 deletions README.md
Expand Up @@ -25,9 +25,8 @@ are displayed for review.
- Stack events will be displayed until an end state is reached.

Stack parameters can be dynamically resolved at runtime using one of the
built in parameter resolvers. Parameters can be sourced from GPG encrypted YAML
files, other stacks outputs, by querying various AWS APIs to get resource ARNs,
etc.
built in parameter resolvers. Parameters can be sourced from other stacks
outputs, or by querying various AWS APIs to get resource ARNs, etc.

## Installation

Expand Down Expand Up @@ -64,13 +63,11 @@ stack_defaults:
role_arn: service_role_arn
region_defaults:
us-east-1:
secret_file: production.yml.gpg
tags:
environment: production
notification_arns:
- test_arn
ap-southeast-2:
secret_file: staging.yml.gpg
tags:
environment: staging
stacks:
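Review bot: dropping `secret_file` from the `region_defaults` example removes the only documented place for a setting the extracted gem still reads from the stack definition (see the thread on `lib/stack_master/stack_definition.rb`). Either keep one `secret_file:` line here with a comment that it is only honoured when stack_master-gpg_parameter_resolver is loaded, or confirm the gem's own README documents it before this merges.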
Expand Down Expand Up @@ -138,7 +135,7 @@ stacks:

- `templates` - CloudFormation, SparkleFormation or CfnDsl templates.
- `parameters` - Parameters as YAML files.
- `secrets` - GPG encrypted secret files.
- `secrets` - encrypted secret files.
- `policies` - Stack policy JSON files.

## Templates
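Review bot: "`secrets` - encrypted secret files" no longer says which resolver reads that directory. After this change the core gem ships no GPG-based resolver, so a reader cannot tell from the list whether the directory matters without the extra gem. Name the consumer(s), e.g. "`secrets` - encrypted secret files (read by the [stack_master-gpg_parameter_resolver] gem)".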
Expand Down Expand Up @@ -264,35 +261,10 @@ into parameters of dependent stacks.

### Secret

Note: This resolver is not supported on Windows, you can instead use the [Parameter Store](#parameter-store).
Note: This resolver has been extracted into a dedicated gem. Please install and
follow the instructions for the [stack_master-gpg_parameter_resolver] gem.

The secret parameters resolver expects a `secret_file` to be defined in the
stack definition which is a GPG encrypted YAML file. Once decrypted and parsed,
the value provided to the secret resolver is used to lookup the associated key
in the secret file. A common use case for this is to store database passwords.

stack_master.yml:

```yaml
stacks:
us-east-1:
my_app:
template: my_app.json
secret_file: production.yml.gpg
```

secrets/production.yml.gpg, when decrypted:

```yaml
db_password: my-password
```

parameters/my_app.yml:

```yaml
db_password:
secret: db_password
```
[stack_master-gpg_parameter_resolver]: https://github.com/envato/stack_master-gpg_parameter_resolver

### Parameter Store

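Review bot: the removed Windows note pointed Windows users at the Parameter Store resolver; with the section reduced to a link, that guidance is gone even though the limitation is still a property of the GPG resolver. Keep one sentence describing what the resolver does (`secret_file` names a GPG-encrypted YAML file and the value after `secret:` is looked up as a key in it) and keep the Windows / Parameter Store pointer, so the section stands on its own. Also, `[stack_master-gpg_parameter_resolver]` here points at github.com while the CHANGELOG entry points at rubygems.org; pick one target.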
2 changes: 0 additions & 2 deletions features/stack_defaults.feature
Expand Up @@ -10,14 +10,12 @@ Feature: Stack defaults
ap_southeast_2:
notification_arns:
- test_arn_1
secret_file: staging.yml.gpg
tags:
environment: staging
stack_policy_file: my_policy.json
us_east_1:
notification_arns:
- test_arn_2
secret_file: production.yml.gpg
tags:
environment: production
stacks:
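Review bot: removing `secret_file` from this fixture leaves no scenario for the upgrade path: an existing user's `stack_master.yml` will still contain `secret_file:` lines after updating. Add a scenario that loads such a config without the gem installed and asserts on the outcome (key ignored, or a clear error naming stack_master-gpg_parameter_resolver), rather than whatever exception the loader happens to raise.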
1 change: 0 additions & 1 deletion lib/stack_master.rb
Expand Up @@ -70,7 +70,6 @@ module ParameterResolvers
autoload :AmiFinder, 'stack_master/parameter_resolvers/ami_finder'
autoload :StackOutput, 'stack_master/parameter_resolvers/stack_output'
autoload :Ejson, 'stack_master/parameter_resolvers/ejson'
autoload :Secret, 'stack_master/parameter_resolvers/secret'
autoload :SnsTopicName, 'stack_master/parameter_resolvers/sns_topic_name'
autoload :SecurityGroup, 'stack_master/parameter_resolvers/security_group'
autoload :LatestAmiByTags, 'stack_master/parameter_resolvers/latest_ami_by_tags'
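Review bot: with `autoload :Secret` gone, a parameters file containing `secret: db_password` will now fail inside the resolver lookup rather than with a message about the missing gem. If the lookup maps the `secret` key to `ParameterResolvers::Secret` by constant name, the user-facing error is likely a bare NameError; consider catching that case in the lookup and pointing at stack_master-gpg_parameter_resolver.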
52 changes: 0 additions & 52 deletions lib/stack_master/parameter_resolvers/secret.rb

This file was deleted.

2 changes: 0 additions & 2 deletions lib/stack_master/stack_definition.rb
Expand Up @@ -9,7 +9,6 @@ class StackDefinition
:notification_arns,
:base_dir,
:template_dir,
:secret_file,
Contributor:
The stack definition still needs to contain this because the GPG resolver depends on it https://github.com/envato/stack_master-gpg_parameter_resolver/blob/master/lib/stack_master/parameter_resolvers/secret.rb#L43

@orien (Member Author), Jan 14, 2020:
The GPG Parameter Resolver actually adds this back in.

This is a rather dubious approach though. Thoughts?

@orien (Member Author), Jan 14, 2020:
Actually, I'm preferring to move this into the GPG gem. That way it doesn't need to be supported in StackMaster, we can make a clean break with version 2.

Later we could re-work the GPG Parameter Resolver to not use this configuration.

Contributor:
Holy monkey patching, that's ugly.

OK, let's leave it as is and refactor for a v1 of the GPG parameter resolver.

:ejson_file,
:ejson_file_region,
:ejson_file_kms,
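Review bot: as the thread notes, the extracted gem reopens `StackDefinition` to add `secret_file` back. That coupling is invisible from this side: nothing in the diff records which gem versions work with a `StackDefinition` that lacks the attribute. Until the resolver is reworked to stop depending on it, add a line to the CHANGELOG entry (or the gem's README) stating the minimum stack_master-gpg_parameter_resolver version compatible with this release.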
Expand Down Expand Up @@ -47,7 +46,6 @@ def ==(other)
@allowed_accounts == other.allowed_accounts &&
@notification_arns == other.notification_arns &&
@base_dir == other.base_dir &&
@secret_file == other.secret_file &&
@ejson_file == other.ejson_file &&
@ejson_file_region == other.ejson_file_region &&
@ejson_file_kms == other.ejson_file_kms &&
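Review bot: removing `@secret_file == other.secret_file` from `==` means that, once the gem re-adds the attribute, two definitions differing only in `secret_file` compare equal. If the gem's patch only adds the attribute and not the comparison, any spec or diff logic built on `==` silently misses that difference; the gem should patch `==` as well, or this method should compare a list of extra attributes that extensions can register.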
2 changes: 0 additions & 2 deletions spec/fixtures/stack_master.yml
Expand Up @@ -18,7 +18,6 @@ region_defaults:
notification_arns:
- test_arn
role_arn: test_service_role_arn
secret_file: production.yml.gpg
stack_policy_file: my_policy.json
staging:
tags:
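Review bot: with `secret_file` stripped from every fixture region, no spec loads a config that still has the key, which is exactly what existing users' files will look like after upgrading. Keep it in one region (or add a dedicated fixture) and assert what `Config` does with the legacy key.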
Expand All @@ -27,7 +26,6 @@ region_defaults:
notification_arns:
- test_arn_3
role_arn: test_service_role_arn3
secret_file: staging.yml.gpg
stacks:
us-east-1:
myapp_vpc:
5 changes: 0 additions & 5 deletions spec/stack_master/config_spec.rb
Expand Up @@ -13,7 +13,6 @@
notification_arns: ['test_arn', 'test_arn_2'],
role_arn: 'test_service_role_arn2',
base_dir: base_dir,
secret_file: 'production.yml.gpg',
stack_policy_file: 'my_policy.json',
additional_parameter_lookup_dirs: ['production']
)
Expand Down Expand Up @@ -104,14 +103,12 @@
'tags' => { 'environment' => 'production' },
'role_arn' => 'test_service_role_arn',
'notification_arns' => ['test_arn'],
'secret_file' => 'production.yml.gpg',
'stack_policy_file' => 'my_policy.json'
},
'ap-southeast-2' => {
'tags' => {'environment' => 'staging', 'test_override' => 1 },
'role_arn' => 'test_service_role_arn3',
'notification_arns' => ['test_arn_3'],
'secret_file' => 'staging.yml.gpg'
}
})
end
Expand Down Expand Up @@ -139,7 +136,6 @@
notification_arns: ['test_arn_3', 'test_arn_4'],
template: 'myapp_vpc.rb',
base_dir: base_dir,
secret_file: 'staging.yml.gpg',
additional_parameter_lookup_dirs: ['staging']
))
expect(loaded_config.find_stack('ap-southeast-2', 'myapp-web')).to eq(StackMaster::StackDefinition.new(
Expand All @@ -157,7 +153,6 @@
notification_arns: ['test_arn_3'],
template: 'myapp_web',
base_dir: base_dir,
secret_file: 'staging.yml.gpg',
additional_parameter_lookup_dirs: ['staging']
))
end
78 changes: 0 additions & 78 deletions spec/stack_master/parameter_resolvers/secret_spec.rb

This file was deleted.

12 changes: 0 additions & 12 deletions spec/stack_master/validator_spec.rb
Expand Up @@ -40,18 +40,6 @@
expect { validator.perform }.to output(/myapp_vpc: invalid/).to_stdout
end
end

context "validate is called from from a continuous integration system with no access to secrets" do
let(:stack_name) { 'myapp_vpc_with_secrets' }
let(:secret) { instance_double(StackMaster::ParameterResolvers::Secret) }
before do
allow(StackMaster::ParameterResolvers::Secret).to receive(:new).and_return(secret)
end
it "does not prompt for the secret key" do
expect(secret).not_to receive(:resolve)
validator.perform
end
end
end

end
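Review bot: the deleted context covered a behaviour that matters in CI: `validate` must not trigger a resolver that prompts for a GPG passphrase. That expectation leaves with the resolver, so it should land in the gem's spec suite; if the validator's guarantee is general (no resolver's `resolve` is called during validate), keep a version of this test here against a resolver that still exists, e.g. `StackMaster::ParameterResolvers::Ejson`.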
1 change: 0 additions & 1 deletion stack_master.gemspec
Expand Up @@ -64,6 +64,5 @@ Gem::Specification.new do |spec|
spec.add_dependency "multi_json"
spec.add_dependency "hashdiff", "~> 1"
spec.add_dependency "ejson_wrapper"
spec.add_dependency "dotgpg" unless windows_build
spec.add_dependency "diff-lcs" if windows_build
end
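Review bot: `dotgpg` goes, but `spec.add_dependency "diff-lcs" if windows_build` stays. If that conditional existed because `dotgpg` pulled `diff-lcs` in transitively on non-Windows builds, the dependency now needs declaring unconditionally (or dropping if nothing uses it). With no GPG dependency left anywhere, also check whether the `windows_build` branching is still needed at all.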