"""AWS SSM Parameter Store lookup."""
# pylint: disable=arguments-differ,unused-argument
import logging
import warnings
from runway.lookups.handlers.base import LookupHandler
from ...session_cache import get_session
from ...util import read_value_from_path
# Name of this lookup; presumably the key it is registered under
# (matches the ``${ssmstore ...}`` syntax in the handler docstring) - confirm.
TYPE_NAME = 'ssmstore'

# Module-level logger, named after this module.
LOGGER = logging.getLogger(__name__)
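class SsmstoreLookup(LookupHandler):
    """AWS SSM Parameter Store lookup (deprecated in favor of ``ssm``)."""

    DEPRECATION_MSG = ('The "ssmstore" lookup has been deprecated. '
                       'The "ssm" lookup should be used instead.')

    @classmethod
    def handle(cls, value, context=None, provider=None, **kwargs):
        """Retrieve (and decrypt) a parameter from AWS SSM Parameter Store.

        The parameter is requested with ``WithDecryption=True``, so a
        ``SecureString`` parameter is returned in plaintext. Treat the
        return value as a secret: do not log it or write it to build output.

        Args:
            value (str): Parameter(s) given to this lookup.
            context (:class:`runway.cfngin.context.Context`): Context instance.
                Not used by this handler.
            provider (:class:`runway.cfngin.providers.base.BaseProvider`):
                Provider instance. Not used by this handler.

        Returns:
            str: Looked up value.

        Raises:
            ValueError: The parameter was not returned by SSM for the
                requested region.

        ``value`` should be in the following format::

            [<region>@]ssmkey

        .. note:: The region is optional, and defaults to us-east-1 if not
                  given.

        Example:
            ::

                # In CFNgin we would reference the encrypted value like:
                conf_key: ${ssmstore us-east-1@ssmkey}

            You can optionally store the value in a file, ie::

                ssmstore_value.txt
                us-east-1@ssmkey

            and reference it within CFNgin (NOTE: the path should be relative
            to the CFNgin config file)::

                conf_key: ${ssmstore file://ssmstore_value.txt}

                # Both of the above would resolve to
                conf_key: PASSWORD

        """
        # Announce the deprecation through both the warnings machinery and
        # the module logger so it is visible however the tool is run.
        warnings.warn(cls.DEPRECATION_MSG, DeprecationWarning)
        LOGGER.warning(cls.DEPRECATION_MSG)

        # Per the docstring, a ``file://`` reference is replaced by the
        # contents of that file; other values presumably pass through
        # unchanged - confirm against read_value_from_path.
        value = read_value_from_path(value)

        region = "us-east-1"
        if "@" in value:
            # Split on the first "@" only, so the key itself may contain "@".
            region, value = value.split("@", 1)

        client = get_session(region).client("ssm")
        response = client.get_parameters(
            Names=[
                value,
            ],
            WithDecryption=True
        )

        # get_parameters reports a name it could not resolve with an EMPTY
        # 'Parameters' list, not a missing key. Checking only for the key
        # let the [0] index raise IndexError and skipped the intended
        # ValueError below, so test for a non-empty list instead.
        parameters = response.get('Parameters')
        if parameters:
            return str(parameters[0]['Value'])

        # The message names only the key and region, never a secret value.
        raise ValueError('SSMKey "{}" does not exist in region {}'.format(
            value, region))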