forked from concourse/concourse
/
manager.go
135 lines (110 loc) · 4.32 KB
/
manager.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
package secretsmanager
import (
"encoding/json"
"errors"
"code.cloudfoundry.org/lager"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/secretsmanager"
"github.com/pf-qiu/concourse/v6/atc/creds"
)
const DefaultPipelineSecretTemplate = "/concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}"
const DefaultTeamSecretTemplate = "/concourse/{{.Team}}/{{.Secret}}"
type Manager struct {
AwsAccessKeyID string `long:"access-key" description:"AWS Access key ID"`
AwsSecretAccessKey string `long:"secret-key" description:"AWS Secret Access Key"`
AwsSessionToken string `long:"session-token" description:"AWS Session Token"`
AwsRegion string `long:"region" description:"AWS region to send requests to"`
PipelineSecretTemplate string `long:"pipeline-secret-template" description:"AWS Secrets Manager secret identifier template used for pipeline specific parameter" default:"/concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}"`
TeamSecretTemplate string `long:"team-secret-template" description:"AWS Secrets Manager secret identifier template used for team specific parameter" default:"/concourse/{{.Team}}/{{.Secret}}"`
SecretManager *SecretsManager
}
func (manager *Manager) Init(log lager.Logger) error {
config := &aws.Config{Region: &manager.AwsRegion}
if manager.AwsAccessKeyID != "" {
config.Credentials = credentials.NewStaticCredentials(manager.AwsAccessKeyID, manager.AwsSecretAccessKey, manager.AwsSessionToken)
}
sess, err := session.NewSession(config)
if err != nil {
log.Error("create-aws-session", err)
return err
}
manager.SecretManager = &SecretsManager{
log: log,
api: secretsmanager.New(sess),
}
return nil
}
func (manager *Manager) Health() (*creds.HealthResponse, error) {
health := &creds.HealthResponse{
Method: "GetSecretValue",
}
_, _, _, err := manager.SecretManager.getSecretById("__concourse-health-check")
if err != nil {
health.Error = err.Error()
return health, nil
}
health.Response = map[string]string{
"status": "UP",
}
return health, nil
}
func (manager *Manager) MarshalJSON() ([]byte, error) {
health, err := manager.Health()
if err != nil {
return nil, err
}
return json.Marshal(&map[string]interface{}{
"aws_region": manager.AwsRegion,
"pipeline_secret_template": manager.PipelineSecretTemplate,
"team_secret_template": manager.TeamSecretTemplate,
"health": health,
})
}
func (manager *Manager) IsConfigured() bool {
return manager.AwsRegion != ""
}
func (manager *Manager) Validate() error {
if _, err := creds.BuildSecretTemplate("pipeline-secret-template", manager.PipelineSecretTemplate); err != nil {
return err
}
if _, err := creds.BuildSecretTemplate("team-secret-template", manager.TeamSecretTemplate); err != nil {
return err
}
// All of the AWS credential variables may be empty since credentials may be obtained via environemnt variables
// or other means. However, if one of them is provided, then all of them (except session token) must be provided.
if manager.AwsAccessKeyID == "" && manager.AwsSecretAccessKey == "" && manager.AwsSessionToken == "" {
return nil
}
if manager.AwsAccessKeyID == "" {
return errors.New("must provide aws access key id")
}
if manager.AwsSecretAccessKey == "" {
return errors.New("must provide aws secret access key")
}
return nil
}
func (manager *Manager) NewSecretsFactory(log lager.Logger) (creds.SecretsFactory, error) {
config := &aws.Config{Region: &manager.AwsRegion}
if manager.AwsAccessKeyID != "" {
config.Credentials = credentials.NewStaticCredentials(manager.AwsAccessKeyID, manager.AwsSecretAccessKey, manager.AwsSessionToken)
}
sess, err := session.NewSession(config)
if err != nil {
log.Error("create-aws-session", err)
return nil, err
}
pipelineSecretTemplate, err := creds.BuildSecretTemplate("pipeline-secret-template", manager.PipelineSecretTemplate)
if err != nil {
return nil, err
}
teamSecretTemplate, err := creds.BuildSecretTemplate("team-secret-template", manager.TeamSecretTemplate)
if err != nil {
return nil, err
}
return NewSecretsManagerFactory(log, sess, []*creds.SecretTemplate{pipelineSecretTemplate, teamSecretTemplate}), nil
}
func (manager Manager) Close(logger lager.Logger) {
// TODO - to implement
}