Merge pull request #10196 from hashicorp/b-aws_secretsmanager-stage-override-issue

Fix issue with AWS secrets manager override default stage
This commit is contained in:
Megan Marsh 2020-10-30 11:35:37 -07:00 committed by GitHub
commit d39dffc573
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 45 additions and 9 deletions


@ -53,9 +53,6 @@ func (c *Client) GetSecret(spec *SecretSpec) (string, error) {
SecretId: aws.String(spec.Name), SecretId: aws.String(spec.Name),
VersionStage: aws.String("AWSCURRENT"), VersionStage: aws.String("AWSCURRENT"),
} }
if spec.Name != "" {
params.VersionStage = aws.String(spec.Key)
}
resp, err := c.api.GetSecretValue(params) resp, err := c.api.GetSecretValue(params)
if err != nil { if err != nil {
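Review bot: the removed block guarded on `spec.Name != ""` while assigning `spec.Key` to `params.VersionStage`, so every lookup with a non-empty secret name sent the contents of `spec.Key` to `GetSecretValue` as the version stage instead of `AWSCURRENT`; deleting it is the right fix, but nothing in this hunk pins that down, so a unit test on the `GetSecretValue` input that asserts `VersionStage` stays `AWSCURRENT` for both a null and a non-empty `key` would stop the override from creeping back. Since the stage is now hard-coded, a one-line comment above the `VersionStage: aws.String("AWSCURRENT")` literal saying that other version stages are intentionally unsupported would save the next reader from re-adding an override.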


@ -12,20 +12,22 @@ Secrets can be read from the [AWS Secrets
Manager](https://aws.amazon.com/secrets-manager/) and used within your template Manager](https://aws.amazon.com/secrets-manager/) and used within your template
as locals. as locals.
~> Note: Support for AWS secrets will always obtain the latest version of a secret, essentially
AWSCURRENT. Support for previous versions of a secret is not supported.
```hcl ```hcl
aws_secretsmanager(name, key) aws_secretsmanager(name, key)
``` ```
When key is not set (`null` or empty: `""`) then `aws_secretsmanager` returns When key is not set (`null` or empty: `""`) then `aws_secretsmanager` returns
the first secret key stored in secret `name` using the `AWSCURRENT`. the first secret key stored in secret `name`.
You can either use this function in a `locals` block or directly inline where You can either use this function in a `locals` block or directly inline where
you want to use the value. you want to use the value.
```hcl ```hcl
locals { locals {
// null is equivalent to "AWSCURRENT" secret = aws_secretsmanager("my_secret", null)
current_version = aws_secretsmanager("my_secret", null)
} }
source "null" "first-example" { source "null" "first-example" {
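Review bot: the added `~> Note:` reads awkwardly ("Support for AWS secrets will always obtain the latest version ... Support for previous versions of a secret is not supported"); suggest stating it directly, e.g. "`aws_secretsmanager` always reads the `AWSCURRENT` version of a secret; other version stages such as `AWSPREVIOUS` cannot be requested." That also makes explicit that the second argument is a JSON key inside the secret and not a version stage, which is exactly the confusion the dropped `// null is equivalent to "AWSCURRENT"` comment used to invite.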
@ -38,13 +40,50 @@ build {
provisioner "shell-local" { provisioner "shell-local" {
environment_vars = ["TESTVAR=${build.PackerRunUUID}"] environment_vars = ["TESTVAR=${build.PackerRunUUID}"]
inline = ["echo current version is '${local.current_version}'", inline = ["echo my_secret is '${local.secret}'",
"echo previous version is '${aws_secretsmanager("my_secret", "AWSPREVIOUS")}'."] "echo my_secret using an inline call is '${aws_secretsmanager("my_secret", null)}'."]
} }
} }
``` ```
This will load the key stored at behind `my_secret` from aws secrets manager. This will load the key stored behind `my_secret` from aws secrets manager.
The retrieval of single key secrets or plaintext secrets can be obtained by specifying (`null` or empty: `""`) as the `key`.
When obtaining secrets that have multiple keys you can set `key` to the specific key you would like
to fetch. For example, given the following secret with two keys if `key` is set to "shell" `aws_secretsmanager` will
return only its value.
```json
{
"test": "kitchen",
"shell": "powershell"
}
```
```hcl
locals {
secret = aws_secretsmanager("multikey/secret", "shell")
}
source "null" "first-example" {
communicator = "none"
}
build {
name = "my-build-name"
sources = ["null.first-example"]
provisioner "shell-local" {
environment_vars = ["TESTVAR=${build.PackerRunUUID}"]
inline = ["echo my_secret is '${local.secret}'"]
}
}
```
This will load the value `"powershell"` stored in the key `"shell"` behind `multikey/secret`.
In order to use this function you have to configure valid AWS credentials using In order to use this function you have to configure valid AWS credentials using
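Review bot: the sentence "The retrieval of single key secrets or plaintext secrets can be obtained by specifying (`null` or empty: `""`) as the `key`" is hard to parse; suggest "For a plaintext secret, or to get the first key of a JSON secret, pass `null` or `""` as `key`." The sentence "given the following secret with two keys if `key` is set to "shell"" needs a comma after "keys". Both examples also `echo` the fetched value from a `shell-local` provisioner, which writes the secret into the Packer build output and any CI log that captures it; a short remark that this is for demonstration only and that real templates should not print the value would keep readers from copying that pattern.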