Merge pull request #10196 from hashicorp/b-aws_secretsmanager-stage-override-issue
Fix issue with AWS secrets manager override default stage
commit
d39dffc573
|
@ -53,9 +53,6 @@ func (c *Client) GetSecret(spec *SecretSpec) (string, error) {
|
||||||
SecretId: aws.String(spec.Name),
|
SecretId: aws.String(spec.Name),
|
||||||
VersionStage: aws.String("AWSCURRENT"),
|
VersionStage: aws.String("AWSCURRENT"),
|
||||||
}
|
}
|
||||||
if spec.Name != "" {
|
|
||||||
params.VersionStage = aws.String(spec.Key)
|
|
||||||
}
|
|
||||||
|
|
||||||
resp, err := c.api.GetSecretValue(params)
|
resp, err := c.api.GetSecretValue(params)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
|
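Review bot: With the `spec.Key` override removed, nothing visible in this hunk guards against an empty `spec.Name`, so `SecretId: aws.String("")` goes straight to `GetSecretValue` and surfaces as an AWS validation error instead of a clear local one; unless `GetSecret` validates the name above this hunk (the function starts before it), add `if spec.Name == "" { return "", errors.New("aws_secretsmanager: secret name is required") }` before the params are built. The hard-coded `VersionStage` is now the only stage selector and deserves a why-comment, since the documentation hunk in this commit redefines `key` as a JSON key inside the secret rather than a version stage: `// Always read the AWSCURRENT stage; spec.Key selects a JSON key within the secret value, not a version stage.` The body of `GetSecret` continues past the end of this hunk, so the error handling after the call is not reviewed here.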
@ -12,20 +12,22 @@ Secrets can be read from the [AWS Secrets
|
||||||
Manager](https://aws.amazon.com/secrets-manager/) and used within your template
|
Manager](https://aws.amazon.com/secrets-manager/) and used within your template
|
||||||
as locals.
|
as locals.
|
||||||
|
|
||||||
|
~> Note: Support for AWS secrets will always obtain the latest version of a secret, essentially
|
||||||
|
AWSCURRENT. Support for previous versions of a secret is not supported.
|
||||||
|
|
||||||
```hcl
|
```hcl
|
||||||
aws_secretsmanager(name, key)
|
aws_secretsmanager(name, key)
|
||||||
```
|
```
|
||||||
|
|
||||||
When key is not set (`null` or empty: `""`) then `aws_secretsmanager` returns
|
When key is not set (`null` or empty: `""`) then `aws_secretsmanager` returns
|
||||||
the first secret key stored in secret `name` using the `AWSCURRENT`.
|
the first secret key stored in secret `name`.
|
||||||
|
|
||||||
You can either use this function in a `locals` block or directly inline where
|
You can either use this function in a `locals` block or directly inline where
|
||||||
you want to use the value.
|
you want to use the value.
|
||||||
|
|
||||||
```hcl
|
```hcl
|
||||||
locals {
|
locals {
|
||||||
// null is equivalent to "AWSCURRENT"
|
secret = aws_secretsmanager("my_secret", null)
|
||||||
current_version = aws_secretsmanager("my_secret", null)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
source "null" "first-example" {
|
source "null" "first-example" {
|
||||||
|
@ -38,13 +40,50 @@ build {
|
||||||
|
|
||||||
provisioner "shell-local" {
|
provisioner "shell-local" {
|
||||||
environment_vars = ["TESTVAR=${build.PackerRunUUID}"]
|
environment_vars = ["TESTVAR=${build.PackerRunUUID}"]
|
||||||
inline = ["echo current version is '${local.current_version}'",
|
inline = ["echo my_secret is '${local.secret}'",
|
||||||
"echo previous version is '${aws_secretsmanager("my_secret", "AWSPREVIOUS")}'."]
|
"echo my_secret using an inline call is '${aws_secretsmanager("my_secret", null)}'."]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
This will load the key stored at behind `my_secret` from aws secrets manager.
|
This will load the key stored behind `my_secret` from aws secrets manager.
|
||||||
|
|
||||||
|
The retrieval of single key secrets or plaintext secrets can be obtained by specifying (`null` or empty: `""`) as the `key`.
|
||||||
|
|
||||||
|
|
||||||
|
When obtaining secrets that have multiple keys you can set `key` to the specific key you would like
|
||||||
|
to fetch. For example, given the following secret with two keys if `key` is set to "shell" `aws_secretsmanager` will
|
||||||
|
return only its value.
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"test": "kitchen",
|
||||||
|
"shell": "powershell"
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
```hcl
|
||||||
|
locals {
|
||||||
|
secret = aws_secretsmanager("multikey/secret", "shell")
|
||||||
|
}
|
||||||
|
|
||||||
|
source "null" "first-example" {
|
||||||
|
communicator = "none"
|
||||||
|
}
|
||||||
|
|
||||||
|
build {
|
||||||
|
name = "my-build-name"
|
||||||
|
sources = ["null.first-example"]
|
||||||
|
|
||||||
|
provisioner "shell-local" {
|
||||||
|
environment_vars = ["TESTVAR=${build.PackerRunUUID}"]
|
||||||
|
inline = ["echo my_secret is '${local.secret}'"]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
This will load the value `"powershell"` stored in the key `"shell"` behind `multikey/secret`.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
In order to use this function you have to configure valid AWS credentials using
|
In order to use this function you have to configure valid AWS credentials using
|
||||||
|
|