packer-cn/template/interpolate/aws/secretsmanager/secretsmanager.go

112 lines
2.5 KiB
Go

// Package secretsmanager provide methods to get data from
// AWS Secret Manager
package secretsmanager
import (
"encoding/json"
"errors"
"fmt"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/secretsmanager"
"github.com/aws/aws-sdk-go/service/secretsmanager/secretsmanageriface"
)
// Client represents an AWS Secrets Manager client
type Client struct {
config *AWSConfig
api secretsmanageriface.SecretsManagerAPI
}
// New creates an AWS Session Manager Client
func New(config *AWSConfig) *Client {
c := &Client{
config: config,
}
s := c.newSession(config)
c.api = secretsmanager.New(s)
return c
}
func (c *Client) newSession(config *AWSConfig) *session.Session {
// Initialize config with error verbosity
sessConfig := aws.NewConfig().WithCredentialsChainVerboseErrors(true)
if config.Region != "" {
sessConfig = sessConfig.WithRegion(config.Region)
}
opts := session.Options{
SharedConfigState: session.SharedConfigEnable,
Config: *sessConfig,
}
return session.Must(session.NewSessionWithOptions(opts))
}
// GetSecret return an AWS Secret Manager secret
// in plain text from a given secret name
func (c *Client) GetSecret(spec *SecretSpec) (string, error) {
params := &secretsmanager.GetSecretValueInput{
SecretId: aws.String(spec.Name),
VersionStage: aws.String("AWSCURRENT"),
}
if spec.Name != "" {
params.VersionStage = aws.String(spec.Key)
}
resp, err := c.api.GetSecretValue(params)
if err != nil {
return "", err
}
if resp.SecretString == nil {
return "", errors.New("Secret is not string")
}
secret := SecretString{
Name: *resp.Name,
SecretString: *resp.SecretString,
}
value, err := getSecretValue(&secret, spec)
if err != nil {
return "", err
}
return value, nil
}
func getSecretValue(s *SecretString, spec *SecretSpec) (string, error) {
var secretValue map[string]string
blob := []byte(s.SecretString)
//For those plaintext secrets just return the value
if json.Valid(blob) != true {
return s.SecretString, nil
}
err := json.Unmarshal(blob, &secretValue)
if err != nil {
return "", err
}
// If key is not set and secret has multiple keys, return error
if spec.Key == "" && len(secretValue) > 1 {
return "", errors.New("Secret has multiple values and no key was set")
}
if spec.Key == "" {
for _, v := range secretValue {
return v, nil
}
}
if v, ok := secretValue[spec.Key]; ok {
return v, nil
}
return "", fmt.Errorf("No secret found for key %q", spec.Key)
}