116 lines
3.2 KiB
Go
116 lines
3.2 KiB
Go
package template
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
"log"
|
|
"os"
|
|
"strings"
|
|
"sync"
|
|
|
|
consulapi "github.com/hashicorp/consul/api"
|
|
awssmapi "github.com/hashicorp/packer/packer-plugin-sdk/template/interpolate/aws/secretsmanager"
|
|
vaultapi "github.com/hashicorp/vault/api"
|
|
)
|
|
|
|
// DeprecatedTemplateFunc wraps a template func to warn users that it's
|
|
// deprecated. The deprecation warning is called only once.
|
|
func DeprecatedTemplateFunc(funcName, useInstead string, deprecated func(string) string) func(string) string {
|
|
once := sync.Once{}
|
|
return func(in string) string {
|
|
once.Do(func() {
|
|
log.Printf("[WARN]: the `%s` template func is deprecated, please use %s instead",
|
|
funcName, useInstead)
|
|
})
|
|
return deprecated(in)
|
|
}
|
|
}
|
|
|
|
// Vault retrieves a secret from a HashiCorp Vault KV store.
|
|
// It assumes the necessary environment variables are set.
|
|
func Vault(path string, key string) (string, error) {
|
|
|
|
if token := os.Getenv("VAULT_TOKEN"); token == "" {
|
|
return "", errors.New("Must set VAULT_TOKEN env var in order to use vault template function")
|
|
}
|
|
|
|
vaultConfig := vaultapi.DefaultConfig()
|
|
cli, err := vaultapi.NewClient(vaultConfig)
|
|
if err != nil {
|
|
return "", fmt.Errorf("Error getting Vault client: %s", err)
|
|
}
|
|
secret, err := cli.Logical().Read(path)
|
|
if err != nil {
|
|
return "", fmt.Errorf("Error reading vault secret: %s", err)
|
|
}
|
|
if secret == nil {
|
|
return "", errors.New("Vault Secret does not exist at the given path")
|
|
}
|
|
|
|
data, ok := secret.Data["data"]
|
|
if !ok {
|
|
// maybe ths is v1, not v2 kv store
|
|
value, ok := secret.Data[key]
|
|
if ok {
|
|
return value.(string), nil
|
|
}
|
|
|
|
// neither v1 nor v2 proudced a valid value
|
|
return "", fmt.Errorf("Vault data was empty at the given path. Warnings: %s", strings.Join(secret.Warnings, "; "))
|
|
}
|
|
|
|
if val, ok := data.(map[string]interface{})[key]; ok {
|
|
return val.(string), nil
|
|
}
|
|
return "", errors.New("Vault path does not contain the requested key")
|
|
}
|
|
|
|
// Consul retrieves a value from a HashiCorp Consul KV store.
|
|
// It assumes the necessary environment variables are set.
|
|
func Consul(k string) (string, error) {
|
|
consulConfig := consulapi.DefaultConfig()
|
|
client, err := consulapi.NewClient(consulConfig)
|
|
if err != nil {
|
|
return "", fmt.Errorf("error getting consul client: %s", err)
|
|
}
|
|
|
|
q := &consulapi.QueryOptions{}
|
|
kv, _, err := client.KV().Get(k, q)
|
|
if err != nil {
|
|
return "", fmt.Errorf("error reading consul key: %s", err)
|
|
}
|
|
if kv == nil {
|
|
return "", fmt.Errorf("key does not exist at the given path: %s", k)
|
|
}
|
|
|
|
value := string(kv.Value)
|
|
if value == "" {
|
|
return "", fmt.Errorf("value is empty at path %s", k)
|
|
}
|
|
|
|
return value, nil
|
|
}
|
|
|
|
// GetAwsSecret retrieves a value from an AWS Secrets Manager.
|
|
// It assumes that credentials are properly set in the AWS SDK's credential
|
|
// chain.
|
|
func GetAWSSecret(name, key string) (string, error) {
|
|
// Check if at least 1 parameter has been used
|
|
if len(name) == 0 {
|
|
return "", errors.New("At least one secret name must be provided")
|
|
}
|
|
// client uses AWS SDK CredentialChain method. So,credentials can
|
|
// be loaded from credential file, environment variables, or IAM
|
|
// roles.
|
|
client := awssmapi.New(
|
|
&awssmapi.AWSConfig{},
|
|
)
|
|
|
|
spec := &awssmapi.SecretSpec{
|
|
Name: name,
|
|
Key: key,
|
|
}
|
|
|
|
return client.GetSecret(spec)
|
|
}
|