parameterstore.go 10 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355
  1. /*
  2. Licensed under the Apache License, Version 2.0 (the "License");
  3. you may not use this file except in compliance with the License.
  4. You may obtain a copy of the License at
  5. http://www.apache.org/licenses/LICENSE-2.0
  6. Unless required by applicable law or agreed to in writing, software
  7. distributed under the License is distributed on an "AS IS" BASIS,
  8. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  9. See the License for the specific language governing permissions and
  10. limitations under the License.
  11. */
  12. package parameterstore
  13. import (
  14. "context"
  15. "encoding/json"
  16. "errors"
  17. "fmt"
  18. "strings"
  19. "github.com/aws/aws-sdk-go/aws"
  20. "github.com/aws/aws-sdk-go/aws/awserr"
  21. "github.com/aws/aws-sdk-go/aws/request"
  22. "github.com/aws/aws-sdk-go/aws/session"
  23. "github.com/aws/aws-sdk-go/service/ssm"
  24. "github.com/tidwall/gjson"
  25. utilpointer "k8s.io/utils/pointer"
  26. esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
  27. "github.com/external-secrets/external-secrets/pkg/find"
  28. "github.com/external-secrets/external-secrets/pkg/provider/aws/util"
  29. )
  30. // https://github.com/external-secrets/external-secrets/issues/644
  31. var (
  32. _ esv1beta1.SecretsClient = &ParameterStore{}
  33. managedBy = "managed-by"
  34. externalSecrets = "external-secrets"
  35. )
  36. // ParameterStore is a provider for AWS ParameterStore.
  37. type ParameterStore struct {
  38. sess *session.Session
  39. client PMInterface
  40. }
  41. // PMInterface is a subset of the parameterstore api.
  42. // see: https://docs.aws.amazon.com/sdk-for-go/api/service/ssm/ssmiface/
  43. type PMInterface interface {
  44. GetParameterWithContext(aws.Context, *ssm.GetParameterInput, ...request.Option) (*ssm.GetParameterOutput, error)
  45. PutParameterWithContext(aws.Context, *ssm.PutParameterInput, ...request.Option) (*ssm.PutParameterOutput, error)
  46. DescribeParametersWithContext(aws.Context, *ssm.DescribeParametersInput, ...request.Option) (*ssm.DescribeParametersOutput, error)
  47. ListTagsForResourceWithContext(aws.Context, *ssm.ListTagsForResourceInput, ...request.Option) (*ssm.ListTagsForResourceOutput, error)
  48. }
  49. const (
  50. errUnexpectedFindOperator = "unexpected find operator"
  51. )
  52. // New constructs a ParameterStore Provider that is specific to a store.
  53. func New(sess *session.Session, cfg *aws.Config) (*ParameterStore, error) {
  54. return &ParameterStore{
  55. sess: sess,
  56. client: ssm.New(sess, cfg),
  57. }, nil
  58. }
  59. func (pm *ParameterStore) getTagsByName(ctx aws.Context, ref *ssm.GetParameterOutput) ([]*ssm.Tag, error) {
  60. parameterType := "Parameter"
  61. parameterTags := ssm.ListTagsForResourceInput{
  62. ResourceId: ref.Parameter.Name,
  63. ResourceType: &parameterType,
  64. }
  65. data, err := pm.client.ListTagsForResourceWithContext(ctx, &parameterTags)
  66. if err != nil {
  67. return nil, fmt.Errorf("error listing tags %w", err)
  68. }
  69. return data.TagList, nil
  70. }
  71. func (pm *ParameterStore) SetSecret(ctx context.Context, value []byte, remoteRef esv1beta1.PushRemoteRef) error {
  72. // TODO create tags outside of the flow of create parameter: so we can always create parameters
  73. // and always create tags.
  74. // TODO then create validation for secret versions so that we only have a new version on value change
  75. // TODO Testing manually, unit tests, validation tests
  76. parameterType := "String"
  77. overwrite := true
  78. stringValue := string(value)
  79. secretName := remoteRef.GetRemoteKey()
  80. secretRequest := ssm.PutParameterInput{
  81. Name: &secretName,
  82. Value: &stringValue,
  83. Type: &parameterType,
  84. Overwrite: &overwrite,
  85. }
  86. secretValue := ssm.GetParameterInput{
  87. Name: &secretName,
  88. }
  89. existing, err := pm.client.GetParameterWithContext(ctx, &secretValue)
  90. var awsError awserr.Error
  91. ok := errors.As(err, &awsError)
  92. if err != nil && (!ok || awsError.Code() != ssm.ErrCodeParameterNotFound) {
  93. return fmt.Errorf("unexpected error getting parameter %v: %w", secretName, err)
  94. }
  95. // If we have a valid parameter returned to us, check its tags
  96. if existing != nil && existing.Parameter != nil {
  97. fmt.Println("The existing value contains data:", existing.String())
  98. tags, err := pm.getTagsByName(ctx, existing)
  99. if err != nil {
  100. return fmt.Errorf("error getting the existing tags for the parameter %v: %w", secretName, err)
  101. }
  102. isManaged := isManagedByESO(tags)
  103. if !isManaged {
  104. // TODO Can we refactor this error message to a higher scope to stop duplicates
  105. return fmt.Errorf("secret not managed by external-secrets")
  106. }
  107. if existing.Parameter.Value != nil && *existing.Parameter.Value == string(value) {
  108. return nil
  109. }
  110. return pm.setManagedRemoteParameter(ctx, secretRequest, false)
  111. }
  112. // let's set the secret
  113. // Do we need to delete the existing parameter on the remote?
  114. return pm.setManagedRemoteParameter(ctx, secretRequest, true)
  115. }
  116. func isManagedByESO(tags []*ssm.Tag) bool {
  117. for _, tag := range tags {
  118. if *tag.Key == managedBy && *tag.Value == externalSecrets {
  119. return true
  120. }
  121. }
  122. return false
  123. }
  124. func (pm *ParameterStore) setManagedRemoteParameter(ctx context.Context, secretRequest ssm.PutParameterInput, createManagedByTags bool) error {
  125. externalSecretsTag := ssm.Tag{
  126. Key: &managedBy,
  127. Value: &externalSecrets,
  128. }
  129. overwrite := true
  130. secretRequest.Overwrite = &overwrite
  131. if createManagedByTags {
  132. secretRequest.Tags = append(secretRequest.Tags, &externalSecretsTag)
  133. overwrite = false
  134. }
  135. _, err := pm.client.PutParameterWithContext(ctx, &secretRequest)
  136. if err != nil {
  137. return fmt.Errorf("unexpected error pushing parameter %v: %w", secretRequest.Name, err)
  138. }
  139. return nil
  140. }
  141. // GetAllSecrets fetches information from multiple secrets into a single kubernetes secret.
  142. func (pm *ParameterStore) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
  143. if ref.Name != nil {
  144. return pm.findByName(ctx, ref)
  145. }
  146. if ref.Tags != nil {
  147. return pm.findByTags(ctx, ref)
  148. }
  149. return nil, errors.New(errUnexpectedFindOperator)
  150. }
  151. func (pm *ParameterStore) findByName(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
  152. matcher, err := find.New(*ref.Name)
  153. if err != nil {
  154. return nil, err
  155. }
  156. pathFilter := make([]*ssm.ParameterStringFilter, 0)
  157. if ref.Path != nil {
  158. pathFilter = append(pathFilter, &ssm.ParameterStringFilter{
  159. Key: aws.String("Path"),
  160. Option: aws.String("Recursive"),
  161. Values: []*string{ref.Path},
  162. })
  163. }
  164. data := make(map[string][]byte)
  165. var nextToken *string
  166. for {
  167. it, err := pm.client.DescribeParametersWithContext(
  168. ctx,
  169. &ssm.DescribeParametersInput{
  170. NextToken: nextToken,
  171. ParameterFilters: pathFilter,
  172. })
  173. if err != nil {
  174. return nil, err
  175. }
  176. for _, param := range it.Parameters {
  177. if !matcher.MatchName(*param.Name) {
  178. continue
  179. }
  180. err = pm.fetchAndSet(ctx, data, *param.Name)
  181. if err != nil {
  182. return nil, err
  183. }
  184. }
  185. nextToken = it.NextToken
  186. if nextToken == nil {
  187. break
  188. }
  189. }
  190. return data, nil
  191. }
  192. func (pm *ParameterStore) findByTags(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
  193. filters := make([]*ssm.ParameterStringFilter, 0)
  194. for k, v := range ref.Tags {
  195. filters = append(filters, &ssm.ParameterStringFilter{
  196. Key: utilpointer.StringPtr(fmt.Sprintf("tag:%s", k)),
  197. Values: []*string{utilpointer.StringPtr(v)},
  198. Option: utilpointer.StringPtr("Equals"),
  199. })
  200. }
  201. if ref.Path != nil {
  202. filters = append(filters, &ssm.ParameterStringFilter{
  203. Key: aws.String("Path"),
  204. Option: aws.String("Recursive"),
  205. Values: []*string{ref.Path},
  206. })
  207. }
  208. data := make(map[string][]byte)
  209. var nextToken *string
  210. for {
  211. it, err := pm.client.DescribeParametersWithContext(
  212. ctx,
  213. &ssm.DescribeParametersInput{
  214. ParameterFilters: filters,
  215. NextToken: nextToken,
  216. })
  217. if err != nil {
  218. return nil, err
  219. }
  220. for _, param := range it.Parameters {
  221. err = pm.fetchAndSet(ctx, data, *param.Name)
  222. if err != nil {
  223. return nil, err
  224. }
  225. }
  226. nextToken = it.NextToken
  227. if nextToken == nil {
  228. break
  229. }
  230. }
  231. return data, nil
  232. }
  233. func (pm *ParameterStore) fetchAndSet(ctx context.Context, data map[string][]byte, name string) error {
  234. out, err := pm.client.GetParameterWithContext(ctx, &ssm.GetParameterInput{
  235. Name: utilpointer.StringPtr(name),
  236. WithDecryption: aws.Bool(true),
  237. })
  238. if err != nil {
  239. return util.SanitizeErr(err)
  240. }
  241. data[name] = []byte(*out.Parameter.Value)
  242. return nil
  243. }
  244. // GetSecret returns a single secret from the provider.
  245. func (pm *ParameterStore) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
  246. out, err := pm.client.GetParameterWithContext(ctx, &ssm.GetParameterInput{
  247. Name: &ref.Key,
  248. WithDecryption: aws.Bool(true),
  249. })
  250. nsf := esv1beta1.NoSecretError{}
  251. var nf *ssm.ParameterNotFound
  252. if errors.As(err, &nf) || errors.As(err, &nsf) {
  253. return nil, esv1beta1.NoSecretErr
  254. }
  255. if err != nil {
  256. return nil, util.SanitizeErr(err)
  257. }
  258. if ref.Property == "" {
  259. if out.Parameter.Value != nil {
  260. return []byte(*out.Parameter.Value), nil
  261. }
  262. return nil, fmt.Errorf("invalid secret received. parameter value is nil for key: %s", ref.Key)
  263. }
  264. idx := strings.Index(ref.Property, ".")
  265. if idx > -1 {
  266. refProperty := strings.ReplaceAll(ref.Property, ".", "\\.")
  267. val := gjson.Get(*out.Parameter.Value, refProperty)
  268. if val.Exists() {
  269. return []byte(val.String()), nil
  270. }
  271. }
  272. val := gjson.Get(*out.Parameter.Value, ref.Property)
  273. if !val.Exists() {
  274. return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Property, ref.Key)
  275. }
  276. return []byte(val.String()), nil
  277. }
  278. // GetSecretMap returns multiple k/v pairs from the provider.
  279. func (pm *ParameterStore) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
  280. data, err := pm.GetSecret(ctx, ref)
  281. if err != nil {
  282. return nil, err
  283. }
  284. kv := make(map[string]json.RawMessage)
  285. err = json.Unmarshal(data, &kv)
  286. if err != nil {
  287. return nil, fmt.Errorf("unable to unmarshal secret %s: %w", ref.Key, err)
  288. }
  289. secretData := make(map[string][]byte)
  290. for k, v := range kv {
  291. var strVal string
  292. err = json.Unmarshal(v, &strVal)
  293. if err == nil {
  294. secretData[k] = []byte(strVal)
  295. } else {
  296. secretData[k] = v
  297. }
  298. }
  299. return secretData, nil
  300. }
  301. func (pm *ParameterStore) Close(ctx context.Context) error {
  302. return nil
  303. }
  304. func (pm *ParameterStore) Validate() (esv1beta1.ValidationResult, error) {
  305. _, err := pm.sess.Config.Credentials.Get()
  306. if err != nil {
  307. return esv1beta1.ValidationResultError, err
  308. }
  309. return esv1beta1.ValidationResultReady, nil
  310. }