parameterstore.go 7.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255
  1. /*
  2. Licensed under the Apache License, Version 2.0 (the "License");
  3. you may not use this file except in compliance with the License.
  4. You may obtain a copy of the License at
  5. http://www.apache.org/licenses/LICENSE-2.0
  6. Unless required by applicable law or agreed to in writing, software
  7. distributed under the License is distributed on an "AS IS" BASIS,
  8. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  9. See the License for the specific language governing permissions and
  10. limitations under the License.
  11. */
  12. package parameterstore
  13. import (
  14. "context"
  15. "encoding/json"
  16. "errors"
  17. "fmt"
  18. "strings"
  19. "github.com/aws/aws-sdk-go/aws"
  20. "github.com/aws/aws-sdk-go/aws/request"
  21. "github.com/aws/aws-sdk-go/aws/session"
  22. "github.com/aws/aws-sdk-go/service/ssm"
  23. "github.com/tidwall/gjson"
  24. utilpointer "k8s.io/utils/pointer"
  25. esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
  26. "github.com/external-secrets/external-secrets/pkg/find"
  27. "github.com/external-secrets/external-secrets/pkg/provider/aws/util"
  28. )
  29. // https://github.com/external-secrets/external-secrets/issues/644
  30. var _ esv1beta1.SecretsClient = &ParameterStore{}
  31. // ParameterStore is a provider for AWS ParameterStore.
  32. type ParameterStore struct {
  33. sess *session.Session
  34. client PMInterface
  35. }
  36. // PMInterface is a subset of the parameterstore api.
  37. // see: https://docs.aws.amazon.com/sdk-for-go/api/service/ssm/ssmiface/
  38. type PMInterface interface {
  39. GetParameterWithContext(aws.Context, *ssm.GetParameterInput, ...request.Option) (*ssm.GetParameterOutput, error)
  40. PutParameterWithContext(aws.Context, *ssm.PutParameterInput, ...request.Option) (*ssm.PutParameterOutput, error)
  41. DescribeParameters(*ssm.DescribeParametersInput) (*ssm.DescribeParametersOutput, error)
  42. }
  43. const (
  44. errUnexpectedFindOperator = "unexpected find operator"
  45. )
  46. // New constructs a ParameterStore Provider that is specific to a store.
  47. func New(sess *session.Session, cfg *aws.Config) (*ParameterStore, error) {
  48. return &ParameterStore{
  49. sess: sess,
  50. client: ssm.New(sess, cfg),
  51. }, nil
  52. }
  53. func (pm *ParameterStore) SetSecret(ctx context.Context, value []byte, remoteRef esv1beta1.PushRemoteRef) error {
  54. parameterType := "String"
  55. stringValue := string(value)
  56. secretName := remoteRef.GetRemoteKey()
  57. secretRequest := ssm.PutParameterInput{
  58. Name: &secretName,
  59. Value: &stringValue,
  60. Type: &parameterType,
  61. }
  62. _, err := pm.client.PutParameterWithContext(ctx, &secretRequest)
  63. if err != nil {
  64. return err
  65. }
  66. return nil
  67. }
  68. // GetAllSecrets fetches information from multiple secrets into a single kubernetes secret.
  69. func (pm *ParameterStore) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
  70. if ref.Name != nil {
  71. return pm.findByName(ref)
  72. }
  73. if ref.Tags != nil {
  74. return pm.findByTags(ref)
  75. }
  76. return nil, errors.New(errUnexpectedFindOperator)
  77. }
  78. func (pm *ParameterStore) findByName(ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
  79. matcher, err := find.New(*ref.Name)
  80. if err != nil {
  81. return nil, err
  82. }
  83. pathFilter := make([]*ssm.ParameterStringFilter, 0)
  84. if ref.Path != nil {
  85. pathFilter = append(pathFilter, &ssm.ParameterStringFilter{
  86. Key: aws.String("Path"),
  87. Option: aws.String("Recursive"),
  88. Values: []*string{ref.Path},
  89. })
  90. }
  91. data := make(map[string][]byte)
  92. var nextToken *string
  93. for {
  94. it, err := pm.client.DescribeParameters(&ssm.DescribeParametersInput{
  95. NextToken: nextToken,
  96. ParameterFilters: pathFilter,
  97. })
  98. if err != nil {
  99. return nil, err
  100. }
  101. for _, param := range it.Parameters {
  102. if !matcher.MatchName(*param.Name) {
  103. continue
  104. }
  105. err = pm.fetchAndSet(data, *param.Name)
  106. if err != nil {
  107. return nil, err
  108. }
  109. }
  110. nextToken = it.NextToken
  111. if nextToken == nil {
  112. break
  113. }
  114. }
  115. return data, nil
  116. }
  117. func (pm *ParameterStore) findByTags(ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
  118. filters := make([]*ssm.ParameterStringFilter, 0)
  119. for k, v := range ref.Tags {
  120. filters = append(filters, &ssm.ParameterStringFilter{
  121. Key: utilpointer.StringPtr(fmt.Sprintf("tag:%s", k)),
  122. Values: []*string{utilpointer.StringPtr(v)},
  123. Option: utilpointer.StringPtr("Equals"),
  124. })
  125. }
  126. if ref.Path != nil {
  127. filters = append(filters, &ssm.ParameterStringFilter{
  128. Key: aws.String("Path"),
  129. Option: aws.String("Recursive"),
  130. Values: []*string{ref.Path},
  131. })
  132. }
  133. data := make(map[string][]byte)
  134. var nextToken *string
  135. for {
  136. it, err := pm.client.DescribeParameters(&ssm.DescribeParametersInput{
  137. ParameterFilters: filters,
  138. NextToken: nextToken,
  139. })
  140. if err != nil {
  141. return nil, err
  142. }
  143. for _, param := range it.Parameters {
  144. err = pm.fetchAndSet(data, *param.Name)
  145. if err != nil {
  146. return nil, err
  147. }
  148. }
  149. nextToken = it.NextToken
  150. if nextToken == nil {
  151. break
  152. }
  153. }
  154. return data, nil
  155. }
  156. func (pm *ParameterStore) fetchAndSet(data map[string][]byte, name string) error {
  157. ctx := context.Background()
  158. out, err := pm.client.GetParameterWithContext(ctx, &ssm.GetParameterInput{
  159. Name: utilpointer.StringPtr(name),
  160. WithDecryption: aws.Bool(true),
  161. })
  162. if err != nil {
  163. return util.SanitizeErr(err)
  164. }
  165. data[name] = []byte(*out.Parameter.Value)
  166. return nil
  167. }
  168. // GetSecret returns a single secret from the provider.
  169. func (pm *ParameterStore) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
  170. out, err := pm.client.GetParameterWithContext(ctx, &ssm.GetParameterInput{
  171. Name: &ref.Key,
  172. WithDecryption: aws.Bool(true),
  173. })
  174. nsf := esv1beta1.NoSecretError{}
  175. var nf *ssm.ParameterNotFound
  176. if errors.As(err, &nf) || errors.As(err, &nsf) {
  177. return nil, esv1beta1.NoSecretErr
  178. }
  179. if err != nil {
  180. return nil, util.SanitizeErr(err)
  181. }
  182. if ref.Property == "" {
  183. if out.Parameter.Value != nil {
  184. return []byte(*out.Parameter.Value), nil
  185. }
  186. return nil, fmt.Errorf("invalid secret received. parameter value is nil for key: %s", ref.Key)
  187. }
  188. idx := strings.Index(ref.Property, ".")
  189. if idx > -1 {
  190. refProperty := strings.ReplaceAll(ref.Property, ".", "\\.")
  191. val := gjson.Get(*out.Parameter.Value, refProperty)
  192. if val.Exists() {
  193. return []byte(val.String()), nil
  194. }
  195. }
  196. val := gjson.Get(*out.Parameter.Value, ref.Property)
  197. if !val.Exists() {
  198. return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Property, ref.Key)
  199. }
  200. return []byte(val.String()), nil
  201. }
  202. // GetSecretMap returns multiple k/v pairs from the provider.
  203. func (pm *ParameterStore) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
  204. data, err := pm.GetSecret(ctx, ref)
  205. if err != nil {
  206. return nil, err
  207. }
  208. kv := make(map[string]string)
  209. err = json.Unmarshal(data, &kv)
  210. if err != nil {
  211. return nil, fmt.Errorf("unable to unmarshal secret %s: %w", ref.Key, err)
  212. }
  213. secretData := make(map[string][]byte)
  214. for k, v := range kv {
  215. secretData[k] = []byte(v)
  216. }
  217. return secretData, nil
  218. }
  219. func (pm *ParameterStore) Close(ctx context.Context) error {
  220. return nil
  221. }
  222. func (pm *ParameterStore) Validate() (esv1beta1.ValidationResult, error) {
  223. _, err := pm.sess.Config.Credentials.Get()
  224. if err != nil {
  225. return esv1beta1.ValidationResultError, err
  226. }
  227. return esv1beta1.ValidationResultReady, nil
  228. }