parameterstore.go 10 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359
  1. /*
  2. Licensed under the Apache License, Version 2.0 (the "License");
  3. you may not use this file except in compliance with the License.
  4. You may obtain a copy of the License at
  5. http://www.apache.org/licenses/LICENSE-2.0
  6. Unless required by applicable law or agreed to in writing, software
  7. distributed under the License is distributed on an "AS IS" BASIS,
  8. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  9. See the License for the specific language governing permissions and
  10. limitations under the License.
  11. */
  12. package parameterstore
  13. import (
  14. "context"
  15. "encoding/json"
  16. "errors"
  17. "fmt"
  18. "strings"
  19. "github.com/aws/aws-sdk-go/aws"
  20. "github.com/aws/aws-sdk-go/aws/awserr"
  21. "github.com/aws/aws-sdk-go/aws/request"
  22. "github.com/aws/aws-sdk-go/aws/session"
  23. "github.com/aws/aws-sdk-go/service/ssm"
  24. "github.com/tidwall/gjson"
  25. utilpointer "k8s.io/utils/pointer"
  26. esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
  27. "github.com/external-secrets/external-secrets/pkg/find"
  28. "github.com/external-secrets/external-secrets/pkg/provider/aws/util"
  29. )
  30. // https://github.com/external-secrets/external-secrets/issues/644
  31. var (
  32. _ esv1beta1.SecretsClient = &ParameterStore{}
  33. managedBy = "managed-by"
  34. externalSecrets = "external-secrets"
  35. )
  36. // ParameterStore is a provider for AWS ParameterStore.
  37. type ParameterStore struct {
  38. sess *session.Session
  39. client PMInterface
  40. }
  41. // PMInterface is a subset of the parameterstore api.
  42. // see: https://docs.aws.amazon.com/sdk-for-go/api/service/ssm/ssmiface/
  43. type PMInterface interface {
  44. GetParameterWithContext(aws.Context, *ssm.GetParameterInput, ...request.Option) (*ssm.GetParameterOutput, error)
  45. PutParameterWithContext(aws.Context, *ssm.PutParameterInput, ...request.Option) (*ssm.PutParameterOutput, error)
  46. DescribeParametersWithContext(aws.Context, *ssm.DescribeParametersInput, ...request.Option) (*ssm.DescribeParametersOutput, error)
  47. ListTagsForResourceWithContext(aws.Context, *ssm.ListTagsForResourceInput, ...request.Option) (*ssm.ListTagsForResourceOutput, error)
  48. }
  49. const (
  50. errUnexpectedFindOperator = "unexpected find operator"
  51. )
  52. // New constructs a ParameterStore Provider that is specific to a store.
  53. func New(sess *session.Session, cfg *aws.Config) (*ParameterStore, error) {
  54. return &ParameterStore{
  55. sess: sess,
  56. client: ssm.New(sess, cfg),
  57. }, nil
  58. }
  59. func (pm *ParameterStore) getTagsByName(ctx aws.Context, ref *ssm.GetParameterOutput) ([]*ssm.Tag, error) {
  60. parameterType := "Parameter"
  61. parameterTags := ssm.ListTagsForResourceInput{
  62. ResourceId: ref.Parameter.Name,
  63. ResourceType: &parameterType,
  64. }
  65. data, err := pm.client.ListTagsForResourceWithContext(ctx, &parameterTags)
  66. if err != nil {
  67. return nil, fmt.Errorf("error listing tags %w", err)
  68. }
  69. return data.TagList, nil
  70. }
  71. func (pm *ParameterStore) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushRemoteRef) error {
  72. return fmt.Errorf("not implemented")
  73. }
  74. func (pm *ParameterStore) SetSecret(ctx context.Context, value []byte, remoteRef esv1beta1.PushRemoteRef) error {
  75. // TODO create tags outside of the flow of create parameter: so we can always create parameters
  76. // and always create tags.
  77. // TODO then create validation for secret versions so that we only have a new version on value change
  78. // TODO Testing manually, unit tests, validation tests
  79. parameterType := "String"
  80. overwrite := true
  81. stringValue := string(value)
  82. secretName := remoteRef.GetRemoteKey()
  83. secretRequest := ssm.PutParameterInput{
  84. Name: &secretName,
  85. Value: &stringValue,
  86. Type: &parameterType,
  87. Overwrite: &overwrite,
  88. }
  89. secretValue := ssm.GetParameterInput{
  90. Name: &secretName,
  91. }
  92. existing, err := pm.client.GetParameterWithContext(ctx, &secretValue)
  93. var awsError awserr.Error
  94. ok := errors.As(err, &awsError)
  95. if err != nil && (!ok || awsError.Code() != ssm.ErrCodeParameterNotFound) {
  96. return fmt.Errorf("unexpected error getting parameter %v: %w", secretName, err)
  97. }
  98. // If we have a valid parameter returned to us, check its tags
  99. if existing != nil && existing.Parameter != nil {
  100. fmt.Println("The existing value contains data:", existing.String())
  101. tags, err := pm.getTagsByName(ctx, existing)
  102. if err != nil {
  103. return fmt.Errorf("error getting the existing tags for the parameter %v: %w", secretName, err)
  104. }
  105. isManaged := isManagedByESO(tags)
  106. if !isManaged {
  107. // TODO Can we refactor this error message to a higher scope to stop duplicates
  108. return fmt.Errorf("secret not managed by external-secrets")
  109. }
  110. if existing.Parameter.Value != nil && *existing.Parameter.Value == string(value) {
  111. return nil
  112. }
  113. return pm.setManagedRemoteParameter(ctx, secretRequest, false)
  114. }
  115. // let's set the secret
  116. // Do we need to delete the existing parameter on the remote?
  117. return pm.setManagedRemoteParameter(ctx, secretRequest, true)
  118. }
  119. func isManagedByESO(tags []*ssm.Tag) bool {
  120. for _, tag := range tags {
  121. if *tag.Key == managedBy && *tag.Value == externalSecrets {
  122. return true
  123. }
  124. }
  125. return false
  126. }
  127. func (pm *ParameterStore) setManagedRemoteParameter(ctx context.Context, secretRequest ssm.PutParameterInput, createManagedByTags bool) error {
  128. externalSecretsTag := ssm.Tag{
  129. Key: &managedBy,
  130. Value: &externalSecrets,
  131. }
  132. overwrite := true
  133. secretRequest.Overwrite = &overwrite
  134. if createManagedByTags {
  135. secretRequest.Tags = append(secretRequest.Tags, &externalSecretsTag)
  136. overwrite = false
  137. }
  138. _, err := pm.client.PutParameterWithContext(ctx, &secretRequest)
  139. if err != nil {
  140. return fmt.Errorf("unexpected error pushing parameter %v: %w", secretRequest.Name, err)
  141. }
  142. return nil
  143. }
  144. // GetAllSecrets fetches information from multiple secrets into a single kubernetes secret.
  145. func (pm *ParameterStore) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
  146. if ref.Name != nil {
  147. return pm.findByName(ctx, ref)
  148. }
  149. if ref.Tags != nil {
  150. return pm.findByTags(ctx, ref)
  151. }
  152. return nil, errors.New(errUnexpectedFindOperator)
  153. }
  154. func (pm *ParameterStore) findByName(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
  155. matcher, err := find.New(*ref.Name)
  156. if err != nil {
  157. return nil, err
  158. }
  159. pathFilter := make([]*ssm.ParameterStringFilter, 0)
  160. if ref.Path != nil {
  161. pathFilter = append(pathFilter, &ssm.ParameterStringFilter{
  162. Key: aws.String("Path"),
  163. Option: aws.String("Recursive"),
  164. Values: []*string{ref.Path},
  165. })
  166. }
  167. data := make(map[string][]byte)
  168. var nextToken *string
  169. for {
  170. it, err := pm.client.DescribeParametersWithContext(
  171. ctx,
  172. &ssm.DescribeParametersInput{
  173. NextToken: nextToken,
  174. ParameterFilters: pathFilter,
  175. })
  176. if err != nil {
  177. return nil, err
  178. }
  179. for _, param := range it.Parameters {
  180. if !matcher.MatchName(*param.Name) {
  181. continue
  182. }
  183. err = pm.fetchAndSet(ctx, data, *param.Name)
  184. if err != nil {
  185. return nil, err
  186. }
  187. }
  188. nextToken = it.NextToken
  189. if nextToken == nil {
  190. break
  191. }
  192. }
  193. return data, nil
  194. }
  195. func (pm *ParameterStore) findByTags(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
  196. filters := make([]*ssm.ParameterStringFilter, 0)
  197. for k, v := range ref.Tags {
  198. filters = append(filters, &ssm.ParameterStringFilter{
  199. Key: utilpointer.StringPtr(fmt.Sprintf("tag:%s", k)),
  200. Values: []*string{utilpointer.StringPtr(v)},
  201. Option: utilpointer.StringPtr("Equals"),
  202. })
  203. }
  204. if ref.Path != nil {
  205. filters = append(filters, &ssm.ParameterStringFilter{
  206. Key: aws.String("Path"),
  207. Option: aws.String("Recursive"),
  208. Values: []*string{ref.Path},
  209. })
  210. }
  211. data := make(map[string][]byte)
  212. var nextToken *string
  213. for {
  214. it, err := pm.client.DescribeParametersWithContext(
  215. ctx,
  216. &ssm.DescribeParametersInput{
  217. ParameterFilters: filters,
  218. NextToken: nextToken,
  219. })
  220. if err != nil {
  221. return nil, err
  222. }
  223. for _, param := range it.Parameters {
  224. err = pm.fetchAndSet(ctx, data, *param.Name)
  225. if err != nil {
  226. return nil, err
  227. }
  228. }
  229. nextToken = it.NextToken
  230. if nextToken == nil {
  231. break
  232. }
  233. }
  234. return data, nil
  235. }
  236. func (pm *ParameterStore) fetchAndSet(ctx context.Context, data map[string][]byte, name string) error {
  237. out, err := pm.client.GetParameterWithContext(ctx, &ssm.GetParameterInput{
  238. Name: utilpointer.StringPtr(name),
  239. WithDecryption: aws.Bool(true),
  240. })
  241. if err != nil {
  242. return util.SanitizeErr(err)
  243. }
  244. data[name] = []byte(*out.Parameter.Value)
  245. return nil
  246. }
  247. // GetSecret returns a single secret from the provider.
  248. func (pm *ParameterStore) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
  249. out, err := pm.client.GetParameterWithContext(ctx, &ssm.GetParameterInput{
  250. Name: &ref.Key,
  251. WithDecryption: aws.Bool(true),
  252. })
  253. nsf := esv1beta1.NoSecretError{}
  254. var nf *ssm.ParameterNotFound
  255. if errors.As(err, &nf) || errors.As(err, &nsf) {
  256. return nil, esv1beta1.NoSecretErr
  257. }
  258. if err != nil {
  259. return nil, util.SanitizeErr(err)
  260. }
  261. if ref.Property == "" {
  262. if out.Parameter.Value != nil {
  263. return []byte(*out.Parameter.Value), nil
  264. }
  265. return nil, fmt.Errorf("invalid secret received. parameter value is nil for key: %s", ref.Key)
  266. }
  267. idx := strings.Index(ref.Property, ".")
  268. if idx > -1 {
  269. refProperty := strings.ReplaceAll(ref.Property, ".", "\\.")
  270. val := gjson.Get(*out.Parameter.Value, refProperty)
  271. if val.Exists() {
  272. return []byte(val.String()), nil
  273. }
  274. }
  275. val := gjson.Get(*out.Parameter.Value, ref.Property)
  276. if !val.Exists() {
  277. return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Property, ref.Key)
  278. }
  279. return []byte(val.String()), nil
  280. }
  281. // GetSecretMap returns multiple k/v pairs from the provider.
  282. func (pm *ParameterStore) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
  283. data, err := pm.GetSecret(ctx, ref)
  284. if err != nil {
  285. return nil, err
  286. }
  287. kv := make(map[string]json.RawMessage)
  288. err = json.Unmarshal(data, &kv)
  289. if err != nil {
  290. return nil, fmt.Errorf("unable to unmarshal secret %s: %w", ref.Key, err)
  291. }
  292. secretData := make(map[string][]byte)
  293. for k, v := range kv {
  294. var strVal string
  295. err = json.Unmarshal(v, &strVal)
  296. if err == nil {
  297. secretData[k] = []byte(strVal)
  298. } else {
  299. secretData[k] = v
  300. }
  301. }
  302. return secretData, nil
  303. }
  304. func (pm *ParameterStore) Close(ctx context.Context) error {
  305. return nil
  306. }
  307. func (pm *ParameterStore) Validate() (esv1beta1.ValidationResult, error) {
  308. _, err := pm.sess.Config.Credentials.Get()
  309. if err != nil {
  310. return esv1beta1.ValidationResultError, err
  311. }
  312. return esv1beta1.ValidationResultReady, nil
  313. }