aws: use secrets

Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>
2021-05-26 18:03:48 -07:00
parent 9c0e2d1d95
commit 40d4c95bff
14 changed files with 219 additions and 154 deletions
--- a/stdlib/aws/aws.cue
+++ b/stdlib/aws/aws.cue
@@ -18,6 +18,7 @@ import (

 // Re-usable aws-cli component
 #CLI: {
+	config: #Config
 	package: [string]: string | bool

 	#up: [
@@ -30,86 +31,26 @@ import (
 				"package": "aws-cli": "=~1.18"
 			}
 		},
+		op.#Exec & {
+			args: [
+				"/bin/bash",
+				"--noprofile",
+				"--norc",
+				"-eo",
+				"pipefail",
+				"-c",
+				#"""
+				aws configure set aws_access_key_id "$(cat /run/secrets/access_key)"
+				aws configure set aws_secret_access_key "$(cat /run/secrets/secret_key)"
+
+				aws configure set default.region "$AWS_DEFAULT_REGION"
+				aws configure set default.cli_pager ""
+				aws configure set default.output "json"
+				"""#
+			]
+			mount: "/run/secrets/access_key": secret: config.accessKey
+			mount: "/run/secrets/secret_key": secret: config.secretKey
+			env: AWS_DEFAULT_REGION:    config.region
+		},
 	]
-}
-
-// Helper for writing scripts based on AWS CLI
-#Script: {
-	// AWS code
-	config: #Config
-
-	// Script code (bash)
-	code: string
-
-	// Extra pkgs to install
-	package: [string]: string | bool
-
-	// Files to mount
-	files: [string]: string
-
-	// Env variables
-	env: [string]: string
-
-	// Export file
-	export: string
-
-	// Always execute the script?
-	always?: bool
-
-	// Directory
-	dir?: dagger.#Artifact
-
-	out: {
-		string
-
-		#up: [
-			op.#Load & {
-				from: #CLI & {
-					"package": package
-				}
-			},
-			op.#Mkdir & {
-				path: "/inputs"
-			},
-			for k, v in files {
-				op.#WriteFile & {
-					dest:    k
-					content: v
-				}
-			},
-			op.#WriteFile & {
-				dest:    "/entrypoint.sh"
-				content: code
-			},
-			op.#Exec & {
-				if always != _|_ {
-					"always": always
-				}
-				args: [
-					"/bin/bash",
-					"--noprofile",
-					"--norc",
-					"-eo",
-					"pipefail",
-					"/entrypoint.sh",
-				]
-				"env": env
-				"env": {
-					AWS_ACCESS_KEY_ID:     config.accessKey
-					AWS_SECRET_ACCESS_KEY: config.secretKey
-					AWS_DEFAULT_REGION:    config.region
-					AWS_REGION:            config.region
-					AWS_DEFAULT_OUTPUT:    "json"
-					AWS_PAGER:             ""
-				}
-				if dir != _|_ {
-					mount: "/inputs/source": from: dir
-				}
-			},
-			op.#Export & {
-				source: export
-				format: "string"
-			},
-		]
-	}
-}
+}
--- a/stdlib/aws/ecr/ecr.cue
+++ b/stdlib/aws/ecr/ecr.cue
@@ -2,6 +2,7 @@ package ecr

 import (
 	"dagger.io/dagger"
+	"dagger.io/dagger/op"
 	"dagger.io/aws"
 )

@@ -15,14 +16,37 @@ import (
 	// ECR credentials
 	username: "AWS"

-	secret: out @dagger(output)
+	secret: {
+		@dagger(output)
+		string

-	aws.#Script & {
-		always:   true
-		"config": config
-		export:   "/out"
-		code: """
-			aws ecr get-login-password > /out
-			"""
+		#up: [
+			op.#Load & {
+				from: aws.#CLI & {
+					"config": config
+				}
+			},
+
+			op.#Exec & {
+				always: true
+
+				args: [
+					"/bin/bash",
+					"--noprofile",
+					"--norc",
+					"-eo",
+					"pipefail",
+					"-c",
+					#"""
+					aws ecr get-login-password > /out
+					"""#
+				]
+			},
+
+			op.#Export & {
+				source: "/out"
+				format: "string"
+			}
+		]
 	}
 }
--- a/stdlib/aws/s3/s3.cue
+++ b/stdlib/aws/s3/s3.cue
@@ -2,6 +2,7 @@ package s3

 import (
 	"dagger.io/dagger"
+	"dagger.io/dagger/op"
 	"dagger.io/aws"
 )

@@ -23,46 +24,69 @@ import (
 	// Object content type
 	contentType: string | *"" @dagger(input)

-	// URL of the uploaded S3 object
-	url: out @dagger(output)
-
 	// Always write the object to S3
 	always?: bool @dagger(input)

-	out: string
-	aws.#Script & {
-		if always != _|_ {
-			"always": always
-		}
-		files: {
+	// URL of the uploaded S3 object
+	url: {
+		@dagger(output)
+		string
+
+		#up: [
+			op.#Load & {
+				from: aws.#CLI & {
+					"config": config
+				}
+			},
+
 			if sourceInline != _|_ {
-				"/inputs/source": sourceInline
+				op.#WriteFile & {
+					dest: "/source"
+					content: sourceInline
+				}
 			}
-			"/inputs/target": target
-			if contentType != "" {
-				"/inputs/content_type": contentType
+
+			op.#Exec & {
+				if always != _|_ {
+					"always": always
+				}
+				env: {
+					TARGET: target
+					CONTENT_TYPE: contentType
+				}
+
+				if sourceInline == _|_ {
+					mount: "/source": from: source
+				}
+
+				args: [
+					"/bin/bash",
+					"--noprofile",
+					"--norc",
+					"-eo",
+					"pipefail",
+					"-c",
+					#"""
+					opts=""
+					op=cp
+					if [ -d /source ]; then
+						op=sync
+					fi
+					if [ -n "$CONTENT_TYPE" ]; then
+						opts="--content-type $CONTENT_TYPE"
+					fi
+					aws s3 $op $opts /source "$TARGET"
+					echo "$TARGET" \
+						| sed -E 's=^s3://([^/]*)/=https://\1.s3.amazonaws.com/=' \
+						> /url
+					"""#
+				]
+			},
+
+			op.#Export & {
+				source: "/url"
+				format: "string"
 			}
-		}
-
-		export: "/url"
-
-		code: #"""
-			opts=""
-			op=cp
-			if [ -d /inputs/source ]; then
-			    op=sync
-			fi
-			if [ -f /inputs/content_type ]; then
-			    opts="--content-type $(cat /inputs/content_type)"
-			fi
-			aws s3 $op $opts /inputs/source "$(cat /inputs/target)"
-			cat /inputs/target \
-			    | sed -E 's=^s3://([^/]*)/=https://\1.s3.amazonaws.com/=' \
-			    > /url
-			"""#
-
-		if sourceInline == _|_ {
-			dir: source
-		}
+		]
 	}
 }