aws: use secrets

Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>
This commit is contained in:
Andrea Luzzardi 2021-05-26 18:03:48 -07:00
parent 9c0e2d1d95
commit 40d4c95bff
14 changed files with 219 additions and 154 deletions

View File

@ -18,6 +18,7 @@ import (
// Re-usable aws-cli component
#CLI: {
config: #Config
package: [string]: string | bool
#up: [
@ -30,86 +31,26 @@ import (
"package": "aws-cli": "=~1.18"
}
},
]
}
// Helper for writing scripts based on AWS CLI
#Script: {
// AWS code
config: #Config
// Script code (bash)
code: string
// Extra pkgs to install
package: [string]: string | bool
// Files to mount
files: [string]: string
// Env variables
env: [string]: string
// Export file
export: string
// Always execute the script?
always?: bool
// Directory
dir?: dagger.#Artifact
out: {
string
#up: [
op.#Load & {
from: #CLI & {
"package": package
}
},
op.#Mkdir & {
path: "/inputs"
},
for k, v in files {
op.#WriteFile & {
dest: k
content: v
}
},
op.#WriteFile & {
dest: "/entrypoint.sh"
content: code
},
op.#Exec & {
if always != _|_ {
"always": always
}
args: [
"/bin/bash",
"--noprofile",
"--norc",
"-eo",
"pipefail",
"/entrypoint.sh",
"-c",
#"""
aws configure set aws_access_key_id "$(cat /run/secrets/access_key)"
aws configure set aws_secret_access_key "$(cat /run/secrets/secret_key)"
aws configure set default.region "$AWS_DEFAULT_REGION"
aws configure set default.cli_pager ""
aws configure set default.output "json"
"""#
]
"env": env
"env": {
AWS_ACCESS_KEY_ID: config.accessKey
AWS_SECRET_ACCESS_KEY: config.secretKey
AWS_DEFAULT_REGION: config.region
AWS_REGION: config.region
AWS_DEFAULT_OUTPUT: "json"
AWS_PAGER: ""
}
if dir != _|_ {
mount: "/inputs/source": from: dir
}
},
op.#Export & {
source: export
format: "string"
mount: "/run/secrets/access_key": secret: config.accessKey
mount: "/run/secrets/secret_key": secret: config.secretKey
env: AWS_DEFAULT_REGION: config.region
},
]
}
}

View File

@ -2,6 +2,7 @@ package ecr
import (
"dagger.io/dagger"
"dagger.io/dagger/op"
"dagger.io/aws"
)
@ -15,14 +16,37 @@ import (
// ECR credentials
username: "AWS"
secret: out @dagger(output)
secret: {
@dagger(output)
string
aws.#Script & {
always: true
#up: [
op.#Load & {
from: aws.#CLI & {
"config": config
export: "/out"
code: """
}
},
op.#Exec & {
always: true
args: [
"/bin/bash",
"--noprofile",
"--norc",
"-eo",
"pipefail",
"-c",
#"""
aws ecr get-login-password > /out
"""
"""#
]
},
op.#Export & {
source: "/out"
format: "string"
}
]
}
}

View File

@ -2,6 +2,7 @@ package s3
import (
"dagger.io/dagger"
"dagger.io/dagger/op"
"dagger.io/aws"
)
@ -23,46 +24,69 @@ import (
// Object content type
contentType: string | *"" @dagger(input)
// URL of the uploaded S3 object
url: out @dagger(output)
// Always write the object to S3
always?: bool @dagger(input)
out: string
aws.#Script & {
// URL of the uploaded S3 object
url: {
@dagger(output)
string
#up: [
op.#Load & {
from: aws.#CLI & {
"config": config
}
},
if sourceInline != _|_ {
op.#WriteFile & {
dest: "/source"
content: sourceInline
}
}
op.#Exec & {
if always != _|_ {
"always": always
}
files: {
if sourceInline != _|_ {
"/inputs/source": sourceInline
}
"/inputs/target": target
if contentType != "" {
"/inputs/content_type": contentType
}
env: {
TARGET: target
CONTENT_TYPE: contentType
}
export: "/url"
if sourceInline == _|_ {
mount: "/source": from: source
}
code: #"""
args: [
"/bin/bash",
"--noprofile",
"--norc",
"-eo",
"pipefail",
"-c",
#"""
opts=""
op=cp
if [ -d /inputs/source ]; then
if [ -d /source ]; then
op=sync
fi
if [ -f /inputs/content_type ]; then
opts="--content-type $(cat /inputs/content_type)"
if [ -n "$CONTENT_TYPE" ]; then
opts="--content-type $CONTENT_TYPE"
fi
aws s3 $op $opts /inputs/source "$(cat /inputs/target)"
cat /inputs/target \
aws s3 $op $opts /source "$TARGET"
echo "$TARGET" \
| sed -E 's=^s3://([^/]*)/=https://\1.s3.amazonaws.com/=' \
> /url
"""#
]
},
if sourceInline == _|_ {
dir: source
op.#Export & {
source: "/url"
format: "string"
}
]
}
}

View File

@ -84,6 +84,6 @@ import (
}
dir: "/src"
mount: "/src": from: contents
mount: "/token": secret: account.token
mount: "/run/secrets/token": secret: account.token
}
}

View File

@ -1,7 +1,7 @@
package netlify
#Site: ctr: command: #"""
export NETLIFY_AUTH_TOKEN="$(cat /token)"
export NETLIFY_AUTH_TOKEN="$(cat /run/secrets/token)"
create_site() {
url="https://api.netlify.com/api/v1/${NETLIFY_ACCOUNT:-}/sites"

View File

@ -43,9 +43,7 @@ setup() {
}
@test "stdlib: aws: s3" {
skip_unless_secrets_available "$TESTDIR"/stdlib/aws/inputs.yaml
"$DAGGER" compute "$TESTDIR"/stdlib/aws/s3 --input-dir TestDirectory="$TESTDIR"/stdlib/aws/s3/testdata --input-yaml "$TESTDIR"/stdlib/aws/inputs.yaml
"$DAGGER" up -w "$TESTDIR"/stdlib/aws/s3
}
@test "stdlib: aws: eks" {
@ -55,9 +53,7 @@ setup() {
}
@test "stdlib: aws: ecr" {
skip_unless_secrets_available "$TESTDIR"/stdlib/aws/inputs.yaml
"$DAGGER" compute "$TESTDIR"/stdlib/aws/ecr --input-yaml "$TESTDIR"/stdlib/aws/inputs.yaml
"$DAGGER" up -w "$TESTDIR"/stdlib/aws/ecr
}
@test "stdlib: gcp: gke" {

View File

@ -0,0 +1,2 @@
# dagger state
state/**

View File

@ -0,0 +1,26 @@
name: default
inputs:
TestConfig.awsConfig.accessKey:
secret: ENC[AES256_GCM,data:iu6LfQNgGZUVnHVeMRYPrcBtlZk=,iv:U5PLxDKXwJnUDdk1ayFGvvJfWdVqh1PK5ujb20YYPP0=,tag:QyqIJRiR6nE16ZDV0CP7Pw==,type:str]
TestConfig.awsConfig.secretKey:
secret: ENC[AES256_GCM,data:Q/W+KH3NEouGt6C5S+KiC43837soYi2Mjb/z5K8rD9gtaNaBjjkJHg==,iv:8nGEzLXd91rF5YBZ/EdQoMN27yrpc0sgm26DEvIuSHM=,tag:/oyKl/vj5MJAm+jZMOOAuQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1gxwmtwahzwdmrskhf90ppwlnze30lgpm056kuesrxzeuyclrwvpsupwtpk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKeEk5MS9nVmFoOVNNOHdE
WnZCTXBWbW9LL1NJYndCYjhIM2JsNXNEUmxJCkUya0dlZjZ0dGRIM1pVdzg5eWFH
MVpiaE9PclNudGdUZm5FcytuVDZGTDAKLS0tIEQxWDdteHgzS3JkdmtNTVpxMUh1
aXlvVWJVSGNTSkVyYmpZbi9nUVJZdmMK6csXZ2RMxFw5DB+Hb2TyhyoZT8c2/z7Y
Lc9Pe8gb8aUq5Ha+wCybYvY6JWEM5A9XYJKbE7f4borTfGKS72d6pw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2021-05-27T00:53:54Z"
mac: ENC[AES256_GCM,data:ho/e/xUzRdwwe3VRCz9p8UNHgxdhAxkNtWUJLS5fEXBGnw28hjwNBbPYN78bX0k9SQ/5bgvXT2O/Z+zmOSWfrCYD2eojh9mDR4aCV5m/liVh5Dxha65u6zPl9VVcSunYg3wqe9Zl+pMG8BJXvczQS7S5QEGEaWojfaA/o7HM1BE=,iv:o/cVw6GBCCdgIqIZGDzqSCiBHUmrhAoIRcyGS9P83j0=,tag:WSQO0C0lPH2vOzl07rmRGg==,type:str]
pgp: []
encrypted_suffix: secret
version: 3.7.1

View File

@ -0,0 +1,2 @@
# dagger state
state/**

View File

@ -22,6 +22,8 @@ TestS3UploadFile: {
}
verify: #VerifyS3 & {
config: TestConfig.awsConfig
target: deploy.target
file: "test.txt"
}
}
@ -36,10 +38,14 @@ TestS3UploadDir: {
}
verifyFile: #VerifyS3 & {
config: TestConfig.awsConfig
target: deploy.target
file: "dirFile.txt"
}
verifyDir: #VerifyS3 & {
config: TestConfig.awsConfig
target: deploy.target
file: "foo.txt"
}
}

View File

@ -13,30 +13,48 @@ import (
// Target S3 URL (e.g. s3://<bucket-name>/<path>/<sub-path>)
target?: string
// Export folder
export: "/contents"
contents: {
string
// Script
aws.#Script & {
code: """
aws s3 ls --recursive \(target) >> /contents
"""
#up: [
op.#Load & {
from: aws.#CLI & {
"config": config
}
},
op.#Exec & {
args: [
"/bin/bash",
"--noprofile",
"--norc",
"-eo",
"pipefail",
"-c",
#"""
aws s3 ls --recursive \#(target) > /contents
"""#
]
},
op.#Export & {
source: "/contents"
format: "string"
}
]
}
}
#VerifyS3: {
file: string
config: aws.#Config
target: string
lists: #List & {
config: TestConfig.awsConfig
target: "s3://\(bucket)"
"config": config
"target": target
}
#CheckFiles:
"""
grep -q \(file) /test
"""
test: #up: [
op.#Load & {
from: alpine.#Image & {
@ -46,12 +64,7 @@ import (
op.#WriteFile & {
dest: "/test"
content: lists.out
},
op.#WriteFile & {
dest: "/checkFiles.sh"
content: #CheckFiles
content: lists.contents
},
op.#Exec & {
@ -62,7 +75,8 @@ import (
"--norc",
"-eo",
"pipefail",
"/checkFiles.sh",
"-c",
"grep -q \(file) /test"
]
},
]

View File

@ -0,0 +1,30 @@
name: default
inputs:
TestConfig.awsConfig.accessKey:
secret: ENC[AES256_GCM,data:iu6LfQNgGZUVnHVeMRYPrcBtlZk=,iv:U5PLxDKXwJnUDdk1ayFGvvJfWdVqh1PK5ujb20YYPP0=,tag:QyqIJRiR6nE16ZDV0CP7Pw==,type:str]
TestConfig.awsConfig.secretKey:
secret: ENC[AES256_GCM,data:Q/W+KH3NEouGt6C5S+KiC43837soYi2Mjb/z5K8rD9gtaNaBjjkJHg==,iv:8nGEzLXd91rF5YBZ/EdQoMN27yrpc0sgm26DEvIuSHM=,tag:/oyKl/vj5MJAm+jZMOOAuQ==,type:str]
TestDirectory:
dir:
path: ./testdata
include: []
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1gxwmtwahzwdmrskhf90ppwlnze30lgpm056kuesrxzeuyclrwvpsupwtpk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKeEk5MS9nVmFoOVNNOHdE
WnZCTXBWbW9LL1NJYndCYjhIM2JsNXNEUmxJCkUya0dlZjZ0dGRIM1pVdzg5eWFH
MVpiaE9PclNudGdUZm5FcytuVDZGTDAKLS0tIEQxWDdteHgzS3JkdmtNTVpxMUh1
aXlvVWJVSGNTSkVyYmpZbi9nUVJZdmMK6csXZ2RMxFw5DB+Hb2TyhyoZT8c2/z7Y
Lc9Pe8gb8aUq5Ha+wCybYvY6JWEM5A9XYJKbE7f4borTfGKS72d6pw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2021-05-27T00:13:13Z"
mac: ENC[AES256_GCM,data:uqGhc0e6mQp5kdKvJTFz+yjcc5WUtLBcsqkzh0NeJhP9nztpX1TJfqBeyGfd7pwltL6b9YXLdJx/myCMxvJ6O8bS726AxE4ogcRgUGP6d5Q5aXw9i7VkLgVKY+gJZCbT+r80RiMqm23x3CPAPNjEsPh5nfgdNsN5ltJmq7IUGj0=,iv:Mw56hEghRGw6tLP6rhe78yD/blqgX2roeQRDiJ6+kAI=,tag:qE2LtSZPxDhITtdnsvrYfA==,type:str]
pgp: []
encrypted_suffix: secret
version: 3.7.1