kjuulh/dagger
Archived
1
0
Fork 0
Code Issues 1 Pull Requests 1 Projects Releases Wiki Activity

update stdlib tests that use secrets

Browse Source 
Signed-off-by: Tom Chauveau <tom.chauveau@epitech.eu>
This commit is contained in:
Tom Chauveau
2021-05-27 18:22:41 +02:00
committed by Andrea Luzzardi
parent 40d4c95bff
commit 5fb7ded2d5
18 changed files with 442 additions and 219 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
stdlib/aws/aws.cue
View File

@@ -40,17 +40,17 @@ import (
"pipefail",
"-c",
#"""
aws configure set aws_access_key_id "$(cat /run/secrets/access_key)"
aws configure set aws_secret_access_key "$(cat /run/secrets/secret_key)"
aws configure set aws_access_key_id "$(cat /run/secrets/access_key)"
aws configure set aws_secret_access_key "$(cat /run/secrets/secret_key)"
aws configure set default.region "$AWS_DEFAULT_REGION"
aws configure set default.cli_pager ""
aws configure set default.output "json"
"""#
aws configure set default.region "$AWS_DEFAULT_REGION"
aws configure set default.cli_pager ""
aws configure set default.output "json"
"""#,
]
mount: "/run/secrets/access_key": secret: config.accessKey
mount: "/run/secrets/secret_key": secret: config.secretKey
env: AWS_DEFAULT_REGION: config.region
env: AWS_DEFAULT_REGION: config.region
},
]
}
}

6
stdlib/aws/ecr/ecr.cue
View File

@@ -38,15 +38,15 @@ import (
"pipefail",
"-c",
#"""
aws ecr get-login-password > /out
"""#
aws ecr get-login-password > /out
"""#,
]
},
op.#Export & {
source: "/out"
format: "string"
}
},
]
}
}

19
stdlib/aws/eks/eks.cue
View File

@@ -18,12 +18,14 @@ import (
// kubeconfig is the generated kube configuration file
kubeconfig: {
// FIXME There is a problem with dagger.#Secret type
@dagger(output)
string
#up: [
op.#Load & {
from: aws.#CLI
from: aws.#CLI & {
"config": config
}
},
op.#WriteFile & {
@@ -42,15 +44,8 @@ import (
"/entrypoint.sh",
]
env: {
AWS_CONFIG_FILE: "/cache/aws/config"
AWS_ACCESS_KEY_ID: config.accessKey
AWS_SECRET_ACCESS_KEY: config.secretKey
AWS_DEFAULT_REGION: config.region
AWS_REGION: config.region
AWS_DEFAULT_OUTPUT: "json"
AWS_PAGER: ""
EKS_CLUSTER: clusterName
KUBECTL_VERSION: version
EKS_CLUSTER: clusterName
KUBECTL_VERSION: version
}
mount: {
"/cache/aws": "cache"
@@ -62,5 +57,5 @@ import (
format: "string"
},
]
} @dagger(output)
}
}

99
stdlib/aws/elb/elb.cue
View File

@@ -18,54 +18,65 @@ import (
// exported priority
priority: out @dagger(output)
out: string
out: {
string
aws.#Script & {
always: true
#up: [
op.#Load & {
from: aws.#CLI & {
"config": config
}
},
files: {
"/inputs/listenerArn": listenerArn
if vhost != _|_ {
"/inputs/vhost": vhost
}
}
op.#Exec & {
args: [
"/bin/bash",
"--noprofile",
"--norc",
"-eo",
"pipefail",
#"""
if [ -s "$VHOST" ]; then
# We passed a vhost as input, try to recycle priority from previously allocated vhost
priority=$(aws elbv2 describe-rules \
--listener-arn "$LISTENER_ARN" | \
jq -r --arg vhost "$VHOST" '.Rules[] | select(.Conditions[].HostHeaderConfig.Values[] == $VHOST) | .Priority')
export: "/priority"
if [ -n "${priority}" ]; then
echo -n "${priority}" > /priority
exit 0
fi
fi
//FIXME: The code below can end up not finding an available prio
// Better to exclude the existing allocated priorities from the random sequence
code: #"""
if [ -s /inputs/vhost ]; then
# We passed a vhost as input, try to recycle priority from previously allocated vhost
vhost="$(cat /inputs/vhost)"
# Grab a priority random from 1-50k and check if available, retry 10 times if none available
priority=0
for i in {1..10}
do
p=$(shuf -i 1-50000 -n 1)
# Find the next priority available that we can allocate
aws elbv2 describe-rules \
--listener-arn "$LISTENER_ARN" \
| jq -e "select(.Rules[].Priority == \"${p}\") | true" && continue
priority="${p}"
break
done
if [ "${priority}" -lt 1 ]; then
echo "Error: cannot determine a Rule priority"
exit 1
fi
echo -n "${priority}" > /priority
"""#,
]
env: {
LISTENER_ARN: listenerArn
VHOST: vhost
}
},
priority=$(aws elbv2 describe-rules \
--listener-arn "$(cat /inputs/listenerArn)" | \
jq -r --arg vhost "$vhost" '.Rules[] | select(.Conditions[].HostHeaderConfig.Values[] == $vhost) | .Priority')
if [ -n "${priority}" ]; then
echo -n "${priority}" > /priority
exit 0
fi
fi
# Grab a priority random from 1-50k and check if available, retry 10 times if none available
priority=0
for i in {1..10}
do
p=$(shuf -i 1-50000 -n 1)
# Find the next priority available that we can allocate
aws elbv2 describe-rules \
--listener-arn "$(cat /inputs/listenerArn)" \
| jq -e "select(.Rules[].Priority == \"${p}\") | true" && continue
priority="${p}"
break
done
if [ "${priority}" -lt 1 ]; then
echo "Error: cannot determine a Rule priority"
exit 1
fi
echo -n "${priority}" > /priority
"""#
op.#Export & {
source: "/db_created"
format: "string"
},
]
}
}

286
stdlib/aws/rds/rds.cue
View File

@@ -22,45 +22,60 @@ import (
dbType: "mysql" | "postgres" @dagger(input)
// Name of the DB created
out: string @dagger(output)
out: {
@dagger(output)
string
aws.#Script & {
"config": config
#up: [
op.#Load & {
from: aws.#CLI & {
"config": config
}
},
files: {
"/inputs/name": name
"/inputs/db_arn": dbArn
"/inputs/secret_arn": secretArn
"/inputs/db_type": dbType
}
op.#Exec & {
args: [
"/bin/bash",
"--noprofile",
"--norc",
"-eo",
"pipefail",
#"""
echo "dbType: $DB_TYPE"
export: "/db_created"
sql="CREATE DATABASE \`"$NAME" \`"
if [ "$DB_TYPE" = postgres ]; then
sql="CREATE DATABASE \""$NAME"\""
fi
code: #"""
set +o pipefail
echo "$NAME" >> /db_created
dbType="$(cat /inputs/db_type)"
echo "dbType: $dbType"
aws rds-data execute-statement \
--resource-arn "$DB_ARN" \
--secret-arn "$SECRET_ARN" \
--sql "$sql" \
--database "$DB_TYPE" \
--no-include-result-metadata \
|& tee /tmp/out
exit_code=${PIPESTATUS[0]}
if [ $exit_code -ne 0 ]; then
grep -q "database exists\|already exists" /tmp/out || exit $exit_code
fi
"""#,
]
env: {
NAME: name
DB_ARN: dbArn
SECRET_ARN: secretArn
DB_TYPE: dbType
}
},
sql="CREATE DATABASE \`$(cat /inputs/name)\`"
if [ "$dbType" = postgres ]; then
sql="CREATE DATABASE \"$(cat /inputs/name)\""
fi
cp /inputs/name /db_created
aws rds-data execute-statement \
--resource-arn "$(cat /inputs/db_arn)" \
--secret-arn "$(cat /inputs/secret_arn)" \
--sql "$sql" \
--database "$dbType" \
--no-include-result-metadata \
|& tee /tmp/out
exit_code=${PIPESTATUS[0]}
if [ $exit_code -ne 0 ]; then
grep -q "database exists\|already exists" /tmp/out || exit $exit_code
fi
"""#
op.#Export & {
source: "/db_created"
format: "string"
},
]
}
}
@@ -69,89 +84,104 @@ import (
config: aws.#Config
// Username
username: dagger.#Secret
username: dagger.#Secret @dagger(input)
// Password
password: dagger.#Secret
password: dagger.#Secret @dagger(input)
// ARN of the database instance
dbArn: string
dbArn: string @dagger(input)
// ARN of the database secret (for connecting via rds api)
secretArn: string
secretArn: string @dagger(input)
grantDatabase: string | *""
grantDatabase: string | *"" @dagger(input)
dbType: "mysql" | "postgres"
dbType: "mysql" | "postgres" @dagger(input)
// Outputed username
out: string
out: {
@dagger(output)
string
aws.#Script & {
"config": config
#up: [
op.#Load & {
from: aws.#CLI & {
"config": config
}
},
files: {
"/inputs/username": username
"/inputs/password": password
"/inputs/db_arn": dbArn
"/inputs/secret_arn": secretArn
"/inputs/grant_database": grantDatabase
"/inputs/db_type": dbType
}
op.#Exec & {
args: [
"/bin/bash",
"--noprofile",
"--norc",
"-eo",
"pipefail",
#"""
echo "dbType: $DB_TYPE"
sql="CREATE USER '"$USERNAME"'@'%' IDENTIFIED BY '"$PASSWORD"'"
if [ "$DB_TYPE" = postgres ]; then
sql="CREATE USER \""$USERNAME"\" WITH PASSWORD '"$PASSWORD"'"
fi
echo "$USERNAME" >> /username
aws rds-data execute-statement \
--resource-arn "$DB_ARN" \
--secret-arn "$SECRET_ARN" \
--sql "$sql" \
--database "$DB_TYPE" \
--no-include-result-metadata \
|& tee tmp/out
exit_code=${PIPESTATUS[0]}
if [ $exit_code -ne 0 ]; then
grep -q "Operation CREATE USER failed for\|ERROR" tmp/out || exit $exit_code
fi
sql="SET PASSWORD FOR '"$USERNAME"'@'%' = PASSWORD('"$PASSWORD"')"
if [ "$DB_TYPE" = postgres ]; then
sql="ALTER ROLE \""$USERNAME"\" WITH PASSWORD '"$PASSWORD"'"
fi
aws rds-data execute-statement \
--resource-arn "$DB_ARN" \
--secret-arn "$SECRET_ARN" \
--sql "$sql" \
--database "$DB_TYPE" \
--no-include-result-metadata
sql="GRANT ALL ON \`"$GRAND_DATABASE"\`.* to '"$USERNAME"'@'%'"
if [ "$DB_TYPE" = postgres ]; then
sql="GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \""$USERNAME"\"; GRANT ALL PRIVILEGES ON DATABASE \""$GRAND_DATABASE"\" to \""$USERNAME"\"; GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO \""$USERNAME"\"; ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL PRIVILEGES ON TABLES TO \""$USERNAME"\"; ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL PRIVILEGES ON SEQUENCES TO \""$USERNAME"\"; GRANT USAGE ON SCHEMA public TO \""$USERNAME"\";"
fi
if [ -s "$GRAND_DATABASE ]; then
aws rds-data execute-statement \
--resource-arn "$DB_ARN" \
--secret-arn "$SECRET_ARN" \
--sql "$sql" \
--database "$DB_TYPE" \
--no-include-result-metadata
fi
"""#,
]
env: {
USERNAME: unsername
PASSWORD: password
DB_ARN: dbArn
SECRET_ARN: secretArn
GRAND_DATABASE: grandDatabase
DB_TYPE: dbType
}
},
export: "/username"
code: #"""
set +o pipefail
dbType="$(cat /inputs/db_type)"
echo "dbType: $dbType"
sql="CREATE USER '$(cat /inputs/username)'@'%' IDENTIFIED BY '$(cat /inputs/password)'"
if [ "$dbType" = postgres ]; then
sql="CREATE USER \"$(cat /inputs/username)\" WITH PASSWORD '$(cat /inputs/password)'"
fi
cp /inputs/username /username
aws rds-data execute-statement \
--resource-arn "$(cat /inputs/db_arn)" \
--secret-arn "$(cat /inputs/secret_arn)" \
--sql "$sql" \
--database "$dbType" \
--no-include-result-metadata \
|& tee tmp/out
exit_code=${PIPESTATUS[0]}
if [ $exit_code -ne 0 ]; then
grep -q "Operation CREATE USER failed for\|ERROR" tmp/out || exit $exit_code
fi
sql="SET PASSWORD FOR '$(cat /inputs/username)'@'%' = PASSWORD('$(cat /inputs/password)')"
if [ "$dbType" = postgres ]; then
sql="ALTER ROLE \"$(cat /inputs/username)\" WITH PASSWORD '$(cat /inputs/password)'"
fi
aws rds-data execute-statement \
--resource-arn "$(cat /inputs/db_arn)" \
--secret-arn "$(cat /inputs/secret_arn)" \
--sql "$sql" \
--database "$dbType" \
--no-include-result-metadata
sql="GRANT ALL ON \`$(cat /inputs/grant_database)\`.* to '$(cat /inputs/username)'@'%'"
if [ "$dbType" = postgres ]; then
sql="GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"$(cat /inputs/username)\"; GRANT ALL PRIVILEGES ON DATABASE \"$(cat /inputs/grant_database)\" to \"$(cat /inputs/username)\"; GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO \"$(cat /inputs/username)\"; ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL PRIVILEGES ON TABLES TO \"$(cat /inputs/username)\"; ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL PRIVILEGES ON SEQUENCES TO \"$(cat /inputs/username)\"; GRANT USAGE ON SCHEMA public TO \"$(cat /inputs/username)\";"
fi
if [ -s /inputs/grant_database ]; then
aws rds-data execute-statement \
--resource-arn "$(cat /inputs/db_arn)" \
--secret-arn "$(cat /inputs/secret_arn)" \
--sql "$sql" \
--database "$dbType" \
--no-include-result-metadata
fi
"""#
op.#Export & {
source: "/username"
format: "string"
},
]
}
}
@@ -160,35 +190,51 @@ import (
config: aws.#Config
// ARN of the database instance
dbArn: string
dbArn: string @dagger(input)
// DB hostname
hostname: info.hostname
hostname: info.hostname @dagger(output)
// DB port
port: info.port
port: info.port @dagger(output)
info: {
hostname: string
port: int
}
info: json.Unmarshal(out)
out: string
info: json.Unmarshal(out) @dagger(output)
out: {
string
aws.#Script & {
"config": config
#up: [
op.#Load & {
from: aws.#CLI & {
"config": config
}
},
files: "/inputs/db_arn": dbArn
op.#Exec & {
args: [
"/bin/bash",
"--noprofile",
"--norc",
"-eo",
"pipefail",
#"""
data=$(aws rds describe-db-clusters --filters "Name=db-cluster-id,Values=$DB_URN" )
echo "$data" | jq -r '.DBClusters[].Endpoint' > /tmp/out
echo "$data" | jq -r '.DBClusters[].Port' >> /tmp/out
cat /tmp/out | jq -sR 'split("\n") | {hostname: .[0], port: (.[1] | tonumber)}' > /out
"""#,
]
env: DB_ARN: dbArn
},
export: "/out"
code: #"""
db_arn="$(cat /inputs/db_arn)"
data=$(aws rds describe-db-clusters --filters "Name=db-cluster-id,Values=$db_arn" )
echo "$data" | jq -r '.DBClusters[].Endpoint' > /tmp/out
echo "$data" | jq -r '.DBClusters[].Port' >> /tmp/out
cat /tmp/out | jq -sR 'split("\n") | {hostname: .[0], port: (.[1] | tonumber)}' > /out
"""#
op.#Export & {
source: "/out"
format: "json"
},
]
}
}

34
stdlib/aws/s3/s3.cue
View File

@@ -41,17 +41,17 @@ import (
if sourceInline != _|_ {
op.#WriteFile & {
dest: "/source"
dest: "/source"
content: sourceInline
}
}
},
op.#Exec & {
if always != _|_ {
"always": always
}
env: {
TARGET: target
TARGET: target
CONTENT_TYPE: contentType
}
@@ -67,26 +67,26 @@ import (
"pipefail",
"-c",
#"""
opts=""
op=cp
if [ -d /source ]; then
op=sync
fi
if [ -n "$CONTENT_TYPE" ]; then
opts="--content-type $CONTENT_TYPE"
fi
aws s3 $op $opts /source "$TARGET"
echo "$TARGET" \
| sed -E 's=^s3://([^/]*)/=https://\1.s3.amazonaws.com/=' \
> /url
"""#
opts=""
op=cp
if [ -d /source ]; then
op=sync
fi
if [ -n "$CONTENT_TYPE" ]; then
opts="--content-type $CONTENT_TYPE"
fi
aws s3 $op $opts /source "$TARGET"
echo "$TARGET" \
| sed -E 's=^s3://([^/]*)/=https://\1.s3.amazonaws.com/=' \
> /url
"""#,
]
},
op.#Export & {
source: "/url"
format: "string"
}
},
]
}
}

2
stdlib/netlify/netlify.cue
View File

@@ -83,7 +83,7 @@ import (
NETLIFY_ACCOUNT: account.name
}
dir: "/src"
mount: "/src": from: contents
mount: "/src": from: contents
mount: "/run/secrets/token": secret: account.token
}
}