class CreateDatabricksSecretsFromVault(Step, CreateDatabricksSecretsMixin):
"""Will connect to the supplied vault and uses prefixed names to created databricks secrets.
For example given list of secrets in the vault:
- `this-app-name-secret-1`
- `this-app-name-secret-2`
- `a-different-app-name-secret-3`
it will register `secret-1` and `secret-2` and their values under the databricks secret scope
`this-app-name` and ignore all other secrets, such as `secret-3` as it does not match
the `this-app-name` prefix.
"""
def get_secret_api(self):
return self.secret_api
def __init__(self, env: ApplicationVersion, config: dict):
super().__init__(env, config)
self.vault_name, self.vault_client = KeyVaultClient.vault_and_client(
self.config, self.env)
self.databricks_client = Databricks(
self.vault_name, self.vault_client).api_client(self.config)
self.secret_api = SecretApi(self.databricks_client)
def run(self):
self.create_databricks_secrets()
def create_databricks_secrets(self):
secrets = self._combine_secrets()
self._create_scope(self.application_name)
self._add_secrets(self.application_name, secrets)
logging.info(
f'------ {len(secrets)} secrets created in "{self.env.environment}"'
)
pprint(self.secret_api.list_secrets(self.application_name))
def _combine_secrets(self):
vault_secrets = KeyVaultCredentialsMixin(
self.vault_name,
self.vault_client).get_keyvault_secrets(self.application_name)
deployment_secrets = DeploymentYamlEnvironmentVariablesMixin(
self.env, self.config).get_deployment_secrets()
return list(set(vault_secrets + deployment_secrets))
def schema(self) -> vol.Schema:
return SCHEMA
def export_cli(dry_run, tag, delete, git_ssh_url, api_client: ApiClient, hcl,
pattern_matches):
block_key_map = {}
ignore_attribute_key = {"last_updated_timestamp"}
required_attributes_key = {"key"}
if hcl:
secret_api = SecretApi(api_client)
scopes = secret_api.list_scopes()["scopes"]
log.info(scopes)
with GitExportHandler(git_ssh_url,
"secrets",
delete_not_found=delete,
dry_run=dry_run,
tag=tag) as gh:
for scope in scopes:
secrets = secret_api.list_secrets(scope["name"])["secrets"]
log.info(secrets)
for secret in secrets:
if not pattern_matches(secret["key"]):
log.debug(
f"{secret['key']} did not match pattern function {pattern_matches}"
)
continue
log.debug(
f"{secret['key']} matched the pattern function {pattern_matches}"
)
secret_resource_data = prep_json(block_key_map,
ignore_attribute_key,
secret,
required_attributes_key)
base_name = normalize_identifier(secret["key"])
name = "databricks_secret"
identifier = f"databricks_secret-{base_name}"
secret_resource_data["scope"] = scope["name"]
secret_hcl = create_resource_from_dict(
name, identifier, secret_resource_data, False)
file_name_identifier = f"{identifier}.tf"
gh.add_file(file_name_identifier, secret_hcl)
log.debug(secret_hcl)