def __init__(self, stash_key, value, manager_provider, aws_profile=None, aws_region=None, aws_bucket=None, kms_key='alias/novastash'): check_latest_version() self._aws_manager = manager_provider.aws_manager(aws_profile, aws_region or 'us-east-1') if aws_bucket is None: deployment_bucket_name = 'novastash_%s' % self._aws_manager.account_alias else: deployment_bucket_name = aws_bucket if not self._aws_manager.kms_key_exists(kms_key): raise NovaError("Please setup the novastash KMS key.") self._aws_manager.create_bucket(deployment_bucket_name, "Creating novastash bucket '%s'" % deployment_bucket_name) # generate a a 64 byte key. # Half will be for data encryption, the other half for HMAC kms_response = self._aws_manager.kms_generate_data_key(kms_key, {}) data_key = tobytes(kms_response['Plaintext'][:32]) hmac_key = tobytes(kms_response['Plaintext'][32:]) wrapped_key = tobytes(kms_response['CiphertextBlob']) enc_ctr = Counter.new(128) encryptor = AES.new(data_key, AES.MODE_CTR, counter=enc_ctr) c_text = encryptor.encrypt(tobytes(value)) # compute an HMAC using the hmac key and the ciphertext hmac = HMAC(hmac_key, msg=c_text, digestmod=SHA256) b64hmac = hmac.hexdigest() key = "%s.txt.enc" % stash_key existing_stash = self._aws_manager.s3_head(deployment_bucket_name, key) if existing_stash is None: print(colored("Stashing '%s'" % stash_key)) self._aws_manager.s3_put( deployment_bucket_name, b64encode(c_text).decode('utf-8'), key, {'encryption-key': b64encode(wrapped_key).decode('utf-8'), 'hmac': b64hmac} ) else: perform_overwrite = query_yes_no("Stash '%s' already exists, want to overwrite?" % stash_key, default="no") if perform_overwrite: self._aws_manager.s3_put( deployment_bucket_name, b64encode(c_text).decode('utf-8'), key, {'encryption-key': b64encode(wrapped_key).decode('utf-8'), 'hmac': b64hmac} ) else: print(colored("Not stashing anything for key '%s'" % stash_key))
def update_stack(self, service_name, cloudformation_template, changeset_id, cf_stack): try: cs_response = self.cloudformation_client.create_change_set( StackName=cf_stack.stack_name, TemplateBody=cloudformation_template, Capabilities=["CAPABILITY_IAM"], ChangeSetName=changeset_id) cs_id = cs_response['Id'] changes = self.cloudformation_client.describe_change_set( StackName=cf_stack.stack_name, ChangeSetName=cs_id) # delay for 2 seconds while waiting for changeset to create time.sleep(2) print( colored("The following stack update changes to be applied:", 'cyan')) print( colored( "================================================================================", 'cyan')) print(colored(changes, 'yellow')) print( colored( "================================================================================", 'cyan')) perform_update = query_yes_no("Perform changes?") if perform_update: self.cloudformation_client.execute_change_set( ChangeSetName=changeset_id, StackName=cf_stack.stack_name) waiter = CloudformationWaiter(self.cloudformation) print( colored( 'Cloudformation stack update in progress. Please check the AWS console!', color='green')) print(colored('Waiting on stack update...', color='magenta')) waiter.waiter.wait(StackName=service_name) print(colored('Stack update finished!', color='green')) else: self.cloudformation_client.delete_change_set( StackName=cf_stack.stack_name, ChangeSetName=cs_id) except ClientError as e: raise NovaError(str(e)) except WaiterError as e: raise NovaError(str(e))
def update_stack(self, service_name, cloudformation_template, changeset_id, cf_stack): try: cs_response = self.cloudformation_client.create_change_set( StackName=cf_stack.stack_name, TemplateBody=cloudformation_template, Capabilities=["CAPABILITY_IAM"], ChangeSetName=changeset_id ) cs_id = cs_response['Id'] changes = self.cloudformation_client.describe_change_set(StackName=cf_stack.stack_name, ChangeSetName=cs_id) # delay for 2 seconds while waiting for changeset to create time.sleep(2) print(colored("The following stack update changes to be applied:", 'cyan')) print(colored("================================================================================", 'cyan')) print(colored(changes, 'yellow')) print(colored("================================================================================", 'cyan')) perform_update = query_yes_no("Perform changes?") if perform_update: self.cloudformation_client.execute_change_set( ChangeSetName=changeset_id, StackName=cf_stack.stack_name ) waiter = CloudformationWaiter(self.cloudformation) print(colored('Cloudformation stack update in progress. Please check the AWS console!', color='green')) print(colored('Waiting on stack update...', color='magenta')) waiter.waiter.wait(StackName=service_name) print(colored('Stack update finished!', color='green')) else: self.cloudformation_client.delete_change_set(StackName=cf_stack.stack_name, ChangeSetName=cs_id) except ClientError as e: raise NovaError(str(e)) except WaiterError as e: raise NovaError(str(e))
def __init__(self, stash_key, value, manager_provider, aws_profile=None, aws_region=None, aws_bucket=None, kms_key='alias/novastash'): check_latest_version() self._aws_manager = manager_provider.aws_manager( aws_profile, aws_region or 'us-east-1') if aws_bucket is None: deployment_bucket_name = 'novastash_%s' % self._aws_manager.account_alias else: deployment_bucket_name = aws_bucket if not self._aws_manager.kms_key_exists(kms_key): raise NovaError("Please setup the novastash KMS key.") self._aws_manager.create_bucket( deployment_bucket_name, "Creating novastash bucket '%s'" % deployment_bucket_name) # generate a a 64 byte key. # Half will be for data encryption, the other half for HMAC kms_response = self._aws_manager.kms_generate_data_key(kms_key, {}) data_key = tobytes(kms_response['Plaintext'][:32]) hmac_key = tobytes(kms_response['Plaintext'][32:]) wrapped_key = tobytes(kms_response['CiphertextBlob']) enc_ctr = Counter.new(128) encryptor = AES.new(data_key, AES.MODE_CTR, counter=enc_ctr) c_text = encryptor.encrypt(tobytes(value)) # compute an HMAC using the hmac key and the ciphertext hmac = HMAC(hmac_key, msg=c_text, digestmod=SHA256) b64hmac = hmac.hexdigest() key = "%s.txt.enc" % stash_key existing_stash = self._aws_manager.s3_head(deployment_bucket_name, key) if existing_stash is None: print(colored("Stashing '%s'" % stash_key)) self._aws_manager.s3_put( deployment_bucket_name, b64encode(c_text).decode('utf-8'), key, { 'encryption-key': b64encode(wrapped_key).decode('utf-8'), 'hmac': b64hmac }) else: perform_overwrite = query_yes_no( "Stash '%s' already exists, want to overwrite?" % stash_key, default="no") if perform_overwrite: self._aws_manager.s3_put( deployment_bucket_name, b64encode(c_text).decode('utf-8'), key, { 'encryption-key': b64encode(wrapped_key).decode('utf-8'), 'hmac': b64hmac }) else: print(colored("Not stashing anything for key '%s'" % stash_key))