class CreateDatabricksSecretsFromVault(Step, CreateDatabricksSecretsMixin): """Will connect to the supplied vault and uses prefixed names to created databricks secrets. For example given list of secrets in the vault: - `this-app-name-secret-1` - `this-app-name-secret-2` - `a-different-app-name-secret-3` it will register `secret-1` and `secret-2` and their values under the databricks secret scope `this-app-name` and ignore all other secrets, such as `secret-3` as it does not match the `this-app-name` prefix. """ def get_secret_api(self): return self.secret_api def __init__(self, env: ApplicationVersion, config: dict): super().__init__(env, config) self.vault_name, self.vault_client = KeyVaultClient.vault_and_client( self.config, self.env) self.databricks_client = Databricks( self.vault_name, self.vault_client).api_client(self.config) self.secret_api = SecretApi(self.databricks_client) def run(self): self.create_databricks_secrets() def create_databricks_secrets(self): secrets = self._combine_secrets() self._create_scope(self.application_name) self._add_secrets(self.application_name, secrets) logging.info( f'------ {len(secrets)} secrets created in "{self.env.environment}"' ) pprint(self.secret_api.list_secrets(self.application_name)) def _combine_secrets(self): vault_secrets = KeyVaultCredentialsMixin( self.vault_name, self.vault_client).get_keyvault_secrets(self.application_name) deployment_secrets = DeploymentYamlEnvironmentVariablesMixin( self.env, self.config).get_deployment_secrets() return list(set(vault_secrets + deployment_secrets)) def schema(self) -> vol.Schema: return SCHEMA
def export_cli(dry_run, tag, delete, git_ssh_url, api_client: ApiClient, hcl, pattern_matches): block_key_map = {} ignore_attribute_key = {"last_updated_timestamp"} required_attributes_key = {"key"} if hcl: secret_api = SecretApi(api_client) scopes = secret_api.list_scopes()["scopes"] log.info(scopes) with GitExportHandler(git_ssh_url, "secrets", delete_not_found=delete, dry_run=dry_run, tag=tag) as gh: for scope in scopes: secrets = secret_api.list_secrets(scope["name"])["secrets"] log.info(secrets) for secret in secrets: if not pattern_matches(secret["key"]): log.debug( f"{secret['key']} did not match pattern function {pattern_matches}" ) continue log.debug( f"{secret['key']} matched the pattern function {pattern_matches}" ) secret_resource_data = prep_json(block_key_map, ignore_attribute_key, secret, required_attributes_key) base_name = normalize_identifier(secret["key"]) name = "databricks_secret" identifier = f"databricks_secret-{base_name}" secret_resource_data["scope"] = scope["name"] secret_hcl = create_resource_from_dict( name, identifier, secret_resource_data, False) file_name_identifier = f"{identifier}.tf" gh.add_file(file_name_identifier, secret_hcl) log.debug(secret_hcl)