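def seed(vault_client, opt):
    """Will provision vault based on the definition within a Secretfile.

    When ``opt.thaw_from`` is set, a fresh temporary directory is created,
    ``opt.secrets`` is pointed at it and the archive is thawed there so the
    Secretfile can reference the restored secrets. That directory holds
    thawed secret material, so it is removed on every exit path, not only
    when the sync succeeds.

    :param vault_client: client used to fetch from and sync to Vault
    :param opt: parsed options; ``thaw_from`` is read and ``secrets`` is
        overwritten when thawing
    """
    thawing = bool(opt.thaw_from)
    if thawing:
        opt.secrets = tempfile.mkdtemp('aomi-thaw')
    try:
        if thawing:
            auto_thaw(vault_client, opt)
        Context.load(get_secretfile(opt), opt) \
            .fetch(vault_client) \
            .sync(vault_client, opt)
    finally:
        # the thaw directory is only ever a scratch copy; never leave it
        # behind when fetch/sync (or auto_thaw itself) raises
        if thawing:
            rmtree(opt.secrets)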
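def seed(vault_client, opt):
    """Will provision vault based on the definition within a Secretfile.

    When ``opt.thaw_from`` is set, a fresh temporary directory is created,
    ``opt.secrets`` is pointed at it and the archive is thawed there so the
    Secretfile can reference the restored secrets. That directory holds
    thawed secret material, so it is removed on every exit path, not only
    when the sync succeeds.

    :param vault_client: client used to fetch from and sync to Vault
    :param opt: parsed options; ``thaw_from`` is read and ``secrets`` is
        overwritten when thawing
    """
    thawing = bool(opt.thaw_from)
    if thawing:
        opt.secrets = tempfile.mkdtemp('aomi-thaw')
    try:
        if thawing:
            auto_thaw(opt)
        Context.load(get_secretfile(opt), opt) \
            .fetch(vault_client) \
            .sync(vault_client, opt)
    finally:
        # the thaw directory is only ever a scratch copy; never leave it
        # behind when fetch/sync (or auto_thaw itself) raises
        if thawing:
            rmtree(opt.secrets)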
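def freeze(dest_dir, opt):
    """Iterates over the Secretfile looking for secrets to freeze.

    The frozen copies are collected under a scratch directory, archived
    into a zip there, and the zip is then encrypted into ``dest_dir``. The
    scratch directory is removed whether or not archiving/encryption
    succeeds, since it holds the pre-encryption copies.

    :param dest_dir: directory that receives the encrypted archive
    :param opt: parsed options, passed through to the Secretfile loader,
        the context and the encryption step
    """
    tmp_dir = ensure_tmpdir()
    try:
        dest_prefix = "%s/dest" % tmp_dir
        ensure_dir(dest_dir)
        ensure_dir(dest_prefix)
        config = get_secretfile(opt)
        Context.load(config, opt) \
            .freeze(dest_prefix)
        zip_filename = freeze_archive(tmp_dir, dest_prefix)
        ice_file = freeze_encrypt(dest_dir, zip_filename, config, opt)
    finally:
        # remove the intermediate (not yet encrypted) material even when
        # one of the steps above raised
        shutil.rmtree(tmp_dir)
    LOG.debug("Generated file is %s", ice_file)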
def export(vault_client, opt):
    """Export contents of a Secretfile from the Vault server into a
    specified directory.

    :param vault_client: client used to fetch the live state from Vault
    :param opt: parsed options; ``opt.directory`` is the export target
    """
    secretfile = get_secretfile(opt)
    context = Context.load(secretfile, opt).fetch(vault_client)
    for entry in context.resources():
        entry.export(opt.directory)
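def render(directory, opt):
    """Render any provided template. This includes the Secretfile,
    Vault policies, and inline AWS roles.

    Writes the rendered Secretfile to ``directory/Secretfile``, each
    present Policy to ``directory/policy/<resource.path>`` and the inline
    policy document of each present AWSRole that carries one to
    ``directory/aws/<basename(resource.path)>``.

    :param directory: output directory, created if it does not exist
    :param opt: parsed options handed to the Secretfile renderer and to
        :meth:`Context.load`
    """
    # isdir() implies exists(), so the original two-part test reduces to this
    if not os.path.exists(directory):
        os.mkdir(directory)

    a_secretfile = render_secretfile(opt)
    s_path = "%s/Secretfile" % directory
    LOG.debug("writing Secretfile to %s", s_path)
    _write_text(s_path, a_secretfile)

    ctx = Context.load(yaml.safe_load(a_secretfile), opt)
    for resource in ctx.resources():
        if not resource.present:
            continue
        if isinstance(resource, Policy):
            _render_policy(directory, resource)
        elif isinstance(resource, AWSRole):
            _render_aws_role(directory, resource)


def _write_text(filename, contents):
    """Write contents to filename, closing the handle even on error."""
    with open(filename, 'w') as handle:
        handle.write(contents)


def _render_policy(directory, resource):
    """Write a Vault policy document to directory/policy/<resource.path>."""
    policy_dir = "%s/policy" % directory
    if not os.path.isdir(policy_dir):
        os.mkdir(policy_dir)
    filename = "%s/%s" % (policy_dir, resource.path)
    _write_text(filename, resource.obj())
    LOG.debug("writing %s to %s", resource, filename)


def _render_aws_role(directory, resource):
    """Write the inline policy of an AWS role, when it has one, to
    directory/aws/<basename(resource.path)>."""
    aws_dir = "%s/aws" % directory
    if not os.path.isdir(aws_dir):
        os.mkdir(aws_dir)
    # evaluate obj() once; it was previously called three times per role
    r_obj = resource.obj()
    if 'policy' in r_obj:
        filename = "%s/%s" % (aws_dir, os.path.basename(resource.path))
        LOG.debug("writing %s to %s", resource, filename)
        _write_text(filename, r_obj['policy'])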
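def diff(vault_client, opt):
    """Derive a comparison between what is represented in the Secretfile
    and what is actually live on a Vault instance.

    Prints one line per resource whose state differs (``+`` added, ``-``
    removed, ``~`` changed, yellow ``+`` overwrite) and, for everything but
    overwrites and no-ops, the detail output of :func:`maybe_details`.
    When ``opt.thaw_from`` is set the archive is first thawed into a
    temporary directory that is removed on every exit path.

    :param vault_client: client used to fetch the live state from Vault
    :param opt: parsed options; ``thaw_from`` is read and ``secrets`` is
        overwritten when thawing
    """
    thawing = bool(opt.thaw_from)
    if thawing:
        opt.secrets = tempfile.mkdtemp('aomi-thaw')
    try:
        if thawing:
            auto_thaw(opt)
        ctx = Context.load(get_secretfile(opt), opt) \
            .fetch(vault_client)
        for resource in ctx.resources():
            changed = resource.diff()
            if changed == ADD:
                print("%s %s" % (maybe_colored("+", "green", opt),
                                 str(resource)))
            elif changed == DEL:
                print("%s %s" % (maybe_colored("-", "red", opt),
                                 str(resource)))
            elif changed == CHANGED:
                print("%s %s" % (maybe_colored("~", "yellow", opt),
                                 str(resource)))
            elif changed == OVERWRITE:
                print("%s %s" % (maybe_colored("+", "yellow", opt),
                                 str(resource)))
            if changed != OVERWRITE and changed != NOOP:
                maybe_details(resource, opt)
    finally:
        # thawed scratch copy must not outlive the command, even on error
        if thawing:
            rmtree(opt.secrets)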
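def thaw(src_file, opt):
    """Given the combination of a Secretfile and the output of a freeze
    operation, will restore secrets to usable locations.

    :param src_file: encrypted archive produced by a freeze
    :param opt: parsed options; ``opt.secrets`` is the thaw destination
    :raises aomi.exceptions.AomiFile: if ``src_file`` does not exist
    """
    if not os.path.exists(src_file):
        raise aomi.exceptions.AomiFile("%s does not exist" % src_file)

    tmp_dir = ensure_tmpdir()
    zip_file = thaw_decrypt(src_file, tmp_dir, opt)
    with zipfile.ZipFile(zip_file, 'r') as archive:
        for archive_file in archive.namelist():
            # extract() sanitises the member name and returns the path it
            # actually wrote; chmod that path rather than tmp_dir/<name>,
            # which can differ (or point elsewhere) for odd member names
            extracted = archive.extract(archive_file, tmp_dir)
            os.chmod(extracted, 0o640)
            LOG.debug("Extracted %s from archive", archive_file)

    LOG.info("Thawing secrets into %s", opt.secrets)
    config = get_secretfile(opt)
    Context.load(config, opt) \
        .thaw(tmp_dir)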
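def thaw(vault_client, src_file, opt):
    """Given the combination of a Secretfile and the output of a freeze
    operation, will restore secrets to usable locations.

    :param vault_client: client handed to :func:`thaw_decrypt`
    :param src_file: encrypted archive produced by a freeze
    :param opt: parsed options; ``opt.secrets`` is the thaw destination
    :raises aomi.exceptions.AomiFile: if ``src_file`` does not exist
    """
    if not os.path.exists(src_file):
        raise aomi.exceptions.AomiFile("%s does not exist" % src_file)

    tmp_dir = ensure_tmpdir()
    zip_file = thaw_decrypt(vault_client, src_file, tmp_dir, opt)
    with zipfile.ZipFile(zip_file, 'r') as archive:
        for archive_file in archive.namelist():
            # extract() sanitises the member name and returns the path it
            # actually wrote; chmod that path rather than tmp_dir/<name>,
            # which can differ (or point elsewhere) for odd member names
            extracted = archive.extract(archive_file, tmp_dir)
            os.chmod(extracted, 0o640)
            LOG.debug("Extracted %s from archive", archive_file)

    LOG.info("Thawing secrets into %s", opt.secrets)
    config = get_secretfile(opt)
    Context.load(config, opt) \
        .thaw(tmp_dir)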
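def diff(vault_client, opt):
    """Derive a comparison between what is represented in the Secretfile
    and what is actually live on a Vault instance.

    Every mount and every resource of the loaded context is handed to
    :func:`diff_a_thing`, which prints the comparison. When
    ``opt.thaw_from`` is set the archive is first thawed into a temporary
    directory that is removed on every exit path.

    :param vault_client: client used to fetch the live state from Vault
    :param opt: parsed options; ``thaw_from`` is read and ``secrets`` is
        overwritten when thawing
    """
    thawing = bool(opt.thaw_from)
    if thawing:
        opt.secrets = tempfile.mkdtemp('aomi-thaw')
    try:
        if thawing:
            auto_thaw(vault_client, opt)
        ctx = Context.load(get_secretfile(opt), opt) \
            .fetch(vault_client)
        for backend in ctx.mounts():
            diff_a_thing(backend, opt)
        for resource in ctx.resources():
            diff_a_thing(resource, opt)
    finally:
        # thawed scratch copy must not outlive the command, even on error
        if thawing:
            rmtree(opt.secrets)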