def build_secrets_for_all_namespaces(env_name, service_name, ecs_service_name,
                                     sample_env_folder_path, secrets_name):
    """Merge the per-namespace secrets of ``env_name`` into one automated
    Secrets Manager secret and return the env var that points at it.

    Args:
        env_name: Environment whose secrets are resolved and written.
        service_name: Service name; part of the derived automated secret name.
        ecs_service_name: ECS service name; also part of the derived name.
        sample_env_folder_path: Directory of env sample files from which the
            namespaces are discovered (``get_namespaces_from_directory``).
        secrets_name: Passed through to ``_get_secrets_for_namespace``.

    Returns:
        ``{'CLOUDLIFT_INJECTED_SECRETS': <ARN of the automated secret>}``.

    Raises:
        UnrecoverableException: if a key occurs in more than one sample file.
    """
    namespaces = get_namespaces_from_directory(sample_env_folder_path)

    # Refuse to merge when two namespaces define the same key; otherwise the
    # dict merge below would silently let the later namespace win.
    duplicates = find_duplicate_keys(sample_env_folder_path, namespaces)
    if duplicates:
        raise UnrecoverableException(
            'duplicate keys found in env sample files {} '.format(duplicates))

    desired = {}
    for ns in namespaces:
        desired.update(_get_secrets_for_namespace(
            env_name, ns, sample_env_folder_path, secrets_name))

    target = get_automated_injected_secret_name(
        env_name, service_name, ecs_service_name)

    try:
        stored = secrets_manager.get_config(target, env_name)['secrets']
    except Exception as err:
        # NOTE(review): every failure here -- including access-denied or
        # throttling from the backend, or a missing 'secrets' key -- is
        # treated as "secret not created yet" and leads to the write below.
        # Narrow this once the helper's not-found exception type is known.
        # Only the secret's name and the backend error are logged, never the
        # secret contents.
        log_warning(
            f'secret {target} does not exist. It will be created: {err}'
        )
        stored = {}

    # Write only when the stored value differs, so an unchanged config is
    # not rewritten on every run.
    if stored != desired:
        log(f"Updating {target}")
        secrets_manager.set_secrets_manager_config(env_name, target, desired)

    # Re-read after the (possible) write so the ARN is that of the stored secret.
    arn = secrets_manager.get_config(target, env_name)['ARN']
    return {'CLOUDLIFT_INJECTED_SECRETS': arn}
    def test_set_secrets_manager_config_fails_if_not_consistent(self, mock_client):
        """set_secrets_manager_config must raise UnrecoverableException when
        the client keeps reporting an empty secret (``'{}'``) for the name it
        just wrote, and likewise when ``get_secret_value`` itself raises.

        ``mock_client`` stands in for the boto3 client factory; it is made to
        return itself so attribute access on the "client" hits the same mock.
        """
        mock_client.return_value = mock_client

        env_name = "test"
        name = "test-secret"
        wanted = {'LABEL': 'label', 'PORT': '8080'}

        # Case 1: the read-back never reflects the requested config.
        mock_client.get_secret_value.return_value = {"SecretString": "{}"}
        with self.assertRaises(UnrecoverableException):
            secrets_manager.set_secrets_manager_config(env_name, name, wanted)

        # Case 2: the read-back fails outright; the raw Exception must be
        # surfaced as UnrecoverableException, not leaked or swallowed.
        mock_client.get_secret_value.side_effect = Exception("unable to fetch secret")
        with self.assertRaises(UnrecoverableException):
            secrets_manager.set_secrets_manager_config(env_name, name, wanted)
    def test_set_secrets_manager_config_waits_for_consistency(self, mock_client):
        """set_secrets_manager_config must tolerate a read-back that lags the
        write: ``get_secret_value`` returns an empty secret, then a partial
        one, and only on the third call the full config.  The call has to
        complete without raising.

        Because ``side_effect`` is a three-element list, a fourth read-back
        would exhaust it (Mock raises StopIteration), so this test also
        bounds the number of read attempts to three.
        """
        mock_client.return_value = mock_client

        env_name = "test"
        name = "test-secret"
        wanted = {'LABEL': 'label', 'PORT': '8080'}
        partial = {"LABEL": "label"}

        # Successive read-backs converge on the requested config.
        mock_client.get_secret_value.side_effect = [
            {'SecretString': "{}"},
            {'SecretString': json.dumps(partial)},
            {'SecretString': json.dumps(wanted)},
        ]

        secrets_manager.set_secrets_manager_config(env_name, name, wanted)
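def test_cloudlift_can_deploy_to_ec2(keep_resources):
    """End-to-end: create and deploy the dummy service to EC2 and check the
    string it serves.

    Talks to real AWS (CloudFormation via boto3; Secrets Manager through the
    project's ``secrets_manager`` helper).  The stack name is
    ``<service_name>-<environment_name>`` from module-level globals.

    Args:
        keep_resources: when true the stack is left in place after the test
            (for debugging); otherwise it is deleted.

    Note:
        Teardown runs in ``finally`` so a failure in ``validate_service`` (or
        any earlier step) no longer leaks a live stack.  The secrets written
        here are not removed by this test.
    """
    expected_string = 'This is dummy app. Label: Demo. Redis ' \
                      'PING: PONG. AWS EC2 READ ACCESS: True'
    mocked_config = mocked_service_config
    stack_name = f'{service_name}-{environment_name}'
    cfn_client = boto3.client('cloudformation')
    # Start from a clean slate; wait so a previous run's stack is fully gone.
    # (delete_stack is already called here before the stack is known to
    # exist, so it is presumed to tolerate a missing stack -- the finally
    # below relies on the same property.)
    delete_stack(cfn_client, stack_name, wait=True)
    try:
        # Seed the secrets the dummy app reads: PORT/LABEL in the service
        # secret, REDIS_HOST in a separate namespaced one.
        secrets_manager.set_secrets_manager_config(environment_name, stack_name,
                                                   {'PORT': '80', 'LABEL': 'Demo'})
        secrets_manager.set_secrets_manager_config(environment_name, f'{stack_name}/redis',
                                                   {'REDIS_HOST': 'redis'})
        create_service(mocked_config)
        deploy_service(deployment_identifier="id-0")
        validate_service(cfn_client, stack_name, expected_string)
    finally:
        if not keep_resources:
            delete_stack(cfn_client, stack_name, wait=False)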
def build_secrets_for_all_namespaces(env_name, service_name, ecs_service_name,
                                     sample_env_folder_path, secrets_name):
    """Sync the merged per-namespace secrets of ``env_name`` into the
    automated Secrets Manager secret for this service and return the env var
    that points at it.

    Args:
        env_name: Environment whose secrets are resolved and written.
        service_name: Service name; part of the derived automated secret name.
        ecs_service_name: ECS service name; also part of the derived name.
        sample_env_folder_path: Directory of env sample files, handed to
            ``verify_and_get_secrets_for_all_namespaces``.
        secrets_name: Passed through to the same helper.

    Returns:
        ``{'CLOUDLIFT_INJECTED_SECRETS': <ARN of the automated secret>}``.
    """
    desired = verify_and_get_secrets_for_all_namespaces(
        env_name, sample_env_folder_path, secrets_name)
    target = get_automated_injected_secret_name(
        env_name, service_name, ecs_service_name)

    try:
        stored = secrets_manager.get_config(target, env_name)['secrets']
    except Exception as err:
        # NOTE(review): every failure here -- including access-denied or
        # throttling from the backend, or a missing 'secrets' key -- is
        # treated as "secret not created yet" and leads to the write below.
        # Narrow this once the helper's not-found exception type is known.
        # Only the secret's name and the backend error are logged, never the
        # secret contents.
        log_warning(
            f'secret {target} does not exist. It will be created: {err}'
        )
        stored = {}

    # Write only when the stored value differs, so an unchanged config is
    # not rewritten on every run.
    if stored != desired:
        log(f"Updating {target}")
        secrets_manager.set_secrets_manager_config(env_name, target, desired)

    # Re-read after the (possible) write so the ARN is that of the stored secret.
    arn = secrets_manager.get_config(target, env_name)['ARN']
    return {'CLOUDLIFT_INJECTED_SECRETS': arn}
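def test_cloudlift_can_revert_service(keep_resources):
    """End-to-end: deploy twice with different secret values, revert to the
    first deployment, and check that the served string and the task
    definition's deployment identifier both go back to ``id-1``.

    Talks to real AWS (CloudFormation via boto3; Secrets Manager through the
    project's ``secrets_manager`` helper).  The stack name is
    ``<service_name>-<environment_name>`` from module-level globals.

    Args:
        keep_resources: when true the stack is left in place after the test
            (for debugging); otherwise it is deleted.

    Note:
        Teardown runs in ``finally`` so a failed validation or assertion no
        longer leaks a live stack.  The secrets written here are not removed
        by this test.
    """
    mocked_config = mocked_service_config
    stack_name = f'{service_name}-{environment_name}'
    cfn_client = boto3.client('cloudformation')
    # Start from a clean slate; wait so a previous run's stack is fully gone.
    # (delete_stack is already called here before the stack is known to
    # exist, so it is presumed to tolerate a missing stack -- the finally
    # below relies on the same property.)
    delete_stack(cfn_client, stack_name, wait=True)

    try:
        # v1: LABEL/PORT in the service secret, REDIS_HOST in a namespaced one.
        secrets_manager.set_secrets_manager_config(environment_name, stack_name, {
            'LABEL': 'Value from secret manager v1',
            'PORT': '80'
        })
        secrets_manager.set_secrets_manager_config(environment_name,
                                                   f'{stack_name}/redis',
                                                   {'REDIS_HOST': 'redis'})
        create_service(mocked_config)
        deploy_service(mocked_config, deployment_identifier='id-1')
        validate_service(
            cfn_client,
            stack_name,
            'This is dummy app. Label: Value from secret manager v1. Redis PING: PONG. AWS EC2 READ ACCESS: True',
        )

        # v2: change LABEL and fold REDIS_HOST into the service secret, then
        # redeploy under a new identifier.
        secrets_manager.set_secrets_manager_config(
            environment_name, stack_name, {
                'LABEL': 'Value from secret manager v2',
                'PORT': '80',
                'REDIS_HOST': 'redis'
            })
        deploy_service(mocked_config, deployment_identifier='id-2')
        validate_service(
            cfn_client,
            stack_name,
            'This is dummy app. Label: Value from secret manager v2. Redis PING: PONG. AWS EC2 READ ACCESS: True',
        )

        # Reverting must restore the v1 secret values along with the task
        # definition, not just the image.
        revert_service(deployment_identifier='id-1')
        validate_service(
            cfn_client,
            stack_name,
            'This is dummy app. Label: Value from secret manager v1. Redis PING: PONG. AWS EC2 READ ACCESS: True',
        )

        assert get_current_task_definition_deployment_identifier(
            cfn_client, stack_name) == 'id-1'
    finally:
        if not keep_resources:
            delete_stack(cfn_client, stack_name, wait=False)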