def encrypt(env_file, profile, region):
session.aws_profile = profile
session.aws_region = region
with open(env_file, 'r') as source:
data = yaml.safe_load(source.read())
kms_arn = str(data['kms']['arn'])
if 'secrets' not in data:
data['secrets'] = []
if 'parameters' not in data:
data['parameters'] = []
_session = session.session()
for secret in data['secrets']:
secret_value = secret['value']
if type(secret_value) is dict:
secret_value = json.dumps(secret_value)
secret['value'] = kms.encrypt(_session, secret_value,
kms_arn).decode('utf-8')
for parameter in data['parameters']:
if parameter['type'] == 'SecureString' and type(
parameter['value']) is str:
parameter['value'] = kms.encrypt(_session, parameter['value'],
kms_arn).decode('utf-8')
with open(env_file, 'w') as outfile:
yaml.safe_dump(data, outfile)
def __repr__(self):
stack_args = self.stack.split('.')
if len(stack_args) != 2:
raise Exception(
f'value {self.stack} is invalid, the correct way to ' +
'fill this information is <stack-name>.<output-name>')
stack_name = stack_args[0]
output_name = stack_args[1]
return get_output_value(session(), stack_name, output_name)
def deploy(env_file, filter_pattern, dry_run, confirm, only_secrets, only_parameters, profile, region):
session.aws_profile = profile
session.aws_region = region
with open(env_file, 'r') as env:
yaml_data = yaml.safe_load(env.read())
global_tags = yaml_data['tags'] if 'tags' in yaml_data else {}
_session = session.session()
kms_arn = str(yaml_data['kms']['arn'])
process_secrets(_session, yaml_data, global_tags, filter_pattern, kms_arn,
dry_run, confirm, only_secrets, only_parameters)
process_parameters(_session, yaml_data, global_tags, filter_pattern, kms_arn,
dry_run, confirm, only_secrets, only_parameters)
def set_parameter(env_file, name, type, kms, profile, region):
session.aws_profile = profile
session.aws_region = region
with open(env_file, 'r') as env:
yaml_data = yaml.safe_load(env.read())
if 'parameters' not in yaml_data:
yaml_data['parameters'] = []
parameter = next(
(param for param in yaml_data['parameters'] if param['name'] == name),
None)
if parameter is None:
parameter = {
'name': name,
'type': type,
}
yaml_data['parameters'].append(parameter)
if kms:
parameter['kms'] = kms
print("Enter/Paste your secret. Ctrl-D or Ctrl-Z ( windows ) to save it.")
contents = []
while True:
try:
line = input()
except EOFError:
break
contents.append(line)
value = '\n'.join(contents)
if parameter['type'] == 'SecureString':
kms_arn = str(yaml_data['kms']['arn'])
print('Encrypting the value')
encrypted_value = encrypt(session.session(), value, kms_arn)
parameter['value'] = encrypted_value.decode('utf-8')
else:
print('Put new value to the parameter')
parameter['value'] = value
with open(env_file, 'w') as outfile:
yaml.safe_dump(yaml_data, outfile)
def view_secret(env_file, name, profile, region):
session.aws_profile = profile
session.aws_region = region
with open(env_file, 'r') as env:
yaml_data = yaml.safe_load(env.read())
secret = next(
(param for param in yaml_data['secrets'] if param['name'] == name),
None)
if secret is None:
raise Exception(f'secret {name} not found')
kms_arn = str(yaml_data['kms']['arn'])
param_value = kms.decrypt(session.session(), str(secret['value']),
kms_arn).decode('utf-8')
print(param_value)
def set_secret(env_file, name, kms, profile, region):
session.aws_profile = profile
session.aws_region = region
with open(env_file, 'r') as env:
yaml_data = yaml.safe_load(env.read())
if 'secrets' not in yaml_data:
yaml_data['secrets'] = []
secret = next(
(secret for secret in yaml_data['secrets'] if secret['name'] == name), None)
if secret is None:
secret = {
'name': name
}
yaml_data['secrets'].append(secret)
if kms:
secret['kms'] = kms
kms_arn = str(yaml_data['kms']['arn'])
print("Enter/Paste your secret. Ctrl-D or Ctrl-Z ( windows ) to save it.")
contents = []
while True:
try:
line = input()
except EOFError:
break
contents.append(line)
value = '\n'.join(contents)
encrypted_value = encrypt(session.session(), value, kms_arn)
secret['value'] = encrypted_value.decode('utf-8')
with open(env_file, 'w') as outfile:
yaml.safe_dump(yaml_data, outfile)
def resolve_variables(self):
if self.value.find("${") == -1:
return
variable = self.value[self.value.find("${") + 2:self.value.find("}")]
provider = variable.split(":")[0]
value = variable.split(":")[1]
if provider == 'cf':
stack_name = value.split(".")[0]
output_name = value.split(".")[1]
output_value = get_output_value(session.session(), stack_name,
output_name)
self.value = self.value.replace(
self.value[self.value.find("${"):self.value.find("}") + 1],
output_value)
elif provider == 'session':
if value != 'profile' and value != 'region':
raise Exception(
f'Property `{value}` is not supported, ' +
'provider `session` just supports `profile` and `region` properties'
)
output_value = ''
if value == 'profile':
output_value = session.aws_profile
elif value == 'region':
output_value = session.aws_region
self.value = self.value.replace(
self.value[self.value.find("${"):self.value.find("}") + 1],
output_value)
else:
raise Exception(f'Provider {provider} is not supported')
self.resolve_variables()
def decrypt(env_file, output, profile, region):
session.aws_profile = profile
session.aws_region = region
with open(env_file, 'r') as source:
data = yaml.safe_load(source.read())
kms_arn = str(data['kms']['arn'])
if 'secrets' not in data:
data['secrets'] = []
if 'parameters' not in data:
data['parameters'] = []
_session = session.session()
for secret in data['secrets']:
secret['value'] = kms.decrypt(_session, secret['value'],
kms_arn).decode('utf-8')
try:
secret['value'] = json.loads(secret['value'])
except ValueError:
pass
for parameter in data['parameters']:
if parameter['type'] == 'SecureString' and type(
parameter['value']) is str:
decrypted_value = kms.decrypt(_session, parameter['value'],
kms_arn).decode('utf-8')
if '\n' in decrypted_value:
parameter['value'] = Literal(decrypted_value)
else:
parameter['value'] = decrypted_value
output_file = output if output else f"{env_file}.dec"
with open(output_file, 'w') as outfile:
yaml.safe_dump(data, outfile)
def view_parameter(env_file, name, non_decrypt, profile, region):
session.aws_profile = profile
session.aws_region = region
with open(env_file, 'r') as env:
yaml_data = yaml.safe_load(env.read())
parameter = next(
(param for param in yaml_data['parameters'] if param['name'] == name),
None)
if parameter is None:
raise Exception(f'parameter {name} not found')
if parameter['type'] == 'SecureString' and not non_decrypt:
kms_arn = str(yaml_data['kms']['arn'])
param_value = kms.decrypt(session.session(), str(parameter['value']),
kms_arn).decode('utf-8')
else:
param_value = str(parameter['value'])
print(param_value)