def encrypt(env_file, profile, region): session.aws_profile = profile session.aws_region = region with open(env_file, 'r') as source: data = yaml.safe_load(source.read()) kms_arn = str(data['kms']['arn']) if 'secrets' not in data: data['secrets'] = [] if 'parameters' not in data: data['parameters'] = [] _session = session.session() for secret in data['secrets']: secret_value = secret['value'] if type(secret_value) is dict: secret_value = json.dumps(secret_value) secret['value'] = kms.encrypt(_session, secret_value, kms_arn).decode('utf-8') for parameter in data['parameters']: if parameter['type'] == 'SecureString' and type( parameter['value']) is str: parameter['value'] = kms.encrypt(_session, parameter['value'], kms_arn).decode('utf-8') with open(env_file, 'w') as outfile: yaml.safe_dump(data, outfile)
def __repr__(self): stack_args = self.stack.split('.') if len(stack_args) != 2: raise Exception( f'value {self.stack} is invalid, the correct way to ' + 'fill this information is <stack-name>.<output-name>') stack_name = stack_args[0] output_name = stack_args[1] return get_output_value(session(), stack_name, output_name)
def deploy(env_file, filter_pattern, dry_run, confirm, only_secrets, only_parameters, profile, region): session.aws_profile = profile session.aws_region = region with open(env_file, 'r') as env: yaml_data = yaml.safe_load(env.read()) global_tags = yaml_data['tags'] if 'tags' in yaml_data else {} _session = session.session() kms_arn = str(yaml_data['kms']['arn']) process_secrets(_session, yaml_data, global_tags, filter_pattern, kms_arn, dry_run, confirm, only_secrets, only_parameters) process_parameters(_session, yaml_data, global_tags, filter_pattern, kms_arn, dry_run, confirm, only_secrets, only_parameters)
def set_parameter(env_file, name, type, kms, profile, region): session.aws_profile = profile session.aws_region = region with open(env_file, 'r') as env: yaml_data = yaml.safe_load(env.read()) if 'parameters' not in yaml_data: yaml_data['parameters'] = [] parameter = next( (param for param in yaml_data['parameters'] if param['name'] == name), None) if parameter is None: parameter = { 'name': name, 'type': type, } yaml_data['parameters'].append(parameter) if kms: parameter['kms'] = kms print("Enter/Paste your secret. Ctrl-D or Ctrl-Z ( windows ) to save it.") contents = [] while True: try: line = input() except EOFError: break contents.append(line) value = '\n'.join(contents) if parameter['type'] == 'SecureString': kms_arn = str(yaml_data['kms']['arn']) print('Encrypting the value') encrypted_value = encrypt(session.session(), value, kms_arn) parameter['value'] = encrypted_value.decode('utf-8') else: print('Put new value to the parameter') parameter['value'] = value with open(env_file, 'w') as outfile: yaml.safe_dump(yaml_data, outfile)
def view_secret(env_file, name, profile, region): session.aws_profile = profile session.aws_region = region with open(env_file, 'r') as env: yaml_data = yaml.safe_load(env.read()) secret = next( (param for param in yaml_data['secrets'] if param['name'] == name), None) if secret is None: raise Exception(f'secret {name} not found') kms_arn = str(yaml_data['kms']['arn']) param_value = kms.decrypt(session.session(), str(secret['value']), kms_arn).decode('utf-8') print(param_value)
def set_secret(env_file, name, kms, profile, region): session.aws_profile = profile session.aws_region = region with open(env_file, 'r') as env: yaml_data = yaml.safe_load(env.read()) if 'secrets' not in yaml_data: yaml_data['secrets'] = [] secret = next( (secret for secret in yaml_data['secrets'] if secret['name'] == name), None) if secret is None: secret = { 'name': name } yaml_data['secrets'].append(secret) if kms: secret['kms'] = kms kms_arn = str(yaml_data['kms']['arn']) print("Enter/Paste your secret. Ctrl-D or Ctrl-Z ( windows ) to save it.") contents = [] while True: try: line = input() except EOFError: break contents.append(line) value = '\n'.join(contents) encrypted_value = encrypt(session.session(), value, kms_arn) secret['value'] = encrypted_value.decode('utf-8') with open(env_file, 'w') as outfile: yaml.safe_dump(yaml_data, outfile)
def resolve_variables(self): if self.value.find("${") == -1: return variable = self.value[self.value.find("${") + 2:self.value.find("}")] provider = variable.split(":")[0] value = variable.split(":")[1] if provider == 'cf': stack_name = value.split(".")[0] output_name = value.split(".")[1] output_value = get_output_value(session.session(), stack_name, output_name) self.value = self.value.replace( self.value[self.value.find("${"):self.value.find("}") + 1], output_value) elif provider == 'session': if value != 'profile' and value != 'region': raise Exception( f'Property `{value}` is not supported, ' + 'provider `session` just supports `profile` and `region` properties' ) output_value = '' if value == 'profile': output_value = session.aws_profile elif value == 'region': output_value = session.aws_region self.value = self.value.replace( self.value[self.value.find("${"):self.value.find("}") + 1], output_value) else: raise Exception(f'Provider {provider} is not supported') self.resolve_variables()
def decrypt(env_file, output, profile, region): session.aws_profile = profile session.aws_region = region with open(env_file, 'r') as source: data = yaml.safe_load(source.read()) kms_arn = str(data['kms']['arn']) if 'secrets' not in data: data['secrets'] = [] if 'parameters' not in data: data['parameters'] = [] _session = session.session() for secret in data['secrets']: secret['value'] = kms.decrypt(_session, secret['value'], kms_arn).decode('utf-8') try: secret['value'] = json.loads(secret['value']) except ValueError: pass for parameter in data['parameters']: if parameter['type'] == 'SecureString' and type( parameter['value']) is str: decrypted_value = kms.decrypt(_session, parameter['value'], kms_arn).decode('utf-8') if '\n' in decrypted_value: parameter['value'] = Literal(decrypted_value) else: parameter['value'] = decrypted_value output_file = output if output else f"{env_file}.dec" with open(output_file, 'w') as outfile: yaml.safe_dump(data, outfile)
def view_parameter(env_file, name, non_decrypt, profile, region): session.aws_profile = profile session.aws_region = region with open(env_file, 'r') as env: yaml_data = yaml.safe_load(env.read()) parameter = next( (param for param in yaml_data['parameters'] if param['name'] == name), None) if parameter is None: raise Exception(f'parameter {name} not found') if parameter['type'] == 'SecureString' and not non_decrypt: kms_arn = str(yaml_data['kms']['arn']) param_value = kms.decrypt(session.session(), str(parameter['value']), kms_arn).decode('utf-8') else: param_value = str(parameter['value']) print(param_value)