Merge pull request #140 from ovotech/add-lambda-gcp-key-provision

Chris Every · web-flow · commit 281128503193 · 2019-09-12T11:23:05.000+01:00
Add lambda gcp key provision
diff --git a/main.go b/main.go
@@ -46,18 +46,13 @@ func HandleRequest(ctx context.Context, name MyEvent) (string, error) {
 }
 
 func main() {
-	if isLambda() {
+	if rotate.InLambda() {
 		lambda.Start(HandleRequest)
 	} else {
 		cmd.Execute()
 	}
 }
 
-//isLambda returns true if the AWS_LAMBDA_FUNCTION_NAME env var is set
-func isLambda() (isLambda bool) {
-	return len(os.Getenv("AWS_LAMBDA_FUNCTION_NAME")) > 0
-}
-
 //getEnv returns the value of the env var matching the key, if it exists, and
 // the value of fallback otherwise
 func getEnv(key, fallback string) string {
diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -103,7 +103,7 @@ func GetConfig(configPath string) (c Config, err error) {
 // AWS Secret Manager
 func GetConfigFromAWSSecretManager(secretName, configType string) (c Config, err error) {
 	var secret string
-	if secret, err = getSecret(secretName); err != nil {
+	if secret, err = GetSecret(secretName); err != nil {
 		return
 	}
 	if len(secret) == 0 {
@@ -115,7 +115,8 @@ func GetConfigFromAWSSecretManager(secretName, configType string) (c Config, err
 	return
 }
 
-func getSecret(secretName string) (secretString string, err error) {
+//GetSecret gets the value of the secret in AWS SecretsManager with the specified name
+func GetSecret(secretName string) (secretString string, err error) {
 	//Create a Secrets Manager client
 	svc := secretsmanager.New(session.New())
 	input := &secretsmanager.GetSecretValueInput{
diff --git a/pkg/rotate/rotatekeys.go b/pkg/rotate/rotatekeys.go
@@ -18,7 +18,9 @@ import (
 	"bytes"
 	"errors"
 	"fmt"
+	"io/ioutil"
 	"net/http"
+	"os"
 	"regexp"
 	"strconv"
 	"strings"
@@ -39,7 +41,10 @@ type rotationCandidate struct {
 	rotationThresholdMins int
 }
 
-var logger = log.StdoutLogger().Sugar()
+var (
+	logger                    = log.StdoutLogger().Sugar()
+	provisionedGoogleAppCreds = false
+)
 
 const (
 	datadogURL = "https://api.datadoghq.com/api/v1/series?api_key="
@@ -117,6 +122,9 @@ func Rotate(account, provider, project string, c config.Config) (err error) {
 func rotateKey(rotationCandidate rotationCandidate, creds cred.Credentials) (err error) {
 	key := rotationCandidate.key
 	keyProvider := key.Provider.Provider
+	if keyProvider == "gcp" {
+		ensureGoogleAppCreds()
+	}
 	var newKeyID string
 	var newKey string
 	if newKeyID, newKey, err = createKey(key, keyProvider); err != nil {
@@ -234,17 +242,43 @@ func accountKeyLocation(account string,
 	return
 }
 
+//InLambda returns true if the AWS_LAMBDA_FUNCTION_NAME env var is set
+func InLambda() (isLambda bool) {
+	return len(os.Getenv("AWS_LAMBDA_FUNCTION_NAME")) > 0
+}
+
+//ensureGoogleAppCreds helps to provision a GCP service account key when running in a Lambda.
+//The key could be used for various purposes, e.g. rotating a service account's key, writing
+//a new key to GCS, or writing a new key to a Secret in GKE.
+func ensureGoogleAppCreds() (err error) {
+	if InLambda() && !provisionedGoogleAppCreds {
+		var secretValue string
+		if secretValue, err = config.GetSecret("ckr-gcp-key"); err != nil {
+			return
+		}
+		keyFilePath := "/tmp/key.json"
+		if err = ioutil.WriteFile(keyFilePath, []byte(secretValue), 0644); err == nil {
+			os.Setenv("GOOGLE_APPLICATION_CREDENTIALS", keyFilePath)
+			provisionedGoogleAppCreds = true
+		}
+	}
+	return
+}
+
 //locationsToUpdate return a slice of structs that implement the keyWriter
 // interface, based on the keyLocations supplied
 func locationsToUpdate(keyLocation config.KeyLocations) (kws []location.KeyWriter) {
 
+	var googleAppCredsRequired bool
+
 	// read locations
 	for _, circleCI := range keyLocation.CircleCI {
 		kws = append(kws, circleCI)
 	}
 
 	for _, gcs := range keyLocation.GCS {
 		kws = append(kws, gcs)
+		googleAppCredsRequired = true
 	}
 
 	if len(keyLocation.GitHub.OrgRepo) > 0 {
@@ -257,6 +291,11 @@ func locationsToUpdate(keyLocation config.KeyLocations) (kws []location.KeyWrite
 
 	for _, k8s := range keyLocation.K8s {
 		kws = append(kws, k8s)
+		googleAppCredsRequired = true
+	}
+
+	if googleAppCredsRequired {
+		ensureGoogleAppCreds()
 	}
 
 	return

Original file line number	Diff line number	Diff line change
`@@ -46,18 +46,13 @@ func HandleRequest(ctx context.Context, name MyEvent) (string, error) {`
`46`	`46`	`}`
`47`	`47`
`48`	`48`	`func main() {`
`49`		`- if isLambda() {`
	`49`	`+ if rotate.InLambda() {`
`50`	`50`	`lambda.Start(HandleRequest)`
`51`	`51`	`} else {`
`52`	`52`	`cmd.Execute()`
`53`	`53`	`}`
`54`	`54`	`}`
`55`	`55`
`56`		`-//isLambda returns true if the AWS_LAMBDA_FUNCTION_NAME env var is set`
`57`		`-func isLambda() (isLambda bool) {`
`58`		`- return len(os.Getenv("AWS_LAMBDA_FUNCTION_NAME")) > 0`
`59`		`-}`
`60`		`-`
`61`	`56`	`//getEnv returns the value of the env var matching the key, if it exists, and`
`62`	`57`	`// the value of fallback otherwise`
`63`	`58`	`func getEnv(key, fallback string) string {`