Merge pull request #159 from ovotech/add-ssm-location

Chris Every · web-flow · commit f5bcf3f217dd · 2019-10-14T14:15:43.000+01:00
Add SSM location
diff --git a/README.md b/README.md
@@ -12,6 +12,7 @@ The tool can update keys held in the following locations:
 * GitHub
 * GoCd
 * K8S (GKE only)
+* SSM (AWS Parameter Store)
 
 The tool is packaged as an executable file for native invocation, and as a zip
  file for deployment as an AWS Lambda.
@@ -88,10 +89,12 @@ ultimately be updated with the new keys that are generated.
 Currently, the following locations are supported:
 
 * EnvVars in CircleCI
+* GoCd
 * GCS 
 * Secrets in GKE
 * Files (encrypted via [mantle](https://github.com/ovotech/mantle) which
 integrates with KMS) in GitHub
+* SSM (AWS Parameter Store)
 
 ## Rotation Process
 
diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -74,6 +74,7 @@ type KeyLocations struct {
 	GitHub                   location.GitHub
 	Gocd                     []location.Gocd
 	K8s                      []location.K8s
+	SSM                      []location.Ssm
 }
 
 //ProviderServiceAccounts type
diff --git a/pkg/location/circleci.go b/pkg/location/circleci.go
@@ -38,27 +38,16 @@ var logger = log.StdoutLogger().Sugar()
 func (circle CircleCI) Write(serviceAccountName string, keyWrapper KeyWrapper, creds cred.Credentials) (updated UpdatedLocation, err error) {
 	logger.Info("Starting CircleCI env var updates")
 	client := &circleci.Client{Token: creds.CircleCIAPIToken}
+	provider := keyWrapper.KeyProvider
 
 	var keyEnvVar string
-	if len(circle.KeyEnvVar) > 0 {
-		keyEnvVar = circle.KeyEnvVar
-	} else {
-		var defaultEnvVar envVarDefaults
-		if defaultEnvVar, err = envVarDefaultsFromProvider(keyWrapper.KeyProvider); err != nil {
-			return
-		}
-		keyEnvVar = defaultEnvVar.keyEnvVar
+	if keyEnvVar, err = getVarNameFromProvider(provider, circle.KeyEnvVar); err != nil {
+		return
 	}
 
 	var keyIDEnvVar string
-	if len(circle.KeyIDEnvVar) > 0 {
-		keyIDEnvVar = circle.KeyIDEnvVar
-	} else {
-		var defaultEnvVar envVarDefaults
-		if defaultEnvVar, err = envVarDefaultsFromProvider(keyWrapper.KeyProvider); err != nil {
-			return
-		}
-		keyIDEnvVar = defaultEnvVar.keyIDEnvVar
+	if keyIDEnvVar, err = getVarNameFromProvider(provider, circle.KeyIDEnvVar); err != nil {
+		return
 	}
 
 	splitUsernameProject := strings.Split(circle.UsernameProject, "/")
@@ -78,7 +67,7 @@ func (circle CircleCI) Write(serviceAccountName string, keyWrapper KeyWrapper, c
 	updated = UpdatedLocation{
 		LocationType: "CircleCI",
 		LocationURI:  circle.UsernameProject,
-		LocationIDs:  []string{circle.KeyIDEnvVar, circle.KeyEnvVar}}
+		LocationIDs:  []string{keyIDEnvVar, keyEnvVar}}
 
 	return updated, nil
 }
diff --git a/pkg/location/gcs.go b/pkg/location/gcs.go
@@ -1,3 +1,17 @@
+// Copyright 2019 OVO Technology
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package location
 
 import (
diff --git a/pkg/location/locations.go b/pkg/location/locations.go
@@ -67,3 +67,16 @@ func envVarDefaultsFromProvider(provider string) (envVarDefaults envVarDefaults,
 	err = fmt.Errorf("No default env var names available for provider: %s", provider)
 	return
 }
+
+func getVarNameFromProvider(provider, suppliedVarName string) (envName string, err error) {
+	if len(suppliedVarName) > 0 {
+		envName = suppliedVarName
+	} else {
+		var defaultEnvVar envVarDefaults
+		if defaultEnvVar, err = envVarDefaultsFromProvider(provider); err != nil {
+			return
+		}
+		envName = defaultEnvVar.keyEnvVar
+	}
+	return
+}
diff --git a/pkg/location/ssm.go b/pkg/location/ssm.go
@@ -0,0 +1,81 @@
+// Copyright 2019 OVO Technology
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package location
+
+import (
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/session"
+	awsSsm "github.com/aws/aws-sdk-go/service/ssm"
+	"github.com/ovotech/cloud-key-rotator/pkg/cred"
+)
+
+// Ssm type
+type Ssm struct {
+	keyParamName   string
+	keyIDParamName string
+	region         string
+	convertToJSON  bool
+}
+
+func (ssm Ssm) Write(serviceAccountName string, keyWrapper KeyWrapper, creds cred.Credentials) (updated UpdatedLocation, err error) {
+	provider := keyWrapper.KeyProvider
+	var key string
+
+	if ssm.convertToJSON {
+		if key, err = getKeyForFileBasedLocation(keyWrapper); err != nil {
+			return
+		}
+	} else {
+		key = keyWrapper.Key
+	}
+
+	var keyEnvVar string
+	if keyEnvVar, err = getVarNameFromProvider(provider, ssm.keyParamName); err != nil {
+		return
+	}
+
+	var keyIDEnvVar string
+	if keyIDEnvVar, err = getVarNameFromProvider(provider, ssm.keyIDParamName); err != nil {
+		return
+	}
+
+	svc := awsSsm.New(session.New())
+	svc.Config.Region = aws.String(ssm.region)
+
+	if len(keyIDEnvVar) > 0 {
+		if err = updateSSMParameter(keyIDEnvVar, keyWrapper.KeyID, "String", *svc); err != nil {
+			return
+		}
+	}
+	if err = updateSSMParameter(keyEnvVar, key, "SecureString", *svc); err != nil {
+		return
+	}
+
+	updated = UpdatedLocation{
+		LocationType: "SSM",
+		LocationURI:  ssm.region,
+		LocationIDs:  []string{keyIDEnvVar, keyEnvVar}}
+	return
+}
+
+func updateSSMParameter(paramName, paramValue, paramType string, svc awsSsm.SSM) (err error) {
+	input := &awsSsm.PutParameterInput{
+		Overwrite: aws.Bool(true),
+		Name:      aws.String(paramName),
+		Value:     aws.String(paramValue),
+	}
+	_, err = svc.PutParameter(input)
+	return
+}
diff --git a/pkg/rotate/rotatekeys.go b/pkg/rotate/rotatekeys.go
@@ -294,6 +294,10 @@ func locationsToUpdate(keyLocation config.KeyLocations) (kws []location.KeyWrite
 		googleAppCredsRequired = true
 	}
 
+	for _, ssm := range keyLocation.SSM {
+		kws = append(kws, ssm)
+	}
+
 	if googleAppCredsRequired {
 		ensureGoogleAppCreds()
 	}

Original file line number	Diff line number	Diff line change
`@@ -74,6 +74,7 @@ type KeyLocations struct {`
`74`	`74`	`GitHub location.GitHub`
`75`	`75`	`Gocd []location.Gocd`
`76`	`76`	`K8s []location.K8s`
	`77`	`+ SSM []location.Ssm`
`77`	`78`	`}`
`78`	`79`
`79`	`80`	`//ProviderServiceAccounts type`
Original file line number	Diff line number	Diff line change
`@@ -294,6 +294,10 @@ func locationsToUpdate(keyLocation config.KeyLocations) (kws []location.KeyWrite`
`294`	`294`	`googleAppCredsRequired = true`
`295`	`295`	`}`
`296`	`296`
	`297`	`+ for _, ssm := range keyLocation.SSM {`
	`298`	`+ kws = append(kws, ssm)`
	`299`	`+ }`
	`300`	`+`
`297`	`301`	`if googleAppCredsRequired {`
`298`	`302`	`ensureGoogleAppCreds()`
`299`	`303`	`}`