Add AWS SSM Parameter support #248
Conversation
data/datasource.go
Outdated
| "github.com/blang/vfs" | ||
| gaws "github.com/hairyhenderson/gomplate/aws" |
There was a problem hiding this comment.
Obviously, not going to re-use code in your 'aws' package if we decide on the datasource path - just borrowing for now while playing with both
hairyhenderson
changed the title
|
OK, some questions/statements for you to comment on in case I'm wrong-headed.
Hopefully dropping the aws function side of the code will clean up the codeclimate issue. |
Let's start with datasource for this PR. If a function is useful, it can come later.
Yes please!
That sounds reasonable. It's probably useful to make sure there's sensible error messages if no region is specified and gomplate is running outside of AWS.
It may actually be more "natural" to use
Then it'd be handy to have access to all 4 params, or maybe just the params under $ gomplate -d params=ssm+params:/// -i '{{ range (ds "params") }}{{ .Value }}, {{end}}'
foo, bar, baz, qux
$ gomplate -d params=ssm+params:///a -i '{{ range (ds "params") }}{{ .Value }}, {{end}}'
bar, bazDoes that make sense?
I think if we document any permissions that are required, that's probably enough. |
data/datasource.go
Outdated
| @@ -53,6 +58,7 @@ func init() { | |||
| addSourceReader("consul+http", readConsul) | |||
| addSourceReader("consul+https", readConsul) | |||
| addSourceReader("boltdb", readBoltDB) | |||
| addSourceReader("aws+ssm+param", readAWSSSMParam) | |||
There was a problem hiding this comment.
This schema feels a bit long, though I'm not sure I can can think much better - perhaps aws+smp (smp for Systems Manager Parameter - which is what they're called in the docs)?
|
Agree with most of the above, but I had a play with GetParamtersByPath (see below) & it's not so good as you can't get a single result out of it (my common use case for passwords & similar). Hence whilst getting a list of params is useful, I think we need both forms. If you see the most recent code in this PR, I've used a second argument that is == "recursive" to turn on recursion (which means scan all child 'folders' also rather than just the immediate 'folder' of params). Theoretically I could say no 2nd arg (or query param?) -> GetParameter (which would return a naked value & throw an Fatal error if the parameter couldn't be found in AWS), and a 2nd arg of "recursive" or "one-level" to do GetParametersByPath in recursive/non-recursive modes. |
|
@tyrken 🤔 I see... Typical AWS API in my experience - seems straightforward at first, but the more you dig the muddier it gets 😉 I'm not a fan of a query parameter to control whether it's recursive or not. I suppose we could simplify and treat it like the $ gomplate -d v=vault:///path/to/secret -i '{{ (ds "v").value }}'
supersecret
$ gomplate -d v=vault:///path -i '{{ (ds "v" "to/secret").value }}'
supersecretNow Vault only has a single API to read a secret, so a recursive get isn't an option there. In the AWS SMP case it'd be less efficient than it could be, but simply going back to As a possible future enhancement, and taking a hint from #229, we could add some sort of ability to call the Sorry about the back-and-forth - and thank you for sticking with it - I think copying the Make sense? |
data/datasource.go
Outdated
| p := source.URL.Path | ||
| recursive := false | ||
| if len(args) >= 1 { | ||
| // TODO: Note in docs that path.Join semantics are used (where are docs?) |
There was a problem hiding this comment.
|
Thanks @hairyhenderson - In #217 @tallpauley suggests using a 3rd arg to trigger "list" behaviour as I currently do with "recursive", but you say to try a query param. ...but just now you say you're not a fan of query params? I think query params are better than positional args - less magical (have to read the docs to understand what's happening), more declarative.
Alternatively, as dealing with just three choices we could use different protocols (like consul:// vs consol+https://).
Not used GetParametersByPath's ParameterFilters option yet, but I suspect some new query param could do it, with a little parsing work. |
|
Also wondering what stricture to use for the output - for GetParameterByPath calls it seems correct to return a list of Parameters, so you need to use obj.value to get the text and can access .type, .name or even .version if you want. Less clear on GetParameter - think stick to a Parameter object for consistency, and if allowing a textual default to manufacture one, perhaps with .version set to -1 or an extra '.default' boolean set to true. |
In that particular case, the For Vault, we already use positional args to complete the path, and IMO the usefulness outweighs the magic, since you can re-use the same datasource alias to refer to multiple keys in the same scope. As for using multiple schemas - I don't think it's necessary.
I think just using the
Let's not allow a default just yet (at least, not in this PR). The |
data/datasource.go
Outdated
|
|
||
| results := make([]*ssm.Parameter, 0, 50) | ||
| // var results []*ssm.Parameter | ||
| err := source.ASMPG.GetParametersByPathPages(input, |
There was a problem hiding this comment.
I know this is still a WIP and you're still trying different options, but I think for an initial cut I'd really like to see GetParameter be used instead.
I think this function shouldn't look too much different from the readVault function above (ln383)
tyrken
changed the title
|
@hairyhenderson - OK, please review code & docs now. Sorry but I don't see how to reasonably simplify parseAWSSMPArgs - can we ignore that? |
|
@tyrken yeah, don't worry about the codeclimate bit - I can come back later and see about clearing things up. I think the non-recursive functionality looks overall OK, but I'd really rather not put the "recursive mode" functionality in yet. The UX doesn't seem right to me. I suppose I wasn't very clear in #248 (comment) - but can you simplify this PR to only use the Let's start with just the simple case ("one-level") in this PR. I'm not closing the door on the recursive case being added later. Again, thank you for your work and persistence on this - we're almost there! 🙂 |
|
OK, will do. BTW, 'one-level' is the mode using GetParametersByPath with Recursive=false to get everything directly under a hierarchy, I'll be removing that as I think it's what you actually want. I'll only keep the no-mode (and no 3rd arg) plain GetParameters one which gets a single value or throws a log.Fatalf panic. Not sure if you want this style of error handling as opposed to just returning an error... Remove the json/yaml array mimetypes also as not needed any more (assume yes)? Will squash current state down into one commit to leave behind the GetParametersByPath code in a commit I/others can come back to if needed. |
* Includes single value and multi-value results - will drop latter
|
Ok @hairyhenderson - please do final review. |
Yes - thanks for the correction 😉 |
|
Thanks - now to get on & use it... |
|
Hi @tyrken @hairyhenderson I like the approach proposed by @tyrken with the Path including merged 2nd arg like readVault Let me know if thats something we can help with - Thanks, |
|
@fhenri can you open a new issue about recursive support and link to this? |
Early version - still WIP, not sure whether func or datasource is best