author | Ola Aunrønning <olaa@verizonmedia.com> | 2021-03-05 13:05:17 +0100 |
---|---|---|
committer | Ola Aunrønning <olaa@verizonmedia.com> | 2021-03-05 13:08:08 +0100 |
commit | a274f9d5b8f24676a576e12ef35423549eea0d56 (patch) | |
tree | e24a785b362d2c87cf1f98285c5545b36726f988 /jdisc-cloud-aws/src | |
parent | 1acaa2e62aecdda2b4c321ae133654cc1a0316f3 (diff) |
Include region and parameter name when validating secret store. Don't inject AwsParameterStore into AwsParameterStoreValidationHandler
Diffstat (limited to 'jdisc-cloud-aws/src')
-rw-r--r-- | jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStore.java | 86 | ||||
-rw-r--r-- | jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStoreValidationHandler.java | 43 |
2 files changed, 86 insertions, 43 deletions
diff --git a/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStore.java b/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStore.java
index 3e90e4ca204..48436a086ee 100644
--- a/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStore.java
+++ b/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStore.java
@@ -14,6 +14,11 @@ import com.yahoo.component.AbstractComponent;
 import com.yahoo.container.jdisc.secretstore.SecretNotFoundException;
 import com.yahoo.container.jdisc.secretstore.SecretStore;
 import com.yahoo.container.jdisc.secretstore.SecretStoreConfig;
+import com.yahoo.slime.Cursor;
+import com.yahoo.slime.Slime;
+
+import java.util.List;
+import java.util.stream.Collectors;
 
 /**
  * @author mortent
@@ -21,32 +26,36 @@ import com.yahoo.container.jdisc.secretstore.SecretStoreConfig;
 public class AwsParameterStore extends AbstractComponent implements SecretStore {
 
 private final VespaAwsCredentialsProvider credentialsProvider;
- private final SecretStoreConfig secretStoreConfig;
+ private final List<AwsSettings> configuredStores;
 
 @Inject
 public AwsParameterStore(SecretStoreConfig secretStoreConfig) {
- this.secretStoreConfig = secretStoreConfig;
+ this(translateConfig(secretStoreConfig));
+ }
+
+ public AwsParameterStore(List<AwsSettings> configuredStores) {
+ this.configuredStores = configuredStores;
 this.credentialsProvider = new VespaAwsCredentialsProvider();
 }
 
 @Override
 public String getSecret(String key) {
- for (var group : secretStoreConfig.groups()) {
+ for (var store : configuredStores) {
 AWSSecurityTokenService tokenService = AWSSecurityTokenServiceClientBuilder
 .standard()
- .withRegion(group.region())
+ .withRegion(store.getRegion())
 .withCredentials(credentialsProvider)
 .build();
 
 STSAssumeRoleSessionCredentialsProvider assumeExtAccountRole = new STSAssumeRoleSessionCredentialsProvider
- .Builder(toRoleArn(group.awsId(), group.role()), "vespa")
- .withExternalId(group.externalId())
+ .Builder(toRoleArn(store.getAwsId(), store.getRole()), "vespa")
+ .withExternalId(store.getExternalId())
 .withStsClient(tokenService)
 .build();
 
 AWSSimpleSystemsManagement client = AWSSimpleSystemsManagementClient.builder()
 .withCredentials(assumeExtAccountRole)
- .withRegion(group.region())
+ .withRegion(store.getRegion())
 .build();
 
 GetParametersRequest parametersRequest = new GetParametersRequest().withNames(key).withWithDecryption(true);
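Review bot: The new public constructor `AwsParameterStore(List<AwsSettings> configuredStores)` keeps the caller's list by reference, so the set of accounts and roles this component will assume with the container's credentials can be altered after construction by anyone still holding that list; `this.configuredStores = List.copyOf(configuredStores);` gives an immutable, null-hostile snapshot at no extra cost. Since this constructor is now part of the public surface (the @Inject one merely delegates to it), a Javadoc line stating that each entry describes one account/role/region the store will attempt, in list order, would document the contract the validation handler relies on. The `for (var store : configuredStores)` loop body continues past the end of this hunk, so the remainder of getSecret is not visible here.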
@@ -70,4 +79,67 @@ public class AwsParameterStore extends AbstractComponent implements SecretStore
 private String toRoleArn(String awsId, String role) {
 return "arn:aws:iam::" + awsId + ":role/" + role;
 }
+
+ private static List<AwsSettings> translateConfig(SecretStoreConfig secretStoreConfig) {
+ return secretStoreConfig.groups()
+ .stream()
+ .map(config -> new AwsSettings(config.name(), config.role(), config.awsId(), config.externalId(), config.region()))
+ .collect(Collectors.toList());
+ }
+
+ public static class AwsSettings {
+ String name;
+ String role;
+ String awsId;
+ String externalId;
+ String region;
+
+ AwsSettings(String name, String role, String awsId, String externalId, String region) {
+ this.name = name;
+ this.role = role;
+ this.awsId = awsId;
+ this.externalId = externalId;
+ this.region = region;
+ }
+
+
+ public String getName() {
+ return name;
+ }
+
+ public String getRole() {
+ return role;
+ }
+
+ public String getAwsId() {
+ return awsId;
+ }
+
+ public String getExternalId() {
+ return externalId;
+ }
+
+ public String getRegion() {
+ return region;
+ }
+
+ static AwsSettings fromSlime(Slime slime) {
+ var json = slime.get();
+ return new AwsSettings(
+ json.field("name").asString(),
+ json.field("role").asString(),
+ json.field("awsId").asString(),
+ json.field("externalId").asString(),
+ json.field("region").asString()
+ );
+ }
+
+ void toSlime(Cursor slime) {
+ slime.setString("name", name);
+ slime.setString("role", role);
+ slime.setString("awsId", awsId);
+ slime.setString("externalId", "*****");
+ slime.setString("region", region);
+ }
+ }
 }
diff --git a/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStoreValidationHandler.java b/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStoreValidationHandler.java
index d45ead37480..d813f04512a 100644
--- a/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStoreValidationHandler.java
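Review bot: The five fields of the now-public nested class `AwsSettings` (`name`, `role`, `awsId`, `externalId`, `region`) are package-private and non-final although the class only exposes getters, so they should be declared `private final String …;` — the values feed `toRoleArn` and `withRegion`, and nothing else stops them being rewritten after construction once the object is handed around. `fromSlime` passes whatever `asString()` yields for an absent field straight through, so a request body lacking `awsId` or `region` reaches the STS/SSM builders unchecked; a null/blank check on each argument in the constructor (`Objects.requireNonNull` plus `isBlank()`) would fail fast with a clear message instead of an SDK error. `toSlime` deliberately replaces `externalId` with `"*****"`; a one-line comment such as `// externalId is a shared secret with the target account; never echo it back` would keep that intent from being lost in a later refactor. A Javadoc on the class describing each field (AWS account id, IAM role name, STS external id, region) would also help callers outside this package.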
+++ b/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStoreValidationHandler.java
@@ -8,13 +8,14 @@ import com.yahoo.container.jdisc.LoggingRequestHandler;
 import com.yahoo.io.IOUtils;
 import com.yahoo.restapi.ErrorResponse;
 import com.yahoo.restapi.SlimeJsonResponse;
-import com.yahoo.slime.Cursor;
 import com.yahoo.slime.Slime;
 import com.yahoo.slime.SlimeUtils;
 import com.yahoo.yolean.Exceptions;
+import com.yahoo.jdisc.cloud.aws.AwsParameterStore.AwsSettings;
 
 import java.io.IOException;
 import java.io.InputStream;
+import java.util.List;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
@@ -27,12 +28,10 @@ import java.util.logging.Logger;
 public class AwsParameterStoreValidationHandler extends LoggingRequestHandler {
 
 private static final Logger log = Logger.getLogger(AwsParameterStoreValidationHandler.class.getName());
- private final AwsParameterStore awsParameterStore;
 
 @Inject
- public AwsParameterStoreValidationHandler(Context ctx, AwsParameterStore awsParameterStore) {
+ public AwsParameterStoreValidationHandler(Context ctx) {
 super(ctx);
- this.awsParameterStore = awsParameterStore;
 }
 
 @Override
@@ -57,7 +56,9 @@ public class AwsParameterStoreValidationHandler extends LoggingRequestHandler {
 settings.toSlime(root.setObject("settings"));
 
 try {
- awsParameterStore.getSecret("vespa-secret");
+ var parameterName = json.get().field("parameterName").asString();
+ var store = new AwsParameterStore(List.of(settings));
+ store.getSecret(parameterName);
 root.setString("status", "ok");
 } catch (RuntimeException e) {
 root.setString("status", "error");
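Review bot: `parameterName` is taken from the request body with no check: if the field is absent, `asString()` yields whatever Slime returns for a missing field (presumably an empty string) and the handler still builds STS and SSM clients and issues a `GetParameters` call with it, so the `status: error` the caller gets back describes an AWS-side validation failure rather than the real mistake. Reject it before constructing the store, e.g. `if (parameterName == null || parameterName.isBlank()) return ErrorResponse.badRequest("Missing required field 'parameterName'");` — `ErrorResponse` is already imported, assuming the enclosing method returns an HttpResponse as that import suggests. Since this handler now assumes whatever role, account, external id and region the request names, using the container's own AWS credentials, the same place is where a format check on `region`, `awsId` (12 digits) and `role` (IAM role-name charset) belongs, either here or in `AwsSettings`, so the endpoint cannot be pointed at arbitrary principals; `settings.toSlime` correctly masks `externalId` in the response. The enclosing handle method starts and ends outside this hunk.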
@@ -78,34 +79,4 @@ public class AwsParameterStoreValidationHandler extends LoggingRequestHandler {
 }
 }
 
- private static class AwsSettings {
- String name;
- String role;
- String awsId;
- String externalId;
-
- AwsSettings(String name, String role, String awsId, String externalId) {
- this.name = name;
- this.role = role;
- this.awsId = awsId;
- this.externalId = externalId;
- }
-
- static AwsSettings fromSlime(Slime slime) {
- var json = slime.get();
- return new AwsSettings(
- json.field("name").asString(),
- json.field("role").asString(),
- json.field("awsId").asString(),
- json.field("externalId").asString()
- );
- }
-
- void toSlime(Cursor slime) {
- slime.setString("name", name);
- slime.setString("role", role);
- slime.setString("awsId", awsId);
- slime.setString("externalId", "*****");
- }
- }
-}
+}
\ No newline at end of file |