authorOla Aunrønning <olaa@verizonmedia.com>2021-03-02 17:35:20 +0100
committerOla Aunrønning <olaa@verizonmedia.com>2021-03-04 13:31:52 +0100
commit301f68c3b48b5ecbb94e0671fd710d0672afb046 (patch)
tree4b09f3fd36690c0ea4a90657dafd34b52bb4af1a /jdisc-cloud-aws
parent65b1933e6b2c1b5a2b2c678490590c2ad1af3cc2 (diff)
Add cloud secret store config
Diffstat (limited to 'jdisc-cloud-aws')
-rw-r--r--jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStore.java9
-rw-r--r--jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStoreValidationHandler.java21
2 files changed, 23 insertions, 7 deletions
diff --git a/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStore.java b/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStore.java
index 4fbd42402d7..1636c6aeb6d 100644
--- a/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStore.java
+++ b/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStore.java
@@ -9,6 +9,7 @@ import com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagement
import com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient;
import com.amazonaws.services.simplesystemsmanagement.model.GetParametersRequest;
import com.amazonaws.services.simplesystemsmanagement.model.GetParametersResult;
+import com.yahoo.cloud.config.SecretStoreConfig;
import com.yahoo.container.jdisc.secretstore.SecretNotFoundException;
import com.yahoo.container.jdisc.secretstore.SecretStore;
@@ -20,18 +21,20 @@ public class AwsParameterStore implements SecretStore {
private final VespaAwsCredentialsProvider credentialsProvider;
private final String roleToAssume;
private final String externalId;
+ private final String region;
- AwsParameterStore(VespaAwsCredentialsProvider credentialsProvider, String roleToAssume, String externalId) {
+ AwsParameterStore(VespaAwsCredentialsProvider credentialsProvider, String roleToAssume, String externalId, String region) {
this.credentialsProvider = credentialsProvider;
this.roleToAssume = roleToAssume;
this.externalId = externalId;
+ this.region = region;
}
@Override
public String getSecret(String key) {
AWSSecurityTokenService tokenService = AWSSecurityTokenServiceClientBuilder
.standard()
- .withRegion("us-east-1")
+ .withRegion(region)
.withCredentials(credentialsProvider)
.build();
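Review bot: `region` is stored unchecked at the new constructor line, so a group whose region is missing or blank in services.xml is only rejected later inside `getSecret` by the STS builder, with an SDK error that does not say which secret store is misconfigured; the removed literal could never be null or empty. Add `this.region = Objects.requireNonNull(region, "region");` (import `java.util.Objects`), or better reject blank values with a message naming the store. Whether `withRegion` rejects an unknown or empty region string at build time or only at the first request depends on the SDK version, so do not rely on it for early feedback. Note also that the v1 SDK may still route STS calls for some regions to the global `sts.amazonaws.com` endpoint unless regional STS endpoints are enabled, which is worth confirming if a regional endpoint is the intent of this change. `getSecret` continues past the end of this hunk.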
@@ -43,7 +46,7 @@ public class AwsParameterStore implements SecretStore {
AWSSimpleSystemsManagement client = AWSSimpleSystemsManagementClient.builder()
.withCredentials(assumeExtAccountRole)
- .withRegion("us-east-1")
+ .withRegion(region)
.build();
GetParametersRequest parametersRequest = new GetParametersRequest().withNames(key).withWithDecryption(true);
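Review bot: The SSM client now reads from `region` as well, so the region configured for a group must be the one where the parameter lives in the target account, not where this container runs, and nothing in the new code says so. A comment above the builder would prevent the obvious misconfiguration: `// Parameter is looked up in the configured region of the target account; it must match where the parameter was created.` The SSM client and the assumed-role credentials are rebuilt on every `getSecret` call, which predates this change; `getSecret` continues beyond this hunk.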
diff --git a/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStoreValidationHandler.java b/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStoreValidationHandler.java
index 91b643066fb..5d5cad2f75d 100644
--- a/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStoreValidationHandler.java
+++ b/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStoreValidationHandler.java
@@ -2,6 +2,7 @@
package com.yahoo.jdisc.cloud.aws;
import com.google.inject.Inject;
+import com.yahoo.cloud.config.SecretStoreConfig;
import com.yahoo.container.jdisc.HttpRequest;
import com.yahoo.container.jdisc.HttpResponse;
import com.yahoo.container.jdisc.LoggingRequestHandler;
@@ -28,16 +29,18 @@ public class AwsParameterStoreValidationHandler extends LoggingRequestHandler {
private static final Logger log = Logger.getLogger(AwsParameterStoreValidationHandler.class.getName());
private final VespaAwsCredentialsProvider credentialsProvider;
+ private final SecretStoreConfig secretStoreConfig;
@Inject
- public AwsParameterStoreValidationHandler(Context ctx) {
- this(ctx, new VespaAwsCredentialsProvider());
+ public AwsParameterStoreValidationHandler(Context ctx, SecretStoreConfig secretStoreConfig) {
+ this(ctx, secretStoreConfig, new VespaAwsCredentialsProvider());
}
- public AwsParameterStoreValidationHandler(Context ctx, VespaAwsCredentialsProvider credentialsProvider) {
+ public AwsParameterStoreValidationHandler(Context ctx, SecretStoreConfig secretStoreConfig, VespaAwsCredentialsProvider credentialsProvider) {
super(ctx);
this.credentialsProvider = credentialsProvider;
+ this.secretStoreConfig = secretStoreConfig;
}
@@ -64,7 +67,8 @@ public class AwsParameterStoreValidationHandler extends LoggingRequestHandler {
try {
var arn = "arn:aws:iam::" + settings.awsId + ":role/" + settings.role;
- var store = new AwsParameterStore(this.credentialsProvider, arn, settings.externalId);
+ var region = getRegion(settings);
+ var store = new AwsParameterStore(this.credentialsProvider, arn, settings.externalId, region);
store.getSecret("vespa-secret");
root.setString("status", "ok");
} catch (RuntimeException e) {
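Review bot: `getRegion(settings)` takes the region from the services.xml group named by the request while `awsId`, `role` and `externalId` still come from the request body, so the validation exercises a mix of configured and caller-supplied values and can report `ok` for a role that is not the one configured for that group. If the goal is to validate the configured store, resolve the whole group from `secretStoreConfig` and use only the request's `name`; otherwise add a comment stating that only the region is taken from config. The `RuntimeException` thrown by `getRegion` when no group matches is caught by the same `catch (RuntimeException e)` as AWS SDK failures, and its message embeds `settings.name` verbatim, so check how the catch block (outside this hunk) surfaces the message before reflecting caller input. The enclosing handler method begins and ends outside this hunk.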
@@ -86,6 +90,15 @@ public class AwsParameterStoreValidationHandler extends LoggingRequestHandler {
}
}
+ private String getRegion(AwsSettings settings) {
+ return secretStoreConfig.groups()
+ .stream()
+ .filter(group -> group.name().equals(settings.name))
+ .map(SecretStoreConfig.Groups::region)
+ .findFirst()
+ .orElseThrow(() -> new RuntimeException("No secret store named '" + settings.name + "' configured in services.xml"));
+ }
+
private static class AwsSettings {
String name;
String role;