Add aws-ssm-params and aws-ssm-params-writer (#111)

chanzuckerberg · Aug 12, 2019 · c3f8d58 · c3f8d58
1 parent 5c845ff
commit c3f8d58
Show file tree

Hide file tree

Showing 11 changed files with 181 additions and 1 deletion.
diff --git a/aws-param/README.md b/aws-param/README.md
@@ -1,4 +1,6 @@
-# AWS ParamStore Secret
+# AWS ParamStore Secret (DEPRECATED)
+
+__*Deprecated. Please use `aws-ssm-params` module for new code*__
 
 This module is made to work together with [Chamber](https://github.com/segmentio/chamber) to manage secrets in AWS. Typically a user would use chamber to put secrets into the ParamStore and then use this module to read them out in Terraform code.
 

diff --git a/aws-ssm-params-writer/README.md b/aws-ssm-params-writer/README.md
@@ -0,0 +1,26 @@
+# AWS SSM Params Writer (DEPRECATED)
+
+__*Deprecated. Please use `aws-ssm-params-writer` module for new code*__
+
+This module will set encrypted string parameters in the AWS SSM parameter store. Designed to be used in combination with
+[Chamber](https://github.com/segmentio/chamber) to send variables that are output by a Terraform run to a process via
+environment variables.
+
+Parameters are stored in AWS SSM Parameter store at the path `/{project}-{env}-{service}/{name}` where name
+is each of the keys of the parameters input.
+
+**WARNING:** These parameters will stored **unencrypted** in the Terraform state file. See more about this issue
+in the [Terraform docs](https://www.terraform.io/docs/state/sensitive-data.html).
+
+<!-- START -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| env | Env for tagging and naming. See [doc](../README.md#consistent-tagging). | string | n/a | yes |
+| owner | Owner for tagging and naming. See [doc](../README.md#consistent-tagging). | string | n/a | yes |
+| parameters | Map from parameter names to values to set. | map(string) | n/a | yes |
+| project | Project for tagging and naming. See [doc](../README.md#consistent-tagging) | string | n/a | yes |
+| service | Service for tagging and naming. See [doc](../README.md#consistent-tagging). | string | n/a | yes |
+
+<!-- END -->
diff --git a/aws-ssm-params-writer/main.tf b/aws-ssm-params-writer/main.tf
@@ -0,0 +1,25 @@
+locals {
+  service_name = "${var.project}-${var.env}-${var.service}"
+}
+
+data "aws_kms_key" "key" {
+  key_id = "alias/parameter_store_key"
+}
+
+resource "aws_ssm_parameter" "parameter" {
+  for_each = var.parameters
+  name     = "/${local.service_name}/${each.key}"
+  value    = each.value
+
+  type      = "SecureString"
+  key_id    = data.aws_kms_key.key.id
+  overwrite = true
+
+  tags = {
+    managedBy = "terraform"
+    project   = var.project
+    env       = var.env
+    service   = var.service
+    owner     = var.owner
+  }
+}
diff --git a/aws-ssm-params-writer/module_test.go b/aws-ssm-params-writer/module_test.go
@@ -0,0 +1,14 @@
+package test
+
+import (
+	"testing"
+
+	"github.com/gruntwork-io/terratest/modules/terraform"
+)
+
+func TestAWSSSMParamsWriter(t *testing.T) {
+	options := &terraform.Options{
+		TerraformDir: ".",
+	}
+	terraform.Init(t, options)
+}
diff --git a/aws-ssm-params-writer/outputs.tf b/aws-ssm-params-writer/outputs.tf
@@ -0,0 +1 @@
+
diff --git a/aws-ssm-params-writer/variables.tf b/aws-ssm-params-writer/variables.tf
@@ -0,0 +1,24 @@
+variable "project" {
+  type        = string
+  description = "Project for tagging and naming. See [doc](../README.md#consistent-tagging)"
+}
+
+variable "env" {
+  type        = string
+  description = "Env for tagging and naming. See [doc](../README.md#consistent-tagging)."
+}
+
+variable "service" {
+  type        = string
+  description = "Service for tagging and naming. See [doc](../README.md#consistent-tagging)."
+}
+
+variable "owner" {
+  type        = string
+  description = "Owner for tagging and naming. See [doc](../README.md#consistent-tagging)."
+}
+
+variable "parameters" {
+  type        = map(string)
+  description = "Map from parameter names to values to set."
+}
diff --git a/aws-ssm-params/README.md b/aws-ssm-params/README.md
@@ -0,0 +1,42 @@
+# AWS SSM Params Reader
+
+This module is made to work together with [Chamber](https://github.com/segmentio/chamber) to manage secrets in AWS. Typically a user would use chamber to put secrets into the ParamStore and then use this module to read them out in Terraform code.
+
+You can use [our secrets setup module](../aws-param-secrets-setup/README.md) to prepare an AWS account/region to work with these tools.
+
+## Example
+
+```hcl
+module "secret" {
+  source = "github.com/chanzuckerberg/cztack/aws-ssm-params-secret?ref=v0.18.2"
+
+  project = "acme"
+  env     = "staging"
+  service = "website"
+
+  parameters = ["password"]
+}
+
+# yeah don't really do this
+output "secret" {
+  value = module.secret.values
+}
+```
+
+<!-- START -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| env | Env for tagging and naming. See [doc](../README.md#consistent-tagging) | string | n/a | yes |
+| parameters | Set of names of secrets. | set(string) | n/a | yes |
+| project | Project for tagging and naming. See [doc](../README.md#consistent-tagging) | string | n/a | yes |
+| service | Service for tagging and naming. See [doc](../README.md#consistent-tagging) | string | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| values | "Map from keys to corresponding values stored in the SSM Parameter Store." |
+
+<!-- END -->
diff --git a/aws-ssm-params/main.tf b/aws-ssm-params/main.tf
@@ -0,0 +1,9 @@
+locals {
+  service_name = "${var.project}-${var.env}-${var.service}"
+}
+
+data "aws_ssm_parameter" "secret" {
+  # https://github.com/hashicorp/terraform/issues/22281#issuecomment-517080564
+  for_each = { for v in var.parameters : v => v }
+  name     = "/${local.service_name}/${each.key}"
+}
diff --git a/aws-ssm-params/module_test.go b/aws-ssm-params/module_test.go
@@ -0,0 +1,14 @@
+package test
+
+import (
+	"testing"
+
+	"github.com/gruntwork-io/terratest/modules/terraform"
+)
+
+func TestAWSSSMParams(t *testing.T) {
+	options := &terraform.Options{
+		TerraformDir: ".",
+	}
+	terraform.Init(t, options)
+}
diff --git a/aws-ssm-params/outputs.tf b/aws-ssm-params/outputs.tf
@@ -0,0 +1,4 @@
+output "values" {
+  description = "Map from keys to corresponding values stored in the SSM Parameter Store."
+  value       = { for k, v in data.aws_ssm_parameter.secret : k => v.value }
+}
diff --git a/aws-ssm-params/variables.tf b/aws-ssm-params/variables.tf
@@ -0,0 +1,19 @@
+variable "env" {
+  type        = string
+  description = "Env for tagging and naming. See [doc](../README.md#consistent-tagging)"
+}
+
+variable "project" {
+  type        = string
+  description = "Project for tagging and naming. See [doc](../README.md#consistent-tagging)"
+}
+
+variable "service" {
+  type        = string
+  description = "Service for tagging and naming. See [doc](../README.md#consistent-tagging)"
+}
+
+variable "parameters" {
+  type        = set(string)
+  description = "Set of names of secrets."
+}