https://github.com/unruly/hiera-secrets-manager

:key: Hiera backend using AWS Secrets Manager
https://github.com/unruly/hiera-secrets-manager

aws-secrets-manager hiera puppet

Last synced: 19 days ago
JSON representation

:key: Hiera backend using AWS Secrets Manager

• Host: GitHub
• URL: https://github.com/unruly/hiera-secrets-manager
• Owner: unruly
• License: mit
• Created: 2018-08-17T12:22:31.000Z (over 6 years ago)
• Default Branch: master
• Last Pushed: 2021-02-08T15:58:37.000Z (over 4 years ago)
• Last Synced: 2025-03-30T01:51:39.542Z (about 1 month ago)
• Topics: aws-secrets-manager, hiera, puppet
• Language: Ruby
• Homepage:
• Size: 44.9 KB
• Stars: 5
• Watchers: 1
• Forks: 1
• Open Issues: 1
• Metadata Files:
  • Readme: README.md
  • License: LICENSE.md
  • Code of conduct: CODE_OF_CONDUCT.md

Awesome Lists containing this project

README

        
# Hiera AWS Secrets Manager Backend :key:

[![Build Status](https://travis-ci.org/unruly/hiera-secrets-manager.svg?branch=master)](https://travis-ci.org/unruly/hiera-secrets-manager)

[![Gem Version](https://badge.fury.io/rb/hiera-secrets-manager.svg)](https://badge.fury.io/rb/hiera-secrets-manager)

A hiera backend to query AWS Secrets Manager which uses Puppet Environments for namespacing.

```bash

$ hiera 'my_system/password' \

    environment=prod \

    --config ~/hiera.yaml \

    --debug

DEBUG: 2018-08-30 16:54:00 +0000: AWS Secrets Manager backend starting

DEBUG: 2018-08-30 16:54:00 +0000: Retrieved Secret 'production/my_system/password' with version '2d06f591-ef4c-4e4e-8c6c-5e3668db9180'

mYs3cR3TpAs5W0rD

```

## Contents

- [Install](#install)

- [Supported Lookups](#supported-lookups)

- [Configuration](#configuration)

  - [Region](#region)

  - [Credentials](#credentials)

  - [Environments](#environments)

- [Contributing](#contributing)

  - [Code of Conduct](#code-of-conduct)

  - [Getting Started](#getting-started)

  - [Building](#building)

  - [Releasing a Change](#releasing-a-change)

- [License](#license)

## Install

To install the gem manually:

```bash

gem install hiera-secrets-manager

```

Install the dependencies before attempting to use the gem:

```

bundle install

```

## Supported Lookups

hiera-secrets-manager supports `:priority` (single value) and `:hash` (key-value pair) lookups, but not `:array`.

### Priority Lookup

```puppet

# In environment 'production' with 'production/system/my-secret' set as 'some-password'

$secret = hiera('system/my-secret')

notice($secret) # prints 'Notice: Scope(Class[main]): some-password'

```

### Hash Lookup

```puppet

# In environment 'production' with 'production/system/my-secret' set as pairs 'foo:bar' and 'baz:zap'

$secret = hiera_hash('system/my-secret')

notice($secret['foo']) # prints 'Notice: Scope(Class[main]): bar'

notice($secret['baz']) # prints 'Notice: Scope(Class[main]): zap'

notice($secret) # prints 'Notice: Scope(Class[main]): {"foo"=>"bar", "baz"=>"zap"}'

```

## Configuration

Hiera Secrets Manager is configurable and the configuration has three required fields to operate: region, access_key_id, and secret_access_key.

An example hiera.yaml file implementing only hiera-secrets-manager is below:

```yaml

:backends:

  - secrets_manager

:secrets_manager:

    :region: eu-west-1

    :access_key_id: AWSACCESSKEY

    :secret_access_key: rAnd0MsTr!nG

    :environments:

        dev: development

        uat: staging

        prod: production

```

### Region

Mandatory field. Corresponds to AWS Region where your secrets are stored e.g. `eu-west-1`

### Credentials

Credentials for the AWS user are mandatory. The user must have permission to use `secretsmanager:GetSecretValue` on any relevant secrets in AWS Secrets Manager. This permission can be configured in AWS IAM.

#### access_key_id

Mandatory field. Corresponds to AWS's `Access key ID`.

#### secret_access_key

Mandatory field. Corresponds to AWS's `Secret access key`.

### Environments

Optional field. When used with Puppet, an environment will always be present. These key value pairs map the environments in Puppet to namespaces in AWS.

```yaml

:environments:

    dev: development

    uat: staging

    prod: production

```

- A lookup for key `foo` in environment `dev` will query AWS Secrets Manager for `development/foo`

If there is no key set for an environment, or no environments configuration at all, the secret name that will be queried in AWS Secrets Manager will by default  be prefixed with the Puppet environment name:

- A lookup for key `zap` in environment `test` will query AWS Secrets Manager for `test/zap`, because there's no entry for `test` in the environments configuration.

## Contributing

### Code of Conduct

Everyone interacting with this project is required to follow the [Code of Conduct](./CODE_OF_CONDUCT.md).

### Getting Started

You'll need Git, Ruby, and Bundler installed. 

Then clone this project, and install its dependencies:

```bash

$ git clone [email protected]:unruly/hiera-secrets-manager

$ bundle install

```

You can run `rake` in the project root to run RSpec tests, and check test coverage.

### Building

- To build a gem on your local machine, run `gem build hiera-secrets-manager.gemspec`, which will create a .gem file with the current version number.

- Install the gem with `gem install hiera-secrets-manager-{VERSION}.gem`, specifying the version number.

### Releasing a Change

- To release a new version:

  - Update the version number in `hiera-secrets-manager.gemspec`

  - Ensure versions are in line with the [Semantic Versioning](https://semver.org/) convention.

  - Open a pull request against this repository.

## License

The gem is available as open source under the terms of the [MIT License](./LICENSE.md).