Class: SafeDb::Terraform
- Inherits:
-
EditVerse
- Object
- Controller
- EditVerse
- SafeDb::Terraform
- Defined in:
- lib/controller/api/terraform/terraform.rb
Overview
This terraform use case exports the AWS IAM user access key, secret key and region key into (very safe) environment variables and then runs terraform init, plan, apply or destroy.
This is both ultra secure and extremely convenient because the credentials do not leave the safe and exist within (environment variable) memory only for the duration of the terraform command.
It is safe because you do not need to expose your AWS credentials in plain text. It is convenient because switching IAM users and AWS regions is as easy as typing the now ubiquitous safe open command.
safe open <<chapter>> <<verse>>
Constant Summary collapse
- TERRAFORM_EVAR_PREFIX =
This prefix is tagged onto environment variables which Terraform will read and convert for consumption into module input variables.
"TF_VAR_"
- ENV_VAR_PREFIX_A =
Prefix for environment variable key (line). Before safe runs the
terraform apply
command, it examines the lines at the opened chapter and verse and any that start with this prefix will be substringed to create an environment variable with the substringed name and key value. "tfvar."
- ENV_VAR_PREFIX_B =
Secure var prefix for environment variable key (line). Before safe runs the
terraform apply
command, it examines the lines at the opened chapter and verse and any that start with this prefix will be substringed to create an environment variable with the substringed name and key value. "@#{ENV_VAR_PREFIX_A}"
- TIMESTAMP_LINE_KEY =
"tfvar.in_timestamp"
- DESCRIBES_LINE_KEY =
"tfvar.in_description"
Instance Attribute Summary collapse
-
#command ⇒ Object
writeonly
Sets the attribute command.
-
#debug ⇒ Object
writeonly
Sets the attribute debug.
Instance Method Summary collapse
Methods inherited from EditVerse
Methods inherited from Controller
#check_post_conditions, #check_pre_conditions, #execute, #flow, #initialize, #open_remote_backend_location, #post_validation, #pre_validation, #read_verse, #set_verse, #update_verse
Constructor Details
This class inherits a constructor from SafeDb::Controller
Instance Attribute Details
#command=(value) ⇒ Object (writeonly)
Sets the attribute command
19 20 21 |
# File 'lib/controller/api/terraform/terraform.rb', line 19 def command=(value) @command = value end |
#debug=(value) ⇒ Object (writeonly)
Sets the attribute debug
19 20 21 |
# File 'lib/controller/api/terraform/terraform.rb', line 19 def debug=(value) @debug = value end |
Instance Method Details
#edit_verse ⇒ Object
41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 |
# File 'lib/controller/api/terraform/terraform.rb', line 41 def edit_verse() # ############## | ############################################################ # @todo refactor | ############################################################ # -------------- | 000000000000000000000000000000000000000000000000000000000000 # export-then-execute # ------------------- # Put all the code above in a generic export-then-execute use case # Then you pass in a Key/Value Dictionary # # { "AWS_ACCESS_KEY_ID" => "@access_key", # "AWS_SECRET_ACCESS_KEY" => "@secret_key", # "AWS_DEFAULT_REGION" => "region_key" # } # # And pass in a command array [ "terraform #{command_name} #{auto_approve}", "terraform graph ..." ] # # Validation is done by the generic use case (which loops checking that every value exists # as a key at the opened location. # # If all good the generic use case exports the ENV vars and runs each command in the list. # PS - configure map in INI not code file # # The extra power will speed up generation of environment variable use cases including # ansible, s3 bucket operations, git interactions and more. # # ############## | ############################################################ # ############## | ############################################################ puts "" puts "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" puts "" command_name = @command ? @command : "apply" is_apply = command_name.eql?( "apply" ) is_blast = command_name.eql?( "destroy" ) = @verse.has_key?( TIMESTAMP_LINE_KEY ) is_create_stamps = is_apply && ! is_remove_stamps = is_blast && the_description = "was created on #{TimeStamp.readable()}." @verse.store( TIMESTAMP_LINE_KEY, TimeStamp.yjjjhhmmsst() ) if is_create_stamps @verse.store( DESCRIBES_LINE_KEY, the_description ) if is_create_stamps ENV[ "AWS_ACCESS_KEY_ID" ] = @verse[ "@access.key" ] ENV[ "AWS_SECRET_ACCESS_KEY" ] = @verse[ "@secret.key" ] ENV[ "AWS_DEFAULT_REGION" ] = @verse[ "region.key" ] ENV[ "TF_LOG" ] = "DEBUG" if @debug == true @verse.each do | key_str, value_object | is_env_var = key_str.start_with?( ENV_VAR_PREFIX_A ) || key_str.start_with?( ENV_VAR_PREFIX_B ) next unless is_env_var env_var_name = key_str[ ENV_VAR_PREFIX_A.length .. -1 ] if key_str.start_with? ENV_VAR_PREFIX_A env_var_name = key_str[ ENV_VAR_PREFIX_B.length .. -1 ] if key_str.start_with? ENV_VAR_PREFIX_B env_var_keyname = TERRAFORM_EVAR_PREFIX + env_var_name ENV[ env_var_keyname ] = value_object puts "Environment variable #{env_var_keyname} has been set." log.info(x) { "Setting terraform environment variable => #{env_var_keyname}" } end puts "" puts "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" puts "" auto_approve = @command && @command.eql?( "plan" ) ? "" : "-auto-approve" exit_success = system "terraform #{command_name} #{auto_approve}" puts "" puts "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" puts "" return if ( exit_success.nil?() || !exit_success ) @verse.delete( TIMESTAMP_LINE_KEY ) if is_remove_stamps @verse.delete( DESCRIBES_LINE_KEY ) if is_remove_stamps return unless is_apply puts "Successful terraform apply." graph_filename = "network-#{@book.get_open_verse_name()}-#{TimeStamp.yyjjj_hhmm_sst()}.png" system "terraform graph | dot -Tpng > #{graph_filename}" puts "Resource graph #{graph_filename} created." puts "" end |