Class: SafeDb::Terraform

Inherits:
EditVerse show all
Defined in:
lib/controller/api/terraform/terraform.rb

Overview

This terraform use case exports the AWS IAM user access key, secret key and region key into (very safe) environment variables and then runs terraform init, plan, apply or destroy.

This is both ultra secure and extremely convenient because the credentials do not leave the safe and exist within (environment variable) memory only for the duration of the terraform command.

It is safe because you do not need to expose your AWS credentials in plain text. It is convenient because switching IAM users and AWS regions is as easy as typing the now ubiquitous safe open command.

safe open <<chapter>> <<verse>>

Constant Summary collapse

TERRAFORM_EVAR_PREFIX =

This prefix is tagged onto environment variables which Terraform will read and convert for consumption into module input variables.

"TF_VAR_"
ENV_VAR_PREFIX_A =

Prefix for environment variable key (line). Before safe runs the terraform apply command, it examines the lines at the opened chapter and verse and any that start with this prefix will be substringed to create an environment variable with the substringed name and key value.

"tfvar."
ENV_VAR_PREFIX_B =

Secure var prefix for environment variable key (line). Before safe runs the terraform apply command, it examines the lines at the opened chapter and verse and any that start with this prefix will be substringed to create an environment variable with the substringed name and key value.

"@#{ENV_VAR_PREFIX_A}"
TIMESTAMP_LINE_KEY = 
"tfvar.in_timestamp"
DESCRIBES_LINE_KEY = 
"tfvar.in_description"

Instance Attribute Summary collapse

Instance Method Summary collapse

Methods inherited from EditVerse

#execute

Methods inherited from Controller

#check_post_conditions, #check_pre_conditions, #execute, #flow, #initialize, #open_remote_backend_location, #post_validation, #pre_validation, #read_verse, #set_verse, #update_verse

Constructor Details

This class inherits a constructor from SafeDb::Controller

Instance Attribute Details

#command=(value) ⇒ Object (writeonly)

Sets the attribute command

Parameters:

  • value

    the value to set the attribute command to.



19
20
21
 
# File 'lib/controller/api/terraform/terraform.rb', line 19

def command=(value)
  @command = value
end

#debug=(value) ⇒ Object (writeonly)

Sets the attribute debug

Parameters:

  • value

    the value to set the attribute debug to.



19
20
21
 
# File 'lib/controller/api/terraform/terraform.rb', line 19

def debug=(value)
  @debug = value
end

Instance Method Details

#edit_verseObject 



41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
 
# File 'lib/controller/api/terraform/terraform.rb', line 41

def edit_verse()

  # ############## | ############################################################
  # @todo refactor | ############################################################
  # -------------- | 000000000000000000000000000000000000000000000000000000000000
  # export-then-execute
  # -------------------
  # Put all the code above in a generic export-then-execute use case
  # Then you pass in a Key/Value Dictionary
  #
  # { "AWS_ACCESS_KEY_ID" => "@access_key",
  #   "AWS_SECRET_ACCESS_KEY" => "@secret_key",
  #   "AWS_DEFAULT_REGION" => "region_key"
  # }
  #
  # And pass in a command array [ "terraform #{command_name} #{auto_approve}", "terraform graph ..." ]
  #
  # Validation is done by the generic use case (which loops checking that every value exists
  # as a key at the opened location.
  #
  # If all good the generic use case exports the ENV vars and runs each command in the list.
  # PS - configure map in INI not code file
  #
  # The extra power will speed up generation of environment variable use cases including
  # ansible, s3 bucket operations, git interactions and more.
  #
  # ############## | ############################################################
  # ############## | ############################################################

  puts ""
  puts "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
  puts ""

  command_name = @command ? @command : "apply"
  is_apply = command_name.eql?( "apply" ) 
  is_blast = command_name.eql?( "destroy" ) 

  has_timestamp = @verse.has_key?( TIMESTAMP_LINE_KEY )
  is_create_stamps = is_apply && !has_timestamp
  is_remove_stamps = is_blast && has_timestamp

  the_description = "was created on #{TimeStamp.readable()}."

  @verse.store( TIMESTAMP_LINE_KEY, TimeStamp.yjjjhhmmsst() ) if is_create_stamps
  @verse.store( DESCRIBES_LINE_KEY, the_description )       if is_create_stamps

  ENV[ "AWS_ACCESS_KEY_ID"     ] = @verse[ "@access.key" ]
  ENV[ "AWS_SECRET_ACCESS_KEY" ] = @verse[ "@secret.key" ]
  ENV[ "AWS_DEFAULT_REGION"    ] = @verse[ "region.key"  ]

  ENV[ "TF_LOG" ] = "DEBUG" if @debug == true

  @verse.each do | key_str, value_object |

    is_env_var = key_str.start_with?( ENV_VAR_PREFIX_A ) || key_str.start_with?( ENV_VAR_PREFIX_B )
    next unless is_env_var

    env_var_name = key_str[ ENV_VAR_PREFIX_A.length .. -1 ] if key_str.start_with? ENV_VAR_PREFIX_A
    env_var_name = key_str[ ENV_VAR_PREFIX_B.length .. -1 ] if key_str.start_with? ENV_VAR_PREFIX_B
    env_var_keyname = TERRAFORM_EVAR_PREFIX + env_var_name
    ENV[ env_var_keyname ] = value_object
    puts "Environment variable #{env_var_keyname} has been set."
    log.info(x) { "Setting terraform environment variable => #{env_var_keyname}" }

  end

  puts ""
  puts "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
  puts ""

  auto_approve = @command && @command.eql?( "plan" ) ? "" : "-auto-approve"
  exit_success = system "terraform #{command_name} #{auto_approve}"

  puts ""
  puts "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
  puts ""

  return if ( exit_success.nil?() || !exit_success )

  @verse.delete( TIMESTAMP_LINE_KEY ) if is_remove_stamps
  @verse.delete( DESCRIBES_LINE_KEY ) if is_remove_stamps

  return unless is_apply

  puts "Successful terraform apply."
  graph_filename = "network-#{@book.get_open_verse_name()}-#{TimeStamp.yyjjj_hhmm_sst()}.png"
  system "terraform graph | dot -Tpng > #{graph_filename}"
  puts "Resource graph #{graph_filename} created."
  puts ""

end