luizvasconceloss / hiera-ssm-paramstore
License: Apache License 2.0
Wondering if there was a way to translate this to be used in a hiera file? I'd like to add it to my defaults.yaml to set a value so only that value makes the call to SSM. Currently I have this in my hiera.yaml and every key tries to get looked up from SSM which causes API issues.
```puppet
# Options hash shared by the write and read calls below
$options = {
  'uri'     => '/',
  'region'  => 'us-east-1',
  'get_all' => false,
  'put'     => { 'description' => 'Added by hiera_ssm_paramstore_write' },
}
$ssm_w_value = hiera_ssm_paramstore_write('/my/param', 'value', $options)
$ssm_r_value = hiera_ssm_paramstore('/my/param', $options)
```
Tried something like this with no luck:

```yaml
datadog_agent::api_key: hiera_ssm_paramstore('test', options => { uri => "/root/%{::ec2_tag_env}/global/" } )
```
Ran into a permissions issue using the datadog module. But it looks like it might be a larger issue with the SSM lookup feature. Turns out if you run a lookup on a key that starts with '::' then it'll attempt to do a getParameters call on your top level SSM path.

```puppet
$_puppetversion = lookup({ 'name' => '::puppetversion', 'default_value' => 'unknown' })
```

Results in:

```
Error: Evaluation Error: Error while evaluating a Function Call, Lookup of key '::puppetversion' failed: AWS SSM Service error User: arn:aws:sts::282708546392:assumed-role/XXXX is not authorized to perform: ssm:GetParameters on resource: arn:aws:ssm:us-east-1:XXXXX:* (file: /etc/puppetlabs/code/modules/datadog_agent/manifests/init.pp, line: 387, column: 21) on node ip-10-211-47-74.ec2.internal
```

I'm trying to follow best practice security so I'd rather not allow the node to walk the entire tree. Here's my current IAM policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Action": [
        "ssm:GetParametersByPath",
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:DescribeParameters"
      ],
      "Resource": [
        "arn:aws:ssm:*:*:parameter/root/stg/*",
        "arn:aws:ssm:*:*:parameter/root/stg/",
        "arn:aws:ssm:*:*:parameter/root/default*"
      ]
    }
  ]
}
```
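As an added example (not part of this issue thread or of the module's code), a small offline matcher for the IAM Resource patterns in the policy above: it shows that a parameter ARN under /root/stg/ is covered, while the top-level GetParameters call that the '::' key triggers (resource ':*' in the error) is not. The account id and parameter names are constructed placeholders, and the evaluator ignores Deny statements, Conditions and NotResource.

```python
import fnmatch
import json

# Constructed copy of the policy from the issue above; evaluated locally, no AWS calls.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "1",
    "Effect": "Allow",
    "Action": ["ssm:GetParametersByPath", "ssm:GetParameters",
               "ssm:GetParameter", "ssm:DescribeParameters"],
    "Resource": ["arn:aws:ssm:*:*:parameter/root/stg/*",
                 "arn:aws:ssm:*:*:parameter/root/stg/",
                 "arn:aws:ssm:*:*:parameter/root/default*"]
  }]
}""")


def _iam_match(pattern, value):
    """IAM Action/Resource patterns only know '*' and '?'; neutralise fnmatch's '[' classes."""
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy, action, resource_arn):
    """True if some Allow statement covers (action, resource_arn).
    Simplified evaluator: no Deny, Condition, NotAction or NotResource handling."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if any(_iam_match(a, action) for a in _as_list(stmt["Action"])) and \
           any(_iam_match(r, resource_arn) for r in _as_list(stmt["Resource"])):
            return True
    return False


def parameter_arn(region, account, name):
    """ARN of an SSM parameter; the name's leading '/' is not doubled in the ARN."""
    return f"arn:aws:ssm:{region}:{account}:parameter/{name.lstrip('/')}"


if __name__ == "__main__":
    acct = "123456789012"  # placeholder account id, not the one from the issue
    # A key scoped under /root/stg/ is covered by the policy...
    print(is_allowed(POLICY, "ssm:GetParameter", parameter_arn("us-east-1", acct, "/root/stg/datadog/api_key")))
    # ...but the top-level GetParameters call the '::' key triggers is not.
    print(is_allowed(POLICY, "ssm:GetParameters", f"arn:aws:ssm:us-east-1:{acct}:*"))
```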
Hello,
I'm kind of confused on how you actually call a variable name using this module? Is the parameter supposed to be in some form of a key/pair?
Hello,
This is a nice plugin but is there a way to handle the case where we get recursive values and throw away the secure keys we can't decrypt? Currently, we are at risk of an engineer dropping an SSM value using a non-global key and consequently breaking the entire puppet run.
EX:
/root/prod/test (encrypted using global)
/root/prod/service (encrypted using a specific key)
Hi, I've just started testing this module and it's working well so far. I wonder though how long the cache lasts for the lookup? I can't see it in the documentation, other than it does cache if you specify to do so.
Thanks
Is the module still under support? There has not been any new version since 2020, 4 years now.
Thanks!
Hello, doesn't seem to be working with puppet 5.5.8.
It looks like they changed the way backend querying works.
Your configuration example from README.md results in:

```
puppet lookup --debug --explain /hiera/Ubuntu | tail
Environment Data Provider (hiera configuration version 5)
Using configuration "/etc/puppetlabs/code/environments/production/hiera.yaml"
Hierarchy entry "AWS Parameter Store"
URI "/"
Original uri: "/"
What the fuck lookup_options
What the fuck {"region"=>"us-east-1", "get_all"=>false, "uri"=>"/"}
What the fuck Puppet::LookupContext({})
Looking for /lookup_options
```

Any ideas why "lookup_options" is passed as a key and what's wrong?
Hello, I made some modifications to the code to allow the user to pass a whitelist of keys to use for SSM lookups. Wondering how I should share the merge request here?
Bump version in metadata.json and deploy to the forge.

You can get travis to do this for you automatically when you make a git tag like this: v1.0.0
Just add this section to your .sync.yml: https://github.com/edestecd/puppet-clamav/blob/master/.sync.yml#L7
You can get the encrypted secure password by installing the travis gem:

```shell
gem install travis
travis encrypt <your forge password>
```

Use pdk to update .travis.yml from your .sync.yml:

```shell
pdk update
```
I'm trying to test this module out in a virtual machine on my workstation but I get the error:

```
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Function Call, unable to sign request without credentials set
```

If I comment out the SSM Parameter Store section of hiera.yaml the agent runs without any problems. I've tried adding my AWS credentials to ~/.aws/ and also exporting AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY as environment variables but the agent can't find them. Did you have to do anything different to make it work?