hiera-ssm-paramstore's People

Contributors

craiggenner, edestecd, farlerac, luizvasconceloss, luizvzpl, ryan-dyer

hiera-ssm-paramstore's Issues

Use plugin for specific key

Wondering if there was a way to translate this to be used in a hiera file? I'd like to add it to my defaults.yaml to set a value so only that value makes the call to SSM. Currently I have this in my hiera.yaml and every key tries to get looked up from SSM which causes API issues.

$options = {
'uri' => '/',
'region' => 'us-east-1',
'get_all' => false,
'put' => { 'description' => 'Added by hiera_ssm_paramstore_write' },
}
$ssm_w_value = hiera_ssm_paramstore_write('/my/param', 'value', $options)
$ssm_r_value = hiera_ssm_paramstore('/my/param', $options)

Tried something like this with no luck:

datadog_agent::api_key: hiera_ssm_paramstore('test', options => { uri => "/root/%{::ec2_tag_env}/global/" } )

SSM Failure on specific keys

Ran into a permissions issue using the datadog module. But it looks like it might be a larger issue with the SSM lookup feature. Turns out if you run a lookup on a key that starts with '::' then it'll attempt to do a getParameters call on your top level SSM path.

$_puppetversion = lookup({ 'name' => '::puppetversion', 'default_value' => 'unknown'})

Results in:

Error: Evaluation Error: Error while evaluating a Function Call, Lookup of key '::puppetversion' failed: AWS SSM Service error User: arn:aws:sts::282708546392:assumed-role/XXXX is not authorized to perform: ssm:GetParameters on resource: arn:aws:ssm:us-east-1:XXXXX:* (file: /etc/puppetlabs/code/modules/datadog_agent/manifests/init.pp, line: 387, column: 21) on node ip-10-211-47-74.ec2.internal

I'm trying to follow best practice security so I'd rather not allow the node to walk the entire tree. Here's my current IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Action": [
        "ssm:GetParametersByPath",
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:DescribeParameters"
      ],
      "Resource": [
        "arn:aws:ssm:*:*:parameter/root/stg/*",
        "arn:aws:ssm:*:*:parameter/root/stg/",
        "arn:aws:ssm:*:*:parameter/root/default*"
      ]
    }
  ]
}
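The two issues above describe the same underlying problem from different sides: every Hiera key, including Puppet top-scope names such as `::puppetversion` and Hiera's own `lookup_options` key, is turned into an SSM request, and a key that begins with `::` collapses onto the root of the parameter tree. The Ruby below is an added example, not hiera-ssm-paramstore's own code: it decides before any AWS call whether a key should be resolved from SSM at all, and optionally restricts lookups to an allowlist (the "whitelist of keys" idea raised in a later issue). The function names, the mapping of `::` in a key to `/` in the parameter path, and the `allowed:` option are assumptions of this example, not the module's API; the client is a constructed stub that only counts calls.

```ruby
# Added example (not hiera-ssm-paramstore's own code): filter Hiera keys before
# any SSM request is made. Names here (ssm_param_path, resolve_keys,
# CountingStubClient) are hypothetical.

# Puppet also resolves top-scope variable names ('::puppetversion') through
# Hiera; mapped naively onto a parameter path they hit the root of the tree.
TOP_SCOPE_PREFIX = '::'.freeze
# Characters an SSM parameter name may contain (letters, digits, '.', '-', '_', '/').
SSM_NAME_RE = %r{\A[A-Za-z0-9._/-]+\z}

# Return the SSM parameter path for a Hiera key, or nil when the key must not
# be looked up in SSM at all.
#   uri     - hierarchy uri prefix from hiera.yaml, e.g. "/root/stg/"
#   key     - the Hiera key being looked up
#   allowed - optional allowlist of Hiera keys (nil means "any key")
def ssm_param_path(uri, key, allowed: nil)
  return nil if key.start_with?(TOP_SCOPE_PREFIX)   # '::puppetversion' and friends
  return nil if key == 'lookup_options'              # Hiera's own metadata key
  return nil if !allowed.nil? && !allowed.include?(key)

  # Assumption of this example: 'datadog_agent::api_key' -> 'datadog_agent/api_key'.
  path = File.join(uri, key.gsub('::', '/'))
  # An unexpanded interpolation like '%{::ec2_tag_env}' in the uri, or any other
  # character SSM would reject, means the lookup cannot be meaningful.
  return nil unless SSM_NAME_RE.match?(path)

  path
end

# Resolve a batch of keys, contacting the client only for keys that passed the
# filter. `client` is anything responding to get_parameter(name) -> value or nil.
def resolve_keys(client, uri, keys, allowed: nil)
  result = { values: {}, skipped: [] }
  keys.each do |key|
    path = ssm_param_path(uri, key, allowed: allowed)
    if path.nil?
      result[:skipped] << key
    else
      value = client.get_parameter(path)
      result[:values][key] = value unless value.nil?
    end
  end
  result
end

# Constructed stand-in for an SSM client that records which names were requested.
class CountingStubClient
  attr_reader :calls

  def initialize(store)
    @store = store   # parameter name => value
    @calls = []
  end

  def get_parameter(name)
    @calls << name
    @store[name]
  end
end

if $PROGRAM_NAME == __FILE__
  client = CountingStubClient.new('/root/stg/datadog_agent/api_key' => 'constructed-sample-value')
  keys = ['::puppetversion', 'datadog_agent::api_key', 'lookup_options']
  report = resolve_keys(client, '/root/stg/', keys, allowed: ['datadog_agent::api_key'])
  puts "resolved: #{report[:values].keys.inspect}"
  puts "skipped:  #{report[:skipped].inspect}"
  puts "SSM calls made: #{client.calls.inspect}"
end
```

With the allowlist in place only the one permitted key reaches the client, and the `::puppetversion` lookup that produced the AccessDenied above never becomes an API call, so the IAM policy can stay scoped to the node's own subtree.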

Documentation on using values

Hello,
I'm kind of confused on how you actually call a variable name using this module? Is the parameter supposed to be in some form of a key/pair?

Handle case where puppet can't decrypt value

Hello,
This is a nice plugin but is there a way to handle the case where we get recursive values and throw away the secure keys we can't decrypt? Currently, we are at risk of an engineer dropping an SSM value using a non-global key and consequently breaking the entire puppet run.

EX:

/root/prod/test (encrypted using global)
/root/prod/service (encrypted using a specific key)

  - name: "AWS Parameter Store"
    lookup_key: hiera_ssm_paramstore
    uris:
      - "/root/%{::ec2_tag_env}/"
    options:
      region: us-east-1
      get_all: true
      recursive: true
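One way to contain the failure mode described in this issue, shown here as an added example rather than the module's own code: list the subtree without decryption first, then decrypt each SecureString individually, so a parameter encrypted under a KMS key this node may not use is recorded and skipped instead of aborting the whole catalog. The keyword arguments `path:`, `recursive:`, `with_decryption:` and `name:` mirror the ones `Aws::SSM::Client#get_parameters_by_path` and `#get_parameter` take, but the client below is a constructed stub that models a denied decryption with a local `DecryptDenied` error; `fetch_subtree_tolerant`, `fetch_subtree_naive` and the sample parameters are assumptions of this example.

```ruby
# Added example (not hiera-ssm-paramstore's own code): fetch a parameter
# subtree while tolerating per-parameter decryption failures. Function and class
# names are hypothetical; the client is a stub standing in for Aws::SSM::Client.

class DecryptDenied < StandardError; end

# Constructed stand-in for an SSM client. `params` maps parameter name to
# {type:, value:}; `undecryptable` lists names whose KMS key this caller lacks.
class StubSsmClient
  def initialize(params, undecryptable)
    @params = params
    @undecryptable = undecryptable
  end

  def get_parameters_by_path(path:, recursive:, with_decryption:)
    names = @params.keys.select do |name|
      name.start_with?(path) && (recursive || !name.delete_prefix(path).include?('/'))
    end
    # As the reporter observed, one undecryptable SecureString fails the whole call.
    names.map { |name| get_parameter(name: name, with_decryption: with_decryption) }
  end

  def get_parameter(name:, with_decryption:)
    p = @params.fetch(name)
    secure = p[:type] == 'SecureString'
    raise DecryptDenied, name if secure && with_decryption && @undecryptable.include?(name)

    value = secure && !with_decryption ? '<ciphertext>' : p[:value]
    { name: name, type: p[:type], value: value }
  end
end

# The pattern the issue warns about: one request with decryption for everything.
# A single parameter under a foreign KMS key raises and nothing is returned.
def fetch_subtree_naive(client, path, recursive: true)
  client.get_parameters_by_path(path: path, recursive: recursive, with_decryption: true)
        .map { |p| [p[:name], p[:value]] }.to_h
end

# Two-pass variant: enumerate without decryption, then decrypt SecureStrings one
# at a time, collecting the names that could not be decrypted for logging.
def fetch_subtree_tolerant(client, path, recursive: true)
  values = {}
  failures = []
  listing = client.get_parameters_by_path(path: path, recursive: recursive, with_decryption: false)
  listing.each do |p|
    if p[:type] == 'SecureString'
      begin
        values[p[:name]] = client.get_parameter(name: p[:name], with_decryption: true)[:value]
      rescue DecryptDenied
        failures << p[:name]   # skip this one; the run continues with the rest
      end
    else
      values[p[:name]] = p[:value]
    end
  end
  { values: values, failures: failures }
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample mirroring the issue: 'test' under the global key,
  # 'service' under a key this node is not allowed to use.
  sample = {
    '/root/prod/test'    => { type: 'SecureString', value: 'constructed-test-secret' },
    '/root/prod/service' => { type: 'SecureString', value: 'constructed-service-secret' },
    '/root/prod/region'  => { type: 'String',       value: 'us-east-1' },
  }
  client = StubSsmClient.new(sample, ['/root/prod/service'])
  begin
    fetch_subtree_naive(client, '/root/prod/')
  rescue DecryptDenied => e
    puts "naive fetch aborted on #{e.message}"
  end
  report = fetch_subtree_tolerant(client, '/root/prod/')
  puts "resolved: #{report[:values].keys.inspect}"
  puts "undecryptable (logged, not fatal): #{report[:failures].inspect}"
end
```

The cost of the tolerant variant is one extra GetParameter call per SecureString, which is the price of isolating each decryption; the failures list is what you would surface in the Puppet run's output so the mis-keyed parameter is noticed rather than silently absent.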

Caching time?

Hi, I've just started testing this module and it's working well so far. I wonder though how long the cache lasts for the lookup? I can't see it in the documentation, other than it does cache if you specify to do so.

Thanks

Puppet 5.5.8

Hello, doesn't seem to be working with Puppet 5.5.8.

It looks like they changed the way backend querying works.

Your configuration example from README.md results in:

puppet lookup --debug --explain /hiera/Ubuntu | tail
  Environment Data Provider (hiera configuration version 5)
    Using configuration "/etc/puppetlabs/code/environments/production/hiera.yaml"
    Hierarchy entry "AWS Parameter Store"
      URI "/"
        Original uri: "/"
        What the fuck lookup_options
        What the fuck {"region"=>"us-east-1", "get_all"=>false, "uri"=>"/"}
        What the fuck Puppet::LookupContext({})
        Looking for /lookup_options

Any ideas why "lookup_options" is passed as a key and what's wrong?

Accept Merge requests?

Hello, I made some modifications to the code to allow the user to pass a whitelist of keys to use for SSM lookups. Wondering how I should share the merge request here?

AWS credentials not found

I'm trying to test this module out in a virtual machine on my workstation but I get the error:
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Function Call, unable to sign request without credentials set
If I comment out the SSM Parameter Store section of hiera.yaml the agent runs without any problems. I've tried adding my AWS credentials to ~/.aws/ and also exporting AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY as environment variables but the agent can't find them. Did you have to do anything different to make it work?
