UNPKG

@lumigo/serverless-crossaccount-ssm

Version:

Serverless framework plugin to access the system and secrets managers at isolated account

github.com/lumigo-io/lumigo-serverless-crossaccount-ssm-plugin

lumigo-io/lumigo-serverless-crossaccount-ssm-plugin

101 lines (85 loc) 2.75 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
const _ = require("lodash"); const AWS = require("aws-sdk"); const util = require("util"); const PromiseAny = require("promise.any"); class CrossaccountSSM { constructor(serverless, options) { this.serverless = serverless; this.options = options; this.log = msg => this.serverless.cli.log(`crossaccount-ssm: ${msg}`); this.verboseLog = msg => { if (process.env.SLS_DEBUG) { this.log(msg); } }; // NOTE: config load is deferred to resolver due to the late embedded variables evaluation this.config = null; this.ssmResolver = serverless.variables.variableResolvers.find( ({ serviceName }) => serviceName === "SSM" ); if (this.ssmResolver) { this.ssmResolver.resolver = this.resolver.bind(this); this.verboseLog( "Default SSM resolver was replaced with the crossaccount one" ); } } async resolver(name) { const [, , key] = name.match(this.ssmResolver.regex) || []; if (!key) return Promise.resolve(); this.verboseLog(`Resolving ${key}`); if (!this.config) this.config = this.getConfig(); const validTrues = new Set(["True", "true", "Yes", "yes", true]); const enabled = validTrues.has(_.get(this.config, "enable", true)); // NOTE: the reason it exists is that I currently cant understand the evaluation order // FIXME: this N/A-workaround should be wiped-up const nonAvailableMarker = "NA"; if (key.includes(nonAvailableMarker)) { this.verboseLog( `Resolving skipped due to the resolution disabled (secret name contains '${nonAvailableMarker}' marker: ${key})` ); return key; } if (enabled) { AWS.config.credentials = new AWS.SharedIniFileCredentials({ profile: this.config.profile }); const secretParam = { Name: key, WithDecryption: true }; let replicas = _.chain(this.config.regions).map(r => new AWS.SSM({ region: r }) .getParameter(secretParam) .promise() .then(s => s.Parameter.Value) ); return PromiseAny(replicas.value()).catch(error => { this.log( "multi-regional failure (all the regions requested were rejected)" ); throw error; }); } else { this.verboseLog( `Resolving skipped due to the resolution disabled (enable: ${enabled})` ); return key; } } getConfig() { const configKey = "custom.crossaccount-ssm"; const currentConfig = _.get(this.serverless.service, configKey, null); const defaultConfig = { profile: "default", regions: ["us-east-1"] }; if (!currentConfig) { this.verboseLog( `config wasn't found. Defaulted to: ${util.inspect(defaultConfig)}` ); return defaultConfig; } else { this.verboseLog(`config found: ${util.inspect(currentConfig)}`); return currentConfig; } } } module.exports = CrossaccountSSM;