add global --backend flag (#182)
Originally I wanted to support a compound URI syntax, but decided that, for simplicity, taking more flags is probably more straightforward.
nickatsegment authored Mar 6, 2019
1 parent 063d1b0 commit ac049f2
Showing 2 changed files with 32 additions and 11 deletions.
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -215,13 +215,13 @@ If you'd like to use a custom SSM endpoint for chamber, you can use `CHAMBER_AWS

By default, chamber store secrets in AWS Parameter Store. We now also provide an experimental S3 backend for storing secrets in S3 instead.

To configure chamber to use the S3 backend, set `CHAMBER_SECRET_BACKEND` to `S3`, and `CHAMBER_S3_BUCKET` to an existing S3 bucket. Preferably, this bucket should reject uploads that do not set the server side encryption header ([see this doc for details how](https://aws.amazon.com/blogs/security/how-to-prevent-uploads-of-unencrypted-objects-to-amazon-s3/))
To configure chamber to use the S3 backend, use `chamber -b s3 --backend-s3-bucket=mybucket`. Preferably, this bucket should reject uploads that do not set the server side encryption header ([see this doc for details how](https://aws.amazon.com/blogs/security/how-to-prevent-uploads-of-unencrypted-objects-to-amazon-s3/))

This feature is experimental, and not currently meant for production work.

## Null Backend (experimental)

If it's preferred to not use any backend at all, set `CHAMBER_SECRET_BACKEND` to `NULL`. Doing so will forward existing ENV variables as if Chamber is not in between.
If it's preferred to not use any backend at all, use `chamber -b null`. Doing so will forward existing ENV variables as if Chamber is not in between.

This feature is experimental, and not currently meant for production work.

39 changes: 30 additions & 9 deletions cmd/root.go
Expand Up @@ -6,6 +6,7 @@ import (
"regexp"
"strings"

"github.com/pkg/errors"
"github.com/segmentio/chamber/store"
"github.com/spf13/cobra"
analytics "gopkg.in/segmentio/analytics-go.v3"
Expand All @@ -20,7 +21,10 @@ var (
verbose bool
numRetries int
chamberVersion string
backend string
// one of *Backend consts
backend string
backendFlag string
backendS3BucketFlag string

analyticsEnabled bool
analyticsWriteKey string
Expand Down Expand Up @@ -59,6 +63,13 @@ var RootCmd = &cobra.Command{
func init() {
RootCmd.PersistentFlags().IntVarP(&numRetries, "retries", "r", DefaultNumRetries, "For SSM, the number of retries we'll make before giving up")
RootCmd.PersistentFlags().BoolVarP(&verbose, "verbose", "", false, "Print more information to STDOUT")
RootCmd.PersistentFlags().StringVarP(&backendFlag, "backend", "b", "ssm",
`Backend to use; AKA $CHAMBER_SECRET_BACKEND
null: no-op
ssm: SSM Parameter Store
s3: S3; requires --backend-s3-bucket`,
)
RootCmd.PersistentFlags().StringVarP(&backendS3BucketFlag, "backend-s3-bucket", "", "", "bucket for S3 backend; AKA $CHAMBER_S3_BUCKET")
}

// Execute adds all child commands to the root command sets flags appropriately.
Expand Down Expand Up @@ -100,30 +111,40 @@ func validateKey(key string) error {
}

func getSecretStore() (store.Store, error) {
backend := strings.ToUpper(os.Getenv(BackendEnvVar))
rootPflags := RootCmd.PersistentFlags()
if backendEnvVarValue := os.Getenv(BackendEnvVar); !rootPflags.Changed("backend") && backendEnvVarValue != "" {
backend = backendEnvVarValue
} else {
backend = backendFlag
}
backend = strings.ToUpper(backend)

var s store.Store
var err error

switch backend {
case NullBackend:
s = store.NewNullStore()
case S3Backend:
bucket, ok := os.LookupEnv(BucketEnvVar)
if !ok {
return nil, fmt.Errorf("Must set %s for s3 backend", BucketEnvVar)
var bucket string
if bucketEnvVarValue := os.Getenv(BucketEnvVar); !rootPflags.Changed("backend-s3-bucket") && bucketEnvVarValue != "" {
bucket = bucketEnvVarValue
} else {
bucket = backendS3BucketFlag
}
if bucket == "" {
return nil, errors.New("Must set bucket for s3 backend")
}
s, err = store.NewS3StoreWithBucket(numRetries, bucket)
case SSMBackend:
fallthrough
default:
s, err = store.NewSSMStore(numRetries)
default:
return nil, fmt.Errorf("invalid backend `%s`", backend)
}
return s, err
}

func prerun(cmd *cobra.Command, args []string) {
backend = strings.ToUpper(os.Getenv(BackendEnvVar))

if analyticsEnabled {
// set up analytics client
analyticsClient, _ = analytics.NewWithConfig(analyticsWriteKey, analytics.Config{
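Review bot: The s3-backend error in getSecretStore no longer tells the user how to fix it — the old message named the env var, while the new `errors.New("Must set bucket for s3 backend")` names neither the new `--backend-s3-bucket` flag nor `CHAMBER_S3_BUCKET`; suggest `return nil, fmt.Errorf("must set --backend-s3-bucket or $%s for s3 backend", BucketEnvVar)`, after which the `github.com/pkg/errors` import added in the first hunk would be unused unless something outside this view needs it. The flag-vs-env precedence block appears twice (for the backend at the top of getSecretStore and for the bucket inside the s3 case) and reads as one small helper, e.g. `func flagOrEnv(flagName, envVar, flagValue string) string`, which would keep the two rules from drifting. Note too that the package-level `backend` is now assigned only inside getSecretStore, since the assignment in prerun is removed; if anything reads `backend` before a store is created (not visible here) it will see the empty string. prerun's body continues outside the hunk.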
