feat: refactor / additional flag autoGenerateIamPermissions (#1089)

* feat: refactor / additional flag autoGenerateIamPermissions - remove CreationType (Single, Multi) - replace with ResourceType (PARAMETER_MULTI) and move it to properties fixes: #1076 - add property 'autoGenerateIamPermissions' fixes: #1087 - add property 'role' for SopsSyncProvider fixes: #1087 - move resourceType from syncOptions to syncProperties, as it shouldn't be set by users - move permissionhandling to own functions, to reduce cyclomatic compexity * chore: self mutation Signed-off-by: github-actions <[email protected]> * chore(Tests): add more tests for permissions testing * fix: autogenerate * fix: init s3Api * fix: remove CreationType everywhere * fix: contribution guide, error messages and sha1sum Signed-off-by: lennartrommeiss <[email protected]> * fix: tests * chore: self mutation Signed-off-by: github-actions <[email protected]> --------- Signed-off-by: github-actions <[email protected]> Signed-off-by: lennartrommeiss <[email protected]> Co-authored-by: github-actions <[email protected]> Co-authored-by: lennartrommeiss <[email protected]>
dbsystel · Jan 20, 2025 · 7f8a318 · 7f8a318
1 parent 1e69765
commit 7f8a318
Show file tree

Hide file tree

Showing 42 changed files with 771 additions and 541 deletions.
diff --git a/.gitleaks.toml b/.gitleaks.toml
@@ -0,0 +1,40 @@
+[extend]
+useDefault = true
+
+[[rules]]
+id = "generic-api-key"
+# all the other attributes from the default rule are inherited
+
+    [[rules.allowlists]]
+    regexTarget = "line"
+    regexes = [ 
+      '''objectKey''',
+      '''S3Key''',
+      '''SopsAgeKey''',
+      '''s3Key''',
+    ]
+
+[[rules]]
+id = "private-key"
+
+    [[rules.allowlists]]
+    regexTarget = "line"
+    regexes = [
+      '''(.*)OAdqlMznWINBDoyR\+PESgQJlUptwnh(.*)''',
+    ]
+
+[allowlist]
+description = "global allow list"
+paths = [
+  '''\.gitleaks\.toml''',
+  '''lambda/events/(.*?)json''',
+  '''lambda/__snapshots__/(.*?)snap''',
+  '''test-secrets/(.*?)(json|yaml|yml|env|binary)''',
+  '''test/(.*)\.integ\.snapshot/(.*?)json'''
+]
+
+regexTarget = "match"
+regexes = [
+  '''AGE-SECRET-KEY-1EFUWJ0G2XJTJFWTAM2DGMA4VCK3R05W58FSMHZP3MZQ0ZTAQEAFQC6T7T3''',
+]
+
diff --git a/API.md b/API.md
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -2,4 +2,26 @@
 
 Thanks for your interest in our project. Contributions are welcome. Feel free to [open an issue](issues) with questions or reporting ideas and bugs, or [open pull requests](pulls) to contribute code.
 
-We are committed to fostering a welcoming, respectful, and harassment-free environment. Be kind!
+We are committed to fostering a welcoming, respectful, and harassment-free environment. Be kind!
+
+## How to buidl/deploy local
+
+Install all necessary tools with `yarn install` and others manually like `go`
+
+Build the go Lambda code:
+```
+./scripts/build.sh
+```
+Build the package (for CDK development only the first `js` build has to complete):
+```
+yarn projen build
+```
+Link the package:
+```
+yarn link
+```
+Switch to the path/project where you would like to use cdk-sops-secrets. \
+Link the package to your local build source:
+```
+yarn link "cdk-sops-secrets"
+```
diff --git a/lambda/__snapshots__/handler_parameter_raw_test.snap b/lambda/__snapshots__/handler_parameter_raw_test.snap
diff --git a/lambda/__snapshots__/handler_parameter_yaml_multi_test.snap b/lambda/__snapshots__/handler_parameter_yaml_multi_test.snap
diff --git a/lambda/__snapshots__/handler_secret_env_test.snap b/lambda/__snapshots__/handler_secret_env_test.snap
diff --git a/lambda/__snapshots__/handler_secret_json_test.snap b/lambda/__snapshots__/handler_secret_json_test.snap
diff --git a/lambda/__snapshots__/handler_secret_raw_test.snap b/lambda/__snapshots__/handler_secret_raw_test.snap
diff --git a/lambda/__snapshots__/handler_secret_yaml_test.snap b/lambda/__snapshots__/handler_secret_yaml_test.snap
diff --git a/lambda/events/event_create_s3_parameter_raw_simple.json b/lambda/events/event_create_s3_parameter_raw_simple.json
@@ -3,7 +3,6 @@
   "LogicalResourceId": "LogicalResourceId",
   "ResourceProperties": {
     "ResourceType": "PARAMETER",
-    "CreationType": "SINGLE",
     "ParameterName": "arn:aws:ssm:eu-central-1:123456789012:parameter/testsecret",
     "SopsS3File": {
       "Bucket": "..",

diff --git a/lambda/events/event_create_s3_parameter_yaml_complex.json b/lambda/events/event_create_s3_parameter_yaml_complex.json
@@ -2,8 +2,7 @@
   "RequestType": "Create",
   "LogicalResourceId": "LogicalResourceId",
   "ResourceProperties": {
-    "ResourceType": "PARAMETER",
-    "CreationType": "MULTI",
+    "ResourceType": "PARAMETER_MULTI",
     "ParameterName": "arn:aws:ssm:eu-central-1:123456789012:parameter/testsecret",
     "SopsS3File": {
       "Bucket": "..",

diff --git a/lambda/events/event_create_s3_parameter_yaml_complex_custom_keys.json b/lambda/events/event_create_s3_parameter_yaml_complex_custom_keys.json
@@ -2,8 +2,7 @@
   "RequestType": "Create",
   "LogicalResourceId": "LogicalResourceId",
   "ResourceProperties": {
-    "ResourceType": "PARAMETER",
-    "CreationType": "MULTI",
+    "ResourceType": "PARAMETER_MULTI",
     "ParameterName": "arn:aws:ssm:eu-central-1:123456789012:parameter/testsecret",
     "SopsS3File": {
       "Bucket": "..",

diff --git a/lambda/events/event_create_s3_secret_env_as_json_simple.json b/lambda/events/event_create_s3_secret_env_as_json_simple.json
@@ -3,7 +3,6 @@
   "LogicalResourceId": "LogicalResourceId",
   "ResourceProperties": {
     "ResourceType": "SECRET",
-    "CreationType": "SINGLE",
     "FlattenSeparator": ".",
     "SecretARN": "arn:aws:secretsmanager:eu-central-1:123456789012:secret:testsecret",
     "SopsS3File": {

diff --git a/lambda/events/event_create_s3_secret_env_simple.json b/lambda/events/event_create_s3_secret_env_simple.json
@@ -3,7 +3,6 @@
   "LogicalResourceId": "LogicalResourceId",
   "ResourceProperties": {
     "ResourceType": "SECRET",
-    "CreationType": "SINGLE",
     "FlattenSeparator": ".",
     "SecretARN": "arn:aws:secretsmanager:eu-central-1:123456789012:secret:testsecret",
     "SopsS3File": {

diff --git a/lambda/events/event_create_s3_secret_json_complex.json b/lambda/events/event_create_s3_secret_json_complex.json
@@ -3,7 +3,6 @@
   "LogicalResourceId": "LogicalResourceId",
   "ResourceProperties": {
     "ResourceType": "SECRET",
-    "CreationType": "SINGLE",
     "FlattenSeparator": ".",
     "SecretARN": "arn:aws:secretsmanager:eu-central-1:123456789012:secret:testsecret",
     "SopsS3File": {

diff --git a/lambda/events/event_create_s3_secret_json_complex_flat.json b/lambda/events/event_create_s3_secret_json_complex_flat.json
@@ -3,7 +3,6 @@
   "LogicalResourceId": "LogicalResourceId",
   "ResourceProperties": {
     "ResourceType": "SECRET",
-    "CreationType": "SINGLE",
     "FlattenSeparator": ".",
     "SecretARN": "arn:aws:secretsmanager:eu-central-1:123456789012:secret:testsecret",
     "SopsS3File": {

diff --git a/lambda/events/event_create_s3_secret_json_complex_stringify.json b/lambda/events/event_create_s3_secret_json_complex_stringify.json
@@ -3,7 +3,6 @@
   "LogicalResourceId": "LogicalResourceId",
   "ResourceProperties": {
     "ResourceType": "SECRET",
-    "CreationType": "SINGLE",
     "FlattenSeparator": ".",
     "SecretARN": "arn:aws:secretsmanager:eu-central-1:123456789012:secret:testsecret",
     "SopsS3File": {

diff --git a/lambda/events/event_create_s3_secret_json_simple.json b/lambda/events/event_create_s3_secret_json_simple.json
@@ -3,7 +3,6 @@
   "LogicalResourceId": "LogicalResourceId",
   "ResourceProperties": {
     "ResourceType": "SECRET",
-    "CreationType": "SINGLE",
     "FlattenSeparator": ".",
     "SecretARN": "arn:aws:secretsmanager:eu-central-1:123456789012:secret:testsecret",
     "SopsS3File": {

diff --git a/lambda/events/event_create_s3_secret_raw_simple.json b/lambda/events/event_create_s3_secret_raw_simple.json
@@ -3,7 +3,6 @@
   "LogicalResourceId": "LogicalResourceId",
   "ResourceProperties": {
     "ResourceType": "SECRET",
-    "CreationType": "SINGLE",
     "FlattenSeparator": ".",
     "SecretARN": "arn:aws:secretsmanager:eu-central-1:123456789012:secret:testsecret",
     "SopsS3File": {

diff --git a/lambda/events/event_create_s3_secret_yaml_as_json_complex.json b/lambda/events/event_create_s3_secret_yaml_as_json_complex.json
@@ -3,7 +3,6 @@
   "LogicalResourceId": "LogicalResourceId",
   "ResourceProperties": {
     "ResourceType": "SECRET",
-    "CreationType": "SINGLE",
     "FlattenSeparator": ".",
     "SecretARN": "arn:aws:secretsmanager:eu-central-1:123456789012:secret:testsecret",
     "SopsS3File": {

diff --git a/lambda/events/event_create_s3_secret_yaml_as_json_complex_flat.json b/lambda/events/event_create_s3_secret_yaml_as_json_complex_flat.json
@@ -3,7 +3,6 @@
   "LogicalResourceId": "LogicalResourceId",
   "ResourceProperties": {
     "ResourceType": "SECRET",
-    "CreationType": "SINGLE",
     "FlattenSeparator": ".",
     "SecretARN": "arn:aws:secretsmanager:eu-central-1:123456789012:secret:testsecret",
     "SopsS3File": {

diff --git a/lambda/events/event_create_s3_secret_yaml_as_json_simple.json b/lambda/events/event_create_s3_secret_yaml_as_json_simple.json
@@ -3,7 +3,6 @@
   "LogicalResourceId": "LogicalResourceId",
   "ResourceProperties": {
     "ResourceType": "SECRET",
-    "CreationType": "SINGLE",
     "FlattenSeparator": ".",
     "SecretARN": "arn:aws:secretsmanager:eu-central-1:123456789012:secret:testsecret",
     "SopsS3File": {

diff --git a/lambda/events/event_create_s3_secret_yaml_complex.json b/lambda/events/event_create_s3_secret_yaml_complex.json
@@ -3,7 +3,6 @@
   "LogicalResourceId": "LogicalResourceId",
   "ResourceProperties": {
     "ResourceType": "SECRET",
-    "CreationType": "SINGLE",
     "FlattenSeparator": ".",
     "SecretARN": "arn:aws:secretsmanager:eu-central-1:123456789012:secret:testsecret",
     "SopsS3File": {

diff --git a/lambda/events/event_create_s3_secret_yaml_complex_flat.json b/lambda/events/event_create_s3_secret_yaml_complex_flat.json
@@ -3,7 +3,6 @@
   "LogicalResourceId": "LogicalResourceId",
   "ResourceProperties": {
     "ResourceType": "SECRET",
-    "CreationType": "SINGLE",
     "FlattenSeparator": ".",
     "SecretARN": "arn:aws:secretsmanager:eu-central-1:123456789012:secret:testsecret",
     "SopsS3File": {

diff --git a/lambda/events/event_create_s3_secret_yaml_simple.json b/lambda/events/event_create_s3_secret_yaml_simple.json
@@ -3,7 +3,6 @@
   "LogicalResourceId": "LogicalResourceId",
   "ResourceProperties": {
     "ResourceType": "SECRET",
-    "CreationType": "SINGLE",
     "FlattenSeparator": ".",
     "SecretARN": "arn:aws:secretsmanager:eu-central-1:123456789012:secret:testsecret",
     "SopsS3File": {