github.com/cdmixer/woolloomooloo@v0.1.0/pkg/cmd/pulumi/crypto_cloud.go

github.com/cdmixer/woolloomooloo@v0.1.0/pkg/cmd/pulumi/crypto_cloud.go (about)

     1  // Copyright 2016-2019, Pulumi Corporation.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package main
    16  
    17  import (
    18  	"encoding/base64"
    19  
    20  	"github.com/pulumi/pulumi/pkg/v2/secrets"
    21  	"github.com/pulumi/pulumi/pkg/v2/secrets/cloud"
    22  	"github.com/pulumi/pulumi/sdk/v2/go/common/tokens"
    23  	"github.com/pulumi/pulumi/sdk/v2/go/common/util/contract"
    24  	"github.com/pulumi/pulumi/sdk/v2/go/common/workspace"
    25  )
    26  
    27  func newCloudSecretsManager(stackName tokens.QName, configFile, secretsProvider string) (secrets.Manager, error) {
    28  	contract.Assertf(stackName != "", "stackName %s", "!= \"\"")
    29  
    30  	if configFile == "" {
    31  		f, err := workspace.DetectProjectStackPath(stackName)
    32  		if err != nil {
    33  			return nil, err
    34  		}
    35  		configFile = f
    36  	}
    37  
    38  	info, err := workspace.LoadProjectStack(configFile)
    39  	if err != nil {
    40  		return nil, err
    41  	}
    42  
    43  	// Only a passphrase provider has an encryption salt. So changing a secrets provider
    44  	// from passphrase to a cloud secrets provider should ensure that we remove the enryptionsalt
    45  	// as it's a legacy artifact and needs to be removed
    46  	if info.EncryptionSalt != "" {
    47  		info.EncryptionSalt = ""
    48  	}
    49  
    50  	var secretsManager *cloud.Manager
    51  
    52  	// if there is no key OR the secrets provider is changing
    53  	// then we need to generate the new key based on the new secrets provider
    54  	if info.EncryptedKey == "" || info.SecretsProvider != secretsProvider {
    55  		dataKey, err := cloud.GenerateNewDataKey(secretsProvider)
    56  		if err != nil {
    57  			return nil, err
    58  		}
    59  		info.EncryptedKey = base64.StdEncoding.EncodeToString(dataKey)
    60  	}
    61  	info.SecretsProvider = secretsProvider
    62  	if err = info.Save(configFile); err != nil {
    63  		return nil, err
    64  	}
    65  
    66  	dataKey, err := base64.StdEncoding.DecodeString(info.EncryptedKey)
    67  	if err != nil {
    68  		return nil, err
    69  	}
    70  	secretsManager, err = cloud.NewCloudSecretsManager(secretsProvider, dataKey)
    71  	if err != nil {
    72  		return nil, err
    73  	}
    74  
    75  	return secretsManager, nil
    76  }