// Copyright 2016-2019, Pulumi Corporation.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package main

import (
	"encoding/base64"

	"github.com/pulumi/pulumi/pkg/v2/secrets"
	"github.com/pulumi/pulumi/pkg/v2/secrets/cloud"
	"github.com/pulumi/pulumi/sdk/v2/go/common/tokens"
	"github.com/pulumi/pulumi/sdk/v2/go/common/util/contract"
	"github.com/pulumi/pulumi/sdk/v2/go/common/workspace"
)

// newCloudSecretsManager builds a cloud-backed secrets manager for a stack and
// records the provider and data key it uses in the stack's configuration file.
//
// stackName must be non-empty (asserted). When configFile is empty, the path
// is resolved with workspace.DetectProjectStackPath(stackName).
// secretsProvider is passed unchanged to the cloud package and stored in the
// stack configuration.
//
// Side effects: the stack configuration at configFile is rewritten on every
// successful load, with the encryption salt cleared, the secrets provider set,
// and, when a key was generated, the new base64-encoded key.
//
// Any error from path detection, loading, key generation, saving, base64
// decoding or manager construction is returned as-is with a nil manager.
//
// NOTE(review): when the provider changes, the stored key is replaced and the
// salt is dropped, but nothing here re-encrypts values already present in the
// stack configuration. Presumably the caller decrypts them with the previous
// manager first and re-encrypts afterwards; confirm against the call sites.
func newCloudSecretsManager(stackName tokens.QName, configFile, secretsProvider string) (secrets.Manager, error) {
	contract.Assertf(stackName != "", "stackName %s", "!= \"\"")

	// Fall back to the detected stack file when the caller did not name one.
	if configFile == "" {
		detected, err := workspace.DetectProjectStackPath(stackName)
		if err != nil {
			return nil, err
		}
		configFile = detected
	}

	stack, err := workspace.LoadProjectStack(configFile)
	if err != nil {
		return nil, err
	}

	// Only a passphrase provider has an encryption salt. Once the stack uses a
	// cloud secrets provider the salt is a legacy artifact, so it is always
	// cleared here.
	stack.EncryptionSalt = ""

	// A new data key is needed when the stack has none yet, or when the
	// configured provider differs from the requested one.
	needsNewKey := stack.EncryptedKey == "" || stack.SecretsProvider != secretsProvider
	if needsNewKey {
		freshKey, err := cloud.GenerateNewDataKey(secretsProvider)
		if err != nil {
			return nil, err
		}
		// NOTE(review): this value is written to the stack file below. The
		// field name suggests the key is wrapped by the provider; confirm that
		// GenerateNewDataKey never returns plaintext key material.
		stack.EncryptedKey = base64.StdEncoding.EncodeToString(freshKey)
	}
	stack.SecretsProvider = secretsProvider

	// The configuration is persisted before the manager is constructed, so a
	// failure in the steps below leaves the file already updated.
	if err := stack.Save(configFile); err != nil {
		return nil, err
	}

	keyBytes, err := base64.StdEncoding.DecodeString(stack.EncryptedKey)
	if err != nil {
		return nil, err
	}

	manager, err := cloud.NewCloudSecretsManager(secretsProvider, keyBytes)
	if err != nil {
		// Return a literal nil so the interface result is not a typed nil.
		return nil, err
	}
	return manager, nil
}