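package aws

import (
	"encoding/base64"
	"fmt"
	"log"
	"time"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/service/kms"
	"github.com/hashicorp/terraform/helper/schema"
)

// dataSourceAwsKmsSecret returns the schema for the aws_kms_secret data
// source: a set of named, base64-encoded KMS ciphertext blobs that are
// decrypted on read and exposed as top-level attributes named after each
// element's "name".
//
// NOTE(security): dataSourceAwsKmsSecretRead writes the decrypted plaintext
// into the Terraform state (via UnsafeSetFieldRaw), so any state backend
// holding this data source must be treated as secret storage (encrypted at
// rest, access-controlled). Authorization to decrypt is enforced solely by
// the KMS key policy/grants evaluated by the Decrypt call.
func dataSourceAwsKmsSecret() *schema.Resource {
	return &schema.Resource{
		Read: dataSourceAwsKmsSecretRead,

		Schema: map[string]*schema.Schema{
			"secret": &schema.Schema{
				Type:     schema.TypeSet,
				Required: true,
				ForceNew: true,
				Elem: &schema.Resource{
					Schema: map[string]*schema.Schema{
						// Attribute name under which the plaintext is published.
						"name": &schema.Schema{
							Type:     schema.TypeString,
							Required: true,
						},
						// Base64-encoded CiphertextBlob (as emitted by `aws kms encrypt`).
						"payload": &schema.Schema{
							Type:     schema.TypeString,
							Required: true,
						},
						// KMS encryption context; must match the context used at
						// encryption time or KMS rejects the Decrypt call.
						"context": &schema.Schema{
							Type:     schema.TypeMap,
							Optional: true,
							Elem:     &schema.Schema{Type: schema.TypeString},
						},
						// Grant tokens forwarded to KMS for not-yet-propagated grants.
						"grant_tokens": &schema.Schema{
							Type:     schema.TypeList,
							Optional: true,
							Elem:     &schema.Schema{Type: schema.TypeString},
						},
					},
				},
			},
			// Marker attribute that lets the read function publish attributes
			// whose names are not known at schema time (see UnsafeSetFieldRaw).
			"__has_dynamic_attributes": {
				Type:     schema.TypeString,
				Optional: true,
			},
		},
	}
}

// dataSourceAwsKmsSecretRead decrypts every element of the "secret" set
// through KMS and publishes each plaintext as a dynamic attribute keyed by
// the element's "name".
//
// Security notes:
//   - The plaintext is stored in state; protect the state backend accordingly.
//   - "context" is the KMS encryption context (authenticated additional
//     data). A wrong or missing context is rejected by KMS, not by this code.
//   - Only the secret name is logged, never the ciphertext or the plaintext.
//
// Returns an error for a malformed base64 payload, a repeated secret name
// (which would otherwise silently overwrite an earlier plaintext), or a
// failed KMS Decrypt (the returned error carries the KMS error code, e.g.
// access denied or invalid ciphertext).
func dataSourceAwsKmsSecretRead(d *schema.ResourceData, meta interface{}) error {
	conn := meta.(*AWSClient).kmsconn
	secrets := d.Get("secret").(*schema.Set)

	// A data source has no persistent identity; a timestamp is enough to
	// mark that the read happened.
	d.SetId(time.Now().UTC().String())

	// Names already published in this read. UnsafeSetFieldRaw overwrites
	// without complaint, so a duplicate name must be rejected explicitly.
	seen := make(map[string]struct{})

	for _, raw := range secrets.List() {
		secret := raw.(map[string]interface{})
		name := secret["name"].(string)

		if _, dup := seen[name]; dup {
			return fmt.Errorf("Duplicate secret name '%s'", name)
		}
		seen[name] = struct{}{}

		// DecodeString already yields the []byte CiphertextBlob.
		ciphertext, err := base64.StdEncoding.DecodeString(secret["payload"].(string))
		if err != nil {
			return fmt.Errorf("Invalid base64 value for secret '%s': %v", name, err)
		}

		params := &kms.DecryptInput{CiphertextBlob: ciphertext}

		// Encryption context acts as AAD: every key/value must match what was
		// supplied at encryption time.
		if encCtx, ok := secret["context"]; ok {
			params.EncryptionContext = make(map[string]*string)
			for k, v := range encCtx.(map[string]interface{}) {
				params.EncryptionContext[k] = aws.String(v.(string))
			}
		}
		if tokens, ok := secret["grant_tokens"]; ok {
			params.GrantTokens = make([]*string, 0)
			for _, t := range tokens.([]interface{}) {
				params.GrantTokens = append(params.GrantTokens, aws.String(t.(string)))
			}
		}

		resp, err := conn.Decrypt(params)
		if err != nil {
			return fmt.Errorf("Failed to decrypt '%s': %s", name, err)
		}

		// Log the name only; the plaintext must never reach the log.
		log.Printf("[DEBUG] aws_kms_secret - successfully decrypted secret: %s", name)
		d.UnsafeSetFieldRaw(name, string(resp.Plaintext))
	}

	return nil
}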