Kotlin AWS sdk (#424)

Co-authored-by: Sam <[email protected]>

Author: samu-developments

build.gradle.kts

@@ -1,4 +1,5 @@
 import org.gradle.api.tasks.testing.logging.TestExceptionFormat
+import org.jetbrains.kotlin.gradle.dsl.JvmTarget
 
 buildscript {
    repositories {
@@ -18,7 +19,7 @@ plugins {
    id("java-library")
    id("maven-publish")
    id("signing")
-   kotlin("jvm").version("1.6.21")
+   alias(libs.plugins.kotlin.jvm)
 }
 
 allprojects {
@@ -41,19 +42,21 @@ allprojects {
       }
    }
 
-   tasks.withType<org.jetbrains.kotlin.gradle.tasks.KotlinCompile> {
-      kotlinOptions.jvmTarget = "1.8"
+   kotlin {
+      jvmToolchain(11)
+      compilerOptions.jvmTarget = JvmTarget.JVM_1_8
    }
 
-   java {
-      toolchain {
-         languageVersion.set(JavaLanguageVersion.of(11))
-      }
+   tasks.compileJava {
+      options.release = 8
    }
 
-   tasks.compileJava {
-      targetCompatibility = "1.8"
-      sourceCompatibility = "1.8"
+   tasks.compileTestKotlin {
+      compilerOptions.jvmTarget = JvmTarget.JVM_11
+   }
+
+   tasks.compileTestJava {
+      options.release = 11
    }
 
    repositories {

hoplite-aws-kotlin/build.gradle.kts

@@ -0,0 +1,15 @@
+plugins {
+   alias(libs.plugins.kotlin.serialization)
+}
+
+dependencies {
+   api(projects.hopliteCore)
+   api(libs.aws.kotlin.secretsmanager)
+   api(libs.aws.kotlin.ssm)
+   api(libs.regions)
+   implementation(libs.kotlinx.serialization.json)
+   testApi(libs.kotest.extensions.testcontainers)
+   testApi(libs.testcontainers.localstack)
+}
+
+apply("../publish.gradle.kts")

hoplite-aws-kotlin/src/main/kotlin/com/sksamuel/hoplite/aws/kotlin/AbstractAwsSecretsManagerContextResolver.kt

@@ -0,0 +1,27 @@
+package com.sksamuel.hoplite.aws.kotlin
+
+import aws.sdk.kotlin.services.secretsmanager.SecretsManagerClient
+import com.sksamuel.hoplite.ConfigResult
+import com.sksamuel.hoplite.DecoderContext
+import com.sksamuel.hoplite.Node
+import com.sksamuel.hoplite.StringNode
+import com.sksamuel.hoplite.fp.flatMap
+import com.sksamuel.hoplite.resolver.context.ContextResolver
+import kotlinx.coroutines.runBlocking
+
+abstract class AbstractAwsSecretsManagerContextResolver(
+  private val report: Boolean = false,
+  createClient: () -> SecretsManagerClient = { runBlocking { SecretsManagerClient.fromEnvironment() } }
+) : ContextResolver() {
+
+  // should stay lazy so still be added to config even when not used, eg locally
+  private val client by lazy { createClient() }
+  private val ops by lazy { AwsOps(client) }
+
+  override fun lookup(path: String, node: StringNode, root: Node, context: DecoderContext): ConfigResult<String?> {
+    val (key, index) = ops.extractIndex(path)
+    return ops.fetchSecret(key)
+      .onSuccess { if (report) ops.report(context, it) }
+      .flatMap { ops.parseSecret(it, index) }
+  }
+}

hoplite-aws-kotlin/src/main/kotlin/com/sksamuel/hoplite/aws/kotlin/AwsOps.kt

@@ -0,0 +1,91 @@
+package com.sksamuel.hoplite.aws.kotlin
+
+import aws.sdk.kotlin.runtime.AwsServiceException
+import aws.sdk.kotlin.runtime.ClientException
+import aws.sdk.kotlin.services.secretsmanager.SecretsManagerClient
+import aws.sdk.kotlin.services.secretsmanager.getSecretValue
+import aws.sdk.kotlin.services.secretsmanager.model.DecryptionFailure
+import aws.sdk.kotlin.services.secretsmanager.model.GetSecretValueResponse
+import aws.sdk.kotlin.services.secretsmanager.model.InvalidParameterException
+import aws.sdk.kotlin.services.secretsmanager.model.LimitExceededException
+import aws.sdk.kotlin.services.secretsmanager.model.ResourceNotFoundException
+import com.sksamuel.hoplite.ConfigFailure
+import com.sksamuel.hoplite.ConfigResult
+import com.sksamuel.hoplite.DecoderContext
+import com.sksamuel.hoplite.fp.invalid
+import com.sksamuel.hoplite.fp.valid
+import kotlinx.coroutines.runBlocking
+import kotlinx.serialization.decodeFromString
+import kotlinx.serialization.json.Json
+
+class AwsOps(private val client: SecretsManagerClient) {
+
+  companion object {
+    const val ReportSection = "AWS Secrets Manager Lookups"
+
+    // check for index, so we can decode json stored in AWS
+    val keyRegex = "(.+)\\[(.+)]".toRegex()
+  }
+
+  fun report(context: DecoderContext, result: GetSecretValueResponse) {
+    context.reporter.report(
+      ReportSection,
+      mapOf(
+        "Name" to result.name,
+        "Arn" to result.arn,
+        "Created Date" to result.createdDate.toString(),
+        "Version Id" to result.versionId
+      )
+    )
+  }
+
+  fun extractIndex(path: String): Pair<String, String?> {
+    val keyMatch = keyRegex.matchEntire(path)
+    return if (keyMatch == null)
+      Pair(path, null)
+    else
+      Pair(keyMatch.groupValues[1], keyMatch.groupValues[2])
+  }
+
+  fun parseSecret(result: GetSecretValueResponse, index: String?): ConfigResult<String> {
+
+    val secret = result.secretString
+    return if (secret.isNullOrBlank())
+      ConfigFailure.PreprocessorWarning("Empty secret '${result.name}' in AWS SecretsManager").invalid()
+    else {
+      if (index == null) {
+        secret.valid()
+      } else {
+        val map = runCatching { Json.Default.decodeFromString<Map<String, String>>(secret) }.getOrElse { emptyMap() }
+        map[index]?.valid()
+          ?: ConfigFailure.ResolverFailure(
+            "Index '$index' not present in AWS secret '${result.name}'. Present keys are ${map.keys.joinToString(",")}"
+          ).invalid()
+      }
+    }
+  }
+
+  fun fetchSecret(key: String): ConfigResult<GetSecretValueResponse> {
+    return try {
+      runBlocking {
+        client.getSecretValue {
+          secretId = key
+        }
+      }.valid()
+    } catch (e: ResourceNotFoundException) {
+      ConfigFailure.PreprocessorWarning("Could not locate resource '$key' in AWS SecretsManager").invalid()
+    } catch (e: DecryptionFailure) {
+      ConfigFailure.PreprocessorWarning("Could not decrypt resource '$key' in AWS SecretsManager").invalid()
+    } catch (e: LimitExceededException) {
+      ConfigFailure.PreprocessorWarning("Could not load resource '$key' due to limits exceeded").invalid()
+    } catch (e: InvalidParameterException) {
+      ConfigFailure.PreprocessorWarning("Invalid parameter name '$key' in AWS SecretsManager").invalid()
+    } catch (e: AwsServiceException) {
+      ConfigFailure.PreprocessorFailure("Failed loading secret '$key' from AWS SecretsManager", e).invalid()
+    } catch (e: ClientException) {
+      ConfigFailure.PreprocessorFailure("Failed loading secret '$key' from AWS SecretsManager", e).invalid()
+    } catch (e: Exception) {
+      ConfigFailure.PreprocessorFailure("Failed loading secret '$key' from AWS SecretsManager", e).invalid()
+    }
+  }
+}

hoplite-aws-kotlin/src/main/kotlin/com/sksamuel/hoplite/aws/kotlin/AwsSecretsManagerContextResolver.kt

@@ -0,0 +1,18 @@
+package com.sksamuel.hoplite.aws.kotlin
+
+import aws.sdk.kotlin.services.secretsmanager.SecretsManagerClient
+import kotlinx.coroutines.runBlocking
+
+/**
+ * Replaces strings of the form ${{ aws-secrets-manager:path }} by looking up the path in AWS Secrets Manager.
+ *
+ * The [SecretsManagerClient] client is created from the [createClient] argument which uses the
+ * standard [SecretsManagerClient.fromEnvironment()] by default.
+ */
+class AwsSecretsManagerContextResolver(
+  report: Boolean = false,
+  createClient: () -> SecretsManagerClient = { runBlocking { SecretsManagerClient.fromEnvironment() } }
+) : AbstractAwsSecretsManagerContextResolver(report, createClient) {
+  override val contextKey: String = "aws-secrets-manager"
+  override val default: Boolean = false
+}

hoplite-aws-kotlin/src/main/kotlin/com/sksamuel/hoplite/aws/kotlin/AwsSecretsManagerPreprocessor.kt

@@ -0,0 +1,130 @@
+package com.sksamuel.hoplite.aws.kotlin
+
+import aws.sdk.kotlin.runtime.AwsServiceException
+import aws.sdk.kotlin.runtime.ClientException
+import aws.sdk.kotlin.services.secretsmanager.SecretsManagerClient
+import aws.sdk.kotlin.services.secretsmanager.getSecretValue
+import aws.sdk.kotlin.services.secretsmanager.model.DecryptionFailure
+import aws.sdk.kotlin.services.secretsmanager.model.InvalidParameterException
+import aws.sdk.kotlin.services.secretsmanager.model.LimitExceededException
+import aws.sdk.kotlin.services.secretsmanager.model.ResourceNotFoundException
+import com.sksamuel.hoplite.CommonMetadata
+import com.sksamuel.hoplite.ConfigFailure
+import com.sksamuel.hoplite.ConfigResult
+import com.sksamuel.hoplite.DecoderContext
+import com.sksamuel.hoplite.Node
+import com.sksamuel.hoplite.PrimitiveNode
+import com.sksamuel.hoplite.StringNode
+import com.sksamuel.hoplite.fp.invalid
+import com.sksamuel.hoplite.fp.valid
+import com.sksamuel.hoplite.preprocessor.TraversingPrimitivePreprocessor
+import com.sksamuel.hoplite.withMeta
+import kotlinx.coroutines.runBlocking
+import kotlinx.serialization.decodeFromString
+import kotlinx.serialization.json.Json
+
+/**
+ * @param report set to true to output a report on secrets used.
+ *               Requires the overall hoplite report to be enabled.
+ */
+class AwsSecretsManagerPreprocessor(
+  private val report: Boolean = false,
+  private val json: Json,
+  createClient: () -> SecretsManagerClient = { runBlocking { SecretsManagerClient.fromEnvironment() } }
+) : TraversingPrimitivePreprocessor() {
+
+  constructor(
+    report: Boolean = false,
+    createClient: () -> SecretsManagerClient = { runBlocking { SecretsManagerClient.fromEnvironment() } }
+  ) : this(report, Json.Default, createClient)
+
+  private val client by lazy { createClient() }
+  private val regex1 = "\\$\\{awssecret:(.+?)}".toRegex()
+  private val regex2 = "secretsmanager://(.+?)".toRegex()
+  private val regex3 = "awssm://(.+?)".toRegex()
+  private val keyRegex = "(.+)\\[(.+)]".toRegex()
+
+  override fun handle(node: PrimitiveNode, context: DecoderContext): ConfigResult<Node> = when (node) {
+    is StringNode -> {
+      when (
+        val match = regex1.matchEntire(node.value) ?: regex2.matchEntire(node.value) ?: regex3.matchEntire(node.value)
+      ) {
+        null -> node.valid()
+        else -> {
+          val value = match.groupValues[1].trim()
+          val keyMatch = keyRegex.matchEntire(value)
+          val (key, index) = if (keyMatch == null) Pair(value, null) else
+            Pair(keyMatch.groupValues[1], keyMatch.groupValues[2])
+          fetchSecret(key, index, node, context)
+        }
+      }
+    }
+    else -> node.valid()
+  }
+
+  private fun fetchSecret(key: String, index: String?, node: StringNode, context: DecoderContext): ConfigResult<Node> {
+    return try {
+
+      val value = runBlocking {
+        client.getSecretValue {
+          secretId = key
+        }
+      }
+
+      if (report)
+        context.reporter.report(
+          "AWS Secrets Manager Lookups",
+          mapOf(
+            "Name" to value.name,
+            "Arn" to value.arn,
+            "Created Date" to value.createdDate.toString(),
+            "Version Id" to value.versionId
+          )
+        )
+
+      val secret = value.secretString
+      if (secret.isNullOrBlank())
+        ConfigFailure.PreprocessorWarning("Empty secret '$key' in AWS SecretsManager").invalid()
+      else {
+        if (index == null) {
+          node.copy(value = secret)
+            .withMeta(CommonMetadata.Secret, true)
+            .withMeta(CommonMetadata.UnprocessedValue, node.value)
+            .withMeta(CommonMetadata.RemoteLookup, "AWS '$key'")
+            .valid()
+        } else {
+          val map = runCatching { json.decodeFromString<Map<String, String>>(secret) }.getOrElse { emptyMap() }
+          val indexedValue = map[index]
+          if (indexedValue == null)
+            ConfigFailure.PreprocessorWarning(
+              "Index '$index' not present in secret '$key'. Available keys are ${
+                map.keys.joinToString(
+                  ","
+                )
+              }"
+            ).invalid()
+          else
+            node.copy(value = indexedValue)
+              .withMeta(CommonMetadata.Secret, true)
+              .withMeta(CommonMetadata.UnprocessedValue, node.value)
+              .withMeta(CommonMetadata.RemoteLookup, "AWS '$key[$index]'")
+              .valid()
+        }
+      }
+    } catch (e: ResourceNotFoundException) {
+      ConfigFailure.PreprocessorWarning("Could not locate resource '$key' in AWS SecretsManager").invalid()
+    } catch (e: DecryptionFailure) {
+      ConfigFailure.PreprocessorWarning("Could not decrypt resource '$key' in AWS SecretsManager").invalid()
+    } catch (e: LimitExceededException) {
+      ConfigFailure.PreprocessorWarning("Could not load resource '$key' due to limits exceeded").invalid()
+    } catch (e: InvalidParameterException) {
+      ConfigFailure.PreprocessorWarning("Invalid parameter name '$key' in AWS SecretsManager").invalid()
+    } catch (e: AwsServiceException) {
+      ConfigFailure.PreprocessorFailure("Failed loading secret '$key' from AWS SecretsManager", e).invalid()
+    } catch (e: ClientException) {
+      ConfigFailure.PreprocessorFailure("Failed loading secret '$key' from AWS SecretsManager", e).invalid()
+    } catch (e: Exception) {
+      ConfigFailure.PreprocessorFailure("Failed loading secret '$key' from AWS SecretsManager", e).invalid()
+    }
+  }
+}