This function allows you to look up single values stored as parameters in AWS SSM Parameter Store. The intended use-case is to store secrets with KMS encryption in Parameter Store.
Build the plugin from the root directory of this module:
go build -o aws_ssm_parameter
To add theplugin to Hiera, create a "plugin" directory in your Hiera project and copy the bin to that it. See Extending Hiera for more information.
When debugging remotely from an IDE like JetBrains goland, use -gcflags 'all=N -l' to ensure that all symbols are present in the
final binary.
go build -o aws_ssm_parameter -gcflags 'all=-N -l'
To install it, copy the binary to your Hiera plugin directory.
To add the Parameter Store to Hiera's lookup hierarchy, update hiera.yaml. The plugin currently requires two parameters: aws_profile_name and aws_region. This example hiera.yaml places the AWS Parameter Store lookup last, so Hiera won't query AWS SSM Parameter Store unless the other hierarchies fail to return data. (Of course, this depends on your hiera lookup configuration)
---
version: 5
defaults:
datadir: ./hiera
data_hash: yaml_data
hierarchy:
- name: common
path: common.yaml
- name: region
path: region/%{region}.yaml
- name: aws_account
path: region/%{aws_account}.yaml
- name: secrets
lookup_key: aws_ssm_parameter
plugindir: "plugin"
options:
aws_profile_name: Management.ReadOnlyAccess
aws_region: us-west-1
NOTE: The default plugindir is already supposed to be "plugin". Without the explicit plugindir in the configuration example above, the lookup tool successfully invokes the plugin and searches the AWS SSM Parameter Store. However, this does not work if you invoke Hiera from the Terraform Hiera Provider.
Even though I already pass my AWS region and aws_account to the Hiera, I can't use them in the options: section. Interpolation in those fields fails. I created an issue on the hiera project, but I think that the project may be dead :(
That leaves two options:
- Hard-code the lookup to use a specific AWS account and region
- Remove the options and export
AWS_PROFILEandAWS_REGIONenvironment variables instead
#1 depends on your use case and interpretation of your company security policies #2 requires external automation or manual steps, and may cause other unwanted effects but at least you're not hard-coding stuff into your hiera.yaml
To test the plugin, you'll need to write a test parameter to AWS SSM Parameter Store using the AWS cli:
[user@box ~]$ aws ssm put-parameter \
--region us-west-1 \
--profile Management.ReadOnlyAccess \
--type SecureString \
--name "/dev/db_password" \
--value "VerySecretPassword"
Execute a command-line Hiera lookup using the lookup tool (install it with: go install github.com/lyraproj/hiera/lookup@latest)
[user@box ~]$ lookup --config=hiera.yaml "/dev/db_password"
VerySecretPassword
Using Hiera's internal lookup function, you can insert the value of a parameter anywhere. Consider the following example YAML which is used to define a list of databases and roles:
postgres:
databases:
dev:
encoding: "UTF8"
lc_collate: "en_US.UTF-8"
lc_ctype: "en_US.UTF-8"
owner: pgadmin
roles:
frontend:
database: dev
password: "%{lookup('/dev/db_password')}"
Given this YAML, we can execute a command-line lookup for postgres.roles like this:
[user@box ~]$ lookup --config=hiera.yaml postgres.roles
frontend:
database: monolithdb
password: VerySecretPassword