
Package terrahelp

v0.7.4

Published: Dec 9, 2019 | License: Apache-2.0 | Module: github.com/opencredo/terrahelp


Constants

const (
	// TfstateFilename is the default Terraform state file name.
	TfstateFilename    = "terraform.tfstate"
	// TfstateBkpFilename is the default name of the Terraform state backup file.
	TfstateBkpFilename = "terraform.tfstate.backup"
	// TfvarsFilename is the default Terraform variables file name.
	TfvarsFilename     = "terraform.tfvars"
	// ThBkpExtension is the extension terrahelp uses for its own backup files
	// (presumably the backup written when NewFileTransformable is created with bkp set — confirm).
	ThBkpExtension     = ".terrahelpbkp"

	// ThNamedEncryptionKey is default Vault named encryption key
	ThNamedEncryptionKey = "terrahelp"
)

Default file related values

const (
	// ThEncryptProviderSimple names the local AES based provider (SimpleEncrypter).
	ThEncryptProviderSimple   = "simple"
	// ThEncryptProviderVault names the provider that talks to Vault through its API client.
	ThEncryptProviderVault    = "vault"
	// ThEncryptProviderVaultCli names the provider that drives Vault through its CLI
	// (see NewVaultCliEncrypter).
	ThEncryptProviderVaultCli = "vault-cli"
)

Valid encryption providers

const (
	// ThEncryptModeInline selects inline encryption; CryptoHandlerOpts.InlineMode reports
	// whether this mode is configured.
	ThEncryptModeInline = "inline"
	// ThEncryptModeFull selects full (whole content) encryption.
	ThEncryptModeFull   = "full"
)

Valid encryption modes

const (
	// MaskChar is the default character a mask is built from (see MaskOpts.MaskChar).
	MaskChar         = "*"
	// NumberOfMaskChar is the default number of mask characters written in place of a
	// sensitive value (see MaskOpts.MaskNumChar).
	NumberOfMaskChar = 6

	// PrevVal2CurrentValSelectPattern is a regexp template matching a quoted previous value
	// (after '=' or ':') followed by "=>" or "->" and a quoted run of mask characters.
	// The %s placeholder is presumably substituted with the mask character before the
	// pattern is compiled — confirm against Masker. Note that the ".+" group is greedy.
	PrevVal2CurrentValSelectPattern = "(=\\s*|:\\s*)(\".+\")\\s*(=|-)>\\s*\"(\\%s*)\""
	// PrevVal2MaskedValReplacePattern is the replacement template: the masked value, quoted.
	PrevVal2MaskedValReplacePattern = "\"%s\""
)

Default mask related values

func CopyDir

func CopyDir(src, dst string) error

CopyDir copies the src directory contents into dst. Both directories should already exist.

func CopyFile

func CopyFile(src, dest string) error

CopyFile copies the file at src to dest.

type CryptoHandler

type CryptoHandler struct {
	// Encrypter is the crypto backend that performs the actual encryption and decryption.
	Encrypter Encrypter
}

CryptoHandler defines and exposes cryptographic actions which can be performed against terraform related files and output

func (*CryptoHandler) Decrypt

func (t *CryptoHandler) Decrypt(ctx *CryptoHandlerOpts) error

Decrypt will ensure appropriate aspects of the input content are decrypted as per the configured options supplied

func (*CryptoHandler) Encrypt

func (t *CryptoHandler) Encrypt(ctx *CryptoHandlerOpts) error

Encrypt will ensure the appropriate areas of the input content are encrypted as per the configured options supplied

func (*CryptoHandler) Init

func (t *CryptoHandler) Init(ctx *CryptoHandlerOpts) error

Init provides the opportunity for the Encrypter provider to perform any additional config or initialisation which may be required before use

type CryptoHandlerOpts

type CryptoHandlerOpts struct {
	// TransformOpts describes what content the cryptographic action is applied to.
	*TransformOpts
	// EncProvider selects the crypto backend; expected to be one of the ThEncryptProvider* values.
	EncProvider           string
	// EncMode selects the encryption mode; expected to be ThEncryptModeInline or ThEncryptModeFull.
	EncMode               string
	// NamedEncKey is the Vault named encryption key (default presumably ThNamedEncryptionKey — confirm).
	NamedEncKey           string
	// SimpleKey is the AES key used by the simple provider (see SimpleEncrypter.Encrypt for key sizes).
	SimpleKey             string
	// AllowDoubleEncrypt presumably permits encrypting content that is already wrapped — confirm.
	AllowDoubleEncrypt    bool
	// ExcludeWhitespaceOnly presumably skips values consisting only of whitespace — confirm against NewTfVars.
	ExcludeWhitespaceOnly bool
}

CryptoHandlerOpts holds the specific options detailing how, and on what to perform the cryptographic actions.

func NewDefaultCryptoHandlerOpts

func NewDefaultCryptoHandlerOpts() *CryptoHandlerOpts

NewDefaultCryptoHandlerOpts creates CryptoHandlerOpts with all the default values set

func (*CryptoHandlerOpts) InlineMode

func (o *CryptoHandlerOpts) InlineMode() bool

InlineMode returns true if the Encryption mode is 'inline'

func (*CryptoHandlerOpts) ValidateForEncryptDecrypt

func (o *CryptoHandlerOpts) ValidateForEncryptDecrypt() error

ValidateForEncryptDecrypt ensures valid options have been set for the encryption / decryption process.

type CryptoWrapError

type CryptoWrapError struct {
	// contains filtered or unexported fields
}

A CryptoWrapError describes an error where a missing or invalid use of the terrahelp wrapper value (i.e. @terrahelp-encrypted()) prevents the encryption or decryption from being performed.

func (*CryptoWrapError) Error

func (e *CryptoWrapError) Error() string

type DefaultReplaceables

type DefaultReplaceables struct {
	// Vals holds the values to replace, as plain strings; Values returns them unchanged.
	Vals []string
}

DefaultReplaceables provides the default implementation of Replaceables. It stores the values to replace as strings.

func (*DefaultReplaceables) Values

func (d *DefaultReplaceables) Values() ([]string, error)

Values returns the list of values to replace

type DefaultVaultClient

type DefaultVaultClient struct {
	*api.Client
}

DefaultVaultClient provides a wrapper around the core Vault client and uses it to provide the required functionality

func NewDefaultVaultClient

func NewDefaultVaultClient() (*DefaultVaultClient, error)

NewDefaultVaultClient creates a new DefaultVaultClient

func (*DefaultVaultClient) Decrypt

func (v *DefaultVaultClient) Decrypt(key, ciphertext string) (string, error)

Decrypt uses the named encryption key to decrypt the supplied content

func (*DefaultVaultClient) Encrypt

func (v *DefaultVaultClient) Encrypt(key, b64text string) (string, error)

Encrypt uses the named encryption key to encrypt the supplied content

func (*DefaultVaultClient) MountTransitBackend

func (v *DefaultVaultClient) MountTransitBackend() error

MountTransitBackend ensures the transit backend is mounted

func (*DefaultVaultClient) RegisterNamedEncryptionKey

func (v *DefaultVaultClient) RegisterNamedEncryptionKey(key string) error

RegisterNamedEncryptionKey registers the named encryption key within Vault's transit backend

type Encrypter

type Encrypter interface {
	// Init performs any backend specific setup required before Encrypt or Decrypt can be
	// used (see CryptoHandler.Init).
	Init(key string) error
	// Decrypt decrypts b. What key denotes depends on the backend: a raw AES key for
	// SimpleEncrypter, a Vault named encryption key for VaultEncrypter.
	Decrypt(key string, b []byte) ([]byte, error)
	// Encrypt encrypts b using key, with the same key semantics as Decrypt.
	Encrypt(key string, b []byte) ([]byte, error)
}

Encrypter defines the functionality required to be supported by crypto backends which are to be used for encrypting and decrypting tfstate files

type FileTransformable

type FileTransformable struct {
	// contains filtered or unexported fields
}

FileTransformable defines actions to validate, read and write content from a file on the filesystem required as input to, and output from, a transformation action.

func NewFileTransformable

func NewFileTransformable(f string, bkp bool, bkpExt string) *FileTransformable

NewFileTransformable creates a new FileTransformable

type MaskOpts

type MaskOpts struct {
	// TransformOpts describes what content the masking action is applied to.
	*TransformOpts
	// MaskChar is the character the mask is built from (package default: MaskChar).
	MaskChar              string
	// MaskNumChar is how many mask characters replace a value (package default: NumberOfMaskChar).
	MaskNumChar           int
	// ReplacePrevVals presumably also masks previous values in "old => new" style output,
	// as matched by PrevVal2CurrentValSelectPattern — confirm.
	ReplacePrevVals       bool
	// ExcludeWhitespaceOnly presumably skips values consisting only of whitespace — confirm against NewTfVars.
	ExcludeWhitespaceOnly bool
}

MaskOpts holds the specific options detailing how, and on what to perform the masking action.

func NewDefaultMaskOpts

func NewDefaultMaskOpts() *MaskOpts

NewDefaultMaskOpts creates MaskOpts with all the default values set

type Masker

type Masker struct {
	// contains filtered or unexported fields
}

Masker exposes the ability to obfuscate sensitive data found within certain content by replacing it with a masked value

func NewMasker

func NewMasker(ctx *MaskOpts, svh Replaceables) *Masker

NewMasker creates a new Masker with the specified options and Replaceables.

func (*Masker) Mask

func (m *Masker) Mask() error

Mask will ensure the appropriate areas of the input content are replaced with the mask pattern as per the configured options

type MockVaultClient

type MockVaultClient struct {
	// contains filtered or unexported fields
}

MockVaultClient provides a mock implementation of the VaultClient interface for testing purposes

func NewMockVaultClient

func NewMockVaultClient() *MockVaultClient

NewMockVaultClient creates a new MockVaultClient

func (*MockVaultClient) Decrypt

func (m *MockVaultClient) Decrypt(key, s string) (string, error)

Decrypt uses the named encryption key to mock decrypt the supplied content

func (*MockVaultClient) Encrypt

func (m *MockVaultClient) Encrypt(key, s string) (string, error)

Encrypt uses the named encryption key to mock encrypt the supplied content

func (*MockVaultClient) MountTransitBackend

func (m *MockVaultClient) MountTransitBackend() error

MountTransitBackend mocks the mounting of the transit backend

func (*MockVaultClient) RegisterNamedEncryptionKey

func (m *MockVaultClient) RegisterNamedEncryptionKey(key string) error

RegisterNamedEncryptionKey registers the named encryption key within the mock Vault service

type Replaceables

type Replaceables interface {

	// Values returns the list of values to replace or an error
	Values() ([]string, error)
}

Replaceables defines the values which should be replaced as part of various transformations actions

type SimpleEncrypter

type SimpleEncrypter struct{}

SimpleEncrypter provides basic AES based encryption

func NewSimpleEncrypter

func NewSimpleEncrypter() *SimpleEncrypter

NewSimpleEncrypter creates a new SimpleEncrypter with default configuration

func (*SimpleEncrypter) Decrypt

func (s *SimpleEncrypter) Decrypt(key string, b []byte) ([]byte, error)

Decrypt will use the supplied AES key to decrypt the byte content provided.

func (*SimpleEncrypter) Encrypt

func (s *SimpleEncrypter) Encrypt(key string, b []byte) ([]byte, error)

Encrypt will perform AES based encryption on the byte content provided. The key should be an AES key of either 16 or 32 characters, which then informs whether AES-128 or AES-256 encryption is applied.

func (*SimpleEncrypter) Init

func (s *SimpleEncrypter) Init(key string) error

Init is used to initialise Vault for the purposes of using its encryption as a service functionality

type StreamTransformable

type StreamTransformable struct {
	// contains filtered or unexported fields
}

StreamTransformable defines the set of actions which can be performed on an underlying stream of data (typically stdin and stdout) as part of applying a transformation process to it. Note: there should generally be NO arbitrary writing to stdout for logging purposes when using a StreamTransformable, as the stream is often stdin / stdout itself.

func NewStdStreamTransformable

func NewStdStreamTransformable() *StreamTransformable

NewStdStreamTransformable creates a new StreamTransformable that reads its input from stdin and writes the result of a transformation action to stdout.

func NewStreamTransformable

func NewStreamTransformable(in io.Reader, out io.Writer) *StreamTransformable

NewStreamTransformable creates a new StreamTransformable

type Tfvars

type Tfvars struct {
	// contains filtered or unexported fields
}

Tfvars provides utility functions pertaining to the terraform.tfvars file

func NewTfVars

func NewTfVars(f string, excl bool) *Tfvars

NewTfVars creates a new Tfvars holder based on the provided filename

func (*Tfvars) Values

func (t *Tfvars) Values() ([]string, error)

Values returns a list of the sensitive values which were detected in the provided tfvars file

type TransformOpts

type TransformOpts struct {
	// TransformItems are the pieces of content (files or streams) the transformation is applied to.
	TransformItems []Transformable
	// TfvarsFilename is the tfvars file from which sensitive values are detected (see Tfvars.Values);
	// the package default is the TfvarsFilename constant — confirm.
	TfvarsFilename string
}

TransformOpts holds the specific options detailing how, and on what the transformation action should be performed.

type Transformable

type Transformable interface {
	// contains filtered or unexported methods
}

Transformable defines the set of actions which can be performed on some underlying content as part of applying a transformation process to it.

type VaultCliClient

type VaultCliClient struct {
}

VaultCliClient provides a wrapper around calling Vault via the CLI and uses it to provide the required functionality

func NewVaultCliClient

func NewVaultCliClient() (*VaultCliClient, error)

NewVaultCliClient creates a new VaultCliClient

func (*VaultCliClient) Decrypt

func (v *VaultCliClient) Decrypt(key, ciphertext string) (string, error)

Decrypt uses the named encryption key to decrypt the supplied content

func (*VaultCliClient) Encrypt

func (v *VaultCliClient) Encrypt(key, b64text string) (string, error)

Encrypt uses the named encryption key to encrypt the supplied content

func (*VaultCliClient) MountTransitBackend

func (v *VaultCliClient) MountTransitBackend() error

MountTransitBackend ensures the transit backend is mounted

func (*VaultCliClient) RegisterNamedEncryptionKey

func (v *VaultCliClient) RegisterNamedEncryptionKey(key string) error

RegisterNamedEncryptionKey registers the named encryption key within Vault's transit backend

type VaultClient

type VaultClient interface {

	// RegisterNamedEncryptionKey registers the named encryption key
	// within Vault's transit backend
	RegisterNamedEncryptionKey(key string) error
	// MountTransitBackend ensures the transit backend is mounted
	MountTransitBackend() error
	// Encrypt uses the named encryption key to encrypt the supplied content
	Encrypt(key, text string) (string, error)
	// Decrypt uses the named encryption key to decrypt the supplied content
	Decrypt(key, ciphertext string) (string, error)
}

VaultClient defines the basic functionality required by terrahelp when interacting with Vault

type VaultEncrypter

type VaultEncrypter struct {
	// contains filtered or unexported fields
}

VaultEncrypter wraps the real core Vault client, exposing the convenient methods required to interact with Vault in order to encrypt and decrypt tfstate files.

func NewVaultCliEncrypter

func NewVaultCliEncrypter() (*VaultEncrypter, error)

NewVaultCliEncrypter creates a new CLI based VaultEncrypter

func NewVaultEncrypter

func NewVaultEncrypter() (*VaultEncrypter, error)

NewVaultEncrypter creates a new VaultEncrypter

func (*VaultEncrypter) Decrypt

func (cu *VaultEncrypter) Decrypt(key string, ciphertext []byte) ([]byte, error)

Decrypt uses the named encryption key to decrypt the provided ciphertext

func (*VaultEncrypter) Encrypt

func (cu *VaultEncrypter) Encrypt(key string, plaintext []byte) ([]byte, error)

Encrypt uses the named encryption key to encrypt the provided plaintext

func (*VaultEncrypter) Init

func (cu *VaultEncrypter) Init(key string) error

Init is used to initialise the VaultEncrypter for the purposes of using its encryption as a service functionality


Documentation was rendered with GOOS=linux and GOARCH=amd64.
