feat(build): #252 aws secrets from env

- Allow in makes.nix to specify aws secrets from env
  vars
- No secret values are dumped to the nix-store, of course.
  Just env-var names (which are not secret)

Author: kamadorueda

README.md

@@ -30,6 +30,10 @@ in just a few steps, in any technology.
 - [Makes.nix format](#makesnix-format)
     - [Caching](#caching)
         - [cache](#cache)
+    - [Secrets](#secrets)
+        - [secrets](#secrets)
+            - [aws](#aws)
+                - [fromEnv](#fromenv)
     - [Formatters](#formatters)
         - [formatBash](#formatbash)
         - [formatMarkdown](#formatmarkdown)
@@ -445,6 +449,103 @@ Example `makes.nix`:
 }
 ```
 
+## Secrets
+
+Managing secrets is critical for application security.
+
+The following functions are secure
+and allow you to re-use secrets
+across different [Makes][MAKES] components.
+
+### secrets
+
+#### aws
+
+Secrets for authenticating into [Amazon Web Services (AWS)][AWS].
+
+##### fromEnv
+
+Load [AWS][AWS] secrets from [Environment Variables][ENV_VAR].
+
+Attributes:
+
+- self (`attrsOf awsFromEnvType`): Optional.
+  Defaults to `{ }`.
+
+Custom Types:
+
+- awsFromEnvType (`submodule`):
+
+    - accessKeyId (`str`): Optional.
+      Name of the [environment variable][ENV_VAR]
+      that stores the value of the [AWS][AWS] Access Key Id.
+      Defaults to `"AWS_ACCESS_KEY_ID"`.
+
+    - defaultRegion (`str`): Optional.
+      Name of the [environment variable][ENV_VAR]
+      that stores the value of the [AWS][AWS] Default Region.
+      Defaults to `"us-east-1"`.
+
+    - secretAccessKey (`str`): Optional.
+      Name of the [environment variable][ENV_VAR]
+      that stores the value of the [AWS][AWS] Secret Access Key.
+      Defaults to `"AWS_SECRET_ACCESS_KEY"`.
+
+    - sessionToken (`str`): Optional.
+      Name of the [environment variable][ENV_VAR]
+      that stores the value of the [AWS][AWS] Session Token.
+      Defaults to `"AWS_SESSION_TOKEN"`.
+
+Always available outputs:
+
+- `/secrets/aws/fromEnv/__default__`:
+    - accessKeyId: "AWS_ACCESS_KEY_ID";
+    - defaultRegion: "us-east-1";
+    - secretAccessKey: "AWS_SECRET_ACCESS_KEY";
+    - sessionToken: "AWS_SESSION_TOKEN";
+
+Example `makes.nix`:
+
+```nix
+{ outputs
+, ...
+}:
+{
+  secrets = {
+    aws = {
+      fromEnv = {
+        makesDev = {
+          accessKeyId = "MAKES_DEV_AWS_ACCESS_KEY_ID";
+          secretAccessKey = "MAKES_DEV_AWS_SECRET_ACCESS_KEY";
+        };
+        makesProd = {
+          accessKeyId = "MAKES_PROD_AWS_ACCESS_KEY_ID";
+          secretAccessKey = "MAKES_PROD_AWS_SECRET_ACCESS_KEY";
+        };
+      };
+    };
+  };
+  lintTerraform = {
+    modules = {
+      moduleDev = {
+        authentication = [
+          outputs."/secrets/aws/fromEnv/makesDev"
+        ];
+        src = "/my/module1";
+        version = "0.12";
+      };
+      moduleProd = {
+        authentication = [
+          outputs."/secrets/aws/fromEnv/makesProd"
+        ];
+        src = "/my/module2";
+        version = "0.12";
+      };
+    };
+  };
+}
+```
+
 ## Formatters
 
 Formatters help your code be consistent, beautiful and more maintainable.
@@ -803,19 +904,14 @@ Attributes:
 Custom Types:
 
 - moduleType (`submodule`):
+    - authentication (`listOf package`): Optional.
+      [Makes Secrets][MAKES_SECRETS] to use (if required by your module).
+      Defaults to `[ ]`.
     - src (`str`):
       Path to the [Terraform][TERRAFORM] module.
     - version (`str`):
       [Terraform][TERRAFORM] version your module is built with.
 
-Required environment variables:
-
-- If your [Terraform][TERRAFORM] module uses the AWS provider:
-    - `AWS_ACCESS_KEY_ID`
-    - `AWS_DEFAULT_REGION`
-    - `AWS_SECRET_ACCESS_KEY`
-    - `AWS_SESSION_TOKEN`: Required only if the AWS credentials are temporary.
-
 Example `makes.nix`:
 
 ```nix
@@ -835,15 +931,7 @@ Example `makes.nix`:
 }
 ```
 
-Example invocation:
-
-```bash
-$ AWS_ACCESS_KEY_ID=123 \
-  AWS_DEFAULT_REGION=us-east-1 \
-  AWS_SECRET_ACCESS_KEY=123 \
-  AWS_SESSION_TOKEN=123 \
-  m . /lintTerraform
-```
+Example invocation: `$ m . /lintTerraform`
 
 ### lintWithLizard
 
@@ -1579,6 +1667,9 @@ $ m . /example
 - [APACHE_MAVEN]: https://maven.apache.org/
   [Apache Maven][APACHE_MAVEN]
 
+- [AWS]: https://aws.amazon.com/
+  [Amazon Web Services (AWS)][AWS]
+
 - [BASH]: https://www.gnu.org/software/bash/
   [Bash][BASH]
 
@@ -1609,6 +1700,9 @@ $ m . /example
 - [DOCTOC]: https://github.com/thlorenz/doctoc
   [DocToc][DOCTOC]
 
+- [ENV_VAR]: https://en.wikipedia.org/wiki/Environment_variable
+  [Environment Variable][ENV_VAR]
+
 - [FLUID_ATTACKS]: https://fluidattacks.com
   [Fluid Attacks][FLUID_ATTACKS]
 
@@ -1663,6 +1757,9 @@ $ m . /example
 - [MAKES_RELEASES]: https://github.com/fluidattacks/makes/releases
   [Makes Releases][MAKES_RELEASES]
 
+- [MAKES_SECRETS]: #secrets
+  [Makes Secrets][MAKES_SECRETS]
+
 - [MARKDOWN_LINT]: https://github.com/markdownlint/markdownlint
   [Markdown lint tool][MARKDOWN_LINT]
 

src/args/default.nix

@@ -31,6 +31,7 @@ let
     makeScript = import ./make-script/default.nix args;
     makeScriptParallel = import ./make-script-parallel/default.nix args;
     makeSearchPaths = import ./make-search-paths/default.nix args;
+    makeSecretAwsFromEnv = import ./make-secret-aws-from-env/default.nix args;
     makeTerraformEnvironment = import ./make-terraform-environment/default.nix args;
     inherit makesVersion;
     makeTemplate = import ./make-template/default.nix args;

src/args/lint-terraform/default.nix

@@ -3,7 +3,8 @@
 , makeTerraformEnvironment
 , ...
 }:
-{ config
+{ authentication
+, config
 , name
 , version
 , src
@@ -24,6 +25,6 @@ makeScript {
       (makeTerraformEnvironment {
         inherit version;
       })
-    ];
+    ] ++ authentication;
   };
 }

src/args/make-secret-aws-from-env/default.nix

@@ -0,0 +1,19 @@
+{ makeTemplate
+, ...
+}:
+{ accessKeyId
+, defaultRegion
+, name
+, secretAccessKey
+, sessionToken
+}:
+makeTemplate {
+  replace = {
+    __argAccessKeyId__ = accessKeyId;
+    __argDefaultRegion__ = defaultRegion;
+    __argSecretAcessKey__ = secretAccessKey;
+    __argSessionToken__ = sessionToken;
+  };
+  name = "make-secret-aws-from-env-for-${name}";
+  template = ./template.sh;
+}

src/args/make-secret-aws-from-env/template.sh

@@ -0,0 +1,18 @@
+# shellcheck shell=bash
+
+function main {
+  local access_key_id_name='__argAccessKeyId__'
+  local default_region_name='__argDefaultRegion__'
+  local secret_access_key_name='__argSecretAcessKey__'
+  local session_token_name='__argSessionToken__'
+
+  require_env_var "${access_key_id_name}" \
+    && require_env_var "${default_region_name}" \
+    && require_env_var "${secret_access_key_name}" \
+    && export AWS_ACCESS_KEY_ID="${!access_key_id_name}" \
+    && export AWS_DEFAULT_REGION="${!default_region_name}" \
+    && export AWS_ACCESS_KEY_ID="${!secret_access_key_name}" \
+    && export AWS_SESSION_TOKEN="${!session_token_name:-}"
+}
+
+main "${@}"

src/args/shell-commands/makes-setup.sh

@@ -30,3 +30,11 @@ function copy {
   cp --no-target-directory --recursive "${@}" \
     && chmod --recursive +w "${@: -1}"
 }
+
+function require_env_var {
+  local var_name="${1}"
+
+  if test -z "${!var_name:-}"; then
+    critical Env var is required but is empty or not present: "${var_name}"
+  fi
+}

src/cli/main/__main__.py

@@ -250,7 +250,10 @@ def _help_and_exit(
         _log()
         _log("[OUTPUT] can be:")
         for attr in attrs:
-            if attr not in {"__all__"}:
+            if attr not in {
+                "__all__",
+                "/secrets/aws/fromEnv/__default__",
+            }:
                 _log(f"  {attr}")
     if exc is not None:
         _log()

src/evaluator/modules/default.nix

@@ -6,5 +6,6 @@ args:
     (import ./inputs.nix)
     (import ./outputs/default.nix args)
     (import ./required-makes-version.nix args)
+    (import ./secrets.nix args)
   ];
 }

src/evaluator/modules/outputs/builtins/lint-terraform/default.nix

@@ -9,9 +9,10 @@
 , ...
 }:
 let
-  makeOutput = name: { src, version }: {
+  makeOutput = name: { authentication, src, version }: {
     name = "/lintTerraform/${name}";
     value = lintTerraform {
+      inherit authentication;
       config = builtins.toFile "tflint.hcl" config.lintTerraform.config;
       inherit name;
       src = path src;
@@ -37,6 +38,10 @@ in
         default = { };
         type = lib.types.attrsOf (lib.types.submodule (_: {
           options = {
+            authentication = lib.mkOption {
+              default = [ ];
+              type = lib.types.listOf lib.types.package;
+            };
             src = lib.mkOption {
               type = lib.types.str;
             };

src/evaluator/modules/secrets.nix

@@ -0,0 +1,69 @@
+{ __toModuleOutputs__
+, makeSecretAwsFromEnv
+, ...
+}:
+{ config
+, lib
+, ...
+}:
+let
+  awsFromEnvType = lib.types.submodule (_: {
+    options = {
+      accessKeyId = lib.mkOption {
+        default = "AWS_ACCESS_KEY_ID";
+        type = lib.types.str;
+      };
+      defaultRegion = lib.mkOption {
+        default = "us-east-1";
+        type = lib.types.str;
+      };
+      secretAccessKey = lib.mkOption {
+        default = "AWS_SECRET_ACCESS_KEY";
+        type = lib.types.str;
+      };
+      sessionToken = lib.mkOption {
+        default = "AWS_SESSION_TOKEN";
+        type = lib.types.str;
+      };
+    };
+  });
+  makeAwsFromEnvOutput = name:
+    { accessKeyId
+    , defaultRegion
+    , secretAccessKey
+    , sessionToken
+    }: {
+      name = "/secrets/aws/fromEnv/${name}";
+      value = makeSecretAwsFromEnv {
+        inherit accessKeyId;
+        inherit defaultRegion;
+        inherit name;
+        inherit secretAccessKey;
+        inherit sessionToken;
+      };
+    };
+in
+{
+  options = {
+    secrets = {
+      aws = {
+        fromEnv = lib.mkOption {
+          default = { };
+          type = lib.types.attrsOf awsFromEnvType;
+        };
+      };
+    };
+  };
+  config = {
+    outputs =
+      (__toModuleOutputs__ makeAwsFromEnvOutput config.secrets.aws.fromEnv) //
+      (__toModuleOutputs__ makeAwsFromEnvOutput {
+        __default__ = {
+          accessKeyId = "AWS_ACCESS_KEY_ID";
+          defaultRegion = "us-east-1";
+          secretAccessKey = "AWS_SECRET_ACCESS_KEY";
+          sessionToken = "AWS_SESSION_TOKEN";
+        };
+      });
+  };
+}