Add SSM EnvVarLoader in SymfonyBundle (#490)

jderusse · chalasr · web-flow · commit 2ed34005af93 · 2020-04-23T08:23:35.000+02:00
* Add SSM EnvVarLoader in SyfonyBundle

* Apply suggestions from code review

Co-Authored-By: Robin Chalas &lt;chalasr@users.noreply.github.com&gt;

* Add minimum stability in Integration too

* Fix CS

Co-authored-by: Robin Chalas &lt;chalasr@users.noreply.github.com&gt;
diff --git a/composer.json b/composer.json
@@ -17,9 +17,10 @@
         "symfony/http-kernel": "^4.4 || ^5.0"
     },
     "require-dev": {
-        "async-aws/s3": "^0.3",
-        "async-aws/ses": "^0.3",
-        "async-aws/sqs": "^0.3",
+        "async-aws/s3": "^0.3 || ^0.4",
+        "async-aws/ses": "^0.3 || ^0.4",
+        "async-aws/sqs": "^0.3 || ^0.4",
+        "async-aws/ssm": "^0.1",
         "matthiasnoback/symfony-config-test": "^4.1",
         "nyholm/symfony-bundle-test": "^1.6.1"
     },
diff --git a/src/DependencyInjection/AsyncAwsExtension.php b/src/DependencyInjection/AsyncAwsExtension.php
@@ -4,6 +4,7 @@
 
 namespace AsyncAws\Symfony\Bundle\DependencyInjection;
 
+use AsyncAws\Symfony\Bundle\Secrets\SsmVault;
 use Symfony\Component\Config\Definition\Exception\InvalidConfigurationException;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 use Symfony\Component\DependencyInjection\ContainerInterface;
@@ -20,6 +21,7 @@ public function load(array $configs, ContainerBuilder $container)
 
         $usedServices = $this->registerConfiguredServices($container, $config);
         $usedServices = $this->registerInstalledServices($container, $config, $usedServices);
+        $this->registerEnvLoader($container, $config);
         $this->autowireServices($container, $usedServices);
     }
 
@@ -33,7 +35,7 @@ private function registerConfiguredServices(ContainerBuilder $container, array $
         foreach ($config['clients'] as $name => $data) {
             $client = $availableServices[$data['type']]['class'];
             if (!class_exists($client)) {
-                throw new InvalidConfigurationException(sprintf('You have configured "async_aws.%s" but the "%s" package is not installed. Try running "composer require %s"', $name, $name, $availableServices[$name]['package']));
+                throw new InvalidConfigurationException(sprintf('You have configured "async_aws.%s" but the "%s" package is not installed. Try running "composer require %s"', $name, $data['type'], $availableServices[$data['type']]['package']));
             }
 
             $serviceConfig = array_merge($defaultConfig, $data);
@@ -96,6 +98,46 @@ private function addServiceDefinition(ContainerBuilder $container, string $name,
         $container->setDefinition(sprintf('async_aws.client.%s', $name), $definition);
     }
 
+    private function registerEnvLoader(ContainerBuilder $container, array $config): void
+    {
+        if (!$config['secrets']['enabled']) {
+            return;
+        }
+
+        $availableServices = AwsPackagesProvider::getAllServices();
+        if (!class_exists($className = $availableServices['ssm']['class'])) {
+            throw new InvalidConfigurationException(sprintf('You have enabled "async_aws.secrets" but the "%s" package is not installed. Try running "composer require %s"', 'ssm', $availableServices['ssm']['package']));
+        }
+
+        if (null !== $client = $config['secrets']['client']) {
+            if (!isset($config['clients'][$client])) {
+                throw new InvalidConfigurationException(sprintf('The client "%s" configured in "async_aws.secrets" does not exists. Available clients are "%s"', $client, implode(', ', \array_keys($config['clients']))));
+            }
+            if ('ssm' !== $config['clients'][$client]['type']) {
+                throw new InvalidConfigurationException(sprintf('The client "%s" configured in "async_aws.secrets" is not a SSM client.', $client));
+            }
+        } else {
+            if (!isset($config['clients']['ssm'])) {
+                $client = 'ssm';
+            } else {
+                $client = 'secrets';
+                $i = 1;
+                while (isset($config['clients'][$client])) {
+                    $client = 'secrets_' . $i;
+                }
+            }
+            $this->addServiceDefinition($container, $client, $config, $className);
+        }
+
+        $container->register(SsmVault::class)
+            ->setAutoconfigured(true)
+            ->setArguments([
+                new Reference('async_aws.client.' . $client),
+                $config['secrets']['path'],
+                $config['secrets']['recursive'],
+            ]);
+    }
+
     private function autowireServices(ContainerBuilder $container, array $usedServices): void
     {
         $awsServices = AwsPackagesProvider::getAllServices();
diff --git a/src/DependencyInjection/Configuration.php b/src/DependencyInjection/Configuration.php
@@ -32,13 +32,23 @@ public function getConfigTreeBuilder()
                         ->children()
                             ->booleanNode('register_service')->info('If set to false, no service will be created for this AWS type.')->defaultTrue()->end()
                             ->arrayNode('config')->info('Configuration specific to this service.')->normalizeKeys(false)->prototype('variable')->end()->end()
-                            ->enumNode('type')->info('A valid AWS type. The service name will be used as default. ')->values(AwsPackagesProvider::getServiceNames())->end()
+                            ->enumNode('type')->info('A valid AWS type. The service name will be used as default.')->values(AwsPackagesProvider::getServiceNames())->end()
                             ->scalarNode('credential_provider')->info('A service name for AsyncAws\Core\Credentials\CredentialProvider.')->end()
                             ->scalarNode('http_client')->info('A service name for Symfony\Contracts\HttpClient\HttpClientInterface.')->end()
                             ->scalarNode('logger')->info('A service name for Psr\Log\LoggerInterface.')->end()
                         ->end()
                     ->end()
                 ->end()
+
+                ->arrayNode('secrets')
+                    ->info('The SSM EnvLoader configuration.')
+                    ->canBeEnabled()
+                    ->children()
+                        ->scalarNode('path')->info('Path to the parameters.')->defaultNull()->end()
+                        ->booleanNode('recursive')->info('Retrieve all parameters within a hierarchy.')->defaultValue(true)->end()
+                        ->scalarNode('client')->info('Name of the SSM client. When null, use the default SSM configuration.')->defaultNull()->end()
+                    ->end()
+                ->end()
             ->end();
 
         return $treeBuilder;
diff --git a/src/Secrets/SsmVault.php b/src/Secrets/SsmVault.php
@@ -0,0 +1,45 @@
+<?php
+
+namespace AsyncAws\Symfony\Bundle\Secrets;
+
+use AsyncAws\Ssm\SsmClient;
+use AsyncAws\Ssm\ValueObject\Parameter;
+use Symfony\Component\DependencyInjection\EnvVarLoaderInterface;
+
+class SsmVault implements EnvVarLoaderInterface
+{
+    private $client;
+
+    private $path;
+
+    private $recursive;
+
+    public function __construct(SsmClient $client, ?string $path, bool $recursive)
+    {
+        $this->client = $client;
+        $this->path = $path ?? '/';
+        $this->recursive = $recursive;
+    }
+
+    public function loadEnvVars(): array
+    {
+        $parameters = $this->client->getParametersByPath([
+            'Path' => $this->path,
+            'Recursive' => $this->recursive,
+            'WithDecryption' => true,
+        ]);
+
+        $secrets = [];
+        $prefixLen = \strlen($this->path);
+        /** @var Parameter $parameter */
+        foreach ($parameters as $parameter) {
+            if ((null === $name = $parameter->getName()) || (null === $value = $parameter->getValue())) {
+                continue;
+            }
+            $name = \strtoupper(\strtr(ltrim(substr($name, $prefixLen), '/'), '/', '_'));
+            $secrets[$name] = $value;
+        }
+
+        return $secrets;
+    }
+}
diff --git a/tests/Functional/BundleInitializationTest.php b/tests/Functional/BundleInitializationTest.php
@@ -8,7 +8,9 @@
 use AsyncAws\Ses\SesClient;
 use AsyncAws\Sns\SnsClient;
 use AsyncAws\Sqs\SqsClient;
+use AsyncAws\Ssm\SsmClient;
 use AsyncAws\Symfony\Bundle\AsyncAwsBundle;
+use AsyncAws\Symfony\Bundle\Secrets\SsmVault;
 use Nyholm\BundleTest\BaseBundleTestCase;
 use Nyholm\BundleTest\CompilerPass\PublicServicePass;
 use Symfony\Component\Config\Definition\Exception\InvalidConfigurationException;
@@ -33,6 +35,7 @@ public function testInitBundle()
         $this->assertServiceExists('async_aws.client.sqs', SqsClient::class);
         $this->assertServiceExists('async_aws.client.ses', SesClient::class);
         $this->assertServiceExists('async_aws.client.foobar', SqsClient::class);
+        $this->assertServiceExists('async_aws.client.secret', SsmClient::class);
 
         // Test autowired clients
         $this->assertServiceExists(S3Client::class, S3Client::class);
@@ -42,6 +45,9 @@ public function testInitBundle()
         // Test autowire by name
         $this->assertServiceExists(SqsClient::class . ' $foobar', SqsClient::class);
 
+        // Test secret
+        $this->assertServiceExists(SsmVault::class, SsmVault::class);
+
         $container = $this->getContainer();
         self::assertFalse($container->has(SqsClient::class . ' $notFound'));
         self::assertFalse($container->has(S3Client::class . ' $foobar'));
diff --git a/tests/Functional/Resources/config/default.yaml b/tests/Functional/Resources/config/default.yaml
@@ -8,3 +8,9 @@ async_aws:
         ses: ~
         foobar:
             type: sqs
+        secret:
+            type: ssm
+    secrets:
+        path: /application1
+        recursive: true
+        client: secret
diff --git a/tests/Unit/DependencyInjection/ConfigurationTest.php b/tests/Unit/DependencyInjection/ConfigurationTest.php
@@ -28,6 +28,12 @@ public function testDefaultValues(): void
             'credential_provider' => null,
             'config' => [],
             'clients' => [],
+            'secrets' => [
+                'enabled' => false,
+                'path' => null,
+                'recursive' => true,
+                'client' => null,
+            ],
         ]);
     }
 
diff --git a/tests/Unit/Secrets/SsmVaultTest.php b/tests/Unit/Secrets/SsmVaultTest.php
@@ -0,0 +1,39 @@
+<?php
+
+namespace AsyncAws\Symfony\Bundle\Tests\Unit\Secrets;
+
+use AsyncAws\Core\Test\ResultMockFactory;
+use AsyncAws\Ssm\Result\GetParametersByPathResult;
+use AsyncAws\Ssm\SsmClient;
+use AsyncAws\Ssm\ValueObject\Parameter;
+use AsyncAws\Symfony\Bundle\Secrets\SsmVault;
+use PHPUnit\Framework\TestCase;
+
+class SsmVaultTest extends TestCase
+{
+    /**
+     * @dataProvider provideParameters
+     */
+    public function testLoadEnvVars($path, $parameterName, $expected)
+    {
+        $client = $this->createMock(SsmClient::class);
+        $ssmVault = new SsmVault($client, $path, true);
+
+        $client->expects(self::once())
+            ->method('getParametersByPath')
+            ->willReturn(ResultMockFactory::create(GetParametersByPathResult::class, ['Parameters' => [new Parameter(['Name' => $parameterName, 'Value' => 'value'])]]));
+
+        $actual = $ssmVault->loadEnvVars();
+
+        self::assertEquals($expected, $actual);
+    }
+
+    public function provideParameters(): iterable
+    {
+        yield 'simple' => [null, '/FOO', ['FOO' => 'value']];
+        yield 'case insensitive' => [null, '/fOo', ['FOO' => 'value']];
+        yield 'remove prefix' => ['/my_app', '/my_app/foo', ['FOO' => 'value']];
+        yield 'remove trailing' => ['/my_app/', '/my_app/foo', ['FOO' => 'value']];
+        yield 'recursive' => [null, '/foo/bar', ['FOO_BAR' => 'value']];
+    }
+}
