Support retrieving secrets from SSM Parameter Store

Nish Bhat · Nish Bhat · commit e59db223295e · 2019-10-25T14:10:49.000-07:00
diff --git a/clrenv/lazy_env.py b/clrenv/lazy_env.py
@@ -6,15 +6,13 @@
 from itertools import chain, groupby
 import shlex
 import sys
-import types
 
 from munch import Munch, munchify
 import yaml
 
 from .path import find_environment_path, find_user_environment_paths
 from functools import reduce
 
-
 class LazyEnv(object):
     def __init__(self):
         self.__mode = tuple(shlex.split(environ.get('CLRENV_MODE', '')))
@@ -152,6 +150,14 @@ def _get_keyfile_cache():
         _kf_dict_cache = clrypt.read_file_as_dict('keys', 'keys')
     return _kf_dict_cache
 
+_ssm_client = None
+def _get_ssm_client():
+    import boto3
+    global _ssm_client
+    if not _ssm_client:
+        _ssm_client = boto3.client('ssm')
+    return _ssm_client
+
 def _clear_keyfile_cache():
     global _kf_dict_cache
     _kf_dict_cache = {}
@@ -162,19 +168,26 @@ def _apply_functions(d, recursive=False):
 
       ^function rest
 
-    Currently, the only function available is `keyfile', which attempts
-    to replace with a value from the currently loaded keyfile."""
+    Available functions:
+      ^keyfile: Looks up the given value in the current environment's clrypt keyfile.
+      ^parameter: Looks up the given value in AWS Parameter store.
+    """
     new = Munch()
 
-    for k, v in list(d.items()):
-        if isinstance(v, dict):
-            v = _apply_functions(v, recursive=True)
-        elif isinstance(v, str):
-            if v.startswith('^keyfile '):
-                v = v[9:]
-                v = _get_keyfile_cache().get(v, '')
-
-        new[k] = v
+    for key, value in list(d.items()):
+        if isinstance(value, dict):
+            value = _apply_functions(value, recursive=True)
+        elif isinstance(value, str):
+            if value.startswith('^keyfile '):
+                value = value[9:]
+                value = _get_keyfile_cache().get(value, '')
+            elif value.startswith("^parameter "):
+                value = value.split(' ', 1)[1]
+                value = _get_ssm_client().get_parameter(
+                    Name=value,
+                    WithDecryption=True
+                )['Parameter']['Value']
+        new[key] = value
 
     if not recursive:
         # Cache no longer needed, clear encrypted data.
diff --git a/requirements.txt b/requirements.txt
@@ -1,4 +1,5 @@
 PyYAML==4.2b1
 munch==2.2.0
 future==0.16.0
+boto3==1.5.36
 -e git+https://github.com/ColorGenomics/clrypt.git@v0.1.6#egg=clrypt
