From 29438c5f5f97a8c8beddf7c802cf1800165bfde9 Mon Sep 17 00:00:00 2001 From: Safeer Jiwan Date: Wed, 26 Jun 2024 18:02:49 -0700 Subject: [PATCH] fix: add an FTL tag and filter ASM secrets (#1888) Fixes #1876 --- common/configuration/asm_leader.go | 12 +++++++++++- common/configuration/asm_test.go | 7 +++++++ 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/common/configuration/asm_leader.go b/common/configuration/asm_leader.go index 1e171a8c73..59b78ea258 100644 --- a/common/configuration/asm_leader.go +++ b/common/configuration/asm_leader.go @@ -19,6 +19,7 @@ import ( ) const asmLeaderSyncInterval = time.Minute * 5 +const asmTagKey = "ftl" type asmLeader struct { client *secretsmanager.Client @@ -54,6 +55,9 @@ func (l *asmLeader) sync(ctx context.Context, secrets *xsync.MapOf[Ref, cachedSe out, err := l.client.ListSecrets(ctx, &secretsmanager.ListSecretsInput{ MaxResults: aws.Int32(100), NextToken: nextToken.Ptr(), + Filters: []types.Filter{ + {Key: types.FilterNameStringTypeTagKey, Values: []string{asmTagKey}}, + }, }) if err != nil { return fmt.Errorf("unable to get list of secrets from ASM: %w", err) @@ -100,7 +104,10 @@ func (l *asmLeader) sync(ctx context.Context, secrets *xsync.MapOf[Ref, cachedSe } } out, err := l.client.BatchGetSecretValue(ctx, &secretsmanager.BatchGetSecretValueInput{ - SecretIdList: secretIDs, + Filters: []types.Filter{ + {Key: types.FilterNameStringTypeName, Values: secretIDs}, + {Key: types.FilterNameStringTypeTagKey, Values: []string{asmTagKey}}, + }, }) if err != nil { return fmt.Errorf("unable to get batch of secret values from ASM: %w", err) @@ -149,6 +156,9 @@ func (l *asmLeader) store(ctx context.Context, ref Ref, value []byte) (*url.URL, _, err := l.client.CreateSecret(ctx, &secretsmanager.CreateSecretInput{ Name: aws.String(ref.String()), SecretString: aws.String(string(value)), + Tags: []types.Tag{ + {Key: aws.String(asmTagKey), Value: aws.String(ref.Module.Default(""))}, + }, }) // https://github.com/aws/aws-sdk-go-v2/issues/1110#issuecomment-1054643716 diff --git a/common/configuration/asm_test.go b/common/configuration/asm_test.go index 2b46c4477b..0c3db22835 100644 --- a/common/configuration/asm_test.go +++ b/common/configuration/asm_test.go @@ -22,6 +22,7 @@ import ( "github.com/aws/aws-sdk-go-v2/config" "github.com/aws/aws-sdk-go-v2/credentials" "github.com/aws/aws-sdk-go-v2/service/secretsmanager" + "github.com/aws/aws-sdk-go-v2/service/secretsmanager/types" ) func localstack(ctx context.Context, t *testing.T) (*ASM, *asmLeader, *secretsmanager.Client, *clock.Mock) { @@ -208,6 +209,9 @@ func testClientSync(ctx context.Context, _, err = sm.CreateSecret(ctx, &secretsmanager.CreateSecretInput{ Name: aws.String(smRef.String()), SecretString: aws.String(jsonString(t, "sm-first")), + Tags: []types.Tag{ + {Key: aws.String(asmTagKey), Value: aws.String(smRef.Module.Default(""))}, + }, }) assert.NoError(t, err, "failed to create secret via sm") waitForUpdatesToProcess(cache) @@ -233,6 +237,9 @@ func testClientSync(ctx context.Context, _, err = sm.CreateSecret(ctx, &secretsmanager.CreateSecretInput{ Name: aws.String(smClientRef.String()), SecretString: aws.String(jsonString(t, "sm-client-first")), + Tags: []types.Tag{ + {Key: aws.String(asmTagKey), Value: aws.String(smClientRef.Module.Default(""))}, + }, }) assert.NoError(t, err, "failed to create secret via sm") _, err = client.store(ctx, smClientRef, jsonBytes(t, "sm-client-second"))