Implemented update functionality (#26)

* test environment (#16) * Build release (#17) * test environment * add space * fix test * debug worfklow * rebuild * test exit codes * test exit codes (#19) * test exit codes * test exit codes * List secrets (#14) * add protos * add list to server and client * add clarifying content * add INFO * Implemented update functionality * checkout main build-nonprod * fix formatting Co-authored-by: alxk <alex@kaskaso.li>
ovotech · Jul 1, 2021 · ea63771 · ea63771
1 parent f016871
commit ea63771
Show file tree

Hide file tree

Showing 7 changed files with 310 additions and 35 deletions.
diff --git a/client/cmd/main.go b/client/cmd/main.go
@@ -48,18 +48,24 @@ var (
 		"The k8s service account that requires access to the secret.",
 	)
 
+	updateSecretCmd   = flag.NewFlagSet("update", flag.ExitOnError)
+	updateSecretName  = updateSecretCmd.String("name", "", "The name of the secret to update.")
+	updateSecretValue = updateSecretCmd.String("value", "", "The new value of the secret.")
+
 	deleteSecretCmd    = flag.NewFlagSet("delete", flag.ExitOnError)
 	deleteSecretName   = deleteSecretCmd.String("name", "", "The name of the secret.")
 	deleteSecretPolicy = deleteSecretCmd.Bool(
 		"policy",
 		false,
 		"Delete the AWS IAM policy for reading this secret.",
 	)
+
 	subcommands = map[string]*flag.FlagSet{
 		pingCmd.Name():         pingCmd,
 		createSecretCmd.Name(): createSecretCmd,
 		listSecretsCmd.Name():  listSecretsCmd,
 		bindSecretCmd.Name():   bindSecretCmd,
+		updateSecretCmd.Name(): updateSecretCmd,
 		deleteSecretCmd.Name(): deleteSecretCmd,
 	}
 )
@@ -120,6 +126,11 @@ func main() {
 			*bindSecretName,
 			*bindSecretServiceAccount,
 		)
+	case "update":
+		if *updateSecretName == "" || *updateSecretValue == "" {
+			log.Fatalf("[ERROR] -name and -value are required, see help for more details.")
+		}
+		client.UpdateSecret(kissClient, timeout, namespace, *updateSecretName, *updateSecretValue)
 	case "delete":
 		if *deleteSecretName == "" {
 			log.Fatalf("[ERROR] -name is required, see help for more details.")

diff --git a/client/update_secret.go b/client/update_secret.go
@@ -0,0 +1,29 @@
+package client
+
+import (
+	"context"
+	"log"
+	"time"
+
+	pb "github.com/ovotech/kiss/proto"
+)
+
+func UpdateSecret(client pb.KISSClient, timeout time.Duration, namespace, name, value string) {
+	log.Println("[DEBUG] Updating secret...")
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	_, err := client.UpdateSecret(
+		ctx,
+		&pb.UpdateSecretRequest{
+			Metadata: &pb.ClientMeta{Namespace: namespace},
+			Name:     name,
+			Value:    value,
+		},
+	)
+	if err != nil {
+		log.Fatalf("[ERROR] Error occurred while updating secret: %v\n", err)
+	} else {
+		log.Println("[INFO] Successfully updated secret")
+	}
+}
diff --git a/pkg/aws/secretmanager.go b/pkg/aws/secretmanager.go
@@ -157,6 +157,48 @@ func (m *Manager) isManagedSecret(secretOutput *sm.DescribeSecretOutput) bool {
 	return false
 }
 
+// Update a secret with the given string value in the namespace provided.
+func (m *Manager) UpdateSecret(namespace, name, value string) error {
+	secret, err := m.GetSecret(
+		namespace,
+		name,
+	)
+	if err != nil {
+		return err
+	}
+
+	if !m.isManagedSecret(secret) {
+		return &awserrors.AWSError{
+			Code:    awserrors.NotManagedErrorCode,
+			Message: "The secret is not managed by KISS",
+		}
+	}
+
+	_, err = m.smclient.UpdateSecret(
+		m.ctx,
+		&sm.UpdateSecretInput{SecretId: secret.Name, SecretString: &value},
+	)
+
+	if err != nil {
+		var ae smithy.APIError
+		if errors.As(err, &ae) && ae.ErrorCode() == "ResourceNotFoundException" {
+			return &awserrors.AWSError{
+				Code:    awserrors.AlreadyExistsErrorCode,
+				Message: "A resource with this name already exists.",
+			}
+		}
+		if errors.As(err, &ae) && ae.ErrorCode() == "InvalidRequestException" {
+			return &awserrors.AWSError{
+				Code:    awserrors.InvalidRequestErrorCode,
+				Message: ae.ErrorMessage(),
+			}
+		}
+		return &awserrors.AWSError{Code: awserrors.OtherErrorCode, Message: err.Error()}
+	}
+
+	return nil
+}
+
 // Delete a secret with the given name.
 func (m *Manager) DeleteSecret(namespace, name string) error {
 	secret, err := m.GetSecret(

diff --git a/proto/resources.pb.go b/proto/resources.pb.go
diff --git a/proto/resources.proto b/proto/resources.proto
@@ -16,6 +16,7 @@ service KISS {
     rpc CreateSecret(CreateSecretRequest) returns (CreateSecretResponse) {}
     rpc ListSecrets(ListSecretsRequest) returns (ListSecretsResponse) {}
     rpc DeleteSecret(DeleteSecretRequest) returns (DeleteSecretResponse) {}
+    rpc UpdateSecret(UpdateSecretRequest) returns (UpdateSecretResponse) {}
     rpc BindSecret(BindSecretRequest) returns (BindSecretResponse) {}
     rpc CreateSecretIAMPolicy(CreateSecretIAMPolicyRequest) returns (CreateSecretIAMPolicyResponse) {}
     rpc DeleteSecretIAMPolicy(DeleteSecretIAMPolicyRequest) returns (DeleteSecretIAMPolicyResponse) {}
@@ -58,6 +59,14 @@ message CreateSecretIAMPolicyRequest {
 
 message CreateSecretIAMPolicyResponse {}
 
+message UpdateSecretRequest {
+    ClientMeta metadata = 1;
+    string name = 2;
+    string value = 3;
+}
+
+message UpdateSecretResponse {}
+
 message DeleteSecretRequest {
     ClientMeta metadata = 1;
     string name = 2;