Chef Infra, a powerful automation platform that transforms infrastructure into code automating how infrastructure is configured, deployed and managed across any environment, at any scale
While not often thought of as a "secrets manager," the AWS SSM Parameter Store is a pretty capable general-purpose key/value store that also has IAM-based access control. This makes it a great secrets manager for many and also a nice place to store configuration options if they need them accessible by other AWS services or don't want to put them directly into their Chef Infra Server.
The AWS cookbook has a resource to get/set these parameters, which is functional, but rather odd since it's a resource that fetches into the node state. We really just want a helper for fetching (not setting) that behaves similarly to the resource, but fetches directly w/o messing with the node.
Looking at the current API, it seems like we can probably consolidate things a bit. We currently have a get, get_parameters, and get_parameters_by_path action on the resource. We may be able to get away with either specifying a direct path to the parameter, in which case we return a string, or a path above that, where we'd return a hash of all the keys and values.
Also, we should just perform the function of the with_decryption property.
Definition of Done
Helper method for accessing ssm_parameter_store roughly matching the capabilities of the existing chef resource
Documentation on docs.chef.io
Helpers included in the chef vscode plugin via the method -> YARD -> vscode automation
So if not pulling down into node state, will there not be any form of caching? I'd be concerned at least with get_parameters_by_path depending on how many parameters there are if you are fetching on every access.
Here's the current resource: https://github.com/sous-chefs/aws#aws_ssm_parameter_store
More information on SSM Parameter Store: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html
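A sketch of the consolidated fetch-only helper discussed in this thread, added here as an example; it is not code from Chef Infra or the aws cookbook. The module, class and method names are hypothetical. It always requests decryption, returns a string for an exact parameter name or a hash for a path above it, and memoizes results in process memory for the life of the object so repeated access does not hit the API or touch node state.

```ruby
# Hypothetical helper; names are assumptions, not Chef or aws cookbook API.
module SsmParameterHelper
  # The real client is built lazily so a stub can be injected instead.
  def self.default_client
    require 'aws-sdk-ssm'
    Aws::SSM::Client.new
  end

  class Fetcher
    def initialize(client: nil)
      @client = client
      @cache = {} # in-memory only: path => String, Hash or nil
    end

    # Exact parameter name -> decrypted String.
    # Path above parameters -> Hash of { full_name => decrypted value }.
    # Nothing found -> nil.
    def fetch(path)
      return @cache[path] if @cache.key?(path)
      @cache[path] = lookup(path)
    end

    private

    def client
      @client ||= SsmParameterHelper.default_client
    end

    def lookup(path)
      # get_parameters lists unknown names in invalid_parameters rather than raising.
      direct = client.get_parameters(names: [path], with_decryption: true).parameters.first
      return direct.value if direct

      values = {}
      token = nil
      loop do
        args = { path: path, recursive: true, with_decryption: true }
        args[:next_token] = token if token
        page = client.get_parameters_by_path(**args)
        page.parameters.each { |p| values[p.name] = p.value }
        token = page.next_token
        break if token.nil? || token.empty?
      end
      values.empty? ? nil : values
    end
  end
end
```

The IAM role running the client needs ssm:GetParameters and ssm:GetParametersByPath on the paths involved, plus kms:Decrypt on the key for SecureString values.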