
Enhanced Storage Classes

Open ambsw-technology opened this issue 5 years ago • 0 comments

This PR is built on #18 (for easy merging) but is mostly unrelated. It introduces a variety of improvements to the storage engines (i.e. YAMLFile and ParameterStore) with related changes to the CLI experience:

  • YAMLFile accepts a root_path kwarg (default=/, env variable SSM_YAML_ROOT). The root of the YAML file will be equivalent to this path in the Parameter Store when reading and writing (closes #11).
  • ParameterStore accepts a no_secure kwarg (default=False, env variable SSM_NO_SECURE). If true, it will not request secure parameters from ParameterStore (closes #13)
  • ParameterStore coerces basic types (e.g. int, float, NoneType) so a YAML integer and SSM string are recognized as a match if they're otherwise equal.
  • ParameterStore now supports the StringList type (i.e. a list of strings) and is more aggressive about type checking.
  • The -p flag has been converted to the env variable SSM_PATHS to increase safety (resolves #15). The env variable accepts : and ; as separators (the kwarg expects a tuple/list/set).

However, the more significant improvement is the introduction of metadata in the YAML files. YAML files now store the root_path, paths and no_secure settings used to generate them. If a subsequent command attempts to use the file with incompatible configurations, it will throw an exception.

This is a more general solution to my concerns in #15. It can be extended to cover all relevant parameters, whether used through the CLI or programmatically. For example, it prevents the following sequence of events:

> set SSM_PATHS=/my/deep/path
> ssm-diff init
# close the command prompt and reopen, implicitly resetting the PATHS env variable:
> set SSM_PATHS=/
# anything outside /my/deep/path would be deleted
> ssm-diff apply
ValueError: Path / was not included in this file when it was created.

However, it's smart enough to permit subsets of the original scope:

> set PATHS=/
> ssm-diff init
# because this path is contained in our original scope, it's "safe" to update that branch
> set PATHS=/test
# change /other/key and /test/child/key
# PATHS continues to limit updates to the relevant branch
> ssm-diff plan
~/test/child/key:
        < original
        > changed

P.S. This PR may contain small fixes to previous PRs.

EDIT: Encapsulated the type checking and coercion in ParameterStore. I had originally implemented it in the DiffResolver, but realized that ParameterStore is really the limiting factor here. In theory, you could use the DiffResolver with a less restrictive endpoint (Azure? Vault? AWS Secrets?) and might want different coercion and type checking.

ambsw-technology, May 01 '19 20:05
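The two behaviours the PR describes, the metadata scope check (a later command may only touch paths contained in the scope the file was created with) and the coercion of SSM strings to the YAML value's type, as an added illustration. This is not ssm-diff's own code: the function names, the `SSM_NO_SECURE` truthy values, the rule that `no_secure` and `root_path` must match exactly, the treatment of `"None"`/`"null"` as `NoneType`, and the comma-separated `StringList` encoding are assumptions made here to show the idea.

```python
"""Added illustration (not ssm-diff's own code) of scope metadata and type coercion."""
import os
from dataclasses import dataclass
from typing import Any, Mapping, Optional, Tuple


def normalize(path: str) -> str:
    """One leading slash, no trailing slash; '/' stays '/'."""
    return "/" + path.strip().strip("/")


def parse_paths(value: str) -> Tuple[str, ...]:
    """Split an SSM_PATHS-style value on ':' or ';'; empty means the root."""
    parts = [p for p in value.replace(";", ":").split(":") if p.strip()]
    return tuple(normalize(p) for p in parts) or ("/",)


def is_within(path: str, scope: str) -> bool:
    """True when `path` is `scope` itself or a descendant (whole-segment prefix, so /testing is not under /test)."""
    path, scope = normalize(path), normalize(scope)
    return scope == "/" or path == scope or path.startswith(scope + "/")


@dataclass(frozen=True)
class FileMetadata:
    """Settings recorded in the YAML file when it was generated."""
    root_path: str
    paths: Tuple[str, ...]
    no_secure: bool


def metadata_from_env(environ: Optional[Mapping[str, str]] = None) -> FileMetadata:
    """Build the requested settings from the env variables the PR introduces (truthy values are an assumption)."""
    env = os.environ if environ is None else environ
    return FileMetadata(
        root_path=normalize(env.get("SSM_YAML_ROOT", "/")),
        paths=parse_paths(env.get("SSM_PATHS", "")),
        no_secure=env.get("SSM_NO_SECURE", "").strip().lower() in ("1", "true", "yes"),
    )


def check_compatible(stored: FileMetadata, requested: FileMetadata) -> bool:
    """Raise ValueError unless every requested path lies inside the stored scope and the other settings match."""
    if requested.root_path != stored.root_path:
        raise ValueError(f"Root path {requested.root_path} differs from {stored.root_path} used when this file was created.")
    if requested.no_secure != stored.no_secure:
        raise ValueError("no_secure differs from the setting used when this file was created.")
    for path in requested.paths:
        # subsets of the original scope are allowed: /test is fine when the file was built from /
        if not any(is_within(path, scope) for scope in stored.paths):
            raise ValueError(f"Path {path} was not included in this file when it was created.")
    return True


def coerce_like(yaml_value: Any, ssm_value: str) -> Any:
    """Coerce the string SSM returned to the type of the YAML value; unknown types are rejected, not guessed."""
    if yaml_value is None:  # assumption: SSM cannot store an empty string, so a sentinel word is used
        return None if ssm_value.strip().lower() in ("none", "null") else ssm_value
    if isinstance(yaml_value, int) and not isinstance(yaml_value, bool):
        try:
            return int(ssm_value)
        except ValueError:
            return ssm_value  # not an int: leave it so the comparison fails instead of crashing
    if isinstance(yaml_value, float):
        try:
            return float(ssm_value)
        except ValueError:
            return ssm_value
    if isinstance(yaml_value, list):
        # StringList: every YAML member must be a string; SSM stores it comma-separated (assumption)
        if not all(isinstance(item, str) for item in yaml_value):
            raise TypeError("StringList members must all be strings")
        return ssm_value.split(",")
    if isinstance(yaml_value, str):
        return ssm_value
    raise TypeError(f"Unsupported YAML type for SSM: {type(yaml_value).__name__}")


def values_match(yaml_value: Any, ssm_value: str) -> bool:
    """Equality after coercion, so YAML 42 and SSM "42" are recognized as a match."""
    return coerce_like(yaml_value, ssm_value) == yaml_value


if __name__ == "__main__":
    # constructed scenario mirroring the PR description: file built with /my/deep/path, apply requested with /
    stored = FileMetadata(root_path="/", paths=("/my/deep/path",), no_secure=False)
    try:
        check_compatible(stored, metadata_from_env({"SSM_PATHS": "/"}))
    except ValueError as exc:
        print("ValueError:", exc)
    print(values_match(42, "42"), values_match(["a", "b"], "a,b"))
```

The scope check compares whole path segments, so a request for `/testing` is not accepted as a subset of `/test`; `check_compatible` runs before anything is read or written, which is what turns the accidental wide `apply` in the description into an exception rather than a deletion.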