cc74ef8471
When constructing a Deployment (which is a plaintext representation of a Snapshot), ensure that we encrypt secret values. To do so, we introduce a new type `secrets.Manager` which is able to encrypt and decrypt values. In addition, it is able to reflect information about itself that can be stored in the deployment such that we can deserialize the deployment into a snapshot (decrypting the values in the process) without external knowledge about how it was encrypted. The ability to do this is import for allowing stack references to work, since two stacks may not use the same manager (or they will use the same type of manager, but have different state). The state value is stored in plaintext in the deployment, so it **must not** contain sensitive data. A sample manager, which just base64 encodes and decodes strings is provided, as it useful for testing. We will allow it to be varried soon.
70 lines
2.4 KiB
Go
70 lines
2.4 KiB
Go
// Copyright 2016-2018, Pulumi Corporation.
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package httpstate
|
|
|
|
import (
|
|
"context"
|
|
|
|
"github.com/pkg/errors"
|
|
"github.com/pulumi/pulumi/pkg/backend"
|
|
"github.com/pulumi/pulumi/pkg/backend/httpstate/client"
|
|
"github.com/pulumi/pulumi/pkg/resource/deploy"
|
|
"github.com/pulumi/pulumi/pkg/resource/stack"
|
|
"github.com/pulumi/pulumi/pkg/secrets"
|
|
)
|
|
|
|
// cloudSnapshotPersister persists snapshots to the Pulumi service.
|
|
type cloudSnapshotPersister struct {
|
|
context context.Context // The context to use for client requests.
|
|
update client.UpdateIdentifier // The UpdateIdentifier for this update sequence.
|
|
tokenSource *tokenSource // A token source for interacting with the service.
|
|
backend *cloudBackend // A backend for communicating with the service
|
|
sm secrets.Manager
|
|
}
|
|
|
|
func (persister *cloudSnapshotPersister) Invalidate() error {
|
|
token, err := persister.tokenSource.GetToken()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
return persister.backend.client.InvalidateUpdateCheckpoint(persister.context, persister.update, token)
|
|
}
|
|
|
|
func (persister *cloudSnapshotPersister) Save(snapshot *deploy.Snapshot) error {
|
|
token, err := persister.tokenSource.GetToken()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
deployment, err := stack.SerializeDeployment(snapshot, persister.sm)
|
|
if err != nil {
|
|
return errors.Wrap(err, "serializing deployment")
|
|
}
|
|
return persister.backend.client.PatchUpdateCheckpoint(persister.context, persister.update, deployment, token)
|
|
}
|
|
|
|
var _ backend.SnapshotPersister = (*cloudSnapshotPersister)(nil)
|
|
|
|
func (cb *cloudBackend) newSnapshotPersister(ctx context.Context, update client.UpdateIdentifier,
|
|
tokenSource *tokenSource, sm secrets.Manager) *cloudSnapshotPersister {
|
|
return &cloudSnapshotPersister{
|
|
context: ctx,
|
|
update: update,
|
|
tokenSource: tokenSource,
|
|
backend: cb,
|
|
sm: sm,
|
|
}
|
|
}
|