Skip to content

Commit

Permalink
Merge pull request #896 from dsalaza4/main
Browse files Browse the repository at this point in the history 
feat(back): #889 support retries
  • Loading branch information
@dsalaza4
dsalaza4 authored Sep 6, 2022
2 parents 4c3a326 + c1f0691 commit 4710c73
Show file tree
Hide file tree
Showing 4 changed files with 46 additions and 9 deletions.
7 changes: 7 additions & 0 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2285,6 +2285,11 @@ Types:
Duration in seconds of the session.
Defaults to `3600`.
- retries (`ints.positive`): Optional.
Number of login retries before failing.
One retry per second.
Defaults to `15`.
Example `makes.nix`:
```nix
Expand All @@ -2298,10 +2303,12 @@ Example `makes.nix`:
makesDev = {
roleArn = "arn:aws:iam::123456789012:role/dev";
duration = 3600;
retries = 30;
};
makesProd = {
roleArn = "arn:aws:iam::123456789012:role/prod";
duration = 7200;
retries = 30;
};
};
lintTerraform = {
Expand Down
2 changes: 2 additions & 0 deletions src/args/make-secret-for-aws-from-gitlab/default.nix
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,12 +6,14 @@
}: {
duration,
name,
retries,
roleArn,
}:
makeTemplate {
replace = {
__argDuration__ = duration;
__argName__ = toDerivationName name;
__argRetries__ = retries;
__argRoleArn__ = roleArn;
};
name = "make-secret-for-aws-from-gitlab-for-${name}";
Expand Down
32 changes: 27 additions & 5 deletions src/args/make-secret-for-aws-from-gitlab/template.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,22 +8,44 @@ function _get_credential {
}

function login {
# AWS STS args
local args=(
--role-arn "${1}"
--role-session-name "gitlab-${CI_PROJECT_ID}-${CI_PIPELINE_ID}-${CI_JOB_ID}"
--web-identity-token "${CI_JOB_JWT_V2}"
--duration-seconds "${2}"
)

# Retry logic
local retries="__argRetries__"
local wait="1"
local try="1"
local success="1"

# Session variables
local session
export AWS_ACCESS_KEY_ID
export AWS_SECRET_ACCESS_KEY
export AWS_SESSION_TOKEN

: \
&& session="$(aws sts assume-role-with-web-identity "${args[@]}")" \
&& AWS_ACCESS_KEY_ID="$(_get_credential "AccessKeyId" "${session}")" \
&& AWS_SECRET_ACCESS_KEY="$(_get_credential "SecretAccessKey" "${session}")" \
&& AWS_SESSION_TOKEN="$(_get_credential "SessionToken" "${session}")"
&& while [ "${try}" -le "${retries}" ]; do
if session="$(aws sts assume-role-with-web-identity "${args[@]}" 2> /dev/null)"; then
success="0" \
&& break
else
info "Login failed. Attempt ${try} of ${retries}." \
&& sleep "${wait}" \
&& try=$((try + 1))
fi
done \
&& if [ "${success}" == "0" ]; then
AWS_ACCESS_KEY_ID="$(_get_credential "AccessKeyId" "${session}")" \
&& AWS_SECRET_ACCESS_KEY="$(_get_credential "SecretAccessKey" "${session}")" \
&& AWS_SESSION_TOKEN="$(_get_credential "SessionToken" "${session}")"
else
error "Could not login to AWS."
fi
}

function main {
Expand All @@ -33,7 +55,7 @@ function main {
info "Logging in as '__argName__' using GitLab OIDC." \
&& login "__argRoleArn__" "__argDuration__"
else
warn "Looks like this job is not running on GitLab CI. Skipping."
warn "It looks like this job is not running on GitLab CI. Skipping."
fi
}

Expand Down
14 changes: 10 additions & 4 deletions src/evaluator/modules/secrets-for-aws-from-gitlab/default.nix
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,23 +9,29 @@
}: let
type = lib.types.submodule (_: {
options = {
roleArn = lib.mkOption {
type = lib.types.str;
};
duration = lib.mkOption {
default = 3600;
type = lib.types.ints.positive;
};
retries = lib.mkOption {
default = 15;
type = lib.types.ints.positive;
};
roleArn = lib.mkOption {
type = lib.types.str;
};
};
});
output = name: {
roleArn,
duration,
retries,
roleArn,
}: {
name = "/secretsForAwsFromGitlab/${name}";
value = makeSecretForAwsFromGitlab {
inherit duration;
inherit name;
inherit retries;
inherit roleArn;
};
};
Expand Down

0 comments on commit 4710c73

Please sign in to comment.