Follow up PR to SSM migration (#1147)

* Changes the ssm credentials conventions * Refactors some code to be clearer * Fixup * Add a FIXME comment * Another fixup * Doublequote * fixup
airbnb · Feb 21, 2020 · 90c42f6 · 90c42f6
1 parent 8c79800
commit 90c42f6
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 25 deletions.
diff --git a/docs/source/outputs.rst b/docs/source/outputs.rst
@@ -53,15 +53,6 @@ For example:
 
   python manage.py output slack
 
-.. note::
-
-  If this is the first time you have configured new outputs via the cli, you may see this error for certain services:
-
-  `An error occurred while sending credentials to S3 for key '<SERVICE>/<KEY>' in bucket '<PREFIX>-streamalert-secrets': The specified bucket does not exist`.
-
-  If you encounter this error, first make sure you've followed the `Quick Start <getting-started.html#quick-start>`_ steps.
-  If you've already configured StreamAlert in the past, you may just have to run `python manage.py build`.
-  This ensures the S3 bucket used for storing encrypted secrets is created and only needs to be run once.
 
 The above command will then prompt the user for a ``descriptor`` to use for this configuration::
 

diff --git a/streamalert/alert_processor/outputs/credentials/provider.py b/streamalert/alert_processor/outputs/credentials/provider.py
@@ -363,7 +363,7 @@ def load_credentials(self, descriptor):
         Returns:
             Credentials: The loaded Credentials. None on failure
         """
-        parameter_name = self.get_parameter_name(descriptor)
+        parameter_name = self._get_parameter_name(descriptor)
         try:
             plaintext_creds = AwsSsm.get_parameter(parameter_name, self._region)
             credentials = Credentials(plaintext_creds, is_encrypted=False, region=self._region)
@@ -399,18 +399,31 @@ def save_credentials(self, descriptor, credentials, kms_key_alias):
             else credentials.data()
         )
 
-        parameter_name = self.get_parameter_name(descriptor)
+        parameter_name = self._get_parameter_name(descriptor)
 
         return AwsSsm.put_parameter(parameter_name, unencrypted_creds, self._region, kms_key_alias)
 
-    def get_parameter_prefix(self):
-        """Generate the parameter prefix from prefix and descriptor"""
-        return "{}_streamalert_secrets".format(self._prefix)
+    def _get_parameter_name(self, descriptor):
+        """
+        Returns the name of the AWS SSM Parameter Store parameter in which the current output
+        service stores its credentials.
+
+        FIXME (Ryxias) DRY out this SSM parameter name with what is configured in the
+          tf_alert_processor_iam Terraform module.
+
+        @see https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services
+                /ssm.html#SSM.Client.put_parameter
+
+        Params:
+            descriptor (str): Descriptor of current output
 
-    def get_parameter_name(self, descriptor):
-        parameter_prefix = self.get_parameter_prefix()
+        Returns:
+            str
+        """
         parameter_suffix = get_formatted_output_credentials_name(self._service_name, descriptor)
-        return '/{}/{}'.format(parameter_prefix, parameter_suffix)
+
+        # The leading forward slash character is intentional for parameters in a hierarchy
+        return "/{}/streamalert/outputs/{}".format(self._prefix, parameter_suffix)
 
 
 class LocalFileDriver(CredentialsProvidingDriver, FileDescriptorProvider, CredentialsCachingDriver):

diff --git a/terraform/modules/tf_alert_processor_iam/main.tf b/terraform/modules/tf_alert_processor_iam/main.tf
@@ -59,11 +59,12 @@ data "aws_iam_policy_document" "output_secrets" {
     resources = [var.kms_key_arn, var.sse_kms_key_arn]
   }
 
-  // Allow retrieving encrypted output secrets
+  # FIXME (Ryxias) DRY out this SSM parameter name with what is configured in the SSMDriver
+  # Allow retrieving encrypted output secrets
   statement {
     effect    = "Allow"
     actions   = ["ssm:GetParameter"]
-    resources = ["arn:aws:ssm:${var.region}:${var.account_id}:parameter/${var.prefix}_streamalert_secrets/*"]
+    resources = ["arn:aws:ssm:${var.region}:${var.account_id}:parameter/${var.prefix}/streamalert/outputs/*"]
   }
 }
 

diff --git a/tests/unit/streamalert/alert_processor/outputs/test_output_base.py b/tests/unit/streamalert/alert_processor/outputs/test_output_base.py
@@ -25,8 +25,6 @@
 )
 from requests.exceptions import Timeout as ReqTimeout
 
-from streamalert.alert_processor.outputs.credentials.provider import \
-    get_formatted_output_credentials_name
 from streamalert.alert_processor.outputs.output_base import (
     OutputDispatcher,
     OutputProperty,
@@ -168,10 +166,7 @@ def test_check_http_response(self, mock_response):
     @mock_kms
     def test_load_creds(self):
         """OutputDispatcher - Load Credentials"""
-        param_name = '/{}_streamalert_secrets/{}'.format(
-            PREFIX, get_formatted_output_credentials_name('test_service', self._descriptor)
-        )
-
+        param_name = '/{}/streamalert/outputs/test_service/desc_test'.format(PREFIX)
         creds = {
             'url': 'http://www.foo.bar/test',
             'token': 'token_to_encrypt'