Updated as per ITS-2050

Pipfile

@@ -10,7 +10,6 @@ debugpy = "*"
 [packages]
 bs4 = "*"
 aiohttp = "*"
-requests = ">=2.31.0"
 boto3 = "*"
 gitpython = "*"
 google-api-python-client = "1.12.8"
@@ -19,6 +18,7 @@ ldap3 = "*"
 metadata-parser = "*"
 hvac = "*"
 squad-client = "*"
+requests = ">=2.31.0"
 
 [requires]
 python_version = "3.8"

generate_project_json.py

@@ -8,16 +8,31 @@
 from requests.auth import HTTPBasicAuth
 
 import json_generation_lib
-from linaro_vault_lib import get_vault_secret
+# from linaro_vault_lib import get_vault_secret
+import ssmparameterstorelib
 
 PI_SLUG = "Project Information"
 NESTING_LEVEL = 0
 
 
+# def initialise_ldap():
+#     """ Return a LDAP Connection. """
+#     username = "cn=bamboo-bind,ou=binders,dc=linaro,dc=org"
+#     password = get_vault_secret(f"secret/ldap/{username}")
+#     return Connection(
+#             'ldaps://login.linaro.org',
+#             user=username,
+#             password=password,
+#             auto_bind="DEFAULT"
+#         )
+
+
 def initialise_ldap():
     """ Return a LDAP Connection. """
     username = "cn=bamboo-bind,ou=binders,dc=linaro,dc=org"
-    password = get_vault_secret(f"secret/ldap/{username}")
+    password = ssmparameterstorelib.get_secret_from_ssm_parameter_store(
+        "/secret/ldap/bamboo-bind"
+    )
     return Connection(
             'ldaps://login.linaro.org',
             user=username,
@@ -26,10 +41,19 @@ def initialise_ldap():
         )
 
 
+# def initialise_auth():
+#     """ Return a HTTP Auth. """
+#     username = "it.support.bot"
+#     password = get_vault_secret(f"secret/ldap/{username}")
+#     return HTTPBasicAuth(username, password)
+
+
 def initialise_auth():
     """ Return a HTTP Auth. """
     username = "it.support.bot"
-    password = get_vault_secret(f"secret/ldap/{username}")
+    password = ssmparameterstorelib.get_secret_from_ssm_parameter_store(
+        f"/secret/ldap/{username}"
+    )
     return HTTPBasicAuth(username, password)
 
 

json_generation_lib.py

@@ -3,9 +3,10 @@
 import subprocess
 import sys
 import tempfile
+import ssmparameterstorelib
 
 from git.repo import Repo
-from linaro_vault_lib import get_vault_secret
+# from linaro_vault_lib import get_vault_secret
 
 def run_command(command):
     result = subprocess.run(
@@ -17,15 +18,33 @@ def run_command(command):
         sys.exit(1)
 
 
+# def run_git_command(command):
+#     # We do some funky stuff around the git command processing because we want
+#     # to keep the SSH key under tight control.
+#     # See https://stackoverflow.com/a/4565746/1233830
+
+#     # Fetch the SSH key from Vault and store it in a temporary file
+#     with tempfile.NamedTemporaryFile(mode='w+', delete=False) as pem_file:
+#         pem = get_vault_secret("secret/misc/linaro-build-github.pem",
+#                                iam_role="arn:aws:iam::968685071553:role/vault_jira_project_updater")
+#         pem_file.write(pem)
+#         pkf = pem_file.name
+
+#     git_cmd = 'ssh-add "%s"; %s' % (pkf, command)
+#     full_cmd = "ssh-agent bash -c '%s'" % git_cmd
+#     run_command(full_cmd)
+#     os.remove(pkf)
+
 def run_git_command(command):
     # We do some funky stuff around the git command processing because we want
     # to keep the SSH key under tight control.
     # See https://stackoverflow.com/a/4565746/1233830
 
-    # Fetch the SSH key from Vault and store it in a temporary file
+    # Fetch the SSH key from SSM Parameter Store and store it in a temporary file
     with tempfile.NamedTemporaryFile(mode='w+', delete=False) as pem_file:
-        pem = get_vault_secret("secret/misc/linaro-build-github.pem",
-                               iam_role="arn:aws:iam::968685071553:role/vault_jira_project_updater")
+        pem = ssmparameterstorelib.get_secret_from_ssm_parameter_store(
+            "secret/misc/linaro-build-github.pem"             
+        )
         pem_file.write(pem)
         pkf = pem_file.name
 

project_json_from_cloud.py

@@ -8,7 +8,8 @@
 # from requests.auth import HTTPBasicAuth
 
 import json_generation_lib
-from linaro_vault_lib import get_vault_secret
+# from linaro_vault_lib import get_vault_secret
+import ssmparameterstorelib
 
 ADDED_TO_JSON = {}
 
@@ -62,16 +63,31 @@
     "Project Membership": "project"
 }
 
+# def initialise_auth():
+#     """ Return encoded authentication """
+#     username = get_vault_secret(
+#         "secret/user/atlassian-cloud-it-support-bot",
+#         iam_role="arn:aws:iam::968685071553:role/vault_jira_project_updater",
+#         key="id")
+#     password = get_vault_secret(
+#         "secret/user/atlassian-cloud-it-support-bot",
+#         iam_role="arn:aws:iam::968685071553:role/vault_jira_project_updater",
+#         key="pw")
+#     # Construct a string of the form username:password
+#     combo = "%s:%s" % (username, password)
+#     # Encode it to Base64
+#     combo_bytes = combo.encode('ascii')
+#     base64_bytes = base64.b64encode(combo_bytes)
+#     return base64_bytes.decode('ascii')
+
 def initialise_auth():
     """ Return encoded authentication """
-    username = get_vault_secret(
-        "secret/user/atlassian-cloud-it-support-bot",
-        iam_role="arn:aws:iam::968685071553:role/vault_jira_project_updater",
-        key="id")
-    password = get_vault_secret(
-        "secret/user/atlassian-cloud-it-support-bot",
-        iam_role="arn:aws:iam::968685071553:role/vault_jira_project_updater",
-        key="pw")
+    username = ssmparameterstorelib.get_secret_from_ssm_parameter_store(
+        "/secret/user/atlassian-cloud-it-support-bot", key="id"
+    )
+    password = ssmparameterstorelib.get_secret_from_ssm_parameter_store(
+        "/secret/user/atlassian-cloud-it-support-bot", key="pw"
+    )
     # Construct a string of the form username:password
     combo = "%s:%s" % (username, password)
     # Encode it to Base64

rebuild_confluence_pages.py

@@ -12,7 +12,8 @@
 from ldap3 import SUBTREE, Connection
 from requests.auth import HTTPBasicAuth
 
-from linaro_vault_lib import get_vault_secret
+# from linaro_vault_lib import get_vault_secret
+import ssmparameterstorelib
 
 IMAGE_URL = "https://static.linaro.org/common/member-logos"
 SERVER = "https://linaro.atlassian.net/wiki"
@@ -124,28 +125,54 @@ def save_page(key, body):
         print("%s: Couldn't retrieve content" % key)
 
 
+# def initialise_ldap():
+#     """ Initialise a LDAP connection """
+#     global CONNECTION # pylint: disable=global-statement
+#     username = "cn=moinmoin,ou=binders,dc=linaro,dc=org"
+#     password = get_vault_secret("secret/ldap/{}".format(username),
+#                                 iam_role="arn:aws:iam::968685071553:role/vault_confluence_ldap_automation")
+#     CONNECTION = Connection(
+#             'ldaps://login.linaro.org',
+#             user=username,
+#             password=password,
+#             auto_bind="DEFAULT"
+#         )
+
+
 def initialise_ldap():
     """ Initialise a LDAP connection """
     global CONNECTION # pylint: disable=global-statement
     username = "cn=moinmoin,ou=binders,dc=linaro,dc=org"
-    password = get_vault_secret("secret/ldap/{}".format(username),
-                                iam_role="arn:aws:iam::968685071553:role/vault_confluence_ldap_automation")
+    password = ssmparameterstorelib.get_secret_from_ssm_parameter_store(
+         "/secret/ldap/moinmoin"         
+    )
     CONNECTION = Connection(
             'ldaps://login.linaro.org',
             user=username,
             password=password,
             auto_bind="DEFAULT"
         )
 
+# def initialise_confluence():
+#     """ Initialise the Confluence authentication """
+#     global AUTH # pylint: disable=global-statement
+#     username = get_vault_secret("secret/user/atlassian-cloud-it-support-bot",
+#                                 iam_role="arn:aws:iam::968685071553:role/vault_confluence_ldap_automation",
+#                                 key="id")
+#     password = get_vault_secret("secret/user/atlassian-cloud-it-support-bot",
+#                                 iam_role="arn:aws:iam::968685071553:role/vault_confluence_ldap_automation")
+#     AUTH = HTTPBasicAuth(username, password)
+
 
 def initialise_confluence():
     """ Initialise the Confluence authentication """
     global AUTH # pylint: disable=global-statement
-    username = get_vault_secret("secret/user/atlassian-cloud-it-support-bot",
-                                iam_role="arn:aws:iam::968685071553:role/vault_confluence_ldap_automation",
-                                key="id")
-    password = get_vault_secret("secret/user/atlassian-cloud-it-support-bot",
-                                iam_role="arn:aws:iam::968685071553:role/vault_confluence_ldap_automation")
+    username = ssmparameterstorelib.get_secret_from_ssm_parameter_store(
+        "/secret/user/atlassian-cloud-it-support-bot", key="id"
+    )
+    password = ssmparameterstorelib.get_secret_from_ssm_parameter_store(
+        "/secret/user/atlassian-cloud-it-support-bot"         
+    )
     AUTH = HTTPBasicAuth(username, password)
 
 

ssmparameterstorelib.py

@@ -0,0 +1,40 @@
+
+""" Script to retrieve parameter value from AWS Systems Manager Parameter Store"""
+import json
+import boto3
+
+ROLE_ARN = "arn:aws:iam::487149096843:role/ssm-parameter-store-access-role"
+
+def assume_role(session_name="CrossAccountSession"):
+    """Assume a role in Account 487149096843 and return temporary credentials"""
+    sts_client = boto3.client("sts")
+    assumed_role = sts_client.assume_role(
+        RoleArn=ROLE_ARN,
+        RoleSessionName=session_name
+    )
+    return assumed_role["Credentials"]
+
+def get_secret_from_ssm_parameter_store(parameter_name, key=None, with_decryption=True):
+    """Retrieve a parameter value from AWS Systems Manager Parameter Store"""
+    credentials = assume_role()
+    ssm_client = boto3.client(
+        "ssm",
+        region_name="us-east-1",
+        aws_access_key_id=credentials["AccessKeyId"],
+        aws_secret_access_key=credentials["SecretAccessKey"],
+        aws_session_token=credentials["SessionToken"]
+    )
+
+    # Get the parameter
+    response = ssm_client.get_parameter(
+        Name=parameter_name,
+        WithDecryption=with_decryption
+    )
+    parameter_value = response["Parameter"]["Value"]
+    data = json.loads(parameter_value)
+
+    # Return the "key" if passed, otherwise return "pw"
+    if key:
+        return data.get(key, None)
+    else:
+        return data.get("pw", None)

update_maintainers_json.py

@@ -5,7 +5,8 @@
 from googleapiclient.discovery import build
 
 import json_generation_lib
-from linaro_vault_lib import get_vault_secret
+# from linaro_vault_lib import get_vault_secret
+import ssmparameterstorelib
 
 nesting_level = 0
 SCOPES = [
@@ -48,13 +49,28 @@ def create_json_object(delegated_creds):
                 json_blob["maintainers_by_company"].append({"name": row[0], "num": row[1] })
     return json_blob
 
+# def initialise_auth():
+#     # Username (email) of user to run scripts as.
+#     username = "[email protected]"
+#     # Get the Google Service Account JSON blob
+#     google_service_account_json = json.loads(get_vault_secret(
+#         "secret/misc/google-gitmaintainerssync.json",
+#         iam_role="arn:aws:iam::968685071553:role/vault_jira_project_updater"))
+#     # Instantiate a new service account auth object
+#     service_account_auth = service_account.Credentials.from_service_account_info(
+#             google_service_account_json, scopes=SCOPES)
+#     delegated_creds = service_account_auth.with_subject(username)
+#     return delegated_creds
+
 def initialise_auth():
     # Username (email) of user to run scripts as.
     username = "[email protected]"
     # Get the Google Service Account JSON blob
-    google_service_account_json = json.loads(get_vault_secret(
-        "secret/misc/google-gitmaintainerssync.json",
-        iam_role="arn:aws:iam::968685071553:role/vault_jira_project_updater"))
+    google_service_account_json = json.loads(
+        ssmparameterstorelib.get_secret_from_ssm_parameter_store(
+            "/secret/misc/google-gitmaintainerssync.json"
+        )
+    )
     # Instantiate a new service account auth object
     service_account_auth = service_account.Credentials.from_service_account_info(
             google_service_account_json, scopes=SCOPES)

update_members.py

@@ -24,19 +24,34 @@
 import requests
 from git.repo import Repo
 from ldap3 import SUBTREE, Connection
-from linaro_vault_lib import get_vault_secret
+# from linaro_vault_lib import get_vault_secret
+import ssmparameterstorelib
 
 IMAGE_URL = "https://static.linaro.org/common/member-logos"
 GOT_ERROR = False
 INVALIDATE_CACHE = False
 
 
+# def initialise_ldap():
+#     """ Return a LDAP Connection """
+#     username = "cn=update-members,ou=binders,dc=linaro,dc=org"
+#     password = get_vault_secret(
+#         "secret/ldap/{}".format(username),
+#         iam_role="arn:aws:iam::968685071553:role/vault_update_members")
+#     return Connection(
+#             'ldaps://login.linaro.org',
+#             user=username,
+#             password=password,
+#             auto_bind="DEFAULT"
+#         )
+
+
 def initialise_ldap():
     """ Return a LDAP Connection """
     username = "cn=update-members,ou=binders,dc=linaro,dc=org"
-    password = get_vault_secret(
-        "secret/ldap/{}".format(username),
-        iam_role="arn:aws:iam::968685071553:role/vault_update_members")
+    password = ssmparameterstorelib.get_secret_from_ssm_parameter_store(
+        "/secret/ldap/update-members"
+    )
     return Connection(
             'ldaps://login.linaro.org',
             user=username,