From bc11cc5045272b08716be5b3995b31701089eaf1 Mon Sep 17 00:00:00 2001 From: Pavel Salamon Date: Fri, 2 Feb 2024 11:05:15 +0100 Subject: [PATCH 1/6] aws secrets provider --- project/Dependencies.scala | 6 ++ server/src/main/resources/reference.conf | 4 ++ .../scala/za/co/absa/atum/server/Main.scala | 2 + .../api/database/TransactorProvider.scala | 13 ++++- .../atum/server/aws/AwsSecretsProvider.scala | 48 ++++++++++++++++ .../absa/atum/server/config/AwsConfig.scala | 29 ++++++++++ .../server/{api => }/ConfigProviderSpec.scala | 2 +- .../CreatePartitioningIfNotExistsSpec.scala | 3 +- .../runs/functions/WriteCheckpointSpec.scala | 3 +- .../server/aws/AwsSecretsProviderSpec.scala | 57 +++++++++++++++++++ 10 files changed, 161 insertions(+), 6 deletions(-) create mode 100644 server/src/main/scala/za/co/absa/atum/server/aws/AwsSecretsProvider.scala create mode 100644 server/src/main/scala/za/co/absa/atum/server/config/AwsConfig.scala rename server/src/test/scala/za/co/absa/atum/server/{api => }/ConfigProviderSpec.scala (96%) create mode 100644 server/src/test/scala/za/co/absa/atum/server/aws/AwsSecretsProviderSpec.scala diff --git a/project/Dependencies.scala b/project/Dependencies.scala index cf6de2eb0..99f030b97 100644 --- a/project/Dependencies.scala +++ b/project/Dependencies.scala @@ -64,6 +64,8 @@ object Dependencies { val playJson = "2.9.4" val postgresql = "42.5.4" + + val awssdk = "2.23.15" } private def limitVersion(version: String, parts: Int): String = { @@ -153,6 +155,9 @@ object Dependencies { // Fa-db lazy val faDbDoobie = faDbOrg %% "doobie" % Versions.fadb + // aws + lazy val awsSdk = "software.amazon.awssdk" % "aws-sdk-java" % Versions.awssdk + // testing lazy val zioTest = zioOrg %% "zio-test" % Versions.zio % Test lazy val zioTestSbt = zioOrg %% "zio-test-sbt" % Versions.zio % Test @@ -172,6 +177,7 @@ object Dependencies { tapirSwagger, tapirPlayJson, playJson, + awsSdk, zioTest, zioTestSbt, zioTestJunit, diff --git a/server/src/main/resources/reference.conf b/server/src/main/resources/reference.conf index 7dabe41e0..7091aa556 100644 --- a/server/src/main/resources/reference.conf +++ b/server/src/main/resources/reference.conf @@ -1,4 +1,8 @@ { + aws { + region = "af-south-1" + serviceUserSecretKey = "serviceUserSecretKey" + } logger { # This format includes timestamp, level, thread (fiberId), message, and cause format = "%label{timestamp}{%fixed{32}{%timestamp}} %label{level}{%level} %label{thread}{%fiberId} %label{class}{%name:%line} %label{message}{%message} %label{cause}{%cause}" diff --git a/server/src/main/scala/za/co/absa/atum/server/Main.scala b/server/src/main/scala/za/co/absa/atum/server/Main.scala index 9c0d21d0d..57c8c9071 100644 --- a/server/src/main/scala/za/co/absa/atum/server/Main.scala +++ b/server/src/main/scala/za/co/absa/atum/server/Main.scala @@ -22,6 +22,7 @@ import za.co.absa.atum.server.api.database.runs.functions.{CreatePartitioningIfN import za.co.absa.atum.server.api.http.Server import za.co.absa.atum.server.api.repository.{CheckpointRepositoryImpl, PartitioningRepositoryImpl} import za.co.absa.atum.server.api.service.{CheckpointServiceImpl, PartitioningServiceImpl} +import za.co.absa.atum.server.aws.AwsSecretsProviderImpl import zio.config.typesafe.TypesafeConfigProvider import zio.logging.consoleLogger import zio._ @@ -43,6 +44,7 @@ object Main extends ZIOAppDefault with Server { WriteCheckpoint.layer, PostgresDatabaseProvider.layer, TransactorProvider.layer, + AwsSecretsProviderImpl.layer, zio.Scope.default ) diff --git a/server/src/main/scala/za/co/absa/atum/server/api/database/TransactorProvider.scala b/server/src/main/scala/za/co/absa/atum/server/api/database/TransactorProvider.scala index c77ab26f6..093fe8aad 100644 --- a/server/src/main/scala/za/co/absa/atum/server/api/database/TransactorProvider.scala +++ b/server/src/main/scala/za/co/absa/atum/server/api/database/TransactorProvider.scala @@ -18,16 +18,22 @@ package za.co.absa.atum.server.api.database import com.zaxxer.hikari.HikariConfig import doobie.hikari.HikariTransactor -import za.co.absa.atum.server.config.PostgresConfig +import za.co.absa.atum.server.aws.AwsSecretsProvider +import za.co.absa.atum.server.config.{AwsConfig, PostgresConfig} import zio.Runtime.defaultBlockingExecutor import zio._ import zio.interop.catz._ object TransactorProvider { - val layer: ZLayer[Any with Scope, Throwable, HikariTransactor[Task]] = ZLayer { + val layer: ZLayer[Any with Scope with AwsSecretsProvider, Throwable, HikariTransactor[Task]] = ZLayer { for { postgresConfig <- ZIO.config[PostgresConfig](PostgresConfig.config) + awsConfig <- ZIO.config[AwsConfig](AwsConfig.config) + + awsSecretsProvider <- ZIO.service[AwsSecretsProvider] + passwordSecret <- awsSecretsProvider.getSecretValue(awsConfig.serviceUserSecretKey) + hikariConfig = { val config = new HikariConfig() config.setDriverClassName(postgresConfig.dataSourceClass) @@ -35,10 +41,11 @@ object TransactorProvider { s"jdbc:postgresql://${postgresConfig.serverName}:${postgresConfig.portNumber}/${postgresConfig.databaseName}" ) config.setUsername(postgresConfig.user) - config.setPassword(postgresConfig.password) + config.setPassword(passwordSecret) config.setMaximumPoolSize(postgresConfig.maxPoolSize) config } + xa <- HikariTransactor .fromHikariConfig[Task](hikariConfig, defaultBlockingExecutor.asExecutionContext) .toScopedZIO diff --git a/server/src/main/scala/za/co/absa/atum/server/aws/AwsSecretsProvider.scala b/server/src/main/scala/za/co/absa/atum/server/aws/AwsSecretsProvider.scala new file mode 100644 index 000000000..c5e80b065 --- /dev/null +++ b/server/src/main/scala/za/co/absa/atum/server/aws/AwsSecretsProvider.scala @@ -0,0 +1,48 @@ +/* + * Copyright 2021 ABSA Group Limited + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package za.co.absa.atum.server.aws + +import software.amazon.awssdk.regions.Region +import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient +import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest +import za.co.absa.atum.server.config.AwsConfig +import zio._ +import zio.macros.accessible + +@accessible +trait AwsSecretsProvider { + def getSecretValue(secretName: String): Task[String] +} + +class AwsSecretsProviderImpl(secretsManagerClient: SecretsManagerClient) extends AwsSecretsProvider { + override def getSecretValue(secretName: String): Task[String] = { + ZIO.attempt { + val getSecretValueRequest = GetSecretValueRequest.builder().secretId(secretName).build() + secretsManagerClient.getSecretValue(getSecretValueRequest).secretString() + } + } +} + +object AwsSecretsProviderImpl { + val layer: ZLayer[Any, Config.Error, AwsSecretsProviderImpl] = ZLayer { + for { + awsConfig <- ZIO.config[AwsConfig](AwsConfig.config) + } yield new AwsSecretsProviderImpl( + SecretsManagerClient.builder().region(Region.of(awsConfig.region)).build() + ) + } +} diff --git a/server/src/main/scala/za/co/absa/atum/server/config/AwsConfig.scala b/server/src/main/scala/za/co/absa/atum/server/config/AwsConfig.scala new file mode 100644 index 000000000..61ed14013 --- /dev/null +++ b/server/src/main/scala/za/co/absa/atum/server/config/AwsConfig.scala @@ -0,0 +1,29 @@ +/* + * Copyright 2021 ABSA Group Limited + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package za.co.absa.atum.server.config + +import zio.Config +import zio.config.magnolia.deriveConfig + +case class AwsConfig ( + region: String, + serviceUserSecretKey: String +) + +object AwsConfig { + val config: Config[AwsConfig] = deriveConfig[AwsConfig].nested("aws") +} diff --git a/server/src/test/scala/za/co/absa/atum/server/api/ConfigProviderSpec.scala b/server/src/test/scala/za/co/absa/atum/server/ConfigProviderSpec.scala similarity index 96% rename from server/src/test/scala/za/co/absa/atum/server/api/ConfigProviderSpec.scala rename to server/src/test/scala/za/co/absa/atum/server/ConfigProviderSpec.scala index aa5664677..a58232da7 100644 --- a/server/src/test/scala/za/co/absa/atum/server/api/ConfigProviderSpec.scala +++ b/server/src/test/scala/za/co/absa/atum/server/ConfigProviderSpec.scala @@ -14,7 +14,7 @@ * limitations under the License. */ -package za.co.absa.atum.server.api +package za.co.absa.atum.server import zio.config.typesafe.TypesafeConfigProvider import zio.test.ZIOSpec diff --git a/server/src/test/scala/za/co/absa/atum/server/api/database/runs/functions/CreatePartitioningIfNotExistsSpec.scala b/server/src/test/scala/za/co/absa/atum/server/api/database/runs/functions/CreatePartitioningIfNotExistsSpec.scala index a04c5b97c..a1d506efa 100644 --- a/server/src/test/scala/za/co/absa/atum/server/api/database/runs/functions/CreatePartitioningIfNotExistsSpec.scala +++ b/server/src/test/scala/za/co/absa/atum/server/api/database/runs/functions/CreatePartitioningIfNotExistsSpec.scala @@ -18,8 +18,9 @@ package za.co.absa.atum.server.api.database.runs.functions import org.junit.runner.RunWith import za.co.absa.atum.model.dto.{PartitionDTO, PartitioningSubmitDTO} +import za.co.absa.atum.server.ConfigProviderSpec import za.co.absa.atum.server.api.database.PostgresDatabaseProvider -import za.co.absa.atum.server.api.{ConfigProviderSpec, TestTransactorProvider} +import za.co.absa.atum.server.api.TestTransactorProvider import zio.test._ import zio.test.junit.ZTestJUnitRunner import zio._ diff --git a/server/src/test/scala/za/co/absa/atum/server/api/database/runs/functions/WriteCheckpointSpec.scala b/server/src/test/scala/za/co/absa/atum/server/api/database/runs/functions/WriteCheckpointSpec.scala index 5965ba4ed..de0827bd9 100644 --- a/server/src/test/scala/za/co/absa/atum/server/api/database/runs/functions/WriteCheckpointSpec.scala +++ b/server/src/test/scala/za/co/absa/atum/server/api/database/runs/functions/WriteCheckpointSpec.scala @@ -19,8 +19,9 @@ package za.co.absa.atum.server.api.database.runs.functions import org.junit.runner.RunWith import za.co.absa.atum.model.dto.MeasureResultDTO.{ResultValueType, TypedValue} import za.co.absa.atum.model.dto._ +import za.co.absa.atum.server.ConfigProviderSpec import za.co.absa.atum.server.api.database.PostgresDatabaseProvider -import za.co.absa.atum.server.api.{ConfigProviderSpec, TestTransactorProvider} +import za.co.absa.atum.server.api.TestTransactorProvider import za.co.absa.fadb.exceptions.DataNotFoundException import za.co.absa.fadb.status.FunctionStatus import zio.test._ diff --git a/server/src/test/scala/za/co/absa/atum/server/aws/AwsSecretsProviderSpec.scala b/server/src/test/scala/za/co/absa/atum/server/aws/AwsSecretsProviderSpec.scala new file mode 100644 index 000000000..d27b6af0c --- /dev/null +++ b/server/src/test/scala/za/co/absa/atum/server/aws/AwsSecretsProviderSpec.scala @@ -0,0 +1,57 @@ +/* + * Copyright 2021 ABSA Group Limited + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package za.co.absa.atum.server.aws + +import org.junit.runner.RunWith +import org.mockito.ArgumentMatchers.any +import org.mockito.Mockito.{mock, when} +import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient +import software.amazon.awssdk.services.secretsmanager.model.{GetSecretValueRequest, GetSecretValueResponse} +import za.co.absa.atum.server.ConfigProviderSpec +import za.co.absa.atum.server.config.AwsConfig +import zio.test._ +import zio.test.junit.ZTestJUnitRunner +import zio.{Scope, ZIO, ZLayer} + +@RunWith(classOf[ZTestJUnitRunner]) +class AwsSecretsProviderSpec extends ConfigProviderSpec { + + private val secretsManagerClientMock = mock(classOf[SecretsManagerClient]) + + private val dummySecretValue = "expectedValue" + private val mockedResponse = GetSecretValueResponse.builder().secretString(dummySecretValue).build() + + when(secretsManagerClientMock.getSecretValue(any[GetSecretValueRequest]())).thenReturn(mockedResponse) + + private val testAwsSecretsProviderLayer = ZLayer.succeed(new AwsSecretsProviderImpl(secretsManagerClientMock)) + + override def spec: Spec[TestEnvironment with Scope, Any] = { + + suite("AwsSecretsProviderSuite")( + test("GetSecretValue returns expected secret's value"){ + for { + awsConfig <- ZIO.config[AwsConfig](AwsConfig.config) + awsSecretValue <- AwsSecretsProvider.getSecretValue(awsConfig.serviceUserSecretKey) + } yield assertTrue(dummySecretValue == awsSecretValue) + } + ) + + }.provide( + testAwsSecretsProviderLayer + ) + +} From 8cc9ac4a030c30ef9f3ab0254a1981dc02eb6bd0 Mon Sep 17 00:00:00 2001 From: Pavel Salamon Date: Fri, 2 Feb 2024 12:34:55 +0100 Subject: [PATCH 2/6] secretsmanager only instead of full aws-sdk-java --- project/Dependencies.scala | 5 +++-- .../za/co/absa/atum/server/aws/AwsSecretsProvider.scala | 4 +--- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/project/Dependencies.scala b/project/Dependencies.scala index 99f030b97..e5f72c9ed 100644 --- a/project/Dependencies.scala +++ b/project/Dependencies.scala @@ -132,6 +132,7 @@ object Dependencies { val faDbOrg = "za.co.absa.fa-db" val playOrg = "com.typesafe.play" val sbtOrg = "com.github.sbt" + val awsSdkOrg = "software.amazon.awssdk" // zio lazy val zioCore = zioOrg %% "zio" % Versions.zio @@ -156,7 +157,7 @@ object Dependencies { lazy val faDbDoobie = faDbOrg %% "doobie" % Versions.fadb // aws - lazy val awsSdk = "software.amazon.awssdk" % "aws-sdk-java" % Versions.awssdk + lazy val awsSecretsManagerSdk = awsSdkOrg % "secretsmanager" % Versions.awssdk // testing lazy val zioTest = zioOrg %% "zio-test" % Versions.zio % Test @@ -177,7 +178,7 @@ object Dependencies { tapirSwagger, tapirPlayJson, playJson, - awsSdk, + awsSecretsManagerSdk, zioTest, zioTestSbt, zioTestJunit, diff --git a/server/src/main/scala/za/co/absa/atum/server/aws/AwsSecretsProvider.scala b/server/src/main/scala/za/co/absa/atum/server/aws/AwsSecretsProvider.scala index c5e80b065..93e61e080 100644 --- a/server/src/main/scala/za/co/absa/atum/server/aws/AwsSecretsProvider.scala +++ b/server/src/main/scala/za/co/absa/atum/server/aws/AwsSecretsProvider.scala @@ -41,8 +41,6 @@ object AwsSecretsProviderImpl { val layer: ZLayer[Any, Config.Error, AwsSecretsProviderImpl] = ZLayer { for { awsConfig <- ZIO.config[AwsConfig](AwsConfig.config) - } yield new AwsSecretsProviderImpl( - SecretsManagerClient.builder().region(Region.of(awsConfig.region)).build() - ) + } yield new AwsSecretsProviderImpl(SecretsManagerClient.builder().region(Region.of(awsConfig.region)).build()) } } From 7569016758fb4b47a8fc5c1ff0ea78f18ea442fc Mon Sep 17 00:00:00 2001 From: Pavel Salamon Date: Wed, 14 Feb 2024 09:28:04 +0100 Subject: [PATCH 3/6] credentials fallback to config value --- project/Dependencies.scala | 2 -- .../atum/server/api/database/TransactorProvider.scala | 9 +++++++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/project/Dependencies.scala b/project/Dependencies.scala index e96948dd7..892710c52 100644 --- a/project/Dependencies.scala +++ b/project/Dependencies.scala @@ -67,8 +67,6 @@ object Dependencies { val http4sBlazeBackend = "0.23.15" val playJson = "3.0.1" -// val postgresql = "42.5.4" - val awssdk = "2.23.15" } diff --git a/server/src/main/scala/za/co/absa/atum/server/api/database/TransactorProvider.scala b/server/src/main/scala/za/co/absa/atum/server/api/database/TransactorProvider.scala index 093fe8aad..9f1407249 100644 --- a/server/src/main/scala/za/co/absa/atum/server/api/database/TransactorProvider.scala +++ b/server/src/main/scala/za/co/absa/atum/server/api/database/TransactorProvider.scala @@ -32,7 +32,12 @@ object TransactorProvider { awsConfig <- ZIO.config[AwsConfig](AwsConfig.config) awsSecretsProvider <- ZIO.service[AwsSecretsProvider] - passwordSecret <- awsSecretsProvider.getSecretValue(awsConfig.serviceUserSecretKey) + password <- awsSecretsProvider.getSecretValue(awsConfig.serviceUserSecretKey) + // fallback to password property's value from postgres section of reference.conf; useful for local testing + .orElse { + ZIO.logError("Credentials were not retrieved from AWS, falling back to config value.") + .as(postgresConfig.password) + } hikariConfig = { val config = new HikariConfig() @@ -41,7 +46,7 @@ object TransactorProvider { s"jdbc:postgresql://${postgresConfig.serverName}:${postgresConfig.portNumber}/${postgresConfig.databaseName}" ) config.setUsername(postgresConfig.user) - config.setPassword(passwordSecret) + config.setPassword(password) config.setMaximumPoolSize(postgresConfig.maxPoolSize) config } From a999523f73795f2b386ce9a52446fdda9a46f3e0 Mon Sep 17 00:00:00 2001 From: Pavel Salamon Date: Wed, 14 Feb 2024 09:45:55 +0100 Subject: [PATCH 4/6] interface for secrets provider in a separate file --- .../atum/server/aws/AwsSecretsProvider.scala | 39 +----------------- .../server/aws/AwsSecretsProviderImpl.scala | 40 +++++++++++++++++++ 2 files changed, 41 insertions(+), 38 deletions(-) create mode 100644 server/src/main/scala/za/co/absa/atum/server/aws/AwsSecretsProviderImpl.scala diff --git a/server/src/main/scala/za/co/absa/atum/server/aws/AwsSecretsProvider.scala b/server/src/main/scala/za/co/absa/atum/server/aws/AwsSecretsProvider.scala index 93e61e080..6988e496b 100644 --- a/server/src/main/scala/za/co/absa/atum/server/aws/AwsSecretsProvider.scala +++ b/server/src/main/scala/za/co/absa/atum/server/aws/AwsSecretsProvider.scala @@ -1,46 +1,9 @@ -/* - * Copyright 2021 ABSA Group Limited - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - package za.co.absa.atum.server.aws -import software.amazon.awssdk.regions.Region -import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient -import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest -import za.co.absa.atum.server.config.AwsConfig -import zio._ +import zio.Task import zio.macros.accessible @accessible trait AwsSecretsProvider { def getSecretValue(secretName: String): Task[String] } - -class AwsSecretsProviderImpl(secretsManagerClient: SecretsManagerClient) extends AwsSecretsProvider { - override def getSecretValue(secretName: String): Task[String] = { - ZIO.attempt { - val getSecretValueRequest = GetSecretValueRequest.builder().secretId(secretName).build() - secretsManagerClient.getSecretValue(getSecretValueRequest).secretString() - } - } -} - -object AwsSecretsProviderImpl { - val layer: ZLayer[Any, Config.Error, AwsSecretsProviderImpl] = ZLayer { - for { - awsConfig <- ZIO.config[AwsConfig](AwsConfig.config) - } yield new AwsSecretsProviderImpl(SecretsManagerClient.builder().region(Region.of(awsConfig.region)).build()) - } -} diff --git a/server/src/main/scala/za/co/absa/atum/server/aws/AwsSecretsProviderImpl.scala b/server/src/main/scala/za/co/absa/atum/server/aws/AwsSecretsProviderImpl.scala new file mode 100644 index 000000000..8d12ef29e --- /dev/null +++ b/server/src/main/scala/za/co/absa/atum/server/aws/AwsSecretsProviderImpl.scala @@ -0,0 +1,40 @@ +/* + * Copyright 2021 ABSA Group Limited + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package za.co.absa.atum.server.aws + +import software.amazon.awssdk.regions.Region +import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient +import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest +import za.co.absa.atum.server.config.AwsConfig +import zio._ + +class AwsSecretsProviderImpl(secretsManagerClient: SecretsManagerClient) extends AwsSecretsProvider { + override def getSecretValue(secretName: String): Task[String] = { + ZIO.attempt { + val getSecretValueRequest = GetSecretValueRequest.builder().secretId(secretName).build() + secretsManagerClient.getSecretValue(getSecretValueRequest).secretString() + } + } +} + +object AwsSecretsProviderImpl { + val layer: ZLayer[Any, Config.Error, AwsSecretsProviderImpl] = ZLayer { + for { + awsConfig <- ZIO.config[AwsConfig](AwsConfig.config) + } yield new AwsSecretsProviderImpl(SecretsManagerClient.builder().region(Region.of(awsConfig.region)).build()) + } +} From 256d773e716f59062dc97925d03aa7fb53369bc3 Mon Sep 17 00:00:00 2001 From: Pavel Salamon Date: Wed, 14 Feb 2024 14:40:23 +0100 Subject: [PATCH 5/6] added missing license --- .../atum/server/aws/AwsSecretsProvider.scala | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/server/src/main/scala/za/co/absa/atum/server/aws/AwsSecretsProvider.scala b/server/src/main/scala/za/co/absa/atum/server/aws/AwsSecretsProvider.scala index 6988e496b..1b835fdfd 100644 --- a/server/src/main/scala/za/co/absa/atum/server/aws/AwsSecretsProvider.scala +++ b/server/src/main/scala/za/co/absa/atum/server/aws/AwsSecretsProvider.scala @@ -1,3 +1,19 @@ +/* + * Copyright 2021 ABSA Group Limited + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + package za.co.absa.atum.server.aws import zio.Task From 8c140232b4fa4202da217bd78668c606daff1611 Mon Sep 17 00:00:00 2001 From: Pavel Salamon Date: Thu, 15 Feb 2024 20:00:42 +0100 Subject: [PATCH 6/6] dbPasswordSecretName --- server/src/main/resources/reference.conf | 2 +- .../co/absa/atum/server/api/database/TransactorProvider.scala | 2 +- .../main/scala/za/co/absa/atum/server/config/AwsConfig.scala | 4 ++-- .../za/co/absa/atum/server/aws/AwsSecretsProviderSpec.scala | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/server/src/main/resources/reference.conf b/server/src/main/resources/reference.conf index d62c5049e..c0f34eea2 100644 --- a/server/src/main/resources/reference.conf +++ b/server/src/main/resources/reference.conf @@ -12,7 +12,7 @@ } aws { region = "af-south-1" - serviceUserSecretKey = "serviceUserSecretKey" + dbPasswordSecretName = "serviceUserSecretKey" } ssl { enabled=false diff --git a/server/src/main/scala/za/co/absa/atum/server/api/database/TransactorProvider.scala b/server/src/main/scala/za/co/absa/atum/server/api/database/TransactorProvider.scala index 9f1407249..a82a07aa5 100644 --- a/server/src/main/scala/za/co/absa/atum/server/api/database/TransactorProvider.scala +++ b/server/src/main/scala/za/co/absa/atum/server/api/database/TransactorProvider.scala @@ -32,7 +32,7 @@ object TransactorProvider { awsConfig <- ZIO.config[AwsConfig](AwsConfig.config) awsSecretsProvider <- ZIO.service[AwsSecretsProvider] - password <- awsSecretsProvider.getSecretValue(awsConfig.serviceUserSecretKey) + password <- awsSecretsProvider.getSecretValue(awsConfig.dbPasswordSecretName) // fallback to password property's value from postgres section of reference.conf; useful for local testing .orElse { ZIO.logError("Credentials were not retrieved from AWS, falling back to config value.") diff --git a/server/src/main/scala/za/co/absa/atum/server/config/AwsConfig.scala b/server/src/main/scala/za/co/absa/atum/server/config/AwsConfig.scala index 61ed14013..32cc85f66 100644 --- a/server/src/main/scala/za/co/absa/atum/server/config/AwsConfig.scala +++ b/server/src/main/scala/za/co/absa/atum/server/config/AwsConfig.scala @@ -19,9 +19,9 @@ package za.co.absa.atum.server.config import zio.Config import zio.config.magnolia.deriveConfig -case class AwsConfig ( +case class AwsConfig( region: String, - serviceUserSecretKey: String + dbPasswordSecretName: String ) object AwsConfig { diff --git a/server/src/test/scala/za/co/absa/atum/server/aws/AwsSecretsProviderSpec.scala b/server/src/test/scala/za/co/absa/atum/server/aws/AwsSecretsProviderSpec.scala index d27b6af0c..2551e8a09 100644 --- a/server/src/test/scala/za/co/absa/atum/server/aws/AwsSecretsProviderSpec.scala +++ b/server/src/test/scala/za/co/absa/atum/server/aws/AwsSecretsProviderSpec.scala @@ -45,7 +45,7 @@ class AwsSecretsProviderSpec extends ConfigProviderSpec { test("GetSecretValue returns expected secret's value"){ for { awsConfig <- ZIO.config[AwsConfig](AwsConfig.config) - awsSecretValue <- AwsSecretsProvider.getSecretValue(awsConfig.serviceUserSecretKey) + awsSecretValue <- AwsSecretsProvider.getSecretValue(awsConfig.dbPasswordSecretName) } yield assertTrue(dummySecretValue == awsSecretValue) } )