{ "info": { "author": "Martin Kaberg", "author_email": "martin.kaberg@nordcloud.com", "bugtrack_url": null, "classifiers": [], "description": "# README #\n\n\n\n### What is this repository for? ###\n\n* To encrypt values in cloudformation\n* To Create secure ssm parameters in cloudformation\n* To Retrieve secure ssm paramters in cloudformation\n\n\n\n### What does it do? ###\n\nThe repo provides two simple lambda functions\n* simple_encrypt.py: exposes the kms encrypt api to cloudformation.\nIt does this by a custom resource called Encrypt.\n* ssm_parameter.py: Makes it possible to create ssm parameters of\ntype SecureString in cloudformation. It does this by a custom resource\ncalled SecureParameter\n\n\n#### Encrypt ####\n\nThe custom resource expects base64 encoded input and outputs base64\nencrypted blob\n\nIt supports encryption context\n\n#### SecureParameter ####\nTakes name, value, description and KeyId\n\nIf the parameter name was not created in this stack update will fail\n\n### How do I get set up? ###\n\n* install the module in via pip\n~~~~\n pip install cfn-encrypt\n~~~~\n\n\n### template.py ###\nThis is the template that provision the lambda function.\n\nIt takes two parameters\n\n#### Parameter: KmsKeyArn ####\nThis is the arn of the kms key you want to use for encryption. If the\nkey is located in another AWS account make sure that it allows the\naccount you create the stack in *Encrypt* action on the key.\n\n\n#### Parameter: PlainText ####\nThis is just a string that will test the encryption and secure parameter\nfunctionality.\n\n### If the stack creation fails ###\nCheck the log group /aws/lambda/*stack name*\n\n\n### generate the template ###\n~~~~\n python template.py > /tmp/encrypt.template\n~~~~\n* create a stack using `/tmp/encrypt.template`\n* Make sure you do not rollback on failure, since that will delete the\nlog group that might contain valuable information\n* Supply the KMS key arn that you want to use, and optionally a value that\nyou want to encrypt.\n* outputs: `KmsKeyArn, LambdaArn, EncryptedValue`\n* exports: all outputs are exported and their names are prepended with\nthe name of the stack\n\n\n\n### How do i use it other stacks? ###\n\nUse the example template to provision the lambda function. The example\ntemplate will export the arn of the lambdas\n\n\n##### simple encrypt usage #####\nImport the custom resource class\n~~~~\nfrom cfn_encrypt import Encrypt, EncryptionContext\n~~~~\n\n\nCreate a parameter so you can reference to the template the lambda was\ncreated in\n~~~~\nencrypt_lambda_stack = t.add_parameter(Parameter(\n \"EncryptLambdaStack\",\n Type=\"String\",\n Description=\"Stack name of the encryption lambda\"\n))\n~~~~\n\nImport KmsKeyArn and LambdaArn from the lambda stack\n~~~~\nkms_key_arn = ImportValue(Sub(\"${EncryptLambdaStack}-KmsKeyArn\"))\nlambda_arn = ImportValue(Sub(\"${EncryptLambdaStack}-EncryptLambdaArn\"))\n~~~~\n\n\nAdd a parameter for the value you want to encrypt, make sure you set\nNoEcho to True\n~~~~\nmy_secret = t.add_parameter(Parameter(\n \"MySecret\",\n Type=\"String\",\n Description=\"Enter your secret\",\n NoEcho=True\n))\n~~~~\n\n\nInvoke the lambda\n~~~~\nencrypted_secret = t.add_resource(Encrypt(\n \"EncryptedSecret\",\n ServiceToken=lambda_arn,\n Base64Data=Base64(Ref(my_secret)),\n KmsKeyArn=kms_key_arn\n))\n~~~~\n\nIf you want to use encryption context.\n* Note that encryption context should not be sensitive values.\n~~~~\n my_encrypted_value_with_context = t.add_resource(Encrypt(\n \"MyEncryptedValueWithContext\",\n ServiceToken=lambda_arn,\n Base64Data=Base64(Ref(plain_text)),\n KmsKeyArn=kms_key_arn,\n EncryptionContext=EncryptionContext(\n Name=\"Test\",\n Value=\"Test\"\n )\n))\n~~~~\nThe the encrypted parameter can be retrieved base64 encoded using GetAtt\n~~~~\nGetAtt(encrypted_secret, \"CiphertextBase64\"),\n~~~~\n\n\n\n#### ssm parameter usage ####\n\nImport the custom resource class\n~~~~\nfrom cfn_encrypt import SecureParameter\n~~~~\n\n\nCreate a parameter so you can reference to the template the lambda was\ncreated in\n~~~~\nencrypt_lambda_stack = t.add_parameter(Parameter(\n \"EncryptLambdaStack\",\n Type=\"String\",\n Description=\"Stack name of the encryption lambda\"\n))\n~~~~\n\nImport KmsKeyArn and LambdaArn from the lambda stack\n~~~~\nkms_key_arn = ImportValue(Sub(\"${EncryptLambdaStack}-KmsKeyArn\"))\nlambda_arn = ImportValue(Sub(\"${EncryptLambdaStack}-EncryptLambdaArn\"))\n~~~~\n\n\nAdd a parameter for the value you want to encrypt, make sure you set\nNoEcho to True\n~~~~\nmy_secret = t.add_parameter(Parameter(\n \"MySecret\",\n Type=\"String\",\n Description=\"Enter your secret\",\n NoEcho=True\n))\n~~~~\n\n\nInvoke the lambda\n~~~~\n\nmy_secure_parameter = t.add_resource(SecureParameter(\n \"MySecureParameter\",\n ServiceToken=lambda_arn,\n Name=\"MySecureParameter\",\n Description=\"Testing secure parameter\",\n Value=Ref(my_secret),\n KeyId=kms_key_arn\n))\n\n~~~~\n\n\n\n\n#### get ssm parameter ####\n\n\nImport the custom resource class\n~~~~\nfrom cfn_encrypt import GetSsmValue\n~~~~\n\n\nCreate a parameter so you can reference to the template the lambda was\ncreated in\n~~~~\nencrypt_lambda_stack = t.add_parameter(Parameter(\n \"EncryptLambdaStack\",\n Type=\"String\",\n Description=\"Stack name of the encryption lambda\"\n))\n~~~~\n\nImport KmsKeyArn and LambdaArn from the lambda stack\n~~~~\nkms_key_arn = ImportValue(Sub(\"${EncryptLambdaStack}-KmsKeyArn\"))\nlambda_arn = ImportValue(Sub(\"${EncryptLambdaStack}-EncryptLambdaArn\"))\n~~~~\n\n\n\n\nInvoke the lambda\n~~~~\nmy_decrypted_value = t.add_resource(GetSsmValue(\n \"MyDecryptedValue\",\n ServiceToken=lambda_arn,\n Name=\"/My/Parameter/Name\",\n KeyId=kms_key_arn,\n Version=5 # Optional\n\n))\n\nUse GetAtt to get information about the parameter\n 'Name': 'string',\n 'Type': 'String'|'StringList'|'SecureString',\n 'KeyId': 'string',\n'LastModifiedDate': datetime(2015, 1, 1),\n'LastModifiedUser': 'string',\n'Description': 'string',\n'Value': 'string',\n'AllowedPattern': 'string',\n'Version': 123\n\n~~~~\n\n\n\n### How to contribute and report bugs ###\n\nYou can contribute by sending a PR to the repo. \n\n1. Fork the repository\n2. Make changes\n3. Issue a PR\n\nEvery PR should be backed by an issue requesting a change. \n\n\n\n\n", "description_content_type": null, "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/nordcloud/cfn-encrypt", "keywords": "", "license": "Apache Common 2.0", "maintainer": "", "maintainer_email": "", "name": "cfn-encrypt", "package_url": "https://pypi.org/project/cfn-encrypt/", "platform": "", "project_url": "https://pypi.org/project/cfn-encrypt/", "project_urls": { "Homepage": "https://github.com/nordcloud/cfn-encrypt" }, "release_url": "https://pypi.org/project/cfn-encrypt/0.0.14/", "requires_dist": [ "awacs (>=0.7.0)", "troposphere (>=1.9.5)" ], "requires_python": "", "summary": "Lambda cloudformation custom resource that use KMS encrypt", "version": "0.0.14" }, "last_serial": 3616703, "releases": { "0.0.10": [ { "comment_text": "", "digests": { "md5": "fd2bc6f35107df55266b823cb74a756a", "sha256": "78330a7bb64c702b3a989a64582afcb22a73817747c5ccd06e9c85c6be9770f0" }, "downloads": -1, "filename": "cfn_encrypt-0.0.10-py2-none-any.whl", "has_sig": false, "md5_digest": "fd2bc6f35107df55266b823cb74a756a", "packagetype": "bdist_wheel", "python_version": "py2", "requires_python": null, "size": 7130, "upload_time": "2018-01-15T13:48:22", "url": "https://files.pythonhosted.org/packages/ab/56/1fd543e2c0dcebb1b2822e8d2f3e9cd90c7a488c119600d63a1bbeac2ac8/cfn_encrypt-0.0.10-py2-none-any.whl" }, { "comment_text": "", "digests": { "md5": "2dd75a71fc795ca39882970c9dd80885", "sha256": "77f79fe1971e173681892f784b5118d5dfcb50a8a378a3c77cbd722c4cf0de51" }, "downloads": -1, "filename": "cfn_encrypt-0.0.10-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "2dd75a71fc795ca39882970c9dd80885", "packagetype": "bdist_wheel", "python_version": "py2.py3", "requires_python": null, "size": 7134, "upload_time": "2018-01-15T14:34:43", "url": "https://files.pythonhosted.org/packages/4c/37/6f0f9afe7ffe2dad72b8ba5f2c845594b28099b1527eb571f544985ed41f/cfn_encrypt-0.0.10-py2.py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "a84ece51a624955b68b54744759cd9b2", "sha256": "ce3ee07b71ad3259d132aa8dfce74ea8a27d320ecd80aec8baba6b8199661187" }, "downloads": -1, "filename": "cfn_encrypt-0.0.10-py3-none-any.whl", "has_sig": false, "md5_digest": "a84ece51a624955b68b54744759cd9b2", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 7095, "upload_time": "2018-01-15T14:34:44", "url": "https://files.pythonhosted.org/packages/d0/81/83f34894410c55d63638e15a38f1097dd5a4b58e556fea3cd8e9b7b94ea0/cfn_encrypt-0.0.10-py3-none-any.whl" } ], "0.0.11": [ { "comment_text": "", "digests": { "md5": "110b462a73ded2356a945573b63d06fc", "sha256": "113f2c87b196ab24fed958c6935615bc6513751bfe6e95f9d9397970bb40d1e7" }, "downloads": -1, "filename": "cfn_encrypt-0.0.11-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "110b462a73ded2356a945573b63d06fc", "packagetype": "bdist_wheel", "python_version": "py2.py3", "requires_python": null, "size": 7135, "upload_time": "2018-01-15T14:34:45", "url": "https://files.pythonhosted.org/packages/c1/57/f567520bf11f39e07ba3d49265e6711181ad46437dce0ac14cf7c249985d/cfn_encrypt-0.0.11-py2.py3-none-any.whl" } ], "0.0.12": [ { "comment_text": "", "digests": { "md5": "c6cc23cfa73b24f5a99edec9afea3d1f", "sha256": "3a3fad9c9ca2f446c01913a1acd6aa62cee256f7527d57af23a0bdf73521ae55" }, "downloads": -1, "filename": "cfn_encrypt-0.0.12-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "c6cc23cfa73b24f5a99edec9afea3d1f", "packagetype": "bdist_wheel", "python_version": "py2.py3", "requires_python": null, "size": 7133, "upload_time": "2018-01-15T14:41:54", "url": "https://files.pythonhosted.org/packages/00/04/f531cb220c14d66271c3a7770d3f335a06e4a6b6572e338de331909ba074/cfn_encrypt-0.0.12-py2.py3-none-any.whl" } ], "0.0.13": [ { "comment_text": "", "digests": { "md5": "14c5495b1d88382c0794090d056a793a", "sha256": "62f679e0e49a992622571d35575acbd2e345bfe23c4a5836fa59999719890d16" }, "downloads": -1, "filename": "cfn_encrypt-0.0.13-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "14c5495b1d88382c0794090d056a793a", "packagetype": "bdist_wheel", "python_version": "py2.py3", "requires_python": null, "size": 8567, "upload_time": "2018-01-19T14:32:56", "url": "https://files.pythonhosted.org/packages/e1/d2/1a22de3693d28c826f2219d14cf2ab48ec241a6578fde1c03288e8d82dfc/cfn_encrypt-0.0.13-py2.py3-none-any.whl" } ], "0.0.14": [ { "comment_text": "", "digests": { "md5": "f8c0a9ca40f4c529f1330b9ab31aff66", "sha256": "43b5a7fff7f5388d38e0c7c79f1507eddf1676d3e21f520e5837b74e4284ff30" }, "downloads": -1, "filename": "cfn_encrypt-0.0.14-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "f8c0a9ca40f4c529f1330b9ab31aff66", "packagetype": "bdist_wheel", "python_version": "py2.py3", "requires_python": null, "size": 8573, "upload_time": "2018-02-26T09:48:41", "url": "https://files.pythonhosted.org/packages/32/9c/3e8432443c40ed48d076072bcbaf77853d6696a56cc35ecf1837532afc3b/cfn_encrypt-0.0.14-py2.py3-none-any.whl" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "f8c0a9ca40f4c529f1330b9ab31aff66", "sha256": "43b5a7fff7f5388d38e0c7c79f1507eddf1676d3e21f520e5837b74e4284ff30" }, "downloads": -1, "filename": "cfn_encrypt-0.0.14-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "f8c0a9ca40f4c529f1330b9ab31aff66", "packagetype": "bdist_wheel", "python_version": "py2.py3", "requires_python": null, "size": 8573, "upload_time": "2018-02-26T09:48:41", "url": "https://files.pythonhosted.org/packages/32/9c/3e8432443c40ed48d076072bcbaf77853d6696a56cc35ecf1837532afc3b/cfn_encrypt-0.0.14-py2.py3-none-any.whl" } ] }