fix: add an FTL tag and filter ASM secrets (#1888)

Fixes #1876
block · Jun 27, 2024 · 29438c5 · 29438c5
1 parent d11d904
commit 29438c5
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 1 deletion.
diff --git a/common/configuration/asm_leader.go b/common/configuration/asm_leader.go
@@ -19,6 +19,7 @@ import (
 )
 
 const asmLeaderSyncInterval = time.Minute * 5
+const asmTagKey = "ftl"
 
 type asmLeader struct {
 	client *secretsmanager.Client
@@ -54,6 +55,9 @@ func (l *asmLeader) sync(ctx context.Context, secrets *xsync.MapOf[Ref, cachedSe
 		out, err := l.client.ListSecrets(ctx, &secretsmanager.ListSecretsInput{
 			MaxResults: aws.Int32(100),
 			NextToken:  nextToken.Ptr(),
+			Filters: []types.Filter{
+				{Key: types.FilterNameStringTypeTagKey, Values: []string{asmTagKey}},
+			},
 		})
 		if err != nil {
 			return fmt.Errorf("unable to get list of secrets from ASM: %w", err)
@@ -100,7 +104,10 @@ func (l *asmLeader) sync(ctx context.Context, secrets *xsync.MapOf[Ref, cachedSe
 			}
 		}
 		out, err := l.client.BatchGetSecretValue(ctx, &secretsmanager.BatchGetSecretValueInput{
-			SecretIdList: secretIDs,
+			Filters: []types.Filter{
+				{Key: types.FilterNameStringTypeName, Values: secretIDs},
+				{Key: types.FilterNameStringTypeTagKey, Values: []string{asmTagKey}},
+			},
 		})
 		if err != nil {
 			return fmt.Errorf("unable to get batch of secret values from ASM: %w", err)
@@ -149,6 +156,9 @@ func (l *asmLeader) store(ctx context.Context, ref Ref, value []byte) (*url.URL,
 	_, err := l.client.CreateSecret(ctx, &secretsmanager.CreateSecretInput{
 		Name:         aws.String(ref.String()),
 		SecretString: aws.String(string(value)),
+		Tags: []types.Tag{
+			{Key: aws.String(asmTagKey), Value: aws.String(ref.Module.Default(""))},
+		},
 	})
 
 	// https://github.com/aws/aws-sdk-go-v2/issues/1110#issuecomment-1054643716

diff --git a/common/configuration/asm_test.go b/common/configuration/asm_test.go
@@ -22,6 +22,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/config"
 	"github.com/aws/aws-sdk-go-v2/credentials"
 	"github.com/aws/aws-sdk-go-v2/service/secretsmanager"
+	"github.com/aws/aws-sdk-go-v2/service/secretsmanager/types"
 )
 
 func localstack(ctx context.Context, t *testing.T) (*ASM, *asmLeader, *secretsmanager.Client, *clock.Mock) {
@@ -208,6 +209,9 @@ func testClientSync(ctx context.Context,
 	_, err = sm.CreateSecret(ctx, &secretsmanager.CreateSecretInput{
 		Name:         aws.String(smRef.String()),
 		SecretString: aws.String(jsonString(t, "sm-first")),
+		Tags: []types.Tag{
+			{Key: aws.String(asmTagKey), Value: aws.String(smRef.Module.Default(""))},
+		},
 	})
 	assert.NoError(t, err, "failed to create secret via sm")
 	waitForUpdatesToProcess(cache)
@@ -233,6 +237,9 @@ func testClientSync(ctx context.Context,
 	_, err = sm.CreateSecret(ctx, &secretsmanager.CreateSecretInput{
 		Name:         aws.String(smClientRef.String()),
 		SecretString: aws.String(jsonString(t, "sm-client-first")),
+		Tags: []types.Tag{
+			{Key: aws.String(asmTagKey), Value: aws.String(smClientRef.Module.Default(""))},
+		},
 	})
 	assert.NoError(t, err, "failed to create secret via sm")
 	_, err = client.store(ctx, smClientRef, jsonBytes(t, "sm-client-second"))