s3resource

package module
v0.0.0-...-97e441e Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 3, 2019 License: Apache-2.0 Imports: 25 Imported by: 0

README

Note: forked

This resource has been forked to add support for retrieving AWS credentials from IAM instance profiles. That feature isn't going to be implemented upstream at the moment, but the Concourse team are looking at other ways to retrieve credentials in the future.

Please do not add additional features or bug fixes to this fork/branch without first talking to the Tech Lead or Tech Architect on the Government PaaS team.

Docker Hub builds a container from the gds branch. There is no automated testing because the integration tests require credentials, so you will need to run the tests yourself.

S3 Resource

Versions objects in an S3 bucket, by pattern-matching filenames to identify version numbers.

Source Configuration

  • bucket: Required. The name of the bucket.

  • access_key_id: Optional. The AWS access key to use when accessing the bucket.

  • secret_access_key: Optional. The AWS secret key to use when accessing the bucket.

  • session_token: Optional. The AWS STS session token to use when accessing the bucket.

  • region_name: Optional. The region the bucket is in. Defaults to us-east-1.

  • private: Optional. Indicates that the bucket is private, so that any URLs provided are signed.

  • cloudfront_url: Optional. The URL (scheme and domain) of your CloudFront distribution that is fronting this bucket (e.g https://d5yxxxxx.cloudfront.net). This will affect in but not check and put. in will ignore the bucket name setting, exclusively using the cloudfront_url. When configuring CloudFront with versioned buckets, set Query String Forwarding and Caching to Forward all, cache based on all to ensure S3 calls succeed.

  • endpoint: Optional. Custom endpoint for using S3 compatible provider.

  • disable_ssl: Optional. Disable SSL for the endpoint, useful for S3 compatible providers without SSL.

  • skip_ssl_verification: Optional. Skip SSL verification for S3 endpoint. Useful for S3 compatible providers using self-signed SSL certificates.

  • server_side_encryption: Optional. An encryption algorithm to use when storing objects in S3.

  • sse_kms_key_id: Optional. The ID of the AWS KMS master encryption key used for the object.

  • use_v2_signing: Optional. Use signature v2 signing, useful for S3 compatible providers that do not support v4.

File Names

One of the following two options must be specified:

  • regexp: Optional. The pattern to match filenames against within S3. The first grouped match is used to extract the version, or if a group is explicitly named version, that group is used. At least one capture group must be specified, with parentheses.

    The version extracted from this pattern is used to version the resource. Semantic versions, or just numbers, are supported. Accordingly, full regular expressions are supported, to specify the capture groups.

  • versioned_file: Optional If you enable versioning for your S3 bucket then you can keep the file name the same and upload new versions of your file without resorting to version numbers. This property is the path to the file in your S3 bucket.

Initial state

If no resource versions exist you can set up this resource to emit an initial version with a specified content. This won't create a real resource in S3 but only create an initial version for Concourse. The resource file will be created as usual when you get a resource with an initial version.

You can define one of the following two options:

  • initial_path: Optional. Must be used with the regexp option. You should set this to the file path containing the initial version which would match the given regexp. E.g. if regexp is file/build-(.*).zip, then initial_path might be file/build-0.0.0.zip. The resource version will be 0.0.0 in this case.

  • initial_version: Optional. Must be used with the versioned_file option. This will be the resource version.

By default the resource file will be created with no content when get runs. You can set the content by using one of the following options:

  • initial_content_text: Optional. Initial content as a string.

  • initial_content_binary: Optional. You can pass binary content as a base64 encoded string.

Behavior

check: Extract versions from the bucket.

Objects will be found via the pattern configured by regexp. The versions will be used to order them (using semver). Each object's filename is the resulting version.

in: Fetch an object from the bucket.

Places the following files in the destination:

  • (filename): The file fetched from the bucket.

  • url: A file containing the URL of the object. If private is true, this URL will be signed.

  • version: The version identified in the file name.

Parameters
  • unpack: Optional. If true and the file is an archive (tar, gzipped tar, other gzipped file, or zip), unpack the file. Gzipped tarballs will be both ungzipped and untarred. It is ignored when get is running on the initial version.
out: Upload an object to the bucket.

Given a file specified by file, upload it to the S3 bucket. If regexp is specified, the new file will be uploaded to the directory that the regex searches in. If versioned_file is specified, the new file will be uploaded as a new version of that file.

Parameters

  • file: Required. Path to the file to upload, provided by an output of a task. If multiple files are matched by the glob, an error is raised. The file which matches will be placed into the directory structure on S3 as defined in regexp in the resource definition. The matching syntax is bash glob expansion, so no capture groups, etc.

  • acl: Optional. Canned Acl for the uploaded object.

  • content_type: Optional. MIME Content-Type describing the contents of the uploaded object

Example Configuration

Resource

When the file has the version name in the filename

- name: release
  type: s3
  source:
    bucket: releases
    regexp: directory_on_s3/release-(.*).tgz
    access_key_id: ACCESS-KEY
    secret_access_key: SECRET

or

When the file is being versioned by s3

- name: release
  type: s3
  source:
    bucket: releases
    versioned_file: directory_on_s3/release.tgz
    access_key_id: ACCESS-KEY
    secret_access_key: SECRET
Plan
- get: release

- put: release
  params:
    file: path/to/release-*.tgz
    acl: public-read

Required IAM Permissions

Non-versioned Buckets

The bucket itself (e.g. "arn:aws:s3:::your-bucket"):

  • s3:ListBucket

The objects in the bucket (e.g. "arn:aws:s3:::your-bucket/*"):

  • s3:PutObject
  • s3:PutObjectAcl
  • s3:GetObject
Versioned Buckets

Everything above and...

The bucket itself (e.g. "arn:aws:s3:::your-bucket"):

  • s3:ListBucketVersions
  • s3:GetBucketVersioning

The objects in the bucket (e.g. "arn:aws:s3:::your-bucket/*"):

  • s3:GetObjectVersion
  • s3:PutObjectVersionAcl

Developing on this resource

First get the resource via: go get github.com/concourse/s3-resource

Development

Prerequisites
  • golang is required - version 1.9.x is tested; earlier versions may also work.
  • docker is required - version 17.06.x is tested; earlier versions may also work.
  • godep is used for dependency management of the golang packages.
Running the tests

The tests have been embedded with the Dockerfile; ensuring that the testing environment is consistent across any docker enabled platform. When the docker image builds, the test are run inside the docker container, on failure they will stop the build.

Run the tests with the following command:

docker build -t s3-resource .
Integration tests

The integration requires two AWS S3 buckets, one without versioning and another with. The docker build step requires setting --build-args so the integration will run.

Run the tests with the following command:

docker build . -t s3-resource --build-arg S3_TESTING_ACCESS_KEY_ID="access-key" --build-arg S3_TESTING_SECRET_ACCESS_KEY="some-secret" --build-arg S3_TESTING_BUCKET="bucket-non-versioned" --build-arg S3_VERSIONED_TESTING_BUCKET="bucket-versioned" --build-arg S3_TESTING_REGION="us-east-1" --build-arg S3_ENDPOINT="https://s3.amazonaws.com"
Contributing

Please make all pull requests to the master branch and ensure tests pass locally.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Fatal 

func Fatal(doing string, err error)

func NewAwsConfig 

func NewAwsConfig(
	accessKey string,
	secretKey string,
	sessionToken string,
	regionName string,
	endpoint string,
	disableSSL bool,
	skipSSLVerification bool,
) *aws.Config

func Sayf 

func Sayf(message string, args ...interface{})

func Sign 

func Sign(req *request.Request)

Sign requests with signature version 2.

Will sign the requests with the service config's Credentials object Signing is skipped if the credentials is the credentials.AnonymousCredentials object.

Types

type MetadataPair 

type MetadataPair struct {
	Name  string `json:"name"`
	Value string `json:"value"`
}

type S3Client 

type S3Client interface {
	BucketFiles(bucketName string, prefixHint string) ([]string, error)
	BucketFileVersions(bucketName string, remotePath string) ([]string, error)

	UploadFile(bucketName string, remotePath string, localPath string, options UploadFileOptions) (string, error)
	DownloadFile(bucketName string, remotePath string, versionID string, localPath string) error

	DeleteFile(bucketName string, remotePath string) error
	DeleteVersionedFile(bucketName string, remotePath string, versionID string) error

	URL(bucketName string, remotePath string, private bool, versionID string) string
}

func NewS3Client 

func NewS3Client(
	progressOutput io.Writer,
	awsConfig *aws.Config,
	useV2Signing bool,
) S3Client

type Source 

type Source struct {
	AccessKeyID          string `json:"access_key_id"`
	SecretAccessKey      string `json:"secret_access_key"`
	SessionToken         string `json:"session_token"`
	Bucket               string `json:"bucket"`
	Regexp               string `json:"regexp"`
	VersionedFile        string `json:"versioned_file"`
	Private              bool   `json:"private"`
	RegionName           string `json:"region_name"`
	CloudfrontURL        string `json:"cloudfront_url"`
	Endpoint             string `json:"endpoint"`
	DisableSSL           bool   `json:"disable_ssl"`
	ServerSideEncryption string `json:"server_side_encryption"`
	SSEKMSKeyId          string `json:"sse_kms_key_id"`
	UseV2Signing         bool   `json:"use_v2_signing"`
	SkipSSLVerification  bool   `json:"skip_ssl_verification"`
	InitialVersion       string `json:"initial_version"`
	InitialPath          string `json:"initial_path"`
	InitialContentText   string `json:"initial_content_text"`
	InitialContentBinary string `json:"initial_content_binary"`
}

func (Source) IsValid 

func (source Source) IsValid() (bool, string)

type UploadFileOptions 

type UploadFileOptions struct {
	Acl                  string
	ServerSideEncryption string
	KmsKeyId             string
	ContentType          string
}

func NewUploadFileOptions 

func NewUploadFileOptions() UploadFileOptions

type Version 

type Version struct {
	Path      string `json:"path,omitempty"`
	VersionID string `json:"version_id,omitempty"`
}

Source Files

View all Source files

Directories

Path Synopsis
cmd
check command
in command
out command
This file was generated by counterfeiter
 This file was generated by counterfeiter

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.