@tlwr
Last active April 25, 2019 21:56
Hijackable pipeline for adding secrets to Concourse
```yaml
---
resource_types:
- name: meta
  type: docker-image
  source:
    repository: swce/metadata-resource

resources:
# Exposes build metadata (ATC URL, pipeline name, job name) as files in the job-metadata input.
- name: job-metadata
  type: meta

jobs:
- name: run-me-and-then-hijack
  serial: true
  plan:
  - get: job-metadata
  - task: hijack-me
    config:
      platform: linux
      image_resource:
        type: docker-image
        source:
          repository: governmentpaas/awscli
      params:
        CONCOURSE_NAME: concourse
        TEAM_NAME: main
        KMS_KEY_ID: fill-me-in
        SECRETS_PATH_PREFIX: fill-me-in
        REGION: fill-me-in
      inputs:
      - name: job-metadata
      run:
        path: sh
        args:
        - -uec
        - |
          # Print the instructions, then keep the container alive long enough to hijack it.
          cat <<HELP
          Ensure you are logged in with the following command:
          $ fly --target "$CONCOURSE_NAME" login --team-name "$TEAM_NAME" --concourse-url "$(cat job-metadata/atc-external-url)" -b
          ---
          You can use fly to set some secrets manually. Run the following fly command:
          $ fly --target "$CONCOURSE_NAME" hijack --job "$(cat job-metadata/build-pipeline-name)/$(cat job-metadata/build-job-name)" sh
          Select the hijack-me task, then you can run:
          $ aws ssm put-parameter \\
              --name "$SECRETS_PATH_PREFIX/my_secret_name" \\
              --value "my-secret-value" \\
              --type SecureString \\
              --key-id "$KMS_KEY_ID" \\
              --overwrite \\
              --region "$REGION"
          This secret will be available in all your pipelines using the syntax: ((my_secret_name))
          ---
          You can make a secret available in only a single pipeline using:
          $ aws ssm put-parameter \\
              --name "$SECRETS_PATH_PREFIX/pipeline-name-change-me/my_secret_name" \\
              --value "my-secret-value" \\
              --type SecureString \\
              --key-id "$KMS_KEY_ID" \\
              --overwrite \\
              --region "$REGION"
          ---
          If you happen to be creating large chunks of data as a secret (an RSA key, for instance), you may find that the TTY behaves strangely: for instance, it replaces random characters in your blob (I know, HOW WOULD YOU KNOW!?) with arbitrary different characters...
          It is possible to exec your desired command directly on the box without _really_ hijacking a container:
          $ fly --target "$CONCOURSE_NAME" hijack --job "$(cat job-metadata/build-pipeline-name)/$(cat job-metadata/build-job-name)" -- aws ssm put-parameter # ...
          ---
          Fly can only hijack containers that are running or have recently run.
          If you are experiencing problems, try running this job again.
          ---
          Sleeping for a while so you can hijack this job
          HELP
          sleep 60
```
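Added example, not part of the gist: a Python emulation of how Concourse's SSM credential manager resolves a `((my_secret_name))` reference against the two parameter paths the help text describes (pipeline-scoped first, then team-wide), plus a name check so that a secret name cannot alter the path hierarchy under the prefix. The `SECRETS_PATH_PREFIX` value and the in-memory parameter store are constructed stand-ins; nothing here calls AWS.

```python
import re

# Assumed value for the page's fill-me-in prefix; Concourse's SSM manager conventionally uses /concourse/TEAM.
SECRETS_PATH_PREFIX = "/concourse/main"

# Constructed sample store standing in for SSM Parameter Store:
# one team-wide secret, one pipeline-scoped override of it, one team-wide-only secret.
PARAMETER_STORE = {
    "/concourse/main/db_password": "team-wide-password",
    "/concourse/main/deploy-prod/db_password": "prod-only-password",
    "/concourse/main/api_token": "team-wide-token",
}

SEGMENT_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def validate_segment(name: str) -> str:
    """Reject path segments (secret or pipeline names) containing '/', '.', or nothing at all,
    so a caller cannot write or read outside the configured prefix."""
    if not SEGMENT_RE.match(name):
        raise ValueError(f"invalid path segment: {name!r}")
    return name


def parameter_paths(pipeline: str, secret: str, prefix: str = SECRETS_PATH_PREFIX) -> list:
    """Lookup order Concourse applies: PREFIX/PIPELINE/SECRET, then PREFIX/SECRET."""
    validate_segment(pipeline)
    validate_segment(secret)
    return [f"{prefix}/{pipeline}/{secret}", f"{prefix}/{secret}"]


def resolve(pipeline: str, secret: str, store: dict = PARAMETER_STORE):
    """Return the value a ((secret)) reference in `pipeline` would resolve to, or None."""
    for path in parameter_paths(pipeline, secret):
        if path in store:
            return store[path]
    return None


def put_parameter_argv(secret, value, key_id, region, pipeline=None, prefix=SECRETS_PATH_PREFIX):
    """Build the page's `aws ssm put-parameter` invocation as an argv list.
    Passing it to subprocess.run avoids shell quoting and the TTY corruption the help text warns about."""
    validate_segment(secret)
    name = f"{prefix}/{validate_segment(pipeline)}/{secret}" if pipeline else f"{prefix}/{secret}"
    return ["aws", "ssm", "put-parameter", "--name", name, "--value", value,
            "--type", "SecureString", "--key-id", key_id, "--overwrite", "--region", region]
```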