Merge pull request #16 from jwelborn-sugar/CS-1253

CS-1253 Refactor to use Secrets Manager
sugarcrm · Dec 14, 2020 · be01e15 · be01e15
2 parents 40b92d0 + 37f48ac
commit be01e15
Show file tree

Hide file tree

Showing 3 changed files with 79 additions and 12 deletions.
diff --git a/src/core/api.js b/src/core/api.js
@@ -12,6 +12,7 @@
 const axios = require('axios');
 
 const { HttpStatus } = require('../constants/http-status.js');
+const { Secrets } = require('../utils/aws/secrets');
 
 const methodToRequest = {
     'read': 'GET',
@@ -22,8 +23,6 @@ const methodToRequest = {
 
 module.exports = () => {
     const serverUrl = (process.env.sugarUrl || 'localhost') + '/rest/v11_10';
-    const username = process.env.sugarUsername || '';
-    const password = process.env.sugarPass || '';
 
     return {
         serverUrl: serverUrl,
@@ -33,6 +32,9 @@ module.exports = () => {
         },
 
         call: async function(method, url, data, params) {
+            const secrets = JSON.parse(await Secrets);
+            const username = secrets.sugarUsername || '';
+            const password = secrets.sugarPass || '';
             try {
                 let response = await axios.post(this.buildUrl('oauth2/token'), {
                     grant_type: 'password',

diff --git a/src/utils/aws/secrets.js b/src/utils/aws/secrets.js
@@ -0,0 +1,51 @@
+/*
+ * Your installation or use of this SugarCRM file is subject to the applicable
+ * terms available at
+ * http://support.sugarcrm.com/Resources/Master_Subscription_Agreements/.
+ * If you do not agree to all of the applicable terms or do not have the
+ * authority to bind the entity as an authorized representative, then do not
+ * install or use this SugarCRM file.
+ *
+ * Copyright (C) SugarCRM Inc. All rights reserved.
+ */
+
+// Use this code snippet in your app.
+// If you need more information about configurations or implementing the sample code, visit the AWS docs:
+// https://aws.amazon.com/developers/getting-started/nodejs/
+
+// Load the AWS SDK
+let AWS = require('aws-sdk');
+let region = process.env.region;
+let secretName = process.env.secretManagerName;
+let secret;
+
+// Create a Secrets Manager client
+let client = new AWS.SecretsManager({
+    region: region
+});
+
+/**
+ * Wrap the code provided by AWS Secrets Manager in a Promise so we can
+ * await the resolution of `client.getSecretValue` in `app.api.call`.
+ */
+const secretPromise = new Promise((resolve, reject) => {
+    client.getSecretValue({ SecretId: secretName }, function(err, data) {
+        if (err) {
+            reject(err);
+        } else {
+            // Decrypts secret using the associated KMS CMK.
+            // Depending on whether the secret is a string or binary, one of these fields will be populated.
+            if ('SecretString' in data) {
+                secret = data.SecretString;
+            } else {
+                let buff = Buffer.from(data.SecretBinary, 'base64');
+                secret = buff.toString('ascii');
+            }
+            resolve(secret);
+        }
+    });
+});
+
+module.exports = {
+    Secrets: secretPromise
+};
diff --git a/template.yml b/template.yml
@@ -53,6 +53,16 @@ Resources:
   # Each Lambda function is defined by properties:
   # https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
 
+  # Secrets Manager Secret to store Sugar Username/Password
+  SugarSecrets:
+    Type: AWS::SecretsManager::Secret
+    Properties:
+      Name: SugarSecrets
+      Description: This secret stores your SugarCRM Credentials using AWS Secrets Manager
+      SecretString: !Sub 
+        - '{"sugarUsername": "${Username}", "sugarPass": "${Password}"}'
+        - { Username: !Ref SugarUsername, Password: !Ref SugarPassword }
+
   # This is a Lambda function config associated with the source code: create-case.js
   CreateCaseFunction:
     Type: AWS::Serverless::Function
@@ -63,13 +73,14 @@ Resources:
       Timeout: 100
       Environment:
         Variables:
-          sugarUsername: !Ref SugarUsername
-          sugarPass: !Ref SugarPassword
+          region: !Ref AWS::Region
+          secretManagerName: SugarSecrets
           sugarUrl: !Ref SugarUrl
       Description: A Lambda function that creates a case.
       Policies:
         # Give Lambda basic execution Permission to write CloudWatch logs
         - AWSLambdaBasicExecutionRole
+        - SecretsManagerReadWrite
 
   # This is a Lambda function config associated with the source code: add-note-to-case.js
   AddNoteToCaseFunction:
@@ -81,13 +92,14 @@ Resources:
       Timeout: 100
       Environment:
         Variables:
-          sugarUsername: !Ref SugarUsername
-          sugarPass: !Ref SugarPassword
+          region: !Ref AWS::Region
+          secretManagerName: SugarSecrets
           sugarUrl: !Ref SugarUrl
       Description: A Lambda function that adds a note to a case.
       Policies:
         # Give Lambda basic execution Permission to write CloudWatch logs
         - AWSLambdaBasicExecutionRole
+        - SecretsManagerReadWrite
 
   # This is a Lambda function config for source code: case-status.js
   CaseStatusFunction:
@@ -100,12 +112,13 @@ Resources:
       Timeout: 60
       Environment:
         Variables:
-          sugarUsername: !Ref SugarUsername
-          sugarPass: !Ref SugarPassword
+          region: !Ref AWS::Region
+          secretManagerName: SugarSecrets
           sugarUrl: !Ref SugarUrl
       Policies:
         # Give Lambda basic execution Permission to createCase
         - AWSLambdaBasicExecutionRole
+        - SecretsManagerReadWrite
 
   # This is a Lambda function config for source code: lex-get-string.js
   LexGetStringFunction:
@@ -131,8 +144,8 @@ Resources:
       Timeout: 60
       Environment:
         Variables:
-          sugarUsername: !Ref SugarUsername
-          sugarPass: !Ref SugarPassword
+          region: !Ref AWS::Region
+          secretManagerName: SugarSecrets
           sugarUrl: !Ref SugarUrl
 
   CallRecordingFunction:
@@ -146,8 +159,8 @@ Resources:
       Timeout: 60
       Environment:
         Variables:
-          sugarUsername: !Ref SugarUsername
-          sugarPass: !Ref SugarPassword
+          region: !Ref AWS::Region
+          secretManagerName: SugarSecrets
           sugarUrl: !Ref SugarUrl
           awsConnectInstance: !Ref AwsConnectInstance
           awsConnectDomain: !Ref AWSConnectDomain
@@ -193,6 +206,7 @@ Resources:
         - "arn:aws:iam::aws:policy/AmazonS3FullAccess"
         - "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess"
         - "arn:aws:iam::aws:policy/AWSLambdaExecute"
+        - "arn:aws:iam::aws:policy/SecretsManagerReadWrite"
 
   # Role to give StartChat lambda access to the client amazon connect instance
   StartChatLambdaExecutionRole: