init

Author: kendavis2

.github/shell/Dockerfile

@@ -0,0 +1,7 @@
+FROM golang:1.13.7
+
+RUN go get github.com/mitchellh/gox && \
+    go get github.com/tcnksm/ghr
+
+ADD entrypoint.sh /entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]

.github/shell/entrypoint.sh

@@ -0,0 +1,2 @@
+#!/bin/sh
+sh -c "$*"

.github/workflows/publish.yml

@@ -0,0 +1,33 @@
+name: BuildNDeploy
+on:
+  push:
+    tags:
+    - 'v[0-9]+.[0-9]+.[0-9]+-[a-zA-Z0-9]*'
+    - 'v[0-9]+.[0-9]+.[0-9]+'
+jobs:
+ 
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+    - name: Set up Go
+      uses: actions/setup-go@v1
+      with:
+        go-version: 1.13
+
+    - name: Check out Code
+      uses: actions/checkout@v2
+     
+    - name: Set Version
+      run: echo ::set-env name=version::${GITHUB_REF##*v}
+
+    - name: Build and Publish Release
+      uses: ./.github/shell
+      env:
+        GOROOT: /usr/local/go
+      with: 
+        args: |
+          cd cli
+          gox -os='darwin' -os='linux' -os='windows' -ldflags '-X main.version=${{ env.version }}.${{ github.run_number }}' -output 'artifacts/stash_{{.OS}}_{{.Arch}}'
+          ghr -t '${{ secrets.GITHUB_TOKEN }}' -u dabblebox -r stash -c $GITHUB_SHA -delete ${GITHUB_REF##*/} artifacts
+        

.gitignore

@@ -0,0 +1,21 @@
+# exe
+/stash
+/cli/cmd/stash_test
+
+# config
+*.env
+*.json
+*.cert
+*.sql
+*.js
+*.pub
+id_rsa
+
+# catalog
+stash.yml
+
+# terraform
+.terraform
+*.tf
+*.tfstate*
+*.tfvars

AWS_METHODS.md

@@ -0,0 +1,150 @@
+# AWS Configuration Methods
+
+Managing configuration is divided into two processes, [Configuration Management](#configuration-management) which is the process modifying and storing configuration in a cloud storage service, and [Configuration Consumption](#configuration-consumption) which is the process of ingesting the configuration from a cloud storage service into a Fargate container or Lambda function. 
+
+## Configuration Management
+
+When using *Stash*, management is consistent accross supported cloud storage services. 
+
+```bash
+$ stash sync config/dev/.env
+```
+```bash
+$ stash edit -t dev
+```
+
+## Configuration Consumption
+
+Consumption has many methods with different benefits. The pupose of this document is to discuss AWS methods for Fargate containers and Lambda functions, but some of the following methods may also apply to other technologies.
+
+#### User and Role Policies
+AWS methods require developers and the container execution role or application role to have access to the appropriate cloud storage service and KMS keys.
+
+The following *Stash* command generates Terraform scripts specific to the `dev` configuration. This makes it easier to manage the AWS access policies through Terraform.
+
+```bash
+$ stash get -t dev -o terraform
+```
+
+### Method 1: Download Configuration File (Stash CLI)
+
+**Supports**: ECS Fargate Containers
+
+On start up containers can call a storage service directly using the *Stash* CLI and create a configuration file inside the container allowing the application to load it into memory.
+
+**Requirement**: The stash.yml file used to sync the configuration must included in the Docker image where *Stash* can find it.
+
+Dockerfile (build)
+```bash
+FROM golang:1.13
+
+ARG version=0.0.0-unknown.0
+
+# install stash
+RUN curl -L -o  /usr/local/bin/stash https://github.com/dabblebox/stash/releases/download/v0.1.0-rc/stash_linux_386 && chmod +x /usr/local/bin/stash
+
+
+COPY . /app/  
+
+WORKDIR /app
+
+RUN go build -ldflags '-X main.version='$version -o app
+
+ENTRYPOINT [ "./docker-entrypoint.bash" ]
+```
+
+docker-entrypoint.bash (get)
+```bash
+#!/bin/bash
+
+echo "Getting $CONFIG_ENV configuration."
+
+stash get -l -t $CONFIG_ENV 1> .env
+
+exec ./app
+```
+
+### Method 2: File Injection (Stash CLI)
+
+On start up containers can call a storage service directly using the *Stash* CLI and inject secrets into a configuration file inside the container allowing the application to load the file containing the secrets into memory. Secret tokens can be added to a configuration file that is checked into a repository. 
+
+The tokens are AWS Secret Manager secret names. Use double colons, `::`, to specify any field in the secret's json object.
+
+.env (config)
+```
+USER=${app/dev/db::user}
+PASSWORD=${app/dev/db::password}
+```
+
+Dockerfile (build)
+```bash
+FROM golang:1.13
+
+ARG version=0.0.0-unknown.0
+
+# install stash
+RUN curl -L -o  /usr/local/bin/stash https://github.com/dabblebox/stash/releases/download/v0.1.0-rc/stash_linux_386 && chmod +x /usr/local/bin/stash
+
+COPY . /app/  
+
+WORKDIR /app
+
+RUN go build -ldflags '-X main.version='$version -o app
+
+ENTRYPOINT [ "./docker-entrypoint.bash" ]
+```
+
+docker-entrypoint.bash (inject)
+```bash
+#!/bin/bash
+
+echo "Injecting $CONFIG_ENV configuration."
+
+stash inject $CONFIG_ENV/.env -l -s secrets-manager 1> secrets.env
+
+exec ./app
+```
+
+### Method 3: Environment Injection (AWS)
+
+**Supports**: ECS Fargate Containers
+
+Configuration and secret references to cloud services like Secrets Manager, Parameter Store, and S3 can be listed in ECS task definitions. On container start, AWS injects the configuration and/or secrets from cloud service references into the containers environment variables.
+
+*Stash* provides commands that print the task definition JSON for stashed configuration making it easier to add to a task definition. [Secrets](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html) from AWS Secrets Manager and SSM Parameter Store along with S3 [environment files](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html) are supported.
+
+```bash
+$ stash get -t dev -o ecs-task-inject-json
+```
+
+```bash
+$ stash get -t dev -o ecs-task-inject-env
+```
+
+### Method 4: Direct Ingest (Stash Library)
+
+**Supports**: ECS Fargate Containers / Lambda Functions
+
+Code can use the *Stash* Go integration library to load configuration directly into memory.
+
+**Requirement**: The stash.yml file used to sync the configuration must be included in the Docker image or Lambda function where *Stash* can find it.
+
+```go
+package main
+
+import (
+	"log"
+
+	"github.com/dabblebox/stash"
+	"github.com/dabblebox/stash/component/output"
+)
+
+config, err := stash.GetMap(stash.GetOptions{})
+if err != nil {
+  log.Fatal(err)
+}
+
+for k, v := range config {
+  log.Printf("%s=%s\n", k, v)
+}
+```

CATALOG.md

@@ -0,0 +1,15 @@
+# Configuration Catalog
+
+A catalog file, `stash.yml`, is automatically generated after syncing a configuration file with a cloud service. This file catalogs each configuration file stored in the cloud and allows specific actions like `purge` or `edit` to be performed without the user knowing where the data is stored or how the data is encrypted.
+
+| Field | Example | Options | Description |
+|-|-|-|-|
+|version|0.0.0-local|String|The version of Stash used to sync the configuration.|
+|context|my-slick-app|String|The repository or app name for the stored configuration.|
+|clean|true|Boolean|Delete local files after updating a cloud service.|
+|files[].path| config/dev/.env| String |The local file path where the cofiguration is initially synced from and restored during a get command.||
+|files[].service|secrets-manager|secrets-manager, parameter-store, s3| The cloud service where configuration is stored.|
+|files[].opt.kms_key_id||Guid|The KMS key id used to encrypt the configuration. Enter alias to create a new KMS key. (default: aws/secretsmanager)|
+|files[].opt.secrets|single|single, multiple| Specifies if each key/value pair should be stored in a separate Secrets Manager secret for JSON and ENV file types. |
+|files[].keys|| Object{} |The cloud service keys used to get configuration.|
+|files[].tags|| Object{} |Local tags used when running Stash commands to target specific configuration stored in the cloud.|