Merge pull request #113 from cisagov/improvement/add-remote-state-switch

Add option to `terraform-to-secrets` to search for secrets in remote state resources

Author: dav3r

project_setup/scripts/terraform-to-secrets

@@ -44,6 +44,7 @@ Options:
   -l --log-level=LEVEL   If specified, then the log level will be set to
                          the specified value.  Valid values are "debug", "info",
                          "warning", "error", and "critical". [default: info]
+  -m --remote-state      Look for secrets in remote state resources also.
   -r --repo=REPONAME     Use provided repository name instead of detecting it.
   -s --state=JSONFILE    Read state from a file instead of asking Terraform.
   -t --token=PAT         Specify a GitHub personal access token (PAT).
@@ -137,18 +138,27 @@ def find_tagged_secret(
     return
 
 
-def find_outputs(terraform_state: Dict) -> Generator[Dict, None, None]:
+def find_outputs(
+    terraform_state: Dict, include_remote_state: bool
+) -> Generator[Dict, None, None]:
     """Search for resources with outputs in the Terraform state."""
     for resource in terraform_state["values"]["root_module"].get("resources", []):
+        # Exclude remote state resources unless requested
+        if (
+            not include_remote_state
+            and resource.get("type") == "terraform_remote_state"
+        ):
+            continue
         if resource.get("values", dict()).get("outputs", dict()):
             yield resource["values"]["outputs"]
 
 
 def parse_tagged_outputs(
     terraform_state: Dict,
+    include_remote_state: bool,
 ) -> Generator[Tuple[str, str], None, None]:
     """Search all outputs for tags requesting the creation of a secret."""
-    for outputs in find_outputs(terraform_state):
+    for outputs in find_outputs(terraform_state, include_remote_state):
         for output_name, output_data in outputs.items():
             yield from find_tagged_secret(output_name, output_data)
     return
@@ -207,9 +217,16 @@ def parse_creds(terraform_state: Dict) -> Generator[Tuple[str, str, str], None,
 
 def parse_tagged_resources(
     terraform_state: Dict,
+    include_remote_state: bool,
 ) -> Generator[Tuple[str, str], None, None]:
     """Search all resources for tags requesting the creation of a secret."""
     for resource in find_resources(terraform_state, None):
+        # Exclude remote state resources unless requested
+        if (
+            not include_remote_state
+            and resource.get("type") == "terraform_remote_state"
+        ):
+            continue
         yield from find_tagged_secret(resource["address"], resource["values"])
     return
 
@@ -309,14 +326,20 @@ def get_users(terraform_state: Dict) -> Dict[str, Tuple[str, str]]:
     return user_creds
 
 
-def get_resource_secrets(terraform_state: Dict) -> Dict[str, str]:
+def get_resource_secrets(
+    terraform_state: Dict, include_remote_state: bool
+) -> Dict[str, str]:
     """Collect secrets from tagged Terraform resources."""
     secrets: Dict[str, str] = dict()
     logging.info("Searching Terraform state for tagged resources.")
-    for secret_name, secret_value in parse_tagged_resources(terraform_state):
+    for secret_name, secret_value in parse_tagged_resources(
+        terraform_state, include_remote_state
+    ):
         logging.info(f"Found secret: {secret_name}")
         secrets[secret_name] = secret_value
-    for secret_name, secret_value in parse_tagged_outputs(terraform_state):
+    for secret_name, secret_value in parse_tagged_outputs(
+        terraform_state, include_remote_state
+    ):
         logging.info(f"Found secret: {secret_name}")
         secrets[secret_name] = secret_value
     return secrets
@@ -425,6 +448,7 @@ def main() -> int:
     github_env: str = validated_args["--env"]
     github_token_to_save: str = validated_args["<github-personal-access-token>"]
     log_level: str = validated_args["--log-level"]
+    include_remote_state: bool = validated_args["--remote-state"]
     repo_name: str = validated_args["--repo"]
     state_filename: str = validated_args["--state"]
     github_token: str = validated_args["--token"]
@@ -467,7 +491,9 @@ def main() -> int:
     user_secrets: Dict[str, str] = create_user_secrets(user_creds)
 
     # Secrets created from tagged resources. Names mapped to value.
-    resource_secrets: Dict[str, str] = get_resource_secrets(terraform_state)
+    resource_secrets: Dict[str, str] = get_resource_secrets(
+        terraform_state, include_remote_state
+    )
 
     # Check if there are overlaps in the keys.
     if not user_secrets.keys().isdisjoint(resource_secrets.keys()):